@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{client-assertion-DZqo-L5j.mjs → client-assertion-D-tAYsKC.mjs} +116 -92
- package/dist/client-resource.d.mts +43 -7
- package/dist/client-resource.mjs +45 -25
- package/dist/client.d.mts +1 -1
- package/dist/client.mjs +3 -13
- package/dist/index.d.mts +151 -18
- package/dist/index.mjs +2239 -1803
- package/dist/introspect-DvHp2a64.mjs +2507 -0
- package/dist/{oauth-Dh4YXCXY.d.mts → oauth-BrNRbP2A.d.mts} +532 -141
- package/dist/oauth-ScTJEcFV.d.mts +2849 -0
- package/dist/resource-challenge-B-cqv4ur.mjs +63 -0
- package/dist/rolldown-runtime-wcPFST8Q.mjs +13 -0
- package/dist/signed-query-Df1MNiSH.mjs +44 -0
- package/dist/utils-DO8lmoDw.mjs +769 -0
- package/dist/{version-BGWhjYBb.mjs → version-a5HhJg8A.mjs} +1 -1
- package/package.json +9 -10
- package/dist/mcp-CYnz-MXn.mjs +0 -56
- package/dist/oauth-C8aTlaAC.d.mts +0 -1645
- package/dist/utils-CIbcUsZ5.mjs +0 -417
package/dist/index.d.mts
CHANGED
|
@@ -1,35 +1,92 @@
|
|
|
1
|
-
import { _ as
|
|
2
|
-
import { n as oauthProvider, t as
|
|
3
|
-
import {
|
|
1
|
+
import { A as OAuthProviderExtension, B as StoreTokenType, C as OAuthConsent, D as OAuthOpaqueAccessToken, E as OAuthMetadataExtensionInput, F as OAuthTokenResponse, H as VerificationValue, I as OAuthUserInfoExtensionInput, L as Prompt, M as OAuthResource, N as OAuthResourceInput, O as OAuthOptions, P as OAuthTokenIssueParams, R as SchemaClient, S as OAuthClientResource, T as OAuthExtensionGrantHandlerInput, U as ClientRegistrationRequest, V as StoredAuthorizationQuery, W as ResourceUriSchema, _ as OAuthClaimExtensionInput, a as GrantType, b as OAuthClientAuthenticationResult, c as ResourceServerMetadata, d as ActiveAccessTokenPayload, f as AuthorizePrompt, g as OAuthAuthorizationQuery, h as OAuthAuthenticatedClient, i as Confirmation, j as OAuthRefreshToken, k as OAuthProviderApi, l as TokenEndpointAuthMethod, m as InitialAccessTokenAuthorization, n as AuthServerMetadata, o as OAuthClient, p as ClientDiscovery, r as BearerMethodsSupported, s as OIDCMetadata, t as AuthMethod, u as TokenType, v as OAuthClientAuthenticationInput, w as OAuthExtensionGrantHandler, x as OAuthClientAuthenticationStrategy, y as OAuthClientAuthenticationRequest, z as Scope } from "./oauth-ScTJEcFV.mjs";
|
|
2
|
+
import { a as OAuthEndpointErrorResult, c as OAuthFieldErrorCode, i as getIssuer, l as OAuthFieldErrorCodeMap, n as getOAuthProviderState, o as OAuthEndpointRedirectContext, r as oauthProvider, s as OAuthErrorCode, t as DEFAULT_OAUTH_SCOPES, u as OAuthRedirectOnError } from "./oauth-BrNRbP2A.mjs";
|
|
3
|
+
import { getSessionFromCtx } from "better-auth/api";
|
|
4
4
|
import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
|
|
5
|
-
import {
|
|
6
|
-
import
|
|
5
|
+
import { AuthContext, GenericEndpointContext } from "@better-auth/core";
|
|
6
|
+
import * as better_auth0 from "better-auth";
|
|
7
7
|
|
|
8
|
-
//#region src/
|
|
8
|
+
//#region src/extensions.d.ts
|
|
9
9
|
/**
|
|
10
|
-
*
|
|
11
|
-
* a
|
|
10
|
+
* Registers an {@link OAuthProviderExtension} with the OAuth Provider plugin
|
|
11
|
+
* from a companion plugin's `init()` hook. An extension can add token grants,
|
|
12
|
+
* assertion-based client authentication methods, additive discovery metadata,
|
|
13
|
+
* access-token / ID-token / UserInfo claims, and client-id discovery, without
|
|
14
|
+
* forking provider core.
