@lobehub/lobehub 2.0.0-next.124 → 2.0.0-next.126

package/src/libs/better-auth/sso/providers/cloudflare-zero-trust.ts

@@ -0,0 +1,41 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_CLOUDFLARE_ZERO_TRUST_ID: string;
+  AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER: string;
+  AUTH_CLOUDFLARE_ZERO_TRUST_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_CLOUDFLARE_ZERO_TRUST_ID,
+      clientSecret: env.AUTH_CLOUDFLARE_ZERO_TRUST_SECRET,
+      issuer: env.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER,
+      overrides: {
+        mapProfileToUser: (profile) => ({
+          email: profile.email,
+          name: profile.name ?? profile.email ?? profile.sub,
+        }),
+      },
+      providerId: 'cloudflare-zero-trust',
+    }),
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_ID &&
+      authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_SECRET &&
+      authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER
+    )
+      ? {
+          AUTH_CLOUDFLARE_ZERO_TRUST_ID: authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_ID,
+          AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER: authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_ISSUER,
+          AUTH_CLOUDFLARE_ZERO_TRUST_SECRET: authEnv.AUTH_CLOUDFLARE_ZERO_TRUST_SECRET,
+        }
+      : false;
+  },
+  id: 'cloudflare-zero-trust',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/cognito.ts

@@ -0,0 +1,45 @@
+import { authEnv } from '@/envs/auth';
+
+import type { BuiltinProviderDefinition } from '../types';
+
+const provider: BuiltinProviderDefinition<
+  {
+    AUTH_COGNITO_DOMAIN: string;
+    AUTH_COGNITO_ID: string;
+    AUTH_COGNITO_REGION: string;
+    AUTH_COGNITO_SECRET: string;
+    AUTH_COGNITO_USERPOOL_ID: string;
+  },
+  'cognito'
+> = {
+  build: (env) => {
+    return {
+      clientId: env.AUTH_COGNITO_ID,
+      clientSecret: env.AUTH_COGNITO_SECRET,
+      domain: env.AUTH_COGNITO_DOMAIN,
+      region: env.AUTH_COGNITO_REGION,
+      userPoolId: env.AUTH_COGNITO_USERPOOL_ID,
+    };
+  },
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_COGNITO_ID &&
+      authEnv.AUTH_COGNITO_SECRET &&
+      authEnv.AUTH_COGNITO_DOMAIN &&
+      authEnv.AUTH_COGNITO_REGION &&
+      authEnv.AUTH_COGNITO_USERPOOL_ID
+    )
+      ? {
+          AUTH_COGNITO_DOMAIN: authEnv.AUTH_COGNITO_DOMAIN,
+          AUTH_COGNITO_ID: authEnv.AUTH_COGNITO_ID,
+          AUTH_COGNITO_REGION: authEnv.AUTH_COGNITO_REGION,
+          AUTH_COGNITO_SECRET: authEnv.AUTH_COGNITO_SECRET,
+          AUTH_COGNITO_USERPOOL_ID: authEnv.AUTH_COGNITO_USERPOOL_ID,
+        }
+      : false;
+  },
+  id: 'cognito',
+  type: 'builtin',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/feishu.ts

