@better-auth/oauth-provider 1.6.5 → 1.6.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
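--- a/package/dist/client-resource.mjs
+++ b/package/dist/client-resource.mjs
@@ -1,5 +1,5 @@
 import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-
+import { t as PACKAGE_VERSION } from "./version-A7ZA9idU.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";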
package/dist/client.mjs
CHANGED
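--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -1,9 +1,10 @@
 import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-
+import { t as PACKAGE_VERSION } from "./version-A7ZA9idU.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
+import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -159,9 +160,6 @@ const DANGEROUS_SCHEMES = [
 "data:",
 "vbscript:"
 ];
-function isLocalhost(hostname) {
-return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -200,7 +198,7 @@ const verificationValueSchema = z.object({
 /**
 * Reusable URL validation for OAuth redirect URIs.
 * - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
 * - Allows custom schemes for mobile apps (e.g., myapp://callback)
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
@@ -220,12 +218,10 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 });
 return;
 }
-if (u.protocol === "http:"
-
-
-
-});
-}
+if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+code: "custom",
+message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+});
 });
 //#endregion
 //#region src/userinfo.ts
@@ -3706,8 +3702,7 @@ function redirectWithPromptNoneError(ctx, opts, query, error, description) {
 function validateIssuerUrl(issuer) {
 try {
 const url = new URL(issuer);
-
-if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+if (url.protocol !== "https:" && !isLoopbackHost(url.host)) url.protocol = "https:";
 url.search = "";
 url.hash = "";
 return url.toString().replace(/\/$/, "");
@@ -3770,7 +3765,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 try {
 const registered = new URL(url);
 const requested = new URL(query.redirect_uri);
-if ((registered.hostname
+if (isLoopbackIP(registered.hostname) && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
 } catch {}
 return false;
 }) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));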
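Review bot: The new HTTPS guard in SafeUrlSchema calls `isLoopbackHost(u.host)`, and `host` carries the port when one is present (`localhost:3000`, `127.0.0.1:8080`, `[::1]:8080`), whereas the redirect-URI comparison in authorizeEndpoint passes the port-free `registered.hostname` to isLoopbackIP. Unless isLoopbackHost is known to strip a port suffix, a registered `http://localhost:3000/callback` would now fail validation, which is exactly the local-development redirect the loopback exception exists for. Passing the port-free form, `if (u.protocol === "http:" && !isLoopbackHost(u.hostname)) ctx.addIssue({`, removes the dependence on that helper's parsing; validateIssuerUrl makes the same `url.host` call and would take the same change. The superRefine callback and the authorizeEndpoint redirect check both begin outside their hunks.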
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@better-auth/oauth-provider",
|
|
3
|
-
"version": "1.6.
|
|
3
|
+
"version": "1.6.6",
|
|
4
4
|
"description": "An oauth provider plugin for Better Auth",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"license": "MIT",
|
|
@@ -64,15 +64,15 @@
|
|
|
64
64
|
"@modelcontextprotocol/sdk": "^1.27.1",
|
|
65
65
|
"listhen": "^1.9.0",
|
|
66
66
|
"tsdown": "0.21.1",
|
|
67
|
-
"
|
|
68
|
-
"better-auth": "1.6.
|
|
67
|
+
"better-auth": "1.6.6",
|
|
68
|
+
"@better-auth/core": "1.6.6"
|
|
69
69
|
},
|
|
70
70
|
"peerDependencies": {
|
|
71
71
|
"@better-auth/utils": "0.4.0",
|
|
72
72
|
"@better-fetch/fetch": "1.1.21",
|
|
73
73
|
"better-call": "1.3.5",
|
|
74
|
-
"@better-auth/core": "^1.6.
|
|
75
|
-
"better-auth": "^1.6.
|
|
74
|
+
"@better-auth/core": "^1.6.6",
|
|
75
|
+
"better-auth": "^1.6.6"
|
|
76
76
|
},
|
|
77
77
|
"scripts": {
|
|
78
78
|
"build": "tsdown",
|