@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/{client-assertion-BYtMWGCE.mjs → client-assertion-DmT1B6_6.mjs}

@@ -1,6 +1,9 @@
-import { i as getClient } from "./utils-_Jr_enAe.mjs";
+import { o as getClient } from "./utils-D2dLqo7f.mjs";
 import { APIError } from "better-call";
-import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
+import { CLIENT_ASSERTION_TYPE, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
@@ -33,34 +36,22 @@ function setJwksCache(uri, jwks, fetchedAt) {
 		if (oldest !== void 0) jwksCache.delete(oldest);
 	}
 }
-const ALGORITHMS_LIST = [...ASSERTION_SIGNING_ALGORITHMS];
-const pendingAssertionIds = /* @__PURE__ */ new Set();
+const ALGORITHMS_LIST = [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS];
 /**
-* Block SSRF: reject jwks_uri pointing at private/reserved IP ranges.
-* Only HTTPS with public hostnames is allowed.
+* SSRF gate for user-supplied server-side fetch targets (`jwks_uri`,
+* `backchannel_logout_uri`): returns true when the host is NOT publicly
+* routable. That covers loopback, RFC 1918 private, link-local (including AWS
+* IMDS `169.254.169.254`), shared-address-space (carrier-grade NAT),
+* IPv4-mapped IPv6, 6to4/NAT64/Teredo tunnels, every other RFC 6890
+* special-purpose range, and cloud-metadata FQDNs.
+*
+* Delegates to the audited single source of truth so this check cannot drift
+* into the kind of encoding bypass that bespoke regexes invite. This is a
+* syntactic check only: it does not resolve DNS, so a public name that
+* resolves to a private address at fetch time is not caught here.
 */
-function isPrivateIpv4(hostname) {
-	const parts = hostname.split(".");
-	if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) return false;
-	const octets = parts.map(Number);
-	const a = octets[0];
-	const b = octets[1];
-	return a === 10 || a === 0 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254 || a === 127;
-}
 function isPrivateHostname(hostname) {
-	const lower = hostname.toLowerCase();
-	const host = lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
-	if (host === "localhost" || host === "::1") return true;
-	if (isPrivateIpv4(host)) return true;
-	if (host.includes(":")) {
-		const v4MappedMatch = host.match(/^(?:0{0,4}:){0,4}:?(?:0{0,4}:)?ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
-		if (v4MappedMatch && isPrivateIpv4(v4MappedMatch[1])) return true;
-		const isLinkLocal = host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb");
-		const isUniqueLocal = host.startsWith("fc") || host.startsWith("fd");
-		if (isLinkLocal || isUniqueLocal) return true;
-	}
-	if (host === "metadata.google.internal") return true;
-	return false;
+	return !isPublicRoutableHost(hostname);
 }
 function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
 	const parsed = new URL(jwksUri);
@@ -160,7 +151,7 @@ async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertion
 			error: "invalid_client"
 		});
 	}
-	if (!header.alg || !ASSERTION_SIGNING_ALGORITHMS.includes(header.alg)) throw new APIError("BAD_REQUEST", {
+	if (!header.alg || !ALGORITHMS_LIST.includes(header.alg)) throw new APIError("BAD_REQUEST", {
 		error_description: `unsupported assertion signing algorithm: ${header.alg}`,
 		error: "invalid_client"
 	});
@@ -244,33 +235,33 @@ async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertion
 		error_description: "client assertion must include jti claim",
 		error: "invalid_client"
 	});
-	const jtiIdentifier = `private_key_jwt:${clientId}:${payload.jti}`;
-	if (pendingAssertionIds.has(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-		error_description: "client assertion jti has already been used",
-		error: "invalid_client"
-	});
-	pendingAssertionIds.add(jtiIdentifier);
+	const jtiDigest = await createHash("SHA-256").digest(new TextEncoder().encode(`private_key_jwt:${clientId}:${payload.jti}`));
+	const jtiId = base64Url.encode(new Uint8Array(jtiDigest).slice(0, 24), { padding: false });
 	try {
-		if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+		await ctx.context.adapter.create({
+			model: "oauthClientAssertion",
+			data: {
+				id: jtiId,
+				expiresAt: /* @__PURE__ */ new Date(payload.exp * 1e3)
+			},
+			forceAllowId: true
+		});
+	} catch (createErr) {
+		let alreadyUsed = false;
+		try {
+			alreadyUsed = Boolean(await ctx.context.adapter.findOne({
+				model: "oauthClientAssertion",
+				where: [{
+					field: "id",
+					value: jtiId
+				}]
+			}));
+		} catch {}
+		if (alreadyUsed) throw new APIError("BAD_REQUEST", {
 			error_description: "client assertion jti has already been used",
 			error: "invalid_client"
 		});
-		const jtiExpiry = /* @__PURE__ */ new Date(payload.exp * 1e3);
-		try {
-			await ctx.context.internalAdapter.createVerificationValue({
-				identifier: jtiIdentifier,
-				value: clientId,
-				expiresAt: jtiExpiry
-			});
-		} catch (createErr) {
-			if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-				error_description: "client assertion jti has already been used",
-				error: "invalid_client"
-			});
-			throw createErr;
-		}
-	} finally {
-		pendingAssertionIds.delete(jtiIdentifier);
+		throw createErr;
 	}
 	return {
 		clientId,

