@hammadj/better-auth 1.5.0-beta.9

package/dist/plugins/generic-oauth/types.d.mts

@@ -0,0 +1,145 @@
+import { GenericEndpointContext } from "@better-auth/core";
+import { User } from "@better-auth/core/db";
+import { OAuth2Tokens, OAuth2UserInfo } from "@better-auth/core/oauth2";
+
+//#region src/plugins/generic-oauth/types.d.ts
+interface GenericOAuthOptions {
+  /**
+   * Array of OAuth provider configurations.
+   */
+  config: GenericOAuthConfig[];
+}
+/**
+ * Configuration interface for generic OAuth providers.
+ */
+interface GenericOAuthConfig {
+  /** Unique identifier for the OAuth provider */
+  providerId: string;
+  /**
+   * URL to fetch OAuth 2.0 configuration.
+   * If provided, the authorization and token endpoints will be fetched from this URL.
+   */
+  discoveryUrl?: string | undefined;
+  /**
+   * URL for the authorization endpoint.
+   * Optional if using discoveryUrl.
+   */
+  authorizationUrl?: string | undefined;
+  /**
+   * URL for the token endpoint.
+   * Optional if using discoveryUrl.
+   */
+  tokenUrl?: string | undefined;
+  /**
+   * URL for the user info endpoint.
+   * Optional if using discoveryUrl.
+   */
+  userInfoUrl?: string | undefined;
+  /** OAuth client ID */
+  clientId: string;
+  /** OAuth client secret */
+  clientSecret?: string | undefined;
+  /**
+   * Array of OAuth scopes to request.
+   * @default []
+   */
+  scopes?: string[] | undefined;
+  /**
+   * Custom redirect URI.
+   * If not provided, a default URI will be constructed.
+   */
+  redirectURI?: string | undefined;
+  /**
+   * OAuth response type.
+   * @default "code"
+   */
+  responseType?: string | undefined;
+  /**
+   * The response mode to use for the authorization code request.
+    */
+  responseMode?: ("query" | "form_post") | undefined;
+  /**
+   * Prompt parameter for the authorization request.
+   * Controls the authentication experience for the user.
+   */
+  prompt?: ("none" | "login" | "create" | "consent" | "select_account" | "select_account consent" | "login consent") | undefined;
+  /**
+   * Whether to use PKCE (Proof Key for Code Exchange)
+   * @default false
+   */
+  pkce?: boolean | undefined;
+  /**
+   * Access type for the authorization request.
+   * Use "offline" to request a refresh token.
+   */
+  accessType?: string | undefined;
+  /**
+   * Custom function to exchange authorization code for tokens.
+   * If provided, this function will be used instead of the default token exchange logic.
+   * This is useful for providers with non-standard token endpoints.
+   * @param data - Authorization code exchange parameters
+   * @returns A promise that resolves to OAuth2Tokens
+   */
+  getToken?: ((data: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>) | undefined;
+  /**
+   * Custom function to fetch user info.
+   * If provided, this function will be used instead of the default user info fetching logic.
+   * @param tokens - The OAuth tokens received after successful authentication
+   * @returns A promise that resolves to a User object or null
+   */
+  getUserInfo?: ((tokens: OAuth2Tokens) => Promise<OAuth2UserInfo | null>) | undefined;
+  /**
+   * Custom function to map the user profile to a User object.
+   */
+  mapProfileToUser?: ((profile: Record<string, any>) => Partial<Partial<User>> | Promise<Partial<User>>) | undefined;
+  /**
+   * Additional search-params to add to the authorizationUrl.
+   * Warning: Search-params added here overwrite any default params.
+   */
+  authorizationUrlParams?: (Record<string, string> | ((ctx: GenericEndpointContext) => Record<string, string>)) | undefined;
+  /**
+   * Additional search-params to add to the tokenUrl.
+   * Warning: Search-params added here overwrite any default params.
+   */
+  tokenUrlParams?: (Record<string, string> | ((ctx: GenericEndpointContext) => Record<string, string>)) | undefined;
+  /**
+   * Disable implicit sign up for new users. When set to true for the provider,
+   * sign-in need to be called with with requestSignUp as true to create new users.
+   */
+  disableImplicitSignUp?: boolean | undefined;
+  /**
+   * Disable sign up for new users.
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * Authentication method for token requests.
+   * @default "post"
+   */
+  authentication?: ("basic" | "post") | undefined;
+  /**
+   * Custom headers to include in the discovery request.
+   * Useful for providers like Epic that require specific headers (e.g., Epic-Client-ID).
+   */
+  discoveryHeaders?: Record<string, string> | undefined;
+  /**
+   * Custom headers to include in the authorization request.
+   * Useful for providers like Qonto that require specific headers (e.g., X-Qonto-Staging-Token for local development).
+   */
+  authorizationHeaders?: Record<string, string> | undefined;
+  /**
+   * Override user info with the provider info.
+   *
+   * This will update the user info with the provider info,
+   * when the user signs in with the provider.
+   * @default false
+   */
+  overrideUserInfo?: boolean | undefined;
+}
+//#endregion
+export { GenericOAuthConfig, GenericOAuthOptions };
+//# sourceMappingURL=types.d.mts.map

