npm - @better-auth/oauth-provider - Versions diffs - 1.6.4 → 1.6.6 - Mend

@better-auth/oauth-provider 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/client-resource.mjs +1 -1
package/dist/client.mjs +1 -1
package/dist/index.mjs +26 -49
package/dist/{version-Cvnm3JjE.mjs → version-A7ZA9idU.mjs} +1 -1
package/package.json +5 -5

package/dist/client-resource.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cvnm3JjE.mjs";
+import { t as PACKAGE_VERSION } from "./version-A7ZA9idU.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Cvnm3JjE.mjs";
+import { t as PACKAGE_VERSION } from "./version-A7ZA9idU.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.mjs CHANGED Viewed

@@ -1,9 +1,10 @@
 import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-Cvnm3JjE.mjs";
+import { t as PACKAGE_VERSION } from "./version-A7ZA9idU.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
+import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -159,9 +160,6 @@ const DANGEROUS_SCHEMES = [
 	"data:",
 	"vbscript:"
 ];
-function isLocalhost(hostname) {
-	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -200,7 +198,7 @@ const verificationValueSchema = z.object({
 /**
 * Reusable URL validation for OAuth redirect URIs.
 * - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
 * - Allows custom schemes for mobile apps (e.g., myapp://callback)
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
@@ -220,12 +218,10 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		});
 		return;
 	}
-	if (u.protocol === "http:" || u.protocol === "https:") {
-		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-			code: "custom",
-			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-		});
-	}
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+	});
 });
 //#endregion
 //#region src/userinfo.ts
@@ -1404,14 +1400,8 @@ function schemaToOAuth(input) {
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "read");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "read",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, ctx.query.client_id);
 	if (!client) throw new APIError("NOT_FOUND", {
 		error_description: "client not found",
@@ -1452,14 +1442,8 @@ async function getClientPublicEndpoint(ctx, opts, clientId) {
 }
 async function getClientsEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "list");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "list",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const referenceId = await opts.clientReference?.(session);
 	if (referenceId) return await ctx.context.adapter.findMany({
 		model: "oauthClient",
@@ -1493,14 +1477,8 @@ async function getClientsEndpoint(ctx, opts) {
 }
 async function deleteClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "delete");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "delete",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1526,14 +1504,8 @@ async function deleteClientEndpoint(ctx, opts) {
 }
 async function updateClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "update");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "update",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1580,14 +1552,8 @@ async function updateClientEndpoint(ctx, opts) {
 }
 async function rotateClientSecretEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "rotate");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "rotate",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1629,6 +1595,16 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1811,6 +1787,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1980,6 +1957,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -3724,8 +3702,7 @@ function redirectWithPromptNoneError(ctx, opts, query, error, description) {
 function validateIssuerUrl(issuer) {
 	try {
 		const url = new URL(issuer);
-		const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-		if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+		if (url.protocol !== "https:" && !isLoopbackHost(url.host)) url.protocol = "https:";
 		url.search = "";
 		url.hash = "";
 		return url.toString().replace(/\/$/, "");
@@ -3788,7 +3765,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		try {
 			const registered = new URL(url);
 			const requested = new URL(query.redirect_uri);
-			if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
+			if (isLoopbackIP(registered.hostname) && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
 		} catch {}
 		return false;
 	}) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));

package/dist/{version-Cvnm3JjE.mjs → version-A7ZA9idU.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.4";
+const PACKAGE_VERSION = "1.6.6";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.4",
+  "version": "1.6.6",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.4",
-    "better-auth": "1.6.4"
+    "better-auth": "1.6.6",
+    "@better-auth/core": "1.6.6"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.4",
-    "better-auth": "^1.6.4"
+    "@better-auth/core": "^1.6.6",
+    "better-auth": "^1.6.6"
   },
   "scripts": {
     "build": "tsdown",