@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -1,35 +1,92 @@
1
- import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
2
- import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-Dh4YXCXY.mjs";
3
- import { verifyAccessToken } from "better-auth/oauth2";
1
+ import { A as OAuthProviderExtension, B as StoreTokenType, C as OAuthConsent, D as OAuthOpaqueAccessToken, E as OAuthMetadataExtensionInput, F as OAuthTokenResponse, H as VerificationValue, I as OAuthUserInfoExtensionInput, L as Prompt, M as OAuthResource, N as OAuthResourceInput, O as OAuthOptions, P as OAuthTokenIssueParams, R as SchemaClient, S as OAuthClientResource, T as OAuthExtensionGrantHandlerInput, U as ClientRegistrationRequest, V as StoredAuthorizationQuery, W as ResourceUriSchema, _ as OAuthClaimExtensionInput, a as GrantType, b as OAuthClientAuthenticationResult, c as ResourceServerMetadata, d as ActiveAccessTokenPayload, f as AuthorizePrompt, g as OAuthAuthorizationQuery, h as OAuthAuthenticatedClient, i as Confirmation, j as OAuthRefreshToken, k as OAuthProviderApi, l as TokenEndpointAuthMethod, m as InitialAccessTokenAuthorization, n as AuthServerMetadata, o as OAuthClient, p as ClientDiscovery, r as BearerMethodsSupported, s as OIDCMetadata, t as AuthMethod, u as TokenType, v as OAuthClientAuthenticationInput, w as OAuthExtensionGrantHandler, x as OAuthClientAuthenticationStrategy, y as OAuthClientAuthenticationRequest, z as Scope } from "./oauth-ScTJEcFV.mjs";
2
+ import { a as OAuthEndpointErrorResult, c as OAuthFieldErrorCode, i as getIssuer, l as OAuthFieldErrorCodeMap, n as getOAuthProviderState, o as OAuthEndpointRedirectContext, r as oauthProvider, s as OAuthErrorCode, t as DEFAULT_OAUTH_SCOPES, u as OAuthRedirectOnError } from "./oauth-BrNRbP2A.mjs";
3
+ import { getSessionFromCtx } from "better-auth/api";
4
4
  import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
5
- import { JWTPayload } from "jose";
6
- import { GenericEndpointContext } from "@better-auth/core";
5
+ import { AuthContext, GenericEndpointContext } from "@better-auth/core";
6
+ import * as better_auth0 from "better-auth";
7
7
 
8
- //#region src/mcp.d.ts
8
+ //#region src/extensions.d.ts
9
9
  /**
10
- * A request middleware handler that checks and responds with
11
- * a WWW-Authenticate header for unauthenticated responses.
10
+ * Registers an {@link OAuthProviderExtension} with the OAuth Provider plugin
11
+ * from a companion plugin's `init()` hook. An extension can add token grants,
12
+ * assertion-based client authentication methods, additive discovery metadata,
13
+ * access-token / ID-token / UserInfo claims, and client-id discovery, without
14
+ * forking provider core.
12
15
  *
13
- * @external
16
+ * Call this once, at `init()` time. It is idempotent in the same `extension`
17
+ * object, so re-running a plugin's `init()` (for example when one plugin factory
18
+ * result is shared across two `betterAuth()` instances) does not register it
19
+ * twice. It throws if the oauth-provider plugin is not installed, if a grant
20
+ * type or assertion type is not an absolute URI, if a client authentication
21
+ * method reuses a built-in name, or if the extension registers a grant type,
22
+ * auth method, or assertion type that another extension already registered
23
+ * (contributions must be disjoint).
