@better-auth/oauth-provider 1.7.0-beta.2 → 1.7.0-beta.4
- package/dist/{client-assertion-CderPEmR.mjs → client-assertion-DLMKVgoj.mjs} +4 -4
- package/dist/client-resource.d.mts +13 -6
- package/dist/client-resource.mjs +2 -2
- package/dist/client.d.mts +1 -1
- package/dist/client.mjs +1 -1
- package/dist/index.d.mts +8 -7
- package/dist/index.mjs +397 -172
- package/dist/{oauth-DJcZ8MMZ.d.mts → oauth-Vt3lTNHX.d.mts} +79 -20
- package/dist/{oauth-CU79t-eG.d.mts → oauth-q7dn10NU.d.mts} +51 -10
- package/dist/{utils-Cx_XnD9i.mjs → utils-DKBWQ8fe.mjs} +69 -26
- package/dist/{version-CZxZ64qJ.mjs → version-nFnRm-a3.mjs} +1 -1
- package/package.json +6 -6
|
@@ -1,8 +1,9 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-q7dn10NU.mjs";
|
|
2
2
|
import * as better_call0 from "better-call";
|
|
3
3
|
import * as z from "zod";
|
|
4
4
|
import * as better_auth_plugins0 from "better-auth/plugins";
|
|
5
5
|
import * as jose from "jose";
|
|
6
|
+
import { GenericEndpointContext } from "@better-auth/core";
|
|
6
7
|
import * as better_auth0 from "better-auth";
|
|
7
8
|
|
|
8
9
|
//#region src/oauth-endpoint.d.ts
|
|
@@ -45,6 +46,8 @@ declare module "@better-auth/core" {
|
|
|
45
46
|
}
|
|
46
47
|
declare const getOAuthProviderState: () => Promise<{
|
|
47
48
|
query?: string;
|
|
49
|
+
signedQueryIssuedAt?: Date;
|
|
50
|
+
postLoginClearedForSession?: string;
|
|
48
51
|
} | null>;
|
|
49
52
|
/**
|
|
50
53
|
* oAuth 2.1 provider plugin for Better Auth.
|
|
@@ -57,6 +60,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
57
60
|
id: "oauth-provider";
|
|
58
61
|
version: string;
|
|
59
62
|
options: NoInfer<O>;
|
|
63
|
+
onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
|
|
64
|
+
response: Response;
|
|
65
|
+
} | {
|
|
66
|
+
request: Request;
|
|
67
|
+
} | void>;
|
|
60
68
|
init: (ctx: better_auth0.AuthContext) => void;
|
|
61
69
|
hooks: {
|
|
62
70
|
before: {
|
|
@@ -95,23 +103,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
95
103
|
issuer: string;
|
|
96
104
|
authorization_endpoint: string;
|
|
97
105
|
token_endpoint: string;
|
|
98
|
-
registration_endpoint
|
|
106
|
+
registration_endpoint?: string | undefined;
|
|
99
107
|
scopes_supported?: string[] | undefined;
|
|
100
108
|
response_types_supported: "code"[];
|
|
101
109
|
response_modes_supported: "query"[];
|
|
102
110
|
grant_types_supported: GrantType[];
|
|
103
111
|
token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
|
|
104
|
-
token_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
112
|
+
token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
105
113
|
service_documentation?: string | undefined;
|
|
106
114
|
ui_locales_supported?: string[] | undefined;
|
|
107
115
|
op_policy_uri?: string | undefined;
|
|
108
116
|
op_tos_uri?: string | undefined;
|
|
109
117
|
revocation_endpoint?: string | undefined;
|
|
110
118
|
revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
|
|
111
|
-
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
119
|
+
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
112
120
|
introspection_endpoint?: string | undefined;
|
|
113
121
|
introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
|
|
114
|
-
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
122
|
+
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
115
123
|
code_challenge_methods_supported: "S256"[];
|
|
116
124
|
authorization_response_iss_parameter_supported?: boolean | undefined;
|
|
117
125
|
client_id_metadata_document_supported?: boolean | undefined;
|
|
@@ -121,23 +129,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
121
129
|
authorization_endpoint: string;
|
|
122
130
|
token_endpoint: string;
|
|
123
131
|
jwks_uri?: string;
|
|
124
|
-
registration_endpoint
|
|
132
|
+
registration_endpoint?: string;
|
|
125
133
|
scopes_supported?: string[];
|
|
126
134
|
response_types_supported: "code"[];
|
|
127
135
|
response_modes_supported: "query"[];
|
|
128
136
|
grant_types_supported: GrantType[];
|
|
129
137
|
token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
|
|
130
|
-
token_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
138
|
+
token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
|
|
131
139
|
service_documentation?: string;
|
|
132
140
|
ui_locales_supported?: string[];
|
|
133
141
|
op_policy_uri?: string;
|
|
134
142
|
op_tos_uri?: string;
|
|
135
143
|
revocation_endpoint?: string;
|
|
136
144
|
revocation_endpoint_auth_methods_supported?: AuthMethod[];
|
|
137
|
-
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
145
|
+
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
|
|
138
146
|
introspection_endpoint?: string;
|
|
139
147
|
introspection_endpoint_auth_methods_supported?: AuthMethod[];
|
|
140
|
-
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
148
|
+
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
|
|
141
149
|
code_challenge_methods_supported: "S256"[];
|
|
142
150
|
authorization_response_iss_parameter_supported?: boolean;
|
|
143
151
|
client_id_metadata_document_supported?: boolean;
|
|
@@ -165,23 +173,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
165
173
|
issuer: string;
|
|
166
174
|
authorization_endpoint: string;
|
|
167
175
|
token_endpoint: string;
|
|
168
|
-
registration_endpoint
|
|
176
|
+
registration_endpoint?: string | undefined;
|
|
169
177
|
scopes_supported?: string[] | undefined;
|
|
170
178
|
response_types_supported: "code"[];
|
|
171
179
|
response_modes_supported: "query"[];
|
|
172
180
|
grant_types_supported: GrantType[];
|
|
173
181
|
token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
|
|
174
|
-
token_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
182
|
+
token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
175
183
|
service_documentation?: string | undefined;
|
|
176
184
|
ui_locales_supported?: string[] | undefined;
|
|
177
185
|
op_policy_uri?: string | undefined;
|
|
178
186
|
op_tos_uri?: string | undefined;
|
|
179
187
|
revocation_endpoint?: string | undefined;
|
|
180
188
|
revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
|
|
181
|
-
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
189
|
+
revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
182
190
|
introspection_endpoint?: string | undefined;
|
|
183
191
|
introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
|
|
184
|
-
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
|
|
192
|
+
introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
|
|
185
193
|
code_challenge_methods_supported: "S256"[];
|
|
186
194
|
authorization_response_iss_parameter_supported?: boolean | undefined;
|
|
187
195
|
client_id_metadata_document_supported?: boolean | undefined;
|
|
@@ -203,6 +211,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
203
211
|
S256: "S256";
|
|
204
212
|
}>>>;
|
|
205
213
|
nonce: z.ZodOptional<z.ZodString>;
|
|
214
|
+
resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
|
|
206
215
|
prompt: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
|
|
207
216
|
none: "none";
|
|
208
217
|
consent: "consent";
|
|
@@ -213,11 +222,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
213
222
|
"select_account consent": "select_account consent";
|
|
214
223
|
}>>>;
|
|
215
224
|
}, z.core.$strip>;
|
|
216
|
-
redirectOnError: OAuthRedirectOnError<
|
|
225
|
+
redirectOnError: OAuthRedirectOnError<GenericEndpointContext>;
|
|
217
226
|
errorCodesByField: {
|
|
218
227
|
response_type: {
|
|
219
228
|
invalid: "unsupported_response_type";
|
|
220
229
|
};
|
|
230
|
+
resource: {
|
|
231
|
+
invalid: "invalid_target";
|
|
232
|
+
};
|
|
221
233
|
};
|
|
222
234
|
metadata: {
|
|
223
235
|
openapi: {
|
|
@@ -229,6 +241,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
229
241
|
schema: {
|
|
230
242
|
type: "string";
|
|
231
243
|
format?: undefined;
|
|
244
|
+
items?: undefined;
|
|
232
245
|
};
|
|
233
246
|
description: string;
|
|
234
247
|
} | {
|
|
@@ -238,6 +251,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
238
251
|
schema: {
|
|
239
252
|
type: "string";
|
|
240
253
|
format?: undefined;
|
|
254
|
+
items?: undefined;
|
|
241
255
|
};
|
|
242
256
|
description: string;
|
|
243
257
|
} | {
|
|
@@ -247,6 +261,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
247
261
|
schema: {
|
|
248
262
|
type: "string";
|
|
249
263
|
format: string;
|
|
264
|
+
items?: undefined;
|
|
265
|
+
};
|
|
266
|
+
description: string;
|
|
267
|
+
} | {
|
|
268
|
+
name: string;
|
|
269
|
+
in: "query";
|
|
270
|
+
required: false;
|
|
271
|
+
schema: {
|
|
272
|
+
type: "array";
|
|
273
|
+
items: {
|
|
274
|
+
type: "string";
|
|
275
|
+
};
|
|
276
|
+
format?: undefined;
|
|
250
277
|
};
|
|
251
278
|
description: string;
|
|
252
279
|
})[];
|
|
@@ -427,7 +454,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
427
454
|
code_verifier: z.ZodOptional<z.ZodString>;
|
|
428
455
|
redirect_uri: z.ZodOptional<z.ZodURL>;
|
|
429
456
|
refresh_token: z.ZodOptional<z.ZodString>;
|
|
430
|
-
resource: z.ZodOptional<z.ZodString
|
|
457
|
+
resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
|
|
431
458
|
scope: z.ZodOptional<z.ZodString>;
|
|
432
459
|
}, z.core.$strip>;
|
|
433
460
|
errorCodesByField: {
|
|
@@ -435,6 +462,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
435
462
|
missing: "invalid_request";
|
|
436
463
|
invalid: "unsupported_grant_type";
|
|
437
464
|
};
|
|
465
|
+
resource: {
|
|
466
|
+
invalid: "invalid_target";
|
|
467
|
+
};
|
|
438
468
|
};
|
|
439
469
|
metadata: {
|
|
440
470
|
allowedMediaTypes: string[];
|
|
@@ -478,7 +508,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
478
508
|
description: string;
|
|
479
509
|
};
|
|
480
510
|
resource: {
|
|
481
|
-
|
|
511
|
+
oneOf: ({
|
|
512
|
+
type: string;
|
|
513
|
+
description: string;
|
|
514
|
+
items?: undefined;
|
|
515
|
+
} | {
|
|
516
|
+
type: string;
|
|
517
|
+
items: {
|
|
518
|
+
type: string;
|
|
519
|
+
};
|
|
520
|
+
description: string;
|
|
521
|
+
})[];
|
|
482
522
|
description: string;
|
|
483
523
|
};
|
|
484
524
|
scope: {
|
|
@@ -601,10 +641,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
601
641
|
type: string;
|
|
602
642
|
description: string;
|
|
603
643
|
};
|
|
604
|
-
resource: {
|
|
605
|
-
type: string;
|
|
606
|
-
description: string;
|
|
607
|
-
};
|
|
608
644
|
};
|
|
609
645
|
required: string[];
|
|
610
646
|
};
|
|
@@ -1967,6 +2003,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
1967
2003
|
model: string;
|
|
1968
2004
|
field: string;
|
|
1969
2005
|
};
|
|
2006
|
+
index: true;
|
|
1970
2007
|
};
|
|
1971
2008
|
createdAt: {
|
|
1972
2009
|
type: "date";
|
|
@@ -2067,6 +2104,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2067
2104
|
token: {
|
|
2068
2105
|
type: "string";
|
|
2069
2106
|
required: true;
|
|
2107
|
+
unique: true;
|
|
2070
2108
|
};
|
|
2071
2109
|
clientId: {
|
|
2072
2110
|
type: "string";
|
|
@@ -2075,6 +2113,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2075
2113
|
model: string;
|
|
2076
2114
|
field: string;
|
|
2077
2115
|
};
|
|
2116
|
+
index: true;
|
|
2078
2117
|
};
|
|
2079
2118
|
sessionId: {
|
|
2080
2119
|
type: "string";
|
|
@@ -2084,6 +2123,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2084
2123
|
field: string;
|
|
2085
2124
|
onDelete: "set null";
|
|
2086
2125
|
};
|
|
2126
|
+
index: true;
|
|
2087
2127
|
};
|
|
2088
2128
|
userId: {
|
|
2089
2129
|
type: "string";
|
|
@@ -2092,11 +2132,16 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2092
2132
|
model: string;
|
|
2093
2133
|
field: string;
|
|
2094
2134
|
};
|
|
2135
|
+
index: true;
|
|
2095
2136
|
};
|
|
2096
2137
|
referenceId: {
|
|
2097
2138
|
type: "string";
|
|
2098
2139
|
required: false;
|
|
2099
2140
|
};
|
|
2141
|
+
resources: {
|
|
2142
|
+
type: "string[]";
|
|
2143
|
+
required: false;
|
|
2144
|
+
};
|
|
2100
2145
|
expiresAt: {
|
|
2101
2146
|
type: "date";
|
|
2102
2147
|
};
|
|
@@ -2131,6 +2176,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2131
2176
|
model: string;
|
|
2132
2177
|
field: string;
|
|
2133
2178
|
};
|
|
2179
|
+
index: true;
|
|
2134
2180
|
};
|
|
2135
2181
|
sessionId: {
|
|
2136
2182
|
type: "string";
|
|
@@ -2140,6 +2186,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2140
2186
|
field: string;
|
|
2141
2187
|
onDelete: "set null";
|
|
2142
2188
|
};
|
|
2189
|
+
index: true;
|
|
2143
2190
|
};
|
|
2144
2191
|
userId: {
|
|
2145
2192
|
type: "string";
|
|
@@ -2148,11 +2195,16 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2148
2195
|
model: string;
|
|
2149
2196
|
field: string;
|
|
2150
2197
|
};
|
|
2198
|
+
index: true;
|
|
2151
2199
|
};
|
|
2152
2200
|
referenceId: {
|
|
2153
2201
|
type: "string";
|
|
2154
2202
|
required: false;
|
|
2155
2203
|
};
|
|
2204
|
+
resources: {
|
|
2205
|
+
type: "string[]";
|
|
2206
|
+
required: false;
|
|
2207
|
+
};
|
|
2156
2208
|
refreshId: {
|
|
2157
2209
|
type: "string";
|
|
2158
2210
|
required: false;
|
|
@@ -2160,6 +2212,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2160
2212
|
model: string;
|
|
2161
2213
|
field: string;
|
|
2162
2214
|
};
|
|
2215
|
+
index: true;
|
|
2163
2216
|
};
|
|
2164
2217
|
expiresAt: {
|
|
2165
2218
|
type: "date";
|
|
@@ -2183,6 +2236,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2183
2236
|
model: string;
|
|
2184
2237
|
field: string;
|
|
2185
2238
|
};
|
|
2239
|
+
index: true;
|
|
2186
2240
|
};
|
|
2187
2241
|
userId: {
|
|
2188
2242
|
type: "string";
|
|
@@ -2191,11 +2245,16 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
|
|
|
2191
2245
|
model: string;
|
|
2192
2246
|
field: string;
|
|
2193
2247
|
};
|
|
2248
|
+
index: true;
|
|
2194
2249
|
};
|
|
2195
2250
|
referenceId: {
|
|
2196
2251
|
type: "string";
|
|
2197
2252
|
required: false;
|
|
2198
2253
|
};
|
|
2254
|
+
resources: {
|
|
2255
|
+
type: "string[]";
|
|
2256
|
+
required: false;
|
|
2257
|
+
};
|
|
2199
2258
|
scopes: {
|
|
2200
2259
|
type: "string[]";
|
|
2201
2260
|
required: true;
|
|
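Review bot: The new `resource` parameter is declared as `z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>` on both the authorization query schema (new line 214) and the token body schema (new line 457), so at the schema level any string is accepted, whereas `redirect_uri` in the same token schema is `z.ZodURL`. RFC 8707 requires each resource indicator to be an absolute URI with no fragment, and the value is persisted in the new `resources` columns and presumably determines the audience of issued tokens. This file is a generated declaration bundle and the handler code is not visible here, so the check may already be done at runtime. If it is not, the source schema should reject non-URI and fragment-bearing values with the `invalid_target` code that `errorCodesByField` already maps.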
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { PrivateKeyJwtSigningAlgorithm } from "@better-auth/core/oauth2";
|
|
2
2
|
import { JWSAlgorithms } from "better-auth/plugins";
|
|
3
3
|
import { JWTPayload } from "jose";
|
|
4
4
|
import { InferOptionSchema, Session, User } from "better-auth/types";
|
|
@@ -46,6 +46,7 @@ declare const schema: {
|
|
|
46
46
|
model: string;
|
|
47
47
|
field: string;
|
|
48
48
|
};
|
|
49
|
+
index: true;
|
|
49
50
|
};
|
|
50
51
|
createdAt: {
|
|
51
52
|
type: "date";
|
|
@@ -151,6 +152,7 @@ declare const schema: {
|
|
|
151
152
|
token: {
|
|
152
153
|
type: "string";
|
|
153
154
|
required: true;
|
|
155
|
+
unique: true;
|
|
154
156
|
};
|
|
155
157
|
clientId: {
|
|
156
158
|
type: "string";
|
|
@@ -159,6 +161,7 @@ declare const schema: {
|
|
|
159
161
|
model: string;
|
|
160
162
|
field: string;
|
|
161
163
|
};
|
|
164
|
+
index: true;
|
|
162
165
|
};
|
|
163
166
|
sessionId: {
|
|
164
167
|
type: "string";
|
|
@@ -168,6 +171,7 @@ declare const schema: {
|
|
|
168
171
|
field: string;
|
|
169
172
|
onDelete: "set null";
|
|
170
173
|
};
|
|
174
|
+
index: true;
|
|
171
175
|
};
|
|
172
176
|
userId: {
|
|
173
177
|
type: "string";
|
|
@@ -176,11 +180,16 @@ declare const schema: {
|
|
|
176
180
|
model: string;
|
|
177
181
|
field: string;
|
|
178
182
|
};
|
|
183
|
+
index: true;
|
|
179
184
|
};
|
|
180
185
|
referenceId: {
|
|
181
186
|
type: "string";
|
|
182
187
|
required: false;
|
|
183
188
|
};
|
|
189
|
+
resources: {
|
|
190
|
+
type: "string[]";
|
|
191
|
+
required: false;
|
|
192
|
+
};
|
|
184
193
|
expiresAt: {
|
|
185
194
|
type: "date";
|
|
186
195
|
};
|
|
@@ -227,6 +236,7 @@ declare const schema: {
|
|
|
227
236
|
model: string;
|
|
228
237
|
field: string;
|
|
229
238
|
};
|
|
239
|
+
index: true;
|
|
230
240
|
};
|
|
231
241
|
sessionId: {
|
|
232
242
|
type: "string";
|
|
@@ -236,6 +246,7 @@ declare const schema: {
|
|
|
236
246
|
field: string;
|
|
237
247
|
onDelete: "set null";
|
|
238
248
|
};
|
|
249
|
+
index: true;
|
|
239
250
|
};
|
|
240
251
|
userId: {
|
|
241
252
|
type: "string";
|
|
@@ -244,11 +255,16 @@ declare const schema: {
|
|
|
244
255
|
model: string;
|
|
245
256
|
field: string;
|
|
246
257
|
};
|
|
258
|
+
index: true;
|
|
247
259
|
};
|
|
248
260
|
referenceId: {
|
|
249
261
|
type: "string";
|
|
250
262
|
required: false;
|
|
251
263
|
};
|
|
264
|
+
resources: {
|
|
265
|
+
type: "string[]";
|
|
266
|
+
required: false;
|
|
267
|
+
};
|
|
252
268
|
refreshId: {
|
|
253
269
|
type: "string";
|
|
254
270
|
required: false;
|
|
@@ -256,6 +272,7 @@ declare const schema: {
|
|
|
256
272
|
model: string;
|
|
257
273
|
field: string;
|
|
258
274
|
};
|
|
275
|
+
index: true;
|
|
259
276
|
};
|
|
260
277
|
expiresAt: {
|
|
261
278
|
type: "date";
|
|
@@ -279,6 +296,7 @@ declare const schema: {
|
|
|
279
296
|
model: string;
|
|
280
297
|
field: string;
|
|
281
298
|
};
|
|
299
|
+
index: true;
|
|
282
300
|
};
|
|
283
301
|
userId: {
|
|
284
302
|
type: "string";
|
|
@@ -287,11 +305,16 @@ declare const schema: {
|
|
|
287
305
|
model: string;
|
|
288
306
|
field: string;
|
|
289
307
|
};
|
|
308
|
+
index: true;
|
|
290
309
|
};
|
|
291
310
|
referenceId: {
|
|
292
311
|
type: "string";
|
|
293
312
|
required: false;
|
|
294
313
|
};
|
|
314
|
+
resources: {
|
|
315
|
+
type: "string[]";
|
|
316
|
+
required: false;
|
|
317
|
+
};
|
|
295
318
|
scopes: {
|
|
296
319
|
type: "string[]";
|
|
297
320
|
required: true;
|
|
@@ -822,8 +845,8 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
|
|
|
822
845
|
customAccessTokenClaims?: (info: {
|
|
823
846
|
/** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */user?: (User & Record<string, unknown>) | null; /** reference of the consent/authorization */
|
|
824
847
|
referenceId?: string; /** Scopes granted for this token */
|
|
825
|
-
scopes: Scopes; /** The
|
|
826
|
-
|
|
848
|
+
scopes: Scopes; /** The resources requested. */
|
|
849
|
+
resources?: string[]; /** oAuthClient metadata */
|
|
827
850
|
metadata?: Record<string, any>;
|
|
828
851
|
}) => Awaitable<Record<string, any>>;
|
|
829
852
|
/**
|
|
@@ -1096,10 +1119,12 @@ interface OAuthAuthorizationQuery {
|
|
|
1096
1119
|
* Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the
|
|
1097
1120
|
* value of this parameter with a browser cookie.
|
|
1098
1121
|
*
|
|
1122
|
+
* Recommended for clients, but optional for the authorization server.
|
|
1123
|
+
*
|
|
1099
1124
|
* Note: Better Auth stores the state in a database instead of a cookie. - This is to minimize
|
|
1100
1125
|
* the complication with native apps and other clients that may not have access to cookies.
|
|
1101
1126
|
*/
|
|
1102
|
-
state
|
|
1127
|
+
state?: string;
|
|
1103
1128
|
/**
|
|
1104
1129
|
* The client ID. Must be the ID of a registered client.
|
|
1105
1130
|
*/
|
|
@@ -1179,6 +1204,10 @@ interface OAuthAuthorizationQuery {
|
|
|
1179
1204
|
* with the Claim Value being the nonce value sent in the Authentication Request.
|
|
1180
1205
|
*/
|
|
1181
1206
|
nonce?: string;
|
|
1207
|
+
/**
|
|
1208
|
+
* Resource parameter as specified by [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html)
|
|
1209
|
+
*/
|
|
1210
|
+
resource?: string | string[];
|
|
1182
1211
|
}
|
|
1183
1212
|
/**
|
|
1184
1213
|
* Stored within the verification.value field
|
|
@@ -1192,6 +1221,7 @@ interface VerificationValue {
|
|
|
1192
1221
|
query: OAuthAuthorizationQuery;
|
|
1193
1222
|
sessionId: string;
|
|
1194
1223
|
userId: string;
|
|
1224
|
+
resource?: string[];
|
|
1195
1225
|
referenceId?: string;
|
|
1196
1226
|
authTime?: number;
|
|
1197
1227
|
}
|
|
@@ -1357,13 +1387,17 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
|
|
|
1357
1387
|
* Shall match the refreshId.scopes if refreshId is provided.
|
|
1358
1388
|
*/
|
|
1359
1389
|
scopes: Scopes;
|
|
1390
|
+
/**
|
|
1391
|
+
* Resources allowed for this access token.
|
|
1392
|
+
*/
|
|
1393
|
+
resources?: string[];
|
|
1360
1394
|
}
|
|
1361
1395
|
/**
|
|
1362
1396
|
* Refresh Token Database Schema
|
|
1363
1397
|
*/
|
|
1364
1398
|
interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
|
|
1365
1399
|
token: string;
|
|
1366
|
-
sessionId
|
|
1400
|
+
sessionId?: string;
|
|
1367
1401
|
userId: string;
|
|
1368
1402
|
referenceId?: string;
|
|
1369
1403
|
clientId?: string;
|
|
@@ -1384,6 +1418,10 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
|
|
|
1384
1418
|
* Considered Immutable once granted.
|
|
1385
1419
|
*/
|
|
1386
1420
|
scopes: Scopes;
|
|
1421
|
+
/**
|
|
1422
|
+
* Resources allowed for this refresh token
|
|
1423
|
+
*/
|
|
1424
|
+
resources?: string[];
|
|
1387
1425
|
}
|
|
1388
1426
|
/**
|
|
1389
1427
|
* Consent Database Schema
|
|
@@ -1392,6 +1430,7 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
|
|
|
1392
1430
|
id: string;
|
|
1393
1431
|
clientId: string;
|
|
1394
1432
|
userId: string;
|
|
1433
|
+
resources?: string[];
|
|
1395
1434
|
referenceId?: string;
|
|
1396
1435
|
scopes: Scopes;
|
|
1397
1436
|
createdAt: Date;
|
|
@@ -1445,9 +1484,11 @@ interface AuthServerMetadata {
|
|
|
1445
1484
|
/**
|
|
1446
1485
|
* The URL of the dynamic client registration endpoint.
|
|
1447
1486
|
*
|
|
1487
|
+
* This field is only present when `allowDynamicClientRegistration` is enabled.
|
|
1488
|
+
*
|
|
1448
1489
|
* @default `/oauth2/register`
|
|
1449
1490
|
*/
|
|
1450
|
-
registration_endpoint
|
|
1491
|
+
registration_endpoint?: string;
|
|
1451
1492
|
/**
|
|
1452
1493
|
* Supported scopes.
|
|
1453
1494
|
*/
|
|
@@ -1480,7 +1521,7 @@ interface AuthServerMetadata {
|
|
|
1480
1521
|
* token endpoint for the "private_key_jwt" and "client_secret_jwt"
|
|
1481
1522
|
* authentication methods (see field token_endpoint_auth_methods_supported).
|
|
1482
1523
|
*/
|
|
1483
|
-
token_endpoint_auth_signing_alg_values_supported?:
|
|
1524
|
+
token_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
|
|
1484
1525
|
/**
|
|
1485
1526
|
* URL of a page containing human-readable information
|
|
1486
1527
|
* that developers might want or need to know when using the
|
|
@@ -1526,7 +1567,7 @@ interface AuthServerMetadata {
|
|
|
1526
1567
|
* token endpoint for the "private_key_jwt" and "client_secret_jwt"
|
|
1527
1568
|
* authentication methods (see field revocation_endpoint_auth_methods_supported).
|
|
1528
1569
|
*/
|
|
1529
|
-
revocation_endpoint_auth_signing_alg_values_supported?:
|
|
1570
|
+
revocation_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
|
|
1530
1571
|
/**
|
|
1531
1572
|
* URL of the authorization server's OAuth 2.0
|
|
1532
1573
|
* introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
|
|
@@ -1547,7 +1588,7 @@ interface AuthServerMetadata {
|
|
|
1547
1588
|
* the "private_key_jwt" and "client_secret_jwt" authentication methods
|
|
1548
1589
|
* (see field introspection_endpoint_auth_methods_supported).
|
|
1549
1590
|
*/
|
|
1550
|
-
introspection_endpoint_auth_signing_alg_values_supported?:
|
|
1591
|
+
introspection_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
|
|
1551
1592
|
/**
|
|
1552
1593
|
* Supported code challenge methods.
|
|
1553
1594
|
*
|
|
@@ -1739,4 +1780,4 @@ interface ResourceServerMetadata {
|
|
|
1739
1780
|
dpop_bound_access_tokens_required?: boolean;
|
|
1740
1781
|
}
|
|
1741
1782
|
//#endregion
|
|
1742
|
-
export {
|
|
1783
|
+
export { SchemaClient as _, OAuthClient as a, VerificationValue as b, TokenEndpointAuthMethod as c, OAuthAuthorizationQuery as d, OAuthConsent as f, Prompt as g, OAuthRefreshToken as h, GrantType as i, AuthorizePrompt as l, OAuthOptions as m, AuthServerMetadata as n, OIDCMetadata as o, OAuthOpaqueAccessToken as p, BearerMethodsSupported as r, ResourceServerMetadata as s, AuthMethod as t, ClientDiscovery as u, Scope as v, Awaitable as x, StoreTokenType as y };
|
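Review bot: `state` becomes optional in `OAuthAuthorizationQuery` (new line 1127), but the comment above it still explains CSRF mitigation only as binding `state`, and the added sentence does not say what protects a flow that omits it. The only PKCE signal on this page is `code_challenge_methods_supported: "S256"[]` in the metadata types; whether a code challenge is enforced for every client cannot be seen from a declaration file. I would extend the doc comment with a line such as `* When omitted, the client must rely on PKCE (code_challenge) to protect its redirect against CSRF.` and state next to it whether the server rejects requests that carry neither. The interface body continues outside the hunk.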