@rudderjs/socialite 1.0.1 → 2.0.0

package/README.md

@@ -27,11 +27,10 @@ export default {
   },
 }
 
-// bootstrap/providers.ts
-import { SocialiteProvider } from '@rudderjs/socialite'
-export default [SocialiteProvider]
 ```
 
+`SocialiteProvider` is picked up by [auto-discovery](https://github.com/rudderjs/rudder/blob/main/docs/guide/service-providers.md#auto-discovery) — `pnpm rudder providers:discover` is all that's needed.
+
 ## Usage
 
 ```ts
@@ -64,6 +63,50 @@ Route.get('/auth/github/callback', async (req) => {
 })
 ```
 
+## CSRF state — stateful by default
+
+Socialite mints a CSPRNG `state` parameter on every redirect, persists it
+on the session, and validates the `state` returned in the callback before
+exchanging the code. A mismatch (or a missing session) throws
+`InvalidStateException` — same defense Laravel Socialite ships out of the
+box. No code changes needed: the routes above are already protected, as
+long as `@rudderjs/session`'s middleware is mounted (auto-installed on
+the `web` group).
+
+For flows that legitimately can't reach the session — mobile clients,
+machine-to-machine token grants, server-side OAuth where the round-trip
+happens entirely off-browser — opt out per call:
+
+```ts
+Route.get('/auth/github', () => {
+  return Socialite.driver('github').stateless().redirect()
+})
+
+Route.get('/auth/github/callback', async (req) => {
+  const user = await Socialite.driver('github').stateless().user(req)
+  // …
+})
+```
+
+`InvalidStateException` is exported for `instanceof`-checks in your
+exception handler:
+
+```ts
+import { InvalidStateException } from '@rudderjs/socialite'
+
+try {
+  await Socialite.driver('github').user(req)
+} catch (err) {
+  if (err instanceof InvalidStateException) return abort(403, 'Auth failed.')
+  throw err
+}
+```
+
+State is namespaced per provider (`socialite_state:github`,
+`socialite_state:google`, …) so concurrent OAuth flows on the same
+session don't collide. State is one-time use — successful or failed
+validation clears the slot, so a leaked value can't be replayed.
+
 ## Providers
 
 | Provider | Driver | Auth URL |
@@ -73,12 +116,46 @@ Route.get('/auth/github/callback', async (req) => {
 | Facebook | `facebook` | `facebook.com/v19.0/dialog/oauth` |
 | Apple | `apple` | `appleid.apple.com/auth/authorize` |
 
+### Sign-in-with-Apple — extra config
+
+Apple's OAuth flow requires a freshly-signed ES256 JWT as `client_secret`
+on every token exchange (a raw string is rejected with `invalid_client`).
+Add three Apple-specific fields to your config:
+
+```ts
+// config/socialite.ts
+import { readFileSync } from 'node:fs'
+import type { AppleSocialiteConfig } from '@rudderjs/socialite'
+
+export default {
+  apple: {
+    clientId:    Env.get('APPLE_CLIENT_ID', ''),     // Service ID, e.g. com.example.app
+    redirectUrl: Env.get('APPLE_REDIRECT_URL', ''),
+    teamId:      Env.get('APPLE_TEAM_ID', ''),       // 10-char Team ID from developer.apple.com
+    keyId:       Env.get('APPLE_KEY_ID', ''),        // 10-char Key ID for the .p8
+    privateKey:  readFileSync(Env.get('APPLE_PRIVATE_KEY_PATH', ''), 'utf8'),
+    clientSecret: '',                                // unused; left for type compat
+  } satisfies AppleSocialiteConfig,
+}
+```
+
+Download the `.p8` file once from the Apple Developer portal and either
+read it from disk (as above) or pass its PEM contents directly. The
+driver verifies returned `id_token`s against Apple's JWKS
+(`https://appleid.apple.com/auth/keys`, cached for 1h) — signature, `iss`,
+`aud`, and `exp` are all checked before any user data is trusted.
+
+Apple's first-authorization callback POSTs the user's `name` once in the
+form-post body. RudderJS reads it automatically when you pass the request
+object to `user(req)`. Your route handler must include the `body` in the
+request shape — `@rudderjs/server-hono` already does this.
+
 ## Custom Providers
 
 ```ts
-import { SocialiteProvider, SocialUser, Socialite } from '@rudderjs/socialite'
+import { SocialiteDriver, SocialUser, Socialite } from '@rudderjs/socialite'
 
-class GitLabProvider extends SocialiteProvider {
+class GitLabProvider extends SocialiteDriver {
   protected defaultScopes() { return ['read_user'] }
   protected authUrl()  { return 'https://gitlab.com/oauth/authorize' }
   protected tokenUrl() { return 'https://gitlab.com/oauth/token' }

package/boost/guidelines.md

@@ -39,9 +39,11 @@ Route.get('/auth/github', () => {
 Route.get('/auth/github/callback', async (req) => {
   const socialUser = await Socialite.driver('github').user(req)
 
-  // socialUser exposes: getId(), getName(), getEmail(), getAvatar(), getToken()
-  const id    = socialUser.getId()
-  const email = socialUser.getEmail()
+  // socialUser methods: getId(), getName(), getEmail(), getAvatar(), getNickname(), getRaw()
+  // socialUser getters: .token, .refreshToken, .expiresIn
+  const id          = socialUser.getId()
+  const email       = socialUser.getEmail()
+  const accessToken = socialUser.token
 
   // Find or create a local user
   let user = await User.where('email', email).first()
@@ -58,31 +60,42 @@ Route.get('/auth/github/callback', async (req) => {
 ### Scopes + state
 
 ```ts
-Socialite.driver('github')
-  .scopes(['user:email', 'read:org'])
-  .with({ allow_signup: 'false' })        // extra query params
-  .redirect()
+// Replace defaults
+Socialite.driver('github').setScopes(['user:email', 'read:org']).redirect()
+
+// Or extend defaults — withScopes() merges, deduped
+Socialite.driver('github').withScopes(['read:org']).redirect()
+
+// Skip CSRF state (mobile / machine-to-machine flows that can't reach the session)
+Socialite.driver('github').stateless().redirect()
 ```
 
-State (CSRF) is handled automatically — stored in the session and verified on callback.
+State (CSRF) is handled automatically — stored in the session and verified on callback. To inject extra provider-specific query parameters (`prompt=consent`, Apple's `response_mode=form_post`, etc.), override `extraAuthParams()` on a custom driver subclass — there is no fluent `.with({...})` method.
