@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/{client-assertion-DLMKVgoj.mjs → client-assertion-DmT1B6_6.mjs}

@@ -1,6 +1,9 @@
-import { a as getClient } from "./utils-DKBWQ8fe.mjs";
+import { o as getClient } from "./utils-D2dLqo7f.mjs";
 import { APIError } from "better-call";
 import { CLIENT_ASSERTION_TYPE, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
 //#region \0rolldown/runtime.js
 var __defProp = Object.defineProperty;
@@ -34,33 +37,21 @@ function setJwksCache(uri, jwks, fetchedAt) {
 	}
 }
 const ALGORITHMS_LIST = [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS];
-const pendingAssertionIds = /* @__PURE__ */ new Set();
 /**
-* Block SSRF: reject jwks_uri pointing at private/reserved IP ranges.
-* Only HTTPS with public hostnames is allowed.
+* SSRF gate for user-supplied server-side fetch targets (`jwks_uri`,
+* `backchannel_logout_uri`): returns true when the host is NOT publicly
+* routable. That covers loopback, RFC 1918 private, link-local (including AWS
+* IMDS `169.254.169.254`), shared-address-space (carrier-grade NAT),
+* IPv4-mapped IPv6, 6to4/NAT64/Teredo tunnels, every other RFC 6890
+* special-purpose range, and cloud-metadata FQDNs.
+*
+* Delegates to the audited single source of truth so this check cannot drift
+* into the kind of encoding bypass that bespoke regexes invite. This is a
+* syntactic check only: it does not resolve DNS, so a public name that
+* resolves to a private address at fetch time is not caught here.
 */
-function isPrivateIpv4(hostname) {
-	const parts = hostname.split(".");
-	if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) return false;
-	const octets = parts.map(Number);
-	const a = octets[0];
-	const b = octets[1];
-	return a === 10 || a === 0 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254 || a === 127;
-}
 function isPrivateHostname(hostname) {
-	const lower = hostname.toLowerCase();
-	const host = lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
-	if (host === "localhost" || host === "::1") return true;
-	if (isPrivateIpv4(host)) return true;
-	if (host.includes(":")) {
-		const v4MappedMatch = host.match(/^(?:0{0,4}:){0,4}:?(?:0{0,4}:)?ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
-		if (v4MappedMatch && isPrivateIpv4(v4MappedMatch[1])) return true;
-		const isLinkLocal = host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb");
-		const isUniqueLocal = host.startsWith("fc") || host.startsWith("fd");
-		if (isLinkLocal || isUniqueLocal) return true;
-	}
-	if (host === "metadata.google.internal") return true;
-	return false;
+	return !isPublicRoutableHost(hostname);
 }
 function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
 	const parsed = new URL(jwksUri);
@@ -244,33 +235,33 @@ async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertion
 		error_description: "client assertion must include jti claim",
 		error: "invalid_client"
 	});
-	const jtiIdentifier = `private_key_jwt:${clientId}:${payload.jti}`;
-	if (pendingAssertionIds.has(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-		error_description: "client assertion jti has already been used",
-		error: "invalid_client"
-	});
-	pendingAssertionIds.add(jtiIdentifier);
+	const jtiDigest = await createHash("SHA-256").digest(new TextEncoder().encode(`private_key_jwt:${clientId}:${payload.jti}`));
+	const jtiId = base64Url.encode(new Uint8Array(jtiDigest).slice(0, 24), { padding: false });
 	try {
-		if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+		await ctx.context.adapter.create({
+			model: "oauthClientAssertion",
+			data: {
+				id: jtiId,
+				expiresAt: /* @__PURE__ */ new Date(payload.exp * 1e3)
+			},
+			forceAllowId: true
+		});
+	} catch (createErr) {
+		let alreadyUsed = false;
+		try {
+			alreadyUsed = Boolean(await ctx.context.adapter.findOne({
+				model: "oauthClientAssertion",
+				where: [{
+					field: "id",
+					value: jtiId
+				}]
+			}));
+		} catch {}
+		if (alreadyUsed) throw new APIError("BAD_REQUEST", {
 			error_description: "client assertion jti has already been used",
 			error: "invalid_client"
 		});
-		const jtiExpiry = /* @__PURE__ */ new Date(payload.exp * 1e3);
-		try {
-			await ctx.context.internalAdapter.createVerificationValue({
-				identifier: jtiIdentifier,
-				value: clientId,
-				expiresAt: jtiExpiry
-			});
-		} catch (createErr) {
-			if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-				error_description: "client assertion jti has already been used",
-				error: "invalid_client"
-			});
-			throw createErr;
-		}
-	} finally {
-		pendingAssertionIds.delete(jtiIdentifier);
+		throw createErr;
 	}
 	return {
 		clientId,

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { s as ResourceServerMetadata } from "./oauth-q7dn10NU.mjs";
+import { s as ResourceServerMetadata } from "./oauth-BXrYl5x6.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { BetterAuthOptions } from "better-auth/types";
 
@@ -49,6 +49,20 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
 type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {

package/dist/client-resource.mjs

@@ -1,6 +1,6 @@
 import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-DKBWQ8fe.mjs";
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
+import { c as getOAuthProviderPlugin, s as getJwtPlugin } from "./utils-D2dLqo7f.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-Vt3lTNHX.mjs";
+import { n as oauthProvider } from "./oauth-DU6NeviY.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-q7dn10NU.mjs";
-import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-Vt3lTNHX.mjs";
+import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-BXrYl5x6.mjs";
+import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-DU6NeviY.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -60,6 +60,8 @@ declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOpti
   code_challenge_methods_supported: "S256"[];
   authorization_response_iss_parameter_supported?: boolean | undefined;
   client_id_metadata_document_supported?: boolean | undefined;
+  backchannel_logout_supported?: boolean | undefined;
+  backchannel_logout_session_supported?: boolean | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
 /**