@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.5
- package/dist/{client-assertion-BYtMWGCE.mjs → client-assertion-DmT1B6_6.mjs} +42 -51
- package/dist/client-resource.d.mts +27 -6
- package/dist/client-resource.mjs +2 -2
- package/dist/client.d.mts +1 -1
- package/dist/client.mjs +1 -1
- package/dist/index.d.mts +9 -6
- package/dist/index.mjs +893 -388
- package/dist/{oauth-Ds-ejTJY.d.mts → oauth-BXrYl5x6.d.mts} +129 -7
- package/dist/{oauth-BxP4Iupj.d.mts → oauth-DU6NeviY.d.mts} +171 -52
- package/dist/{utils-_Jr_enAe.mjs → utils-D2dLqo7f.mjs} +86 -17
- package/dist/{version-CG1YnCiF.mjs → version-B1ZiRmxj.mjs} +1 -1
- package/package.json +8 -8
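--- a/package/dist/oauth-BxP4Iupj.d.mts
+++ b/package/dist/oauth-DU6NeviY.d.mts
@@ -1,8 +1,9 @@
-import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-
+import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-BXrYl5x6.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as jose from "jose";
+import { GenericEndpointContext } from "@better-auth/core";
 import * as better_auth0 from "better-auth";
 
 //#region src/oauth-endpoint.d.ts
@@ -33,7 +34,13 @@ interface OAuthEndpointRedirectContext<Ctx = unknown> {
 error_description: string;
 ctx: Ctx;
 }
-type OAuthRedirectOnError<Ctx =
+type OAuthRedirectOnError<Ctx = unknown, Result = unknown> = (result: OAuthEndpointRedirectContext<Ctx>) => Result | Promise<Result>;
+//#endregion
+//#region src/authorize.d.ts
+type OAuthRedirectResult = {
+redirect: true;
+url: string;
+};
 //#endregion
 //#region src/oauth.d.ts
 declare module "@better-auth/core" {
@@ -59,7 +66,31 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 id: "oauth-provider";
 version: string;
 options: NoInfer<O>;
-
+onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
+response: Response;
+} | {
+request: Request;
+} | void>;
+init: (ctx: better_auth0.AuthContext) => {
+options: {
+databaseHooks: {
+session: {
+delete: {
+before(session: {
+id: string;
+createdAt: Date;
+updatedAt: Date;
+userId: string;
+expiresAt: Date;
+token: string;
+ipAddress?: string | null | undefined;
+userAgent?: string | null | undefined;
+} & Record<string, unknown>, hookCtx: GenericEndpointContext | null): Promise<void>;
+};
+};
+};
+};
+};
 hooks: {
 before: {
 matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -67,10 +98,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 }[];
 after: {
 matcher(ctx: better_auth0.HookEndpointContext): boolean;
-handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<
-redirect: boolean;
-url: string;
-} | undefined>;
+handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<OAuthRedirectResult | undefined>;
 }[];
 };
 endpoints: {
@@ -97,52 +125,56 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 issuer: string;
 authorization_endpoint: string;
 token_endpoint: string;
-registration_endpoint
+registration_endpoint?: string | undefined;
 scopes_supported?: string[] | undefined;
 response_types_supported: "code"[];
 response_modes_supported: "query"[];
 grant_types_supported: GrantType[];
 token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
-token_endpoint_auth_signing_alg_values_supported?: better_auth0.
+token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 service_documentation?: string | undefined;
 ui_locales_supported?: string[] | undefined;
 op_policy_uri?: string | undefined;
 op_tos_uri?: string | undefined;
 revocation_endpoint?: string | undefined;
 revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
+revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 introspection_endpoint?: string | undefined;
 introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
+introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 code_challenge_methods_supported: "S256"[];
 authorization_response_iss_parameter_supported?: boolean | undefined;
 client_id_metadata_document_supported?: boolean | undefined;
+backchannel_logout_supported?: boolean | undefined;
+backchannel_logout_session_supported?: boolean | undefined;
 id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
 } | {
 issuer: string;
 authorization_endpoint: string;
 token_endpoint: string;
 jwks_uri?: string;
-registration_endpoint
+registration_endpoint?: string;
 scopes_supported?: string[];
 response_types_supported: "code"[];
 response_modes_supported: "query"[];
 grant_types_supported: GrantType[];
 token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
-token_endpoint_auth_signing_alg_values_supported?: better_auth0.
+token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
 service_documentation?: string;
 ui_locales_supported?: string[];
 op_policy_uri?: string;
 op_tos_uri?: string;
 revocation_endpoint?: string;
 revocation_endpoint_auth_methods_supported?: AuthMethod[];
-revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
+revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
 introspection_endpoint?: string;
 introspection_endpoint_auth_methods_supported?: AuthMethod[];
-introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
+introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
 code_challenge_methods_supported: "S256"[];
 authorization_response_iss_parameter_supported?: boolean;
 client_id_metadata_document_supported?: boolean;
+backchannel_logout_supported?: boolean;
+backchannel_logout_session_supported?: boolean;
 }>;
 /**
 * A server-only endpoint that helps provide the
@@ -167,26 +199,28 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 issuer: string;
 authorization_endpoint: string;
 token_endpoint: string;
-registration_endpoint
+registration_endpoint?: string | undefined;
 scopes_supported?: string[] | undefined;
 response_types_supported: "code"[];
 response_modes_supported: "query"[];
 grant_types_supported: GrantType[];
 token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
-token_endpoint_auth_signing_alg_values_supported?: better_auth0.
+token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 service_documentation?: string | undefined;
 ui_locales_supported?: string[] | undefined;
 op_policy_uri?: string | undefined;
 op_tos_uri?: string | undefined;
 revocation_endpoint?: string | undefined;
 revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.
+revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 introspection_endpoint?: string | undefined;
 introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.
+introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
 code_challenge_methods_supported: "S256"[];
 authorization_response_iss_parameter_supported?: boolean | undefined;
 client_id_metadata_document_supported?: boolean | undefined;
+backchannel_logout_supported?: boolean | undefined;
+backchannel_logout_session_supported?: boolean | undefined;
 id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
 }>;
 oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -195,31 +229,33 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 response_type: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
 code: "code";
 }>>>;
-
+request_uri: z.ZodOptional<z.ZodString>;
 redirect_uri: z.ZodOptional<z.ZodURL>;
 scope: z.ZodOptional<z.ZodString>;
 state: z.ZodOptional<z.ZodString>;
-
+client_id: z.ZodString;
+prompt: z.ZodOptional<z.ZodString>;
+display: z.ZodOptional<z.ZodString>;
+ui_locales: z.ZodOptional<z.ZodString>;
+max_age: z.ZodOptional<z.ZodPipe<z.ZodUnion<readonly [z.ZodNumber, z.ZodString]>, z.ZodTransform<number, string | number>>>;
+acr_values: z.ZodOptional<z.ZodString>;
+login_hint: z.ZodOptional<z.ZodString>;
+id_token_hint: z.ZodOptional<z.ZodString>;
 code_challenge: z.ZodOptional<z.ZodString>;
 code_challenge_method: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
 S256: "S256";
 }>>>;
 nonce: z.ZodOptional<z.ZodString>;
-
-
-
-login: "login";
-create: "create";
-select_account: "select_account";
-"login consent": "login consent";
-"select_account consent": "select_account consent";
-}>>>;
-}, z.core.$strip>;
-redirectOnError: OAuthRedirectOnError<better_auth0.GenericEndpointContext>;
+resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
+}, z.core.$loose>;
+redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
 errorCodesByField: {
 response_type: {
 invalid: "unsupported_response_type";
 };
+resource: {
+invalid: "invalid_target";
+};
 };
 metadata: {
 openapi: {
@@ -231,6 +267,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 schema: {
 type: "string";
 format?: undefined;
+minimum?: undefined;
+items?: undefined;
 };
 description: string;
 } | {
@@ -240,6 +278,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 schema: {
 type: "string";
 format?: undefined;
+minimum?: undefined;
+items?: undefined;
 };
 description: string;
 } | {
@@ -249,6 +289,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 schema: {
 type: "string";
 format: string;
+minimum?: undefined;
+items?: undefined;
+};
+description: string;
+} | {
+name: string;
+in: "query";
+required: false;
+schema: {
+type: "integer";
+minimum: number;
+format?: undefined;
+items?: undefined;
+};
+description: string;
+} | {
+name: string;
+in: "query";
+required: false;
+schema: {
+type: "array";
+items: {
+type: "string";
+};
+format?: undefined;
+minimum?: undefined;
 };
 description: string;
 })[];
@@ -290,10 +356,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 };
 };
-},
-redirect: boolean;
-url: string;
-}>;
+}, OAuthRedirectResult>;
 oauth2Consent: better_call0.StrictEndpoint<"/oauth2/consent", {
 method: "POST";
 body: z.ZodObject<{
@@ -349,7 +412,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 };
 };
-}, {
+}, OAuthRedirectResult | {
 redirect: boolean;
 url: string;
 }>;
@@ -409,10 +472,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 };
 };
-},
-redirect: boolean;
-url: string;
-}>;
+}, OAuthRedirectResult>;
 oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
 method: "POST";
 body: z.ZodObject<{
@@ -429,7 +489,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 code_verifier: z.ZodOptional<z.ZodString>;
 redirect_uri: z.ZodOptional<z.ZodURL>;
 refresh_token: z.ZodOptional<z.ZodString>;
-resource: z.ZodOptional<z.ZodString
+resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
 scope: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 errorCodesByField: {
@@ -437,6 +497,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 missing: "invalid_request";
 invalid: "unsupported_grant_type";
 };
+resource: {
+invalid: "invalid_target";
+};
 };
 metadata: {
 allowedMediaTypes: string[];
@@ -480,7 +543,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 description: string;
 };
 resource: {
-
+oneOf: ({
+type: string;
+description: string;
+items?: undefined;
+} | {
+type: string;
+items: {
+type: string;
+};
+description: string;
+})[];
 description: string;
 };
 scope: {
@@ -603,10 +676,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 type: string;
 description: string;
 };
-resource: {
-type: string;
-description: string;
-};
 };
 required: string[];
 };
@@ -783,7 +852,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 }, null | undefined>;
 oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
-method: "GET";
+method: ("GET" | "POST")[];
 metadata: {
 openapi: {
 description: string;
@@ -939,10 +1008,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 };
 };
-},
-redirect: boolean;
-url: string;
-} | undefined>;
+}, OAuthRedirectResult | undefined>;
 registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
 method: "POST";
 body: z.ZodObject<{
@@ -958,6 +1024,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 software_version: z.ZodOptional<z.ZodString>;
 software_statement: z.ZodOptional<z.ZodString>;
 post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
 token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
 none: "none";
 client_secret_basic: "client_secret_basic";
@@ -1083,6 +1151,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 description: string;
 };
+backchannel_logout_uri: {
+type: string;
+format: string;
+description: string;
+};
+backchannel_logout_session_required: {
+type: string;
+description: string;
+};
 token_endpoint_auth_method: {
 type: string;
 description: string;
@@ -1142,6 +1219,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 software_version: z.ZodOptional<z.ZodString>;
 software_statement: z.ZodOptional<z.ZodString>;
 post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
 token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
 none: "none";
 client_secret_basic: "client_secret_basic";
@@ -1351,6 +1430,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 software_version: z.ZodOptional<z.ZodString>;
 software_statement: z.ZodOptional<z.ZodString>;
 post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
 token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
 none: "none";
 client_secret_basic: "client_secret_basic";
@@ -1636,6 +1717,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 software_version: z.ZodOptional<z.ZodString>;
 software_statement: z.ZodOptional<z.ZodString>;
 post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
 grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
 authorization_code: "authorization_code";
 client_credentials: "client_credentials";
@@ -1702,6 +1785,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 software_version: z.ZodOptional<z.ZodString>;
 software_statement: z.ZodOptional<z.ZodString>;
 post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
 grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
 authorization_code: "authorization_code";
 client_credentials: "client_credentials";
@@ -2023,6 +2108,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 type: "string[]";
 required: false;
 };
+backchannelLogoutUri: {
+type: "string";
+required: false;
+};
+backchannelLogoutSessionRequired: {
+type: "boolean";
+required: false;
+};
 tokenEndpointAuthMethod: {
 type: "string";
 required: false;
@@ -2070,6 +2163,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 token: {
 type: "string";
 required: true;
+unique: true;
 };
 clientId: {
 type: "string";
@@ -2103,6 +2197,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 type: "string";
 required: false;
 };
+resources: {
+type: "string[]";
+required: false;
+};
 expiresAt: {
 type: "date";
 };
@@ -2162,6 +2260,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 type: "string";
 required: false;
 };
+resources: {
+type: "string[]";
+required: false;
+};
 refreshId: {
 type: "string";
 required: false;
@@ -2177,6 +2279,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 createdAt: {
 type: "date";
 };
+revoked: {
+type: "date";
+required: false;
+};
 scopes: {
 type: "string[]";
 required: true;
@@ -2208,6 +2314,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 type: "string";
 required: false;
 };
+resources: {
+type: "string[]";
+required: false;
+};
 scopes: {
 type: "string[]";
 required: true;
@@ -2220,6 +2330,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
 };
 };
 };
+oauthClientAssertion: {
+modelName: string;
+fields: {
+expiresAt: {
+type: "date";
+required: true;
+};
+};
+};
 };
 rateLimit: ({
 pathMatcher: (path: string) => path is "/oauth2/token";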
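--- a/package/dist/utils-_Jr_enAe.mjs
+++ b/package/dist/utils-D2dLqo7f.mjs
@@ -1,7 +1,8 @@
 import { APIError } from "better-call";
+import { decodeBasicCredentials } from "@better-auth/core/oauth2";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { BetterAuthError } from "@better-auth/core/error";
-import {
+import { base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
 //#region src/utils/index.ts
 var TTLCache = class {
@@ -74,6 +75,47 @@ function resolveSessionAuthTime(value) {
 if (!nested || typeof nested !== "object") return;
 return normalizeTimestampValue(nested.createdAt) ?? normalizeTimestampValue(nested.created_at);
 }
+/**
+* Normalizes OAuth resource values into a non-empty string array.
+*/
+function toResourceList(value) {
+if (typeof value === "string") return [value];
+if (!value?.length) return void 0;
+return value;
+}
+/**
+* Normalizes audience values for JWT claims.
+*/
+function toAudienceClaim(audience) {
+if (typeof audience === "string") return audience;
+if (!audience?.length) return void 0;
+return audience.length === 1 ? audience.at(0) : audience;
+}
+/**
+* Checks the resource parameter, if provided,
+* and returns either a valid audience or a tagged validation error.
+*/
+async function checkResource(ctx, opts, resource, scopes) {
+const normalizedResource = toResourceList(resource);
+const audience = normalizedResource ? [...normalizedResource] : void 0;
+if (audience) {
+const hasOpenId = scopes.includes("openid");
+const baseUrl = ctx.context.baseURL;
+const userInfoEndpoint = `${baseUrl}/oauth2/userinfo`;
+if (hasOpenId && !audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
+const filteredValidAudiences = opts.validAudiences?.filter((aud) => aud.length);
+const validAudiences = new Set(filteredValidAudiences?.length ? filteredValidAudiences : [baseUrl]);
+if (hasOpenId) validAudiences.add(userInfoEndpoint);
+for (const aud of audience) if (!validAudiences.has(aud)) return {
+success: false,
+error: "invalid_resource"
+};
+}
+return {
+success: true,
+audience: toAudienceClaim(audience)
+};
+}
 const cachedTrustedClients = new TTLCache();
 async function verifyOAuthQueryParams(oauth_query, secret) {
 const queryParams = new URLSearchParams(oauth_query);
@@ -228,32 +270,44 @@ async function getStoredToken(storageMethod = "hashed", token, type) {
 *
 * @internal
 */
+const BASIC_SCHEME_PREFIX = /^Basic +/i;
 function basicToClientCredentials(authorization) {
-if (
-
-const
-
-
-
-}
-
-
+if (!BASIC_SCHEME_PREFIX.test(authorization)) return;
+try {
+const { clientId, clientSecret } = decodeBasicCredentials(authorization);
+return {
+client_id: clientId,
+client_secret: clientSecret
+};
+} catch {
+throw new APIError("BAD_REQUEST", {
 error_description: "invalid authorization header format",
 error: "invalid_client"
 });
-return {
-client_id: id,
-client_secret: secret
-};
 }
 }
 /**
+* Whether a client is allowed to use a given grant type.
+*
+* A client's registered `grantTypes` defaults to the documented default
+* `["authorization_code"]` when unset (see client registration). Refresh tokens
+* are only ever issued through the authorization_code flow, so a client allowed
+* to use `authorization_code` is implicitly allowed to use `refresh_token`.
+*
+* @internal
+*/
+function clientAllowsGrant(client, grantType) {
+const allowedGrants = client.grantTypes && client.grantTypes.length > 0 ? client.grantTypes : ["authorization_code"];
+if (grantType === "refresh_token" && allowedGrants.includes("authorization_code")) return true;
+return allowedGrants.includes(grantType);
+}
+/**
 * Validates client credentials failing on mismatches
 * and incorrectly provided information
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient, grantType) {
 const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
 if (!client) throw new APIError("BAD_REQUEST", {
 error_description: "missing client",
@@ -288,6 +342,10 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 error: "invalid_scope"
 });
 }
+if (grantType && !clientAllowsGrant(client, grantType)) throw new APIError("BAD_REQUEST", {
+error_description: `client is not authorized to use grant type ${grantType}`,
+error: "unauthorized_client"
+});
 return client;
 }
 /**
@@ -324,7 +382,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 error: "invalid_client"
 });
-const { verifyClientAssertion: verify } = await import("./client-assertion-
+const { verifyClientAssertion: verify } = await import("./client-assertion-DmT1B6_6.mjs").then((n) => n.t);
 const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 return {
 method: "private_key_jwt",
@@ -413,6 +471,12 @@ function getSignedQueryIssuedAt(oauthQuery) {
 if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
 return new Date(issuedAt);
 }
+function isSessionFreshForSignedQuery(sessionCreatedAt, signedQueryIssuedAt) {
+if (!signedQueryIssuedAt) return false;
+const normalized = normalizeTimestampValue(sessionCreatedAt);
+if (!normalized) return false;
+return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 function removePromptFromQuery(query, prompt) {
 const nextQuery = new URLSearchParams(query);
 const prompts = nextQuery.get("prompt")?.split(" ");
@@ -423,6 +487,11 @@ function removePromptFromQuery(query, prompt) {
 }
 return nextQuery;
 }
+function removeMaxAgeFromQuery(query) {
+const nextQuery = new URLSearchParams(query);
+nextQuery.delete("max_age");
+return nextQuery;
+}
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
 PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
@@ -450,4 +519,4 @@ function isPKCERequired(client, requestedScopes) {
 return false;
 }
 //#endregion
-export {
+export { verifyOAuthQueryParams as A, signedQueryIssuedAtParam as C, toClientDiscoveryArray as D, toAudienceClaim as E, toResourceList as O, searchParamsToQuery as S, storeToken as T, postLoginClearedParam as _, extractClientCredentials as a, resolveSessionAuthTime as b, getOAuthProviderPlugin as c, isPKCERequired as d, isSessionFreshForSignedQuery as f, parsePrompt as g, parseClientMetadata as h, destructureCredentials as i, validateClientCredentials as k, getSignedQueryIssuedAt as l, normalizeTimestampValue as m, clientAllowsGrant as n, getClient as o, mergeDiscoveryMetadata as p, decryptStoredClientSecret as r, getJwtPlugin as s, checkResource as t, getStoredToken as u, removeMaxAgeFromQuery as v, storeClientSecret as w, resolveSubjectIdentifier as x, removePromptFromQuery as y };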
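Review bot: The new grant-type enforcement in validateClientCredentials, `if (grantType && !clientAllowsGrant(client, grantType))`, is opt-in — a caller that still passes the old six arguments skips the unauthorized_client check entirely, and the function's docblock ("Validates client credentials failing on mismatches …") was not updated to mention the new `grantType` parameter or that omission disables the check. The function is exported as `k` and called from bundle files not in this diff, so I cannot confirm every token-endpoint path supplies it; the docblock should state it explicitly, e.g. `@param grantType when supplied, the client's registered grantTypes are checked and unauthorized_client is thrown on mismatch; when omitted no grant restriction is enforced`. Note that validateClientCredentials's body is split across the `@@ -228` and `@@ -288` hunks and continues outside both. Separately, `isSessionFreshForSignedQuery` and `removeMaxAgeFromQuery` are the only helpers added here without a JSDoc block; for the former a one-liner such as `/** True when the session was created at or after the signed query was issued; false when either timestamp is missing. */` would pin down the `>=` boundary the caller relies on.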