@better-auth/oauth-provider 1.6.17 → 1.6.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/client-resource.mjs +2 -2
  2. package/dist/client.mjs +2 -13
  3. package/dist/index.mjs +12 -8
  4. package/dist/{utils-BKGiA6QL.mjs → utils-CN81wPAr.mjs} +5 -12
  5. package/dist/version-BOM1iw6q.mjs +47 -0
  6. package/package.json +7 -7
  7. package/dist/version-yLooQum9.mjs +0 -5
package/dist/client-resource.mjs CHANGED
@@ -1,5 +1,5 @@
1
- import { C as handleMcpErrors, a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-BKGiA6QL.mjs";
2
- import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
1
+ import { a as getJwtPlugin, b as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-CN81wPAr.mjs";
2
+ import { t as PACKAGE_VERSION } from "./version-BOM1iw6q.mjs";
3
3
  import { verifyAccessToken } from "better-auth/oauth2";
4
4
  import { APIError } from "better-call";
5
5
  import { logger } from "@better-auth/core/env";
package/dist/client.mjs CHANGED
@@ -1,17 +1,6 @@
1
- import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
1
+ import { n as buildSignedOAuthQuery, t as PACKAGE_VERSION } from "./version-BOM1iw6q.mjs";
2
2
  import { safeJSONParse } from "@better-auth/core/utils/json";
3
3
  //#region src/client.ts
4
- function parseSignedQuery(search) {
5
- const params = new URLSearchParams(search);
6
- if (params.has("sig")) {
7
- const signedParams = new URLSearchParams();
8
- for (const [key, value] of params.entries()) {
9
- signedParams.append(key, value);
10
- if (key === "sig") break;
11
- }
12
- return signedParams.toString();
13
- }
14
- }
15
4
  const oauthProviderClient = () => {
16
5
  return {
17
6
  id: "oauth-provider-client",
@@ -26,7 +15,7 @@ const oauthProviderClient = () => {
26
15
  if (body?.oauth_query) return;
27
16
  if (typeof window !== "undefined" && window?.location?.search && !(ctx.method === "GET" || ctx.method === "DELETE")) ctx.body = JSON.stringify({
28
17
  ...body,
29
- oauth_query: parseSignedQuery(window.location.search)
18
+ oauth_query: buildSignedOAuthQuery(window.location.search)
30
19
  });
31
20
  } }
32
21
  }],
package/dist/index.mjs CHANGED
@@ -1,5 +1,5 @@
1
- import { S as verifyOAuthQueryParams, _ as searchParamsToQuery, a as getJwtPlugin, b as storeToken, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as resolveSubjectIdentifier, h as resolveSessionAuthTime, i as getClient, l as isPKCERequired, m as removePromptFromQuery, n as clientAllowsGrant, p as postLoginClearedParam, r as decryptStoredClientSecret, s as getSignedQueryIssuedAt, t as basicToClientCredentials, u as normalizeTimestampValue, v as signedQueryIssuedAtParam, w as mcpHandler, x as validateClientCredentials, y as storeClientSecret } from "./utils-BKGiA6QL.mjs";
2
- import { t as PACKAGE_VERSION } from "./version-yLooQum9.mjs";
1
+ import { _ as storeToken, a as getJwtPlugin, c as isPKCERequired, d as parsePrompt, f as removePromptFromQuery, g as storeClientSecret, h as searchParamsToQuery, i as getClient, l as normalizeTimestampValue, m as resolveSubjectIdentifier, n as clientAllowsGrant, p as resolveSessionAuthTime, r as decryptStoredClientSecret, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as validateClientCredentials, x as mcpHandler, y as verifyOAuthQueryParams } from "./utils-CN81wPAr.mjs";
2
+ import { a as postLoginClearedParam, i as getSignedQueryIssuedAt, o as setSignedOAuthQueryParameterNames, r as canonicalizeOAuthQueryParams, s as signedQueryIssuedAtParam, t as PACKAGE_VERSION } from "./version-BOM1iw6q.mjs";
3
3
  import { APIError, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
4
4
  import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
5
5
  import { APIError as APIError$1 } from "better-call";
@@ -457,7 +457,7 @@ async function createRefreshToken(ctx, opts, user, referenceId, client, scopes,
457
457
  })).id,
458
458
  token: await encodeRefreshToken(opts, token, sessionId)
459
459
  };
460
- if (!await ctx.context.adapter.update({
460
+ if (!await ctx.context.adapter.incrementOne({
461
461
  model: "oauthRefreshToken",
462
462
  where: [{
463
463
  field: "id",
@@ -467,7 +467,8 @@ async function createRefreshToken(ctx, opts, user, referenceId, client, scopes,
467
467
  operator: "eq",
468
468
  value: null
469
