npm - @better-auth/oauth-provider - Versions diffs - 1.7.0-beta.4 → 1.7.0-beta.6 - Mend

@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/{client-assertion-DLMKVgoj.mjs → client-assertion-CctbJywV.mjs} +102 -87
package/dist/client-resource.d.mts +31 -2
package/dist/client-resource.mjs +45 -25
package/dist/client.d.mts +1 -1
package/dist/client.mjs +3 -13
package/dist/index.d.mts +102 -17
package/dist/index.mjs +1747 -1886
package/dist/introspect-BXqKFUQZ.mjs +2115 -0
package/dist/{oauth-Vt3lTNHX.d.mts → oauth-CAeemjD7.d.mts} +364 -175
package/dist/{oauth-q7dn10NU.d.mts → oauth-CaXmZpoL.d.mts} +922 -33
package/dist/resource-challenge-B-cqv4ur.mjs +63 -0
package/dist/rolldown-runtime-wcPFST8Q.mjs +13 -0
package/dist/signed-query-CFv2jNMT.mjs +44 -0
package/dist/utils-Baq6atYN.mjs +764 -0
package/dist/{version-nFnRm-a3.mjs → version-CUu3vBtU.mjs} +1 -1
package/package.json +8 -9
package/dist/mcp-CYnz-MXn.mjs +0 -56
package/dist/utils-DKBWQ8fe.mjs +0 -492

package/dist/utils-Baq6atYN.mjs ADDED Viewed

@@ -0,0 +1,764 @@
+import { n as canonicalizeOAuthQueryParams } from "./signed-query-CFv2jNMT.mjs";
+import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
+import { APIError } from "better-call";
+import { logger } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
+import { CLIENT_ASSERTION_TYPE, decodeBasicCredentials } from "@better-auth/core/oauth2";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
+//#region src/extensions.ts
+const DEFAULT_GRANT_TYPES = [
+	"authorization_code",
+	"client_credentials",
+	"refresh_token"
+];
+const BUILT_IN_CONFIDENTIAL_AUTH_METHODS = [
+	"client_secret_basic",
+	"client_secret_post",
+	"private_key_jwt"
+];
+const RESERVED_TOKEN_ENDPOINT_AUTH_METHODS = ["none", ...BUILT_IN_CONFIDENTIAL_AUTH_METHODS];
+const RESERVED_TOKEN_ENDPOINT_AUTH_METHOD_SET = new Set(RESERVED_TOKEN_ENDPOINT_AUTH_METHODS);
+function assertNonEmptyExtensionValue(name, value) {
+	if (value.trim().length > 0) return;
+	throw new BetterAuthError(`OAuth Provider extension ${name} cannot be empty`);
+}
+function assertAbsoluteUri(name, value) {
+	assertNonEmptyExtensionValue(name, value);
+	let url;
+	try {
+		url = new URL(value);
+	} catch {
+		url = void 0;
+	}
+	if (url?.protocol) return;
+	throw new BetterAuthError(`OAuth Provider extension ${name} must be an absolute URI: ${value}`);
+}
+function assertExtensionGrantType(grantType) {
+	assertAbsoluteUri("grant type", grantType);
+}
+function assertExtensionTokenEndpointAuthMethod(method) {
+	assertNonEmptyExtensionValue("token_endpoint_auth_method", method);
+	if (!RESERVED_TOKEN_ENDPOINT_AUTH_METHOD_SET.has(method)) return;
+	throw new BetterAuthError(`OAuth Provider extension token_endpoint_auth_method is reserved: ${method}`);
+}
+function assertExtensionClientAssertionType(assertionType) {
+	assertAbsoluteUri("client_assertion_type", assertionType);
+	if (assertionType !== CLIENT_ASSERTION_TYPE) return;
+	throw new BetterAuthError(`OAuth Provider extension client_assertion_type is reserved: ${assertionType}`);
+}
+/**
+* Validates one extension's dispatched keys (grant types, auth methods,
+* assertion types) and returns them for the cross-extension disjointness check.
