@better-auth/oauth-provider 1.6.11 → 1.6.12

package/dist/client-resource.d.mts

@@ -1,9 +1,16 @@
-import { s as ResourceServerMetadata } from "./oauth-BqWgUea8.mjs";
+import { s as ResourceServerMetadata } from "./oauth-D74mBkw6.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
-import { Auth } from "better-auth/types";
+import { BetterAuthOptions } from "better-auth/types";
 
 //#region src/client-resource.d.ts
-declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
+type ResourceClientAuth = {
+  options: {
+    baseURL?: BetterAuthOptions["baseURL"];
+    basePath?: BetterAuthOptions["basePath"];
+  };
+  $context: Promise<unknown>;
+};
+declare const oauthProviderResourceClient: <T extends ResourceClientAuth | undefined = undefined>(auth?: T) => {
   id: "oauth-provider-resource-client";
   version: string;
   getActions(): {
@@ -43,7 +50,7 @@ interface VerifyAccessTokenRemote {
    */
   force?: boolean;
 }
-type VerifyAccessTokenOutput<T> = T extends Auth ? (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {
   verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
   scopes?: string[];
@@ -64,12 +71,12 @@ type VerifyAccessTokenNoAuthOpts = {
   remoteVerify: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
-type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<ResourceServerMetadata>, opts?: {
+type ProtectedResourceMetadataOutput<T> = T extends undefined ? (overrides: ResourceServerMetadata, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };
   externalScopes?: string[];
-}) => Promise<ResourceServerMetadata> : (overrides: ResourceServerMetadata, opts?: {
+}) => Promise<ResourceServerMetadata> : (overrides?: Partial<ResourceServerMetadata>, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-C4GaGx2I.mjs";
+import { n as oauthProvider } from "./oauth-CUqnBdrR.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-BqWgUea8.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-C4GaGx2I.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-D74mBkw6.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CUqnBdrR.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -21,6 +21,7 @@ verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request,
 //#region src/metadata.d.ts
 declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
   scopes_supported?: AuthServerMetadata["scopes_supported"];
+  dynamic_client_registration_supported?: boolean;
   public_client_supported?: boolean;
   grant_types_supported?: GrantType[];
   jwt_disabled?: boolean;

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
-import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
+import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
+import { t as PACKAGE_VERSION } from "./version-DZ0lABPc.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -605,11 +605,7 @@ async function createUserTokens(ctx, opts, params) {
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
 	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_grant"
-	});
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
+		error_description: "invalid code",
 		error: "invalid_grant"
 	});
 	let rawValue;
@@ -2228,12 +2224,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2831,6 +2827,47 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse(authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+				scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+				dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+				public_client_supported: opts.allowUnauthenticatedClientRegistration,
+				grant_types_supported: opts.grantTypes,
+				jwt_disabled: opts.disableJwtPlugin
+			})) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -2852,6 +2889,7 @@ const oauthProvider = (options) => {
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
 		},
+		onRequest: handleIssuerMetadataRequest,
 		hooks: {
 			before: [{
 				matcher(ctx) {
@@ -2908,6 +2946,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
 				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 					public_client_supported: opts.allowUnauthenticatedClientRegistration,
 					grant_types_supported: opts.grantTypes,
 					jwt_disabled: opts.disableJwtPlugin
@@ -4030,7 +4069,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4057,6 +4096,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin

package/dist/{oauth-C4GaGx2I.d.mts → oauth-CUqnBdrR.d.mts}

@@ -1,4 +1,4 @@
-import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-BqWgUea8.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-D74mBkw6.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -30,6 +30,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   version: string;
   options: NoInfer<O>;
   init: (ctx: better_auth0.AuthContext) => void;
+  onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
+    response: Response;
+  } | {
+    request: Request;
+  } | void>;
   hooks: {
     before: {
       matcher(ctx: better_auth0.HookEndpointContext): any;

package/dist/{oauth-BqWgUea8.d.mts → oauth-D74mBkw6.d.mts}

@@ -1380,9 +1380,11 @@ interface AuthServerMetadata {
   /**
    * The URL of the dynamic client registration endpoint.
    *
+   * This field is only present when `allowDynamicClientRegistration` is enabled.
+   *
    * @default `/oauth2/register`
    */
-  registration_endpoint: string;
+  registration_endpoint?: string;
   /**
    * Supported scopes.
    */

package/dist/{utils-LAthGy-x.mjs → utils-DoYEeMrg.mjs}

@@ -254,11 +254,13 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
+		const separatorIndex = decoded.indexOf(":");
+		if (separatorIndex === -1) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
-		const [id, secret] = decoded.split(":", 2);
+		const id = decoded.slice(0, separatorIndex);
+		const secret = decoded.slice(separatorIndex + 1);
 		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"

package/dist/{version-CRjaDWWg.mjs → version-DZ0lABPc.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.11";
+const PACKAGE_VERSION = "1.6.12";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.11",
+  "version": "1.6.12",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.11",
-    "better-auth": "1.6.11"
+    "@better-auth/core": "1.6.12",
+    "better-auth": "1.6.12"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.11",
-    "better-auth": "^1.6.11"
+    "@better-auth/core": "^1.6.12",
+    "better-auth": "^1.6.12"
   },
   "scripts": {
     "build": "tsdown",