@better-auth/oauth-provider 1.7.0-beta.1 → 1.7.0-beta.3

package/dist/index.mjs

@@ -1,12 +1,13 @@
-import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
+import { n as isPrivateHostname } from "./client-assertion-BYtMWGCE.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
-import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
+import { C as validateClientCredentials, S as toClientDiscoveryArray, _ as resolveSubjectIdentifier, a as getJwtPlugin, b as storeClientSecret, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as resolveSessionAuthTime, h as removePromptFromQuery, i as getClient, l as isPKCERequired, m as postLoginClearedParam, n as destructureCredentials, p as parsePrompt, r as extractClientCredentials, s as getSignedQueryIssuedAt, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as searchParamsToQuery, w as verifyOAuthQueryParams, x as storeToken, y as signedQueryIssuedAtParam } from "./utils-_Jr_enAe.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
+import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -18,7 +19,8 @@ import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+	const oauthRequest = await oAuthState.get();
+	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -42,6 +44,17 @@ async function consentEndpoint(ctx, opts) {
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
+	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
+		ctx?.headers?.set("accept", "application/json");
+		ctx.query = searchParamsToQuery(query);
+		const { url } = await authorizeEndpoint(ctx, opts);
+		return {
+			redirect: true,
+			url
+		};
+	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
 		session: session?.session,
@@ -92,14 +105,21 @@ async function consentEndpoint(ctx, opts) {
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
+	let authorizationQuery = removePromptFromQuery(query, "consent");
+	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	ctx.query = searchParamsToQuery(authorizationQuery);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 	return {
 		redirect: true,
 		url
 	};
 }
+function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 //#endregion
 //#region src/continue.ts
 async function continueEndpoint(ctx, opts) {
@@ -118,7 +138,7 @@ async function selected(ctx, opts) {
 		error: "invalid_request"
 	});
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -133,7 +153,7 @@ async function created(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "create");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -162,9 +182,6 @@ const DANGEROUS_SCHEMES = [
 	"data:",
 	"vbscript:"
 ];
-function isLocalhost(hostname) {
-	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -203,7 +220,7 @@ const verificationValueSchema = z.object({
 /**
 * Reusable URL validation for OAuth redirect URIs.
 * - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
 * - Allows custom schemes for mobile apps (e.g., myapp://callback)
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
@@ -223,12 +240,10 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		});
 		return;
 	}
-	if (u.protocol === "http:" || u.protocol === "https:") {
-		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-			code: "custom",
-			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-		});
-	}
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+	});
 });
 //#endregion
 //#region src/userinfo.ts
@@ -259,11 +274,7 @@ function userNormalClaims(user, scopes) {
 * Handles the /oauth2/userinfo endpoint
 */
 async function userInfoEndpoint(ctx, opts) {
-	if (!ctx.request) throw new APIError("UNAUTHORIZED", {
-		error_description: "request not found",
-		error: "invalid_request"
-	});
-	const authorization = ctx.request.headers.get("authorization");
+	const authorization = ctx.headers?.get("authorization");
 	const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
 	if (!token?.length) throw new APIError("UNAUTHORIZED", {
 		error_description: "authorization header not found",
@@ -309,8 +320,8 @@ async function userInfoEndpoint(ctx, opts) {
 * the grant types
 */
 async function tokenEndpoint(ctx, opts) {
-	const grantType = ctx.body?.grant_type;
-	if (opts.grantTypes && grantType && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
+	const grantType = ctx.body.grant_type;
+	if (opts.grantTypes && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
 		error_description: `unsupported grant_type ${grantType}`,
 		error: "unsupported_grant_type"
 	});
@@ -318,14 +329,6 @@ async function tokenEndpoint(ctx, opts) {
 		case "authorization_code": return handleAuthorizationCodeGrant(ctx, opts);
 		case "client_credentials": return handleClientCredentialsGrant(ctx, opts);
 		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
-		case void 0: throw new APIError("BAD_REQUEST", {
-			error_description: "missing required grant_type",
-			error: "unsupported_grant_type"
-		});
-		default: throw new APIError("BAD_REQUEST", {
-			error_description: `unsupported grant_type ${grantType}`,
-			error: "unsupported_grant_type"
-		});
 	}
 }
 async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
@@ -955,7 +958,7 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 			model: "session",
 			where: [{
 				field: "id",
-				value: refreshToken.sessionId
+				value: sessionId
 			}]
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
@@ -1016,6 +1019,7 @@ async function resolveIntrospectionSub(opts, payload, client) {
 }
 async function introspectEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
+	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
 	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
@@ -1173,6 +1177,109 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 //#endregion
+//#region src/oauth-endpoint.ts
+/**
+* Wraps `createAuthEndpoint` so zod schemas stay the single source of truth
+* for body/query shape while validation failures serialize as the RFC 6749
+* §5.2 error envelope `{ error, error_description }`.
