@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

@@ -1,9 +1,9 @@
1
- import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-q7dn10NU.mjs";
1
+ import { C as OAuthConsent, F as OAuthTokenResponse, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, z as Scope } from "./oauth-CaXmZpoL.mjs";
2
2
  import * as better_call0 from "better-call";
3
3
  import * as z from "zod";
4
- import * as better_auth_plugins0 from "better-auth/plugins";
5
4
  import * as jose from "jose";
6
- import { GenericEndpointContext } from "@better-auth/core";
5
+ import * as better_auth_plugins0 from "better-auth/plugins";
6
+ import { AuthContext, GenericEndpointContext } from "@better-auth/core";
7
7
  import * as better_auth0 from "better-auth";
8
8
 
9
9
  //#region src/oauth-endpoint.d.ts
@@ -34,9 +34,25 @@ interface OAuthEndpointRedirectContext<Ctx = unknown> {
34
34
  error_description: string;
35
35
  ctx: Ctx;
36
36
  }
37
- type OAuthRedirectOnError<Ctx = any> = (result: OAuthEndpointRedirectContext<Ctx>) => unknown;
37
+ type OAuthRedirectOnError<Ctx = unknown, Result = unknown> = (result: OAuthEndpointRedirectContext<Ctx>) => Result | Promise<Result>;
38
+ //#endregion
39
+ //#region src/authorize.d.ts
40
+ type OAuthRedirectResult = {
41
+ redirect: true;
42
+ url: string;
43
+ };
44
+ /**
45
+ * Gets the issuer identifier
46
+ */
47
+ declare function getIssuer(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): string;
38
48
  //#endregion
39
49
  //#region src/oauth.d.ts
50
+ /**
51
+ * Default scopes advertised and accepted when a configuration sets none. Shared
52
+ * with the MCP preset so the resource metadata it serves matches what the
53
+ * authorization-server metadata advertises.
54
+ */
55
+ declare const DEFAULT_OAUTH_SCOPES: readonly ["openid", "profile", "email", "offline_access"];
40
56
  declare module "@better-auth/core" {
41
57
  interface BetterAuthPluginRegistry<AuthOptions, Options> {
42
58
  "oauth-provider": {
@@ -65,7 +81,26 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
65
81
  } | {
66
82
  request: Request;
67
83
  } | void>;
68
- init: (ctx: better_auth0.AuthContext) => void;
84
+ init: (ctx: better_auth0.AuthContext) => Promise<{
85
+ options: {
86
+ databaseHooks: {
87
+ session: {
88
+ delete: {
89
+ before(session: {
90
+ id: string;
91
+ createdAt: Date;
92
+ updatedAt: Date;
93
+ userId: string;
94
+ expiresAt: Date;
95
+ token: string;
96
+ ipAddress?: string | null | undefined;
97
+ userAgent?: string | null | undefined;
98
+ } & Record<string, unknown>, hookCtx: GenericEndpointContext | null): Promise<void>;
99
+ };
100
+ };
101
+ };
102
+ };
103
+ }>;
69
104
  hooks: {
70
105
  before: {
71
106
  matcher(ctx: better_auth0.HookEndpointContext): any;
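Review bot: The new `databaseHooks.session.delete.before` hook returned from `init` has no doc comment, and its failure behaviour is not visible: it receives the whole session record, including `token`, and returns `Promise<void>`. If it is what delivers back-channel logout (this release also adds `backchannel_logout_uri`), the delivery should be time-bounded and should not reject, since a rejecting `before` hook could presumably keep the session from being deleted when a client endpoint is unreachable. A comment such as `/** Notifies registered clients before the session row is removed; failures are logged and never block deletion. */` would state the contract, if that is the intended one. `init` changing from `void` to a `Promise` is also a signature change that callers awaiting plugin initialisation need to see in the changelog.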
@@ -73,10 +108,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
73
108
  }[];
74
109
  after: {
75
110
  matcher(ctx: better_auth0.HookEndpointContext): boolean;
76
- handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
77
- redirect: boolean;
78
- url: string;
79
- } | undefined>;
111
+ handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<OAuthRedirectResult | undefined>;
80
112
  }[];
81
113
  };
82
114
  endpoints: {
@@ -92,64 +124,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
92
124
  metadata: {
93
125
  SERVER_ONLY: true;
94
126
  };
95
- }, {
96
- jwks_uri?: string | undefined;
97
- userinfo_endpoint: string;
98
- acr_values_supported: string[];
99
- subject_types_supported: ("public" | "pairwise")[];
100
- claims_supported: string[];
101
- end_session_endpoint: string;
102
- prompt_values_supported: Prompt[];
103
- issuer: string;
104
- authorization_endpoint: string;
105
- token_endpoint: string;
106
- registration_endpoint?: string | undefined;
107
- scopes_supported?: string[] | undefined;
108
- response_types_supported: "code"[];
109
- response_modes_supported: "query"[];
110
- grant_types_supported: GrantType[];
111
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
112
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
113
- service_documentation?: string | undefined;
114
- ui_locales_supported?: string[] | undefined;
115
- op_policy_uri?: string | undefined;
116
- op_tos_uri?: string | undefined;
117
- revocation_endpoint?: string | undefined;
118
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
119
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
120
- introspection_endpoint?: string | undefined;
121
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
122
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
123
- code_challenge_methods_supported: "S256"[];
124
- authorization_response_iss_parameter_supported?: boolean | undefined;
125
- client_id_metadata_document_supported?: boolean | undefined;
126
- id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
127
- } | {
128
- issuer: string;
129
- authorization_endpoint: string;
130
- token_endpoint: string;
131
- jwks_uri?: string;
132
- registration_endpoint?: string;
133
- scopes_supported?: string[];
134
- response_types_supported: "code"[];
135
- response_modes_supported: "query"[];
136
- grant_types_supported: GrantType[];
137
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
138
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
139
- service_documentation?: string;
140
- ui_locales_supported?: string[];
141
- op_policy_uri?: string;
142
- op_tos_uri?: string;
143
- revocation_endpoint?: string;
144
- revocation_endpoint_auth_methods_supported?: AuthMethod[];
145
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
146
- introspection_endpoint?: string;
147
- introspection_endpoint_auth_methods_supported?: AuthMethod[];
148
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
149
- code_challenge_methods_supported: "S256"[];
150
- authorization_response_iss_parameter_supported?: boolean;
151
- client_id_metadata_document_supported?: boolean;
152
- }>;
127
+ }, AuthServerMetadata>;
153
128
  /**
154
129
  * A server-only endpoint that helps provide the
155
130
  * OpenId configuration at the well-known endpoint.
@@ -185,14 +160,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
185
160
  op_policy_uri?: string | undefined;
186
161
  op_tos_uri?: string | undefined;
187
162
  revocation_endpoint?: string | undefined;
188
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
163
+ revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
189
164
  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
190
165
  introspection_endpoint?: string | undefined;
191
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
166
+ introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
192
167
  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
193
168
  code_challenge_methods_supported: "S256"[];
194
169
  authorization_response_iss_parameter_supported?: boolean | undefined;
195
170
  client_id_metadata_document_supported?: boolean | undefined;
171
+ backchannel_logout_supported?: boolean | undefined;
172
+ backchannel_logout_session_supported?: boolean | undefined;
173
+ dpop_signing_alg_values_supported?: better_auth_plugins0.JWSAlgorithms[] | undefined;
196
174
  id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
197
175
  }>;
198
176
  oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -201,28 +179,27 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
201
179
  response_type: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
202
180
  code: "code";
203
181
  }>>>;
204
- client_id: z.ZodString;
182
+ request_uri: z.ZodOptional<z.ZodString>;
205
183
  redirect_uri: z.ZodOptional<z.ZodURL>;
206
184
  scope: z.ZodOptional<z.ZodString>;
207
185
  state: z.ZodOptional<z.ZodString>;
208
- request_uri: z.ZodOptional<z.ZodString>;
186
+ client_id: z.ZodString;
187
+ prompt: z.ZodOptional<z.ZodString>;
188
+ display: z.ZodOptional<z.ZodString>;
189
+ ui_locales: z.ZodOptional<z.ZodString>;
190
+ max_age: z.ZodOptional<z.ZodPipe<z.ZodUnion<readonly [z.ZodNumber, z.ZodString]>, z.ZodTransform<number, string | number>>>;
191
+ acr_values: z.ZodOptional<z.ZodString>;
192
+ login_hint: z.ZodOptional<z.ZodString>;
193
+ id_token_hint: z.ZodOptional<z.ZodString>;
209
194
  code_challenge: z.ZodOptional<z.ZodString>;
210
195
  code_challenge_method: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
211
196
  S256: "S256";
212
197
  }>>>;
213
198
  nonce: z.ZodOptional<z.ZodString>;
199
+ dpop_jkt: z.ZodOptional<z.ZodString>;
214
200
  resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
215
- prompt: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
216
- none: "none";
217
- consent: "consent";
218
- login: "login";
219
- create: "create";
220
- select_account: "select_account";
221
- "login consent": "login consent";
222
- "select_account consent": "select_account consent";
223
- }>>>;
224
- }, z.core.$strip>;
225
- redirectOnError: OAuthRedirectOnError<GenericEndpointContext>;
201
+ }, z.core.$loose>;
202
+ redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
226
203
  errorCodesByField: {
227
204
  response_type: {
228
205
  invalid: "unsupported_response_type";
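Review bot: The `/oauth2/authorize` query schema no longer rejects anything beyond basic shape: the object moves from `z.core.$strip` to `z.core.$loose`, so unrecognised parameters stay on the parsed query, and `prompt` drops from a `ZodEnum` to `z.ZodOptional<z.ZodString>`. The handler is not visible here, so it should be confirmed that it validates `prompt` against the supported values and reads only named fields rather than persisting or forwarding the whole parsed object into stored request state or a redirect URL. The same widening appears on the token endpoint (`grant_type: z.ZodString` in the @@ -434 hunk, `$loose` in the @@ -456 hunk) and for `token_endpoint_auth_method` and `grant_types` in the registration hunks. I would add a comment on the source schema such as `// $loose: unknown keys pass through; validate prompt/grant_type in the handler and never spread the parsed query`. The endpoint declaration starts before this hunk and continues after it.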
@@ -241,6 +218,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
241
218
  schema: {
242
219
  type: "string";
243
220
  format?: undefined;
221
+ minimum?: undefined;
244
222
  items?: undefined;
245
223
  };
246
224
  description: string;
@@ -251,6 +229,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
251
229
  schema: {
252
230
  type: "string";
253
231
  format?: undefined;
232
+ minimum?: undefined;
254
233
  items?: undefined;
255
234
  };
256
235
  description: string;
@@ -261,6 +240,18 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
261
240
  schema: {
262
241
  type: "string";
263
242
  format: string;
243
+ minimum?: undefined;
244
+ items?: undefined;
245
+ };
246
+ description: string;
247
+ } | {
248
+ name: string;
249
+ in: "query";
250
+ required: false;
251
+ schema: {
252
+ type: "integer";
253
+ minimum: number;
254
+ format?: undefined;
264
255
  items?: undefined;
265
256
  };
266
257
  description: string;
@@ -274,6 +265,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
274
265
  type: "string";
275
266
  };
276
267
  format?: undefined;
268
+ minimum?: undefined;
277
269
  };
278
270
  description: string;
279
271
  })[];
@@ -315,10 +307,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
315
307
  };
316
308
  };
317
309
  };
318
- }, {
319
- redirect: boolean;
320
- url: string;
321
- }>;
310
+ }, OAuthRedirectResult>;
322
311
  oauth2Consent: better_call0.StrictEndpoint<"/oauth2/consent", {
323
312
  method: "POST";
324
313
  body: z.ZodObject<{
@@ -374,7 +363,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
374
363
  };
375
364
  };
376
365
  };
377
- }, {
366
+ }, OAuthRedirectResult | {
378
367
  redirect: boolean;
379
368
  url: string;
380
369
  }>;
@@ -434,18 +423,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
434
423
  };
435
424
  };
436
425
  };
437
- }, {
438
- redirect: boolean;
439
- url: string;
440
- }>;
426
+ }, OAuthRedirectResult>;
441
427
  oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
442
428
  method: "POST";
429
+ cloneRequest: true;
443
430
  body: z.ZodObject<{
444
- grant_type: z.ZodPipe<z.ZodString, z.ZodEnum<{
445
- authorization_code: "authorization_code";
446
- client_credentials: "client_credentials";
447
- refresh_token: "refresh_token";
448
- }>>;
431
+ grant_type: z.ZodString;
449
432
  client_id: z.ZodOptional<z.ZodString>;
450
433
  client_secret: z.ZodOptional<z.ZodString>;
451
434
  client_assertion: z.ZodOptional<z.ZodString>;
@@ -456,7 +439,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
456
439
  refresh_token: z.ZodOptional<z.ZodString>;
457
440
  resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
458
441
  scope: z.ZodOptional<z.ZodString>;
459
- }, z.core.$strip>;
442
+ }, z.core.$loose>;
460
443
  errorCodesByField: {
461
444
  grant_type: {
462
445
  missing: "invalid_request";
@@ -467,9 +450,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
467
450
  };
468
451
  };
469
452
  metadata: {
453
+ noStore: boolean;
470
454
  allowedMediaTypes: string[];
471
455
  openapi: {
472
456
  description: string;
457
+ parameters: {
458
+ name: string;
459
+ in: "header";
460
+ required: false;
461
+ schema: {
462
+ type: "string";
463
+ };
464
+ description: string;
465
+ }[];
473
466
  requestBody: {
474
467
  required: boolean;
475
468
  content: {
@@ -479,7 +472,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
479
472
  properties: {
480
473
  grant_type: {
481
474
  type: string;
482
- enum: string[];
483
475
  description: string;
484
476
  };
485
477
  client_id: {
@@ -595,15 +587,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
595
587
  };
596
588
  };
597
589
  };
598
- }, {
599
- access_token: string;
600
- expires_in: number;
601
- expires_at: number;
602
- token_type: "Bearer";
603
- refresh_token: string | undefined;
604
- scope: string;
605
- id_token: string | undefined;
606
- }>;
590
+ }, OAuthTokenResponse>;
607
591
  oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
608
592
  method: "POST";
609
593
  body: z.ZodObject<{
@@ -615,6 +599,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
615
599
  token_type_hint: z.ZodOptional<z.ZodString>;
616
600
  }, z.core.$strip>;
617
601
  metadata: {
602
+ noStore: boolean;
618
603
  allowedMediaTypes: string[];
619
604
  openapi: {
620
605
  description: string;
@@ -817,8 +802,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
817
802
  };
818
803
  }, null | undefined>;
819
804
  oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
820
- method: "GET";
805
+ method: ("GET" | "POST")[];
821
806
  metadata: {
807
+ noStore: boolean;
822
808
  openapi: {
823
809
  description: string;
824
810
  security: ({
@@ -929,13 +915,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
929
915
  };
930
916
  };
931
917
  }, {
918
+ sub: string;
932
919
  email?: string | undefined;
933
920
  email_verified?: boolean | undefined;
934
921
  name?: string | undefined;
935
922
  picture?: string | undefined;
936
923
  given_name?: string | undefined;
937
924
  family_name?: string | undefined;
938
- sub: string;
939
925
  }>;
940
926
  oauth2EndSession: better_call0.StrictEndpoint<"/oauth2/end-session", {
941
927
  method: "GET";
@@ -973,14 +959,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
973
959
  };
974
960
  };
975
961
  };
976
- }, {
977
- redirect: boolean;
978
- url: string;
979
- } | undefined>;
962
+ }, OAuthRedirectResult | undefined>;
980
963
  registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
981
964
  method: "POST";
982
965
  body: z.ZodObject<{
983
- redirect_uris: z.ZodArray<z.ZodURL>;
966
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
984
967
  scope: z.ZodOptional<z.ZodString>;
985
968
  client_name: z.ZodOptional<z.ZodString>;
986
969
  client_uri: z.ZodOptional<z.ZodString>;
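Review bot: `redirect_uris` is now `z.ZodOptional<z.ZodArray<z.ZodURL>>` on the registration body, so the schema alone accepts a client with no registered redirect URI. Together with the removal of the `ZodDefault` on `grant_types` in the next hunk, a request that omits both fields needs an explicit rule: RFC 7591 treats a missing `grant_types` as `authorization_code`, which must not be registrable without at least one redirect URI. The handler is outside this declaration, so this should be confirmed and documented, for example `/** Optional only for clients that never use the authorization_code grant; otherwise at least one URI is required. */` on the field. The same relaxation appears in the @@ -1164 and @@ -1373 hunks.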
@@ -992,24 +975,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
992
975
  software_version: z.ZodOptional<z.ZodString>;
993
976
  software_statement: z.ZodOptional<z.ZodString>;
994
977
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
995
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
996
- none: "none";
997
- client_secret_basic: "client_secret_basic";
998
- client_secret_post: "client_secret_post";
999
- private_key_jwt: "private_key_jwt";
1000
- }>>>;
978
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
979
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
980
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1001
981
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1002
982
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1003
983
  }, z.core.$strip>]>>;
1004
984
  jwks_uri: z.ZodOptional<z.ZodString>;
1005
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1006
- authorization_code: "authorization_code";
1007
- client_credentials: "client_credentials";
1008
- refresh_token: "refresh_token";
1009
- }>>>>;
1010
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
985
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
986
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1011
987
  code: "code";
1012
- }>>>>;
988
+ }>>>;
1013
989
  type: z.ZodOptional<z.ZodEnum<{
1014
990
  web: "web";
1015
991
  native: "native";
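Review bot: `backchannel_logout_uri: z.ZodOptional<z.ZodURL>` is added to what appears to be the dynamic registration body, which gives a registering client control over a URL the server would later call; `ZodURL` in the type shows no restriction on scheme or destination. Where registration is open to unauthenticated clients, the source should require `https` and refuse loopback, private and link-local destinations both at registration and again when the request is sent, and that rule should be stated in the field's doc comment. The same field is added in the @@ -1176, @@ -1385, @@ -1670 and @@ -1736 hunks. The body schema starts before this hunk and continues past it.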
@@ -1019,19 +995,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1019
995
  public: "public";
1020
996
  pairwise: "pairwise";
1021
997
  }>>;
998
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
999
+ resources: z.ZodOptional<z.ZodArray<z.ZodString>>;
1022
1000
  skip_consent: z.ZodOptional<z.ZodNever>;
1023
1001
  }, z.core.$strip>;
1024
1002
  errorCodesByField: {
1025
1003
  redirect_uris: "invalid_redirect_uri";
1026
1004
  post_logout_redirect_uris: "invalid_redirect_uri";
1027
1005
  software_statement: "invalid_software_statement";
1006
+ resources: "invalid_target";
1028
1007
  };
1029
1008
  defaultError: "invalid_client_metadata";
1030
1009
  metadata: {
1010
+ noStore: boolean;
1031
1011
  openapi: {
1032
1012
  description: string;
1033
1013
  responses: {
1034
- "200": {
1014
+ "201": {
1035
1015
  description: string;
1036
1016
  content: {
1037
1017
  "application/json": {
@@ -1117,16 +1097,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1117
1097
  };
1118
1098
  description: string;
1119
1099
  };
1100
+ backchannel_logout_uri: {
1101
+ type: string;
1102
+ format: string;
1103
+ description: string;
1104
+ };
1105
+ backchannel_logout_session_required: {
1106
+ type: string;
1107
+ description: string;
1108
+ };
1120
1109
  token_endpoint_auth_method: {
1121
1110
  type: string;
1122
1111
  description: string;
1123
- enum: string[];
1124
1112
  };
1125
1113
  grant_types: {
1126
1114
  type: string;
1127
1115
  items: {
1128
1116
  type: string;
1129
- enum: string[];
1130
1117
  };
1131
1118
  description: string;
1132
1119
  };
@@ -1164,7 +1151,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1164
1151
  adminCreateOAuthClient: better_call0.StrictEndpoint<"/admin/oauth2/create-client", {
1165
1152
  method: "POST";
1166
1153
  body: z.ZodObject<{
1167
- redirect_uris: z.ZodArray<z.ZodURL>;
1154
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1168
1155
  scope: z.ZodOptional<z.ZodString>;
1169
1156
  client_name: z.ZodOptional<z.ZodString>;
1170
1157
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1176,24 +1163,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1176
1163
  software_version: z.ZodOptional<z.ZodString>;
1177
1164
  software_statement: z.ZodOptional<z.ZodString>;
1178
1165
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1179
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1180
- none: "none";
1181
- client_secret_basic: "client_secret_basic";
1182
- client_secret_post: "client_secret_post";
1183
- private_key_jwt: "private_key_jwt";
1184
- }>>>;
1166
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1167
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1168
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1185
1169
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1186
1170
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1187
1171
  }, z.core.$strip>]>>;
1188
1172
  jwks_uri: z.ZodOptional<z.ZodString>;
1189
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1190
- authorization_code: "authorization_code";
1191
- client_credentials: "client_credentials";
1192
- refresh_token: "refresh_token";
1193
- }>>>>;
1194
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1173
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1174
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1195
1175
  code: "code";
1196
- }>>>>;
1176
+ }>>>;
1197
1177
  type: z.ZodOptional<z.ZodEnum<{
1198
1178
  web: "web";
1199
1179
  native: "native";
@@ -1203,6 +1183,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1203
1183
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1204
1184
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1205
1185
  require_pkce: z.ZodOptional<z.ZodBoolean>;
1186
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1206
1187
  subject_type: z.ZodOptional<z.ZodEnum<{
1207
1188
  public: "public";
1208
1189
  pairwise: "pairwise";
@@ -1210,11 +1191,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1210
1191
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1211
1192
  }, z.core.$strip>;
1212
1193
  metadata: {
1194
+ noStore: boolean;
1213
1195
  SERVER_ONLY: true;
1214
1196
  openapi: {
1215
1197
  description: string;
1216
1198
  responses: {
1217
- "200": {
1199
+ "201": {
1218
1200
  description: string;
1219
1201
  content: {
1220
1202
  "application/json": {
@@ -1295,13 +1277,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1295
1277
  token_endpoint_auth_method: {
1296
1278
  type: string;
1297
1279
  description: string;
1298
- enum: string[];
1299
1280
  };
1300
1281
  grant_types: {
1301
1282
  type: string;
1302
1283
  items: {
1303
1284
  type: string;
1304
- enum: string[];
1305
1285
  };
1306
1286
  description: string;
1307
1287
  };
@@ -1373,7 +1353,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1373
1353
  };
1374
1354
  }>)[];
1375
1355
  body: z.ZodObject<{
1376
- redirect_uris: z.ZodArray<z.ZodURL>;
1356
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1377
1357
  scope: z.ZodOptional<z.ZodString>;
1378
1358
  client_name: z.ZodOptional<z.ZodString>;
1379
1359
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1385,35 +1365,30 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1385
1365
  software_version: z.ZodOptional<z.ZodString>;
1386
1366
  software_statement: z.ZodOptional<z.ZodString>;
1387
1367
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1388
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1389
- none: "none";
1390
- client_secret_basic: "client_secret_basic";
1391
- client_secret_post: "client_secret_post";
1392
- private_key_jwt: "private_key_jwt";
1393
- }>>>;
1368
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1369
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1370
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1394
1371
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1395
1372
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1396
1373
  }, z.core.$strip>]>>;
1397
1374
  jwks_uri: z.ZodOptional<z.ZodString>;
1398
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1399
- authorization_code: "authorization_code";
1400
- client_credentials: "client_credentials";
1401
- refresh_token: "refresh_token";
1402
- }>>>>;
1403
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1375
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1376
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1404
1377
  code: "code";
1405
- }>>>>;
1378
+ }>>>;
1406
1379
  type: z.ZodOptional<z.ZodEnum<{
1407
1380
  web: "web";
1408
1381
  native: "native";
1409
1382
  "user-agent-based": "user-agent-based";
1410
1383
  }>>;
1384
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1411
1385
  }, z.core.$strip>;
1412
1386
  metadata: {
1387
+ noStore: boolean;
1413
1388
  openapi: {
1414
1389
  description: string;
1415
1390
  responses: {
1416
- "200": {
1391
+ "201": {
1417
1392
  description: string;
1418
1393
  content: {
1419
1394
  "application/json": {
@@ -1494,13 +1469,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1494
1469
  token_endpoint_auth_method: {
1495
1470
  type: string;
1496
1471
  description: string;
1497
- enum: string[];
1498
1472
  };
1499
1473
  grant_types: {
1500
1474
  type: string;
1501
1475
  items: {
1502
1476
  type: string;
1503
- enum: string[];
1504
1477
  };
1505
1478
  description: string;
1506
1479
  };
@@ -1670,11 +1643,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1670
1643
  software_version: z.ZodOptional<z.ZodString>;
1671
1644
  software_statement: z.ZodOptional<z.ZodString>;
1672
1645
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1673
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1674
- authorization_code: "authorization_code";
1675
- client_credentials: "client_credentials";
1676
- refresh_token: "refresh_token";
1677
- }>>>;
1646
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1647
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1648
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1678
1649
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1679
1650
  code: "code";
1680
1651
  }>>>;
@@ -1686,6 +1657,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1686
1657
  client_secret_expires_at: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
1687
1658
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1688
1659
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1660
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1689
1661
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1690
1662
  }, z.core.$strip>;
1691
1663
  }, z.core.$strip>;
@@ -1736,11 +1708,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1736
1708
  software_version: z.ZodOptional<z.ZodString>;
1737
1709
  software_statement: z.ZodOptional<z.ZodString>;
1738
1710
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1739
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1740
- authorization_code: "authorization_code";
1741
- client_credentials: "client_credentials";
1742
- refresh_token: "refresh_token";
1743
- }>>>;
1711
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1712
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1713
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1744
1714
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1745
1715
  code: "code";
1746
1716
  }>>>;
@@ -1786,6 +1756,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1786
1756
  client_id: z.ZodString;
1787
1757
  }, z.core.$strip>;
1788
1758
  metadata: {
1759
+ noStore: boolean;
1789
1760
  openapi: {
1790
1761
  description: string;
1791
1762
  };
@@ -1961,6 +1932,92 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1961
1932
  };
1962
1933
  };
1963
1934
  }, void>;
1935
+ adminCreateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1936
+ method: "POST";
1937
+ body: z.ZodObject<{
1938
+ identifier: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
1939
+ name: z.ZodOptional<z.ZodString>;
1940
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1941
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1942
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1943
+ RS256: "RS256";
1944
+ PS256: "PS256";
1945
+ ES256: "ES256";
1946
+ ES512: "ES512";
1947
+ EdDSA: "EdDSA";
1948
+ }>>>;
1949
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1950
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1951
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1952
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1953
+ disabled: z.ZodOptional<z.ZodBoolean>;
1954
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1955
+ }, z.core.$strip>;
1956
+ metadata: {
1957
+ SERVER_ONLY: true;
1958
+ };
1959
+ }, OAuthResource>;
1960
+ adminListOAuthResources: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1961
+ method: "GET";
1962
+ metadata: {
1963
+ SERVER_ONLY: true;
1964
+ };
1965
+ }, OAuthResource[]>;
1966
+ adminGetOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1967
+ method: "GET";
1968
+ metadata: {
1969
+ SERVER_ONLY: true;
1970
+ };
1971
+ }, OAuthResource>;
1972
+ adminUpdateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1973
+ method: "PATCH";
1974
+ body: z.ZodObject<{
1975
+ identifier: z.ZodOptional<z.ZodString>;
1976
+ name: z.ZodOptional<z.ZodString>;
1977
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1978
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1979
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1980
+ RS256: "RS256";
1981
+ PS256: "PS256";
1982
+ ES256: "ES256";
1983
+ ES512: "ES512";
1984
+ EdDSA: "EdDSA";
1985
+ }>>>;
1986
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1987
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1988
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1989
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1990
+ disabled: z.ZodOptional<z.ZodBoolean>;
1991
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1992
+ }, z.core.$strip>;
1993
+ metadata: {
1994
+ SERVER_ONLY: true;
1995
+ };
1996
+ }, OAuthResource>;
1997
+ adminDeleteOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1998
+ method: "DELETE";
1999
+ metadata: {
2000
+ SERVER_ONLY: true;
2001
+ };
2002
+ }, {
2003
+ deleted: boolean;
2004
+ }>;
2005
+ adminLinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
2006
+ method: "POST";
2007
+ metadata: {
2008
+ SERVER_ONLY: true;
2009
+ };
2010
+ }, {
2011
+ linked: boolean;
2012
+ }>;
2013
+ adminUnlinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
2014
+ method: "DELETE";
2015
+ metadata: {
2016
+ SERVER_ONLY: true;
2017
+ };
2018
+ }, {
2019
+ unlinked: boolean;
2020
+ }>;
1964
2021
  };
1965
2022
  schema: {
1966
2023
  oauthClient: {
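Review bot: The resource bodies accept `customClaims` as `z.ZodRecord<z.ZodString, z.ZodUnknown>` and the TTLs as bare `z.ZodNumber`, and nothing in the declaration says whether registered claims such as `iss`, `sub`, `aud` or `exp` can be overridden or whether a zero, negative or very large TTL is refused. Types do not carry Zod refinements, so the checks may exist in the source; they should be documented on the fields, for example `/** Extra claims merged into access tokens for this resource; registered JWT claims are rejected. */` and `/** Token lifetime (state the unit); must be positive and capped. */`. The PATCH body also accepts `identifier`, so it should be stated what happens to tokens already issued for the old identifier when it changes. All seven endpoints are `SERVER_ONLY`, which limits exposure to server-side callers.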
@@ -2057,6 +2114,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2057
2114
  type: "string[]";
2058
2115
  required: false;
2059
2116
  };
2117
+ backchannelLogoutUri: {
2118
+ type: "string";
2119
+ required: false;
2120
+ };
2121
+ backchannelLogoutSessionRequired: {
2122
+ type: "boolean";
2123
+ required: false;
2124
+ };
2060
2125
  tokenEndpointAuthMethod: {
2061
2126
  type: "string";
2062
2127
  required: false;
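Review bot: `backchannelLogoutUri` is declared as a bare optional `string` with no doc comment, although a back-channel logout URI is an address the authorization server itself sends logout tokens to, so an unvalidated value is a server-side request forgery and token-disclosure risk. This is a type declaration, so whatever validation happens at client registration is not visible here; the field should state what is enforced, for example `/** Absolute URL without a fragment, https unless explicitly allowed; validated at registration before any logout token is posted to it. */`, once that matches the implementation. `backchannelLogoutSessionRequired` would benefit from one line saying that it controls whether a `sid` claim is included in the logout token. The enclosing `fields` object starts and ends outside this hunk.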
@@ -2089,6 +2154,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2089
2154
  type: "boolean";
2090
2155
  required: false;
2091
2156
  };
2157
+ dpopBoundAccessTokens: {
2158
+ type: "boolean";
2159
+ required: false;
2160
+ defaultValue: false;
2161
+ };
2092
2162
  referenceId: {
2093
2163
  type: "string";
2094
2164
  required: false;
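Review bot: `dpopBoundAccessTokens` is added with `defaultValue: false` and no doc comment, while the same release adds a resource-level `dpopBoundAccessTokensRequired` flag, so a reader cannot tell which setting wins when the two disagree. I would document the precedence on this field, for example `/** Client asks for DPoP-bound access tokens; a resource that sets dpopBoundAccessTokensRequired enforces binding even when this is false. */`, after confirming that this is how the token endpoint behaves. The model this field belongs to (presumably the client model) starts outside the hunk.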
@@ -2099,6 +2169,104 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2099
2169
  };
2100
2170
  };
2101
2171
  };
2172
+ oauthResource: {
2173
+ modelName: string;
2174
+ fields: {
2175
+ identifier: {
2176
+ type: "string";
2177
+ required: true;
2178
+ unique: true;
2179
+ };
2180
+ name: {
2181
+ type: "string";
2182
+ required: true;
2183
+ };
2184
+ accessTokenTtl: {
2185
+ type: "number";
2186
+ required: false;
2187
+ };
2188
+ refreshTokenTtl: {
2189
+ type: "number";
2190
+ required: false;
2191
+ };
2192
+ signingAlgorithm: {
2193
+ type: "string";
2194
+ required: false;
2195
+ };
2196
+ signingKeyId: {
2197
+ type: "string";
2198
+ required: false;
2199
+ };
2200
+ allowedScopes: {
2201
+ type: "string[]";
2202
+ required: false;
2203
+ };
2204
+ customClaims: {
2205
+ type: "json";
2206
+ required: false;
2207
+ };
2208
+ dpopBoundAccessTokensRequired: {
2209
+ type: "boolean";
2210
+ required: false;
2211
+ defaultValue: false;
2212
+ };
2213
+ disabled: {
2214
+ type: "boolean";
2215
+ required: false;
2216
+ defaultValue: false;
2217
+ };
2218
+ createdAt: {
2219
+ type: "date";
2220
+ required: false;
2221
+ };
2222
+ updatedAt: {
2223
+ type: "date";
2224
+ required: false;
2225
+ };
2226
+ policyVersion: {
2227
+ type: "number";
2228
+ required: false;
2229
+ defaultValue: number;
2230
+ };
2231
+ metadata: {
2232
+ type: "json";
2233
+ required: false;
2234
+ };
2235
+ };
2236
+ };
2237
+ oauthClientResource: {
2238
+ modelName: string;
2239
+ fields: {
2240
+ clientId: {
2241
+ type: "string";
2242
+ required: true;
2243
+ references: {
2244
+ model: string;
2245
+ field: string;
2246
+ onDelete: "cascade";
2247
+ };
2248
+ index: true;
2249
+ };
2250
+ resourceId: {
2251
+ type: "string";
2252
+ required: true;
2253
+ references: {
2254
+ model: string;
2255
+ field: string;
2256
+ onDelete: "cascade";
2257
+ };
2258
+ index: true;
2259
+ };
2260
+ metadata: {
2261
+ type: "json";
2262
+ required: false;
2263
+ };
2264
+ createdAt: {
2265
+ type: "date";
2266
+ required: false;
2267
+ };
2268
+ };
2269
+ };
2102
2270
  oauthRefreshToken: {
2103
2271
  fields: {
2104
2272
  token: {
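Review bot: `oauthResource.fields.signingAlgorithm` is stored as an unconstrained `string`, while the `adminUpdateOAuthResource` body earlier in this file limits it to `RS256 | PS256 | ES256 | ES512 | EdDSA`, so a row written by any path other than that endpoint can hold a value outside the allow-list. The signing code is not part of this declaration file, so whether the stored value is checked again before it selects an algorithm cannot be confirmed from here. A doc comment on the field would make the contract explicit: `/** Must be one of RS256, PS256, ES256, ES512, EdDSA (same set as the admin update body). */`. The same gap applies to `customClaims` (`json`): the field should say whether registered claims such as `iss`, `sub`, `aud` and `exp` can be overridden through it.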
@@ -2156,6 +2324,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2156
2324
  type: "date";
2157
2325
  required: false;
2158
2326
  };
2327
+ confirmation: {
2328
+ type: "json";
2329
+ required: false;
2330
+ };
2159
2331
  scopes: {
2160
2332
  type: "string[]";
2161
2333
  required: true;
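Review bot: The new optional `confirmation` field (`json`) has no doc comment here or in the next hunk, where it is added to a second token model together with `revoked`. Judging by the name and the DPoP fields added in this release, it presumably stores the token's `cnf` confirmation (the key thumbprint), which makes it security-relevant. Because it is `required: false`, rows created before this version carry no value, and the code that compares a presented proof against it should reject a missing value when binding is expected rather than treat the token as unbound. I would add `/** cnf confirmation for sender-constrained tokens, e.g. { jkt }; absent for plain bearer tokens. */` to both fields once the shape is confirmed. The enclosing `fields` object starts outside this hunk.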
@@ -2220,6 +2392,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2220
2392
  createdAt: {
2221
2393
  type: "date";
2222
2394
  };
2395
+ revoked: {
2396
+ type: "date";
2397
+ required: false;
2398
+ };
2399
+ confirmation: {
2400
+ type: "json";
2401
+ required: false;
2402
+ };
2223
2403
  scopes: {
2224
2404
  type: "string[]";
2225
2405
  required: true;
@@ -2267,6 +2447,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2267
2447
  };
2268
2448
  };
2269
2449
  };
2450
+ oauthClientAssertion: {
2451
+ modelName: string;
2452
+ fields: {
2453
+ expiresAt: {
2454
+ type: "date";
2455
+ required: true;
2456
+ };
2457
+ };
2458
+ };
2270
2459
  };
2271
2460
  rateLimit: ({
2272
2461
  pathMatcher: (path: string) => path is "/oauth2/token";
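Review bot: `oauthClientAssertion` is declared with a single `expiresAt` field and no doc comment, so what identifies a stored assertion is not visible in the schema. If this table is the replay cache for client-assertion JWTs (presumably keyed by `jti` through the row id), that should be stated on the model, together with who deletes rows after `expiresAt`: a cache that is never pruned grows with every token request, and one that is pruned early shortens the replay protection. A model-level comment such as `/** Seen client_assertion identifiers; a row blocks reuse until expiresAt. */` would cover it once confirmed.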
@@ -2295,4 +2484,4 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2295
2484
  })[];
2296
2485
  };
2297
2486
  //#endregion
2298
- export { OAuthErrorCode as a, OAuthRedirectOnError as c, OAuthEndpointRedirectContext as i, oauthProvider as n, OAuthFieldErrorCode as o, OAuthEndpointErrorResult as r, OAuthFieldErrorCodeMap as s, getOAuthProviderState as t };
2487
+ export { OAuthEndpointErrorResult as a, OAuthFieldErrorCode as c, getIssuer as i, OAuthFieldErrorCodeMap as l, getOAuthProviderState as n, OAuthEndpointRedirectContext as o, oauthProvider as r, OAuthErrorCode as s, DEFAULT_OAUTH_SCOPES as t, OAuthRedirectOnError as u };