package/dist/plugins/haveibeenpwned/index.d.mts

@@ -0,0 +1,21 @@
+//#region src/plugins/haveibeenpwned/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "have-i-been-pwned": {
+      creator: typeof haveIBeenPwned;
+    };
+  }
+}
+interface HaveIBeenPwnedOptions {
+  customPasswordCompromisedMessage?: string | undefined;
+  /**
+   * Paths to check for password
+   *
+   * @default ["/sign-up/email", "/change-password", "/reset-password"]
+   */
+  paths?: string[];
+}
+declare const haveIBeenPwned: (options?: HaveIBeenPwnedOptions | undefined) => BetterAuthPlugin;
+//#endregion
+export { HaveIBeenPwnedOptions, haveIBeenPwned };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/haveibeenpwned/index.mjs

@@ -0,0 +1,56 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
+import { APIError } from "../../api/index.mjs";
+import { getCurrentAuthContext } from "@better-auth/core/context";
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+import { createHash } from "@better-auth/utils/hash";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/plugins/haveibeenpwned/index.ts
+const ERROR_CODES = defineErrorCodes({ PASSWORD_COMPROMISED: "The password you entered has been compromised. Please choose a different password." });
+async function checkPasswordCompromise(password, customMessage) {
+	if (!password) return;
+	const sha1Hash = (await createHash("SHA-1", "hex").digest(password)).toUpperCase();
+	const prefix = sha1Hash.substring(0, 5);
+	const suffix = sha1Hash.substring(5);
+	try {
+		const { data, error } = await betterFetch(`https://api.pwnedpasswords.com/range/${prefix}`, { headers: {
+			"Add-Padding": "true",
+			"User-Agent": "BetterAuth Password Checker"
+		} });
+		if (error) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Failed to check password. Status: ${error.status}` });
+		if (data.split("\n").some((line) => line.split(":")[0].toUpperCase() === suffix.toUpperCase())) throw APIError.from("BAD_REQUEST", {
+			message: customMessage || ERROR_CODES.PASSWORD_COMPROMISED.message,
+			code: ERROR_CODES.PASSWORD_COMPROMISED.code
+		});
+	} catch (error) {
+		if (isAPIError(error)) throw error;
+		throw new APIError("INTERNAL_SERVER_ERROR", { message: "Failed to check password. Please try again later." });
+	}
+}
+const haveIBeenPwned = (options) => {
+	const paths = options?.paths || [
+		"/sign-up/email",
+		"/change-password",
+		"/reset-password"
+	];
+	return {
+		id: "have-i-been-pwned",
+		init(ctx) {
