@better-auth/oauth-provider 1.6.3 → 1.6.5

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
 import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -1404,14 +1404,8 @@ function schemaToOAuth(input) {
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "read");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "read",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, ctx.query.client_id);
 	if (!client) throw new APIError("NOT_FOUND", {
 		error_description: "client not found",
@@ -1452,14 +1446,8 @@ async function getClientPublicEndpoint(ctx, opts, clientId) {
 }
 async function getClientsEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "list");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "list",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const referenceId = await opts.clientReference?.(session);
 	if (referenceId) return await ctx.context.adapter.findMany({
 		model: "oauthClient",
@@ -1493,14 +1481,8 @@ async function getClientsEndpoint(ctx, opts) {
 }
 async function deleteClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "delete");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "delete",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1526,14 +1508,8 @@ async function deleteClientEndpoint(ctx, opts) {
 }
 async function updateClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "update");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "update",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1580,14 +1556,8 @@ async function updateClientEndpoint(ctx, opts) {
 }
 async function rotateClientSecretEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "rotate");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "rotate",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1629,6 +1599,16 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1811,6 +1791,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1980,6 +1961,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {

package/dist/{version-BlcZ64XB.mjs → version-CYsV29Ge.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.3";
+const PACKAGE_VERSION = "1.6.5";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.3",
+  "version": "1.6.5",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.3",
-    "better-auth": "1.6.3"
+    "@better-auth/core": "1.6.5",
+    "better-auth": "1.6.5"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.3",
-    "better-auth": "^1.6.3"
+    "@better-auth/core": "^1.6.5",
+    "better-auth": "^1.6.5"
   },
   "scripts": {
     "build": "tsdown",