@rio.js/enterprise 1.4.0

package/dist/social-providers-DNfE9Ak7-Be5zMAEe.mjs

@@ -0,0 +1,2920 @@
+import { f as logger, g as BetterAuthError } from "./env-DwlNAN_D-C1zHd0cf-Cdlw8sNp.mjs";
+import { A as JWKSTimeout, C as JOSENotSupported, D as JWKSInvalid, F as decode, H as base64, O as JWKSMultipleMatchingKeys, P as JWTInvalid, R as decoder, S as JOSEError, U as base64Url, d as importJWK, k as JWKSNoMatchingKey, p as isObject, t as jwtVerify } from "./verify-CN5Qc0e-.mjs";
+import { t as betterFetch } from "./dist-CygcgJYk.mjs";
+import { APIError } from "better-call";
+import * as z$2 from "zod";
+
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwks/local.js
+function getKtyFromAlg(alg) {
+	switch (typeof alg === "string" && alg.slice(0, 2)) {
+		case "RS":
+		case "PS": return "RSA";
+		case "ES": return "EC";
+		case "Ed": return "OKP";
+		case "ML": return "AKP";
+		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
+	}
+}
+function isJWKSLike(jwks) {
+	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key) {
+	return isObject(key);
+}
+var LocalJWKSet = class {
+	#jwks;
+	#cached = /* @__PURE__ */ new WeakMap();
+	constructor(jwks) {
+		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
+		this.#jwks = structuredClone(jwks);
+	}
+	jwks() {
+		return this.#jwks;
+	}
+	async getKey(protectedHeader, token) {
+		const { alg, kid } = {
+			...protectedHeader,
+			...token?.header
+		};
+		const kty = getKtyFromAlg(alg);
+		const candidates = this.#jwks.keys.filter((jwk$1) => {
+			let candidate = kty === jwk$1.kty;
+			if (candidate && typeof kid === "string") candidate = kid === jwk$1.kid;
+			if (candidate && (typeof jwk$1.alg === "string" || kty === "AKP")) candidate = alg === jwk$1.alg;
+			if (candidate && typeof jwk$1.use === "string") candidate = jwk$1.use === "sig";
+			if (candidate && Array.isArray(jwk$1.key_ops)) candidate = jwk$1.key_ops.includes("verify");
+			if (candidate) switch (alg) {
+				case "ES256":
+					candidate = jwk$1.crv === "P-256";
+					break;
+				case "ES384":
+					candidate = jwk$1.crv === "P-384";
+					break;
+				case "ES512":
+					candidate = jwk$1.crv === "P-521";
+					break;
+				case "Ed25519":
+				case "EdDSA":
+					candidate = jwk$1.crv === "Ed25519";
+					break;
+			}
+			return candidate;
+		});
+		const { 0: jwk, length } = candidates;
+		if (length === 0) throw new JWKSNoMatchingKey();
+		if (length !== 1) {
+			const error = new JWKSMultipleMatchingKeys();
+			const _cached = this.#cached;
+			error[Symbol.asyncIterator] = async function* () {
+				for (const jwk$1 of candidates) try {
+					yield await importWithAlgCache(_cached, jwk$1, alg);
+				} catch {}
+			};
+			throw error;
+		}
+		return importWithAlgCache(this.#cached, jwk, alg);
+	}
+};
+async function importWithAlgCache(cache, jwk, alg) {
+	const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+	if (cached[alg] === void 0) {
+		const key = await importJWK({
+			...jwk,
+			ext: true
+		}, alg);
+		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+		cached[alg] = key;
+	}
+	return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+	const set = new LocalJWKSet(jwks);
+	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(localJWKSet, { jwks: {
+		value: () => structuredClone(set.jwks()),
+		enumerable: false,
+		configurable: false,
+		writable: false
+	} });
+	return localJWKSet;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/jwks/remote.js
+function isCloudflareWorkers() {
+	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+let USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v6.1.2`;
+const customFetch = Symbol();
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+	const response = await fetchImpl(url, {
+		method: "GET",
+		signal,
+		redirect: "manual",
+		headers
+	}).catch((err) => {
+		if (err.name === "TimeoutError") throw new JWKSTimeout();
+		throw err;
+	});
+	if (response.status !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+	try {
+		return await response.json();
+	} catch {
+		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+	}
+}
+const jwksCache = Symbol();
+function isFreshJwksCache(input, cacheMaxAge) {
+	if (typeof input !== "object" || input === null) return false;
+	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
+	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
+	return true;
+}
+var RemoteJWKSet = class {
+	#url;
+	#timeoutDuration;
+	#cooldownDuration;
+	#cacheMaxAge;
+	#jwksTimestamp;
+	#pendingFetch;
+	#headers;
+	#customFetch;
+	#local;
+	#cache;
+	constructor(url, options) {
+		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
+		this.#url = new URL(url.href);
+		this.#timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
+		this.#cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
+		this.#cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+		this.#headers = new Headers(options?.headers);
+		if (USER_AGENT && !this.#headers.has("User-Agent")) this.#headers.set("User-Agent", USER_AGENT);
+		if (!this.#headers.has("accept")) {
+			this.#headers.set("accept", "application/json");
+			this.#headers.append("accept", "application/jwk-set+json");
+		}
+		this.#customFetch = options?.[customFetch];
+		if (options?.[jwksCache] !== void 0) {
+			this.#cache = options?.[jwksCache];
+			if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
+				this.#jwksTimestamp = this.#cache.uat;
+				this.#local = createLocalJWKSet(this.#cache.jwks);
+			}
+		}
+	}
+	pendingFetch() {
+		return !!this.#pendingFetch;
+	}
+	coolingDown() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration : false;
+	}
+	fresh() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;
+	}
+	jwks() {
+		return this.#local?.jwks();
+	}
+	async getKey(protectedHeader, token) {
+		if (!this.#local || !this.fresh()) await this.reload();
+		try {
+			return await this.#local(protectedHeader, token);
+		} catch (err) {
+			if (err instanceof JWKSNoMatchingKey) {
+				if (this.coolingDown() === false) {
+					await this.reload();
+					return this.#local(protectedHeader, token);
+				}
+			}
+			throw err;
+		}
+	}
+	async reload() {
+		if (this.#pendingFetch && isCloudflareWorkers()) this.#pendingFetch = void 0;
+		this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch).then((json) => {
+			this.#local = createLocalJWKSet(json);
+			if (this.#cache) {
+				this.#cache.uat = Date.now();
+				this.#cache.jwks = json;
+			}
+			this.#jwksTimestamp = Date.now();
+			this.#pendingFetch = void 0;
+		}).catch((err) => {
+			this.#pendingFetch = void 0;
+			throw err;
+		});
+		await this.#pendingFetch;
+	}
+};
+function createRemoteJWKSet(url, options) {
+	const set = new RemoteJWKSet(url, options);
+	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(remoteJWKSet, {
+		coolingDown: {
+			get: () => set.coolingDown(),
+			enumerable: true,
+			configurable: false
+		},
+		fresh: {
+			get: () => set.fresh(),
+			enumerable: true,
+			configurable: false
+		},
+		reload: {
+			value: () => set.reload(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		},
+		reloading: {
+			get: () => set.pendingFetch(),
+			enumerable: true,
+			configurable: false
+		},
+		jwks: {
+			value: () => set.jwks(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		}
+	});
+	return remoteJWKSet;
