@better-auth/oauth-provider 1.6.0-beta.0 → 1.6.0

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-4vgZlF-I.mjs";
+import { a as ResourceServerMetadata } from "./oauth-Cc0nzj5Q.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
 import { a as getJwtPlugin, o as getOAuthProviderPlugin, v as handleMcpErrors } from "./utils-sQ4gYeh3.mjs";
-import { t as PACKAGE_VERSION } from "./version-DevbO3Yy.mjs";
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-CEoJtL3Y.mjs";
+import { n as oauthProvider } from "./oauth-CYgzO8Am.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-DevbO3Yy.mjs";
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-4vgZlF-I.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CEoJtL3Y.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CYgzO8Am.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { _ as verifyOAuthQueryParams, a as getJwtPlugin, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as validateClientCredentials, h as storeToken, i as getClient, l as normalizeTimestampValue, m as storeClientSecret, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, y as mcpHandler } from "./utils-sQ4gYeh3.mjs";
-import { t as PACKAGE_VERSION } from "./version-DevbO3Yy.mjs";
+import { t as PACKAGE_VERSION } from "./version-DNcPo3T3.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -474,7 +474,7 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error: "invalid_user"
 	});
 	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
-		error_description: "missing verification redirect_uri",
+		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
 	});
 	return verificationValue;
@@ -1172,6 +1172,10 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
+	if (settings?.isRegister && client.skip_consent) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "skip_consent cannot be set during dynamic client registration"
+	});
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
@@ -2805,11 +2809,12 @@ const oauthProvider = (options) => {
 			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
 				method: "GET",
 				query: z.object({
-					response_type: z.enum(["code"]),
+					response_type: z.enum(["code"]).optional(),
 					client_id: z.string(),
 					redirect_uri: SafeUrlSchema.optional(),
 					scope: z.string().optional(),
 					state: z.string().optional(),
+					request_uri: z.string().optional(),
 					code_challenge: z.string().optional(),
 					code_challenge_method: z.enum(["S256"]).optional(),
 					nonce: z.string().optional(),
@@ -2829,7 +2834,7 @@ const oauthProvider = (options) => {
 						{
 							name: "response_type",
 							in: "query",
-							required: true,
+							required: false,
 							schema: { type: "string" },
 							description: "OAuth2 response type (e.g., 'code')"
 						},
@@ -2864,6 +2869,13 @@ const oauthProvider = (options) => {
 							schema: { type: "string" },
 							description: "OAuth2 state parameter"
 						},
+						{
+							name: "request_uri",
+							in: "query",
+							required: false,
+							schema: { type: "string" },
+							description: "Pushed Authorization Request URI referencing stored parameters"
+						},
 						{
 							name: "code_challenge",
 							in: "query",
@@ -3436,7 +3448,8 @@ const oauthProvider = (options) => {
 						"native",
 						"user-agent-based"
 					]).optional(),
-					subject_type: z.enum(["public", "pairwise"]).optional()
+					subject_type: z.enum(["public", "pairwise"]).optional(),
+					skip_consent: z.boolean().optional()
 				}),
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
@@ -3698,8 +3711,21 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error_description: "request not found",
 		error: "invalid_request"
 	});
-	const query = ctx.query;
-	await oAuthState.set({ query: query.toString() });
+	let query = ctx.query;
+	if (query.request_uri) {
+		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
+		const resolvedParams = await opts.requestUriResolver({
+			requestUri: query.request_uri,
+			clientId: query.client_id ?? "",
+			ctx
+		});
+		if (!resolvedParams) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri is invalid or expired"));
+		const urlClientId = query.client_id;
+		query = resolvedParams;
+		if (urlClientId) query.client_id = urlClientId;
+	}
+	ctx.query = query;
+	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
 	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
 	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
@@ -3709,7 +3735,15 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
-	if (!client.redirectUris?.find((url) => url === query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	if (!client.redirectUris?.find((url) => {
+		if (url === query.redirect_uri) return true;
+		try {
+			const registered = new URL(url);
+			const requested = new URL(query.redirect_uri);
+			if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
+		} catch {}
+		return false;
+	}) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -3814,6 +3848,11 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		referenceId
 	});
 }
+function serializeAuthorizationQuery(query) {
+	const params = new URLSearchParams();
+	for (const [key, value] of Object.entries(query)) if (value != null) params.set(key, String(value));
+	return params;
+}
 async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const iat = Math.floor(Date.now() / 1e3);
@@ -3824,7 +3863,7 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 		expiresAt: /* @__PURE__ */ new Date(exp * 1e3),
 		value: JSON.stringify({
 			type: "authorization_code",
-			query: ctx.query,
+			query: verificationValue.query,
 			userId: verificationValue.userId,
 			sessionId: verificationValue?.sessionId,
 			referenceId: verificationValue.referenceId,
@@ -3854,7 +3893,7 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 }
 async function signParams(ctx, opts) {
 	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
-	const params = new URLSearchParams(ctx.query);
+	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);