@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/resource-challenge-B-cqv4ur.mjs

@@ -0,0 +1,63 @@
+import { isAPIError } from "better-auth/api";
+import { APIError as APIError$1 } from "better-call";
+import { DPOP_SIGNING_ALGORITHMS } from "better-auth/oauth2";
+//#region src/resource-challenge.ts
+const DPOP_CHALLENGE_ERRORS = new Set(["invalid_dpop_proof"]);
+function quoteAuthParam(value) {
+	return value.replace(/[\r\n]+/g, " ").replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+}
+function extractDpopError(error) {
+	const body = error.body;
+	return {
+		errorCode: typeof body?.error === "string" ? body.error : void 0,
+		description: typeof body?.error_description === "string" ? body.error_description : typeof body?.message === "string" ? body.message : error.message
+	};
+}
+function isDpopChallengeError(error) {
+	const { errorCode, description } = extractDpopError(error);
+	return !!errorCode && (DPOP_CHALLENGE_ERRORS.has(errorCode) || errorCode === "invalid_token" && description.includes("DPoP"));
+}
+function buildDpopChallenge(error, opts) {
+	const { errorCode, description } = extractDpopError(error);
+	const algorithms = opts?.dpopSigningAlgorithms ?? DPOP_SIGNING_ALGORITHMS;
+	return [
+		`DPoP error="${quoteAuthParam(errorCode ?? "invalid_dpop_proof")}"`,
+		`error_description="${quoteAuthParam(description)}"`,
+		`algs="${quoteAuthParam(algorithms.join(" "))}"`
+	].join(", ");
+}
+/**
+* Raise an OAuth resource-server challenge for a failed access-token request.
+*
+* Missing/invalid bearer credentials are reported with RFC 6750 plus the RFC
+* 9728 `resource_metadata` pointer. DPoP-bound-token failures are reported with
+* RFC 9449's `DPoP` challenge so clients know which proof algorithms to use.
+* Non-URL resources (for example a `urn:` or a client id) resolve their
+* metadata URL through `resourceMetadataMappings`.
+*
+* @internal
+*/
+function raiseResourceServerChallenge(error, resource, opts) {
+	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
+		if (isDpopChallengeError(error)) throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": buildDpopChallenge(error, opts) });
+		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((value) => {
+			const url = URL.canParse?.(value) ? new URL(value) : null;
+			if (url && url.origin !== "null") {
+				const resourcePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
+				let challenge = `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${resourcePath}${url.search}"`;
+				if (opts?.scope) challenge += `, scope="${quoteAuthParam(opts.scope)}"`;
+				return challenge;
+			}
+			const resourceMetadata = opts?.resourceMetadataMappings?.[value];
+			if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${value}` });
+			let challenge = `Bearer resource_metadata="${resourceMetadata}"`;
+			if (opts?.scope) challenge += `, scope="${quoteAuthParam(opts.scope)}"`;
+			return challenge;
+		}).join(", ");
+		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
+	}
+	if (error instanceof Error) throw error;
+	throw new Error(error);
+}
+//#endregion
+export { raiseResourceServerChallenge as t };

package/dist/rolldown-runtime-wcPFST8Q.mjs

@@ -0,0 +1,13 @@
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+//#endregion
+export { __exportAll as t };

package/dist/signed-query-CFv2jNMT.mjs

@@ -0,0 +1,44 @@
+//#region src/signed-query.ts
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+const signedQueryParameterNameParam = "ba_param";
+function canonicalizeOAuthQueryParams(params) {
+	const canonicalParams = new URLSearchParams();
+	const entries = [...params.entries()].sort(([keyA, valueA], [keyB, valueB]) => {
+		if (keyA < keyB) return -1;
+		if (keyA > keyB) return 1;
+		if (valueA < valueB) return -1;
+		if (valueA > valueB) return 1;
+		return 0;
+	});
+	for (const [key, value] of entries) canonicalParams.append(key, value);
+	return canonicalParams;
+}
+function setSignedOAuthQueryParameterNames(params) {
+	params.delete(signedQueryParameterNameParam);
+	const signedParameterNames = [...new Set([...params.keys(), signedQueryParameterNameParam])].sort();
+	for (const parameterName of signedParameterNames) params.append(signedQueryParameterNameParam, parameterName);
+}
+function getSignedOAuthQueryParameterNames(params) {
+	const signedParameterNames = params.getAll(signedQueryParameterNameParam);
+	if (!signedParameterNames.length) return;
+	return new Set(signedParameterNames);
+}
+function buildSignedOAuthQuery(search) {
+	const params = new URLSearchParams(search);
+	if (!params.has("sig")) return;
+	const signedParameterNames = getSignedOAuthQueryParameterNames(params);
+	if (!signedParameterNames) return;
+	const signedParams = new URLSearchParams();
+	for (const [key, value] of params.entries()) if (key === "sig" || key === signedQueryParameterNameParam || signedParameterNames.has(key)) signedParams.append(key, value);
+	return signedParams.toString();
+}
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+//#endregion
+export { setSignedOAuthQueryParameterNames as a, postLoginClearedParam as i, canonicalizeOAuthQueryParams as n, signedQueryIssuedAtParam as o, getSignedQueryIssuedAt as r, buildSignedOAuthQuery as t };