 
 ### Custom providers
 
+`SocialiteDriver` declares `authUrl`, `tokenUrl`, `userUrl`, `defaultScopes`, and `mapToUser` as abstract **methods** (not properties). Override each:
+
 ```ts
-import { Socialite, SocialiteDriver } from '@rudderjs/socialite'
+import { Socialite, SocialiteDriver, SocialUser } from '@rudderjs/socialite'
 
 class DiscordDriver extends SocialiteDriver {
-  protected authUrl  = 'https://discord.com/api/oauth2/authorize'
-  protected tokenUrl = 'https://discord.com/api/oauth2/token'
-  protected userUrl  = 'https://discord.com/api/users/@me'
-
-  protected mapUser(raw: any) {
-    return {
-      id:     raw.id,
-      name:   raw.username,
-      email:  raw.email,
-      avatar: `https://cdn.discordapp.com/avatars/${raw.id}/${raw.avatar}.png`,
-    }
+  protected defaultScopes() { return ['identify', 'email'] }
+  protected authUrl()  { return 'https://discord.com/api/oauth2/authorize' }
+  protected tokenUrl() { return 'https://discord.com/api/oauth2/token' }
+  protected userUrl()  { return 'https://discord.com/api/users/@me' }
+
+  protected mapToUser(raw: Record<string, unknown>, token: string, refreshToken: string | null): SocialUser {
+    return new SocialUser({
+      id:       String(raw['id']),
+      name:     (raw['username'] as string) ?? null,
+      email:    (raw['email']    as string) ?? null,
+      avatar:   raw['avatar'] ? `https://cdn.discordapp.com/avatars/${raw['id']}/${raw['avatar']}.png` : null,
+      nickname: null,
+      token,
+      refreshToken,
+      raw,
+    })
   }
 }
 
@@ -92,12 +105,18 @@ Socialite.extend('discord', (cfg) => new DiscordDriver(cfg))
 ### SocialUser interface
 
 ```ts
-socialUser.getId()       // provider's user id
-socialUser.getName()
-socialUser.getEmail()
-socialUser.getAvatar()
-socialUser.getToken()    // access token
-socialUser.getRaw()      // full raw provider response
+// Methods
+socialUser.getId()         // provider's user id (always string)
+socialUser.getName()       // string | null
+socialUser.getEmail()      // string | null
+socialUser.getAvatar()     // string | null
+socialUser.getNickname()   // string | null
+socialUser.getRaw()        // Record<string, unknown> — full raw provider response
+
+// Getters (not methods)
+socialUser.token           // access token
+socialUser.refreshToken    // string | null
+socialUser.expiresIn       // number | null
 ```
 
 ## Common Pitfalls

package/dist/driver.d.ts

@@ -4,10 +4,32 @@ export interface SocialiteDriverConfig {
     clientSecret: string;
     redirectUrl: string;
     scopes?: string[];
+    /** Per-request HTTP timeout in milliseconds (default 10_000). */
+    timeout?: number;
+}
+/** Detail attached to OAuth provider errors via `Error.cause`. */
+export interface SocialiteHttpErrorCause {
+    status: number;
+    body: string;
+}
+/**
+ * Thrown when an OAuth callback's `state` parameter is missing, doesn't
+ * match the value the framework stored before redirect, or arrives without
+ * a session in context. Indicates a CSRF / state-fixation attempt — apps
+ * should treat as auth failure.
+ */
+export declare class InvalidStateException extends Error {
+    constructor(message?: string);
+}
+/** Shape of the request object accepted by `user()` and `validateRequestState`. */
+export interface SocialiteCallbackRequest {
+    query: Record<string, string>;
+    body?: unknown;
 }
 export declare abstract class SocialiteDriver {
     protected readonly config: SocialiteDriverConfig;
     protected scopes: string[];
+    private _stateless;
     constructor(config: SocialiteDriverConfig);
     /** Default scopes for this provider. */
     protected abstract defaultScopes(): string[];
@@ -19,14 +41,43 @@ export declare abstract class SocialiteDriver {
     protected abstract userUrl(): string;
     /** Parse the provider's user API response into a SocialUser. */
     protected abstract mapToUser(data: Record<string, unknown>, token: string, refreshToken: string | null): SocialUser;
+    /**
+     * Provider key used to namespace the session state slot. Defaults to the
+     * lowercase class name with a trailing `provider` stripped (e.g. `GitHubProvider`
+     * → `github`). Override on a subclass if a custom key is preferred.
+     */
+    protected providerName(): string;
     /** Add extra scopes. */
     withScopes(scopes: string[]): this;
     /** Set scopes (replacing defaults). */
     setScopes(scopes: string[]): this;
+    /**
+     * Disable state generation + validation (Laravel `->stateless()`).
+     *
+     * Use for OAuth flows that can't reach the session — e.g. mobile clients,
+     * machine-to-machine auth, or token grants where the round-trip happens
+     * entirely server-to-server. The default (stateful) generates a CSPRNG
+     * `state` on redirect, stores it in the session, and validates it on
+     * callback to prevent CSRF / state-fixation.
+     */
+    stateless(): this;
+    isStateless(): boolean;
+    /**
+     * Provider-specific extra params to merge into the authorize URL. Apple
+     * needs `response_mode=form_post`; other drivers may want `prompt=consent`
+     * etc. Override on subclasses — base returns `{}`.
+     */
+    protected extraAuthParams(): Record<string, string>;
     /** Get the redirect URL to the OAuth provider. */
     getRedirectUrl(state?: string): string;
     /** Redirect the response to the OAuth provider. */
     redirect(state?: string): Response;
+    /**
+     * Wrapper around `fetch` that injects an `AbortSignal.timeout` so a hung
+     * provider endpoint can't keep the request handler alive indefinitely.
+     * Subclasses (Apple, GitHub) call this for their own provider fetches.
+     */
+    protected fetchWithTimeout(input: Parameters<typeof fetch>[0], init?: RequestInit): Promise<Response>;
     /** Exchange the authorization code for an access token. */
     getAccessToken(code: string): Promise<{
         accessToken: string;
@@ -34,10 +85,32 @@ export declare abstract class SocialiteDriver {
         expiresIn: number | null;
     }>;
     /** Get the authenticated user from the OAuth callback. */
-    user(codeOrRequest: string | {
-        query: Record<string, string>;
-    }): Promise<SocialUser>;
+    user(codeOrRequest: string | SocialiteCallbackRequest): Promise<SocialUser>;
     /** Get the user directly from an access token (e.g. for mobile apps). */
     getUserByToken(token: string, refreshToken?: string | null): Promise<SocialUser>;
+    private get stateKey();
+    /**
+     * Generate a CSPRNG state token, store it on the session, and return the
+     * value to embed in the authorize URL. Throws when no session is in
+     * context — the caller can opt out via `.stateless()`.
+     */
+    private generateAndStoreState;
+    /**
+     * Validate the `state` carried in a callback request against what was
+     * stored at redirect time. Pulls from `query.state` first, falling back
+     * to the request body's `state` (used by Apple's `form_post` callback).
+     * Always forgets the stored value after validation — the state is
+     * one-time use, so a leaked state can't be replayed.
+     */
+    protected validateRequestState(req: SocialiteCallbackRequest): void;
+    private extractState;
+    private constantTimeStringEqual;
+    /**
+     * Build an Error whose `message` carries only status + statusText (safe to
+     * surface in logs), with the response body attached on `cause` so callers
+     * that need it can still inspect — without leaking provider-echoed
+     * client_id / hints / PII into top-level error tracking.