24
+ *
25
+ * @example
26
+ * ```ts
27
+ * init(ctx) {
28
+ * extendOAuthProvider(ctx, {
29
+ * grants: { "urn:example:grant": async ({ provider }) => provider.issueTokens(...) },
30
+ * });
31
+ * }
32
+ * ```
14
33
  */
15
- declare const mcpHandler: (/** Resource is the same url as the audience */
16
-
17
- verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request, jwt: JWTPayload) => Awaitable<Response>, opts?: {
18
- /** Maps non-url (ie urn, client) resources to resource_metadata */resourceMetadataMappings: Record<string, string>;
19
- }) => (req: Request) => Promise<Response>;
34
+ declare function extendOAuthProvider(ctx: AuthContext, extension: OAuthProviderExtension): void;
20
35
  //#endregion
21
36
  //#region src/metadata.d.ts
22
37
  declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
23
38
  scopes_supported?: AuthServerMetadata["scopes_supported"];
39
+ dynamic_client_registration_supported?: boolean;
24
40
  public_client_supported?: boolean;
25
41
  grant_types_supported?: GrantType[];
42
+ token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
43
+ endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
26
44
  jwt_disabled?: boolean;
45
+ dpop_signing_alg_values_supported?: JWSAlgorithms[];
27
46
  }): AuthServerMetadata;
47
+ declare function oauthAuthorizationServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): AuthServerMetadata;
28
48
  declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
29
49
  claims?: string[];
30
- }): Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
50
+ }): {
51
+ jwks_uri?: string | undefined;
52
+ userinfo_endpoint: string;
53
+ acr_values_supported?: string[] | undefined;
54
+ subject_types_supported: ("public" | "pairwise")[];
55
+ claims_supported: string[];
56
+ claims_parameter_supported?: boolean | undefined;
57
+ end_session_endpoint: string;
58
+ request_parameter_supported?: boolean | undefined;
59
+ request_uri_parameter_supported?: boolean | undefined;
60
+ prompt_values_supported: Prompt[];
61
+ issuer: string;
62
+ authorization_endpoint: string;
63
+ token_endpoint: string;
64
+ registration_endpoint?: string | undefined;
65
+ scopes_supported?: string[] | undefined;
66
+ response_types_supported: "code"[];
67
+ response_modes_supported: "query"[];
68
+ grant_types_supported: GrantType[];
69
+ token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
70
+ token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
71
+ service_documentation?: string | undefined;
72
+ ui_locales_supported?: string[] | undefined;
73
+ op_policy_uri?: string | undefined;
74
+ op_tos_uri?: string | undefined;
75
+ revocation_endpoint?: string | undefined;
76
+ revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
77
+ revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
78
+ introspection_endpoint?: string | undefined;
79
+ introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
80
+ introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
81
+ code_challenge_methods_supported: "S256"[];
82
+ authorization_response_iss_parameter_supported?: boolean | undefined;
83
+ client_id_metadata_document_supported?: boolean | undefined;
84
+ backchannel_logout_supported?: boolean | undefined;
85
+ backchannel_logout_session_supported?: boolean | undefined;
86
+ dpop_signing_alg_values_supported?: JWSAlgorithms[] | undefined;
31
87
  id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
32
88
  };
89
+ declare function metadataResponse(body: unknown, extraHeaders?: HeadersInit): Response;
33
90
  /**
34
91
  * Provides an exportable `/.well-known/oauth-authorization-server`.
35
92
  *
@@ -44,7 +101,7 @@ declare const oauthProviderAuthServerMetadata: <Auth extends {
44
101
  };
45
102
  }>(auth: Auth, opts?: {
46
103
  headers?: HeadersInit;
47
- }) => (_request: Request) => Promise<Response>;
104
+ }) => (request: Request) => Promise<Response>;
48
105
  /**
49
106
  * Provides an exportable `/.well-known/openid-configuration`.
50
107
  *
@@ -59,6 +116,82 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
59
116
  };
60
117
  }>(auth: Auth, opts?: {
61
118
  headers?: HeadersInit;
62
- }) => (_request: Request) => Promise<Response>;
119
+ }) => (request: Request) => Promise<Response>;
120
+ //#endregion
121
+ //#region src/register.d.ts
122
+ declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[]>, settings?: {
123
+ isRegister?: boolean;
124
+ ctx?: GenericEndpointContext;
125
+ }): Promise<void>;
126
+ /**
127
+ * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
128
+ *
129
+ * @param input
130
+ * @returns
131
+ */
132
+ declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
133
+ //#endregion
134
+ //#region src/resource-challenge.d.ts
135
+ /**
136
+ * Raise an OAuth resource-server challenge for a failed access-token request.
137
+ *
138
+ * Missing/invalid bearer credentials are reported with RFC 6750 plus the RFC
139
+ * 9728 `resource_metadata` pointer. DPoP-bound-token failures are reported with
140
+ * RFC 9449's `DPoP` challenge so clients know which proof algorithms to use.
141
+ * Non-URL resources (for example a `urn:` or a client id) resolve their
142
+ * metadata URL through `resourceMetadataMappings`.
