@better-auth/oauth-provider 1.7.0-beta.1 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,5 @@
1
1
  //#endregion
2
2
  //#region src/version.ts
3
- const PACKAGE_VERSION = "1.7.0-beta.1";
3
+ const PACKAGE_VERSION = "1.7.0-beta.10";
4
4
  //#endregion
5
5
  export { PACKAGE_VERSION as t };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@better-auth/oauth-provider",
3
- "version": "1.7.0-beta.1",
3
+ "version": "1.7.0-beta.10",
4
4
  "description": "An oauth provider plugin for Better Auth",
5
5
  "type": "module",
6
6
  "license": "MIT",
@@ -57,22 +57,21 @@
57
57
  }
58
58
  },
59
59
  "dependencies": {
60
- "jose": "^6.1.3",
60
+ "jose": "^6.2.3",
61
61
  "zod": "^4.3.6"
62
62
  },
63
63
  "devDependencies": {
64
- "@modelcontextprotocol/sdk": "^1.27.1",
65
64
  "listhen": "^1.9.0",
66
65
  "tsdown": "0.21.1",
67
- "@better-auth/core": "1.7.0-beta.1",
68
- "better-auth": "1.7.0-beta.1"
66
+ "@better-auth/core": "1.7.0-beta.10",
67
+ "better-auth": "1.7.0-beta.10"
69
68
  },
70
69
  "peerDependencies": {
71
- "@better-auth/utils": "0.4.0",
72
- "@better-fetch/fetch": "1.1.21",
73
- "better-call": "1.3.5",
74
- "@better-auth/core": "^1.7.0-beta.1",
75
- "better-auth": "^1.7.0-beta.1"
70
+ "@better-auth/utils": "0.4.2",
71
+ "@better-fetch/fetch": "1.3.1",
72
+ "better-call": "1.3.7",
73
+ "@better-auth/core": "^1.7.0-beta.10",
74
+ "better-auth": "^1.7.0-beta.10"
76
75
  },
77
76
  "scripts": {
78
77
  "build": "tsdown",
@@ -1,56 +0,0 @@
1
- import { isAPIError } from "better-auth/api";
2
- import { verifyAccessToken } from "better-auth/oauth2";
3
- import { APIError as APIError$1 } from "better-call";
4
- //#region src/mcp.ts
5
- /**
6
- * A request middleware handler that checks and responds with
7
- * a WWW-Authenticate header for unauthenticated responses.
8
- *
9
- * @external
10
- */
11
- const mcpHandler = (verifyOptions, handler, opts) => {
12
- return async (req) => {
13
- const authorization = req.headers?.get("authorization") ?? void 0;
14
- const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
15
- try {
16
- if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
17
- return handler(req, await verifyAccessToken(accessToken, verifyOptions));
18
- } catch (error) {
19
- try {
20
- handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
21
- } catch (err) {
22
- if (err instanceof APIError$1) return new Response(err.message, {
23
- ...err,
24
- status: err.statusCode
25
- });
26
- throw new Error(String(err));
27
- }
28
- throw new Error(String(error));
29
- }
30
- };
31
- };
32
- /**
33
- * The following handles all MCP errors and API errors
34
- *
35
- * @internal
36
- */
37
- function handleMcpErrors(error, resource, opts) {
38
- if (isAPIError(error) && error.status === "UNAUTHORIZED") {
39
- const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
40
- let audiencePath;
41
- if (URL.canParse?.(v)) {
42
- const url = new URL(v);
43
- audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
44
- return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
45
- } else {
46
- const resourceMetadata = opts?.resourceMetadataMappings?.[v];
47
- if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
48
- return `Bearer resource_metadata=${resourceMetadata}`;
49
- }
50
- }).join(", ");
51
- throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
52
- } else if (error instanceof Error) throw error;
53
- else throw new Error(error);
54
- }
55
- //#endregion
56
- export { mcpHandler as n, handleMcpErrors as t };
@@ -1,449 +0,0 @@
1
- import { APIError } from "better-call";
2
- import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
3
- import { BetterAuthError } from "@better-auth/core/error";
4
- import { base64, base64Url } from "@better-auth/utils/base64";
5
- import { createHash } from "@better-auth/utils/hash";
6
- //#region src/utils/index.ts
7
- var TTLCache = class {
8
- cache = /* @__PURE__ */ new Map();
9
- constructor() {}
10
- set(key, value) {
11
- this.cache.set(key, value);
12
- }
13
- get(key) {
14
- const entry = this.cache.get(key);
15
- if (!entry) return void 0;
16
- if (entry.expiresAt && entry.expiresAt < /* @__PURE__ */ new Date()) {
17
- this.cache.delete(key);
18
- return;
19
- }
20
- return entry;
21
- }
22
- };
23
- /**
24
- * Gets the oAuth Provider Plugin
25
- * @internal
26
- */
27
- const getOAuthProviderPlugin = (ctx) => {
28
- return ctx.getPlugin("oauth-provider");
29
- };
30
- /**
31
- * Gets the JWT Plugin
32
- * @internal
33
- */
34
- const getJwtPlugin = (ctx) => {
35
- const plugin = ctx.getPlugin("jwt");
36
- if (!plugin) throw new BetterAuthError("jwt_config");
37
- return plugin;
38
- };
39
- /**
40
- * Normalizes timestamp-like values returned by adapters.