package/dist/client-resource.d.mts

@@ -1,9 +1,16 @@
-import { s as ResourceServerMetadata } from "./oauth-Ds-ejTJY.mjs";
+import { s as ResourceServerMetadata } from "./oauth-BXrYl5x6.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
-import { Auth } from "better-auth/types";
+import { BetterAuthOptions } from "better-auth/types";
 
 //#region src/client-resource.d.ts
-declare const oauthProviderResourceClient: <T extends Auth | undefined>(auth?: T) => {
+type ResourceClientAuth = {
+  options: {
+    baseURL?: BetterAuthOptions["baseURL"];
+    basePath?: BetterAuthOptions["basePath"];
+  };
+  $context: Promise<unknown>;
+};
+declare const oauthProviderResourceClient: <T extends ResourceClientAuth | undefined = undefined>(auth?: T) => {
   id: "oauth-provider-resource-client";
   version: string;
   getActions(): {
@@ -42,8 +49,22 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
-type VerifyAccessTokenOutput<T> = T extends Auth ? (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {
   verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
   scopes?: string[];
@@ -64,12 +85,12 @@ type VerifyAccessTokenNoAuthOpts = {
   remoteVerify: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
-type ProtectedResourceMetadataOutput<T> = T extends Auth ? (overrides?: Partial<ResourceServerMetadata>, opts?: {
+type ProtectedResourceMetadataOutput<T> = T extends undefined ? (overrides: ResourceServerMetadata, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };
   externalScopes?: string[];
-}) => Promise<ResourceServerMetadata> : (overrides: ResourceServerMetadata, opts?: {
+}) => Promise<ResourceServerMetadata> : (overrides?: Partial<ResourceServerMetadata>, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;
   };

package/dist/client-resource.mjs

@@ -1,6 +1,6 @@
 import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-_Jr_enAe.mjs";
-import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
+import { c as getOAuthProviderPlugin, s as getJwtPlugin } from "./utils-D2dLqo7f.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-BxP4Iupj.mjs";
+import { n as oauthProvider } from "./oauth-DU6NeviY.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-Ds-ejTJY.mjs";
-import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-BxP4Iupj.mjs";
+import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-BXrYl5x6.mjs";
+import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-DU6NeviY.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -22,6 +22,7 @@ verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request,
 //#region src/metadata.d.ts
 declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
   scopes_supported?: AuthServerMetadata["scopes_supported"];
+  dynamic_client_registration_supported?: boolean;
   public_client_supported?: boolean;
   grant_types_supported?: GrantType[];
   jwt_disabled?: boolean;
@@ -39,26 +40,28 @@ declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOpti
   issuer: string;
   authorization_endpoint: string;
   token_endpoint: string;
-  registration_endpoint: string;
+  registration_endpoint?: string | undefined;
   scopes_supported?: string[] | undefined;
   response_types_supported: "code"[];
   response_modes_supported: "query"[];
   grant_types_supported: GrantType[];
   token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
-  token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
   service_documentation?: string | undefined;
   ui_locales_supported?: string[] | undefined;
   op_policy_uri?: string | undefined;
   op_tos_uri?: string | undefined;
   revocation_endpoint?: string | undefined;
   revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
   introspection_endpoint?: string | undefined;
   introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
   code_challenge_methods_supported: "S256"[];
   authorization_response_iss_parameter_supported?: boolean | undefined;
   client_id_metadata_document_supported?: boolean | undefined;
+  backchannel_logout_supported?: boolean | undefined;
+  backchannel_logout_session_supported?: boolean | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
 /**