@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/{oauth-q7dn10NU.d.mts → oauth-BXrYl5x6.d.mts}

@@ -100,6 +100,14 @@ declare const schema: {
         type: "string[]";
         required: false;
       };
+      backchannelLogoutUri: {
+        type: "string";
+        required: false;
+      };
+      backchannelLogoutSessionRequired: {
+        type: "boolean";
+        required: false;
+      };
       tokenEndpointAuthMethod: {
         type: "string";
         required: false;
@@ -280,6 +288,10 @@ declare const schema: {
       createdAt: {
         type: "date";
       };
+      revoked: {
+        type: "date";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -327,6 +339,27 @@ declare const schema: {
       };
     };
   };
+  /**
+   * Single-use record for `private_key_jwt` client assertion `jti` values. The
+   * row id is a digest of the per-client assertion identifier, so a replayed or
+   * concurrent assertion collides on the primary key and the insert fails
+   * atomically on every adapter (SQL primary key, MongoDB `_id`), including
+   * across multiple server processes.
+   *
+   * A row keeps blocking its id until deleted; `expiresAt` marks when removal
+   * is safe, since the assertion it guards has expired and is rejected earlier.
+   * TODO: no scheduled job prunes expired rows yet; like the verification
+   * table, they accumulate until a deployment-level sweep removes them.
+   */
+  oauthClientAssertion: {
+    modelName: string;
+    fields: {
+      expiresAt: {
+        type: "date";
+        required: true;
+      };
+    };
+  };
 };
 //#endregion
 //#region src/types/helpers.d.ts
@@ -1290,6 +1323,22 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
    * For example, `https://example.com/logout/callback`
    */
   postLogoutRedirectUris?: string[];
+  /**
+   * RP URL that will receive a signed Logout Token when the end-user's OP
+   * session ends. Registering it is the per-client opt-in for back-channel
+   * logout. Must be absolute, without a fragment, and HTTPS for confidential
+   * clients.
+   *
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannelLogoutUri?: string;
+  /**
+   * When true, the RP requires the `sid` claim in every Logout Token.
+   * User-scoped (sid-less) logouts are not dispatched to such a client.
+   *
+   * @default false
+   */
+  backchannelLogoutSessionRequired?: boolean;
   tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grantTypes?: GrantType[];
   responseTypes?: "code"[];
@@ -1381,6 +1430,12 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
   expiresAt: Date;
   /** The creation date of the access token. */
   createdAt: Date;
+  /**
+   * When the access token was revoked. Set by session-end dispatch, the
+   * revoke endpoint, and back-channel logout. Introspection and protected
+   * endpoints MUST treat a revoked token as inactive.
+   */
+  revoked?: Date | null;
   /**
    * Scope granted for the access token.
    *
@@ -1614,6 +1669,28 @@ interface AuthServerMetadata {
    * it on its own.
    */
   client_id_metadata_document_supported?: boolean;
+  /**
+   * Boolean value specifying whether the OP supports back-channel logout,
+   * with true indicating support.
+   *
+   * Registered in the "OAuth Authorization Server Metadata" IANA registry
+   * under OpenID Connect Back-Channel Logout 1.0, so this may appear at both
+   * `.well-known/oauth-authorization-server` and `.well-known/openid-configuration`.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#OPMetadata
+   */
+  backchannel_logout_supported?: boolean;
+  /**
+   * Boolean value specifying whether the OP can pass a `sid` (session ID)
+   * Claim in the Logout Token to identify the RP session with the OP.
+   *
+   * When true, the OP also includes `sid` in ID Tokens it issues.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#OPMetadata
+   */
+  backchannel_logout_session_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1716,6 +1793,22 @@ interface OAuthClient {
   software_statement?: string;
   redirect_uris: string[];
   post_logout_redirect_uris?: string[];
+  /**
+   * RP URL that the OP POSTs a signed Logout Token to when a session at the OP
+   * ends. The RP uses the token to terminate its own session state for that
+   * user (including any access tokens it has bound to the session).