@@ -0,0 +1,181 @@
+import { authEnv } from '@/envs/auth';
+
+import type { GenericProviderDefinition } from '../types';
+
+const FEISHU_AUTHORIZATION_URL = 'https://accounts.feishu.cn/open-apis/authen/v1/authorize';
+const FEISHU_TOKEN_URL = 'https://open.feishu.cn/open-apis/authen/v2/oauth/token';
+const FEISHU_USERINFO_URL = 'https://open.feishu.cn/open-apis/authen/v1/user_info';
+
+type FeishuUserProfile = {
+  avatar_big?: string;
+  avatar_middle?: string;
+  avatar_thumb?: string;
+  avatar_url?: string;
+  email?: string;
+  en_name?: string;
+  enterprise_email?: string;
+  name?: string;
+  open_id?: string;
+  tenant_key?: string;
+  union_id?: string;
+};
+
+type FeishuUserInfoResponse = {
+  code?: number;
+  data?: FeishuUserProfile;
+  msg?: string;
+};
+
+type FeishuTokenPayload = {
+  access_token?: string;
+  expires_in?: number;
+  refresh_token?: string;
+  scope?: string;
+  tokenType?: string;
+  token_type?: string;
+};
+
+type FeishuTokenResponse = {
+  code?: number;
+  data?: FeishuTokenPayload;
+  message?: string;
+  msg?: string;
+} & FeishuTokenPayload;
+
+const isFeishuProfile = (value: unknown): value is FeishuUserProfile => {
+  if (!value || typeof value !== 'object') return false;
+  const candidate = value as Record<string, unknown>;
+  return (
+    typeof candidate.union_id === 'string' ||
+    typeof candidate.open_id === 'string' ||
+    typeof candidate.avatar_url === 'string' ||
+    typeof candidate.name === 'string'
+  );
+};
+
+const parseScopes = (scope: string | undefined) =>
+  scope ? scope.split(/[\s,]+/).filter(Boolean) : [];
+
+const provider: GenericProviderDefinition<{
+  AUTH_FEISHU_APP_ID: string;
+  AUTH_FEISHU_APP_SECRET: string;
+}> = {
+  build: (env) => {
+    const clientId = env.AUTH_FEISHU_APP_ID;
+    const clientSecret = env.AUTH_FEISHU_APP_SECRET;
+
+    return {
+      authorizationUrl: FEISHU_AUTHORIZATION_URL,
+      authorizationUrlParams: {
+        app_id: clientId,
+        response_type: 'code',
+        scope: '',
+      },
+      clientId,
+      clientSecret,
+      /**
+       * Exchange code directly with Feishu (no proxy needed).
+       */
+      getToken: async ({ code, redirectURI }) => {
+        const tokenResponse = await fetch(FEISHU_TOKEN_URL, {
+          body: JSON.stringify({
+            app_id: clientId,
+            app_secret: clientSecret,
+            code,
+            grant_type: 'authorization_code',
+            redirect_uri: redirectURI,
+          }),
+          cache: 'no-store',
+          headers: {
+            'content-type': 'application/json; charset=utf-8',
+          },
+          method: 'POST',
+        });
+
+        const parsed = (await tokenResponse.json()) as FeishuTokenResponse;
+        const payload = parsed.data ?? parsed;
+
+        const hasErrorCode = typeof parsed.code === 'number' && parsed.code !== 0;
+        const tokenMissing = !payload.access_token;
+
+        if (!tokenResponse.ok || hasErrorCode || tokenMissing) {
+          throw new Error(parsed.msg ?? parsed.message ?? 'Failed to fetch Feishu OAuth token');
+        }
+
+        return {
+          accessToken: payload.access_token,
+          accessTokenExpiresAt: payload.expires_in
+            ? new Date(Date.now() + payload.expires_in * 1000)
+            : undefined,
+          expiresIn: payload.expires_in,
+          raw: parsed,
+          refreshToken: payload.refresh_token,
+          scopes: parseScopes(payload.scope),
+          tokenType: payload.token_type ?? payload.tokenType ?? 'Bearer',
+        };
+      },
+      getUserInfo: async (tokens) => {
+        if (!tokens.accessToken) return null;
+
+        const response = await fetch(FEISHU_USERINFO_URL, {
+          cache: 'no-store',
+          headers: {
+            Authorization: `Bearer ${tokens.accessToken}`,
+          },
+        });
+
+        if (!response.ok) {
+          return null;
+        }
+
+        const payload = (await response.json()) as unknown;
+        const profileResponse = payload as FeishuUserInfoResponse;
+
+        if (profileResponse.code && profileResponse.code !== 0) {
+          return null;
+        }
+
+        const profile: FeishuUserProfile | undefined =
+          profileResponse.data ?? (isFeishuProfile(payload) ? payload : undefined);
+
+        if (!profile) return null;
+
+        const unionId = profile.union_id ?? profile.open_id;
+        if (!unionId) return null;
+
+        const syntheticEmail =
+          profile.email ?? profile.enterprise_email ?? `${unionId}@feishu.lobehub`;
+
+        return {
+          email: syntheticEmail,
+          emailVerified: false,
+          id: unionId,
+          image:
+            profile.avatar_url ??
+            profile.avatar_thumb ??
+            profile.avatar_middle ??
+            profile.avatar_big,
+          name: profile.name ?? profile.en_name ?? unionId,
+          ...profile,
+        };
+      },
+      pkce: false,
+      providerId: 'feishu',
+      responseMode: 'query',
+      scopes: [],
+    };
+  },
+
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_FEISHU_APP_ID && authEnv.AUTH_FEISHU_APP_SECRET)
+      ? {
+          AUTH_FEISHU_APP_ID: authEnv.AUTH_FEISHU_APP_ID,
+          AUTH_FEISHU_APP_SECRET: authEnv.AUTH_FEISHU_APP_SECRET,
+        }
+      : false;
+  },
+  id: 'feishu',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/generic-oidc.ts

