@better-auth/oauth-provider 1.5.7-beta.1 → 1.6.0

package/dist/client-resource.d.mts

@@ -1,10 +1,11 @@
-import { a as ResourceServerMetadata } from "./oauth-DrFFxaBJ.mjs";
+import { a as ResourceServerMetadata } from "./oauth-Cc0nzj5Q.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 
 //#region src/client-resource.d.ts
 declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
   id: "oauth-provider-resource-client";
+  version: string;
   getActions(): {
     /**
      * Performs verification of an access token for your APIs. Can perform
@@ -75,5 +76,4 @@ type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<
   externalScopes?: string[];
 }) => Promise<ResourceServerMetadata>;
 //#endregion
-export { VerifyAccessTokenRemote, oauthProviderResourceClient };
-//# sourceMappingURL=client-resource.d.mts.map
+export { VerifyAccessTokenRemote, oauthProviderResourceClient };

package/dist/client-resource.mjs

@@ -1,4 +1,5 @@
-import { a as getJwtPlugin, g as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-BpUSdl43.mjs";
+import { a as getJwtPlugin, o as getOAuthProviderPlugin, v as handleMcpErrors } from "./utils-sQ4gYeh3.mjs";
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";
@@ -22,6 +23,7 @@ const oauthProviderResourceClient = (auth) => {
 	const authServerBasePath = auth?.options.basePath;
 	return {
 		id: "oauth-provider-resource-client",
+		version: PACKAGE_VERSION,
 		getActions() {
 			return {
 				verifyAccessToken: (async (token, opts) => {
@@ -84,5 +86,3 @@ const oauthProviderResourceClient = (auth) => {
 };
 //#endregion
 export { oauthProviderResourceClient };
-
-//# sourceMappingURL=client-resource.mjs.map

package/dist/client.d.mts

@@ -1,9 +1,10 @@
-import { n as oauthProvider } from "./oauth-CiaEIjBG.mjs";
+import { n as oauthProvider } from "./oauth-CYgzO8Am.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts
 declare const oauthProviderClient: () => {
   id: "oauth-provider-client";
+  version: string;
   fetchPlugins: {
     id: string;
     name: string;
@@ -15,5 +16,4 @@ declare const oauthProviderClient: () => {
   $InferServerPlugin: ReturnType<typeof oauthProvider>;
 };
 //#endregion
-export { oauthProviderClient };
-//# sourceMappingURL=client.d.mts.map
+export { oauthProviderClient };

package/dist/client.mjs

@@ -1,3 +1,4 @@
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {
@@ -14,6 +15,7 @@ function parseSignedQuery(search) {
 const oauthProviderClient = () => {
 	return {
 		id: "oauth-provider-client",
+		version: PACKAGE_VERSION,
 		fetchPlugins: [{
 			id: "oauth-provider-signin",
 			name: "oauth-provider-signin",
@@ -33,5 +35,3 @@ const oauthProviderClient = () => {
 };
 //#endregion
 export { oauthProviderClient };
-
-//# sourceMappingURL=client.mjs.map

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-DrFFxaBJ.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CiaEIjBG.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CYgzO8Am.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -61,5 +61,4 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   headers?: HeadersInit;
 }) => (_request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
-//# sourceMappingURL=index.d.mts.map
+export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };