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/util/decode_protected_header.js
+function decodeProtectedHeader(token) {
+	let protectedB64u;
+	if (typeof token === "string") {
+		const parts = token.split(".");
+		if (parts.length === 3 || parts.length === 5) [protectedB64u] = parts;
+	} else if (typeof token === "object" && token) if ("protected" in token) protectedB64u = token.protected;
+	else throw new TypeError("Token does not contain a Protected Header");
+	try {
+		if (typeof protectedB64u !== "string" || !protectedB64u) throw new Error();
+		const result = JSON.parse(decoder.decode(decode(protectedB64u)));
+		if (!isObject(result)) throw new Error();
+		return result;
+	} catch {
+		throw new TypeError("Invalid Token or Protected Header formatting");
+	}
+}
+
+//#endregion
+//#region ../../node_modules/.pnpm/jose@6.1.2/node_modules/jose/dist/webapi/util/decode_jwt.js
+function decodeJwt(jwt) {
+	if (typeof jwt !== "string") throw new JWTInvalid("JWTs must use Compact JWS serialization, JWT must be a string");
+	const { 1: payload, length } = jwt.split(".");
+	if (length === 5) throw new JWTInvalid("Only JWTs using Compact JWS serialization can be decoded");
+	if (length !== 3) throw new JWTInvalid("Invalid JWT");
+	if (!payload) throw new JWTInvalid("JWTs must contain a payload");
+	let decoded;
+	try {
+		decoded = decode(payload);
+	} catch {
+		throw new JWTInvalid("Failed to base64url decode the payload");
+	}
+	let result;
+	try {
+		result = JSON.parse(decoder.decode(decoded));
+	} catch {
+		throw new JWTInvalid("Failed to parse the decoded payload as JSON");
+	}
+	if (!isObject(result)) throw new JWTInvalid("Invalid JWT Claims Set");
+	return result;
+}
+
+//#endregion
+//#region ../better-auth/dist/social-providers-DNfE9Ak7.mjs
+function createClientCredentialsTokenRequest({ options, scope, authentication, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "client_credentials");
+	scope && body.set("scope", scope);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		headers["authorization"] = `Basic ${base64Url.encode(`${primaryClientId}:${options.clientSecret}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		body.set("client_secret", options.clientSecret);
+	}
+	return {
+		body,
+		headers
+	};
+}
+async function clientCredentialsToken({ options, tokenEndpoint, scope, authentication, resource }) {
+	const { body, headers } = createClientCredentialsTokenRequest({
+		options,
+		scope,
+		authentication,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" ")
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+function getOAuth2Tokens(data) {
+	const getDate = (seconds) => {
+		const now = /* @__PURE__ */ new Date();
+		return new Date(now.getTime() + seconds * 1e3);
+	};
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
+		refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
+		scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+		idToken: data.id_token,
+		raw: data
+	};
+}
+async function generateCodeChallenge(codeVerifier) {
+	const data = new TextEncoder().encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+}
+async function createAuthorizationURL({ id, options, authorizationEndpoint, state, codeVerifier, scopes, claims, redirectURI, duration, prompt, accessType, responseType, display, loginHint, hd, responseMode, additionalParams, scopeJoiner }) {
+	const url = new URL(authorizationEndpoint);
+	url.searchParams.set("response_type", responseType || "code");
+	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+	url.searchParams.set("client_id", primaryClientId);
+	url.searchParams.set("state", state);
+	url.searchParams.set("scope", scopes.join(scopeJoiner || " "));
+	url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+	duration && url.searchParams.set("duration", duration);
+	display && url.searchParams.set("display", display);
+	loginHint && url.searchParams.set("login_hint", loginHint);
+	prompt && url.searchParams.set("prompt", prompt);
+	hd && url.searchParams.set("hd", hd);
+	accessType && url.searchParams.set("access_type", accessType);
+	responseMode && url.searchParams.set("response_mode", responseMode);
+	if (codeVerifier) {
+		const codeChallenge = await generateCodeChallenge(codeVerifier);
+		url.searchParams.set("code_challenge_method", "S256");
+		url.searchParams.set("code_challenge", codeChallenge);
+	}
+	if (claims) {
+		const claimsObj = claims.reduce((acc, claim) => {
+			acc[claim] = null;
+			return acc;
+		}, {});
+		url.searchParams.set("claims", JSON.stringify({ id_token: {
+			email: null,
+			email_verified: null,
+			...claimsObj
+		} }));
+	}
+	if (additionalParams) Object.entries(additionalParams).forEach(([key, value]) => {
+		url.searchParams.set(key, value);
+	});
+	return url;
+}
+function createRefreshAccessTokenRequest({ refreshToken, options, authentication, extraParams, resource }) {
+	const body = new URLSearchParams();
+	const headers = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json"
+	};
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		if (primaryClientId) headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		else headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
+	return {
+		body,
+		headers
+	};
+}
+async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, extraParams }) {
+	const { body, headers } = createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers
+	});
+	if (error) throw error;
+	const tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token
+	};
+	if (data.expires_in) {
+		const now = /* @__PURE__ */ new Date();
+		tokens.accessTokenExpiresAt = new Date(now.getTime() + data.expires_in * 1e3);
+	}
+	return tokens;
+}
+function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const body = new URLSearchParams();
+	const requestHeaders = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
+	return {
+		body,
+		headers: requestHeaders
+	};
+}
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers: requestHeaders
+	});
+	if (error) throw error;
+	return getOAuth2Tokens(data);
+}
+async function validateToken(token, jwksEndpoint) {
+	const { data, error } = await betterFetch(jwksEndpoint, {
+		method: "GET",
+		headers: { accept: "application/json" }
+	});
+	if (error) throw error;
+	const keys = data["keys"];
+	const header = JSON.parse(atob(token.split(".")[0]));
+	const key = keys.find((key$1) => key$1.kid === header.kid);
+	if (!key) throw new Error("Key not found");
+	return await jwtVerify(token, key);
+}
+const apple = (options) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			return await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token"
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+			if (!kid || !jwtAlg) return false;
+			const { payload: jwtClaims } = await jwtVerify(token, await getApplePublicKey(kid), {
+				algorithms: [jwtAlg],
+				issuer: "https://appleid.apple.com",
+				audience: options.audience && options.audience.length ? options.audience : options.appBundleIdentifier ? options.appBundleIdentifier : options.clientId,
+				maxTokenAge: "1h"
+			});
+			["email_verified", "is_private_email"].forEach((field) => {
+				if (jwtClaims[field] !== void 0) jwtClaims[field] = Boolean(jwtClaims[field]);
+			});
+			if (nonce && jwtClaims.nonce !== nonce) return false;
