npm - @better-auth/oauth-provider - Versions diffs - 1.7.0-beta.3 → 1.7.0-beta.5 - Mend

@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/{client-assertion-BYtMWGCE.mjs → client-assertion-DmT1B6_6.mjs} +42 -51
package/dist/client-resource.d.mts +27 -6
package/dist/client-resource.mjs +2 -2
package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/index.d.mts +9 -6
package/dist/index.mjs +893 -388
package/dist/{oauth-Ds-ejTJY.d.mts → oauth-BXrYl5x6.d.mts} +129 -7
package/dist/{oauth-BxP4Iupj.d.mts → oauth-DU6NeviY.d.mts} +171 -52
package/dist/{utils-_Jr_enAe.mjs → utils-D2dLqo7f.mjs} +86 -17
package/dist/{version-CG1YnCiF.mjs → version-B1ZiRmxj.mjs} +1 -1
package/package.json +8 -8

package/dist/{oauth-Ds-ejTJY.d.mts → oauth-BXrYl5x6.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { AssertionSigningAlgorithm } from "@better-auth/core/oauth2";
+import { PrivateKeyJwtSigningAlgorithm } from "@better-auth/core/oauth2";
 import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
@@ -100,6 +100,14 @@ declare const schema: {
         type: "string[]";
         required: false;
       };
+      backchannelLogoutUri: {
+        type: "string";
+        required: false;
+      };
+      backchannelLogoutSessionRequired: {
+        type: "boolean";
+        required: false;
+      };
       tokenEndpointAuthMethod: {
         type: "string";
         required: false;
@@ -152,6 +160,7 @@ declare const schema: {
       token: {
         type: "string";
         required: true;
+        unique: true;
       };
       clientId: {
         type: "string";
@@ -185,6 +194,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       expiresAt: {
         type: "date";
       };
@@ -256,6 +269,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       refreshId: {
         type: "string";
         required: false;
@@ -271,6 +288,10 @@ declare const schema: {
       createdAt: {
         type: "date";
       };
+      revoked: {
+        type: "date";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -302,6 +323,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -314,6 +339,27 @@ declare const schema: {
       };
     };
   };
+  /**
+   * Single-use record for `private_key_jwt` client assertion `jti` values. The
+   * row id is a digest of the per-client assertion identifier, so a replayed or
+   * concurrent assertion collides on the primary key and the insert fails
+   * atomically on every adapter (SQL primary key, MongoDB `_id`), including
+   * across multiple server processes.
+   *
+   * A row keeps blocking its id until deleted; `expiresAt` marks when removal
+   * is safe, since the assertion it guards has expired and is rejected earlier.
+   * TODO: no scheduled job prunes expired rows yet; like the verification
+   * table, they accumulate until a deployment-level sweep removes them.
+   */
+  oauthClientAssertion: {
+    modelName: string;
+    fields: {
+      expiresAt: {
+        type: "date";
+        required: true;
+      };
+    };
+  };
 };
 //#endregion
 //#region src/types/helpers.d.ts
@@ -832,8 +878,8 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
   customAccessTokenClaims?: (info: {
     /** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */user?: (User & Record<string, unknown>) | null; /** reference of the consent/authorization */
     referenceId?: string; /** Scopes granted for this token */
-    scopes: Scopes; /** The resource requesting. Provided by the token endpoint. */
-    resource?: string; /** oAuthClient metadata */
+    scopes: Scopes; /** The resources requested. */
+    resources?: string[]; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
   /**
@@ -1191,6 +1237,10 @@ interface OAuthAuthorizationQuery {
    * with the Claim Value being the nonce value sent in the Authentication Request.
    */
   nonce?: string;
+  /**
+   * Resource parameter as specified by [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html)
+   */
+  resource?: string | string[];
 }
 /**
  * Stored within the verification.value field
@@ -1204,6 +1254,7 @@ interface VerificationValue {
   query: OAuthAuthorizationQuery;
   sessionId: string;
   userId: string;
+  resource?: string[];
   referenceId?: string;
   authTime?: number;
 }
@@ -1272,6 +1323,22 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
    * For example, `https://example.com/logout/callback`
    */
   postLogoutRedirectUris?: string[];
+  /**
+   * RP URL that will receive a signed Logout Token when the end-user's OP
+   * session ends. Registering it is the per-client opt-in for back-channel
+   * logout. Must be absolute, without a fragment, and HTTPS for confidential
+   * clients.