+* Throws on a non-absolute grant/assertion URI, a reserved auth-method name, or
+* an empty assertion-type list.
+*/
+function collectExtensionKeys(extension) {
+	const grantTypes = Object.keys(extension.grants ?? {});
+	for (const grantType of grantTypes) assertExtensionGrantType(grantType);
+	const authMethods = [];
+	const assertionTypes = [];
+	for (const [method, strategy] of Object.entries(extension.clientAuthentication ?? {})) {
+		assertExtensionTokenEndpointAuthMethod(method);
+		authMethods.push(method);
+		const methodAssertionTypes = strategy.assertionTypes ?? [method];
+		if (methodAssertionTypes.length === 0) throw new BetterAuthError(`OAuth Provider extension client_assertion_type list cannot be empty for ${method}`);
+		for (const assertionType of methodAssertionTypes) {
+			assertExtensionClientAssertionType(assertionType);
+			assertionTypes.push(assertionType);
+		}
+	}
+	return {
+		grantTypes,
+		authMethods,
+		assertionTypes
+	};
+}
+function assertNoDuplicateAcrossExtensions(label, values) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const value of values) {
+		if (seen.has(value)) throw new BetterAuthError(`OAuth Provider extensions register ${label} "${value}" more than once. Extension contributions must be disjoint.`);
+		seen.add(value);
+	}
+}
+/**
+* Validates every extension and rejects two extensions registering the same
+* grant type, auth method, or assertion type: otherwise the first would win and
+* the second be silently unreachable. Runs at setup over the whole list;
+* extensions number in the single digits, so a full re-scan per registration is
+* cheaper than the bookkeeping to cache it.
+*/
+function validateOAuthProviderExtensions(extensions) {
+	const keys = (extensions ?? []).map(collectExtensionKeys);
+	assertNoDuplicateAcrossExtensions("grant type", keys.flatMap((k) => k.grantTypes));
+	assertNoDuplicateAcrossExtensions("token_endpoint_auth_method", keys.flatMap((k) => k.authMethods));
+	assertNoDuplicateAcrossExtensions("client_assertion_type", keys.flatMap((k) => k.assertionTypes));
+}
+function getOAuthProviderExtensions(opts) {
+	return opts.extensions ?? [];
+}
+/**
+* Flattens the client-id discovery sources contributed by every registered
+* extension into a single ordered list. `getClient()` consults them in order;
+* the metadata endpoints merge their `discoveryMetadata`.
+*/
+function getClientDiscoveries(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => {
+		const discovery = extension.clientDiscovery;
+		if (!discovery) return [];
+		return Array.isArray(discovery) ? discovery : [discovery];
+	});
+}
+/**
+* Registers an {@link OAuthProviderExtension} with the OAuth Provider plugin
+* from a companion plugin's `init()` hook. An extension can add token grants,
+* assertion-based client authentication methods, additive discovery metadata,
+* access-token / ID-token / UserInfo claims, and client-id discovery, without
+* forking provider core.
+*
+* Call this once, at `init()` time. It is idempotent in the same `extension`
+* object, so re-running a plugin's `init()` (for example when one plugin factory
+* result is shared across two `betterAuth()` instances) does not register it
+* twice. It throws if the oauth-provider plugin is not installed, if a grant
+* type or assertion type is not an absolute URI, if a client authentication
+* method reuses a built-in name, or if the extension registers a grant type,
+* auth method, or assertion type that another extension already registered
+* (contributions must be disjoint).