+			return !!jwtClaims;
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://appleid.apple.com/auth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const profile = decodeJwt(token.idToken);
+			if (!profile) return null;
+			const name = token.user ? `${token.user.name?.firstName} ${token.user.name?.lastName}` : profile.name || profile.email;
+			const emailVerified = typeof profile.email_verified === "boolean" ? profile.email_verified : profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified,
+					email: profile.email,
+					...userMap
+				},
+				data: enrichedProfile
+			};
+		},
+		options
+	};
+};
+const getApplePublicKey = async (kid) => {
+	const { data } = await betterFetch(`https://appleid.apple.com/auth/keys`);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+const atlassian = (options) => {
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Atlassian");
+			const _scopes = options.disableDefaultScope ? [] : ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: { audience: "api.atlassian.com" },
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://auth.atlassian.com/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) return null;
+			try {
+				const { data: profile } = await betterFetch("https://api.atlassian.com/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!profile) return null;
+				const userMap = await options.mapProfileToUser?.(profile);
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap
+					},
+					data: profile
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+const cognito = (options) => {
+	if (!options.domain || !options.region || !options.userPoolId) {
+		logger.error("Domain, region and userPoolId are required for Amazon Cognito. Make sure to provide them in the options.");
+		throw new BetterAuthError("DOMAIN_AND_REGION_REQUIRED");
+	}
+	const cleanDomain = options.domain.replace(/^https?:\/\//, "");
+	const authorizationEndpoint = `https://${cleanDomain}/oauth2/authorize`;
+	const tokenEndpoint = `https://${cleanDomain}/oauth2/token`;
+	const userInfoEndpoint = `https://${cleanDomain}/oauth2/userinfo`;
+	return {
+		id: "cognito",
+		name: "Cognito",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId) {
+				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (options.requireClientSecret && !options.clientSecret) {
+				logger.error("Client Secret is required when requireClientSecret is true. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
+			}
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "cognito",
+				options: { ...options },
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getCognitoPublicKey(kid, options.region, options.userPoolId);
+				const expectedIssuer = `https://cognito-idp.${options.region}.amazonaws.com/${options.userPoolId}`;
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: expectedIssuer,
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (token.idToken) try {
+				const profile = decodeJwt(token.idToken);
+				if (!profile) return null;
+				const name = profile.name || profile.given_name || profile.username || profile.email;
+				const enrichedProfile = {
+					...profile,
+					name
+				};
+				const userMap = await options.mapProfileToUser?.(enrichedProfile);
+				return {
+					user: {
+						id: profile.sub,
+						name: enrichedProfile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: profile.email_verified,
+						...userMap
+					},
+					data: enrichedProfile
+				};
+			} catch (error) {
+				logger.error("Failed to decode ID token:", error);
+			}
+			if (token.accessToken) try {
+				const { data: userInfo } = await betterFetch(userInfoEndpoint, { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (userInfo) {
+					const userMap = await options.mapProfileToUser?.(userInfo);
+					return {
+						user: {
+							id: userInfo.sub,
+							name: userInfo.name || userInfo.given_name || userInfo.username,
+							email: userInfo.email,
+							image: userInfo.picture,
+							emailVerified: userInfo.email_verified,
+							...userMap
+						},
+						data: userInfo
+					};
+				}
+			} catch (error) {
+				logger.error("Failed to fetch user info from Cognito:", error);
+			}
+			return null;
+		},
+		options
+	};
+};
+const getCognitoPublicKey = async (kid, region, userPoolId) => {
+	const COGNITO_JWKS_URI = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+	try {
+		const { data } = await betterFetch(COGNITO_JWKS_URI);
+		if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+		const jwk = data.keys.find((key) => key.kid === kid);
+		if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+		return await importJWK(jwk, jwk.alg);
+	} catch (error) {
+		logger.error("Failed to fetch Cognito public key:", error);
+		throw error;
+	}
+};
+const discord = (options) => {
+	return {
+		id: "discord",
+		name: "Discord",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const permissionsParam = _scopes.includes("bot") && options.permissions !== void 0 ? `&permissions=${options.permissions}` : "";
+			return new URL(`https://discord.com/api/oauth2/authorize?scope=${_scopes.join("+")}&response_type=code&client_id=${options.clientId}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}&prompt=${options.prompt || "none"}${permissionsParam}`);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://discord.com/api/oauth2/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://discord.com/api/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://discord.com/api/users/@me", { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			if (profile.avatar === null) profile.image_url = `https://cdn.discordapp.com/embed/avatars/${profile.discriminator === "0" ? Number(BigInt(profile.id) >> BigInt(22)) % 6 : parseInt(profile.discriminator) % 5}.png`;
+			else {
+				const format = profile.avatar.startsWith("a_") ? "gif" : "png";
+				profile.image_url = `https://cdn.discordapp.com/avatars/${profile.id}/${profile.avatar}.${format}`;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.global_name || profile.username || "",
+					email: profile.email,
+					emailVerified: profile.verified,
+					image: profile.image_url,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const dropbox = (options) => {
+	const tokenEndpoint = "https://api.dropboxapi.com/oauth2/token";
+	return {
+		id: "dropbox",
+		name: "Dropbox",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const additionalParams = {};
+			if (options.accessType) additionalParams.token_access_type = options.accessType;
+			return await createAuthorizationURL({
+				id: "dropbox",
+				options,
+				authorizationEndpoint: "https://www.dropbox.com/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				additionalParams
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://api.dropbox.com/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.dropboxapi.com/2/users/get_current_account", {
+				method: "POST",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.account_id,
+					name: profile.name?.display_name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.profile_photo_url,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const facebook = (options) => {
+	return {
+		id: "facebook",
+		name: "Facebook",
+		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "facebook",