+			return { context: { password: {
+				...ctx.password,
+				async hash(password) {
+					const c = await getCurrentAuthContext();
+					if (!c.path || !paths.includes(c.path)) return ctx.password.hash(password);
+					await checkPasswordCompromise(password, options?.customPasswordCompromisedMessage);
+					return ctx.password.hash(password);
+				}
+			} } };
+		},
+		options,
+		$ERROR_CODES: ERROR_CODES
+	};
+};
+
+//#endregion
+export { haveIBeenPwned };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/haveibeenpwned/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/haveibeenpwned/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport { getCurrentAuthContext } from \"@better-auth/core/context\";\nimport { defineErrorCodes } from \"@better-auth/core/utils/error-codes\";\nimport { createHash } from \"@better-auth/utils/hash\";\nimport { betterFetch } from \"@better-fetch/fetch\";\nimport { APIError } from \"../../api\";\nimport { isAPIError } from \"../../utils/is-api-error\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"have-i-been-pwned\": {\n\t\t\tcreator: typeof haveIBeenPwned;\n\t\t};\n\t}\n}\n\nconst ERROR_CODES = defineErrorCodes({\n\tPASSWORD_COMPROMISED:\n\t\t\"The password you entered has been compromised. Please choose a different password.\",\n});\n\nasync function checkPasswordCompromise(\n\tpassword: string,\n\tcustomMessage?: string | undefined,\n) {\n\tif (!password) return;\n\n\tconst sha1Hash = (\n\t\tawait createHash(\"SHA-1\", \"hex\").digest(password)\n\t).toUpperCase();\n\tconst prefix = sha1Hash.substring(0, 5);\n\tconst suffix = sha1Hash.substring(5);\n\ttry {\n\t\tconst { data, error } = await betterFetch<string>(\n\t\t\t`https://api.pwnedpasswords.com/range/${prefix}`,\n\t\t\t{\n\t\t\t\theaders: {\n\t\t\t\t\t\"Add-Padding\": \"true\",\n\t\t\t\t\t\"User-Agent\": \"BetterAuth Password Checker\",\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tif (error) {\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\tmessage: `Failed to check password. Status: ${error.status}`,\n\t\t\t});\n\t\t}\n\t\tconst lines = data.split(\"\\n\");\n\t\tconst found = lines.some(\n\t\t\t(line) => line.split(\":\")[0]!.toUpperCase() === suffix.toUpperCase(),\n\t\t);\n\n\t\tif (found) {\n\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\tmessage: customMessage || ERROR_CODES.PASSWORD_COMPROMISED.message,\n\t\t\t\tcode: ERROR_CODES.PASSWORD_COMPROMISED.code,\n\t\t\t});\n\t\t}\n\t} catch (error) {\n\t\tif (isAPIError(error)) throw error;\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"Failed to check password. Please try again later.