@better-auth/oauth-provider 1.5.3 → 1.5.5

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-7Jc-EFsq.mjs";
+import { a as ResourceServerMetadata } from "./oauth-Chk8ejPr.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,4 +1,4 @@
-import { a as getJwtPlugin, m as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-D6kv_BUA.mjs";
+import { a as getJwtPlugin, h as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-DgozotLg.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,5 +1,5 @@
-import "./oauth-7Jc-EFsq.mjs";
-import { n as oauthProvider } from "./oauth-C_QoLKZA.mjs";
+import "./oauth-Chk8ejPr.mjs";
+import { n as oauthProvider } from "./oauth-wm0HlZm9.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-7Jc-EFsq.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-C_QoLKZA.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Chk8ejPr.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-wm0HlZm9.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,7 +1,8 @@
-import { a as getJwtPlugin, c as isPKCERequired, d as storeClientSecret, f as storeToken, h as mcpHandler, i as getClient, l as parseClientMetadata, n as decryptStoredClientSecret, p as validateClientCredentials, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parsePrompt } from "./utils-D6kv_BUA.mjs";
+import { a as getJwtPlugin, c as isPKCERequired, d as resolveSubjectIdentifier, f as storeClientSecret, g as mcpHandler, i as getClient, l as parseClientMetadata, m as validateClientCredentials, n as decryptStoredClientSecret, p as storeToken, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parsePrompt } from "./utils-DgozotLg.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
+import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -206,6 +207,13 @@ async function userInfoEndpoint(ctx, opts) {
 		error: "invalid_request"
 	});
 	const baseUserClaims = userNormalClaims(user, scopes ?? []);
+	if (opts.pairwiseSecret) {
+		const clientId = jwt.client_id ?? jwt.azp;
+		if (clientId) {
+			const client = await getClient(ctx, opts, clientId);
+			if (client) baseUserClaims.sub = await resolveSubjectIdentifier(user.id, client, opts);
+		}
+	}
 	const additionalInfoUserClaims = opts.customUserInfoClaims && scopes?.length ? await opts.customUserInfoClaims({
 		user,
 		scopes,
@@ -277,6 +285,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 	const iat = Math.floor(Date.now() / 1e3);
 	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
 	const userClaims = userNormalClaims(user, scopes);
+	const resolvedSub = await resolveSubjectIdentifier(user.id, client, opts);
 	const authTimeSec = authTime != null ? Math.floor(authTime.getTime() / 1e3) : void 0;
 	const acr = "urn:mace:incommon:iap:bronze";
 	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
@@ -291,7 +300,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		auth_time: authTimeSec,
 		acr,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-		sub: user.id,
+		sub: resolvedSub,
 		aud: client.clientId,
 		nonce,
 		iat,
@@ -908,6 +917,21 @@ async function validateAccessToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 }
+/**
+* Resolves pairwise sub on an introspection payload.
+* Applied at the presentation layer so internal validation functions
+* keep real user.id (needed for user lookup in /userinfo).
+*/
+async function resolveIntrospectionSub(opts, payload, client) {
+	if (payload.active && payload.sub) {
+		const resolvedSub = await resolveSubjectIdentifier(payload.sub, client, opts);
+		return {
+			...payload,
+			sub: resolvedSub
+		};
+	}
+	return payload;
+}
 async function introspectEndpoint(ctx, opts) {
 	let { client_id, client_secret, token, token_type_hint } = ctx.body;
 	const authorization = ctx.request?.headers.get("authorization") || null;
@@ -928,7 +952,7 @@ async function introspectEndpoint(ctx, opts) {
 	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
-			return await validateAccessToken(ctx, opts, token, client.clientId);
+			return resolveIntrospectionSub(opts, await validateAccessToken(ctx, opts, token, client.clientId), client);
 		} catch (error) {
 			if (error instanceof APIError$1) {
 				if (token_type_hint === "access_token") throw error;
@@ -936,7 +960,7 @@ async function introspectEndpoint(ctx, opts) {
 			else throw new Error(error);
 		}
 		if (token_type_hint === void 0 || token_type_hint === "refresh_token") try {
-			return await validateRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId);
+			return resolveIntrospectionSub(opts, await validateRefreshToken(ctx, opts, (await decodeRefreshToken(opts, token)).token, client.clientId), client);
 		} catch (error) {
 			if (error instanceof APIError$1) {
 				if (token_type_hint === "refresh_token") throw error;
@@ -1116,6 +1140,22 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: "When 'authorization_code' grant type is used, 'code' response type must be included"
 	});
+	if (client.subject_type !== void 0) {
+		if (client.subject_type !== "public" && client.subject_type !== "pairwise") throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: `subject_type must be "public" or "pairwise"`
+		});
+		if (client.subject_type === "pairwise" && !opts.pairwiseSecret) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "pairwise subject_type requires server pairwiseSecret configuration"
+		});
+		if (client.subject_type === "pairwise" && client.redirect_uris && client.redirect_uris.length > 1) {
+			if (new Set(client.redirect_uris.map((uri) => new URL(uri).host)).size > 1) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "pairwise clients with redirect_uris on different hosts require a sector_identifier_uri, which is not yet supported. All redirect_uris must share the same host."