+				options,
+				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				additionalParams: options.configId ? { config_id: options.configId } : {}
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://graph.facebook.com/oauth/access_token"
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			if (token.split(".").length === 3) try {
+				const { payload: jwtClaims } = await jwtVerify(token, createRemoteJWKSet(new URL("https://limited.facebook.com/.well-known/oauth/openid/jwks/")), {
+					algorithms: ["RS256"],
+					audience: options.clientId,
+					issuer: "https://www.facebook.com"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return !!jwtClaims;
+			} catch (error) {
+				return false;
+			}
+			return true;
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://graph.facebook.com/v18.0/oauth/access_token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (token.idToken && token.idToken.split(".").length === 3) {
+				const profile$1 = decodeJwt(token.idToken);
+				const user = {
+					id: profile$1.sub,
+					name: profile$1.name,
+					email: profile$1.email,
+					picture: { data: {
+						url: profile$1.picture,
+						height: 100,
+						width: 100,
+						is_silhouette: false
+					} }
+				};
+				const userMap$1 = await options.mapProfileToUser?.({
+					...user,
+					email_verified: false
+				});
+				return {
+					user: {
+						...user,
+						emailVerified: false,
+						...userMap$1
+					},
+					data: profile$1
+				};
+			}
+			const { data: profile, error } = await betterFetch("https://graph.facebook.com/me?fields=" + [
+				"id",
+				"name",
+				"email",
+				"picture",
+				...options?.fields || []
+			].join(","), { auth: {
+				type: "Bearer",
+				token: token.accessToken
+			} });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.picture.data.url,
+					emailVerified: profile.email_verified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const figma = (options) => {
+	return {
+		id: "figma",
+		name: "Figma",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret are required for Figma. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Figma");
+			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "figma",
+				options,
+				authorizationEndpoint: "https://www.figma.com/oauth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://www.figma.com/api/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://www.figma.com/api/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			try {
+				const { data: profile } = await betterFetch("https://api.figma.com/v1/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!profile) {
+					logger.error("Failed to fetch user from Figma");
+					return null;
+				}
+				const userMap = await options.mapProfileToUser?.(profile);
+				return {
+					user: {
+						id: profile.id,
+						name: profile.handle,
+						email: profile.email,
+						image: profile.img_url,
+						emailVerified: !!profile.email,
+						...userMap
+					},
+					data: profile
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+const github = (options) => {
+	const tokenEndpoint = "https://github.com/login/oauth/access_token";
+	return {
+		id: "github",
+		name: "GitHub",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "github",
+				options,
+				authorizationEndpoint: "https://github.com/login/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://github.com/login/oauth/access_token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.github.com/user", { headers: {
+				"User-Agent": "better-auth",
+				authorization: `Bearer ${token.accessToken}`
+			} });
+			if (error) return null;
+			const { data: emails } = await betterFetch("https://api.github.com/user/emails", { headers: {
+				Authorization: `Bearer ${token.accessToken}`,
+				"User-Agent": "better-auth"
+			} });
+			if (!profile.email && emails) profile.email = (emails.find((e) => e.primary) ?? emails[0])?.email;
+			const emailVerified = emails?.find((e) => e.email === profile.email)?.verified ?? false;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name || profile.login,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const cleanDoubleSlashes = (input = "") => {
+	return input.split("://").map((str) => str.replace(/\/{2,}/g, "/")).join("://");
+};
+const issuerToEndpoints = (issuer) => {
+	let baseUrl = issuer || "https://gitlab.com";
+	return {
+		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
+		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),
+		userinfoEndpoint: cleanDoubleSlashes(`${baseUrl}/api/v4/user`)
+	};
+};
+const gitlab = (options) => {
+	const { authorizationEndpoint, tokenEndpoint, userinfoEndpoint } = issuerToEndpoints(options.issuer);
+	const issuerId = "gitlab";
+	return {
+		id: issuerId,
+		name: "Gitlab",
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, loginHint, redirectURI }) => {
+			const _scopes = options.disableDefaultScope ? [] : ["read_user"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: issuerId,
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				codeVerifier,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch(userinfoEndpoint, { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error || profile.state !== "active" || profile.locked) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name ?? profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const google = (options) => {
+	return {
+		id: "google",
+		name: "Google",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Google");
+			const _scopes = options.disableDefaultScope ? [] : [
+				"email",
+				"profile",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "google",
+				options,
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				accessType: options.accessType,
+				display: display || options.display,
+				loginHint,
+				hd: options.hd,
+				additionalParams: { include_granted_scopes: "true" }
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://oauth2.googleapis.com/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token"
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const { data: tokenInfo } = await betterFetch(`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${token}`);
+			if (!tokenInfo) return false;
+			return tokenInfo.aud === options.clientId && (tokenInfo.iss === "https://accounts.google.com" || tokenInfo.iss === "accounts.google.com");
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		options
+	};
+};
+const huggingface = (options) => {
+	return {
+		id: "huggingface",
+		name: "Hugging Face",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "huggingface",
+				options,
+				authorizationEndpoint: "https://huggingface.co/oauth/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://huggingface.co/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://huggingface.co/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://huggingface.co/oauth/userinfo", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name || profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const kakao = (options) => {
+	return {
+		id: "kakao",
+		name: "Kakao",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"account_email",
+				"profile_image",
+				"profile_nickname"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "kakao",