\",\n\t\t});\n\t}\n}\n\nexport interface HaveIBeenPwnedOptions {\n\tcustomPasswordCompromisedMessage?: string | undefined;\n\t/**\n\t * Paths to check for password\n\t *\n\t * @default [\"/sign-up/email\", \"/change-password\", \"/reset-password\"]\n\t */\n\tpaths?: string[];\n}\n\nexport const haveIBeenPwned = (options?: HaveIBeenPwnedOptions | undefined) => {\n\tconst paths = options?.paths || [\n\t\t\"/sign-up/email\",\n\t\t\"/change-password\",\n\t\t\"/reset-password\",\n\t];\n\n\treturn {\n\t\tid: \"have-i-been-pwned\",\n\t\tinit(ctx) {\n\t\t\treturn {\n\t\t\t\tcontext: {\n\t\t\t\t\tpassword: {\n\t\t\t\t\t\t...ctx.password,\n\t\t\t\t\t\tasync hash(password) {\n\t\t\t\t\t\t\tconst c = await getCurrentAuthContext();\n\t\t\t\t\t\t\tif (!c.path || !paths.includes(c.path)) {\n\t\t\t\t\t\t\t\treturn ctx.password.hash(password);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tawait checkPasswordCompromise(\n\t\t\t\t\t\t\t\tpassword,\n\t\t\t\t\t\t\t\toptions?.customPasswordCompromisedMessage,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\treturn ctx.password.hash(password);\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\toptions,\n\t\t$ERROR_CODES: ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;AAgBA,MAAM,cAAc,iBAAiB,EACpC,sBACC,sFACD,CAAC;AAEF,eAAe,wBACd,UACA,eACC;AACD,KAAI,CAAC,SAAU;CAEf,MAAM,YACL,MAAM,WAAW,SAAS,MAAM,CAAC,OAAO,SAAS,EAChD,aAAa;CACf,MAAM,SAAS,SAAS,UAAU,GAAG,EAAE;CACvC,MAAM,SAAS,SAAS,UAAU,EAAE;AACpC,KAAI;EACH,MAAM,EAAE,MAAM,UAAU,MAAM,YAC7B,wCAAwC,UACxC,EACC,SAAS;GACR,eAAe;GACf,cAAc;GACd,EACD,CACD;AAED,MAAI,MACH,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,qCAAqC,MAAM,UACpD,CAAC;AAOH,MALc,KAAK,MAAM,KAAK,CACV,MAClB,SAAS,KAAK,MAAM,IAAI,CAAC,GAAI,aAAa,KAAK,OAAO,aAAa,CACpE,CAGA,OAAM,SAAS,KAAK,eAAe;GAClC,SAAS,iBAAiB,YAAY,qBAAqB;GAC3D,MAAM,YAAY,qBAAqB;GACvC,CAAC;UAEK,OAAO;AACf,MAAI,WAAW,MAAM,CAAE,OAAM;AAC7B,QAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,qDACT,CAAC;;;AAcJ,MAAa,kBAAkB,YAAgD;CAC9E,MAAM,QAAQ,SAAS,SAAS;EAC/B;EACA;EACA;EACA;AAED,QAAO;EACN,IAAI;EACJ,KAAK,KAAK;AACT,UAAO,EACN,SAAS,EACR,UAAU;IACT,GAAG,IAAI;IACP,MAAM,KAAK,UAAU;KACpB,MAAM,IAAI,MAAM,uBAAuB;AACvC,SAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,SAAS,EAAE,KAAK,CACrC,QAAO,IAAI,SAAS,KAAK,SAAS;AAEnC,WAAM,wBACL,UACA,SAAS,iCACT;AACD,YAAO,IAAI,SAAS,KAAK,SAAS;;IAEnC,EACD,EACD;;EAEF;EACA,cAAc;EACd"}