@@ -0,0 +1,44 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_GENERIC_OIDC_ID: string;
+  AUTH_GENERIC_OIDC_ISSUER: string;
+  AUTH_GENERIC_OIDC_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_GENERIC_OIDC_ID,
+      clientSecret: env.AUTH_GENERIC_OIDC_SECRET,
+      issuer: env.AUTH_GENERIC_OIDC_ISSUER,
+      overrides: {
+        /**
+         * Mirror NextAuth's fallback that prefers name -> username -> email so Better Auth never
+         * fails with name_is_missing when upstream profiles only expose username/email fields.
+         */
+        mapProfileToUser: (profile) => ({
+          name: profile.name ?? profile.username ?? profile.email ?? profile.id,
+        }),
+      },
+      providerId: 'generic-oidc',
+    }),
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_GENERIC_OIDC_ID &&
+      authEnv.AUTH_GENERIC_OIDC_SECRET &&
+      authEnv.AUTH_GENERIC_OIDC_ISSUER
+    )
+      ? {
+          AUTH_GENERIC_OIDC_ID: authEnv.AUTH_GENERIC_OIDC_ID,
+          AUTH_GENERIC_OIDC_ISSUER: authEnv.AUTH_GENERIC_OIDC_ISSUER,
+          AUTH_GENERIC_OIDC_SECRET: authEnv.AUTH_GENERIC_OIDC_SECRET,
+        }
+      : false;
+  },
+  id: 'generic-oidc',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/github.ts

@@ -0,0 +1,30 @@
+import { authEnv } from '@/envs/auth';
+
+import type { BuiltinProviderDefinition } from '../types';
+
+const provider: BuiltinProviderDefinition<
+  {
+    AUTH_GITHUB_ID: string;
+    AUTH_GITHUB_SECRET: string;
+  },
+  'github'
+> = {
+  build: (env) => {
+    return {
+      clientId: env.AUTH_GITHUB_ID,
+      clientSecret: env.AUTH_GITHUB_SECRET,
+    };
+  },
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_GITHUB_ID && authEnv.AUTH_GITHUB_SECRET)
+      ? {
+          AUTH_GITHUB_ID: authEnv.AUTH_GITHUB_ID,
+          AUTH_GITHUB_SECRET: authEnv.AUTH_GITHUB_SECRET,
+        }
+      : false;
+  },
+  id: 'github',
+  type: 'builtin',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/google.ts

@@ -0,0 +1,30 @@
+import { authEnv } from '@/envs/auth';
+
+import type { BuiltinProviderDefinition } from '../types';
+
+const provider: BuiltinProviderDefinition<
+  {
+    AUTH_GOOGLE_ID: string;
+    AUTH_GOOGLE_SECRET: string;
+  },
+  'google'
+> = {
+  build: (env) => {
+    return {
+      clientId: env.AUTH_GOOGLE_ID,
+      clientSecret: env.AUTH_GOOGLE_SECRET,
+    };
+  },
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_GOOGLE_ID && authEnv.AUTH_GOOGLE_SECRET)
+      ? {
+          AUTH_GOOGLE_ID: authEnv.AUTH_GOOGLE_ID,
+          AUTH_GOOGLE_SECRET: authEnv.AUTH_GOOGLE_SECRET,
+        }
+      : false;
+  },
+  id: 'google',
+  type: 'builtin',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/keycloak.ts