+				options,
+				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://kauth.kakao.com/oauth/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://kauth.kakao.com/oauth/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://kapi.kakao.com/v2/user/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+			if (error || !profile) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			const account = profile.kakao_account || {};
+			const kakaoProfile = account.profile || {};
+			return {
+				user: {
+					id: String(profile.id),
+					name: kakaoProfile.nickname || account.name || void 0,
+					email: account.email,
+					image: kakaoProfile.profile_image_url || kakaoProfile.thumbnail_image_url,
+					emailVerified: !!account.is_email_valid && !!account.is_email_verified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const kick = (options) => {
+	return {
+		id: "kick",
+		name: "Kick",
+		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "kick",
+				redirectURI,
+				options,
+				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
+				scopes: _scopes,
+				codeVerifier,
+				state
+			});
+		},
+		async validateAuthorizationCode({ code, redirectURI, codeVerifier }) {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://id.kick.com/oauth/token",
+				codeVerifier
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data, error } = await betterFetch("https://api.kick.com/public/v1/users", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const profile = data.data[0];
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.user_id,
+					name: profile.name,
+					email: profile.email,
+					image: profile.profile_picture,
+					emailVerified: false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+/**
+* LINE Login v2.1
+* - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
+* - Token endpoint: https://api.line.me/oauth2/v2.1/token
+* - UserInfo endpoint: https://api.line.me/oauth2/v2.1/userinfo
+* - Verify ID token: https://api.line.me/oauth2/v2.1/verify
+*
+* Docs: https://developers.line.biz/en/reference/line-login/#issue-access-token
+*/
+const line = (options) => {
+	const authorizationEndpoint = "https://access.line.me/oauth2/v2.1/authorize";
+	const tokenEndpoint = "https://api.line.me/oauth2/v2.1/token";
+	const userInfoEndpoint = "https://api.line.me/oauth2/v2.1/userinfo";
+	const verifyIdTokenEndpoint = "https://api.line.me/oauth2/v2.1/verify";
+	return {
+		id: "line",
+		name: "LINE",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "line",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			const body = new URLSearchParams();
+			body.set("id_token", token);
+			body.set("client_id", options.clientId);
+			if (nonce) body.set("nonce", nonce);
+			const { data, error } = await betterFetch(verifyIdTokenEndpoint, {
+				method: "POST",
+				headers: { "content-type": "application/x-www-form-urlencoded" },
+				body
+			});
+			if (error || !data) return false;
+			if (data.aud !== options.clientId) return false;
+			if (nonce && data.nonce && data.nonce !== nonce) return false;
+			return true;
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			let profile = null;
+			if (token.idToken) try {
+				profile = decodeJwt(token.idToken);
+			} catch {}
+			if (!profile) {
+				const { data } = await betterFetch(userInfoEndpoint, { headers: { authorization: `Bearer ${token.accessToken}` } });
+				profile = data || null;
+			}
+			if (!profile) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			const id = profile.sub || profile.userId;
+			const name = profile.name || profile.displayName;
+			const image = profile.picture || profile.pictureUrl || void 0;
+			return {
+				user: {
+					id,
+					name,
+					email: profile.email,
+					image,
+					emailVerified: false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const linear = (options) => {
+	const tokenEndpoint = "https://api.linear.app/oauth/token";
+	return {
+		id: "linear",
+		name: "Linear",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "linear",
+				options,
+				authorizationEndpoint: "https://linear.app/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linear.app/graphql", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${token.accessToken}`
+				},
+				body: JSON.stringify({ query: `
+							query {
+								viewer {
+									id
+									name
+									email
+									avatarUrl
+									active
+									createdAt
+									updatedAt
+								}
+							}
+						` })
+			});
+			if (error || !profile?.data?.viewer) return null;
+			const userData = profile.data.viewer;
+			const userMap = await options.mapProfileToUser?.(userData);
+			return {
+				user: {
+					id: profile.data.viewer.id,
+					name: profile.data.viewer.name,
+					email: profile.data.viewer.email,
+					image: profile.data.viewer.avatarUrl,
+					emailVerified: false,
+					...userMap
+				},
+				data: userData
+			};
+		},
+		options
+	};
+};
+const linkedin = (options) => {
+	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
+	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+	return {
+		id: "linkedin",
+		name: "Linkedin",
+		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint }) => {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"profile",
+				"email",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "linkedin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				loginHint,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linkedin.com/v2/userinfo", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.picture,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const microsoft = (options) => {
+	const tenant = options.tenantId || "common";
+	const authority = options.authority || "https://login.microsoftonline.com";
+	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
+	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	return {
+		id: "microsoft",
+		name: "Microsoft EntraID",
+		createAuthorizationURL(data) {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "microsoft",
+				options,
+				authorizationEndpoint,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				scopes,
+				redirectURI: data.redirectURI,
+				prompt: options.prompt,
+				loginHint: data.loginHint
+			});
+		},
+		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const profilePhotoSize = options.profilePhotoSize || 48;
+			await betterFetch(`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`, {
+				headers: { Authorization: `Bearer ${token.accessToken}` },
+				async onResponse(context) {
+					if (options.disableProfilePhoto || !context.response.ok) return;
+					try {
+						const pictureBuffer = await context.response.clone().arrayBuffer();
+						user.picture = `data:image/jpeg;base64, ${base64.encode(pictureBuffer)}`;
+					} catch (e) {
+						logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
+					}
+				}
+			});
+			const userMap = await options.mapProfileToUser?.(user);
+			const emailVerified = user.email_verified !== void 0 ? user.email_verified : user.email && (user.verified_primary_email?.includes(user.email) || user.verified_secondary_email?.includes(user.email)) ? true : false;
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				extraParams: { scope: scopes.join(" ") },
+				tokenEndpoint
+			});
