@hammadj/better-auth-core 1.5.0-beta.9

package/src/social-providers/apple.ts

@@ -0,0 +1,223 @@
+import { betterFetch } from "@better-fetch/fetch";
+
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { APIError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+export interface AppleProfile {
+	/**
+	 * The subject registered claim identifies the principal that’s the subject
+	 * of the identity token. Because this token is for your app, the value is
+	 * the unique identifier for the user.
+	 */
+	sub: string;
+	/**
+	 * A String value representing the user's email address.
+	 * The email address is either the user's real email address or the proxy
+	 * address, depending on their status private email relay service.
+	 */
+	email: string;
+	/**
+	 * A string or Boolean value that indicates whether the service verifies
+	 * the email. The value can either be a string ("true" or "false") or a
+	 * Boolean (true or false). The system may not verify email addresses for
+	 * Sign in with Apple at Work & School users, and this claim is "false" or
+	 * false for those users.
+	 */
+	email_verified: true | "true";
+	/**
+	 * A string or Boolean value that indicates whether the email that the user
+	 * shares is the proxy address. The value can either be a string ("true" or
+	 * "false") or a Boolean (true or false).
+	 */
+	is_private_email: boolean;
+	/**
+	 * An Integer value that indicates whether the user appears to be a real
+	 * person. Use the value of this claim to mitigate fraud. The possible
+	 * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+	 * more information, see ASUserDetectionStatus. This claim is present only
+	 * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+	 * and later. The claim isn’t present or supported for web-based apps.
+	 */
+	real_user_status: number;
+	/**
+	 * The user’s full name in the format provided during the authorization
+	 * process.
+	 */
+	name: string;
+	/**
+	 * The URL to the user's profile picture.
+	 */
+	picture: string;
+	user?: AppleNonConformUser | undefined;
+}
+
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+export interface AppleNonConformUser {
+	name: {
+		firstName: string;
+		lastName: string;
+	};
+	email: string;
+}
+
+export interface AppleOptions extends ProviderOptions<AppleProfile> {
+	clientId: string;
+	appBundleIdentifier?: string | undefined;
+	audience?: (string | string[]) | undefined;
+}
+
+export const apple = (options: AppleOptions) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token",
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			const decodedHeader = decodeProtectedHeader(token);
+			const { kid, alg: jwtAlg } = decodedHeader;
+			if (!kid || !jwtAlg) return false;
+			const publicKey = await getApplePublicKey(kid);
+			const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+				algorithms: [jwtAlg],
+				issuer: "https://appleid.apple.com",
+				audience:
+					options.audience && options.audience.length
+						? options.audience
+						: options.appBundleIdentifier
+							? options.appBundleIdentifier
+							: options.clientId,
+				maxTokenAge: "1h",
+			});
+			["email_verified", "is_private_email"].forEach((field) => {
+				if (jwtClaims[field] !== undefined) {
+					jwtClaims[field] = Boolean(jwtClaims[field]);
+				}
+			});
+			if (nonce && jwtClaims.nonce !== nonce) {
+				return false;
+			}
+			return !!jwtClaims;
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://appleid.apple.com/auth/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const profile = decodeJwt<AppleProfile>(token.idToken);
+			if (!profile) {
+				return null;
+			}
+
+			// TODO: " " masking will be removed when the name field is made optional
+			let name: string;
+			if (token.user?.name) {
+				const firstName = token.user.name.firstName || "";
+				const lastName = token.user.name.lastName || "";
+				const fullName = `${firstName} ${lastName}`.trim();
+				name = fullName || " ";
+			} else {
+				name = profile.name || " ";
+			}
+
+			const emailVerified =
+				typeof profile.email_verified === "boolean"
+					? profile.email_verified
+					: profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name,
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified: emailVerified,
+					email: profile.email,
+					...userMap,
+				},
+				data: enrichedProfile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<AppleProfile>;
+};
+
+export const getApplePublicKey = async (kid: string) => {
+	const APPLE_BASE_URL = "https://appleid.apple.com";
+	const JWKS_APPLE_URI = "/auth/keys";
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>(`${APPLE_BASE_URL}${JWKS_APPLE_URI}`);
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+	return await importJWK(jwk, jwk.alg);
+};

package/src/social-providers/atlassian.ts

@@ -0,0 +1,132 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface AtlassianProfile {
+	account_type?: string | undefined;
+	account_id: string;
+	email?: string | undefined;
+	name: string;
+	picture?: string | undefined;
+	nickname?: string | undefined;
+	locale?: string | undefined;
+	extended_profile?:
+		| {
+				job_title?: string;
+				organization?: string;
+				department?: string;
+				location?: string;
+		  }
+		| undefined;
+}
+export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
+	clientId: string;
+}
+
+export const atlassian = (options: AtlassianOptions) => {
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Atlassian");
+			}
+
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: {
+					audience: "api.atlassian.com",
+				},
+				prompt: options.prompt,
+			});
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://auth.atlassian.com/oauth/token",
+					});
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (!token.accessToken) {
+				return null;
+			}
+
+			try {
+				const { data: profile } = await betterFetch<{
+					account_id: string;
+					name: string;
+					email?: string | undefined;
+					picture?: string | undefined;
+				}>("https://api.atlassian.com/me", {
+					headers: { Authorization: `Bearer ${token.accessToken}` },
+				});
+
+				if (!profile) return null;
+
+				const userMap = await options.mapProfileToUser?.(profile);
+
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap,
+					},
+					data: profile,
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<AtlassianProfile>;
+};