@@ -0,0 +1,35 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_KEYCLOAK_ID: string;
+  AUTH_KEYCLOAK_ISSUER: string;
+  AUTH_KEYCLOAK_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_KEYCLOAK_ID,
+      clientSecret: env.AUTH_KEYCLOAK_SECRET,
+      issuer: env.AUTH_KEYCLOAK_ISSUER,
+      providerId: 'keycloak',
+    }),
+  checkEnvs: () => {
+    return !!(
+      authEnv.AUTH_KEYCLOAK_ID &&
+      authEnv.AUTH_KEYCLOAK_SECRET &&
+      authEnv.AUTH_KEYCLOAK_ISSUER
+    )
+      ? {
+          AUTH_KEYCLOAK_ID: authEnv.AUTH_KEYCLOAK_ID,
+          AUTH_KEYCLOAK_ISSUER: authEnv.AUTH_KEYCLOAK_ISSUER,
+          AUTH_KEYCLOAK_SECRET: authEnv.AUTH_KEYCLOAK_SECRET,
+        }
+      : false;
+  },
+  id: 'keycloak',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/logto.ts

@@ -0,0 +1,38 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_LOGTO_ID: string;
+  AUTH_LOGTO_ISSUER: string;
+  AUTH_LOGTO_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_LOGTO_ID,
+      clientSecret: env.AUTH_LOGTO_SECRET,
+      issuer: env.AUTH_LOGTO_ISSUER,
+      overrides: {
+        mapProfileToUser: (profile) => ({
+          email: profile.email,
+          name: profile.name ?? profile.username ?? profile.email ?? profile.sub,
+        }),
+      },
+      providerId: 'logto',
+      scopes: ['openid', 'profile', 'email', 'offline_access'],
+    }),
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_LOGTO_ID && authEnv.AUTH_LOGTO_SECRET && authEnv.AUTH_LOGTO_ISSUER)
+      ? {
+          AUTH_LOGTO_ID: authEnv.AUTH_LOGTO_ID,
+          AUTH_LOGTO_ISSUER: authEnv.AUTH_LOGTO_ISSUER,
+          AUTH_LOGTO_SECRET: authEnv.AUTH_LOGTO_SECRET,
+        }
+      : false;
+  },
+  id: 'logto',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/microsoft.ts