+*
+* @example
+* ```ts
+* init(ctx) {
+*   extendOAuthProvider(ctx, {
+*     grants: { "urn:example:grant": async ({ provider }) => provider.issueTokens(...) },
+*   });
+* }
+* ```
+*/
+function extendOAuthProvider(ctx, extension) {
+	const provider = ctx.getPlugin("oauth-provider");
+	if (!provider) throw new BetterAuthError("extendOAuthProvider requires the oauth-provider plugin.");
+	const existing = provider.options.extensions ?? [];
+	if (existing.includes(extension)) return;
+	const extensions = [...existing, extension];
+	validateOAuthProviderExtensions(extensions);
+	provider.options.extensions = extensions;
+}
+function getExtensionGrantTypes(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => Object.keys(extension.grants ?? {}));
+}
+function getSupportedGrantTypes(opts) {
+	return Array.from(new Set([...opts.grantTypes ?? DEFAULT_GRANT_TYPES, ...getExtensionGrantTypes(opts)]));
+}
+function getExtensionGrantHandler(opts, grantType) {
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const handler = extension.grants?.[grantType];
+		if (handler) return handler;
+	}
+}
+function getExtensionTokenEndpointAuthMethods(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => Object.keys(extension.clientAuthentication ?? {}));
+}
+/**
+* Confidential and extension client-authentication methods the provider
+* supports. Pass `includeNone` to prepend `"none"` for the token endpoint and
+* DCR, where public clients are allowed; the introspection and revocation
+* endpoints, which never accept public clients, omit it (the default).
+*/
+function getSupportedAuthMethods(opts, settings) {
+	return Array.from(new Set([
+		...settings?.includeNone ? ["none"] : [],
+		...BUILT_IN_CONFIDENTIAL_AUTH_METHODS,
+		...getExtensionTokenEndpointAuthMethods(opts)
+	]));
+}
+function isExtensionTokenEndpointAuthMethod(opts, method) {
+	return method ? getExtensionTokenEndpointAuthMethods(opts).includes(method) : false;
+}
+function getExtensionClientAuthenticationStrategy(opts, assertionType) {
+	if (assertionType === CLIENT_ASSERTION_TYPE) return void 0;
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const strategies = extension.clientAuthentication ?? {};
+		for (const [method, strategy] of Object.entries(strategies)) if ((strategy.assertionTypes ?? [method]).includes(assertionType)) return {
+			method,
+			strategy
+		};
+	}
+}
+/**
+* Merges each registered extension's `metadata()` contribution into `document`,
+* first-wins: the provider owns every key it already wrote, so an extension can
+* add fields but never override core. Each contributor sees the base `document`,
+* not the running accumulation, so contributions stay order-independent.
+*/
+function applyOAuthProviderMetadataExtensions(ctx, opts, type, document) {
+	const next = { ...document };
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const contribution = extension.metadata?.({
+			ctx,
+			opts,
+			type,
+			document
+		});
+		for (const [key, value] of Object.entries(contribution ?? {})) if (!(key in next)) next[key] = value;
+	}
+	return next;
+}
+async function collectClaims(opts, run) {
+	const claims = {};
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const contribution = await run(extension) ?? {};
+		for (const [key, value] of Object.entries(contribution)) {
+			if (key in claims) {
+				logger.warn(`oauth-provider: two extensions contributed the claim "${key}"; keeping the first-registered value.`);
+				continue;
+			}
+			claims[key] = value;
+		}
+	}
+	return claims;
+}
+function collectExtensionAccessTokenClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.accessToken?.(input));
+}
+function collectExtensionIdTokenClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.idToken?.(input));
+}
+function collectExtensionUserInfoClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.userInfo?.(input));
+}
+/**
+* Whether any registered extension contributes UserInfo claims. Lets the
+* UserInfo endpoint skip loading the client when nothing needs it.
+*/
+function hasUserInfoClaimExtension(opts) {
+	return getOAuthProviderExtensions(opts).some((extension) => extension.claims?.userInfo);
+}
+//#endregion
+//#region src/utils/index.ts
+/**
+* Extracts the credentials from an `Authorization: Bearer <token>` header.