469
  }],
470
- update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
470
+ increment: {},
471
+ set: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
471
472
  })) throw new APIError("BAD_REQUEST", {
472
473
  error_description: "invalid refresh token",
473
474
  error: "invalid_grant"
@@ -2348,7 +2349,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
2348
2349
  }
2349
2350
  if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
2350
2351
  const iat = Math.floor(Date.now() / 1e3);
2351
- if (!await ctx.context.adapter.update({
2352
+ if (!await ctx.context.adapter.incrementOne({
2352
2353
  model: "oauthRefreshToken",
2353
2354
  where: [{
2354
2355
  field: "id",
@@ -2358,7 +2359,8 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
2358
2359
  operator: "eq",
2359
2360
  value: null
2360
2361
  }],
2361
- update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
2362
+ increment: {},
2363
+ set: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
2362
2364
  })) {
2363
2365
  await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
2364
2366
  throw new APIError$1("BAD_REQUEST", {
@@ -4025,10 +4027,12 @@ async function signParams(ctx, opts, flags) {
4025
4027
  const params = serializeAuthorizationQuery(ctx.query);
4026
4028
  params.set("exp", String(exp));
4027
4029
  params.set(signedQueryIssuedAtParam, String(issuedAt));
4030
+ params.delete("sig");
4028
4031
  params.delete(postLoginClearedParam);
4029
4032
  if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
4030
- const signature = await makeSignature(params.toString(), ctx.context.secret);
4031
- params.append("sig", signature);
4033
+ setSignedOAuthQueryParameterNames(params);
4034
+ const signature = await makeSignature(canonicalizeOAuthQueryParams(params).toString(), ctx.context.secret);
4035
+ params.set("sig", signature);
4032
4036
  return params.toString();
4033
4037
  }
4034
4038
  //#endregion
package/dist/{utils-BKGiA6QL.mjs → utils-CN81wPAr.mjs} RENAMED
@@ -1,3 +1,4 @@
1
+ import { r as canonicalizeOAuthQueryParams } from "./version-BOM1iw6q.mjs";
1
2
  import { isAPIError } from "better-auth/api";
2
3
  import { verifyAccessToken } from "better-auth/oauth2";
3
4
  import { APIError as APIError$1 } from "better-call";
@@ -132,10 +133,11 @@ const cachedTrustedClients = new TTLCache();
132
133
  async function verifyOAuthQueryParams(oauth_query, secret) {
133
134
  const queryParams = new URLSearchParams(oauth_query);
134
135
  const sig = queryParams.get("sig");
136
+ const sigs = queryParams.getAll("sig");
135
137
  const exp = Number(queryParams.get("exp"));
136
138
  queryParams.delete("sig");
137
- const verifySig = await makeSignature(queryParams.toString(), secret);
138
- return !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
139
+ const verifySig = await makeSignature(canonicalizeOAuthQueryParams(queryParams).toString(), secret);
140
+ return sigs.length === 1 && !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
139
141
  }
140
142
  /**
141
143
  * Get a client by ID, checking trusted clients first, then database
@@ -390,15 +392,6 @@ function searchParamsToQuery(params) {
390
392
  }
391
393
  return result;
392
394
  }
393
- const signedQueryIssuedAtParam = "ba_iat";
394
- const postLoginClearedParam = "ba_pl";
395
- function getSignedQueryIssuedAt(oauthQuery) {
396
- const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
397
- if (!raw) return null;
398
- const issuedAt = Number(raw);
399
- if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
400
- return new Date(issuedAt);
401
- }
402
395
  function removePromptFromQuery(query, prompt) {
403
396
  const nextQuery = new URLSearchParams(query);
404
397
  const prompts = nextQuery.get("prompt")?.split(" ");
@@ -436,4 +429,4 @@ function isPKCERequired(client, requestedScopes) {
436
429
  return false;
437
430
  }
438
431
  //#endregion
439
- export { handleMcpErrors as C, verifyOAuthQueryParams as S, searchParamsToQuery as _, getJwtPlugin as a, storeToken as b, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, resolveSubjectIdentifier as g, resolveSessionAuthTime as h, getClient as i, isPKCERequired as l, removePromptFromQuery as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, postLoginClearedParam as p, decryptStoredClientSecret as r, getSignedQueryIssuedAt as s, basicToClientCredentials as t, normalizeTimestampValue as u, signedQueryIssuedAtParam as v, mcpHandler as w, validateClientCredentials as x, storeClientSecret as y };