41
- *
42
- * Accepts Date instances, epoch milliseconds as numbers, and strings that are
43
- * either ISO dates or numeric millisecond values such as "1774295570569.0".
44
- */
45
- function normalizeTimestampValue(value) {
46
- if (value == null) return;
47
- if (value instanceof Date) return Number.isFinite(value.getTime()) ? value : void 0;
48
- if (typeof value === "number") {
49
- if (!Number.isFinite(value)) return;
50
- const parsed = new Date(value);
51
- return Number.isFinite(parsed.getTime()) ? parsed : void 0;
52
- }
53
- if (typeof value === "string") {
54
- const trimmed = value.trim();
55
- if (!trimmed.length) return;
56
- const numeric = Number(trimmed);
57
- if (Number.isFinite(numeric)) {
58
- const parsed = new Date(numeric);
59
- return Number.isFinite(parsed.getTime()) ? parsed : void 0;
60
- }
61
- const parsed = new Date(trimmed);
62
- return Number.isFinite(parsed.getTime()) ? parsed : void 0;
63
- }
64
- }
65
- /**
66
- * Resolves a session auth time from common adapter return shapes.
67
- */
68
- function resolveSessionAuthTime(value) {
69
- if (value instanceof Date) return normalizeTimestampValue(value);
70
- if (!value || typeof value !== "object") return normalizeTimestampValue(value);
71
- const direct = normalizeTimestampValue(value.createdAt) ?? normalizeTimestampValue(value.created_at);
72
- if (direct) return direct;
73
- const nested = value.session;
74
- if (!nested || typeof nested !== "object") return;
75
- return normalizeTimestampValue(nested.createdAt) ?? normalizeTimestampValue(nested.created_at);
76
- }
77
- const cachedTrustedClients = new TTLCache();
78
- async function verifyOAuthQueryParams(oauth_query, secret) {
79
- const queryParams = new URLSearchParams(oauth_query);
80
- const sig = queryParams.get("sig");
81
- const exp = Number(queryParams.get("exp"));
82
- queryParams.delete("sig");
83
- const verifySig = await makeSignature(queryParams.toString(), secret);
84
- return !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
85
- }
86
- /**
87
- * Get a client by ID, checking trusted clients first, then database
88
- */
89
- async function getClient(ctx, options, clientId) {
90
- const trustedClient = cachedTrustedClients.get(clientId);
91
- if (trustedClient) return Object.assign({}, trustedClient);
92
- let dbClient = await ctx.context.adapter.findOne({
93
- model: options.schema?.oauthClient?.modelName ?? "oauthClient",
94
- where: [{
95
- field: "clientId",
96
- value: clientId
97
- }]
98
- });
99
- const discoveries = toClientDiscoveryArray(options.clientDiscovery);
100
- for (const discovery of discoveries) {
101
- if (!discovery.matches(clientId)) continue;
102
- const resolved = await discovery.resolve(ctx, clientId, dbClient);
103
- if (resolved) {
104
- dbClient = resolved;
105
- break;
106
- }
107
- }
108
- if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
109
- return dbClient;
110
- }
111
- /**
112
- * Normalize the `clientDiscovery` option into an array. Accepts a single
113
- * {@link ClientDiscovery}, an array of them, or `undefined`.
