npm - @better-auth/oauth-provider - Versions diffs - 1.7.0-beta.0 → 1.7.0-beta.2 - Mend

@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/{client-assertion-DZqo-L5j.mjs → client-assertion-CderPEmR.mjs} +12 -3
package/dist/client-resource.d.mts +1 -1
package/dist/client-resource.mjs +2 -2
package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/index.d.mts +50 -6
package/dist/index.mjs +467 -237
package/dist/{oauth-C8aTlaAC.d.mts → oauth-CU79t-eG.d.mts} +102 -5
package/dist/{oauth-Dh4YXCXY.d.mts → oauth-DJcZ8MMZ.d.mts} +152 -23
package/dist/{utils-CIbcUsZ5.mjs → utils-Cx_XnD9i.mjs} +35 -3
package/dist/{version-BGWhjYBb.mjs → version-CZxZ64qJ.mjs} +1 -1
package/package.json +5 -5

package/dist/{client-assertion-DZqo-L5j.mjs → client-assertion-CderPEmR.mjs} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { a as getClient } from "./utils-CIbcUsZ5.mjs";
+import { a as getClient } from "./utils-Cx_XnD9i.mjs";
 import { APIError } from "better-call";
 import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
@@ -62,7 +62,7 @@ function isPrivateHostname(hostname) {
 	if (host === "metadata.google.internal") return true;
 	return false;
 }
-function validateJwksUri(ctx, jwksUri) {
+function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
 	const parsed = new URL(jwksUri);
 	if (parsed.protocol !== "https:") throw new APIError("BAD_REQUEST", {
 		error_description: "jwks_uri must use HTTPS",
@@ -72,11 +72,20 @@ function validateJwksUri(ctx, jwksUri) {
 		error_description: "jwks_uri must not point to a private or reserved address",
 		error: "invalid_client"
 	});
+	if (clientIdUrlOrigin && parsed.origin === clientIdUrlOrigin) return;
 	if (!ctx.context.isTrustedOrigin(parsed.href)) throw new APIError("BAD_REQUEST", {
 		error_description: "client jwks_uri is not trusted",
 		error: "invalid_client"
 	});
 }
+function urlClientIdOrigin(clientId) {
+	if (!clientId.startsWith("https://") && !clientId.startsWith("http://")) return;
+	try {
+		return new URL(clientId).origin;
+	} catch {
+		return;
+	}
+}
 async function fetchJwksFromUri(jwksUri) {
 	const controller = new AbortController();
 	const timeout = setTimeout(() => controller.abort(), JWKS_FETCH_TIMEOUT_MS);
@@ -100,7 +109,7 @@ async function fetchClientJwks(ctx, client) {
 		error_description: "client has no JWKS configured",
 		error: "invalid_client"
 	});
-	validateJwksUri(ctx, client.jwksUri);
+	validateJwksUri(ctx, client.jwksUri, urlClientIdOrigin(client.clientId));
 	const now = Date.now();
 	const cached = jwksCache.get(client.jwksUri);
 	if (cached && now - cached.fetchedAt < JWKS_CACHE_TTL_MS) return cached.jwks;

package/dist/client-resource.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-C8aTlaAC.mjs";
+import { o as ResourceServerMetadata } from "./oauth-CU79t-eG.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";

package/dist/client-resource.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-CIbcUsZ5.mjs";
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-Dh4YXCXY.mjs";
+import { n as oauthProvider } from "./oauth-DJcZ8MMZ.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 //#region src/client.d.ts

package/dist/client.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts CHANGED Viewed

@@ -1,9 +1,10 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-Dh4YXCXY.mjs";
+import { _ as Scope, a as OIDCMetadata, b as Awaitable, c as AuthorizePrompt, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as OAuthClient, l as ClientDiscovery, m as OAuthRefreshToken, n as AuthServerMetadata, o as ResourceServerMetadata, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CU79t-eG.mjs";
+import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-DJcZ8MMZ.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { GenericEndpointContext } from "@better-auth/core";
+import * as better_auth0 from "better-auth";
 //#region src/mcp.d.ts
 /**
@@ -27,7 +28,37 @@ declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptio
 }): AuthServerMetadata;
 declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
   claims?: string[];
-}): Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+}): {
+  jwks_uri?: string | undefined;
+  userinfo_endpoint: string;
+  acr_values_supported: string[];
+  subject_types_supported: ("public" | "pairwise")[];
+  claims_supported: string[];
+  end_session_endpoint: string;
+  prompt_values_supported: Prompt[];
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  registration_endpoint: string;
+  scopes_supported?: string[] | undefined;
+  response_types_supported: "code"[];
+  response_modes_supported: "query"[];
+  grant_types_supported: GrantType[];
+  token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+  token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  service_documentation?: string | undefined;
+  ui_locales_supported?: string[] | undefined;
+  op_policy_uri?: string | undefined;
+  op_tos_uri?: string | undefined;
+  revocation_endpoint?: string | undefined;
+  revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  introspection_endpoint?: string | undefined;
+  introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  code_challenge_methods_supported: "S256"[];
+  authorization_response_iss_parameter_supported?: boolean | undefined;
+  client_id_metadata_document_supported?: boolean | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
 /**
@@ -44,7 +75,7 @@ declare const oauthProviderAuthServerMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 /**
  * Provides an exportable `/.well-known/openid-configuration`.
  *
@@ -59,6 +90,19 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//#region src/register.d.ts
+declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[]>, settings?: {
+  isRegister?: boolean;
+  ctx?: GenericEndpointContext;
+}): Promise<void>;
+/**
+ * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
+ *
+ * @param input
+ * @returns
+ */
+declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
+//#endregion
+export { AuthServerMetadata, AuthorizePrompt, ClientDiscovery, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthOpaqueAccessToken, OAuthOptions, type OAuthRedirectOnError, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };