@hammadj/better-auth-core 1.5.0-beta.9

package/src/social-providers/paypal.ts

@@ -0,0 +1,263 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { createAuthorizationURL } from "../oauth2";
+
+export interface PayPalProfile {
+	user_id: string;
+	name: string;
+	given_name: string;
+	family_name: string;
+	middle_name?: string | undefined;
+	picture?: string | undefined;
+	email: string;
+	email_verified: boolean;
+	gender?: string | undefined;
+	birthdate?: string | undefined;
+	zoneinfo?: string | undefined;
+	locale?: string | undefined;
+	phone_number?: string | undefined;
+	address?:
+		| {
+				street_address?: string;
+				locality?: string;
+				region?: string;
+				postal_code?: string;
+				country?: string;
+		  }
+		| undefined;
+	verified_account?: boolean | undefined;
+	account_type?: string | undefined;
+	age_range?: string | undefined;
+	payer_id?: string | undefined;
+}
+
+export interface PayPalTokenResponse {
+	scope?: string | undefined;
+	access_token: string;
+	refresh_token?: string | undefined;
+	token_type: "Bearer";
+	id_token?: string | undefined;
+	expires_in: number;
+	nonce?: string | undefined;
+}
+
+export interface PayPalOptions extends ProviderOptions<PayPalProfile> {
+	clientId: string;
+	/**
+	 * PayPal environment - 'sandbox' for testing, 'live' for production
+	 * @default 'sandbox'
+	 */
+	environment?: ("sandbox" | "live") | undefined;
+	/**
+	 * Whether to request shipping address information
+	 * @default false
+	 */
+	requestShippingAddress?: boolean | undefined;
+}
+
+export const paypal = (options: PayPalOptions) => {
+	const environment = options.environment || "sandbox";
+	const isSandbox = environment === "sandbox";
+
+	const authorizationEndpoint = isSandbox
+		? "https://www.sandbox.paypal.com/signin/authorize"
+		: "https://www.paypal.com/signin/authorize";
+
+	const tokenEndpoint = isSandbox
+		? "https://api-m.sandbox.paypal.com/v1/oauth2/token"
+		: "https://api-m.paypal.com/v1/oauth2/token";
+
+	const userInfoEndpoint = isSandbox
+		? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo"
+		: "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
+
+	return {
+		id: "paypal",
+		name: "PayPal",
+		async createAuthorizationURL({ state, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+
+			/**
+			 * Log in with PayPal doesn't use traditional OAuth2 scopes
+			 * Instead, permissions are configured in the PayPal Developer Dashboard
+			 * We don't pass any scopes to avoid "invalid scope" errors
+			 **/
+
+			const _scopes: string[] = [];
+
+			const url = await createAuthorizationURL({
+				id: "paypal",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+			return url;
+		},
+
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			/**
+			 * PayPal requires Basic Auth for token exchange
+			 **/
+
+			const credentials = base64.encode(
+				`${options.clientId}:${options.clientSecret}`,
+			);
+
+			try {
+				const response = await betterFetch(tokenEndpoint, {
+					method: "POST",
+					headers: {
+						Authorization: `Basic ${credentials}`,
+						Accept: "application/json",
+						"Accept-Language": "en_US",
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						grant_type: "authorization_code",
+						code: code,
+						redirect_uri: redirectURI,
+					}).toString(),
+				});
+
+				if (!response.data) {
+					throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+				}
+
+				const data = response.data as PayPalTokenResponse;
+
+				const result = {
+					accessToken: data.access_token,
+					refreshToken: data.refresh_token,
+					accessTokenExpiresAt: data.expires_in
+						? new Date(Date.now() + data.expires_in * 1000)
+						: undefined,
+					idToken: data.id_token,
+				};
+
+				return result;
+			} catch (error) {
+				logger.error("PayPal token exchange failed:", error);
+				throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+			}
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const credentials = base64.encode(
+						`${options.clientId}:${options.clientSecret}`,
+					);
+
+					try {
+						const response = await betterFetch(tokenEndpoint, {
+							method: "POST",
+							headers: {
+								Authorization: `Basic ${credentials}`,
+								Accept: "application/json",
+								"Accept-Language": "en_US",
+								"Content-Type": "application/x-www-form-urlencoded",
+							},
+							body: new URLSearchParams({
+								grant_type: "refresh_token",
+								refresh_token: refreshToken,
+							}).toString(),
+						});
+
+						if (!response.data) {
+							throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+						}
+
+						const data = response.data as any;
+						return {
+							accessToken: data.access_token,
+							refreshToken: data.refresh_token,
+							accessTokenExpiresAt: data.expires_in
+								? new Date(Date.now() + data.expires_in * 1000)
+								: undefined,
+						};
+					} catch (error) {
+						logger.error("PayPal token refresh failed:", error);
+						throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+					}
+				},
+
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			try {
+				const payload = decodeJwt(token);
+				return !!payload.sub;
+			} catch (error) {
+				logger.error("Failed to verify PayPal ID token:", error);
+				return false;
+			}
+		},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			if (!token.accessToken) {
+				logger.error("Access token is required to fetch PayPal user info");
+				return null;
+			}
+
+			try {
+				const response = await betterFetch<PayPalProfile>(
+					`${userInfoEndpoint}?schema=paypalv1.1`,
+					{
+						headers: {
+							Authorization: `Bearer ${token.accessToken}`,
+							Accept: "application/json",
+						},
+					},
+				);
+
+				if (!response.data) {
+					logger.error("Failed to fetch user info from PayPal");
+					return null;
+				}
+
+				const userInfo = response.data;
+				const userMap = await options.mapProfileToUser?.(userInfo);
+
+				const result = {
+					user: {
+						id: userInfo.user_id,
+						name: userInfo.name,
+						email: userInfo.email,
+						image: userInfo.picture,
+						emailVerified: userInfo.email_verified,
+						...userMap,
+					},
+					data: userInfo,
+				};
+
+				return result;
+			} catch (error) {
+				logger.error("Failed to fetch user info from PayPal:", error);
+				return null;
+			}
+		},
+
+		options,
+	} satisfies OAuthProvider<PayPalProfile>;
+};

package/src/social-providers/polar.ts

@@ -0,0 +1,110 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface PolarProfile {
+	id: string;
+	email: string;
+	username: string;
+	avatar_url: string;
+	github_username?: string | undefined;
+	account_id?: string | undefined;
+	public_name?: string | undefined;
+	email_verified?: boolean | undefined;
+	profile_settings?:
+		| {
+				profile_settings_enabled?: boolean;
+				profile_settings_public_name?: string;
+				profile_settings_public_avatar?: string;
+				profile_settings_public_bio?: string;
+				profile_settings_public_location?: string;
+				profile_settings_public_website?: string;
+				profile_settings_public_twitter?: string;
+				profile_settings_public_github?: string;
+				profile_settings_public_email?: string;
+		  }
+		| undefined;
+}
+
+export interface PolarOptions extends ProviderOptions<PolarProfile> {}
+
+export const polar = (options: PolarOptions) => {
+	return {
+		id: "polar",
+		name: "Polar",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "polar",
+				options,
+				authorizationEndpoint: "https://polar.sh/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://api.polar.sh/v1/oauth2/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<PolarProfile>(
+				"https://api.polar.sh/v1/oauth2/userinfo",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Polar may provide email_verified claim, but it's not guaranteed.
+			// We check for it first, then default to false for security consistency.
+			return {
+				user: {
+					id: profile.id,
+					name: profile.public_name || profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<PolarProfile>;
+};

package/src/social-providers/reddit.ts

@@ -0,0 +1,122 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	getOAuth2Tokens,
+	refreshAccessToken,
+} from "../oauth2";
+
+export interface RedditProfile {
+	id: string;
+	name: string;
+	icon_img: string | null;
+	has_verified_email: boolean;
+	oauth_client_id: string;
+	verified: boolean;
+}
+
+export interface RedditOptions extends ProviderOptions<RedditProfile> {
+	clientId: string;
+	duration?: string | undefined;
+}
+
+export const reddit = (options: RedditOptions) => {
+	return {
+		id: "reddit",
+		name: "Reddit",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identity"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "reddit",
+				options,
+				authorizationEndpoint: "https://www.reddit.com/api/v1/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				duration: options.duration,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			const body = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: options.redirectURI || redirectURI,
+			});
+			const headers = {
+				"content-type": "application/x-www-form-urlencoded",
+				accept: "text/plain",
+				"user-agent": "better-auth",
+				Authorization: `Basic ${base64.encode(
+					`${options.clientId}:${options.clientSecret}`,
+				)}`,
+			};
+
+			const { data, error } = await betterFetch<object>(
+				"https://www.reddit.com/api/v1/access_token",
+				{
+					method: "POST",
+					headers,
+					body: body.toString(),
+				},
+			);
+
+			if (error) {
+				throw error;
+			}
+
+			return getOAuth2Tokens(data);
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						authentication: "basic",
+						tokenEndpoint: "https://www.reddit.com/api/v1/access_token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const { data: profile, error } = await betterFetch<RedditProfile>(
+				"https://oauth.reddit.com/api/v1/me",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+						"User-Agent": "better-auth",
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.oauth_client_id,
+					emailVerified: profile.has_verified_email,
+					image: profile.icon_img?.split("?")[0]!,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RedditProfile>;
+};

package/src/social-providers/roblox.ts

@@ -0,0 +1,111 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import { refreshAccessToken, validateAuthorizationCode } from "../oauth2";
+
+export interface RobloxProfile extends Record<string, any> {
+	/** the user's id */
+	sub: string;
+	/** the user's username */
+	preferred_username: string;
+	/** the user's display name, will return the same value as the preferred_username if not set */
+	nickname: string;
+	/** the user's display name, again, will return the same value as the preferred_username if not set */
+	name: string;
+	/** the account creation date as a unix timestamp in seconds */
+	created_at: number;
+	/** the user's profile URL */
+	profile: string;
+	/** the user's avatar URL */
+	picture: string;
+}
+
+export interface RobloxOptions extends ProviderOptions<RobloxProfile> {
+	clientId: string;
+	prompt?:
+		| (
+				| "none"
+				| "consent"
+				| "login"
+				| "select_account"
+				| "select_account consent"
+		  )
+		| undefined;
+}
+
+export const roblox = (options: RobloxOptions) => {
+	return {
+		id: "roblox",
+		name: "Roblox",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return new URL(
+				`https://apis.roblox.com/oauth/v1/authorize?scope=${_scopes.join(
+					"+",
+				)}&response_type=code&client_id=${
+					options.clientId
+				}&redirect_uri=${encodeURIComponent(
+					options.redirectURI || redirectURI,
+				)}&state=${state}&prompt=${options.prompt || "select_account consent"}`,
+			);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+				authentication: "post",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<RobloxProfile>(
+				"https://apis.roblox.com/oauth/v1/userinfo",
+				{
+					headers: {
+						authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+
+			if (error) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			// Roblox does not provide email or email_verified claim.
+			// We default to false for security consistency.
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.nickname || profile.preferred_username || "",
+					image: profile.picture,
+					email: profile.preferred_username || null, // Roblox does not provide email
+					emailVerified: false,
+					...userMap,
+				},
+				data: {
+					...profile,
+				},
+			};
+		},
+		options,
+	} satisfies OAuthProvider<RobloxProfile>;
+};