package/dist/plugins/index.d.mts

@@ -0,0 +1,68 @@
+import { InferOptionSchema, InferPluginErrorCodes, InferPluginIDs } from "../types/plugins.mjs";
+import { AccessControl, Role, Statements, SubArray, Subset } from "./access/types.mjs";
+import { AuthorizeResponse, createAccessControl, role } from "./access/access.mjs";
+import "./access/index.mjs";
+import { OrganizationOptions } from "./organization/types.mjs";
+import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "./organization/schema.mjs";
+import { getOrgAdapter } from "./organization/adapter.mjs";
+import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
+import "./organization/index.mjs";
+import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "./admin/types.mjs";
+import { API_KEY_ERROR_CODES } from "./api-key/error-codes.mjs";
+import { ApiKey, ApiKeyOptions } from "./api-key/types.mjs";
+import { GenericOAuthConfig, GenericOAuthOptions } from "./generic-oauth/types.mjs";
+import { Auth0Options, auth0 } from "./generic-oauth/providers/auth0.mjs";
+import { GumroadOptions, gumroad } from "./generic-oauth/providers/gumroad.mjs";
+import { HubSpotOptions, hubspot } from "./generic-oauth/providers/hubspot.mjs";
+import { KeycloakOptions, keycloak } from "./generic-oauth/providers/keycloak.mjs";
+import { LineOptions, line } from "./generic-oauth/providers/line.mjs";
+import { MicrosoftEntraIdOptions, microsoftEntraId } from "./generic-oauth/providers/microsoft-entra-id.mjs";
+import { OktaOptions, okta } from "./generic-oauth/providers/okta.mjs";
+import { PatreonOptions, patreon } from "./generic-oauth/providers/patreon.mjs";
+import { SlackOptions, slack } from "./generic-oauth/providers/slack.mjs";
+import { BaseOAuthProviderOptions, genericOAuth } from "./generic-oauth/index.mjs";
+import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./jwt/types.mjs";
+import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { MultiSessionConfig, multiSession } from "./multi-session/index.mjs";
+import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "./oidc-provider/types.mjs";
+import { OneTimeTokenOptions, oneTimeToken } from "./one-time-token/index.mjs";
+import { PhoneNumberOptions, UserWithPhoneNumber } from "./phone-number/types.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
+import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./two-factor/backup-codes/index.mjs";
+import { TOTPOptions, totp2fa } from "./two-factor/totp/index.mjs";
+import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./two-factor/types.mjs";
+import { OTPOptions, otp2fa } from "./two-factor/otp/index.mjs";
+import { twoFactorClient } from "./two-factor/client.mjs";
+import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
+import { admin } from "./admin/admin.mjs";
+import "./admin/index.mjs";
+import { anonymous } from "./anonymous/index.mjs";
+import { API_KEY_TABLE_NAME, apiKey, defaultKeyHasher } from "./api-key/index.mjs";
+import { BearerOptions, bearer } from "./bearer/index.mjs";
+import { BaseCaptchaOptions, CaptchaFoxOptions, CaptchaOptions, CloudflareTurnstileOptions, GoogleRecaptchaOptions, HCaptchaOptions, Provider } from "./captcha/types.mjs";
+import { captcha } from "./captcha/index.mjs";
+import { CustomSessionPluginOptions, customSession } from "./custom-session/index.mjs";
+import { TimeString, ms, sec } from "../utils/time.mjs";
+import { DeviceAuthorizationOptions, deviceAuthorization, deviceAuthorizationOptionsSchema } from "./device-authorization/index.mjs";
+import { EmailOTPOptions } from "./email-otp/types.mjs";
+import { emailOTP } from "./email-otp/index.mjs";
+import { HaveIBeenPwnedOptions, haveIBeenPwned } from "./haveibeenpwned/index.mjs";
+import { getJwtToken, signJWT } from "./jwt/sign.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./jwt/utils.mjs";
+import { verifyJWT } from "./jwt/verify.mjs";
+import { jwt } from "./jwt/index.mjs";
+import { LastLoginMethodOptions, lastLoginMethod } from "./last-login-method/index.mjs";
+import { MagicLinkOptions, magicLink } from "./magic-link/index.mjs";
+import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
+import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
+import { OAuthProxyOptions, oAuthProxy } from "./oauth-proxy/index.mjs";
+import { OneTapOptions, oneTap } from "./one-tap/index.mjs";
+import { FieldSchema, OpenAPIModelSchema, Path, generator } from "./open-api/generator.mjs";
+import { OpenAPIOptions, openAPI } from "./open-api/index.mjs";
+import { phoneNumber } from "./phone-number/index.mjs";
+import { SIWEPluginOptions, siwe } from "./siwe/index.mjs";
+import { twoFactor } from "./two-factor/index.mjs";
+import { UsernameOptions, username } from "./username/index.mjs";
+import { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+export { API_KEY_ERROR_CODES, API_KEY_TABLE_NAME, AccessControl, AdminOptions, ApiKey, ApiKeyOptions, Auth0Options, type AuthEndpoint, type AuthMiddleware, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, apiKey, auth0, backupCode2fa, bearer, captcha, createAccessControl, createAuthEndpoint, createAuthMiddleware, createJwk, customSession, defaultKeyHasher, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, optionsMiddleware, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/index.mjs

