@better-auth/oauth-provider 1.6.15 → 1.6.17

package/dist/client-resource.d.mts

@@ -49,6 +49,20 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
 type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
+import { C as handleMcpErrors, a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-BKGiA6QL.mjs";
+import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
+import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CG3TZoBa.mjs";
+import { S as verifyOAuthQueryParams, _ as searchParamsToQuery, a as getJwtPlugin, b as storeToken, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as resolveSubjectIdentifier, h as resolveSessionAuthTime, i as getClient, l as isPKCERequired, m as removePromptFromQuery, n as clientAllowsGrant, p as postLoginClearedParam, r as decryptStoredClientSecret, s as getSignedQueryIssuedAt, t as basicToClientCredentials, u as normalizeTimestampValue, v as signedQueryIssuedAtParam, w as mcpHandler, x as validateClientCredentials, y as storeClientSecret } from "./utils-BKGiA6QL.mjs";
+import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -143,7 +143,8 @@ async function created(ctx, authorize) {
 	return await authorize(ctx);
 }
 async function postLogin(ctx, authorize) {
-	const _query = (await oAuthState.get())?.query;
+	const state = await oAuthState.get();
+	const _query = state?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -151,7 +152,8 @@ async function postLogin(ctx, authorize) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	return await authorize(ctx, { postLogin: true });
+	const session = await getSessionFromCtx(ctx);
+	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/types/zod.ts
@@ -503,7 +505,7 @@ async function createUserTokens(ctx, opts, params) {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
 	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
+	const isRefreshToken = user && clientAllowsGrant(client, "refresh_token") && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
 	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
@@ -618,7 +620,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, "authorization_code");
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
@@ -701,7 +703,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, "client_credentials");
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -784,7 +786,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, "refresh_token");
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -825,6 +827,7 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
+			jwksCacheKey: jwtPlugin,
 			verifyOptions: {
 				audience: opts.validAudiences ?? ctx.context.baseURL,
 				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
@@ -842,12 +845,10 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		}
 		throw new Error(error);
 	}
-	let client;
-	if (jwtPayload.azp) {
-		client = await getClient(ctx, opts, jwtPayload.azp);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	}
+	if (!jwtPayload.azp) return { active: false };
+	const client = await getClient(ctx, opts, jwtPayload.azp);
+	if (!client || client?.disabled) return { active: false };
+	if (clientId && jwtPayload.azp !== clientId) return { active: false };
 	const sessionId = jwtPayload.sid;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
@@ -859,7 +860,7 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
 	}
-	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
+	jwtPayload.client_id = jwtPayload.azp;
 	jwtPayload.active = true;
 	return jwtPayload;
 }
@@ -2268,6 +2269,7 @@ async function revokeJwtAccessToken(ctx, opts, token) {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
+			jwksCacheKey: jwtPlugin,
 			verifyOptions: {
 				audience: opts.validAudiences ?? ctx.context.baseURL,
 				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
@@ -3856,6 +3858,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!clientAllowsGrant(client, "authorization_code")) return handleRedirect(ctx, getErrorURL(ctx, "unauthorized_client", "client is not authorized to use the authorization_code grant"));
 	if (!client.redirectUris?.find((url) => {
 		if (url === query.redirect_uri) return true;
 		try {

package/dist/{utils-DoYEeMrg.mjs → utils-BKGiA6QL.mjs}

@@ -272,12 +272,27 @@ function basicToClientCredentials(authorization) {
 	}
 }
 /**
+* Whether a client is allowed to use a given grant type.
+*
+* A client's registered `grantTypes` defaults to the documented default
+* `["authorization_code"]` when unset (see client registration). Refresh tokens
+* are only ever issued through the authorization_code flow, so a client allowed
+* to use `authorization_code` is implicitly allowed to use `refresh_token`.
+*
+* @internal
+*/
+function clientAllowsGrant(client, grantType) {
+	const allowedGrants = client.grantTypes && client.grantTypes.length > 0 ? client.grantTypes : ["authorization_code"];
+	if (grantType === "refresh_token" && allowedGrants.includes("authorization_code")) return true;
+	return allowedGrants.includes(grantType);
+}
+/**
 * Validates client credentials failing on mismatches
 * and incorrectly provided information
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes) {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, grantType) {
 	const client = await getClient(ctx, options, clientId);
 	if (!client) throw new APIError$1("BAD_REQUEST", {
 		error_description: "missing client",
@@ -306,6 +321,10 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 			error: "invalid_scope"
 		});
 	}
+	if (grantType && !clientAllowsGrant(client, grantType)) throw new APIError$1("BAD_REQUEST", {
+		error_description: `client is not authorized to use grant type ${grantType}`,
+		error: "unauthorized_client"
+	});
 	return client;
 }
 /**
@@ -417,4 +436,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { mcpHandler as C, handleMcpErrors as S, signedQueryIssuedAtParam as _, getOAuthProviderPlugin as a, validateClientCredentials as b, isPKCERequired as c, parsePrompt as d, postLoginClearedParam as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, getJwtPlugin as i, normalizeTimestampValue as l, resolveSessionAuthTime as m, decryptStoredClientSecret as n, getSignedQueryIssuedAt as o, removePromptFromQuery as p, getClient as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, storeClientSecret as v, verifyOAuthQueryParams as x, storeToken as y };
+export { handleMcpErrors as C, verifyOAuthQueryParams as S, searchParamsToQuery as _, getJwtPlugin as a, storeToken as b, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, resolveSubjectIdentifier as g, resolveSessionAuthTime as h, getClient as i, isPKCERequired as l, removePromptFromQuery as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, postLoginClearedParam as p, decryptStoredClientSecret as r, getSignedQueryIssuedAt as s, basicToClientCredentials as t, normalizeTimestampValue as u, signedQueryIssuedAtParam as v, mcpHandler as w, validateClientCredentials as x, storeClientSecret as y };

package/dist/{version-CG3TZoBa.mjs → version-yLooQum9.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.15";
+const PACKAGE_VERSION = "1.6.17";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.15",
+  "version": "1.6.17",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.15",
-    "better-auth": "1.6.15"
+    "better-auth": "1.6.17",
+    "@better-auth/core": "1.6.17"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.15",
-    "better-auth": "^1.6.15"
+    "@better-fetch/fetch": "1.3.0",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.6.17",
+    "better-auth": "^1.6.17"
   },
   "scripts": {
     "build": "tsdown",