+   *
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannel_logout_uri?: string;
+  /**
+   * When true, the RP requires the `sid` Claim in every Logout Token it
+   * receives; the OP will not dispatch user-scoped (sid-less) logouts to it.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-backchannel-1_0.html#RPMetadata
+   */
+  backchannel_logout_session_required?: boolean;
   token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grant_types?: GrantType[];
   response_types?: "code"[];

package/dist/{oauth-Vt3lTNHX.d.mts → oauth-DU6NeviY.d.mts}

@@ -1,4 +1,4 @@
-import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-q7dn10NU.mjs";
+import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-BXrYl5x6.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -34,7 +34,13 @@ interface OAuthEndpointRedirectContext<Ctx = unknown> {
   error_description: string;
   ctx: Ctx;
 }
-type OAuthRedirectOnError<Ctx = any> = (result: OAuthEndpointRedirectContext<Ctx>) => unknown;
+type OAuthRedirectOnError<Ctx = unknown, Result = unknown> = (result: OAuthEndpointRedirectContext<Ctx>) => Result | Promise<Result>;
+//#endregion
+//#region src/authorize.d.ts
+type OAuthRedirectResult = {
+  redirect: true;
+  url: string;
+};
 //#endregion
 //#region src/oauth.d.ts
 declare module "@better-auth/core" {
@@ -65,7 +71,26 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   } | {
     request: Request;
   } | void>;
-  init: (ctx: better_auth0.AuthContext) => void;
+  init: (ctx: better_auth0.AuthContext) => {
+    options: {
+      databaseHooks: {
+        session: {
+          delete: {
+            before(session: {
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              userId: string;
+              expiresAt: Date;
+              token: string;
+              ipAddress?: string | null | undefined;
+              userAgent?: string | null | undefined;
+            } & Record<string, unknown>, hookCtx: GenericEndpointContext | null): Promise<void>;
+          };
+        };
+      };
+    };
+  };
   hooks: {
     before: {
       matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -73,10 +98,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     }[];
     after: {
       matcher(ctx: better_auth0.HookEndpointContext): boolean;
-      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        redirect: boolean;
-        url: string;
-      } | undefined>;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<OAuthRedirectResult | undefined>;
     }[];
   };
   endpoints: {
@@ -123,6 +145,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean | undefined;
       client_id_metadata_document_supported?: boolean | undefined;
+      backchannel_logout_supported?: boolean | undefined;
+      backchannel_logout_session_supported?: boolean | undefined;
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     } | {
       issuer: string;
@@ -149,6 +173,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean;
       client_id_metadata_document_supported?: boolean;
+      backchannel_logout_supported?: boolean;
+      backchannel_logout_session_supported?: boolean;
     }>;
     /**
      * A server-only endpoint that helps provide the
@@ -193,6 +219,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean | undefined;
       client_id_metadata_document_supported?: boolean | undefined;
+      backchannel_logout_supported?: boolean | undefined;
+      backchannel_logout_session_supported?: boolean | undefined;
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     }>;
     oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -201,28 +229,26 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         response_type: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           code: "code";
         }>>>;
-        client_id: z.ZodString;
+        request_uri: z.ZodOptional<z.ZodString>;
         redirect_uri: z.ZodOptional<z.ZodURL>;
         scope: z.ZodOptional<z.ZodString>;
         state: z.ZodOptional<z.ZodString>;
-        request_uri: z.ZodOptional<z.ZodString>;
+        client_id: z.ZodString;
+        prompt: z.ZodOptional<z.ZodString>;
+        display: z.ZodOptional<z.ZodString>;
+        ui_locales: z.ZodOptional<z.ZodString>;
+        max_age: z.ZodOptional<z.ZodPipe<z.ZodUnion<readonly [z.ZodNumber, z.ZodString]>, z.ZodTransform<number, string | number>>>;
+        acr_values: z.ZodOptional<z.ZodString>;
+        login_hint: z.ZodOptional<z.ZodString>;
+        id_token_hint: z.ZodOptional<z.ZodString>;
         code_challenge: z.ZodOptional<z.ZodString>;
         code_challenge_method: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           S256: "S256";
         }>>>;
         nonce: z.ZodOptional<z.ZodString>;
         resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
-        prompt: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
-          none: "none";
-          consent: "consent";
-          login: "login";
-          create: "create";
-          select_account: "select_account";
-          "login consent": "login consent";
-          "select_account consent": "select_account consent";
-        }>>>;
-      }, z.core.$strip>;
-      redirectOnError: OAuthRedirectOnError<GenericEndpointContext>;
+      }, z.core.$loose>;
+      redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
       errorCodesByField: {
         response_type: {
           invalid: "unsupported_response_type";
@@ -241,6 +267,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format?: undefined;
+              minimum?: undefined;
               items?: undefined;
             };
             description: string;
@@ -251,6 +278,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format?: undefined;
+              minimum?: undefined;
               items?: undefined;
             };
             description: string;
@@ -261,6 +289,18 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format: string;
+              minimum?: undefined;
+              items?: undefined;
+            };
+            description: string;
+          } | {
+            name: string;
+            in: "query";