+			});
+		}
+	}
 	const requestedScopes = (client?.scope)?.split(" ").filter((v) => v.length);
 	const allowedScopes = settings?.isRegister ? opts.clientRegistrationAllowedScopes ?? opts.scopes : opts.scopes;
 	if (allowedScopes) {
@@ -1182,7 +1222,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1217,6 +1257,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		requirePKCE,
+		subjectType,
 		referenceId,
 		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
 	};
@@ -1228,7 +1269,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, requirePKCE, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1260,6 +1301,7 @@ function schemaToOAuth(input) {
 		skip_consent: skipConsent ?? void 0,
 		enable_end_session: enableEndSession ?? void 0,
 		require_pkce: requirePKCE ?? void 0,
+		subject_type: subjectType ?? void 0,
 		reference_id: referenceId ?? void 0
 	};
 }
@@ -1572,6 +1614,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		skip_consent: z.boolean().optional(),
 		enable_end_session: z.boolean().optional(),
 		require_pkce: z.boolean().optional(),
+		subject_type: z.enum(["public", "pairwise"]).optional(),
 		metadata: z.record(z.string(), z.unknown()).optional()
 	}),
 	metadata: {
@@ -2366,6 +2409,10 @@ const schema = {
 				type: "boolean",
 				required: false
 			},
+			subjectType: {
+				type: "string",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: false
@@ -2662,6 +2709,7 @@ const oauthProvider = (options) => {
 		claims: Array.from(claims),
 		clientRegistrationAllowedScopes
 	};
+	if (opts.pairwiseSecret && opts.pairwiseSecret.length < 32) throw new BetterAuthError("pairwiseSecret must be at least 32 characters long for adequate HMAC-SHA256 security");
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
@@ -3371,7 +3419,8 @@ const oauthProvider = (options) => {
 						"web",
 						"native",
 						"user-agent-based"
-					]).optional()
+					]).optional(),
+					subject_type: z.enum(["public", "pairwise"]).optional()
 				}),
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
@@ -3576,7 +3625,9 @@ function formatErrorURL(url, error, description, state, iss) {
 	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
 }
 const handleRedirect = (ctx, uri) => {
-	if (ctx.headers?.get("accept")?.includes("application/json")) return {
+	const fromFetch = isBrowserFetchRequest(ctx.request?.headers);
+	const acceptJson = ctx.headers?.get("accept")?.includes("application/json");
+	if (fromFetch || acceptJson) return {
 		redirect: true,
 		url: uri.toString()
 	};
@@ -3818,7 +3869,7 @@ function oidcServerMetadata(ctx, opts) {
 		}),
 		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
 		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
-		subject_types_supported: ["public"],
+		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
 		id_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig?.alg ? [jwtPluginOptions?.jwks?.keyPairConfig?.alg] : opts.disableJwtPlugin ? ["HS256"] : ["EdDSA"],
 		end_session_endpoint: `${baseURL}/oauth2/end-session`,
 		acr_values_supported: ["urn:mace:incommon:iap:bronze"],