package/dist/index.mjs

@@ -1,4 +1,5 @@
-import { _ as mcpHandler, a as getJwtPlugin, c as isPKCERequired, d as resolveSubjectIdentifier, f as storeClientSecret, h as verifyOAuthQueryParams, i as getClient, l as parseClientMetadata, m as validateClientCredentials, n as decryptStoredClientSecret, p as storeToken, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parsePrompt } from "./utils-BpUSdl43.mjs";
+import { _ as verifyOAuthQueryParams, a as getJwtPlugin, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as validateClientCredentials, h as storeToken, i as getClient, l as normalizeTimestampValue, m as storeClientSecret, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, y as mcpHandler } from "./utils-sQ4gYeh3.mjs";
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -127,7 +128,9 @@ async function created(ctx, opts) {
 		error_description: "missing oauth query",
 		error: "invalid_request"
 	});
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "create");
+	const query = new URLSearchParams(_query);
+	ctx.headers?.set("accept", "application/json");
+	ctx.query = deleteFromPrompt(query, "create");
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -292,9 +295,9 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
 	const payload = {
 		...userClaims,
-		...customClaims,
 		auth_time: authTimeSec,
 		acr,
+		...customClaims,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: resolvedSub,
 		aud: client.clientId,
@@ -471,7 +474,7 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error: "invalid_user"
 	});
 	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "missing verification redirect_uri",
+		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
 	});
 	return verificationValue;
@@ -561,7 +564,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error_description: "session no longer exists",
 		error: "invalid_request"
 	});
-	const authTime = verificationValue.authTime != null ? new Date(verificationValue.authTime) : new Date(session.createdAt);
+	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
 	return createUserTokens(ctx, opts, client, verificationValue.query.scope?.split(" ") ?? [], user, verificationValue.referenceId, session.id, verificationValue.query?.nonce, void 0, authTime);
 }
 /**
@@ -716,7 +719,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error_description: "user not found",
 		error: "invalid_request"
 	});
-	const authTime = refreshToken.authTime != null ? new Date(refreshToken.authTime) : void 0;
+	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
 	return createUserTokens(ctx, opts, client, requestedScopes ?? scopes, user, refreshToken.referenceId, refreshToken.sessionId, void 0, { refreshToken }, authTime);
 }
 //#endregion
@@ -1169,6 +1172,10 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
+	if (settings?.isRegister && client.skip_consent) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "skip_consent cannot be set during dynamic client registration"
+	});
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
@@ -2720,12 +2727,21 @@ const oauthProvider = (options) => {
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
 	return {
 		id: "oauth-provider",
+		version: PACKAGE_VERSION,
 		options: opts,
 		init: (ctx) => {
-			if (ctx.options.session && !ctx.options.session.storeSessionInDatabase) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
+			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
-				const issuer = (getJwtPlugin(ctx)?.options)?.jwt?.issuer ?? ctx.baseURL;
-				const issuerPath = new URL(issuer).pathname;
+				const jwtPluginOptions = getJwtPlugin(ctx)?.options;
+				const issuer = jwtPluginOptions?.jwt?.issuer ?? ctx.baseURL;
+				const isDynamicBaseURLInit = jwtPluginOptions?.jwt?.issuer == null && typeof ctx.options.baseURL === "object" && ctx.options.baseURL !== null && "allowedHosts" in ctx.options.baseURL;
+				let issuerPath;
+				try {
+					issuerPath = new URL(issuer).pathname;
+				} catch (error) {
+					if (isDynamicBaseURLInit && issuer === "") return;
+					throw error;
+				}
 				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
@@ -2762,6 +2778,9 @@ const oauthProvider = (options) => {
 					const session = await ctx.context.internalAdapter.findSession(sessionToken);
 					if (!session) return;
 					ctx.context.session = session;
+					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
+					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
+					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
 					ctx.query = deleteFromPrompt(query, "login");
 					return await authorizeEndpoint(ctx, opts);
 				})
@@ -2790,11 +2809,12 @@ const oauthProvider = (options) => {
 			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
 				method: "GET",
 				query: z.object({
-					response_type: z.enum(["code"]),
+					response_type: z.enum(["code"]).optional(),
 					client_id: z.string(),
 					redirect_uri: SafeUrlSchema.optional(),
 					scope: z.string().optional(),
 					state: z.string().optional(),
+					request_uri: z.string().optional(),
 					code_challenge: z.string().optional(),
 					code_challenge_method: z.enum(["S256"]).optional(),
 					nonce: z.string().optional(),
@@ -2814,7 +2834,7 @@ const oauthProvider = (options) => {
 						{
 							name: "response_type",
 							in: "query",
-							required: true,
+							required: false,
 							schema: { type: "string" },
 							description: "OAuth2 response type (e.g., 'code')"
 						},
@@ -2849,6 +2869,13 @@ const oauthProvider = (options) => {
 							schema: { type: "string" },
 							description: "OAuth2 state parameter"