114
- *
115
- * @internal
116
- */
117
- function toClientDiscoveryArray(discovery) {
118
- if (!discovery) return [];
119
- return Array.isArray(discovery) ? discovery : [discovery];
120
- }
121
- /**
122
- * Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
123
- * into a single object. Entries are spread in order; later entries override
124
- * earlier ones on key collisions.
125
- *
126
- * @internal
127
- */
128
- function mergeDiscoveryMetadata(discovery) {
129
- return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
130
- ...acc,
131
- ...d.discoveryMetadata ?? {}
132
- }), {});
133
- }
134
- /**
135
- * Default client secret hasher using SHA-256
136
- *
137
- * @internal
138
- */
139
- const defaultHasher = async (value) => {
140
- const hash = await createHash("SHA-256").digest(new TextEncoder().encode(value));
141
- return base64Url.encode(new Uint8Array(hash), { padding: false });
142
- };
143
- /**
144
- * Decrypts a storedClientSecret for signing
145
- *
146
- * @internal
147
- */
148
- async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret) {
149
- if (storageMethod === "encrypted") return await symmetricDecrypt({
150
- key: ctx.context.secretConfig,
151
- data: storedClientSecret
152
- });
153
- else if (typeof storageMethod === "object" && "decrypt" in storageMethod) return await storageMethod.decrypt(storedClientSecret);
154
- throw new BetterAuthError(`Unsupported decryption storageMethod type '${storageMethod}'`);
155
- }
156
- /**
157
- * Verify stored client secret against provided client secret
158
- *
159
- * @internal
160
- */
161
- async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
162
- const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
163
- if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
164
- else throw new APIError("UNAUTHORIZED", {
165
- error_description: "invalid client_secret",
166
- error: "invalid_client"
167
- });
168
- if (storageMethod === "hashed") {
169
- const hashedClientSecret = clientSecret ? await defaultHasher(clientSecret) : void 0;
170
- return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
171
- } else if (typeof storageMethod === "object" && "hash" in storageMethod) if (storageMethod.verify) return !!clientSecret && await storageMethod.verify(clientSecret, storedClientSecret);
172
- else {
173
- const hashedClientSecret = clientSecret ? await storageMethod.hash(clientSecret) : void 0;
174
- return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
175
- }
176
- else if (storageMethod === "encrypted") try {
177
- const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
178
- return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
179
- } catch {
180
- return false;
181
- }
182
- else if (typeof storageMethod === "object" && "decrypt" in storageMethod) {
183
- const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
184
- return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
185
- }
186
- throw new BetterAuthError(`Unsupported verify storageMethod type '${storageMethod}'`);
187
- }
188
- /**
189
- * Store client secret according to the configured storage method
190
- *
191
- * @internal
192
- */
193
- async function storeClientSecret(ctx, opts, clientSecret) {
194
- const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
195
- if (storageMethod === "encrypted") return await symmetricEncrypt({
196
- key: ctx.context.secretConfig,
197
- data: clientSecret
198
- });
199
- else if (storageMethod === "hashed") return await defaultHasher(clientSecret);
200
- else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(clientSecret);
201
- else if (typeof storageMethod === "object" && "encrypt" in storageMethod) return await storageMethod.encrypt(clientSecret);
202
- throw new BetterAuthError(`Unsupported storeClientSecret type '${storageMethod}'`);
203
- }
204
- /**
205
- * Stores a token value (ie opaque tokens, refresh tokens, transaction tokens, verification codes)
206
- * on the database in a secure hashed format.
207
- *
208
- * @internal
209
- */
210
- async function storeToken(storageMethod = "hashed", token, type) {
211
- if (storageMethod === "hashed") return await defaultHasher(token);
212
- else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
213
- throw new BetterAuthError(`storeToken: unsupported storageMethod type '${storageMethod}'`);
214
- }
215
- /**
216
- * Gets a hashed token value to find on the database.