|
|
12
15
|
*
|
|
13
|
-
*
|
|
16
|
+
* Call this once, at `init()` time. It is idempotent in the same `extension`
|
|
17
|
+
* object, so re-running a plugin's `init()` (for example when one plugin factory
|
|
18
|
+
* result is shared across two `betterAuth()` instances) does not register it
|
|
19
|
+
* twice. It throws if the oauth-provider plugin is not installed, if a grant
|
|
20
|
+
* type or assertion type is not an absolute URI, if a client authentication
|
|
21
|
+
* method reuses a built-in name, or if the extension registers a grant type,
|
|
22
|
+
* auth method, or assertion type that another extension already registered
|
|
23
|
+
* (contributions must be disjoint).
|
|
24
|
+
*
|
|
25
|
+
* @example
|
|
26
|
+
* ```ts
|
|
27
|
+
* init(ctx) {
|
|
28
|
+
* extendOAuthProvider(ctx, {
|
|
29
|
+
* grants: { "urn:example:grant": async ({ provider }) => provider.issueTokens(...) },
|
|
30
|
+
* });
|
|
31
|
+
* }
|
|
32
|
+
* ```
|
|
14
33
|
*/
|
|
15
|
-
declare
|
|
16
|
-
|
|
17
|
-
verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request, jwt: JWTPayload) => Awaitable<Response>, opts?: {
|
|
18
|
-
/** Maps non-url (ie urn, client) resources to resource_metadata */resourceMetadataMappings: Record<string, string>;
|
|
19
|
-
}) => (req: Request) => Promise<Response>;
|
|
34
|
+
declare function extendOAuthProvider(ctx: AuthContext, extension: OAuthProviderExtension): void;
|
|
20
35
|
//#endregion
|
|
21
36
|
//#region src/metadata.d.ts
|
|
22
37
|
declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
|
|
23
38
|
scopes_supported?: AuthServerMetadata["scopes_supported"];
|
|
39
|
+
dynamic_client_registration_supported?: boolean;
|
|
24
40
|
public_client_supported?: boolean;
|
|
25
41
|
grant_types_supported?: GrantType[];
|
|
42
|
+
token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
|
|
43
|
+
endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
|
|
26
44
|
jwt_disabled?: boolean;
|
|
45
|
+
dpop_signing_alg_values_supported?: JWSAlgorithms[];
|
|
27
46
|
}): AuthServerMetadata;
|
|
47
|
+
declare function oauthAuthorizationServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): AuthServerMetadata;
|
|
28
48
|
declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
|
|
29
49
|
claims?: string[];
|
|
30
|
-
}):
|
|
50
|
+
}): {
|
|
51
|
+
jwks_uri?: string | undefined;
|
|
52
|
+
userinfo_endpoint: string;
|
|
53
|
+
acr_values_supported?: string[] | undefined;
|
|
54
|
+
subject_types_supported: ("public" | "pairwise")[];
|
|
55
|
+
claims_supported: string[];
|
|
56
|
+
claims_parameter_supported?: boolean | undefined;
|
|
57
|
+
end_session_endpoint: string;
|
|
58
|
+
request_parameter_supported?: boolean | undefined;
|
|
59
|
+
request_uri_parameter_supported?: boolean | undefined;
|
|
60
|
+
prompt_values_supported: Prompt[];
|
|
61
|
+
issuer: string;
|
|
62
|
+
authorization_endpoint: string;
|
|
63
|
+
token_endpoint: string;
|
|
64
|
+
registration_endpoint?: string | undefined;
|
|
65
|
+
scopes_supported?: string[] | undefined;
|
|
66
|
+
response_types_supported: "code"[];
|
|
67
|
+
response_modes_supported: "query"[];
|
|
68
|
+
grant_types_supported: GrantType[];
|
|
69
|
+
token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
|
|
70
|
+
token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
71
|
+
service_documentation?: string | undefined;
|
|
72
|
+
ui_locales_supported?: string[] | undefined;
|
|
73
|
+
op_policy_uri?: string | undefined;
|
|
74
|
+
op_tos_uri?: string | undefined;
|
|
75
|
+
revocation_endpoint?: string | undefined;
|
|
76
|
+
revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
|
|
77
|
+
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
78
|
+
introspection_endpoint?: string | undefined;
|
|
79
|
+
introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
|
|
80
|
+
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
81
|
+
code_challenge_methods_supported: "S256"[];
|
|
82
|
+
authorization_response_iss_parameter_supported?: boolean | undefined;
|
|
83
|
+
client_id_metadata_document_supported?: boolean | undefined;
|
|
84
|
+
backchannel_logout_supported?: boolean | undefined;
|
|
85
|
+
backchannel_logout_session_supported?: boolean | undefined;
|
|
86
|
+
dpop_signing_alg_values_supported?: JWSAlgorithms[] | undefined;
|
|
31
87
|
id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
|
|
32
88
|
};
|
|
89
|
+
declare function metadataResponse(body: unknown, extraHeaders?: HeadersInit): Response;
|
|
33
90
|
/**
|
|
34
91
|
* Provides an exportable `/.well-known/oauth-authorization-server`.