+*
+* Returns `undefined` when the header is absent or carries a non-Bearer scheme,
+* leaving the caller to decide whether that is an error. Throws an
+* `invalid_request` `APIError` when the Bearer scheme is present but the
+* credentials are missing or the header carries extra parts. The scheme match
+* is case-insensitive and the credentials are the single token after it.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+* @see https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
+*/
+function parseBearerToken(authorization) {
+	if (!authorization) return void 0;
+	const [scheme, credentials, ...extraParts] = authorization.trim().split(/\s+/);
+	if (scheme?.toLowerCase() !== "bearer") return void 0;
+	if (!credentials || extraParts.length > 0) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: "Malformed Bearer Authorization header"
+	});
+	return credentials;
+}
+var TTLCache = class {
+	cache = /* @__PURE__ */ new Map();
+	constructor() {}
+	set(key, value) {
+		this.cache.set(key, value);
+	}
+	get(key) {
+		const entry = this.cache.get(key);
+		if (!entry) return void 0;
+		if (entry.expiresAt && entry.expiresAt < /* @__PURE__ */ new Date()) {
+			this.cache.delete(key);
+			return;
+		}
+		return entry;
+	}
+};
+/**
+* Gets the oAuth Provider Plugin
+* @internal
+*/
+const getOAuthProviderPlugin = (ctx) => {
+	return ctx.getPlugin("oauth-provider");
+};
+/**
+* Gets the JWT Plugin
+* @internal
+*/
+const getJwtPlugin = (ctx) => {
+	const plugin = ctx.getPlugin("jwt");
+	if (!plugin) throw new BetterAuthError("jwt_config");
+	return plugin;
+};
+/**
+* Normalizes timestamp-like values returned by adapters.
+*
+* Accepts Date instances, epoch milliseconds as numbers, and strings that are
+* either ISO dates or numeric millisecond values such as "1774295570569.0".
+*/
+function normalizeTimestampValue(value) {
+	if (value == null) return;
+	if (value instanceof Date) return Number.isFinite(value.getTime()) ? value : void 0;
+	if (typeof value === "number") {
+		if (!Number.isFinite(value)) return;
+		const parsed = new Date(value);
+		return Number.isFinite(parsed.getTime()) ? parsed : void 0;
+	}
+	if (typeof value === "string") {
+		const trimmed = value.trim();
+		if (!trimmed.length) return;
+		const numeric = Number(trimmed);
+		if (Number.isFinite(numeric)) {
+			const parsed = new Date(numeric);
+			return Number.isFinite(parsed.getTime()) ? parsed : void 0;
+		}
+		const parsed = new Date(trimmed);
+		return Number.isFinite(parsed.getTime()) ? parsed : void 0;
+	}
+}
+/**
+* Resolves a session auth time from common adapter return shapes.
+*/
+function resolveSessionAuthTime(value) {
+	if (value instanceof Date) return normalizeTimestampValue(value);
+	if (!value || typeof value !== "object") return normalizeTimestampValue(value);
+	const direct = normalizeTimestampValue(value.createdAt) ?? normalizeTimestampValue(value.created_at);
+	if (direct) return direct;
+	const nested = value.session;
+	if (!nested || typeof nested !== "object") return;
+	return normalizeTimestampValue(nested.createdAt) ?? normalizeTimestampValue(nested.created_at);
+}
+/**
+* Normalizes OAuth resource values into a non-empty string array.
+*/
+function toResourceList(value) {
+	if (typeof value === "string") return [value];
+	if (!value?.length) return void 0;
+	return value;
+}
+/**
+* Normalizes audience values for JWT claims.
