@better-auth/oauth-provider 1.6.10 → 1.6.12

package/dist/client-resource.d.mts

@@ -1,9 +1,16 @@
-import { s as ResourceServerMetadata } from "./oauth-CqgT-XaR.mjs";
+import { s as ResourceServerMetadata } from "./oauth-D74mBkw6.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
-import { Auth } from "better-auth/types";
+import { BetterAuthOptions } from "better-auth/types";
 
 //#region src/client-resource.d.ts
-declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
+type ResourceClientAuth = {
+  options: {
+    baseURL?: BetterAuthOptions["baseURL"];
+    basePath?: BetterAuthOptions["basePath"];
+  };
+  $context: Promise<unknown>;
+};
+declare const oauthProviderResourceClient: <T extends ResourceClientAuth | undefined = undefined>(auth?: T) => {
   id: "oauth-provider-resource-client";
   version: string;
   getActions(): {
@@ -43,7 +50,7 @@ interface VerifyAccessTokenRemote {
    */
   force?: boolean;
 }
-type VerifyAccessTokenOutput<T> = T extends Auth ? (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {
   verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
   scopes?: string[];
@@ -64,12 +71,12 @@ type VerifyAccessTokenNoAuthOpts = {
   remoteVerify: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
-type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<ResourceServerMetadata>, opts?: {
+type ProtectedResourceMetadataOutput<T> = T extends undefined ? (overrides: ResourceServerMetadata, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };
   externalScopes?: string[];
-}) => Promise<ResourceServerMetadata> : (overrides: ResourceServerMetadata, opts?: {
+}) => Promise<ResourceServerMetadata> : (overrides?: Partial<ResourceServerMetadata>, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-DBCeGXT3.mjs";
+import { n as oauthProvider } from "./oauth-CUqnBdrR.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CqgT-XaR.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DBCeGXT3.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-D74mBkw6.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CUqnBdrR.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -21,6 +21,7 @@ verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request,
 //#region src/metadata.d.ts
 declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
   scopes_supported?: AuthServerMetadata["scopes_supported"];
+  dynamic_client_registration_supported?: boolean;
   public_client_supported?: boolean;
   grant_types_supported?: GrantType[];
   jwt_disabled?: boolean;

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
+import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -437,33 +437,95 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
 async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
@@ -541,15 +603,10 @@ async function createUserTokens(ctx, opts, params) {
 }
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_verification"
-	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
-		error: "invalid_verification"
+		error_description: "invalid code",
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -557,13 +614,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -764,16 +821,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
@@ -2176,12 +2224,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2329,16 +2377,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2346,20 +2385,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2569,7 +2619,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",
@@ -2776,6 +2827,47 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse(authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+				scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+				dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+				public_client_supported: opts.allowUnauthenticatedClientRegistration,
+				grant_types_supported: opts.grantTypes,
+				jwt_disabled: opts.disableJwtPlugin
+			})) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -2797,6 +2889,7 @@ const oauthProvider = (options) => {
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
 		},
+		onRequest: handleIssuerMetadataRequest,
 		hooks: {
 			before: [{
 				matcher(ctx) {
@@ -2853,6 +2946,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
 				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 					public_client_supported: opts.allowUnauthenticatedClientRegistration,
 					grant_types_supported: opts.grantTypes,
 					jwt_disabled: opts.disableJwtPlugin
@@ -3975,7 +4069,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4002,6 +4096,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin

package/dist/{oauth-DBCeGXT3.d.mts → oauth-CUqnBdrR.d.mts}

@@ -1,4 +1,4 @@
-import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-CqgT-XaR.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-D74mBkw6.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -30,6 +30,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   version: string;
   options: NoInfer<O>;
   init: (ctx: better_auth0.AuthContext) => void;
+  onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
+    response: Response;
+  } | {
+    request: Request;
+  } | void>;
   hooks: {
     before: {
       matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -1914,6 +1919,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         token: {
           type: "string";
           required: true;
+          unique: true;
         };
         clientId: {
           type: "string";

package/dist/{oauth-CqgT-XaR.d.mts → oauth-D74mBkw6.d.mts}

@@ -143,6 +143,7 @@ declare const schema: {
       token: {
         type: "string";
         required: true;
+        unique: true;
       };
       clientId: {
         type: "string";
@@ -1379,9 +1380,11 @@ interface AuthServerMetadata {
   /**
    * The URL of the dynamic client registration endpoint.
    *
+   * This field is only present when `allowDynamicClientRegistration` is enabled.
+   *
    * @default `/oauth2/register`
    */
-  registration_endpoint: string;
+  registration_endpoint?: string;
   /**
    * Supported scopes.
    */

package/dist/{utils-LAthGy-x.mjs → utils-DoYEeMrg.mjs}

@@ -254,11 +254,13 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
+		const separatorIndex = decoded.indexOf(":");
+		if (separatorIndex === -1) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
-		const [id, secret] = decoded.split(":", 2);
+		const id = decoded.slice(0, separatorIndex);
+		const secret = decoded.slice(separatorIndex + 1);
 		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"

package/dist/{version-Cg-c01N0.mjs → version-DZ0lABPc.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.10";
+const PACKAGE_VERSION = "1.6.12";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.10",
+  "version": "1.6.12",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.10",
-    "better-auth": "1.6.10"
+    "@better-auth/core": "1.6.12",
+    "better-auth": "1.6.12"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.10",
-    "better-auth": "^1.6.10"
+    "@better-auth/core": "^1.6.12",
+    "better-auth": "^1.6.12"
   },
   "scripts": {
     "build": "tsdown",