@@ -0,0 +1,51 @@
+import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
+import { createAccessControl, role } from "./access/access.mjs";
+import "./access/index.mjs";
+import { API_KEY_ERROR_CODES } from "./api-key/error-codes.mjs";
+import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
+import { twoFactorClient } from "./two-factor/client.mjs";
+import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
+import { admin } from "./admin/admin.mjs";
+import "./admin/index.mjs";
+import { anonymous } from "./anonymous/index.mjs";
+import { API_KEY_TABLE_NAME, apiKey, defaultKeyHasher } from "./api-key/index.mjs";
+import { bearer } from "./bearer/index.mjs";
+import { captcha } from "./captcha/index.mjs";
+import { customSession } from "./custom-session/index.mjs";
+import { deviceAuthorization, deviceAuthorizationOptionsSchema } from "./device-authorization/index.mjs";
+import { emailOTP } from "./email-otp/index.mjs";
+import { auth0 } from "./generic-oauth/providers/auth0.mjs";
+import { gumroad } from "./generic-oauth/providers/gumroad.mjs";
+import { hubspot } from "./generic-oauth/providers/hubspot.mjs";
+import { keycloak } from "./generic-oauth/providers/keycloak.mjs";
+import { line } from "./generic-oauth/providers/line.mjs";
+import { microsoftEntraId } from "./generic-oauth/providers/microsoft-entra-id.mjs";
+import { okta } from "./generic-oauth/providers/okta.mjs";
+import { patreon } from "./generic-oauth/providers/patreon.mjs";
+import { slack } from "./generic-oauth/providers/slack.mjs";
+import { genericOAuth } from "./generic-oauth/index.mjs";
+import { haveIBeenPwned } from "./haveibeenpwned/index.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./jwt/utils.mjs";
+import { getJwtToken, signJWT } from "./jwt/sign.mjs";
+import { verifyJWT } from "./jwt/verify.mjs";
+import { jwt } from "./jwt/index.mjs";
+import { lastLoginMethod } from "./last-login-method/index.mjs";
+import { magicLink } from "./magic-link/index.mjs";
+import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
+import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
+import { multiSession } from "./multi-session/index.mjs";
+import { oAuthProxy } from "./oauth-proxy/index.mjs";
+import { oneTap } from "./one-tap/index.mjs";
+import { oneTimeToken } from "./one-time-token/index.mjs";
+import { openAPI } from "./open-api/index.mjs";
+import { getOrgAdapter } from "./organization/adapter.mjs";
+import { organization, parseRoles } from "./organization/organization.mjs";
+import "./organization/index.mjs";
+import { phoneNumber } from "./phone-number/index.mjs";
+import { siwe } from "./siwe/index.mjs";
+import { twoFactor } from "./two-factor/index.mjs";
+import { username } from "./username/index.mjs";
+import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+
+export { API_KEY_ERROR_CODES, API_KEY_TABLE_NAME, MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, anonymous, apiKey, auth0, bearer, captcha, createAccessControl, createAuthEndpoint, createAuthMiddleware, createJwk, customSession, defaultKeyHasher, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, optionsMiddleware, organization, parseRoles, patreon, phoneNumber, role, signJWT, siwe, slack, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/adapter.mjs