+		},
+		options
+	};
+};
+const naver = (options) => {
+	return {
+		id: "naver",
+		name: "Naver",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "naver",
+				options,
+				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://nid.naver.com/oauth2.0/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://nid.naver.com/oauth2.0/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://openapi.naver.com/v1/nid/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+			if (error || !profile || profile.resultcode !== "00") return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			const res = profile.response || {};
+			return {
+				user: {
+					id: res.id,
+					name: res.name || res.nickname,
+					email: res.email,
+					image: res.profile_image,
+					emailVerified: false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const notion = (options) => {
+	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
+	return {
+		id: "notion",
+		name: "Notion",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "notion",
+				options,
+				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				additionalParams: { owner: "user" }
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+				authentication: "basic"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.notion.com/v1/users/me", { headers: {
+				Authorization: `Bearer ${token.accessToken}`,
+				"Notion-Version": "2022-06-28"
+			} });
+			if (error || !profile) return null;
+			const userProfile = profile.bot?.owner?.user;
+			if (!userProfile) return null;
+			const userMap = await options.mapProfileToUser?.(userProfile);
+			return {
+				user: {
+					id: userProfile.id,
+					name: userProfile.name || "Notion User",
+					email: userProfile.person?.email || null,
+					image: userProfile.avatar_url,
+					emailVerified: !!userProfile.person?.email,
+					...userMap
+				},
+				data: userProfile
+			};
+		},
+		options
+	};
+};
+const paybin = (options) => {
+	const issuer = options.issuer || "https://idp.paybin.io";
+	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
+	const tokenEndpoint = `${issuer}/oauth2/token`;
+	return {
+		id: "paybin",
+		name: "Paybin",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Paybin");
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"email",
+				"profile"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "paybin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name || user.preferred_username || (user.email ? user.email.split("@")[0] : "User") || "User",
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified || false,
+					...userMap
+				},
+				data: user
+			};
+		},
+		options
+	};
+};
+const paypal = (options) => {
+	const isSandbox = (options.environment || "sandbox") === "sandbox";
+	const authorizationEndpoint = isSandbox ? "https://www.sandbox.paypal.com/signin/authorize" : "https://www.paypal.com/signin/authorize";
+	const tokenEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/oauth2/token" : "https://api-m.paypal.com/v1/oauth2/token";
+	const userInfoEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo" : "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
+	return {
+		id: "paypal",
+		name: "PayPal",
+		async createAuthorizationURL({ state, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			return await createAuthorizationURL({
+				id: "paypal",
+				options,
+				authorizationEndpoint,
+				scopes: [],
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			/**
+			* PayPal requires Basic Auth for token exchange
+			**/
+			const credentials = base64.encode(`${options.clientId}:${options.clientSecret}`);
+			try {
+				const response = await betterFetch(tokenEndpoint, {
+					method: "POST",
+					headers: {
+						Authorization: `Basic ${credentials}`,
+						Accept: "application/json",
+						"Accept-Language": "en_US",
+						"Content-Type": "application/x-www-form-urlencoded"
+					},
+					body: new URLSearchParams({
+						grant_type: "authorization_code",
+						code,
+						redirect_uri: redirectURI
+					}).toString()
+				});
+				if (!response.data) throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+				const data = response.data;
+				return {
+					accessToken: data.access_token,
+					refreshToken: data.refresh_token,
+					accessTokenExpiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * 1e3) : void 0,
+					idToken: data.id_token
+				};
+			} catch (error) {
+				logger.error("PayPal token exchange failed:", error);
+				throw new BetterAuthError("FAILED_TO_GET_ACCESS_TOKEN");
+			}
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			const credentials = base64.encode(`${options.clientId}:${options.clientSecret}`);
+			try {
+				const response = await betterFetch(tokenEndpoint, {
+					method: "POST",
+					headers: {
+						Authorization: `Basic ${credentials}`,
+						Accept: "application/json",
+						"Accept-Language": "en_US",
+						"Content-Type": "application/x-www-form-urlencoded"
+					},
+					body: new URLSearchParams({
+						grant_type: "refresh_token",
+						refresh_token: refreshToken
+					}).toString()
+				});
+				if (!response.data) throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+				const data = response.data;
+				return {
+					accessToken: data.access_token,
+					refreshToken: data.refresh_token,
+					accessTokenExpiresAt: data.expires_in ? new Date(Date.now() + data.expires_in * 1e3) : void 0
+				};
+			} catch (error) {
+				logger.error("PayPal token refresh failed:", error);
+				throw new BetterAuthError("FAILED_TO_REFRESH_ACCESS_TOKEN");
+			}
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				return !!decodeJwt(token).sub;
+			} catch (error) {
+				logger.error("Failed to verify PayPal ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) {
+				logger.error("Access token is required to fetch PayPal user info");
+				return null;
+			}
+			try {
+				const response = await betterFetch(`${userInfoEndpoint}?schema=paypalv1.1`, { headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+					Accept: "application/json"
+				} });
+				if (!response.data) {
+					logger.error("Failed to fetch user info from PayPal");
+					return null;
+				}
+				const userInfo = response.data;
+				const userMap = await options.mapProfileToUser?.(userInfo);
+				return {
+					user: {
+						id: userInfo.user_id,
+						name: userInfo.name,
+						email: userInfo.email,
+						image: userInfo.picture,
+						emailVerified: userInfo.email_verified,
+						...userMap
+					},
+					data: userInfo
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from PayPal:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+const polar = (options) => {
+	return {
+		id: "polar",
+		name: "Polar",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "polar",
+				options,
+				authorizationEndpoint: "https://polar.sh/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://api.polar.sh/v1/oauth2/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://api.polar.sh/v1/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.polar.sh/v1/oauth2/userinfo", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.public_name || profile.username,
+					email: profile.email,
+					image: profile.avatar_url,
