@better-auth/oauth-provider 1.6.14 → 1.6.15

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
 import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-CUqnBdrR.mjs";
+import { n as oauthProvider } from "./oauth-DZ80cNUW.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-D74mBkw6.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CUqnBdrR.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DZ80cNUW.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
+import { APIError, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
@@ -16,7 +16,7 @@ import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
+async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
 	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
@@ -47,11 +47,7 @@ async function consentEndpoint(ctx, opts) {
 	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
 		ctx?.headers?.set("accept", "application/json");
 		ctx.query = searchParamsToQuery(query);
-		const { url } = await authorizeEndpoint(ctx, opts);
-		return {
-			redirect: true,
-			url
-		};
+		return await authorize(ctx);
 	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
@@ -106,11 +102,7 @@ async function consentEndpoint(ctx, opts) {
 	let authorizationQuery = removePromptFromQuery(query, "consent");
 	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
 	ctx.query = searchParamsToQuery(authorizationQuery);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 }
 function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
 	if (!signedQueryIssuedAt) return false;
@@ -120,16 +112,16 @@ function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
 }
 //#endregion
 //#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+async function continueEndpoint(ctx, authorize) {
+	if (ctx.body.selected === true) return await selected(ctx, authorize);
+	else if (ctx.body.created === true) return await created(ctx, authorize);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, authorize);
 	else throw new APIError("BAD_REQUEST", {
 		error_description: "Missing parameters",
 		error: "invalid_request"
 	});
 }
-async function selected(ctx, opts) {
+async function selected(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -137,13 +129,9 @@ async function selected(ctx, opts) {
 	});
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function created(ctx, opts) {
+async function created(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -152,13 +140,9 @@ async function created(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function postLogin(ctx, opts) {
+async function postLogin(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -167,11 +151,7 @@ async function postLogin(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx, { postLogin: true });
 }
 //#endregion
 //#region src/types/zod.ts
@@ -2849,6 +2829,140 @@ const oauthProvider = (options) => {
 		}
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
+	const oauth2AuthorizeEndpoint = createAuthEndpoint("/oauth2/authorize", {
+		method: "GET",
+		query: z.object({
+			response_type: z.enum(["code"]).optional(),
+			client_id: z.string(),
+			redirect_uri: SafeUrlSchema.optional(),
+			scope: z.string().optional(),
+			state: z.string().optional(),
+			request_uri: z.string().optional(),
+			code_challenge: z.string().optional(),
+			code_challenge_method: z.enum(["S256"]).optional(),
+			nonce: z.string().optional(),
+			prompt: z.enum([
+				"none",
+				"consent",
+				"login",
+				"create",
+				"select_account",
+				"login consent",
+				"select_account consent"
+			]).optional()
+		}),
+		metadata: { openapi: {
+			description: "Authorize an OAuth2 request",
+			parameters: [
+				{
+					name: "response_type",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 response type (e.g., 'code')"
+				},
+				{
+					name: "client_id",
+					in: "query",
+					required: true,
+					schema: { type: "string" },
+					description: "OAuth2 client ID"
+				},
+				{
+					name: "redirect_uri",
+					in: "query",
+					required: false,
+					schema: {
+						type: "string",
+						format: "uri"
+					},
+					description: "OAuth2 redirect URI"
+				},
+				{
+					name: "scope",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 scopes (space-separated)"
+				},
+				{
+					name: "state",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 state parameter"
+				},
+				{
+					name: "request_uri",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "Pushed Authorization Request URI referencing stored parameters"
+				},
+				{
+					name: "code_challenge",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge"
+				},
+				{
+					name: "code_challenge_method",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge method"
+				},
+				{
+					name: "nonce",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OpenID Connect nonce"
+				},
+				{
+					name: "prompt",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 prompt parameter"
+				}
+			],
+			responses: {
+				"302": {
+					description: "Redirect to client with code or error",
+					headers: { Location: {
+						description: "Redirect URI with code or error",
+						schema: {
+							type: "string",
+							format: "uri"
+						}
+					} }
+				},
+				"400": {
+					description: "Invalid request",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							error: { type: "string" },
+							error_description: { type: "string" },
+							state: { type: "string" }
+						},
+						required: ["error"]
+					} } }
+				}
+			}
+		} }
+	}, async (ctx) => {
