@better-auth/oauth-provider 1.6.3 → 1.7.0-beta.1

package/dist/client-assertion-CderPEmR.mjs

@@ -0,0 +1,281 @@
+import { a as getClient } from "./utils-Cx_XnD9i.mjs";
+import { APIError } from "better-call";
+import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
+import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+//#endregion
+//#region src/utils/client-assertion.ts
+var client_assertion_exports = /* @__PURE__ */ __exportAll({
+	isPrivateHostname: () => isPrivateHostname,
+	verifyClientAssertion: () => verifyClientAssertion
+});
+const jwksCache = /* @__PURE__ */ new Map();
+const JWKS_CACHE_TTL_MS = 300 * 1e3;
+const JWKS_CACHE_MAX_ENTRIES = 500;
+const JWKS_FETCH_TIMEOUT_MS = 5e3;
+function setJwksCache(uri, jwks, fetchedAt) {
+	jwksCache.set(uri, {
+		jwks,
+		fetchedAt
+	});
+	if (jwksCache.size > JWKS_CACHE_MAX_ENTRIES) {
+		const oldest = jwksCache.keys().next().value;
+		if (oldest !== void 0) jwksCache.delete(oldest);
+	}
+}
+const ALGORITHMS_LIST = [...ASSERTION_SIGNING_ALGORITHMS];
+const pendingAssertionIds = /* @__PURE__ */ new Set();
+/**
+* Block SSRF: reject jwks_uri pointing at private/reserved IP ranges.
+* Only HTTPS with public hostnames is allowed.
+*/
+function isPrivateIpv4(hostname) {
+	const parts = hostname.split(".");
+	if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) return false;
+	const octets = parts.map(Number);
+	const a = octets[0];
+	const b = octets[1];
+	return a === 10 || a === 0 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254 || a === 127;
+}
+function isPrivateHostname(hostname) {
+	const lower = hostname.toLowerCase();
+	const host = lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
+	if (host === "localhost" || host === "::1") return true;
+	if (isPrivateIpv4(host)) return true;
+	if (host.includes(":")) {
+		const v4MappedMatch = host.match(/^(?:0{0,4}:){0,4}:?(?:0{0,4}:)?ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
+		if (v4MappedMatch && isPrivateIpv4(v4MappedMatch[1])) return true;
+		const isLinkLocal = host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb");
+		const isUniqueLocal = host.startsWith("fc") || host.startsWith("fd");
+		if (isLinkLocal || isUniqueLocal) return true;
+	}
+	if (host === "metadata.google.internal") return true;
+	return false;
+}
+function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
+	const parsed = new URL(jwksUri);
+	if (parsed.protocol !== "https:") throw new APIError("BAD_REQUEST", {
+		error_description: "jwks_uri must use HTTPS",
+		error: "invalid_client"
+	});
+	if (isPrivateHostname(parsed.hostname)) throw new APIError("BAD_REQUEST", {
+		error_description: "jwks_uri must not point to a private or reserved address",
+		error: "invalid_client"
+	});
+	if (clientIdUrlOrigin && parsed.origin === clientIdUrlOrigin) return;
+	if (!ctx.context.isTrustedOrigin(parsed.href)) throw new APIError("BAD_REQUEST", {
+		error_description: "client jwks_uri is not trusted",
+		error: "invalid_client"
+	});
+}
+function urlClientIdOrigin(clientId) {
+	if (!clientId.startsWith("https://") && !clientId.startsWith("http://")) return;
+	try {
+		return new URL(clientId).origin;
+	} catch {
+		return;
+	}
+}
+async function fetchJwksFromUri(jwksUri) {
+	const controller = new AbortController();
+	const timeout = setTimeout(() => controller.abort(), JWKS_FETCH_TIMEOUT_MS);
+	try {
+		const response = await fetch(jwksUri, {
+			signal: controller.signal,
+			headers: { accept: "application/json" },
+			redirect: "error"
+		});
+		if (!response.ok) throw new Error(`JWKS fetch returned ${response.status}`);
+		const jwks = await response.json();
+		if (!jwks.keys || !Array.isArray(jwks.keys)) throw new Error("JWKS response missing keys array");
+		return jwks;
+	} finally {
+		clearTimeout(timeout);
+	}
+}
+async function fetchClientJwks(ctx, client) {
+	if (client.jwks) return JSON.parse(client.jwks);
+	if (!client.jwksUri) throw new APIError("BAD_REQUEST", {
+		error_description: "client has no JWKS configured",
+		error: "invalid_client"
+	});
+	validateJwksUri(ctx, client.jwksUri, urlClientIdOrigin(client.clientId));
+	const now = Date.now();
+	const cached = jwksCache.get(client.jwksUri);
+	if (cached && now - cached.fetchedAt < JWKS_CACHE_TTL_MS) return cached.jwks;
+	try {
+		const jwks = await fetchJwksFromUri(client.jwksUri);
+		setJwksCache(client.jwksUri, jwks, now);
+		return jwks;
+	} catch {
+		const staleLimitMs = JWKS_CACHE_TTL_MS * 2;
+		if (cached && now - cached.fetchedAt < staleLimitMs) return cached.jwks;
+		throw new APIError("BAD_REQUEST", {
+			error_description: "failed to fetch client JWKS",
+			error: "invalid_client"
+		});
+	}
+}
+/**
+* Refetch JWKS from jwks_uri when signature verification fails with cached keys.