+*
+* A failing issue is routed by its first path segment via `errorCodesByField`:
+* - missing required (`invalid_type` + "received undefined") → `.missing`
+* - unsupported value (`invalid_value`) → `.invalid`
+* - anything else (wrong type, duplicated params, bad format) → `defaultError`
+*
+* For enum fields that need to distinguish missing from unsupported, compose
+* as `z.string().pipe(z.enum([...]))` so duplicated params fail the outer
+* `z.string()` as `invalid_type` instead of masquerading as an unsupported
+* enum value.
+*/
+function createOAuthEndpoint(path, options, handler) {
+	const { redirectOnError, onValidationError: userHook, errorCodesByField, defaultError = "invalid_request", ...rest } = options;
+	if (!redirectOnError) return createAuthEndpoint(path, {
+		...rest,
+		onValidationError: async (args) => {
+			if (userHook) await userHook(args);
+			throw new APIError$1("BAD_REQUEST", { ...mapIssuesToOAuthError(args.issues, errorCodesByField, defaultError) });
+		}
+	}, handler);
+	const redirect = redirectOnError;
+	const { body: bodySchema, query: querySchema, ...forwarded } = rest;
+	async function validateSlot(ctx, slot, schema) {
+		if (!schema) return { ok: true };
+		const result = await schema.safeParseAsync(ctx[slot] ?? {});
+		if (result.success) {
+			ctx[slot] = result.data;
+			return { ok: true };
+		}
+		if (userHook) await userHook({
+			message: result.error.message,
+			issues: result.error.issues
+		});
+		return {
+			ok: false,
+			response: redirect({
+				...mapIssuesToOAuthError(result.error.issues, errorCodesByField, defaultError),
+				ctx
+			})
+		};
+	}
+	return createAuthEndpoint(path, forwarded, async (ctx) => {
+		const body = await validateSlot(ctx, "body", bodySchema);
+		if (!body.ok) return body.response;
+		const query = await validateSlot(ctx, "query", querySchema);
+		if (!query.ok) return query.response;
+		return handler(ctx);
+	});
+}
+function mapIssuesToOAuthError(issues, errorCodesByField, defaultError = "invalid_request") {
+	const issue = issues[0];
+	if (!issue) return {
+		error: defaultError,
+		error_description: "Invalid request."
+	};
+	const first = issue.path?.[0];
+	const fieldKey = typeof first === "string" ? first : void 0;
+	const mapping = fieldKey ? errorCodesByField?.[fieldKey] : void 0;
+	const field = issue.path?.length ? z.core.toDotPath(issue.path) : "";
+	return {
+		error: resolveErrorCode(issue, mapping, defaultError),
+		error_description: describeIssue(issue, field)
+	};
+}
+function resolveErrorCode(issue, mapping, defaultError) {
+	if (typeof mapping === "string") return mapping;
+	if (isMissingValueIssue(issue)) return mapping?.missing ?? defaultError;
+	if (issue.code === "invalid_value") return mapping?.invalid ?? defaultError;
+	return defaultError;
+}
+/**
+* Returns `true` for issues that represent an absent required value. Zod v4
+* strips `input` from published issues, so the signal is the `invalid_type`
+* code combined with a message suffix of "received undefined". The suffix is
+* pinned by a regression test so a zod rephrase fails the test instead of
+* silently reclassifying missing fields.
+*
+* Assumes the default zod error map. Consumers that install a localized map
+* via `z.setErrorMap()` will break this check, collapsing missing-field
+* failures to `defaultError`.