+     */
+    protected httpError(prefix: string, res: Response): Promise<Error>;
 }
 //# sourceMappingURL=driver.d.ts.map

package/dist/driver.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../src/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAG,MAAM,CAAA;IACpB,MAAM,CAAC,EAAO,MAAM,EAAE,CAAA;CACvB;AAED,8BAAsB,eAAe;IAGvB,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,qBAAqB;IAF5D,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,CAAA;gBAEK,MAAM,EAAE,qBAAqB;IAI5D,wCAAwC;IACxC,SAAS,CAAC,QAAQ,CAAC,aAAa,IAAI,MAAM,EAAE;IAE5C,2EAA2E;IAC3E,SAAS,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM;IAEpC,0EAA0E;IAC1E,SAAS,CAAC,QAAQ,CAAC,QAAQ,IAAI,MAAM;IAErC,wDAAwD;IACxD,SAAS,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM;IAEpC,gEAAgE;IAChE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,UAAU;IAEnH,wBAAwB;IACxB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI;IAKlC,uCAAuC;IACvC,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI;IAKjC,kDAAkD;IAClD,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM;IAWtC,mDAAmD;IACnD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,QAAQ;IAIlC,2DAA2D;IACrD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAmC3H,0DAA0D;IACpD,IAAI,CAAC,aAAa,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC;IAW1F,yEAAyE;IACnE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC;CAgBvF"}
+{"version":3,"file":"driver.d.ts","sourceRoot":"","sources":["../src/driver.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAI7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAM,MAAM,CAAA;IACpB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAG,MAAM,CAAA;IACpB,MAAM,CAAC,EAAO,MAAM,EAAE,CAAA;IACtB,iEAAiE;IACjE,OAAO,CAAC,EAAM,MAAM,CAAA;CACrB;AAKD,kEAAkE;AAClE,MAAM,WAAW,uBAAuB;IACtC,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAI,MAAM,CAAA;CACf;AAED;;;;;GAKG;AACH,qBAAa,qBAAsB,SAAQ,KAAK;gBAClC,OAAO,SAAiD;CAIrE;AAED,mFAAmF;AACnF,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC7B,IAAI,CAAC,EAAE,OAAO,CAAA;CACf;AAED,8BAAsB,eAAe;IAIvB,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,qBAAqB;IAH5D,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,CAAA;IAC1B,OAAO,CAAC,UAAU,CAAQ;gBAEK,MAAM,EAAE,qBAAqB;IAI5D,wCAAwC;IACxC,SAAS,CAAC,QAAQ,CAAC,aAAa,IAAI,MAAM,EAAE;IAE5C,2EAA2E;IAC3E,SAAS,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM;IAEpC,0EAA0E;IAC1E,SAAS,CAAC,QAAQ,CAAC,QAAQ,IAAI,MAAM;IAErC,wDAAwD;IACxD,SAAS,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM;IAEpC,gEAAgE;IAChE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,UAAU;IAEnH;;;;OAIG;IACH,SAAS,CAAC,YAAY,IAAI,MAAM;IAIhC,wBAAwB;IACxB,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI;IAKlC,uCAAuC;IACvC,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI;IAKjC;;;;;;;;OAQG;IACH,SAAS,IAAI,IAAI;IAKjB,WAAW,IAAI,OAAO;IAItB;;;;OAIG;IACH,SAAS,CAAC,eAAe,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAInD,kDAAkD;IAClD,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM;IAgBtC,mDAAmD;IACnD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,QAAQ;IAIlC;;;;OAIG;IACH,SAAS,CAAC,gBAAgB,CACxB,KAAK,EAAE,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,EAClC,IAAI,GAAE,WAAgB,GACrB,OAAO,CAAC,QAAQ,CAAC;IAKpB,2DAA2D;IACrD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,WAAW,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IA2C3H,0DAA0D;IACpD,IAAI,CAAC,aAAa,EAAE,MAAM,GAAG,wBAAwB,GAAG,OAAO,CAAC,UAAU,CAAC;IAejF,yEAAyE;IACnE,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,UAAU,CAAC;IAkBtF,OAAO,KAAK,QAAQ,GAEnB;IAED;;;;OAIG;IACH,OAAO,CAAC,qBAAqB;IAa7B;;;;;;OAMG;IACH,SAAS,CAAC,oBAAoB,CAAC,GAAG,EAAE,wBAAwB,GAAG,IAAI;IAwBnE,OAAO,CAAC,YAAY;IAYpB,OAAO,CAAC,uBAAuB;IAO/B;;;;;OAKG;cACa,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC;CAKzE"}

package/dist/driver.js

@@ -1,10 +1,35 @@
+import { randomBytes, timingSafeEqual } from 'node:crypto';
+import { Session } from '@rudderjs/session';
+const DEFAULT_TIMEOUT_MS = 10_000;
+const STATE_BYTES = 20;
+/**
+ * Thrown when an OAuth callback's `state` parameter is missing, doesn't
+ * match the value the framework stored before redirect, or arrives without
+ * a session in context. Indicates a CSRF / state-fixation attempt — apps
+ * should treat as auth failure.
+ */
+export class InvalidStateException extends Error {
+    constructor(message = 'OAuth state mismatch — possible CSRF attack.') {
+        super(`[RudderJS Socialite] ${message}`);
+        this.name = 'InvalidStateException';
+    }
+}
 export class SocialiteDriver {
     config;
     scopes;
+    _stateless = false;
     constructor(config) {
         this.config = config;
         this.scopes = config.scopes ?? this.defaultScopes();
     }
+    /**
+     * Provider key used to namespace the session state slot. Defaults to the
+     * lowercase class name with a trailing `provider` stripped (e.g. `GitHubProvider`
+     * → `github`). Override on a subclass if a custom key is preferred.
+     */
+    providerName() {
+        return this.constructor.name.toLowerCase().replace(/provider$/, '');
+    }
     /** Add extra scopes. */
     withScopes(scopes) {
         this.scopes = [...new Set([...this.scopes, ...scopes])];
@@ -15,14 +40,42 @@ export class SocialiteDriver {
         this.scopes = scopes;
         return this;
     }
+    /**
+     * Disable state generation + validation (Laravel `->stateless()`).
+     *
+     * Use for OAuth flows that can't reach the session — e.g. mobile clients,
+     * machine-to-machine auth, or token grants where the round-trip happens
+     * entirely server-to-server. The default (stateful) generates a CSPRNG
+     * `state` on redirect, stores it in the session, and validates it on
+     * callback to prevent CSRF / state-fixation.
+     */
+    stateless() {
+        this._stateless = true;
+        return this;
+    }
+    isStateless() {
+        return this._stateless;
+    }
+    /**
+     * Provider-specific extra params to merge into the authorize URL. Apple
+     * needs `response_mode=form_post`; other drivers may want `prompt=consent`
+     * etc. Override on subclasses — base returns `{}`.
+     */
+    extraAuthParams() {
+        return {};
+    }
     /** Get the redirect URL to the OAuth provider. */
     getRedirectUrl(state) {
+        // Caller-supplied state always wins (test-friendly + advanced override).
+        // When stateful and no state is supplied, generate + persist one.
+        const stateValue = state ?? (this._stateless ? undefined : this.generateAndStoreState());
         const params = new URLSearchParams({
             client_id: this.config.clientId,
             redirect_uri: this.config.redirectUrl,
             response_type: 'code',
             scope: this.scopes.join(' '),
-            ...(state ? { state } : {}),
+            ...(stateValue ? { state: stateValue } : {}),
+            ...this.extraAuthParams(),
         });
         return `${this.authUrl()}?${params.toString()}`;
     }
@@ -30,15 +83,27 @@ export class SocialiteDriver {
     redirect(state) {
         return Response.redirect(this.getRedirectUrl(state), 302);
     }
+    /**
+     * Wrapper around `fetch` that injects an `AbortSignal.timeout` so a hung
+     * provider endpoint can't keep the request handler alive indefinitely.
+     * Subclasses (Apple, GitHub) call this for their own provider fetches.
+     */
+    fetchWithTimeout(input, init = {}) {
+        const timeoutMs = this.config.timeout ?? DEFAULT_TIMEOUT_MS;
+        return fetch(input, { ...init, signal: init.signal ?? AbortSignal.timeout(timeoutMs) });
+    }
     /** Exchange the authorization code for an access token. */
     async getAccessToken(code) {
-        const res = await fetch(this.tokenUrl(), {
+        // RFC 6749 §4.1.3 mandates `application/x-www-form-urlencoded` for the
+        // token endpoint. GitHub, Google, and Facebook all reject JSON bodies
+        // (or accept them inconsistently); Apple's override already form-encodes.
+        const res = await this.fetchWithTimeout(this.tokenUrl(), {
             method: 'POST',
             headers: {
-                'Content-Type': 'application/json',
+                'Content-Type': 'application/x-www-form-urlencoded',
                 'Accept': 'application/json',
             },
-            body: JSON.stringify({
+            body: new URLSearchParams({
                 client_id: this.config.clientId,
                 client_secret: this.config.clientSecret,
                 code,
@@ -47,21 +112,28 @@ export class SocialiteDriver {
             }),
         });
         if (!res.ok) {
-            const text = await res.text();
-            throw new Error(`[RudderJS Socialite] Token exchange failed: ${res.status} ${text}`);
+            throw await this.httpError('Token exchange failed', res);
         }
         const data = await res.json();
-        // Some providers return access_token, others return it in different shapes
-        const accessToken = (data['access_token'] ?? data['accessToken']);
-        const refreshToken = (data['refresh_token'] ?? data['refreshToken']);
-        const expiresIn = (data['expires_in'] ?? data['expiresIn']);
-        if (!accessToken) {
-            throw new Error(`[RudderJS Socialite] No access_token in response: ${JSON.stringify(data)}`);
+        // Provider response is JSON of unknown shape — type-check before trusting.