+*/
+function toAudienceClaim(audience) {
+	if (typeof audience === "string") return audience;
+	if (!audience?.length) return void 0;
+	return audience.length === 1 ? audience.at(0) : audience;
+}
+const cachedTrustedClients = new TTLCache();
+async function verifyOAuthQueryParams(oauth_query, secret) {
+	const queryParams = new URLSearchParams(oauth_query);
+	const sig = queryParams.get("sig");
+	const sigs = queryParams.getAll("sig");
+	const exp = Number(queryParams.get("exp"));
+	queryParams.delete("sig");
+	const verifySig = await makeSignature(canonicalizeOAuthQueryParams(queryParams).toString(), secret);
+	return sigs.length === 1 && !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
+}
+/**
+* Get a client by ID, checking trusted clients first, then database
+*/
+async function getClient(ctx, options, clientId) {
+	const trustedClient = cachedTrustedClients.get(clientId);
+	if (trustedClient) return Object.assign({}, trustedClient);
+	let dbClient = await ctx.context.adapter.findOne({
+		model: options.schema?.oauthClient?.modelName ?? "oauthClient",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}]
+	});
+	const discoveries = getClientDiscoveries(options);
+	for (const discovery of discoveries) {
+		if (!discovery.matches(clientId)) continue;
+		const resolved = await discovery.resolve(ctx, clientId, dbClient);
+		if (resolved) {
+			dbClient = resolved;
+			break;
+		}
+	}
+	if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
+	return dbClient;
+}
+/**
+* Merge `discoveryMetadata` from every contributed {@link ClientDiscovery}
+* into a single object. Entries are spread in order; later entries override
+* earlier ones on key collisions.
+*
+* @internal
+*/
+function mergeDiscoveryMetadata(discoveries) {
+	return discoveries.reduce((acc, d) => ({
+		...acc,
+		...d.discoveryMetadata ?? {}
+	}), {});
+}
+/**
+* Default client secret hasher using SHA-256
+*
+* @internal
+*/
+const defaultHasher = async (value) => {
+	const hash = await createHash("SHA-256").digest(new TextEncoder().encode(value));
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+};
+/**
+* Decrypts a storedClientSecret for signing
+*
+* @internal
+*/
+async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret) {
+	if (storageMethod === "encrypted") return await symmetricDecrypt({
+		key: ctx.context.secretConfig,
+		data: storedClientSecret
+	});
+	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) return await storageMethod.decrypt(storedClientSecret);
+	throw new BetterAuthError(`Unsupported decryption storageMethod type '${storageMethod}'`);
+}
+/**
+* Verify stored client secret against provided client secret
+*
+* @internal
+*/
+async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
+	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
+	if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
+	else throw new APIError("UNAUTHORIZED", {
+		error_description: "invalid client_secret",
+		error: "invalid_client"
+	});
+	if (storageMethod === "hashed") {
+		const hashedClientSecret = clientSecret ? await defaultHasher(clientSecret) : void 0;
+		return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
+	} else if (typeof storageMethod === "object" && "hash" in storageMethod) if (storageMethod.verify) return !!clientSecret && await storageMethod.verify(clientSecret, storedClientSecret);
+	else {
+		const hashedClientSecret = clientSecret ? await storageMethod.hash(clientSecret) : void 0;
+		return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
+	}
+	else if (storageMethod === "encrypted") try {
+		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
+		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
+	} catch {
+		return false;
+	}
+	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) {
+		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
+		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
+	}
+	throw new BetterAuthError(`Unsupported verify storageMethod type '${storageMethod}'`);
+}
+/**
+* Store client secret according to the configured storage method
+*
+* @internal
+*/
+async function storeClientSecret(ctx, opts, clientSecret) {
+	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
+	if (storageMethod === "encrypted") return await symmetricEncrypt({
+		key: ctx.context.secretConfig,
+		data: clientSecret
+	});
+	else if (storageMethod === "hashed") return await defaultHasher(clientSecret);
+	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(clientSecret);
+	else if (typeof storageMethod === "object" && "encrypt" in storageMethod) return await storageMethod.encrypt(clientSecret);
+	throw new BetterAuthError(`Unsupported storeClientSecret type '${storageMethod}'`);
+}
+/**
+* Stores a token value (ie opaque tokens, refresh tokens, transaction tokens, verification codes)
+* on the database in a secure hashed format.
+*
+* @internal
+*/
+async function storeToken(storageMethod = "hashed", token, type) {
+	if (storageMethod === "hashed") return await defaultHasher(token);
+	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
+	throw new BetterAuthError(`storeToken: unsupported storageMethod type '${storageMethod}'`);
+}
+/**
+* Gets a hashed token value to find on the database.