+*/
+function isMissingValueIssue(issue) {
+	return issue.code === "invalid_type" && issue.message.endsWith("received undefined");
+}
+function describeIssue(issue, field) {
+	if (!field) return issue.message;
+	if (issue.code === "invalid_type") {
+		if (issue.message.endsWith("received undefined")) return `${field} is required`;
+		if (issue.message.endsWith("received array")) return `${field} must not appear more than once`;
+		return `${field} must be a ${issue.expected ?? "valid value"}`;
+	}
+	if (issue.code === "invalid_value") {
+		const values = issue.values;
+		if (Array.isArray(values) && values.length > 0) return `${field} must be one of: ${values.join(", ")}`;
+	}
+	return `${field}: ${issue.message}`;
+}
+//#endregion
 //#region src/middleware/index.ts
 const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!opts.allowPublicClientPrelogin) throw new APIError("BAD_REQUEST");
@@ -1458,14 +1565,8 @@ function schemaToOAuth(input) {
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "read");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "read",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, ctx.query.client_id);
 	if (!client) throw new APIError("NOT_FOUND", {
 		error_description: "client not found",
@@ -1506,14 +1607,8 @@ async function getClientPublicEndpoint(ctx, opts, clientId) {
 }
 async function getClientsEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "list");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "list",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const referenceId = await opts.clientReference?.(session);
 	if (referenceId) return await ctx.context.adapter.findMany({
 		model: "oauthClient",
@@ -1547,14 +1642,8 @@ async function getClientsEndpoint(ctx, opts) {
 }
 async function deleteClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "delete");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "delete",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1580,14 +1669,8 @@ async function deleteClientEndpoint(ctx, opts) {
 }
 async function updateClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "update");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "update",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1641,14 +1724,8 @@ async function updateClientEndpoint(ctx, opts) {
 }
 async function rotateClientSecretEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "rotate");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "rotate",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1690,6 +1767,16 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1875,6 +1962,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -2047,6 +2135,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2459,6 +2548,7 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 }
 async function revokeEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
+	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
@@ -2546,7 +2636,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			createdAt: {
 				type: "date",
@@ -2653,7 +2744,8 @@ const schema = {
 			references: {
 				model: "oauthClient",
 				field: "clientId"
-			}
+			},
+			index: true
 		},
 		sessionId: {
 			type: "string",
@@ -2662,7 +2754,8 @@ const schema = {
 				model: "session",
 				field: "id",
 				onDelete: "set null"
-			}
+			},
+			index: true
 		},
 		userId: {
 			type: "string",
@@ -2670,7 +2763,8 @@ const schema = {
 			references: {
 				model: "user",
 				field: "id"
-			}
+			},
+			index: true
 		},
 		referenceId: {
 			type: "string",
@@ -2704,7 +2798,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			sessionId: {
 				type: "string",
@@ -2713,7 +2808,8 @@ const schema = {
 					model: "session",
 					field: "id",
 					onDelete: "set null"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2721,7 +2817,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2733,7 +2830,8 @@ const schema = {
 				references: {
 					model: "oauthRefreshToken",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
@@ -2752,7 +2850,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2760,7 +2859,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2872,10 +2972,18 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const query = ctx.body.oauth_query;
 					if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					const signedQueryIssuedAt = getSignedQueryIssuedAt(query);
 					const queryParams = new URLSearchParams(query);
+					const postLoginClearedForSession = queryParams.get("ba_pl") ?? void 0;
 					queryParams.delete("sig");
 					queryParams.delete("exp");
-					await oAuthState.set({ query: queryParams.toString() });
+					queryParams.delete(signedQueryIssuedAtParam);
+					queryParams.delete(postLoginClearedParam);
+					await oAuthState.set({
+						query: queryParams.toString(),
+						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
+						postLoginClearedForSession
+					});
 					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
@@ -2899,7 +3007,7 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = deleteFromPrompt(query, "login");
+					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
 					return await authorizeEndpoint(ctx, opts);
 				})
 			}]
@@ -2927,19 +3035,19 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
+			oauth2Authorize: createOAuthEndpoint("/oauth2/authorize", {
 				method: "GET",
 				query: z.object({
-					response_type: z.enum(["code"]).optional(),