217
- *
218
- * @internal
219
- */
220
- async function getStoredToken(storageMethod = "hashed", token, type) {
221
- if (storageMethod === "hashed") return await defaultHasher(token);
222
- else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
223
- throw new BetterAuthError(`getStoredToken: unsupported storageMethod type '${storageMethod}'`);
224
- }
225
- /**
226
- * Converts a BASIC authorization header
227
- * into its client_id and client_secret representation
228
- *
229
- * @internal
230
- */
231
- function basicToClientCredentials(authorization) {
232
- if (authorization.startsWith("Basic ")) {
233
- const encoded = authorization.replace("Basic ", "");
234
- const decoded = new TextDecoder().decode(base64.decode(encoded));
235
- if (!decoded.includes(":")) throw new APIError("BAD_REQUEST", {
236
- error_description: "invalid authorization header format",
237
- error: "invalid_client"
238
- });
239
- const [id, secret] = decoded.split(":", 2);
240
- if (!id || !secret) throw new APIError("BAD_REQUEST", {
241
- error_description: "invalid authorization header format",
242
- error: "invalid_client"
243
- });
244
- return {
245
- client_id: id,
246
- client_secret: secret
247
- };
248
- }
249
- }
250
- /**
251
- * Validates client credentials failing on mismatches
252
- * and incorrectly provided information
253
- *
254
- * @internal
255
- */
256
- async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
257
- const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
258
- if (!client) throw new APIError("BAD_REQUEST", {
259
- error_description: "missing client",
260
- error: "invalid_client"
261
- });
262
- if (client.disabled) throw new APIError("BAD_REQUEST", {
263
- error_description: "client is disabled",
264
- error: "invalid_client"
265
- });
266
- if (client.tokenEndpointAuthMethod === "private_key_jwt" && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
267
- error_description: "client registered for private_key_jwt must use client_assertion",
268
- error: "invalid_client"
269
- });
270
- if (!preVerifiedClient) {
271
- if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
272
- error_description: "client secret must be provided",
273
- error: "invalid_client"
274
- });
275
- if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
276
- error_description: "public client, client secret should not be received",
277
- error: "invalid_client"
278
- });
279
- if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
280
- error_description: "invalid client_secret",
281
- error: "invalid_client"
282
- });
283
- }
284
- if (scopes && client.scopes) {
285
- const validScopes = new Set(client.scopes);
286
- for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
287
- error_description: `client does not allow scope ${sc}`,
288
- error: "invalid_scope"
289
- });
290
- }
291
- return client;
292
- }
293
- /**
294
- * Parse client metadata that may be stored as JSON string or already parsed object.
295
- * Handles database adapters that auto-parse JSON columns.
296
- *
297
- * @internal
298
- */
299
- function parseClientMetadata(metadata) {
300
- if (!metadata) return void 0;
301
- return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
302
- }
303
- /** Unwraps ExtractedCredentials into the fields each grant handler needs. */
304
- function destructureCredentials(credentials) {
305
- return {
306
- clientId: credentials?.clientId,
307
- clientSecret: credentials?.method === "client_secret_basic" || credentials?.method === "client_secret_post" ? credentials.clientSecret : void 0,
308
- preVerifiedClient: credentials?.method === "private_key_jwt" ? credentials.client : void 0
309
- };
310
- }
311
- /**
312
- * Extracts and resolves client credentials from the request.
313
- * Supports: client_secret_basic, client_secret_post, private_key_jwt, and none (public).
314
- */
315
- async function extractClientCredentials(ctx, opts, expectedAudience) {
316
- const body = ctx.body ?? {};
317
- const authorization = ctx.request?.headers.get("authorization") ?? void 0;
318
- if (body.client_assertion_type || body.client_assertion) {
319
- if (!body.client_assertion || !body.client_assertion_type) throw new APIError("BAD_REQUEST", {
320
- error_description: "client_assertion and client_assertion_type must both be provided",
321
- error: "invalid_client"
322
- });
323
- if (body.client_secret || authorization?.startsWith("Basic ")) throw new APIError("BAD_REQUEST", {
324
- error_description: "client_assertion cannot be combined with client_secret or Basic auth",
325
- error: "invalid_client"
326
- });
327
- const { verifyClientAssertion: verify } = await import("./client-assertion-CderPEmR.mjs").then((n) => n.t);
328
- const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
329
- return {
330
- method: "private_key_jwt",
331
- clientId: result.clientId,
332
- client: result.client
333
- };
334
- }
335
- if (authorization?.startsWith("Basic ")) {
336
- const res = basicToClientCredentials(authorization);
337
- if (res) return {
338
- method: "client_secret_basic",
339
- clientId: res.client_id,
340
- clientSecret: res.client_secret
341
- };
342
- }
343
- if (body.client_id && body.client_secret) return {
344
- method: "client_secret_post",
345
- clientId: body.client_id,
346
- clientSecret: body.client_secret
347
- };
348
- if (body.client_id) return {
349
- method: "none",
350
- clientId: body.client_id
351
- };
352
- return null;
353
- }
354
- /**
355
- * Parse space-separated prompt string into a set of prompts
356
- *
357
- * @param prompt
358
- */
359
- function parsePrompt(prompt) {
360
- const prompts = prompt.split(" ").map((p) => p.trim());
361
- const set = /* @__PURE__ */ new Set();
362
- for (const p of prompts) if (p === "login" || p === "consent" || p === "create" || p === "select_account" || p === "none") set.add(p);
363
- return new Set(set);
364
- }
365
- /**
366
- * Extracts the sector identifier (hostname) from a client's first redirect URI.