+* Handles key rotation: the client may have published a new key that isn't in our cache yet.
+*/
+async function refetchClientJwks(client) {
+	if (!client.jwksUri) return null;
+	try {
+		const jwks = await fetchJwksFromUri(client.jwksUri);
+		setJwksCache(client.jwksUri, jwks, Date.now());
+		return jwks;
+	} catch {
+		return null;
+	}
+}
+/**
+* Verifies a client assertion JWT for `private_key_jwt` authentication.
+*
+* Validates: signature, iss=client_id, sub=client_id, aud=token_endpoint,
+* exp, assertion max lifetime, jti uniqueness (replay prevention).
+*/
+async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertionType, clientIdHint, expectedAudience) {
+	if (clientAssertionType !== CLIENT_ASSERTION_TYPE) throw new APIError("BAD_REQUEST", {
+		error_description: "unsupported client_assertion_type",
+		error: "invalid_client"
+	});
+	let header;
+	try {
+		header = decodeProtectedHeader(clientAssertion);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			error_description: "malformed client assertion: invalid JWT header",
+			error: "invalid_client"
+		});
+	}
+	if (!header.alg || !ASSERTION_SIGNING_ALGORITHMS.includes(header.alg)) throw new APIError("BAD_REQUEST", {
+		error_description: `unsupported assertion signing algorithm: ${header.alg}`,
+		error: "invalid_client"
+	});
+	let unverified;
+	try {
+		unverified = decodeJwt(clientAssertion);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			error_description: "malformed client assertion: invalid JWT payload",
+			error: "invalid_client"
+		});
+	}
+	const clientId = unverified.sub ?? unverified.iss;
+	if (!clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must contain sub or iss claim identifying the client",
+		error: "invalid_client"
+	});
+	if (clientIdHint && clientIdHint !== clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client_id in body does not match assertion sub/iss",
+		error: "invalid_client"
+	});
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError("BAD_REQUEST", {
+		error_description: "unknown client",
+		error: "invalid_client"
+	});
+	if (client.disabled) throw new APIError("BAD_REQUEST", {
+		error_description: "client is disabled",
+		error: "invalid_client"
+	});
+	if (client.tokenEndpointAuthMethod !== "private_key_jwt") throw new APIError("BAD_REQUEST", {
+		error_description: "client is not registered for private_key_jwt authentication",
+		error: "invalid_client"
+	});
+	const jwks = await fetchClientJwks(ctx, client);
+	const audience = expectedAudience ?? `${ctx.context.baseURL}/oauth2/token`;
+	const maxLifetime = opts.assertionMaxLifetime ?? 300;
+	const verifyOpts = {
+		issuer: clientId,
+		subject: clientId,
+		audience,
+		algorithms: ALGORITHMS_LIST
+	};
+	let payload;
+	try {
+		({payload} = await jwtVerify(clientAssertion, createLocalJWKSet(jwks), verifyOpts));
+	} catch (verifyErr) {
+		if (verifyErr instanceof Error && /no matching key|no applicable key/i.test(verifyErr.message)) {
+			const refreshed = await refetchClientJwks(client);
+			if (refreshed) try {
+				({payload} = await jwtVerify(clientAssertion, createLocalJWKSet(refreshed), verifyOpts));
+			} catch {
+				throw new APIError("UNAUTHORIZED", {
+					error_description: "client assertion signature verification failed",
+					error: "invalid_client"
+				});
+			}
+			else throw new APIError("UNAUTHORIZED", {
+				error_description: "client assertion signature verification failed",
+				error: "invalid_client"
+			});
+		} else throw new APIError("UNAUTHORIZED", {
+			error_description: "client assertion signature verification failed",
+			error: "invalid_client"
+		});
+	}
+	const now = Math.floor(Date.now() / 1e3);
+	if (typeof payload.exp !== "number") throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include exp claim",
+		error: "invalid_client"
+	});
+	if (payload.exp - now > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion exp is too far in the future (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (typeof payload.iat === "number" && now - payload.iat > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion iat is too far in the past (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (!payload.jti) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include jti claim",
+		error: "invalid_client"