+					response_type: z.string().pipe(z.enum(["code"])).optional(),
 					client_id: z.string(),
 					redirect_uri: SafeUrlSchema.optional(),
 					scope: z.string().optional(),
 					state: z.string().optional(),
 					request_uri: z.string().optional(),
 					code_challenge: z.string().optional(),
-					code_challenge_method: z.enum(["S256"]).optional(),
+					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
 					nonce: z.string().optional(),
-					prompt: z.enum([
+					prompt: z.string().pipe(z.enum([
 						"none",
 						"consent",
 						"login",
@@ -2947,8 +3055,10 @@ const oauthProvider = (options) => {
 						"select_account",
 						"login consent",
 						"select_account consent"
-					]).optional()
+					])).optional()
 				}),
+				redirectOnError: authorizeRedirectOnError(opts),
+				errorCodesByField: { response_type: { invalid: "unsupported_response_type" } },
 				metadata: { openapi: {
 					description: "Authorize an OAuth2 request",
 					parameters: [
@@ -3107,14 +3217,14 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return continueEndpoint(ctx, opts);
 			}),
-			oauth2Token: createAuthEndpoint("/oauth2/token", {
+			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
 				body: z.object({
-					grant_type: z.enum([
+					grant_type: z.string().pipe(z.enum([
 						"authorization_code",
 						"client_credentials",
 						"refresh_token"
-					]),
+					])),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
 					client_assertion: z.string().optional(),
@@ -3126,6 +3236,10 @@ const oauthProvider = (options) => {
 					resource: z.string().optional(),
 					scope: z.string().optional()
 				}),
+				errorCodesByField: { grant_type: {
+					missing: "invalid_request",
+					invalid: "unsupported_grant_type"
+				} },
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
@@ -3238,7 +3352,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return tokenEndpoint(ctx, opts);
 			}),
-			oauth2Introspect: createAuthEndpoint("/oauth2/introspect", {
+			oauth2Introspect: createOAuthEndpoint("/oauth2/introspect", {
 				method: "POST",
 				body: z.object({
 					client_id: z.string().optional(),
@@ -3246,7 +3360,7 @@ const oauthProvider = (options) => {
 					client_assertion: z.string().optional(),
 					client_assertion_type: z.string().optional(),
 					token: z.string(),
-					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+					token_type_hint: z.string().optional()
 				}),
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
@@ -3271,8 +3385,7 @@ const oauthProvider = (options) => {
 									},
 									token_type_hint: {
 										type: "string",
-										enum: ["access_token", "refresh_token"],
-										description: "Hint about the type of the token submitted for introspection"
+										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
 									},
 									resource: {
 										type: "string",
@@ -3358,7 +3471,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return introspectEndpoint(ctx, opts);
 			}),
-			oauth2Revoke: createAuthEndpoint("/oauth2/revoke", {
+			oauth2Revoke: createOAuthEndpoint("/oauth2/revoke", {
 				method: "POST",
 				body: z.object({
 					client_id: z.string().optional(),
@@ -3366,7 +3479,7 @@ const oauthProvider = (options) => {
 					client_assertion: z.string().optional(),
 					client_assertion_type: z.string().optional(),
 					token: z.string(),
-					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+					token_type_hint: z.string().optional()
 				}),
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
@@ -3391,8 +3504,7 @@ const oauthProvider = (options) => {
 									},
 									token_type_hint: {
 										type: "string",
-										enum: ["access_token", "refresh_token"],
-										description: "Hint about the type of the token submitted for revocation"
+										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
 									}
 								},
 								required: ["token"]
@@ -3513,7 +3625,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return userInfoEndpoint(ctx, opts);
 			}),
-			oauth2EndSession: createAuthEndpoint("/oauth2/end-session", {
+			oauth2EndSession: createOAuthEndpoint("/oauth2/end-session", {
 				method: "GET",
 				query: z.object({
 					id_token_hint: z.string(),
@@ -3544,7 +3656,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return rpInitiatedLogoutEndpoint(ctx, opts);
 			}),
-			registerOAuthClient: createAuthEndpoint("/oauth2/register", {
+			registerOAuthClient: createOAuthEndpoint("/oauth2/register", {
 				method: "POST",
 				body: z.object({
 					redirect_uris: z.array(SafeUrlSchema).min(1).min(1),
@@ -3581,6 +3693,12 @@ const oauthProvider = (options) => {
 					subject_type: z.enum(["public", "pairwise"]).optional(),
 					skip_consent: z.never({ error: "skip_consent cannot be set during dynamic client registration" }).optional()
 				}),
+				errorCodesByField: {
+					redirect_uris: "invalid_redirect_uri",
+					post_logout_redirect_uris: "invalid_redirect_uri",
+					software_statement: "invalid_software_statement"
+				},
+				defaultError: "invalid_client_metadata",
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
 					responses: { "200": {
@@ -3773,17 +3891,37 @@ const oauthProvider = (options) => {
 //#endregion
 //#region src/authorize.ts
 /**
-* Formats an error url
+* Formats an error url. Per OIDC Core 1.0 §5 / RFC 6749 §4.2.2.1, errors on
+* implicit and hybrid flows are delivered in the URL fragment, not the query.
+* Callers on the code flow (default) omit `mode` and get query delivery.
 */
-function formatErrorURL(url, error, description, state, iss) {
+function formatErrorURL(url, error, description, state, iss, mode = "query") {
 	const searchParams = new URLSearchParams({
 		error,
 		error_description: description
 	});
 	state && searchParams.append("state", state);
 	iss && searchParams.append("iss", iss);
+	if (mode === "fragment") return `${url}#${searchParams.toString()}`;
 	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
 }
+/**
+* Selects the response mode for an error redirect to the RP. OIDC Core 1.0 §5
+* defines defaults based on response_type: `code` → query, types containing
+* `token` / `id_token` → fragment. An explicit `response_mode` overrides.
+*
+* When `response_type` is duplicated (array) or absent, we can't trust the
+* caller's intent, so we default to query — the safer channel for
+* unrecognized shapes.
+*/
+function deriveResponseMode(raw) {
+	const responseMode = typeof raw.response_mode === "string" ? raw.response_mode : void 0;
+	if (responseMode === "fragment") return "fragment";
+	if (responseMode === "query") return "query";
+	const responseType = typeof raw.response_type === "string" ? raw.response_type : void 0;
+	if (responseType && /\b(token|id_token)\b/.test(responseType)) return "fragment";
+	return "query";
+}
 const handleRedirect = (ctx, uri) => {
 	const fromFetch = isBrowserFetchRequest(ctx.request?.headers);
 	const acceptJson = ctx.headers?.get("accept")?.includes("application/json");
@@ -3807,8 +3945,7 @@ function redirectWithPromptNoneError(ctx, opts, query, error, description) {
 function validateIssuerUrl(issuer) {
 	try {
 		const url = new URL(issuer);
-		const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-		if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+		if (url.protocol !== "https:" && !isLoopbackHost(url.host)) url.protocol = "https:";
 		url.search = "";
 		url.hash = "";
 		return url.toString().replace(/\/$/, "");
@@ -3836,6 +3973,64 @@ function getIssuer(ctx, opts) {
 function getErrorURL(ctx, error, description) {
 	return formatErrorURL(ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`, error, description);
 }
+/**
+* Finds the matching entry in a client's registered redirect_uris for a
+* requested redirect_uri. Honors RFC 8252 §7.3 loopback port variance for
+* the full 127.0.0.0/8 range and [::1], matching on scheme+host+path+query
+* and ignoring port. DNS names like "localhost" are excluded per §8.3.
+*/
+function findRegisteredRedirectUri(registered, requested) {
+	if (!registered || !requested) return void 0;
+	let req;
+	try {
+		req = new URL(requested);
+	} catch {}
+	return registered.find((url) => {
+		if (url === requested) return true;
+		if (!req) return false;
+		try {
+			const reg = new URL(url);
+			return isLoopbackIP(reg.hostname) && reg.hostname === req.hostname && reg.pathname === req.pathname && reg.protocol === req.protocol && reg.search === req.search;
+		} catch {
+			return false;
+		}
+	});
+}
+/**
+* Loads the client, verifies it's enabled, and returns the requested
+* redirect_uri when it matches a registered entry. Returns null whenever the
+* RP cannot be safely reached, so callers can fall back to the server error
+* page (avoiding open-redirect risk on validation failures).