@@ -0,0 +1,27 @@
+//#region src/plugins/jwt/adapter.ts
+const getJwksAdapter = (adapter, options) => {
+	return {
+		getAllKeys: async (ctx) => {
+			if (options?.adapter?.getJwks) return await options.adapter.getJwks(ctx);
+			return await adapter.findMany({ model: "jwks" });
+		},
+		getLatestKey: async (ctx) => {
+			if (options?.adapter?.getJwks) return (await options.adapter.getJwks(ctx))?.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())[0];
+			return (await adapter.findMany({ model: "jwks" }))?.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())[0];
+		},
+		createJwk: async (ctx, webKey) => {
+			if (options?.adapter?.createJwk) return await options.adapter.createJwk(webKey, ctx);
+			return await adapter.create({
+				model: "jwks",
+				data: {
+					...webKey,
+					createdAt: /* @__PURE__ */ new Date()
+				}
+			});
+		}
+	};
+};
+
+//#endregion
+export { getJwksAdapter };
+//# sourceMappingURL=adapter.mjs.map

package/dist/plugins/jwt/adapter.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.mjs","names":[],"sources":["../../../src/plugins/jwt/adapter.ts"],"sourcesContent":["import type {\n\tBetterAuthOptions,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport type { DBAdapter } from \"@better-auth/core/db/adapter\";\nimport type { Jwk, JwtOptions } from \"./types\";\n\nexport const getJwksAdapter = (\n\tadapter: DBAdapter<BetterAuthOptions>,\n\toptions?: JwtOptions,\n) => {\n\treturn {\n\t\tgetAllKeys: async (ctx: GenericEndpointContext) => {\n\t\t\tif (options?.adapter?.getJwks) {\n\t\t\t\treturn await options.adapter.getJwks(ctx);\n\t\t\t}\n\t\t\treturn await adapter.findMany<Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t});\n\t\t},\n\t\tgetLatestKey: async (ctx: GenericEndpointContext) => {\n\t\t\tif (options?.adapter?.getJwks) {\n\t\t\t\tconst keys = await options.adapter.getJwks(ctx);\n\t\t\t\treturn keys?.sort(\n\t\t\t\t\t(a, b) => b.createdAt.getTime() - a.createdAt.getTime(),\n\t\t\t\t)[0];\n\t\t\t}\n\t\t\tconst keys = await adapter.findMany<Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t});\n\t\t\treturn keys?.sort(\n\t\t\t\t(a, b) => b.createdAt.getTime() - a.createdAt.getTime(),\n\t\t\t)[0];\n\t\t},\n\t\tcreateJwk: async (ctx: GenericEndpointContext, webKey: Omit<Jwk, \"id\">) => {\n\t\t\tif (options?.adapter?.createJwk) {\n\t\t\t\treturn await options.adapter.createJwk(webKey, ctx);\n\t\t\t}\n\t\t\tconst jwk = await adapter.create<Omit<Jwk, \"id\">, Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t\tdata: {\n\t\t\t\t\t...webKey,\n\t\t\t\t\tcreatedAt: new Date(),\n\t\t\t\t},\n\t\t\t});\n\n\t\t\treturn jwk;\n\t\t},\n\t};\n};\n"],"mappings":";AAOA,MAAa,kBACZ,SACA,YACI;AACJ,QAAO;EACN,YAAY,OAAO,QAAgC;AAClD,OAAI,SAAS,SAAS,QACrB,QAAO,MAAM,QAAQ,QAAQ,QAAQ,IAAI;AAE1C,UAAO,MAAM,QAAQ,SAAc,EAClC,OAAO,QACP,CAAC;;EAEH,cAAc,OAAO,QAAgC;AACpD,OAAI,SAAS,SAAS,QAErB,SADa,MAAM,QAAQ,QAAQ,QAAQ,IAAI,GAClC,MACX,GAAG,MAAM,EAAE,UAAU,SAAS,GAAG,EAAE,UAAU,SAAS,CACvD,CAAC;AAKH,WAHa,MAAM,QAAQ,SAAc,EACxC,OAAO,QACP,CAAC,GACW,MACX,GAAG,MAAM,EAAE,UAAU,SAAS,GAAG,EAAE,UAAU,SAAS,CACvD,CAAC;;EAEH,WAAW,OAAO,KAA6B,WAA4B;AAC1E,OAAI,SAAS,SAAS,UACrB,QAAO,MAAM,QAAQ,QAAQ,UAAU,QAAQ,IAAI;AAUpD,UARY,MAAM,QAAQ,OAA6B;IACtD,OAAO;IACP,MAAM;KACL,GAAG;KACH,2BAAW,IAAI,MAAM;KACrB;IACD,CAAC;;EAIH"}