+	});
+	const jtiIdentifier = `private_key_jwt:${clientId}:${payload.jti}`;
+	if (pendingAssertionIds.has(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion jti has already been used",
+		error: "invalid_client"
+	});
+	pendingAssertionIds.add(jtiIdentifier);
+	try {
+		if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+			error_description: "client assertion jti has already been used",
+			error: "invalid_client"
+		});
+		const jtiExpiry = /* @__PURE__ */ new Date(payload.exp * 1e3);
+		try {
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: jtiIdentifier,
+				value: clientId,
+				expiresAt: jtiExpiry
+			});
+		} catch (createErr) {
+			if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+				error_description: "client assertion jti has already been used",
+				error: "invalid_client"
+			});
+			throw createErr;
+		}
+	} finally {
+		pendingAssertionIds.delete(jtiIdentifier);
+	}
+	return {
+		clientId,
+		client
+	};
+}
+//#endregion
+export { isPrivateHostname as n, client_assertion_exports as t };

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-IpUqx-_N.mjs";
+import { o as ResourceServerMetadata } from "./oauth-CU79t-eG.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,6 @@
-import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
+import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-DH61OMT6.mjs";
+import { n as oauthProvider } from "./oauth-B_qonG53.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,9 +1,10 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-IpUqx-_N.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DH61OMT6.mjs";
+import { _ as Scope, a as OIDCMetadata, b as Awaitable, c as AuthorizePrompt, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as OAuthClient, l as ClientDiscovery, m as OAuthRefreshToken, n as AuthServerMetadata, o as ResourceServerMetadata, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CU79t-eG.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-B_qonG53.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { GenericEndpointContext } from "@better-auth/core";
+import * as better_auth0 from "better-auth";
 
 //#region src/mcp.d.ts
 /**
@@ -27,7 +28,37 @@ declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptio
 }): AuthServerMetadata;
 declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
   claims?: string[];
-}): Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+}): {
+  jwks_uri?: string | undefined;
+  userinfo_endpoint: string;
+  acr_values_supported: string[];
+  subject_types_supported: ("public" | "pairwise")[];
+  claims_supported: string[];
+  end_session_endpoint: string;
+  prompt_values_supported: Prompt[];
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  registration_endpoint: string;
+  scopes_supported?: string[] | undefined;
+  response_types_supported: "code"[];
+  response_modes_supported: "query"[];
+  grant_types_supported: GrantType[];
+  token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+  token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  service_documentation?: string | undefined;
+  ui_locales_supported?: string[] | undefined;
+  op_policy_uri?: string | undefined;
+  op_tos_uri?: string | undefined;
+  revocation_endpoint?: string | undefined;
+  revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  introspection_endpoint?: string | undefined;
+  introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  code_challenge_methods_supported: "S256"[];
+  authorization_response_iss_parameter_supported?: boolean | undefined;
+  client_id_metadata_document_supported?: boolean | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
 /**
@@ -61,4 +92,17 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   headers?: HeadersInit;
 }) => (request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//#region src/register.d.ts
+declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[]>, settings?: {
+  isRegister?: boolean;
+  ctx?: GenericEndpointContext;
+}): Promise<void>;
+/**
+ * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
+ *
+ * @param input
+ * @returns
+ */
+declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
+//#endregion
+export { AuthServerMetadata, AuthorizePrompt, ClientDiscovery, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };