@better-auth/oauth-provider 1.6.5 → 1.6.7

@@ -1,5 +1,5 @@
1
1
  import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
2
- import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
2
+ import { t as PACKAGE_VERSION } from "./version-BWjL4z5q.mjs";
3
3
  import { verifyAccessToken } from "better-auth/oauth2";
4
4
  import { APIError } from "better-call";
5
5
  import { logger } from "@better-auth/core/env";
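--- a/package/dist/client.mjs
+++ b/package/dist/client.mjs
@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
+import { t as PACKAGE_VERSION } from "./version-BWjL4z5q.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {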
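--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -1,9 +1,10 @@
 import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-CYsV29Ge.mjs";
+import { t as PACKAGE_VERSION } from "./version-BWjL4z5q.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
+import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -159,9 +160,6 @@ const DANGEROUS_SCHEMES = [
 "data:",
 "vbscript:"
 ];
-function isLocalhost(hostname) {
-return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -200,7 +198,7 @@ const verificationValueSchema = z.object({
 /**
 * Reusable URL validation for OAuth redirect URIs.
 * - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
 * - Allows custom schemes for mobile apps (e.g., myapp://callback)
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
@@ -220,12 +218,10 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 });
 return;
 }
-if (u.protocol === "http:" || u.protocol === "https:") {
-if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-code: "custom",
-message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-});
-}
+if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+code: "custom",
+message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+});
 });
 //#endregion
 //#region src/userinfo.ts
@@ -256,11 +252,7 @@ function userNormalClaims(user, scopes) {
 * Handles the /oauth2/userinfo endpoint
 */
 async function userInfoEndpoint(ctx, opts) {
-if (!ctx.request) throw new APIError("UNAUTHORIZED", {
-error_description: "request not found",
-error: "invalid_request"
-});
-const authorization = ctx.request.headers.get("authorization");
+const authorization = ctx.headers?.get("authorization");
 const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
 if (!token?.length) throw new APIError("UNAUTHORIZED", {
 error_description: "authorization header not found",
@@ -3706,8 +3698,7 @@ function redirectWithPromptNoneError(ctx, opts, query, error, description) {
 function validateIssuerUrl(issuer) {
 try {
 const url = new URL(issuer);
-const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+if (url.protocol !== "https:" && !isLoopbackHost(url.host)) url.protocol = "https:";
 url.search = "";
 url.hash = "";
 return url.toString().replace(/\/$/, "");
@@ -3770,7 +3761,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 try {
 const registered = new URL(url);
 const requested = new URL(query.redirect_uri);
-if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
+if (isLoopbackIP(registered.hostname) && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
 } catch {}
 return false;
 }) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));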
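Review bot: The loopback redirect-URI match in `authorizeEndpoint` (a function that starts and ends outside this hunk) now passes `registered.hostname` to `isLoopbackIP`, and for an IPv6 literal the WHATWG URL parser yields that in bracketed form (`[::1]`) — the removed code compared against that bracketed string literally, so the IPv6 loopback case silently stops matching if `isLoopbackIP` expects a bare address. The other two call sites hand the sibling helper a different shape: `SafeUrlSchema` and `validateIssuerUrl` pass `u.host` / `url.host`, which carries the port, whereas the removed `isLocalhost` used `hostname`, and whether `isLoopbackHost` strips the port and still accepts a bare `localhost` (which the old check did) cannot be seen from this package. Since this check is what decides whether a plaintext-HTTP redirect target is accepted, a behaviour-pinning test for `http://[::1]:3000/cb`, `http://127.0.0.1:8080/cb` and `http://localhost/cb` against both `SafeUrlSchema` and the redirect-URI comparison would make the intended acceptance set explicit and catch a regression in either helper.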
@@ -1,5 +1,5 @@
1
1
  //#endregion
2
2
  //#region src/version.ts
3
- const PACKAGE_VERSION = "1.6.5";
3
+ const PACKAGE_VERSION = "1.6.7";
4
4
  //#endregion
5
5
  export { PACKAGE_VERSION as t };
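--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@better-auth/oauth-provider",
-"version": "1.6.5",
+"version": "1.6.7",
 "description": "An oauth provider plugin for Better Auth",
 "type": "module",
 "license": "MIT",
@@ -64,15 +64,15 @@
 "@modelcontextprotocol/sdk": "^1.27.1",
 "listhen": "^1.9.0",
 "tsdown": "0.21.1",
-"@better-auth/core": "1.6.5",
-"better-auth": "1.6.5"
+"@better-auth/core": "1.6.7",
+"better-auth": "1.6.7"
 },
 "peerDependencies": {
 "@better-auth/utils": "0.4.0",
 "@better-fetch/fetch": "1.1.21",
 "better-call": "1.3.5",
-"@better-auth/core": "^1.6.5",
-"better-auth": "^1.6.5"
+"@better-auth/core": "^1.6.7",
+"better-auth": "^1.6.7"
 },
 "scripts": {
 "build": "tsdown",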