package/dist/plugins/jwt/client.d.mts

@@ -0,0 +1,18 @@
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./types.mjs";
+
+//#region src/plugins/jwt/client.d.ts
+interface JwtClientOptions {
+  jwks?: {
+    /**
+     * The path of the endpoint exposing the JWKS.
+     * Must match the server configuration.
+     *
+     * @default /jwks
+     */
+    jwksPath?: string;
+  };
+}
+declare const jwtClient: (options?: JwtClientOptions) => BetterAuthClientPlugin;
+//#endregion
+export { jwtClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/jwt/client.mjs

@@ -0,0 +1,19 @@
+//#region src/plugins/jwt/client.ts
+const jwtClient = (options) => {
+	const jwksPath = options?.jwks?.jwksPath ?? "/jwks";
+	return {
+		id: "better-auth-client",
+		$InferServerPlugin: {},
+		pathMethods: { [jwksPath]: "GET" },
+		getActions: ($fetch) => ({ jwks: async (fetchOptions) => {
+			return await $fetch(jwksPath, {
+				method: "GET",
+				...fetchOptions
+			});
+		} })
+	};
+};
+
+//#endregion
+export { jwtClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/jwt/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/jwt/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { JSONWebKeySet } from \"jose\";\nimport type { jwt } from \"./index\";\n\ninterface JwtClientOptions {\n\tjwks?: {\n\t\t/**\n\t\t * The path of the endpoint exposing the JWKS.\n\t\t * Must match the server configuration.\n\t\t *\n\t\t * @default /jwks\n\t\t */\n\t\tjwksPath?: string;\n\t};\n}\n\nexport const jwtClient = (options?: JwtClientOptions) => {\n\tconst jwksPath = options?.jwks?.jwksPath ?? \"/jwks\";\n\n\treturn {\n\t\tid: \"better-auth-client\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof jwt>,\n\t\tpathMethods: {\n\t\t\t[jwksPath]: \"GET\",\n\t\t},\n\t\tgetActions: ($fetch) => ({\n\t\t\tjwks: async (fetchOptions?: any) => {\n\t\t\t\treturn await $fetch<JSONWebKeySet>(jwksPath, {\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t...fetchOptions,\n\t\t\t\t});\n\t\t\t},\n\t\t}),\n\t} satisfies BetterAuthClientPlugin;\n};\n\nexport type * from \"./types\";\n"],"mappings":";AAgBA,MAAa,aAAa,YAA+B;CACxD,MAAM,WAAW,SAAS,MAAM,YAAY;AAE5C,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB,aAAa,GACX,WAAW,OACZ;EACD,aAAa,YAAY,EACxB,MAAM,OAAO,iBAAuB;AACnC,UAAO,MAAM,OAAsB,UAAU;IAC5C,QAAQ;IACR,GAAG;IACH,CAAC;KAEH;EACD"}

package/dist/plugins/jwt/index.d.mts

@@ -0,0 +1,17 @@
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./types.mjs";
+import { getJwtToken, signJWT } from "./sign.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./utils.mjs";
+import { verifyJWT } from "./verify.mjs";
+
+//#region src/plugins/jwt/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    jwt: {
+      creator: typeof jwt;
+    };
+  }
+}
+declare const jwt: <O extends JwtOptions>(options?: O) => BetterAuthPlugin;
+//#endregion
+export { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, createJwk, generateExportedKeyPair, getJwtToken, jwt, signJWT, toExpJWT, verifyJWT };
+//# sourceMappingURL=index.d.mts.map