+        // Some providers use snake_case, some camelCase; either is fine, but the
+        // value must be a non-empty string. Anything else (number, null, object,
+        // empty string) is treated as a missing token.
+        const rawToken = data['access_token'] ?? data['accessToken'];
+        const rawRefresh = data['refresh_token'] ?? data['refreshToken'];
+        const rawExpiresIn = data['expires_in'] ?? data['expiresIn'];
+        if (typeof rawToken !== 'string' || rawToken.length === 0) {
+            throw new Error('[RudderJS Socialite] No access_token in token-exchange response.');
         }
-        return { accessToken, refreshToken: refreshToken ?? null, expiresIn: expiresIn ?? null };
+        const refreshToken = typeof rawRefresh === 'string' && rawRefresh.length > 0 ? rawRefresh : null;
+        const expiresIn = typeof rawExpiresIn === 'number' && Number.isFinite(rawExpiresIn) ? rawExpiresIn : null;
+        return { accessToken: rawToken, refreshToken, expiresIn };
     }
     /** Get the authenticated user from the OAuth callback. */
     async user(codeOrRequest) {
+        if (typeof codeOrRequest !== 'string') {
+            this.validateRequestState(codeOrRequest);
+        }
         const code = typeof codeOrRequest === 'string'
             ? codeOrRequest
             : codeOrRequest.query['code'];
@@ -72,18 +144,89 @@ export class SocialiteDriver {
     }
     /** Get the user directly from an access token (e.g. for mobile apps). */
     async getUserByToken(token, refreshToken) {
-        const res = await fetch(this.userUrl(), {
+        const res = await this.fetchWithTimeout(this.userUrl(), {
             headers: {
                 'Authorization': `Bearer ${token}`,
                 'Accept': 'application/json',
             },
         });
         if (!res.ok) {
-            const text = await res.text();
-            throw new Error(`[RudderJS Socialite] User info request failed: ${res.status} ${text}`);
+            throw await this.httpError('User info request failed', res);
         }
         const data = await res.json();
         return this.mapToUser(data, token, refreshToken ?? null);
     }
+    // ─── State (CSRF defense) ───────────────────────────────
+    get stateKey() {
+        return `socialite_state:${this.providerName()}`;
+    }
+    /**
+     * Generate a CSPRNG state token, store it on the session, and return the
+     * value to embed in the authorize URL. Throws when no session is in
+     * context — the caller can opt out via `.stateless()`.
+     */
+    generateAndStoreState() {
+        if (!Session.active()) {
+            throw new Error('[RudderJS Socialite] Cannot generate OAuth state: no session in context. ' +
+                'Register session middleware (auto-installed on the web group), or call ' +
+                '`.stateless()` on the driver if state validation is intentionally skipped.');
+        }
+        const value = randomBytes(STATE_BYTES).toString('hex');
+        Session.put(this.stateKey, value);
+        return value;
+    }
+    /**
+     * Validate the `state` carried in a callback request against what was
+     * stored at redirect time. Pulls from `query.state` first, falling back
+     * to the request body's `state` (used by Apple's `form_post` callback).
+     * Always forgets the stored value after validation — the state is
+     * one-time use, so a leaked state can't be replayed.
+     */
+    validateRequestState(req) {
+        if (this._stateless)
+            return;
+        if (!Session.active()) {
+            throw new InvalidStateException('No session in context for state validation. Register session middleware ' +
+                'or use `.stateless()` if state validation is intentionally skipped.');
+        }
+        const stored = Session.get(this.stateKey);
+        Session.forget(this.stateKey);
+        const provided = this.extractState(req);
+        if (typeof stored !== 'string' || stored.length === 0 ||
+            typeof provided !== 'string' || provided.length === 0 ||
+            !this.constantTimeStringEqual(stored, provided)) {
+            throw new InvalidStateException();
+        }
+    }
+    extractState(req) {
+        const fromQuery = req.query['state'];
+        if (typeof fromQuery === 'string' && fromQuery.length > 0)
+            return fromQuery;
+        const body = req.body;
+        if (body && typeof body === 'object') {
+            const fromBody = body['state'];
+            if (typeof fromBody === 'string' && fromBody.length > 0)
+                return fromBody;
+        }
+        return undefined;
+    }
+    constantTimeStringEqual(a, b) {
+        if (a.length !== b.length)
+            return false;
+        const ab = Buffer.from(a, 'utf8');
+        const bb = Buffer.from(b, 'utf8');
+        return timingSafeEqual(ab, bb);
+    }
+    /**
+     * Build an Error whose `message` carries only status + statusText (safe to
+     * surface in logs), with the response body attached on `cause` so callers
+     * that need it can still inspect — without leaking provider-echoed
+     * client_id / hints / PII into top-level error tracking.
+     */
+    async httpError(prefix, res) {
+        const body = await res.text().catch(() => '');
+        const cause = { status: res.status, body };
+        return new Error(`[RudderJS Socialite] ${prefix}: ${res.status} ${res.statusText}`.trimEnd(), { cause });
+    }
 }
 //# sourceMappingURL=driver.js.map

package/dist/driver.js.map

@@ -1 +1 @@
-{"version":3,"file":"driver.js","sourceRoot":"","sources":["../src/driver.ts"],"names":[],"mappings":"AAWA,MAAM,OAAgB,eAAe;IAGJ;IAFrB,MAAM,CAAU;IAE1B,YAA+B,MAA6B;QAA7B,WAAM,GAAN,MAAM,CAAuB;QAC1D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,aAAa,EAAE,CAAA;IACrD,CAAC;IAiBD,wBAAwB;IACxB,UAAU,CAAC,MAAgB;QACzB,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;QACvD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uCAAuC;IACvC,SAAS,CAAC,MAAgB;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,kDAAkD;IAClD,cAAc,CAAC,KAAc;QAC3B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;YACnC,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;YACtC,aAAa,EAAE,MAAM;YACrB,KAAK,EAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACpC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC,CAAA;QACF,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;IACjD,CAAC;IAED,mDAAmD;IACnD,QAAQ,CAAC,KAAc;QACrB,OAAO,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAA;IAC3D,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE;YACvC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAQ,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;gBACnC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvC,IAAI;gBACJ,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;gBACtC,UAAU,EAAK,oBAAoB;aACpC,CAAC;SACH,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAC7B,MAAM,IAAI,KAAK,CAAC,+CAA+C,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAA;QACtF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QAExD,2EAA2E;QAC3E,MAAM,WAAW,GAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAK,IAAI,CAAC,aAAa,CAAC,CAAuB,CAAA;QACzF,MAAM,YAAY,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,CAAuB,CAAA;QAC1F,MAAM,SAAS,GAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAO,IAAI,CAAC,WAAW,CAAC,CAAuB,CAAA;QAEvF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,qDAAqD,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QAC9F,CAAC;QAED,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,IAAI,IAAI,EAAE,SAAS,EAAE,SAAS,IAAI,IAAI,EAAE,CAAA;IAC1F,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,IAAI,CAAC,aAAyD;QAClE,MAAM,IAAI,GAAG,OAAO,aAAa,KAAK,QAAQ;YAC5C,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAE/B,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;QAE9E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;IACvD,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,cAAc,CAAC,KAAa,EAAE,YAA4B;QAC9D,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE;YACtC,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,KAAK,EAAE;gBAClC,QAAQ,EAAS,kBAAkB;aACpC;SACF,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;YAC7B,MAAM,IAAI,KAAK,CAAC,kDAAkD,GAAG,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAA;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QACxD,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,IAAI,IAAI,CAAC,CAAA;IAC1D,CAAC;CACF"}