+   *
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannelLogoutUri?: string;
+  /**
+   * When true, the RP requires the `sid` claim in every Logout Token.
+   * User-scoped (sid-less) logouts are not dispatched to such a client.
+   *
+   * @default false
+   */
+  backchannelLogoutSessionRequired?: boolean;
   tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grantTypes?: GrantType[];
   responseTypes?: "code"[];
@@ -1363,12 +1430,22 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
   expiresAt: Date;
   /** The creation date of the access token. */
   createdAt: Date;
+  /**
+   * When the access token was revoked. Set by session-end dispatch, the
+   * revoke endpoint, and back-channel logout. Introspection and protected
+   * endpoints MUST treat a revoked token as inactive.
+   */
+  revoked?: Date | null;
   /**
    * Scope granted for the access token.
    *
    * Shall match the refreshId.scopes if refreshId is provided.
    */
   scopes: Scopes;
+  /**
+   * Resources allowed for this access token.
+   */
+  resources?: string[];
 }
 /**
  * Refresh Token Database Schema
@@ -1396,6 +1473,10 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
    * Considered Immutable once granted.
    */
   scopes: Scopes;
+  /**
+   * Resources allowed for this refresh token
+   */
+  resources?: string[];
 }
 /**
  * Consent Database Schema
@@ -1404,6 +1485,7 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
   id: string;
   clientId: string;
   userId: string;
+  resources?: string[];
   referenceId?: string;
   scopes: Scopes;
   createdAt: Date;
@@ -1457,9 +1539,11 @@ interface AuthServerMetadata {
   /**
    * The URL of the dynamic client registration endpoint.
    *
+   * This field is only present when `allowDynamicClientRegistration` is enabled.
+   *
    * @default `/oauth2/register`
    */
-  registration_endpoint: string;
+  registration_endpoint?: string;
   /**
    * Supported scopes.
    */
@@ -1492,7 +1576,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field token_endpoint_auth_methods_supported).
    */
-  token_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  token_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * URL of a page containing human-readable information
    * that developers might want or need to know when using the
@@ -1538,7 +1622,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field revocation_endpoint_auth_methods_supported).
    */
-  revocation_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  revocation_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * URL of the authorization server's OAuth 2.0
    * introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
@@ -1559,7 +1643,7 @@ interface AuthServerMetadata {
    * the "private_key_jwt" and "client_secret_jwt" authentication methods
    * (see field introspection_endpoint_auth_methods_supported).
    */
-  introspection_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  introspection_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * Supported code challenge methods.
    *
@@ -1585,6 +1669,28 @@ interface AuthServerMetadata {
    * it on its own.
    */
   client_id_metadata_document_supported?: boolean;
+  /**
+   * Boolean value specifying whether the OP supports back-channel logout,
+   * with true indicating support.
+   *
+   * Registered in the "OAuth Authorization Server Metadata" IANA registry
+   * under OpenID Connect Back-Channel Logout 1.0, so this may appear at both
+   * `.well-known/oauth-authorization-server` and `.well-known/openid-configuration`.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#OPMetadata
+   */
+  backchannel_logout_supported?: boolean;
+  /**
+   * Boolean value specifying whether the OP can pass a `sid` (session ID)
+   * Claim in the Logout Token to identify the RP session with the OP.
+   *
+   * When true, the OP also includes `sid` in ID Tokens it issues.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#OPMetadata
+   */
+  backchannel_logout_session_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1687,6 +1793,22 @@ interface OAuthClient {
   software_statement?: string;
   redirect_uris: string[];
   post_logout_redirect_uris?: string[];
+  /**
+   * RP URL that the OP POSTs a signed Logout Token to when a session at the OP
+   * ends. The RP uses the token to terminate its own session state for that
+   * user (including any access tokens it has bound to the session).
+   *
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannel_logout_uri?: string;
+  /**
+   * When true, the RP requires the `sid` Claim in every Logout Token it
+   * receives; the OP will not dispatch user-scoped (sid-less) logouts to it.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannel_logout_session_required?: boolean;
   token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grant_types?: GrantType[];
   response_types?: "code"[];