+            required: false;
+            schema: {
+              type: "integer";
+              minimum: number;
+              format?: undefined;
               items?: undefined;
             };
             description: string;
@@ -274,6 +314,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                 type: "string";
               };
               format?: undefined;
+              minimum?: undefined;
             };
             description: string;
           })[];
@@ -315,10 +356,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           };
         };
       };
-    }, {
-      redirect: boolean;
-      url: string;
-    }>;
+    }, OAuthRedirectResult>;
     oauth2Consent: better_call0.StrictEndpoint<"/oauth2/consent", {
       method: "POST";
       body: z.ZodObject<{
@@ -374,7 +412,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           };
         };
       };
-    }, {
+    }, OAuthRedirectResult | {
       redirect: boolean;
       url: string;
     }>;
@@ -434,10 +472,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           };
         };
       };
-    }, {
-      redirect: boolean;
-      url: string;
-    }>;
+    }, OAuthRedirectResult>;
     oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
       method: "POST";
       body: z.ZodObject<{
@@ -817,7 +852,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     }, null | undefined>;
     oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
-      method: "GET";
+      method: ("GET" | "POST")[];
       metadata: {
         openapi: {
           description: string;
@@ -973,10 +1008,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           };
         };
       };
-    }, {
-      redirect: boolean;
-      url: string;
-    } | undefined>;
+    }, OAuthRedirectResult | undefined>;
     registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
       method: "POST";
       body: z.ZodObject<{
@@ -992,6 +1024,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_version: z.ZodOptional<z.ZodString>;
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+        backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+        backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
           none: "none";
           client_secret_basic: "client_secret_basic";
@@ -1117,6 +1151,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                         };
                         description: string;
                       };
+                      backchannel_logout_uri: {
+                        type: string;
+                        format: string;
+                        description: string;
+                      };
+                      backchannel_logout_session_required: {
+                        type: string;
+                        description: string;
+                      };
                       token_endpoint_auth_method: {
                         type: string;
                         description: string;
@@ -1176,6 +1219,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_version: z.ZodOptional<z.ZodString>;
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+        backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+        backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
           none: "none";
           client_secret_basic: "client_secret_basic";
@@ -1385,6 +1430,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_version: z.ZodOptional<z.ZodString>;
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+        backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+        backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
           none: "none";
           client_secret_basic: "client_secret_basic";
@@ -1670,6 +1717,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           software_version: z.ZodOptional<z.ZodString>;
           software_statement: z.ZodOptional<z.ZodString>;
           post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+          backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+          backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
           grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
             authorization_code: "authorization_code";
             client_credentials: "client_credentials";
@@ -1736,6 +1785,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           software_version: z.ZodOptional<z.ZodString>;
           software_statement: z.ZodOptional<z.ZodString>;
           post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
+          backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
+          backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
           grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
             authorization_code: "authorization_code";
             client_credentials: "client_credentials";
@@ -2057,6 +2108,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string[]";
           required: false;
         };
+        backchannelLogoutUri: {
+          type: "string";
+          required: false;
+        };
+        backchannelLogoutSessionRequired: {
+          type: "boolean";
+          required: false;
+        };
         tokenEndpointAuthMethod: {
           type: "string";
           required: false;
@@ -2220,6 +2279,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         createdAt: {
           type: "date";
         };
+        revoked: {
+          type: "date";
+          required: false;
+        };
         scopes: {
           type: "string[]";
           required: true;
@@ -2267,6 +2330,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         };
       };
     };
+    oauthClientAssertion: {
+      modelName: string;
+      fields: {
+        expiresAt: {
+          type: "date";
+          required: true;
+        };
+      };
+    };
   };
   rateLimit: ({
     pathMatcher: (path: string) => path is "/oauth2/token";

package/dist/{utils-DKBWQ8fe.mjs → utils-D2dLqo7f.mjs}

@@ -287,12 +287,27 @@ function basicToClientCredentials(authorization) {
 	}
 }
 /**
+* Whether a client is allowed to use a given grant type.