+		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
+	});
+	const runOAuth2Authorize = (ctx, settings) => dispatchAuthEndpoint(oauth2AuthorizeEndpoint, {
+		...ctx,
+		asResponse: false,
+		returnHeaders: false,
+		returnStatus: false,
+		authorizeSettings: settings ?? {}
+	});
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -2915,7 +3029,7 @@ const oauthProvider = (options) => {
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
 					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
-					return await authorizeEndpoint(ctx, opts);
+					return await runOAuth2Authorize(ctx);
 				})
 			}]
 		},
@@ -2940,133 +3054,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
-				method: "GET",
-				query: z.object({
-					response_type: z.enum(["code"]).optional(),
-					client_id: z.string(),
-					redirect_uri: SafeUrlSchema.optional(),
-					scope: z.string().optional(),
-					state: z.string().optional(),
-					request_uri: z.string().optional(),
-					code_challenge: z.string().optional(),
-					code_challenge_method: z.enum(["S256"]).optional(),
-					nonce: z.string().optional(),
-					prompt: z.enum([
-						"none",
-						"consent",
-						"login",
-						"create",
-						"select_account",
-						"login consent",
-						"select_account consent"
-					]).optional()
-				}),
-				metadata: { openapi: {
-					description: "Authorize an OAuth2 request",
-					parameters: [
-						{
-							name: "response_type",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 response type (e.g., 'code')"
-						},
-						{
-							name: "client_id",
-							in: "query",
-							required: true,
-							schema: { type: "string" },
-							description: "OAuth2 client ID"
-						},
-						{
-							name: "redirect_uri",
-							in: "query",
-							required: false,
-							schema: {
-								type: "string",
-								format: "uri"
-							},
-							description: "OAuth2 redirect URI"
-						},
-						{
-							name: "scope",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 scopes (space-separated)"
-						},
-						{
-							name: "state",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 state parameter"
-						},
-						{
-							name: "request_uri",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "Pushed Authorization Request URI referencing stored parameters"
-						},
-						{
-							name: "code_challenge",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge"
-						},
-						{
-							name: "code_challenge_method",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge method"
-						},
-						{
-							name: "nonce",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OpenID Connect nonce"
-						},
-						{
-							name: "prompt",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 prompt parameter"
-						}
-					],
-					responses: {
-						"302": {
-							description: "Redirect to client with code or error",
-							headers: { Location: {
-								description: "Redirect URI with code or error",
-								schema: {
-									type: "string",
-									format: "uri"
-								}
-							} }
-						},
-						"400": {
-							description: "Invalid request",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" },
-									state: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						}
-					}
-				} }
-			}, async (ctx) => {
-				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
-			}),
+			oauth2Authorize: oauth2AuthorizeEndpoint,
 			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
 				method: "POST",
 				body: z.object({
@@ -3091,7 +3079,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return consentEndpoint(ctx, opts);
+				return consentEndpoint(ctx, opts, runOAuth2Authorize);
 			}),
 			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
 				method: "POST",
@@ -3118,7 +3106,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return continueEndpoint(ctx, opts);
+				return continueEndpoint(ctx, runOAuth2Authorize);
 			}),
 			oauth2Token: createAuthEndpoint("/oauth2/token", {
 				method: "POST",
@@ -3432,7 +3420,7 @@ const oauthProvider = (options) => {
 				return revokeEndpoint(ctx, opts);
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
-				method: "GET",
+				method: ["GET", "POST"],
 				metadata: { openapi: {
 					description: "Get OpenID Connect user information (UserInfo endpoint)",
 					security: [{ bearerAuth: [] }, { OAuth2: [

package/dist/{oauth-CUqnBdrR.d.mts → oauth-DZ80cNUW.d.mts}

@@ -234,6 +234,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     }, {
       redirect: boolean;
       url: string;
+    } | {
+      redirect: boolean;
+      url: string;
     }>;
     oauth2Continue: better_call0.StrictEndpoint<"/oauth2/continue", {
       method: "POST";
@@ -661,7 +664,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     }, null | undefined>;
     oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
-      method: "GET";
+      method: ("GET" | "POST")[];
       metadata: {
         openapi: {
           description: string;

package/dist/{version-CrTJknzp.mjs → version-CG3TZoBa.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.14";
+const PACKAGE_VERSION = "1.6.15";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.14",
+  "version": "1.6.15",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.14",
-    "better-auth": "1.6.14"
+    "@better-auth/core": "1.6.15",
+    "better-auth": "1.6.15"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.14",
-    "better-auth": "^1.6.14"
+    "@better-auth/core": "^1.6.15",
+    "better-auth": "^1.6.15"
   },
   "scripts": {
     "build": "tsdown",