@better-auth/oauth-provider 1.6.16 → 1.6.18

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { C as handleMcpErrors, a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-BKGiA6QL.mjs";
-import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
+import { a as getJwtPlugin, b as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-B8pHZVEm.mjs";
+import { t as PACKAGE_VERSION } from "./version-D8-vU8KW.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.mjs

@@ -1,17 +1,6 @@
-import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
+import { n as buildSignedOAuthQuery, t as PACKAGE_VERSION } from "./version-D8-vU8KW.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
-function parseSignedQuery(search) {
-	const params = new URLSearchParams(search);
-	if (params.has("sig")) {
-		const signedParams = new URLSearchParams();
-		for (const [key, value] of params.entries()) {
-			signedParams.append(key, value);
-			if (key === "sig") break;
-		}
-		return signedParams.toString();
-	}
-}
 const oauthProviderClient = () => {
 	return {
 		id: "oauth-provider-client",
@@ -26,7 +15,7 @@ const oauthProviderClient = () => {
 				if (body?.oauth_query) return;
 				if (typeof window !== "undefined" && window?.location?.search && !(ctx.method === "GET" || ctx.method === "DELETE")) ctx.body = JSON.stringify({
 					...body,
-					oauth_query: parseSignedQuery(window.location.search)
+					oauth_query: buildSignedOAuthQuery(window.location.search)
 				});
 			} }
 		}],

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { S as verifyOAuthQueryParams, _ as searchParamsToQuery, a as getJwtPlugin, b as storeToken, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as resolveSubjectIdentifier, h as resolveSessionAuthTime, i as getClient, l as isPKCERequired, m as removePromptFromQuery, n as clientAllowsGrant, p as postLoginClearedParam, r as decryptStoredClientSecret, s as getSignedQueryIssuedAt, t as basicToClientCredentials, u as normalizeTimestampValue, v as signedQueryIssuedAtParam, w as mcpHandler, x as validateClientCredentials, y as storeClientSecret } from "./utils-BKGiA6QL.mjs";
-import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
+import { _ as storeToken, a as getJwtPlugin, c as isPKCERequired, d as parsePrompt, f as removePromptFromQuery, g as storeClientSecret, h as searchParamsToQuery, i as getClient, l as normalizeTimestampValue, m as resolveSubjectIdentifier, n as clientAllowsGrant, p as resolveSessionAuthTime, r as decryptStoredClientSecret, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as validateClientCredentials, x as mcpHandler, y as verifyOAuthQueryParams } from "./utils-B8pHZVEm.mjs";
+import { a as postLoginClearedParam, i as getSignedQueryIssuedAt, o as setSignedOAuthQueryParameterNames, r as canonicalizeOAuthQueryParams, s as signedQueryIssuedAtParam, t as PACKAGE_VERSION } from "./version-D8-vU8KW.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -827,6 +827,7 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
+			jwksCacheKey: jwtPlugin,
 			verifyOptions: {
 				audience: opts.validAudiences ?? ctx.context.baseURL,
 				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
@@ -2268,6 +2269,7 @@ async function revokeJwtAccessToken(ctx, opts, token) {
 			jwksFetch: jwtPluginOptions?.jwks?.remoteUrl ? jwtPluginOptions.jwks.remoteUrl : async () => {
 				return (await jwtPlugin?.endpoints.getJwks(ctx))?.response;
 			},
+			jwksCacheKey: jwtPlugin,
 			verifyOptions: {
 				audience: opts.validAudiences ?? ctx.context.baseURL,
 				issuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL
@@ -4023,10 +4025,12 @@ async function signParams(ctx, opts, flags) {
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
 	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete("sig");
 	params.delete(postLoginClearedParam);
 	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
-	const signature = await makeSignature(params.toString(), ctx.context.secret);
-	params.append("sig", signature);
+	setSignedOAuthQueryParameterNames(params);
+	const signature = await makeSignature(canonicalizeOAuthQueryParams(params).toString(), ctx.context.secret);
+	params.set("sig", signature);
 	return params.toString();
 }
 //#endregion