+					emailVerified: profile.email_verified ?? false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const reddit = (options) => {
+	return {
+		id: "reddit",
+		name: "Reddit",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identity"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "reddit",
+				options,
+				authorizationEndpoint: "https://www.reddit.com/api/v1/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				duration: options.duration
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			const body = new URLSearchParams({
+				grant_type: "authorization_code",
+				code,
+				redirect_uri: options.redirectURI || redirectURI
+			});
+			const { data, error } = await betterFetch("https://www.reddit.com/api/v1/access_token", {
+				method: "POST",
+				headers: {
+					"content-type": "application/x-www-form-urlencoded",
+					accept: "text/plain",
+					"user-agent": "better-auth",
+					Authorization: `Basic ${base64.encode(`${options.clientId}:${options.clientSecret}`)}`
+				},
+				body: body.toString()
+			});
+			if (error) throw error;
+			return getOAuth2Tokens(data);
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				authentication: "basic",
+				tokenEndpoint: "https://www.reddit.com/api/v1/access_token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://oauth.reddit.com/api/v1/me", { headers: {
+				Authorization: `Bearer ${token.accessToken}`,
+				"User-Agent": "better-auth"
+			} });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.name,
+					email: profile.oauth_client_id,
+					emailVerified: profile.has_verified_email,
+					image: profile.icon_img?.split("?")[0],
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const roblox = (options) => {
+	return {
+		id: "roblox",
+		name: "Roblox",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["openid", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return new URL(`https://apis.roblox.com/oauth/v1/authorize?scope=${_scopes.join("+")}&response_type=code&client_id=${options.clientId}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}&prompt=${options.prompt || "select_account consent"}`);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint: "https://apis.roblox.com/oauth/v1/token",
+				authentication: "post"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://apis.roblox.com/oauth/v1/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://apis.roblox.com/oauth/v1/userinfo", { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.nickname || profile.preferred_username || "",
+					image: profile.picture,
+					email: profile.preferred_username || null,
+					emailVerified: false,
+					...userMap
+				},
+				data: { ...profile }
+			};
+		},
+		options
+	};
+};
+const salesforce = (options) => {
+	const isSandbox = (options.environment ?? "production") === "sandbox";
+	const authorizationEndpoint = options.loginUrl ? `https://${options.loginUrl}/services/oauth2/authorize` : isSandbox ? "https://test.salesforce.com/services/oauth2/authorize" : "https://login.salesforce.com/services/oauth2/authorize";
+	const tokenEndpoint = options.loginUrl ? `https://${options.loginUrl}/services/oauth2/token` : isSandbox ? "https://test.salesforce.com/services/oauth2/token" : "https://login.salesforce.com/services/oauth2/token";
+	const userInfoEndpoint = options.loginUrl ? `https://${options.loginUrl}/services/oauth2/userinfo` : isSandbox ? "https://test.salesforce.com/services/oauth2/userinfo" : "https://login.salesforce.com/services/oauth2/userinfo";
+	return {
+		id: "salesforce",
+		name: "Salesforce",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Client Secret are required for Salesforce. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Salesforce");
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"email",
+				"profile"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "salesforce",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			try {
+				const { data: user } = await betterFetch(userInfoEndpoint, { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!user) {
+					logger.error("Failed to fetch user info from Salesforce");
+					return null;
+				}
+				const userMap = await options.mapProfileToUser?.(user);
+				return {
+					user: {
+						id: user.user_id,
+						name: user.name,
+						email: user.email,
+						image: user.photos?.picture || user.photos?.thumbnail,
+						emailVerified: user.email_verified ?? false,
+						...userMap
+					},
+					data: user
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Salesforce:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+const slack = (options) => {
+	return {
+		id: "slack",
+		name: "Slack",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const url = new URL("https://slack.com/openid/connect/authorize");
+			url.searchParams.set("scope", _scopes.join(" "));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("client_id", options.clientId);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://slack.com/api/openid.connect.token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://slack.com/api/openid.connect.token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://slack.com/api/openid.connect.userInfo", { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile["https://slack.com/user_id"],
+					name: profile.name || "",
+					email: profile.email,
+					emailVerified: profile.email_verified,
+					image: profile.picture || profile["https://slack.com/user_image_512"],
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const spotify = (options) => {
+	return {
+		id: "spotify",
+		name: "Spotify",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "spotify",
+				options,
+				authorizationEndpoint: "https://accounts.spotify.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://accounts.spotify.com/api/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://accounts.spotify.com/api/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.spotify.com/v1/me", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.display_name,
+					email: profile.email,
+					image: profile.images[0]?.url,
+					emailVerified: false,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const tiktok = (options) => {
+	return {
+		id: "tiktok",
+		name: "TikTok",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return new URL(`https://www.tiktok.com/v2/auth/authorize?scope=${_scopes.join(",")}&response_type=code&client_key=${options.clientKey}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}`);
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				options: {
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: { clientSecret: options.clientSecret },
+				tokenEndpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+				authentication: "post",
+				extraParams: { client_key: options.clientKey }
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch(`https://open.tiktokapis.com/v2/user/info/?fields=${[
+				"open_id",
+				"avatar_large_url",
+				"display_name",
+				"username"
+			].join(",")}`, { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			return {
+				user: {
+					email: profile.data.user.email || profile.data.user.username,
+					id: profile.data.user.open_id,
+					name: profile.data.user.display_name || profile.data.user.username,
+					image: profile.data.user.avatar_large_url,