|
|
35
92
|
*
|
|
@@ -44,7 +101,7 @@ declare const oauthProviderAuthServerMetadata: <Auth extends {
|
|
|
44
101
|
};
|
|
45
102
|
}>(auth: Auth, opts?: {
|
|
46
103
|
headers?: HeadersInit;
|
|
47
|
-
}) => (
|
|
104
|
+
}) => (request: Request) => Promise<Response>;
|
|
48
105
|
/**
|
|
49
106
|
* Provides an exportable `/.well-known/openid-configuration`.
|
|
50
107
|
*
|
|
@@ -59,6 +116,82 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
|
|
|
59
116
|
};
|
|
60
117
|
}>(auth: Auth, opts?: {
|
|
61
118
|
headers?: HeadersInit;
|
|
62
|
-
}) => (
|
|
119
|
+
}) => (request: Request) => Promise<Response>;
|
|
120
|
+
//#endregion
|
|
121
|
+
//#region src/register.d.ts
|
|
122
|
+
declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[]>, settings?: {
|
|
123
|
+
isRegister?: boolean;
|
|
124
|
+
ctx?: GenericEndpointContext;
|
|
125
|
+
}): Promise<void>;
|
|
126
|
+
/**
|
|
127
|
+
* Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
|
|
128
|
+
*
|
|
129
|
+
* @param input
|
|
130
|
+
* @returns
|
|
131
|
+
*/
|
|
132
|
+
declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
|
|
133
|
+
//#endregion
|
|
134
|
+
//#region src/resource-challenge.d.ts
|
|
135
|
+
/**
|
|
136
|
+
* Raise an OAuth resource-server challenge for a failed access-token request.
|
|
137
|
+
*
|
|
138
|
+
* Missing/invalid bearer credentials are reported with RFC 6750 plus the RFC
|
|
139
|
+
* 9728 `resource_metadata` pointer. DPoP-bound-token failures are reported with
|
|
140
|
+
* RFC 9449's `DPoP` challenge so clients know which proof algorithms to use.
|
|
141
|
+
* Non-URL resources (for example a `urn:` or a client id) resolve their
|
|
142
|
+
* metadata URL through `resourceMetadataMappings`.
|
|
143
|
+
*
|
|
144
|
+
* @internal
|
|
145
|
+
*/
|
|
146
|
+
declare function raiseResourceServerChallenge(error: unknown, resource: string | string[], opts?: {
|
|
147
|
+
/** Maps non-URL (urn, client) resources to their resource_metadata URL. */resourceMetadataMappings?: Record<string, string>; /** DPoP JWS algorithms to advertise in RFC 9449 challenges. */
|
|
148
|
+
dpopSigningAlgorithms?: readonly string[]; /** Space-delimited scopes to advertise in RFC 6750 bearer challenges. */
|
|
149
|
+
scope?: string;
|
|
150
|
+
}): never;
|
|
151
|
+
//#endregion
|
|
152
|
+
//#region src/token.d.ts
|
|
153
|
+
/**
|
|
154
|
+
* Returns the OAuth Provider's server-side capability surface bound to `ctx`.