package/dist/{utils-BKGiA6QL.mjs → utils-B8pHZVEm.mjs}

@@ -1,3 +1,4 @@
+import { r as canonicalizeOAuthQueryParams } from "./version-D8-vU8KW.mjs";
 import { isAPIError } from "better-auth/api";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -132,10 +133,11 @@ const cachedTrustedClients = new TTLCache();
 async function verifyOAuthQueryParams(oauth_query, secret) {
 	const queryParams = new URLSearchParams(oauth_query);
 	const sig = queryParams.get("sig");
+	const sigs = queryParams.getAll("sig");
 	const exp = Number(queryParams.get("exp"));
 	queryParams.delete("sig");
-	const verifySig = await makeSignature(queryParams.toString(), secret);
-	return !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
+	const verifySig = await makeSignature(canonicalizeOAuthQueryParams(queryParams).toString(), secret);
+	return sigs.length === 1 && !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
 }
 /**
 * Get a client by ID, checking trusted clients first, then database
@@ -390,15 +392,6 @@ function searchParamsToQuery(params) {
 	}
 	return result;
 }
-const signedQueryIssuedAtParam = "ba_iat";
-const postLoginClearedParam = "ba_pl";
-function getSignedQueryIssuedAt(oauthQuery) {
-	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
-	if (!raw) return null;
-	const issuedAt = Number(raw);
-	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
-	return new Date(issuedAt);
-}
 function removePromptFromQuery(query, prompt) {
 	const nextQuery = new URLSearchParams(query);
 	const prompts = nextQuery.get("prompt")?.split(" ");
@@ -436,4 +429,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { handleMcpErrors as C, verifyOAuthQueryParams as S, searchParamsToQuery as _, getJwtPlugin as a, storeToken as b, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, resolveSubjectIdentifier as g, resolveSessionAuthTime as h, getClient as i, isPKCERequired as l, removePromptFromQuery as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, postLoginClearedParam as p, decryptStoredClientSecret as r, getSignedQueryIssuedAt as s, basicToClientCredentials as t, normalizeTimestampValue as u, signedQueryIssuedAtParam as v, mcpHandler as w, validateClientCredentials as x, storeClientSecret as y };
+export { storeToken as _, getJwtPlugin as a, handleMcpErrors as b, isPKCERequired as c, parsePrompt as d, removePromptFromQuery as f, storeClientSecret as g, searchParamsToQuery as h, getClient as i, normalizeTimestampValue as l, resolveSubjectIdentifier as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, resolveSessionAuthTime as p, decryptStoredClientSecret as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, validateClientCredentials as v, mcpHandler as x, verifyOAuthQueryParams as y };

package/dist/version-D8-vU8KW.mjs

@@ -0,0 +1,47 @@
+//#region src/signed-query.ts
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+const signedQueryParameterNameParam = "ba_param";
+function canonicalizeOAuthQueryParams(params) {
+	const canonicalParams = new URLSearchParams();
+	const entries = [...params.entries()].sort(([keyA, valueA], [keyB, valueB]) => {
+		if (keyA < keyB) return -1;
+		if (keyA > keyB) return 1;
+		if (valueA < valueB) return -1;
+		if (valueA > valueB) return 1;
+		return 0;
+	});
+	for (const [key, value] of entries) canonicalParams.append(key, value);
+	return canonicalParams;
+}
+function setSignedOAuthQueryParameterNames(params) {
+	params.delete(signedQueryParameterNameParam);
+	const signedParameterNames = [...new Set([...params.keys(), signedQueryParameterNameParam])].sort();
+	for (const parameterName of signedParameterNames) params.append(signedQueryParameterNameParam, parameterName);
+}
+function getSignedOAuthQueryParameterNames(params) {
+	const signedParameterNames = params.getAll(signedQueryParameterNameParam);
+	if (!signedParameterNames.length) return;
+	return new Set(signedParameterNames);
+}
+function buildSignedOAuthQuery(search) {
+	const params = new URLSearchParams(search);
+	if (!params.has("sig")) return;
+	const signedParameterNames = getSignedOAuthQueryParameterNames(params);
+	if (!signedParameterNames) return;
+	const signedParams = new URLSearchParams();
+	for (const [key, value] of params.entries()) if (key === "sig" || key === signedQueryParameterNameParam || signedParameterNames.has(key)) signedParams.append(key, value);
+	return signedParams.toString();
+}
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+//#endregion
+//#region src/version.ts
+const PACKAGE_VERSION = "1.6.18";
+//#endregion
+export { postLoginClearedParam as a, getSignedQueryIssuedAt as i, buildSignedOAuthQuery as n, setSignedOAuthQueryParameterNames as o, canonicalizeOAuthQueryParams as r, signedQueryIssuedAtParam as s, PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.16",
+  "version": "1.6.18",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.16",
-    "better-auth": "1.6.16"
+    "@better-auth/core": "1.6.18",
+    "better-auth": "1.6.18"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-fetch/fetch": "1.3.0",
     "better-call": "1.3.6",
-    "@better-auth/core": "^1.6.16",
-    "better-auth": "^1.6.16"
+    "@better-auth/core": "^1.6.18",
+    "better-auth": "^1.6.18"
   },
   "scripts": {
     "build": "tsdown",

package/dist/version-BJguNh6q.mjs

@@ -1,5 +0,0 @@
-//#endregion
-//#region src/version.ts
-const PACKAGE_VERSION = "1.6.16";
-//#endregion
-export { PACKAGE_VERSION as t };