+					emailVerified: profile.data.user.email ? true : false
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const twitch = (options) => {
+	return {
+		id: "twitch",
+		name: "Twitch",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user:read:email", "openid"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "twitch",
+				redirectURI,
+				options,
+				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				claims: options.claims || [
+					"email",
+					"email_verified",
+					"preferred_username",
+					"picture"
+				]
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const idToken = token.idToken;
+			if (!idToken) {
+				logger.error("No idToken found in token");
+				return null;
+			}
+			const profile = decodeJwt(idToken);
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.preferred_username,
+					email: profile.email,
+					image: profile.picture,
+					emailVerified: profile.email_verified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const twitter = (options) => {
+	return {
+		id: "twitter",
+		name: "Twitter",
+		createAuthorizationURL(data) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"users.read",
+				"tweet.read",
+				"offline.access",
+				"users.email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (data.scopes) _scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "twitter",
+				options,
+				authorizationEndpoint: "https://x.com/i/oauth2/authorize",
+				scopes: _scopes,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				redirectURI: data.redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				authentication: "basic",
+				redirectURI,
+				options,
+				tokenEndpoint: "https://api.x.com/2/oauth2/token"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				authentication: "basic",
+				tokenEndpoint: "https://api.x.com/2/oauth2/token"
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error: profileError } = await betterFetch("https://api.x.com/2/users/me?user.fields=profile_image_url", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (profileError) return null;
+			const { data: emailData, error: emailError } = await betterFetch("https://api.x.com/2/users/me?user.fields=confirmed_email", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			let emailVerified = false;
+			if (!emailError && emailData?.data?.confirmed_email) {
+				profile.data.email = emailData.data.confirmed_email;
+				emailVerified = true;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.data.id,
+					name: profile.data.name,
+					email: profile.data.email || profile.data.username || null,
+					image: profile.data.profile_image_url,
+					emailVerified,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const vk = (options) => {
+	return {
+		id: "vk",
+		name: "VK",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "vk",
+				options,
+				authorizationEndpoint: "https://id.vk.com/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				codeVerifier
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI, deviceId }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI: options.redirectURI || redirectURI,
+				options,
+				deviceId,
+				tokenEndpoint: "https://id.vk.com/oauth2/auth"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint: "https://id.vk.com/oauth2/auth"
+			});
+		},
+		async getUserInfo(data) {
+			if (options.getUserInfo) return options.getUserInfo(data);
+			if (!data.accessToken) return null;
+			const formBody = new URLSearchParams({
+				access_token: data.accessToken,
+				client_id: options.clientId
+			}).toString();
+			const { data: profile, error } = await betterFetch("https://id.vk.com/oauth2/user_info", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: formBody
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			if (!profile.user.email && !userMap?.email) return null;
+			return {
+				user: {
+					id: profile.user.user_id,
+					first_name: profile.user.first_name,
+					last_name: profile.user.last_name,
+					email: profile.user.email,
+					image: profile.user.avatar,
+					emailVerified: !!profile.user.email,
+					birthday: profile.user.birthday,
+					sex: profile.user.sex,
+					name: `${profile.user.first_name} ${profile.user.last_name}`,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+const zoom = (userOptions) => {
+	const options = {
+		pkce: true,
+		...userOptions
+	};
+	return {
+		id: "zoom",
+		name: "Zoom",
+		createAuthorizationURL: async ({ state, redirectURI, codeVerifier }) => {
+			const params = new URLSearchParams({
+				response_type: "code",
+				redirect_uri: options.redirectURI ? options.redirectURI : redirectURI,
+				client_id: options.clientId,
+				state
+			});
+			if (options.pkce) {
+				const codeChallenge = await generateCodeChallenge(codeVerifier);
+				params.set("code_challenge_method", "S256");
+				params.set("code_challenge", codeChallenge);
+			}
+			const url = new URL("https://zoom.us/oauth/authorize");
+			url.search = params.toString();
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI: options.redirectURI || redirectURI,
+				codeVerifier,
+				options,
+				tokenEndpoint: "https://zoom.us/oauth/token",
+				authentication: "post"
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => refreshAccessToken({
+			refreshToken,
+			options: {
+				clientId: options.clientId,
+				clientKey: options.clientKey,
+				clientSecret: options.clientSecret
+			},
+			tokenEndpoint: "https://zoom.us/oauth/token"
+		}),
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.zoom.us/v2/users/me", { headers: { authorization: `Bearer ${token.accessToken}` } });
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.id,
+					name: profile.display_name,
+					image: profile.pic_url,
+					email: profile.email,
+					emailVerified: Boolean(profile.verified),
+					...userMap
+				},
+				data: { ...profile }
+			};
+		}
+	};
+};
+const socialProviders = {
+	apple,
+	atlassian,
+	cognito,
+	discord,
+	facebook,
+	figma,
+	github,
+	microsoft,
+	google,
+	huggingface,
+	slack,
+	spotify,
+	twitch,
+	twitter,
+	dropbox,
+	kick,
+	linear,
+	linkedin,
+	gitlab,
+	tiktok,
+	reddit,
+	roblox,
+	salesforce,
+	vk,
+	zoom,
+	notion,
+	kakao,
+	naver,
+	line,
+	paybin,
+	paypal,
+	polar
+};
+const socialProviderList = Object.keys(socialProviders);
+const SocialProviderListEnum = z$2.enum(socialProviderList).or(z$2.string());
+
+//#endregion
+export { paybin as A, spotify as B, kick as C, microsoft as D, linkedin as E, roblox as F, validateToken as G, twitch as H, salesforce as I, decodeJwt as J, vk as K, slack as L, polar as M, reddit as N, naver as O, refreshAccessToken as P, socialProviderList as R, kakao as S, linear as T, twitter as U, tiktok as V, validateAuthorizationCode as W, createRemoteJWKSet as Y, getOAuth2Tokens as _, cognito as a, google as b, createClientCredentialsTokenRequest as c, dropbox as d, facebook as f, getCognitoPublicKey as g, getApplePublicKey as h, clientCredentialsToken as i, paypal as j, notion as k, createRefreshAccessTokenRequest as l, generateCodeChallenge as m, apple as n, createAuthorizationCodeRequest as o, figma as p, zoom as q, atlassian as r, createAuthorizationURL as s, SocialProviderListEnum as t, discord as u, github as v, line as w, huggingface as x, gitlab as y, socialProviders as z };