+{"version":3,"file":"driver.js","sourceRoot":"","sources":["../src/driver.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAA;AAc3C,MAAM,kBAAkB,GAAG,MAAM,CAAA;AACjC,MAAM,WAAW,GAAU,EAAE,CAAA;AAQ7B;;;;;GAKG;AACH,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAC9C,YAAY,OAAO,GAAG,8CAA8C;QAClE,KAAK,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAA;QACxC,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAA;IACrC,CAAC;CACF;AAQD,MAAM,OAAgB,eAAe;IAIJ;IAHrB,MAAM,CAAU;IAClB,UAAU,GAAG,KAAK,CAAA;IAE1B,YAA+B,MAA6B;QAA7B,WAAM,GAAN,MAAM,CAAuB;QAC1D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,aAAa,EAAE,CAAA;IACrD,CAAC;IAiBD;;;;OAIG;IACO,YAAY;QACpB,OAAO,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IACrE,CAAC;IAED,wBAAwB;IACxB,UAAU,CAAC,MAAgB;QACzB,IAAI,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;QACvD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uCAAuC;IACvC,SAAS,CAAC,MAAgB;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;QACpB,OAAO,IAAI,CAAA;IACb,CAAC;IAED;;;;;;;;OAQG;IACH,SAAS;QACP,IAAI,CAAC,UAAU,GAAG,IAAI,CAAA;QACtB,OAAO,IAAI,CAAA;IACb,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,UAAU,CAAA;IACxB,CAAC;IAED;;;;OAIG;IACO,eAAe;QACvB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,kDAAkD;IAClD,cAAc,CAAC,KAAc;QAC3B,yEAAyE;QACzE,kEAAkE;QAClE,MAAM,UAAU,GAAG,KAAK,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC,CAAA;QAExF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;YACnC,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;YACtC,aAAa,EAAE,MAAM;YACrB,KAAK,EAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACpC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5C,GAAG,IAAI,CAAC,eAAe,EAAE;SAC1B,CAAC,CAAA;QACF,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;IACjD,CAAC;IAED,mDAAmD;IACnD,QAAQ,CAAC,KAAc;QACrB,OAAO,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAA;IAC3D,CAAC;IAED;;;;OAIG;IACO,gBAAgB,CACxB,KAAkC,EAClC,OAAoB,EAAE;QAEtB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,kBAAkB,CAAA;QAC3D,OAAO,KAAK,CAAC,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IACzF,CAAC;IAED,2DAA2D;IAC3D,KAAK,CAAC,cAAc,CAAC,IAAY;QAC/B,uEAAuE;QACvE,sEAAsE;QACtE,0EAA0E;QAC1E,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,QAAQ,EAAQ,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;gBACnC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvC,IAAI;gBACJ,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;gBACtC,UAAU,EAAK,oBAAoB;aACpC,CAAC;SACH,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QAExD,2EAA2E;QAC3E,yEAAyE;QACzE,yEAAyE;QACzE,+CAA+C;QAC/C,MAAM,QAAQ,GAAQ,IAAI,CAAC,cAAc,CAAC,IAAK,IAAI,CAAC,aAAa,CAAC,CAAA;QAClE,MAAM,UAAU,GAAM,IAAI,CAAC,eAAe,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,CAAA;QACnE,MAAM,YAAY,GAAI,IAAI,CAAC,YAAY,CAAC,IAAO,IAAI,CAAC,WAAW,CAAC,CAAA;QAEhE,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;QACrF,CAAC;QAED,MAAM,YAAY,GAAG,OAAO,UAAU,KAAO,QAAQ,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAG,CAAC,CAAC,IAAI,CAAA;QACpG,MAAM,SAAS,GAAM,OAAO,YAAY,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAA;QAE5G,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,CAAA;IAC3D,CAAC;IAED,0DAA0D;IAC1D,KAAK,CAAC,IAAI,CAAC,aAAgD;QACzD,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;YACtC,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QAC1C,CAAC;QAED,MAAM,IAAI,GAAG,OAAO,aAAa,KAAK,QAAQ;YAC5C,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;QAE/B,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;QAE9E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA;IACvD,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,cAAc,CAAC,KAAa,EAAE,YAA4B;QAC9D,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE;YACtD,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,KAAK,EAAE;gBAClC,QAAQ,EAAS,kBAAkB;aACpC;SACF,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAA;QAC7D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QACxD,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,YAAY,IAAI,IAAI,CAAC,CAAA;IAC1D,CAAC;IAED,2DAA2D;IAE3D,IAAY,QAAQ;QAClB,OAAO,mBAAmB,IAAI,CAAC,YAAY,EAAE,EAAE,CAAA;IACjD,CAAC;IAED;;;;OAIG;IACK,qBAAqB;QAC3B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,2EAA2E;gBAC3E,yEAAyE;gBACzE,4EAA4E,CAC7E,CAAA;QACH,CAAC;QACD,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QACtD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;QACjC,OAAO,KAAK,CAAA;IACd,CAAC;IAED;;;;;;OAMG;IACO,oBAAoB,CAAC,GAA6B;QAC1D,IAAI,IAAI,CAAC,UAAU;YAAE,OAAM;QAE3B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,qBAAqB,CAC7B,0EAA0E;gBAC1E,qEAAqE,CACtE,CAAA;QACH,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAS,IAAI,CAAC,QAAQ,CAAC,CAAA;QACjD,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAE7B,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAA;QAEvC,IACE,OAAO,MAAM,KAAO,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAO,CAAC;YACrD,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YACrD,CAAC,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC/C,CAAC;YACD,MAAM,IAAI,qBAAqB,EAAE,CAAA;QACnC,CAAC;IACH,CAAC;IAEO,YAAY,CAAC,GAA6B;QAChD,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACpC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,SAAS,CAAA;QAE3E,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAA;QACrB,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,QAAQ,GAAI,IAAgC,CAAC,OAAO,CAAC,CAAA;YAC3D,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAAE,OAAO,QAAQ,CAAA;QAC1E,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAEO,uBAAuB,CAAC,CAAS,EAAE,CAAS;QAClD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,KAAK,CAAA;QACvC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;QACjC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;QACjC,OAAO,eAAe,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;IAChC,CAAC;IAED;;;;;OAKG;IACO,KAAK,CAAC,SAAS,CAAC,MAAc,EAAE,GAAa;QACrD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAA;QAC7C,MAAM,KAAK,GAA4B,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAA;QACnE,OAAO,IAAI,KAAK,CAAC,wBAAwB,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IAC1G,CAAC;CACF"}

package/dist/drivers/apple.d.ts

@@ -1,17 +1,55 @@
-import { SocialiteDriver } from '../driver.js';
+import { SocialiteDriver, type SocialiteDriverConfig, type SocialiteCallbackRequest } from '../driver.js';
 import { SocialUser } from '../social-user.js';
+/**
+ * Apple-specific config. The base `clientSecret` field is unused — Apple
+ * requires a freshly-signed ES256 JWT as `client_secret` on each token
+ * exchange. Provide `teamId`, `keyId`, and `privateKey` (PEM contents of the
+ * `.p8` file downloaded from the Apple Developer portal); the driver mints
+ * the JWT just-in-time.
+ */
+export interface AppleSocialiteConfig extends SocialiteDriverConfig {
+    /** Apple Developer Team ID (10 chars). Used as the `iss` claim. */
+    teamId?: string;
+    /** Sign-in-with-Apple Key ID (10 chars). Embedded in the JWT header as `kid`. */
+    keyId?: string;
+    /** PEM-encoded EC P-256 private key (the `.p8` file contents). */
+    privateKey?: string;
+    /** Override the JWT lifetime in seconds. Apple max is 6 months; default 5 minutes. */
+    clientSecretTtl?: number;
+}
 export declare class AppleProvider extends SocialiteDriver {
+    private static _jwksCache;
+    constructor(config: AppleSocialiteConfig);
     protected defaultScopes(): string[];
     protected authUrl(): string;
     protected tokenUrl(): string;
     protected userUrl(): string;
-    getRedirectUrl(state?: string): string;
+    protected extraAuthParams(): Record<string, string>;
     protected mapToUser(data: Record<string, unknown>, token: string, refreshToken: string | null): SocialUser;
-    /** Apple sends user data as form POST on callback. Parse the id_token JWT for user info. */
-    user(codeOrRequest: string | {
-        query: Record<string, string>;
-        body?: unknown;
-    }): Promise<SocialUser>;
-    private getIdToken;
+    /**
+     * Exchange the auth code with Apple in a single POST, verify the returned
+     * id_token, and merge any first-authorization user details from the
+     * form_post body. Apple's auth codes are single-use, so this driver does
+     * NOT call the inherited `getAccessToken` — the token endpoint is hit
+     * exactly once per callback.
