npm - @better-auth/oauth-provider - Versions diffs - 1.6.10 → 1.6.11 - Mend

@better-auth/oauth-provider 1.6.10 → 1.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/client-resource.d.mts +1 -1
package/dist/client-resource.mjs +1 -1
package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/index.d.mts +2 -2
package/dist/index.mjs +103 -48
package/dist/{oauth-CqgT-XaR.d.mts → oauth-BqWgUea8.d.mts} +1 -0
package/dist/{oauth-DBCeGXT3.d.mts → oauth-C4GaGx2I.d.mts} +2 -1
package/dist/{version-Cg-c01N0.mjs → version-CRjaDWWg.mjs} +1 -1
package/package.json +5 -5

package/dist/client-resource.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { s as ResourceServerMetadata } from "./oauth-CqgT-XaR.mjs";
+import { s as ResourceServerMetadata } from "./oauth-BqWgUea8.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";

package/dist/client-resource.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-DBCeGXT3.mjs";
+import { n as oauthProvider } from "./oauth-C4GaGx2I.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 //#region src/client.d.ts

package/dist/client.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CqgT-XaR.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DBCeGXT3.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-BqWgUea8.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-C4GaGx2I.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -437,33 +437,95 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
 async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
@@ -541,15 +603,14 @@ async function createUserTokens(ctx, opts, params) {
 }
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
 		error_description: "Invalid code",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
 		error_description: "code expired",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -557,13 +618,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -764,16 +825,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
@@ -2329,16 +2381,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2346,20 +2389,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2569,7 +2623,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",

package/dist/{oauth-CqgT-XaR.d.mts → oauth-BqWgUea8.d.mts} RENAMED Viewed

@@ -143,6 +143,7 @@ declare const schema: {
       token: {
         type: "string";
         required: true;
+        unique: true;
       };
       clientId: {
         type: "string";

package/dist/{oauth-DBCeGXT3.d.mts → oauth-C4GaGx2I.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-CqgT-XaR.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-BqWgUea8.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -1914,6 +1914,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         token: {
           type: "string";
           required: true;
+          unique: true;
         };
         clientId: {
           type: "string";

package/dist/{version-Cg-c01N0.mjs → version-CRjaDWWg.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.10";
+const PACKAGE_VERSION = "1.6.11";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.10",
+  "version": "1.6.11",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.10",
-    "better-auth": "1.6.10"
+    "@better-auth/core": "1.6.11",
+    "better-auth": "1.6.11"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.10",
-    "better-auth": "^1.6.10"
+    "@better-auth/core": "^1.6.11",
+    "better-auth": "^1.6.11"
   },
   "scripts": {
     "build": "tsdown",