@@ -0,0 +1,65 @@
+import { authEnv } from '@/envs/auth';
+
+import { pickEnv } from '../helpers';
+import type { BuiltinProviderDefinition } from '../types';
+
+type MicrosoftEnv = {
+  AUTH_AZURE_AD_ID?: string;
+  AUTH_AZURE_AD_SECRET?: string;
+  AUTH_MICROSOFT_ENTRA_ID_ID?: string;
+  AUTH_MICROSOFT_ENTRA_ID_SECRET?: string;
+  AUTH_MICROSOFT_ID?: string;
+  AUTH_MICROSOFT_SECRET?: string;
+  AZURE_AD_CLIENT_ID?: string;
+  AZURE_AD_CLIENT_SECRET?: string;
+};
+
+const getClientId = (env: MicrosoftEnv) => {
+  return pickEnv(
+    env.AUTH_MICROSOFT_ID,
+    env.AUTH_MICROSOFT_ENTRA_ID_ID,
+    env.AUTH_AZURE_AD_ID,
+    env.AZURE_AD_CLIENT_ID,
+  );
+};
+
+const getClientSecret = (env: MicrosoftEnv) => {
+  return pickEnv(
+    env.AUTH_MICROSOFT_SECRET,
+    env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+    env.AUTH_AZURE_AD_SECRET,
+    env.AZURE_AD_CLIENT_SECRET,
+  );
+};
+
+const provider: BuiltinProviderDefinition<MicrosoftEnv, 'microsoft'> = {
+  aliases: ['microsoft-entra-id'],
+  build: (env) => {
+    const clientId = getClientId(env)!;
+    const clientSecret = getClientSecret(env)!;
+    return {
+      clientId,
+      clientSecret,
+    };
+  },
+  checkEnvs: () => {
+    const clientId = getClientId(authEnv);
+    const clientSecret = getClientSecret(authEnv);
+    return !!(clientId && clientSecret)
+      ? {
+          AUTH_AZURE_AD_ID: authEnv.AUTH_AZURE_AD_ID,
+          AUTH_AZURE_AD_SECRET: authEnv.AUTH_AZURE_AD_SECRET,
+          AUTH_MICROSOFT_ENTRA_ID_ID: authEnv.AUTH_MICROSOFT_ENTRA_ID_ID,
+          AUTH_MICROSOFT_ENTRA_ID_SECRET: authEnv.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+          AUTH_MICROSOFT_ID: authEnv.AUTH_MICROSOFT_ID,
+          AUTH_MICROSOFT_SECRET: authEnv.AUTH_MICROSOFT_SECRET,
+          AZURE_AD_CLIENT_ID: authEnv.AZURE_AD_CLIENT_ID,
+          AZURE_AD_CLIENT_SECRET: authEnv.AZURE_AD_CLIENT_SECRET,
+        }
+      : false;
+  },
+  id: 'microsoft',
+  type: 'builtin',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/okta.ts

@@ -0,0 +1,37 @@
+import { authEnv } from '@/envs/auth';
+
+import { buildOidcConfig } from '../helpers';
+import type { GenericProviderDefinition } from '../types';
+
+const provider: GenericProviderDefinition<{
+  AUTH_OKTA_ID: string;
+  AUTH_OKTA_ISSUER: string;
+  AUTH_OKTA_SECRET: string;
+}> = {
+  build: (env) =>
+    buildOidcConfig({
+      clientId: env.AUTH_OKTA_ID,
+      clientSecret: env.AUTH_OKTA_SECRET,
+      issuer: env.AUTH_OKTA_ISSUER,
+      overrides: {
+        mapProfileToUser: (profile) => ({
+          email: profile.email,
+          name: profile.name ?? profile.preferred_username ?? profile.email ?? profile.sub,
+        }),
+      },
+      providerId: 'okta',
+    }),
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_OKTA_ID && authEnv.AUTH_OKTA_SECRET && authEnv.AUTH_OKTA_ISSUER)
+      ? {
+          AUTH_OKTA_ID: authEnv.AUTH_OKTA_ID,
+          AUTH_OKTA_ISSUER: authEnv.AUTH_OKTA_ISSUER,
+          AUTH_OKTA_SECRET: authEnv.AUTH_OKTA_SECRET,
+        }
+      : false;
+  },
+  id: 'okta',
+  type: 'generic',
+};
+
+export default provider;