+*
+* @internal
+*/
+async function getStoredToken(storageMethod = "hashed", token, type) {
+	if (storageMethod === "hashed") return await defaultHasher(token);
+	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
+	throw new BetterAuthError(`getStoredToken: unsupported storageMethod type '${storageMethod}'`);
+}
+/**
+* Converts a BASIC authorization header
+* into its client_id and client_secret representation
+*
+* @internal
+*/
+const BASIC_SCHEME_PREFIX = /^Basic +/i;
+function basicToClientCredentials(authorization) {
+	if (!BASIC_SCHEME_PREFIX.test(authorization)) return;
+	try {
+		const { clientId, clientSecret } = decodeBasicCredentials(authorization);
+		return {
+			client_id: clientId,
+			client_secret: clientSecret
+		};
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			error_description: "invalid authorization header format",
+			error: "invalid_client"
+		});
+	}
+}
+/**
+* Whether a client is allowed to use a given grant type.
+*
+* A client's registered `grantTypes` defaults to the documented default
+* `["authorization_code"]` when unset (see client registration). Refresh tokens
+* are only ever issued through the authorization_code flow, so a client allowed
+* to use `authorization_code` is implicitly allowed to use `refresh_token`.
+*
+* @internal
+*/
+function clientAllowsGrant(client, grantType) {
+	const allowedGrants = client.grantTypes && client.grantTypes.length > 0 ? client.grantTypes : ["authorization_code"];
+	if (grantType === "refresh_token" && allowedGrants.includes("authorization_code")) return true;
+	return allowedGrants.includes(grantType);
+}
+/**
+* Resolves the registered client by id and authorizes it: existence, disabled
+* state, registered auth method, requested scopes, and grant type. The record is
+* always resolved here via `getClient`, so a client-auth strategy proves the
+* caller controls `clientId` but never supplies the record. `preVerified` marks
+* that an assertion already proved control, so the client-secret check is skipped.
+*
+* @internal
+*/
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerified, grantType, authMethod) {
+	const client = await getClient(ctx, options, clientId);
+	if (!client) throw new APIError("BAD_REQUEST", {
+		error_description: "missing client",
+		error: "invalid_client"
+	});
+	if (client.disabled) throw new APIError("BAD_REQUEST", {
+		error_description: "client is disabled",
+		error: "invalid_client"
+	});
+	if (preVerified && authMethod) {
+		const registeredAuthMethod = client.tokenEndpointAuthMethod ?? "client_secret_basic";
+		if (registeredAuthMethod !== authMethod) throw new APIError("BAD_REQUEST", {
+			error_description: `client registered for ${registeredAuthMethod} cannot use ${authMethod}`,
+			error: "invalid_client"
+		});
+	}
+	if ((client.tokenEndpointAuthMethod === "private_key_jwt" || isExtensionTokenEndpointAuthMethod(options, client.tokenEndpointAuthMethod)) && !preVerified) throw new APIError("BAD_REQUEST", {
+		error_description: `client registered for ${client.tokenEndpointAuthMethod} must use client_assertion`,
+		error: "invalid_client"
+	});
+	if (!preVerified) {
+		if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "client secret must be provided",
+			error: "invalid_client"
+		});
+		if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "public client, client secret should not be received",
+			error: "invalid_client"
+		});
+		if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
+			error_description: "invalid client_secret",
+			error: "invalid_client"
+		});
+	}
+	if (scopes && client.scopes) {
+		const validScopes = new Set(client.scopes);
+		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
+			error_description: `client does not allow scope ${sc}`,
+			error: "invalid_scope"
+		});
+	}
+	if (grantType && !clientAllowsGrant(client, grantType)) throw new APIError("BAD_REQUEST", {
+		error_description: `client is not authorized to use grant type ${grantType}`,
+		error: "unauthorized_client"
+	});
+	return client;
+}
+/**
+* Parse client metadata that may be stored as JSON string or already parsed object.