+     */
+    user(codeOrRequest: string | SocialiteCallbackRequest): Promise<SocialUser>;
+    private _exchange;
+    /**
+     * Build a freshly-signed ES256 JWT to use as `client_secret` for Apple's
+     * token endpoint. Apple requires JWS spec signatures — IEEE P-1363 raw
+     * (r||s, 64 bytes), NOT DER. node:crypto's `createSign` defaults to DER
+     * for EC keys, so `dsaEncoding: 'ieee-p1363'` is mandatory.
+     */
+    private _buildClientSecret;
+    /**
+     * Verify Apple's id_token: signature against the JWKS-resolved public key,
+     * then issuer / audience / expiration claims. Throws on any failure —
+     * never returns unverified data.
+     */
+    private _verifyIdToken;
+    private _resolveAppleJwk;
+    /** @internal — testing only. */
+    static _resetJwksCache(): void;
 }
 //# sourceMappingURL=apple.d.ts.map

package/dist/drivers/apple.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"apple.d.ts","sourceRoot":"","sources":["../../src/drivers/apple.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,qBAAa,aAAc,SAAQ,eAAe;IAChD,SAAS,CAAC,aAAa,IAAI,MAAM,EAAE;IACnC,SAAS,CAAC,OAAO,IAAK,MAAM;IAC5B,SAAS,CAAC,QAAQ,IAAI,MAAM;IAC5B,SAAS,CAAC,OAAO,IAAK,MAAM;IAE5B,cAAc,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM;IAYtC,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,UAAU;IAkB1G,4FAA4F;IACtF,IAAI,CAAC,aAAa,EAAE,MAAM,GAAG;QAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,CAAC;YA0B5F,UAAU;CAwBzB"}
+{"version":3,"file":"apple.d.ts","sourceRoot":"","sources":["../../src/drivers/apple.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,KAAK,qBAAqB,EAAE,KAAK,wBAAwB,EAAE,MAAM,cAAc,CAAA;AACzG,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C;;;;;;GAMG;AACH,MAAM,WAAW,oBAAqB,SAAQ,qBAAqB;IACjE,mEAAmE;IACnE,MAAM,CAAC,EAAM,MAAM,CAAA;IACnB,iFAAiF;IACjF,KAAK,CAAC,EAAO,MAAM,CAAA;IACnB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,sFAAsF;IACtF,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB;AA+BD,qBAAa,aAAc,SAAQ,eAAe;IAGhD,OAAO,CAAC,MAAM,CAAC,UAAU,CAA8B;gBAE3C,MAAM,EAAE,oBAAoB;IAIxC,SAAS,CAAC,aAAa,IAAI,MAAM,EAAE;IACnC,SAAS,CAAC,OAAO,IAAK,MAAM;IAC5B,SAAS,CAAC,QAAQ,IAAI,MAAM;IAE5B,SAAS,CAAC,OAAO,IAAK,MAAM;cAET,eAAe,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAO5D,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,GAAG,UAAU;IAiB1G;;;;;;OAMG;IACY,IAAI,CAAC,aAAa,EAAE,MAAM,GAAG,wBAAwB,GAAG,OAAO,CAAC,UAAU,CAAC;YAuC5E,SAAS;IA4CvB;;;;;OAKG;YACW,kBAAkB;IAoDhC;;;;OAIG;YACW,cAAc;YA0Ed,gBAAgB;IAwB9B,gCAAgC;IAChC,MAAM,CAAC,eAAe,IAAI,IAAI;CAG/B"}

package/dist/drivers/apple.js

@@ -1,23 +1,28 @@
 import { SocialiteDriver } from '../driver.js';
 import { SocialUser } from '../social-user.js';
+const APPLE_ISSUER = 'https://appleid.apple.com';
+const APPLE_JWKS = 'https://appleid.apple.com/auth/keys';
+const JWKS_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_JWT_TTL_SECONDS = 5 * 60;
 export class AppleProvider extends SocialiteDriver {
+    // Process-wide cache shared across AppleProvider instances. JWKS is small
+    // and Apple's keys rotate slowly, so a 1h cache is well within their guidance.
+    static _jwksCache = null;
+    constructor(config) {
+        super(config);
+    }
     defaultScopes() { return ['name', 'email']; }
     authUrl() { return 'https://appleid.apple.com/auth/authorize'; }
     tokenUrl() { return 'https://appleid.apple.com/auth/token'; }
-    userUrl() { return ''; } // Apple sends user data in the callback, not a separate endpoint
-    getRedirectUrl(state) {
-        const params = new URLSearchParams({
-            client_id: this.config.clientId,
-            redirect_uri: this.config.redirectUrl,
-            response_type: 'code',
-            response_mode: 'form_post',
-            scope: this.scopes.join(' '),
-            ...(state ? { state } : {}),
-        });
-        return `${this.authUrl()}?${params.toString()}`;
+    // Apple sends user data in the id_token + first-auth form_post body, never a separate user endpoint.
+    userUrl() { return ''; }
+    extraAuthParams() {
+        // Apple requires form_post when the requested scopes include `name` or
+        // `email` (anything beyond `openid`) — the user-info payload is sent as
+        // a POST body, not a query.
+        return { response_mode: 'form_post' };
     }
     mapToUser(data, token, refreshToken) {
-        // Apple's id_token contains the user info as a JWT
         const sub = data['sub'] ?? '';
         const email = data['email'] ?? null;
         const name = data['name'];
@@ -32,55 +37,219 @@ export class AppleProvider extends SocialiteDriver {
             raw: data,
         });
     }
-    /** Apple sends user data as form POST on callback. Parse the id_token JWT for user info. */
+    /**
+     * Exchange the auth code with Apple in a single POST, verify the returned
+     * id_token, and merge any first-authorization user details from the
+     * form_post body. Apple's auth codes are single-use, so this driver does
+     * NOT call the inherited `getAccessToken` — the token endpoint is hit
+     * exactly once per callback.
+     */
     async user(codeOrRequest) {
+        if (typeof codeOrRequest !== 'string') {
+            // Apple's `state` arrives in the form_post body, not the query — the
+            // base validator already checks both, no Apple-specific override needed.
+            this.validateRequestState(codeOrRequest);
+        }
         const code = typeof codeOrRequest === 'string'
             ? codeOrRequest
             : (codeOrRequest.query['code'] ?? codeOrRequest.body?.['code']);
         if (!code)
             throw new Error('[RudderJS Socialite] Missing authorization code.');
-        const { accessToken, refreshToken } = await this.getAccessToken(code);
-        // Decode id_token (JWT) for user info — no verification needed here,
-        // Apple's token endpoint is trusted.
-        const idToken = (await this.getIdToken(code)) ?? {};
-        const userData = { ...idToken };
-        // Apple sends user name only on first authorization (as form POST body)
+        const { accessToken, refreshToken, idToken } = await this._exchange(code);
+        const claims = await this._verifyIdToken(idToken);
+        const userData = { ...claims };
+        // First authorization only — Apple sends `name` once, in the form_post body.
         if (typeof codeOrRequest !== 'string' && codeOrRequest.body) {
             const body = codeOrRequest.body;
-            if (body['user']) {
-                const user = typeof body['user'] === 'string' ? JSON.parse(body['user']) : body['user'];
-                userData['name'] = user;
+            const userField = body['user'];
+            if (userField !== undefined) {
+                try {
+                    const parsed = typeof userField === 'string' ? JSON.parse(userField) : userField;
+                    if (parsed && typeof parsed === 'object' && 'name' in parsed) {
+                        userData['name'] = parsed['name'];
+                    }
+                }
+                catch {
+                    // Malformed body.user — ignore, name simply won't be set.