package/src/libs/better-auth/sso/providers/wechat.ts

@@ -0,0 +1,140 @@
+import { authEnv } from '@/envs/auth';
+
+import type { GenericProviderDefinition } from '../types';
+
+const WECHAT_AUTHORIZATION_URL = 'https://open.weixin.qq.com/connect/qrconnect';
+const WECHAT_TOKEN_URL = 'https://api.weixin.qq.com/sns/oauth2/access_token';
+const WECHAT_USERINFO_URL = 'https://api.weixin.qq.com/sns/userinfo';
+
+type WeChatTokenResponse = {
+  access_token?: string;
+  errcode?: number;
+  errmsg?: string;
+  expires_in?: number;
+  openid?: string;
+  refresh_token?: string;
+  scope?: string;
+  token_type?: string;
+  unionid?: string;
+};
+
+const parseWechatScopes = (scope: string | undefined) =>
+  scope ? scope.split(' ').filter(Boolean) : [];
+
+const provider: GenericProviderDefinition<{
+  AUTH_WECHAT_ID: string;
+  AUTH_WECHAT_SECRET: string;
+}> = {
+  build: (env) => {
+    const clientId = env.AUTH_WECHAT_ID;
+    const clientSecret = env.AUTH_WECHAT_SECRET;
+
+    return {
+      authorizationUrl: WECHAT_AUTHORIZATION_URL,
+      authorizationUrlParams: {
+        appid: clientId,
+        response_type: 'code',
+        scope: 'snsapi_login',
+      },
+      clientId,
+      clientSecret,
+      /**
+       * WeChat uses a non-standard token endpoint (GET with appid/secret/code)
+       * and returns openid/unionid alongside tokens, so we exchange the code
+       * manually instead of proxying through a custom API route.
+       */
+      getToken: async ({ code }) => {
+        const tokenUrl = new URL(WECHAT_TOKEN_URL);
+        tokenUrl.searchParams.set('appid', clientId);
+        tokenUrl.searchParams.set('secret', clientSecret);
+        tokenUrl.searchParams.set('code', code);
+        tokenUrl.searchParams.set('grant_type', 'authorization_code');
+
+        const response = await fetch(tokenUrl, { cache: 'no-store' });
+        const data = (await response.json()) as WeChatTokenResponse;
+
+        if (!response.ok || data.errcode) {
+          throw new Error(data.errmsg ?? 'Failed to fetch WeChat OAuth token');
+        }
+
+        if (!data.access_token || !data.openid) {
+          throw new Error('WeChat token response is missing required fields');
+        }
+
+        return {
+          accessToken: data.access_token,
+          accessTokenExpiresAt: data.expires_in
+            ? new Date(Date.now() + data.expires_in * 1000)
+            : undefined,
+          expiresIn: data.expires_in,
+          raw: data,
+          refreshToken: data.refresh_token,
+          refreshTokenExpiresAt: undefined,
+          scopes: parseWechatScopes(data.scope),
+          tokenType: data.token_type ?? 'Bearer',
+        };
+      },
+      /**
+       * Use openid/unionid returned in the token response; no custom scope encoding needed.
+       */
+      getUserInfo: async (tokens) => {
+        const accessToken = tokens.accessToken;
+        const openId = (tokens as { raw?: WeChatTokenResponse }).raw?.openid;
+        const unionId = (tokens as { raw?: WeChatTokenResponse }).raw?.unionid;
+
+        if (!accessToken || !openId) {
+          return null;
+        }
+
+        const url = new URL(WECHAT_USERINFO_URL);
+        url.searchParams.set('access_token', accessToken);
+        url.searchParams.set('openid', openId);
+        url.searchParams.set('lang', 'zh_CN');
+
+        const response = await fetch(url, { cache: 'no-store' });
+        if (!response.ok) {
+          return null;
+        }
+
+        const profile = (await response.json()) as {
+          headimgurl?: string;
+          nickname?: string;
+          unionid?: string;
+        };
+
+        const finalUnionId = unionId ?? profile.unionid ?? openId;
+        const syntheticEmail = `${finalUnionId}@wechat.lobehub`;
+
+        return {
+          email: syntheticEmail,
+          emailVerified: false,
+          id: finalUnionId,
+          image: profile.headimgurl,
+          name: profile.nickname ?? finalUnionId,
+          ...profile,
+        };
+      },
+
+      pkce: false,
+
+      providerId: 'wechat',
+
+      responseMode: 'query',
+
+      scopes: ['snsapi_login'],
+    };
+  },
+
+  checkEnvs: () => {
+    return !!(authEnv.AUTH_WECHAT_ID && authEnv.AUTH_WECHAT_SECRET)
+      ? {
+          AUTH_WECHAT_ID: authEnv.AUTH_WECHAT_ID,
+          AUTH_WECHAT_SECRET: authEnv.AUTH_WECHAT_SECRET,
+        }
+      : false;
+  },
+  id: 'wechat',
+  type: 'generic',
+};
+
+export default provider;