+*/
+async function resolveTrustedRedirectUri(ctx, opts, clientId, redirectUri) {
+	if (!clientId || !redirectUri) return null;
+	let client;
+	try {
+		client = await getClient(ctx, opts, clientId);
+	} catch {
+		return null;
+	}
+	if (!client || client.disabled) return null;
+	return findRegisteredRedirectUri(client.redirectUris, redirectUri) ? redirectUri : null;
+}
+/**
+* `redirectOnError` callback for `/oauth2/authorize`. Per RFC 6749 §4.1.2.1,
+* authorize errors MUST be delivered to the client's `redirect_uri` with
+* `error`, `error_description`, `state`, and (RFC 9207) `iss`. The clause
+* carves out one case: a missing/invalid `redirect_uri` or `client_id` MUST
+* NOT redirect to the requested URI. We implement the carve-out via
+* `resolveTrustedRedirectUri`, falling back to the server error page.
+*
+* Channel (query vs fragment) follows OIDC Core §5 via `deriveResponseMode`.
+*/
+function authorizeRedirectOnError(opts) {
+	return async ({ error, error_description, ctx }) => {
+		const raw = ctx.query ?? {};
+		const trusted = await resolveTrustedRedirectUri(ctx, opts, typeof raw.client_id === "string" ? raw.client_id : void 0, typeof raw.redirect_uri === "string" ? raw.redirect_uri : void 0);
+		if (trusted) return handleRedirect(ctx, formatErrorURL(trusted, error, error_description, typeof raw.state === "string" ? raw.state : void 0, getIssuer(ctx, opts), deriveResponseMode(raw)));
+		return handleRedirect(ctx, getErrorURL(ctx, error, error_description));
+	};
+}
 async function authorizeEndpoint(ctx, opts, settings) {
 	if (opts.grantTypes && !opts.grantTypes.includes("authorization_code")) throw new APIError$1("NOT_FOUND");
 	if (!ctx.request) throw new APIError$1("UNAUTHORIZED", {
@@ -3866,15 +4061,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
-	if (!client.redirectUris?.find((url) => {
-		if (url === query.redirect_uri) return true;
-		try {
-			const registered = new URL(url);
-			const requested = new URL(query.redirect_uri);
-			if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
-		} catch {}
-		return false;
-	}) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	if (!findRegisteredRedirectUri(client.redirectUris, query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -3921,7 +4108,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		});
 		if (signupRedirect) {
 			if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "interaction_required", "End-User interaction is required");
-			return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+			return redirectWithPromptCode(ctx, opts, "create", { page: typeof signupRedirect === "string" ? signupRedirect : void 0 });
 		}
 	}
 	if (!settings?.postLogin && opts.postLogin) {
@@ -3935,7 +4122,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			return redirectWithPromptCode(ctx, opts, "post_login");
 		}
 	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session.user,
 		session: session.session,
@@ -3968,7 +4155,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	});
 	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
-		return redirectWithPromptCode(ctx, opts, "consent");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
@@ -4015,8 +4202,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
+async function redirectWithPromptCode(ctx, opts, type, options) {
+	const queryParams = await signParams(ctx, opts, { postLoginClearedForSession: type === "consent" && opts.postLogin ? options?.sessionId : void 0 });
 	let path = opts.loginPage;
 	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
 	else if (type === "post_login") {
@@ -4024,12 +4211,16 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 		path = opts.postLogin?.page;
 	} else if (type === "consent") path = opts.consentPage;
 	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+	return handleRedirect(ctx, `${options?.page ?? path}?${queryParams}`);
 }
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+async function signParams(ctx, opts, flags) {
+	const issuedAt = Date.now();
+	const exp = Math.floor(issuedAt / 1e3) + (opts.codeExpiresIn ?? 600);
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
+	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete(postLoginClearedParam);
+	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
 	return params.toString();