+                }
             }
         }
         return this.mapToUser(userData, accessToken, refreshToken);
     }
-    async getIdToken(code) {
+    // ─── Token exchange ────────────────────────────────────
+    async _exchange(code) {
+        const clientSecret = await this._buildClientSecret();
+        const res = await this.fetchWithTimeout(this.tokenUrl(), {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                'Accept': 'application/json',
+            },
+            body: new URLSearchParams({
+                client_id: this.config.clientId,
+                client_secret: clientSecret,
+                code,
+                redirect_uri: this.config.redirectUrl,
+                grant_type: 'authorization_code',
+            }),
+        });
+        if (!res.ok) {
+            throw await this.httpError('Apple token exchange failed', res);
+        }
+        const data = await res.json();
+        const accessToken = data['access_token'];
+        const refreshToken = data['refresh_token'];
+        const idToken = data['id_token'];
+        if (typeof accessToken !== 'string' || accessToken.length === 0) {
+            throw new Error('[RudderJS Socialite] Apple token-exchange response missing access_token.');
+        }
+        if (typeof idToken !== 'string' || idToken.length === 0) {
+            throw new Error('[RudderJS Socialite] Apple token-exchange response missing id_token.');
+        }
+        return {
+            accessToken,
+            refreshToken: typeof refreshToken === 'string' && refreshToken.length > 0 ? refreshToken : null,
+            idToken,
+        };
+    }
+    // ─── O2: ES256 client_secret JWT ───────────────────────
+    /**
+     * Build a freshly-signed ES256 JWT to use as `client_secret` for Apple's
+     * token endpoint. Apple requires JWS spec signatures — IEEE P-1363 raw
+     * (r||s, 64 bytes), NOT DER. node:crypto's `createSign` defaults to DER
+     * for EC keys, so `dsaEncoding: 'ieee-p1363'` is mandatory.
+     */
+    async _buildClientSecret() {
+        const cfg = this.config;
+        if (!cfg.teamId || !cfg.keyId || !cfg.privateKey) {
+            throw new Error('[RudderJS Socialite] Apple requires `teamId`, `keyId`, and `privateKey` ' +
+                'in config to sign the client_secret JWT. See https://developer.apple.com/sign-in-with-apple/.');
+        }
+        const { createPrivateKey, createSign } = await import('node:crypto');
+        const now = Math.floor(Date.now() / 1000);
+        const ttl = cfg.clientSecretTtl ?? DEFAULT_JWT_TTL_SECONDS;
+        const header = { alg: 'ES256', kid: cfg.keyId, typ: 'JWT' };
+        const payload = {
+            iss: cfg.teamId,
+            iat: now,
+            exp: now + ttl,
+            aud: APPLE_ISSUER,
+            sub: this.config.clientId,
+        };
+        const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64url');
+        const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url');
+        const signingInput = `${headerB64}.${payloadB64}`;
+        let key;
+        try {
+            key = createPrivateKey({ key: cfg.privateKey, format: 'pem' });
+        }
+        catch (err) {
+            throw new Error('[RudderJS Socialite] Apple `privateKey` is not a valid PEM-encoded EC private key. ' +
+                '(See `.p8` file from Apple Developer portal.)', { cause: err });
+        }
+        if (key.asymmetricKeyType !== 'ec') {
+            throw new Error(`[RudderJS Socialite] Apple expects an EC P-256 private key; got ${key.asymmetricKeyType ?? 'unknown'}.`);
+        }
+        const signer = createSign('SHA256');
+        signer.update(signingInput);
+        const signature = signer.sign({ key, dsaEncoding: 'ieee-p1363' }, 'base64url');
+        return `${signingInput}.${signature}`;
+    }
+    // ─── O3: id_token verification ─────────────────────────
+    /**
+     * Verify Apple's id_token: signature against the JWKS-resolved public key,
+     * then issuer / audience / expiration claims. Throws on any failure —
+     * never returns unverified data.
+     */
+    async _verifyIdToken(idToken) {
+        const parts = idToken.split('.');
+        if (parts.length !== 3) {
+            throw new Error('[RudderJS Socialite] Apple id_token: malformed (expected 3 segments).');
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        let header;
         try {
-            const res = await fetch(this.tokenUrl(), {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-                body: new URLSearchParams({
-                    client_id: this.config.clientId,
-                    client_secret: this.config.clientSecret,
-                    code,
-                    redirect_uri: this.config.redirectUrl,
-                    grant_type: 'authorization_code',
-                }),
-            });
-            if (!res.ok)
-                return null;
-            const data = await res.json();
-            if (!data.id_token)
-                return null;
-            // Decode JWT payload (base64url)
-            const payload = data.id_token.split('.')[1];
-            if (!payload)
-                return null;
-            return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
+            header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
         }
         catch {
-            return null;
+            throw new Error('[RudderJS Socialite] Apple id_token: header is not valid JSON.');
+        }
+        if (header.alg !== 'RS256') {
+            throw new Error(`[RudderJS Socialite] Apple id_token: unexpected alg "${header.alg ?? ''}" (expected RS256).`);
+        }
+        if (typeof header.kid !== 'string' || header.kid.length === 0) {
+            throw new Error('[RudderJS Socialite] Apple id_token: header missing `kid`.');
+        }
+        const jwk = await this._resolveAppleJwk(header.kid);
+        if (!jwk) {
+            throw new Error(`[RudderJS Socialite] Apple id_token: no signing key for kid "${header.kid}".`);
         }
+        const { createPublicKey, createVerify } = await import('node:crypto');
+        let publicKey;
+        try {
+            // node:crypto's createPublicKey accepts a JsonWebKey from lib.dom; this
+            // package targets Node and doesn't include DOM lib, so widen via
+            // `as never` (bottom type, assignable to the parameter's expected type).
+            publicKey = createPublicKey({ key: jwk, format: 'jwk' });
+        }
+        catch (err) {
+            throw new Error('[RudderJS Socialite] Apple id_token: failed to import JWKS public key.', { cause: err });
+        }
+        const verifier = createVerify('SHA256');
+        verifier.update(`${headerB64}.${payloadB64}`);
+        if (!verifier.verify(publicKey, signatureB64, 'base64url')) {
+            throw new Error('[RudderJS Socialite] Apple id_token: signature verification failed.');
+        }
+        let claims;
+        try {
+            claims = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
+        }
+        catch {
+            throw new Error('[RudderJS Socialite] Apple id_token: payload is not valid JSON.');
+        }
+        if (claims.iss !== APPLE_ISSUER) {
+            throw new Error(`[RudderJS Socialite] Apple id_token: iss "${claims.iss ?? ''}" does not match "${APPLE_ISSUER}".`);
+        }
+        const expectedAud = this.config.clientId;
+        const audMatches = Array.isArray(claims.aud)
+            ? claims.aud.includes(expectedAud)
+            : claims.aud === expectedAud;
+        if (!audMatches) {
+            throw new Error('[RudderJS Socialite] Apple id_token: aud does not match clientId.');
+        }
+        if (typeof claims.exp !== 'number' || claims.exp * 1000 <= Date.now()) {
+            throw new Error('[RudderJS Socialite] Apple id_token: token expired or missing exp.');
+        }
+        if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
+            throw new Error('[RudderJS Socialite] Apple id_token: missing sub.');
+        }
+        return claims;
+    }
+    async _resolveAppleJwk(kid) {
+        const cache = AppleProvider._jwksCache;
+        if (cache && Date.now() - cache.fetchedAt < JWKS_TTL_MS) {
+            const hit = cache.keys.get(kid);
+            if (hit)
+                return hit;
+            // Fall through — kid not in cache. Apple may have rotated; refetch.
