@better-auth/sso 1.5.1 → 1.5.2
- package/dist/index.mjs +15 -9
- package/dist/index.mjs.map +1 -1
- package/package.json +5 -5
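--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -2374,7 +2374,20 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 });
 if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 let userInfo = null;
-
+const mapping = config.mapping || {};
+if (config.userInfoEndpoint) {
+const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+const rawUserInfo = userInfoResponse.data;
+userInfo = {
+...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
+id: rawUserInfo[mapping.id || "sub"],
+email: rawUserInfo[mapping.email || "email"],
+emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+name: rawUserInfo[mapping.name || "name"],
+image: rawUserInfo[mapping.image || "picture"]
+};
+} else if (tokenResponse.idToken) {
 const idToken = decodeJwt(tokenResponse.idToken);
 if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
 const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
@@ -2385,7 +2398,6 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 return null;
 });
 if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
-const mapping = config.mapping || {};
 userInfo = {
 ...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 id: idToken[mapping.id || "sub"],
@@ -2394,13 +2406,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 name: idToken[mapping.name || "name"],
 image: idToken[mapping.image || "picture"]
 };
-}
-if (!userInfo) {
-if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
-const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-userInfo = userInfoResponse.data;
-}
+} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 const linked = await handleOAuthUserInfo(ctx, {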
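Review bot: In the new `if (config.userInfoEndpoint)` branch (new lines 2378–2389) the user identity comes from the UserInfo response alone, and because `validateToken` now sits in the `else if`, an ID token returned with the access token is never verified on this path. OpenID Connect Core (section 5.3.2) requires the UserInfo `sub` to match the ID token's `sub` before the response is used. When `tokenResponse.idToken` is present I would validate it first and add `if (verified.payload.sub !== rawUserInfo.sub)` ahead of building `userInfo`, redirecting with the existing `token_not_verified` error. Separately, `userInfoResponse.error.message` is interpolated into the redirect query string unencoded on new line 2380; `encodeURIComponent(userInfoResponse.error.message)` stops a message containing `&` or `#` from altering the redirect parameters. `handleOIDCCallback` starts and ends outside these hunks, so any validation done elsewhere in the function is not visible here.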