+* Handles database adapters that auto-parse JSON columns.
+*
+* @internal
+*/
+function parseClientMetadata(metadata) {
+	if (!metadata) return void 0;
+	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
+}
+/** Unwraps ExtractedCredentials into the fields each grant handler needs. */
+function destructureCredentials(credentials) {
+	return {
+		clientId: credentials?.clientId,
+		clientSecret: credentials?.kind === "client_secret" ? credentials.clientSecret : void 0,
+		preVerified: credentials?.kind === "pre_verified",
+		authMethod: credentials?.method,
+		confirmation: credentials?.kind === "pre_verified" ? credentials.confirmation : void 0
+	};
+}
+/**
+* Extracts and resolves client credentials from the request.
+* Supports: client_secret_basic, client_secret_post, private_key_jwt, and none (public).
+*/
+async function extractClientCredentials(ctx, opts, expectedAudience) {
+	const body = ctx.body ?? {};
+	const authorization = ctx.request?.headers.get("authorization") ?? void 0;
+	if (body.client_assertion_type || body.client_assertion) {
+		if (!body.client_assertion || !body.client_assertion_type) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion and client_assertion_type must both be provided",
+			error: "invalid_client"
+		});
+		if (body.client_secret || authorization && BASIC_SCHEME_PREFIX.test(authorization)) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
+			error: "invalid_client"
+		});
+		const assertion = body.client_assertion;
+		const assertionType = body.client_assertion_type;
+		const extensionStrategy = getExtensionClientAuthenticationStrategy(opts, assertionType);
+		if (extensionStrategy) {
+			const result = await extensionStrategy.strategy.authenticate({
+				ctx,
+				opts,
+				assertion,
+				assertionType,
+				clientId: body.client_id,
+				expectedAudience
+			});
+			return {
+				kind: "pre_verified",
+				method: extensionStrategy.method,
+				clientId: result.clientId,
+				confirmation: result.confirmation
+			};
+		}
+		const { verifyClientAssertion: verify } = await import("./client-assertion-CctbJywV.mjs").then((n) => n.t);
+		return {
+			kind: "pre_verified",
+			method: "private_key_jwt",
+			clientId: (await verify(ctx, opts, assertion, assertionType, body.client_id, expectedAudience)).clientId
+		};
+	}
+	if (authorization && BASIC_SCHEME_PREFIX.test(authorization)) {
+		const res = basicToClientCredentials(authorization);
+		if (res) return {
+			kind: "client_secret",
+			method: "client_secret_basic",
+			clientId: res.client_id,
+			clientSecret: res.client_secret
+		};
+	}
+	if (body.client_id && body.client_secret) return {
+		kind: "client_secret",
+		method: "client_secret_post",
+		clientId: body.client_id,
+		clientSecret: body.client_secret
+	};
+	if (body.client_id) return {
+		kind: "public",
+		method: "none",
+		clientId: body.client_id
+	};
+	return null;
+}
+/**
+* Parse space-separated prompt string into a set of prompts
+*
+* @param prompt
+*/
+function parsePrompt(prompt) {
+	const prompts = prompt.split(" ").map((p) => p.trim());
+	const set = /* @__PURE__ */ new Set();
+	for (const p of prompts) if (p === "login" || p === "consent" || p === "create" || p === "select_account" || p === "none") set.add(p);
+	return new Set(set);
+}
+/**
+* Extracts the sector identifier (hostname) from a client's first redirect URI.
+*
+* @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
+* @internal
+*/
+function getSectorIdentifier(client) {
+	const uri = client.redirectUris?.[0];
+	if (!uri) throw new BetterAuthError("Client has no redirect URIs for sector identifier");
+	return new URL(uri).host;
+}
+/**
+* Computes a pairwise subject identifier using HMAC-SHA256.