367
- *
368
- * @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
369
- * @internal
370
- */
371
- function getSectorIdentifier(client) {
372
- const uri = client.redirectUris?.[0];
373
- if (!uri) throw new BetterAuthError("Client has no redirect URIs for sector identifier");
374
- return new URL(uri).host;
375
- }
376
- /**
377
- * Computes a pairwise subject identifier using HMAC-SHA256.
378
- *
379
- * @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
380
- * @internal
381
- */
382
- async function computePairwiseSub(userId, client, secret) {
383
- return makeSignature(`${getSectorIdentifier(client)}.${userId}`, secret);
384
- }
385
- /**
386
- * Returns the appropriate subject identifier for a user+client pair.
387
- * Uses pairwise when the client opts in and the server has a secret configured.
388
- *
389
- * @internal
390
- */
391
- async function resolveSubjectIdentifier(userId, client, opts) {
392
- if (client.subjectType === "pairwise" && opts.pairwiseSecret) return computePairwiseSub(userId, client, opts.pairwiseSecret);
393
- return userId;
394
- }
395
- /**
396
- * Converts URLSearchParams to a plain object, preserving
397
- * multi-valued keys as arrays instead of discarding duplicates.
398
- */
399
- function searchParamsToQuery(params) {
400
- const result = Object.create(null);
401
- for (const key of new Set(params.keys())) {
402
- const values = params.getAll(key);
403
- result[key] = values.length === 1 ? values[0] : values;
404
- }
405
- return result;
406
- }
407
- /**
408
- * Deletes a prompt value
409
- *
410
- * @param ctx
411
- * @param prompt - the prompt value to delete
412
- */
413
- function deleteFromPrompt(query, prompt) {
414
- const prompts = query.get("prompt")?.split(" ");
415
- const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
416
- if (foundPrompt >= 0) {
417
- prompts?.splice(foundPrompt, 1);
418
- prompts?.length ? query.set("prompt", prompts.join(" ")) : query.delete("prompt");
419
- }
420
- return searchParamsToQuery(query);
421
- }
422
- var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
423
- PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
424
- PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
425
- PKCERequirementErrors["CLIENT_REQUIRE_PKCE"] = "pkce is required for this client";
426
- return PKCERequirementErrors;
427
- }(PKCERequirementErrors || {});
428
- /**
429
- * Determines if PKCE is required for a given client and scope.
430
- *
431
- * PKCE is always required for:
432
- * 1. Public clients (cannot securely store client_secret)
433
- * 2. Requests with offline_access scope (refresh token security)
434
- *
435
- * For confidential clients without offline_access:
436
- * - Uses client.requirePKCE if set (defaults to true)
437
- *
438
- * Returns false if PKCE is not required, or the reason it is required.
439
- *
440
- * @internal
441
- */
442
- function isPKCERequired(client, requestedScopes) {
443
- if (client.tokenEndpointAuthMethod === "none" || client.type === "native" || client.type === "user-agent-based" || client.public === true) return PKCERequirementErrors.PUBLIC_CLIENT;
444
- if (requestedScopes?.includes("offline_access")) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
445
- if (client.requirePKCE ?? true) return PKCERequirementErrors.CLIENT_REQUIRE_PKCE;
446
- return false;
447
- }
448
- //#endregion
449
- export { storeClientSecret as _, getClient as a, validateClientCredentials as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, extractClientCredentials as i, isPKCERequired as l, resolveSessionAuthTime as m, deleteFromPrompt as n, getJwtPlugin as o, parsePrompt as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, storeToken as v, verifyOAuthQueryParams as x, toClientDiscoveryArray as y };