+*
+* A client's registered `grantTypes` defaults to the documented default
+* `["authorization_code"]` when unset (see client registration). Refresh tokens
+* are only ever issued through the authorization_code flow, so a client allowed
+* to use `authorization_code` is implicitly allowed to use `refresh_token`.
+*
+* @internal
+*/
+function clientAllowsGrant(client, grantType) {
+	const allowedGrants = client.grantTypes && client.grantTypes.length > 0 ? client.grantTypes : ["authorization_code"];
+	if (grantType === "refresh_token" && allowedGrants.includes("authorization_code")) return true;
+	return allowedGrants.includes(grantType);
+}
+/**
 * Validates client credentials failing on mismatches
 * and incorrectly provided information
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient, grantType) {
 	const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
 	if (!client) throw new APIError("BAD_REQUEST", {
 		error_description: "missing client",
@@ -327,6 +342,10 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 			error: "invalid_scope"
 		});
 	}
+	if (grantType && !clientAllowsGrant(client, grantType)) throw new APIError("BAD_REQUEST", {
+		error_description: `client is not authorized to use grant type ${grantType}`,
+		error: "unauthorized_client"
+	});
 	return client;
 }
 /**
@@ -363,7 +382,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-DLMKVgoj.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-DmT1B6_6.mjs").then((n) => n.t);
 		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 		return {
 			method: "private_key_jwt",
@@ -452,6 +471,12 @@ function getSignedQueryIssuedAt(oauthQuery) {
 	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
 	return new Date(issuedAt);
 }
+function isSessionFreshForSignedQuery(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 function removePromptFromQuery(query, prompt) {
 	const nextQuery = new URLSearchParams(query);
 	const prompts = nextQuery.get("prompt")?.split(" ");
@@ -462,6 +487,11 @@ function removePromptFromQuery(query, prompt) {
 	}
 	return nextQuery;
 }
+function removeMaxAgeFromQuery(query) {
+	const nextQuery = new URLSearchParams(query);
+	nextQuery.delete("max_age");
+	return nextQuery;
+}
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
 	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
@@ -489,4 +519,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { toAudienceClaim as C, verifyOAuthQueryParams as D, validateClientCredentials as E, storeToken as S, toResourceList as T, resolveSessionAuthTime as _, getClient as a, signedQueryIssuedAtParam as b, getSignedQueryIssuedAt as c, mergeDiscoveryMetadata as d, normalizeTimestampValue as f, removePromptFromQuery as g, postLoginClearedParam as h, extractClientCredentials as i, getStoredToken as l, parsePrompt as m, decryptStoredClientSecret as n, getJwtPlugin as o, parseClientMetadata as p, destructureCredentials as r, getOAuthProviderPlugin as s, checkResource as t, isPKCERequired as u, resolveSubjectIdentifier as v, toClientDiscoveryArray as w, storeClientSecret as x, searchParamsToQuery as y };
+export { verifyOAuthQueryParams as A, signedQueryIssuedAtParam as C, toClientDiscoveryArray as D, toAudienceClaim as E, toResourceList as O, searchParamsToQuery as S, storeToken as T, postLoginClearedParam as _, extractClientCredentials as a, resolveSessionAuthTime as b, getOAuthProviderPlugin as c, isPKCERequired as d, isSessionFreshForSignedQuery as f, parsePrompt as g, parseClientMetadata as h, destructureCredentials as i, validateClientCredentials as k, getSignedQueryIssuedAt as l, normalizeTimestampValue as m, clientAllowsGrant as n, getClient as o, mergeDiscoveryMetadata as p, decryptStoredClientSecret as r, getJwtPlugin as s, checkResource as t, getStoredToken as u, removeMaxAgeFromQuery as v, storeClientSecret as w, resolveSubjectIdentifier as x, removePromptFromQuery as y };

package/dist/{version-nFnRm-a3.mjs → version-B1ZiRmxj.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.4";
+const PACKAGE_VERSION = "1.7.0-beta.5";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.5",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.4",
-    "better-auth": "1.7.0-beta.4"
+    "@better-auth/core": "1.7.0-beta.5",
+    "better-auth": "1.7.0-beta.5"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.4",
-    "better-auth": "^1.7.0-beta.4"
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.7.0-beta.5",
+    "better-auth": "^1.7.0-beta.5"
   },
   "scripts": {
     "build": "tsdown",