 						},
+						{
+							name: "request_uri",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "Pushed Authorization Request URI referencing stored parameters"
+						},
 						{
 							name: "code_challenge",
 							in: "query",
@@ -3421,7 +3448,8 @@ const oauthProvider = (options) => {
 						"native",
 						"user-agent-based"
 					]).optional(),
-					subject_type: z.enum(["public", "pairwise"]).optional()
+					subject_type: z.enum(["public", "pairwise"]).optional(),
+					skip_consent: z.boolean().optional()
 				}),
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
@@ -3683,25 +3711,46 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error_description: "request not found",
 		error: "invalid_request"
 	});
-	const query = ctx.query;
-	await oAuthState.set({ query: query.toString() });
-	if (!query.client_id) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
-	if (!query.response_type) throw ctx.redirect(getErrorURL(ctx, "invalid_request", "response_type is required"));
+	let query = ctx.query;
+	if (query.request_uri) {
+		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
+		const resolvedParams = await opts.requestUriResolver({
+			requestUri: query.request_uri,
+			clientId: query.client_id ?? "",
+			ctx
+		});
+		if (!resolvedParams) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri is invalid or expired"));
+		const urlClientId = query.client_id;
+		query = resolvedParams;
+		if (urlClientId) query.client_id = urlClientId;
+	}
+	ctx.query = query;
+	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
+	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
 	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
 	const promptNone = promptSet?.has("none") ?? false;
-	if (promptSet?.has("select_account") && !opts.selectAccount?.page) throw ctx.redirect(getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
-	if (!(query.response_type === "code")) throw ctx.redirect(getErrorURL(ctx, "unsupported_response_type", "unsupported response type"));
+	if (promptSet?.has("select_account") && !opts.selectAccount?.page) return handleRedirect(ctx, getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
+	if (!(query.response_type === "code")) return handleRedirect(ctx, getErrorURL(ctx, "unsupported_response_type", "unsupported response type"));
 	const client = await getClient(ctx, opts, query.client_id);
-	if (!client) throw ctx.redirect(getErrorURL(ctx, "invalid_client", "client_id is required"));
-	if (client.disabled) throw ctx.redirect(getErrorURL(ctx, "client_disabled", "client is disabled"));
-	if (!client.redirectUris?.find((url) => url === query.redirect_uri) || !query.redirect_uri) throw ctx.redirect(getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
+	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!client.redirectUris?.find((url) => {
+		if (url === query.redirect_uri) return true;
+		try {
+			const registered = new URL(url);
+			const requested = new URL(query.redirect_uri);
+			if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
+		} catch {}
+		return false;
+	}) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
 		const invalidScopes = requestedScopes.filter((scope) => {
 			return !validScopes?.has(scope);
 		});
-		if (invalidScopes.length) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state, getIssuer(ctx, opts)));
+		if (invalidScopes.length) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`, query.state, getIssuer(ctx, opts)));
 	}
 	if (!requestedScopes) {
 		requestedScopes = client.scopes ?? opts.scopes ?? [];
@@ -3709,11 +3758,11 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	const pkceRequired = isPKCERequired(client, requestedScopes);
 	if (pkceRequired) {
-		if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
+		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
 	}
 	if (query.code_challenge || query.code_challenge_method) {
-		if (!query.code_challenge || !query.code_challenge_method) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
-		if (!["S256"].includes(query.code_challenge_method)) throw ctx.redirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
+		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
+		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
 	const session = await getSessionFromCtx(ctx);
 	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
@@ -3799,6 +3848,11 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		referenceId
 	});
 }
+function serializeAuthorizationQuery(query) {
+	const params = new URLSearchParams();
+	for (const [key, value] of Object.entries(query)) if (value != null) params.set(key, String(value));
+	return params;
+}
 async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const iat = Math.floor(Date.now() / 1e3);
@@ -3809,7 +3863,7 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 		expiresAt: /* @__PURE__ */ new Date(exp * 1e3),
 		value: JSON.stringify({
 			type: "authorization_code",
-			query: ctx.query,
+			query: verificationValue.query,
 			userId: verificationValue.userId,
 			sessionId: verificationValue?.sessionId,
 			referenceId: verificationValue.referenceId,
@@ -3839,7 +3893,7 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 }
 async function signParams(ctx, opts) {
 	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
-	const params = new URLSearchParams(ctx.query);
+	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
@@ -3945,5 +3999,3 @@ const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
 };
 //#endregion
 export { authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
-
-//# sourceMappingURL=index.mjs.map