432
+ export { storeToken as _, getJwtPlugin as a, handleMcpErrors as b, isPKCERequired as c, parsePrompt as d, removePromptFromQuery as f, storeClientSecret as g, searchParamsToQuery as h, getClient as i, normalizeTimestampValue as l, resolveSubjectIdentifier as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, resolveSessionAuthTime as p, decryptStoredClientSecret as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, validateClientCredentials as v, mcpHandler as x, verifyOAuthQueryParams as y };
package/dist/version-BOM1iw6q.mjs ADDED
@@ -0,0 +1,47 @@
1
+ //#region src/signed-query.ts
2
+ const signedQueryIssuedAtParam = "ba_iat";
3
+ const postLoginClearedParam = "ba_pl";
4
+ const signedQueryParameterNameParam = "ba_param";
5
+ function canonicalizeOAuthQueryParams(params) {
6
+ const canonicalParams = new URLSearchParams();
7
+ const entries = [...params.entries()].sort(([keyA, valueA], [keyB, valueB]) => {
8
+ if (keyA < keyB) return -1;
9
+ if (keyA > keyB) return 1;
10
+ if (valueA < valueB) return -1;
11
+ if (valueA > valueB) return 1;
12
+ return 0;
13
+ });
14
+ for (const [key, value] of entries) canonicalParams.append(key, value);
15
+ return canonicalParams;
16
+ }
17
+ function setSignedOAuthQueryParameterNames(params) {
18
+ params.delete(signedQueryParameterNameParam);
19
+ const signedParameterNames = [...new Set([...params.keys(), signedQueryParameterNameParam])].sort();
20
+ for (const parameterName of signedParameterNames) params.append(signedQueryParameterNameParam, parameterName);
21
+ }
22
+ function getSignedOAuthQueryParameterNames(params) {
23
+ const signedParameterNames = params.getAll(signedQueryParameterNameParam);
24
+ if (!signedParameterNames.length) return;
25
+ return new Set(signedParameterNames);
26
+ }
27
+ function buildSignedOAuthQuery(search) {
28
+ const params = new URLSearchParams(search);
29
+ if (!params.has("sig")) return;
30
+ const signedParameterNames = getSignedOAuthQueryParameterNames(params);
31
+ if (!signedParameterNames) return;
32
+ const signedParams = new URLSearchParams();
33
+ for (const [key, value] of params.entries()) if (key === "sig" || key === signedQueryParameterNameParam || signedParameterNames.has(key)) signedParams.append(key, value);
34
+ return signedParams.toString();
35
+ }
36
+ function getSignedQueryIssuedAt(oauthQuery) {
37
+ const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
38
+ if (!raw) return null;
39
+ const issuedAt = Number(raw);
40
+ if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
41
+ return new Date(issuedAt);
42
+ }
43
+ //#endregion
44
+ //#region src/version.ts
45
+ const PACKAGE_VERSION = "1.6.19";
46
+ //#endregion
47
+ export { postLoginClearedParam as a, getSignedQueryIssuedAt as i, buildSignedOAuthQuery as n, setSignedOAuthQueryParameterNames as o, canonicalizeOAuthQueryParams as r, signedQueryIssuedAtParam as s, PACKAGE_VERSION as t };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@better-auth/oauth-provider",
3
- "version": "1.6.17",
3
+ "version": "1.6.19",
4
4
  "description": "An oauth provider plugin for Better Auth",
5
5
  "type": "module",
6
6
  "license": "MIT",
@@ -64,15 +64,15 @@
64
64
  "@modelcontextprotocol/sdk": "^1.27.1",
65
65
  "listhen": "^1.9.0",
66
66
  "tsdown": "0.21.1",
67
- "better-auth": "1.6.17",
68
- "@better-auth/core": "1.6.17"
67
+ "@better-auth/core": "1.6.19",
68
+ "better-auth": "1.6.19"
69
69
  },
70
70
  "peerDependencies": {
71
- "@better-auth/utils": "0.4.1",
72
- "@better-fetch/fetch": "1.3.0",
71
+ "@better-auth/utils": "0.4.2",
72
+ "@better-fetch/fetch": "1.3.1",
73
73
  "better-call": "1.3.6",
74
- "@better-auth/core": "^1.6.17",
75
- "better-auth": "^1.6.17"
74
+ "@better-auth/core": "^1.6.19",
75
+ "better-auth": "^1.6.19"
76
76
  },
77
77
  "scripts": {
78
78
  "build": "tsdown",
package/dist/version-yLooQum9.mjs DELETED
@@ -1,5 +0,0 @@
1
- //#endregion
2
- //#region src/version.ts
3
- const PACKAGE_VERSION = "1.6.17";
4
- //#endregion
5
- export { PACKAGE_VERSION as t };