143
+ *
144
+ * @internal
145
+ */
146
+ declare function raiseResourceServerChallenge(error: unknown, resource: string | string[], opts?: {
147
+ /** Maps non-URL (urn, client) resources to their resource_metadata URL. */resourceMetadataMappings?: Record<string, string>; /** DPoP JWS algorithms to advertise in RFC 9449 challenges. */
148
+ dpopSigningAlgorithms?: readonly string[]; /** Space-delimited scopes to advertise in RFC 6750 bearer challenges. */
149
+ scope?: string;
150
+ }): never;
151
+ //#endregion
152
+ //#region src/token.d.ts
153
+ /**
154
+ * Returns the OAuth Provider's server-side capability surface bound to `ctx`.
155
+ * The token endpoint passes one (pre-bound to the dispatched grant) to each
156
+ * extension grant handler; a companion plugin's own endpoint calls this directly
157
+ * with its grant type. `grantType` is bound here, not per issuance, so a handler
158
+ * cannot mislabel the grant; omit it for capabilities that do not issue tokens
159
+ * (`getClient`, `validateAccessToken`, `requireActiveAccessToken`), and
160
+ * `issueTokens` then throws.
161
+ */
162
+ declare function getOAuthProviderApi(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, grantType?: GrantType): OAuthProviderApi;
163
+ //#endregion
164
+ //#region src/utils/client-assertion.d.ts
165
+ /**
166
+ * Enforces the assertion-hygiene claims every client-assertion authentication
167
+ * method must check, independent of how the signature is verified or where the
168
+ * verification keys come from:
169
+ * - `aud` MUST include `expectedAudience` (RFC 7523 §3 rule 3),
170
+ * - `exp` MUST be present, unexpired, and at most `assertionMaxLifetime`
171
+ * seconds away (RFC 7523 §3 rule 4),
172
+ * - `iat`, when present, MUST be within `assertionMaxLifetime`,
173
+ * - `jti` MUST be present and single-use; this consumes a replay tombstone keyed
174
+ * by `` `${namespace}:${jti}` ``, inserted under the adapter's primary key so a
175
+ * replay across workers fails atomically.
176
+ *
177
+ * A custom {@link OAuthClientAuthenticationStrategy} should call this after
178
+ * verifying the assertion signature, so an extension method inherits the same
179
+ * replay, lifetime, and audience guarantees as the built-in `private_key_jwt`
180
+ * path, which calls it too.
181
+ *
182
+ * @param params.namespace Scopes the replay tombstone to the method and client,
183
+ * e.g. `` `${method}:${clientId}` ``, so the same `jti` can recur across
184
+ * distinct methods or clients but never within one.
185
+ */
186
+ declare function consumeClientAssertion(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, params: {
187
+ namespace: string;
188
+ payload: {
189
+ aud?: unknown;
190
+ exp?: unknown;
191
+ iat?: unknown;
192
+ jti?: unknown;
193
+ };
194
+ expectedAudience: string;
195
+ }): Promise<void>;
63
196
  //#endregion
64
- export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
197
+ export { ActiveAccessTokenPayload, AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, ClientDiscovery, ClientRegistrationRequest, Confirmation, DEFAULT_OAUTH_SCOPES, GrantType, InitialAccessTokenAuthorization, OAuthAuthenticatedClient, OAuthAuthorizationQuery, OAuthClaimExtensionInput, type OAuthClient, OAuthClientAuthenticationInput, OAuthClientAuthenticationRequest, OAuthClientAuthenticationResult, OAuthClientAuthenticationStrategy, OAuthClientResource, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, OAuthExtensionGrantHandler, OAuthExtensionGrantHandlerInput, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthMetadataExtensionInput, OAuthOpaqueAccessToken, OAuthOptions, OAuthProviderApi, OAuthProviderExtension, type OAuthRedirectOnError, OAuthRefreshToken, OAuthResource, OAuthResourceInput, OAuthTokenIssueParams, OAuthTokenResponse, OAuthUserInfoExtensionInput, OIDCMetadata, Prompt, type ResourceServerMetadata, ResourceUriSchema, SchemaClient, Scope, StoreTokenType, StoredAuthorizationQuery, TokenEndpointAuthMethod, TokenType, VerificationValue, authServerMetadata, checkOAuthClient, consumeClientAssertion, extendOAuthProvider, getIssuer, getOAuthProviderApi, getOAuthProviderState, metadataResponse, oauthAuthorizationServerMetadata, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata, raiseResourceServerChallenge };