+*
+* @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
+* @internal
+*/
+async function computePairwiseSub(userId, client, secret) {
+	return makeSignature(`${getSectorIdentifier(client)}.${userId}`, secret);
+}
+/**
+* Returns the appropriate subject identifier for a user+client pair.
+* Uses pairwise when the client opts in and the server has a secret configured.
+*
+* @internal
+*/
+async function resolveSubjectIdentifier(userId, client, opts) {
+	if (client.subjectType === "pairwise" && opts.pairwiseSecret) return computePairwiseSub(userId, client, opts.pairwiseSecret);
+	return userId;
+}
+/**
+* Converts URLSearchParams to a plain object, preserving
+* multi-valued keys as arrays instead of discarding duplicates.
+*/
+function searchParamsToQuery(params) {
+	const result = Object.create(null);
+	for (const key of new Set(params.keys())) {
+		const values = params.getAll(key);
+		result[key] = values.length === 1 ? values[0] : values;
+	}
+	return result;
+}
+function isSessionFreshForSignedQuery(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
+function removePromptFromQuery(query, prompt) {
+	const nextQuery = new URLSearchParams(query);
+	const prompts = nextQuery.get("prompt")?.split(" ");
+	const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
+	if (foundPrompt >= 0) {
+		prompts?.splice(foundPrompt, 1);
+		prompts?.length ? nextQuery.set("prompt", prompts.join(" ")) : nextQuery.delete("prompt");
+	}
+	return nextQuery;
+}
+function removeMaxAgeFromQuery(query) {
+	const nextQuery = new URLSearchParams(query);
+	nextQuery.delete("max_age");
+	return nextQuery;
+}
+var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
+	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
+	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
+	PKCERequirementErrors["CLIENT_REQUIRE_PKCE"] = "pkce is required for this client";
+	return PKCERequirementErrors;
+}(PKCERequirementErrors || {});
+/**
+* Determines if PKCE is required for a given client and scope.
+*
+* PKCE is always required for:
+* 1. Public clients (cannot securely store client_secret)
+* 2. Requests with offline_access scope (refresh token security)
+*
+* For confidential clients without offline_access:
+* - Uses client.requirePKCE if set (defaults to true)
+*
+* Returns false if PKCE is not required, or the reason it is required.
+*
+* @internal
+*/
+function isPKCERequired(client, requestedScopes) {
+	if (client.tokenEndpointAuthMethod === "none" || client.type === "native" || client.type === "user-agent-based" || client.public === true) return PKCERequirementErrors.PUBLIC_CLIENT;
+	if (requestedScopes?.includes("offline_access")) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
+	if (client.requirePKCE ?? true) return PKCERequirementErrors.CLIENT_REQUIRE_PKCE;
+	return false;
+}
+//#endregion
+export { collectExtensionUserInfoClaims as A, toAudienceClaim as C, applyOAuthProviderMetadataExtensions as D, verifyOAuthQueryParams as E, getSupportedGrantTypes as F, hasUserInfoClaimExtension as I, isExtensionTokenEndpointAuthMethod as L, getClientDiscoveries as M, getExtensionGrantHandler as N, collectExtensionAccessTokenClaims as O, getSupportedAuthMethods as P, validateOAuthProviderExtensions as R, storeToken as S, validateClientCredentials as T, removePromptFromQuery as _, getClient as a, searchParamsToQuery as b, getStoredToken as c, mergeDiscoveryMetadata as d, normalizeTimestampValue as f, removeMaxAgeFromQuery as g, parsePrompt as h, extractClientCredentials as i, extendOAuthProvider as j, collectExtensionIdTokenClaims as k, isPKCERequired as l, parseClientMetadata as m, decryptStoredClientSecret as n, getJwtPlugin as o, parseBearerToken as p, destructureCredentials as r, getOAuthProviderPlugin as s, clientAllowsGrant as t, isSessionFreshForSignedQuery as u, resolveSessionAuthTime as v, toResourceList as w, storeClientSecret as x, resolveSubjectIdentifier as y };