package/src/social-providers/cognito.ts

@@ -0,0 +1,279 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { logger } from "../env";
+import { APIError, BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface CognitoProfile {
+	sub: string;
+	email: string;
+	email_verified: boolean;
+	name: string;
+	given_name?: string | undefined;
+	family_name?: string | undefined;
+	picture?: string | undefined;
+	username?: string | undefined;
+	locale?: string | undefined;
+	phone_number?: string | undefined;
+	phone_number_verified?: boolean | undefined;
+	aud: string;
+	iss: string;
+	exp: number;
+	iat: number;
+	// Custom attributes from Cognito can be added here
+	[key: string]: any;
+}
+
+export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
+	clientId: string;
+	/**
+	 * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
+	 */
+	domain: string;
+	/**
+	 * AWS region where User Pool is hosted (e.g., "us-east-1")
+	 */
+	region: string;
+	userPoolId: string;
+	requireClientSecret?: boolean | undefined;
+}
+
+export const cognito = (options: CognitoOptions) => {
+	if (!options.domain || !options.region || !options.userPoolId) {
+		logger.error(
+			"Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.",
+		);
+		throw new BetterAuthError("DOMAIN_AND_REGION_REQUIRED");
+	}
+
+	const cleanDomain = options.domain.replace(/^https?:\/\//, "");
+	const authorizationEndpoint = `https://${cleanDomain}/oauth2/authorize`;
+	const tokenEndpoint = `https://${cleanDomain}/oauth2/token`;
+	const userInfoEndpoint = `https://${cleanDomain}/oauth2/userinfo`;
+
+	return {
+		id: "cognito",
+		name: "Cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId) {
+				logger.error(
+					"ClientId is required for Amazon Cognito. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+
+			if (options.requireClientSecret && !options.clientSecret) {
+				logger.error(
+					"Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.",
+				);
+				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+
+			const url = await createAuthorizationURL({
+				id: "cognito",
+				options: {
+					...options,
+				},
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+			// AWS Cognito requires scopes to be encoded with %20 instead of +
+			// URLSearchParams encodes spaces as + by default, so we need to fix this
+			const scopeValue = url.searchParams.get("scope");
+			if (scopeValue) {
+				url.searchParams.delete("scope");
+				const encodedScope = encodeURIComponent(scopeValue);
+				// Manually append the scope with proper encoding to the URL
+				const urlString = url.toString();
+				const separator = urlString.includes("?") ? "&" : "?";
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+			}
+			return url;
+		},
+
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getCognitoPublicKey(
+					kid,
+					options.region,
+					options.userPoolId,
+				);
+				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
+
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: expectedIssuer,
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				});
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (token.idToken) {
+				try {
+					const profile = decodeJwt<CognitoProfile>(token.idToken);
+					if (!profile) {
+						return null;
+					}
+					const name =
+						profile.name ||
+						profile.given_name ||
+						profile.username ||
+						profile.email;
+					const enrichedProfile = {
+						...profile,
+						name,
+					};
+					const userMap = await options.mapProfileToUser?.(enrichedProfile);
+
+					return {
+						user: {
+							id: profile.sub,
+							name: enrichedProfile.name,
+							email: profile.email,
+							image: profile.picture,
+							emailVerified: profile.email_verified,
+							...userMap,
+						},
+						data: enrichedProfile,
+					};
+				} catch (error) {
+					logger.error("Failed to decode ID token:", error);
+				}
+			}
+
+			if (token.accessToken) {
+				try {
+					const { data: userInfo } = await betterFetch<CognitoProfile>(
+						userInfoEndpoint,
+						{
+							headers: {
+								Authorization: `Bearer ${token.accessToken}`,
+							},
+						},
+					);
+
+					if (userInfo) {
+						const userMap = await options.mapProfileToUser?.(userInfo);
+						return {
+							user: {
+								id: userInfo.sub,
+								name: userInfo.name || userInfo.given_name || userInfo.username,
+								email: userInfo.email,
+								image: userInfo.picture,
+								emailVerified: userInfo.email_verified,
+								...userMap,
+							},
+							data: userInfo,
+						};
+					}
+				} catch (error) {
+					logger.error("Failed to fetch user info from Cognito:", error);
+				}
+			}
+
+			return null;
+		},
+
+		options,
+	} satisfies OAuthProvider<CognitoProfile>;
+};
+
+export const getCognitoPublicKey = async (
+	kid: string,
+	region: string,
+	userPoolId: string,
+) => {
+	const COGNITO_JWKS_URI = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+
+	try {
+		const { data } = await betterFetch<{
+			keys: Array<{
+				kid: string;
+				alg: string;
+				kty: string;
+				use: string;
+				n: string;
+				e: string;
+			}>;
+		}>(COGNITO_JWKS_URI);
+
+		if (!data?.keys) {
+			throw new APIError("BAD_REQUEST", {
+				message: "Keys not found",
+			});
+		}
+
+		const jwk = data.keys.find((key) => key.kid === kid);
+		if (!jwk) {
+			throw new Error(`JWK with kid ${kid} not found`);
+		}
+
+		return await importJWK(jwk, jwk.alg);
+	} catch (error) {
+		logger.error("Failed to fetch Cognito public key:", error);
+		throw error;
+	}
+};