|
|
155
|
+
* The token endpoint passes one (pre-bound to the dispatched grant) to each
|
|
156
|
+
* extension grant handler; a companion plugin's own endpoint calls this directly
|
|
157
|
+
* with its grant type. `grantType` is bound here, not per issuance, so a handler
|
|
158
|
+
* cannot mislabel the grant; omit it for capabilities that do not issue tokens
|
|
159
|
+
* (`getClient`, `validateAccessToken`, `requireActiveAccessToken`), and
|
|
160
|
+
* `issueTokens` then throws.
|
|
161
|
+
*/
|
|
162
|
+
declare function getOAuthProviderApi(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, grantType?: GrantType): OAuthProviderApi;
|
|
163
|
+
//#endregion
|
|
164
|
+
//#region src/utils/client-assertion.d.ts
|
|
165
|
+
/**
|
|
166
|
+
* Enforces the assertion-hygiene claims every client-assertion authentication
|
|
167
|
+
* method must check, independent of how the signature is verified or where the
|
|
168
|
+
* verification keys come from:
|
|
169
|
+
* - `aud` MUST include `expectedAudience` (RFC 7523 §3 rule 3),
|
|
170
|
+
* - `exp` MUST be present, unexpired, and at most `assertionMaxLifetime`
|
|
171
|
+
* seconds away (RFC 7523 §3 rule 4),
|
|
172
|
+
* - `iat`, when present, MUST be within `assertionMaxLifetime`,
|
|
173
|
+
* - `jti` MUST be present and single-use; this consumes a replay tombstone keyed
|
|
174
|
+
* by `` `${namespace}:${jti}` ``, inserted under the adapter's primary key so a
|
|
175
|
+
* replay across workers fails atomically.
|
|
176
|
+
*
|
|
177
|
+
* A custom {@link OAuthClientAuthenticationStrategy} should call this after
|
|
178
|
+
* verifying the assertion signature, so an extension method inherits the same
|
|
179
|
+
* replay, lifetime, and audience guarantees as the built-in `private_key_jwt`
|
|
180
|
+
* path, which calls it too.
|
|
181
|
+
*
|
|
182
|
+
* @param params.namespace Scopes the replay tombstone to the method and client,
|
|
183
|
+
* e.g. `` `${method}:${clientId}` ``, so the same `jti` can recur across
|
|
184
|
+
* distinct methods or clients but never within one.
|
|
185
|
+
*/
|
|
186
|
+
declare function consumeClientAssertion(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, params: {
|
|
187
|
+
namespace: string;
|
|
188
|
+
payload: {
|
|
189
|
+
aud?: unknown;
|
|
190
|
+
exp?: unknown;
|
|
191
|
+
iat?: unknown;
|
|
192
|
+
jti?: unknown;
|
|
193
|
+
};
|
|
194
|
+
expectedAudience: string;
|
|
195
|
+
}): Promise<void>;
|
|
63
196
|
//#endregion
|
|
64
|
-
export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState,
|
|
197
|
+
export { ActiveAccessTokenPayload, AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, ClientDiscovery, ClientRegistrationRequest, Confirmation, DEFAULT_OAUTH_SCOPES, GrantType, InitialAccessTokenAuthorization, OAuthAuthenticatedClient, OAuthAuthorizationQuery, OAuthClaimExtensionInput, type OAuthClient, OAuthClientAuthenticationInput, OAuthClientAuthenticationRequest, OAuthClientAuthenticationResult, OAuthClientAuthenticationStrategy, OAuthClientResource, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, OAuthExtensionGrantHandler, OAuthExtensionGrantHandlerInput, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthMetadataExtensionInput, OAuthOpaqueAccessToken, OAuthOptions, OAuthProviderApi, OAuthProviderExtension, type OAuthRedirectOnError, OAuthRefreshToken, OAuthResource, OAuthResourceInput, OAuthTokenIssueParams, OAuthTokenResponse, OAuthUserInfoExtensionInput, OIDCMetadata, Prompt, type ResourceServerMetadata, ResourceUriSchema, SchemaClient, Scope, StoreTokenType, StoredAuthorizationQuery, TokenEndpointAuthMethod, TokenType, VerificationValue, authServerMetadata, checkOAuthClient, consumeClientAssertion, extendOAuthProvider, getIssuer, getOAuthProviderApi, getOAuthProviderState, metadataResponse, oauthAuthorizationServerMetadata, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata, raiseResourceServerChallenge };
|