+        }
+        const res = await this.fetchWithTimeout(APPLE_JWKS, { headers: { Accept: 'application/json' } });
+        if (!res.ok) {
+            throw await this.httpError('Apple JWKS fetch failed', res);
+        }
+        const body = await res.json();
+        const keys = Array.isArray(body.keys) ? body.keys : [];
+        const map = new Map();
+        for (const k of keys) {
+            if (typeof k.kid === 'string')
+                map.set(k.kid, k);
+        }
+        AppleProvider._jwksCache = { fetchedAt: Date.now(), keys: map };
+        return map.get(kid);
+    }
+    /** @internal — testing only. */
+    static _resetJwksCache() {
+        AppleProvider._jwksCache = null;
     }
 }
 //# sourceMappingURL=apple.js.map

package/dist/drivers/apple.js.map

@@ -1 +1 @@
-{"version":3,"file":"apple.js","sourceRoot":"","sources":["../../src/drivers/apple.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,MAAM,OAAO,aAAc,SAAQ,eAAe;IACtC,aAAa,KAAe,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA,CAAC,CAAC;IACtD,OAAO,KAAc,OAAO,0CAA0C,CAAA,CAAC,CAAC;IACxE,QAAQ,KAAa,OAAO,sCAAsC,CAAA,CAAC,CAAC;IACpE,OAAO,KAAc,OAAO,EAAE,CAAA,CAAC,CAAC,CAAC,iEAAiE;IAE5G,cAAc,CAAC,KAAc;QAC3B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;YACnC,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;YACtC,aAAa,EAAE,MAAM;YACrB,aAAa,EAAE,WAAW;YAC1B,KAAK,EAAU,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACpC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5B,CAAC,CAAA;QACF,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;IACjD,CAAC;IAES,SAAS,CAAC,IAA6B,EAAE,KAAa,EAAE,YAA2B;QAC3F,mDAAmD;QACnD,MAAM,GAAG,GAAM,IAAI,CAAC,KAAK,CAAwB,IAAI,EAAE,CAAA;QACvD,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,IAAI,CAAA;QAC3D,MAAM,IAAI,GAAK,IAAI,CAAC,MAAM,CAA2D,CAAA;QAErF,OAAO,IAAI,UAAU,CAAC;YACpB,EAAE,EAAQ,GAAG;YACb,IAAI,EAAM,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI;YACzF,KAAK;YACL,MAAM,EAAI,IAAI,EAAE,gCAAgC;YAChD,QAAQ,EAAE,IAAI;YACd,KAAK;YACL,YAAY;YACZ,GAAG,EAAE,IAAI;SACV,CAAC,CAAA;IACJ,CAAC;IAED,4FAA4F;IAC5F,KAAK,CAAC,IAAI,CAAC,aAAyE;QAClF,MAAM,IAAI,GAAG,OAAO,aAAa,KAAK,QAAQ;YAC5C,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,IAAK,aAAa,CAAC,IAA2C,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QAEzG,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;QAE9E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAA;QAErE,qEAAqE;QACrE,qCAAqC;QACrC,MAAM,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAA;QACnD,MAAM,QAAQ,GAA4B,EAAE,GAAG,OAAO,EAAE,CAAA;QAExD,wEAAwE;QACxE,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,GAAG,aAAa,CAAC,IAA+B,CAAA;YAC1D,IAAI,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjB,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;gBACvF,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,CAAA;YACzB,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAA;IAC5D,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,IAAY;QACnC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE;gBACvC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;oBACnC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;oBACvC,IAAI;oBACJ,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;oBACtC,UAAU,EAAK,oBAAoB;iBACpC,CAAC;aACH,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAA;YACxB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2B,CAAA;YACtD,IAAI,CAAC,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAA;YAC/B,iCAAiC;YACjC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YAC3C,IAAI,CAAC,OAAO;gBAAE,OAAO,IAAI,CAAA;YACzB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA4B,CAAA;QAClG,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"apple.js","sourceRoot":"","sources":["../../src/drivers/apple.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAA6D,MAAM,cAAc,CAAA;AACzG,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAuC9C,MAAM,YAAY,GAAG,2BAA2B,CAAA;AAChD,MAAM,UAAU,GAAK,qCAAqC,CAAA;AAC1D,MAAM,WAAW,GAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA,CAAE,SAAS;AAC9C,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE,CAAA;AAOtC,MAAM,OAAO,aAAc,SAAQ,eAAe;IAChD,0EAA0E;IAC1E,+EAA+E;IACvE,MAAM,CAAC,UAAU,GAA0B,IAAI,CAAA;IAEvD,YAAY,MAA4B;QACtC,KAAK,CAAC,MAAM,CAAC,CAAA;IACf,CAAC;IAES,aAAa,KAAe,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA,CAAC,CAAC;IACtD,OAAO,KAAc,OAAO,0CAA0C,CAAA,CAAC,CAAC;IACxE,QAAQ,KAAa,OAAO,sCAAsC,CAAA,CAAC,CAAC;IAC9E,qGAAqG;IAC3F,OAAO,KAAc,OAAO,EAAE,CAAA,CAAC,CAAC;IAEvB,eAAe;QAChC,uEAAuE;QACvE,wEAAwE;QACxE,4BAA4B;QAC5B,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,CAAA;IACvC,CAAC;IAES,SAAS,CAAC,IAA6B,EAAE,KAAa,EAAE,YAA2B;QAC3F,MAAM,GAAG,GAAM,IAAI,CAAC,KAAK,CAAwB,IAAI,EAAE,CAAA;QACvD,MAAM,KAAK,GAAI,IAAI,CAAC,OAAO,CAAwB,IAAI,IAAI,CAAA;QAC3D,MAAM,IAAI,GAAI,IAAI,CAAC,MAAM,CAA0D,CAAA;QAEnF,OAAO,IAAI,UAAU,CAAC;YACpB,EAAE,EAAQ,GAAG;YACb,IAAI,EAAM,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI;YACzF,KAAK;YACL,MAAM,EAAI,IAAI,EAAG,gCAAgC;YACjD,QAAQ,EAAE,IAAI;YACd,KAAK;YACL,YAAY;YACZ,GAAG,EAAE,IAAI;SACV,CAAC,CAAA;IACJ,CAAC;IAED;;;;;;OAMG;IACM,KAAK,CAAC,IAAI,CAAC,aAAgD;QAClE,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;YACtC,qEAAqE;YACrE,yEAAyE;YACzE,IAAI,CAAC,oBAAoB,CAAC,aAAa,CAAC,CAAA;QAC1C,CAAC;QAED,MAAM,IAAI,GAAG,OAAO,aAAa,KAAK,QAAQ;YAC5C,CAAC,CAAC,aAAa;YACf,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,IAAK,aAAa,CAAC,IAA2C,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QAEzG,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;QAE9E,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QACzE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAA;QAEjD,MAAM,QAAQ,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAA;QAEvD,6EAA6E;QAC7E,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,aAAa,CAAC,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,GAAG,aAAa,CAAC,IAA+B,CAAA;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAA;YAC9B,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;oBAChF,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,IAAK,MAAkC,EAAE,CAAC;wBAC1F,QAAQ,CAAC,MAAM,CAAC,GAAI,MAAkC,CAAC,MAAM,CAAC,CAAA;oBAChE,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,0DAA0D;gBAC5D,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,WAAW,EAAE,YAAY,CAAC,CAAA;IAC5D,CAAC;IAED,0DAA0D;IAElD,KAAK,CAAC,SAAS,CAAC,IAAY;QAClC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAA;QAEpD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE;YACvD,MAAM,EAAG,MAAM;YACf,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,QAAQ,EAAQ,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,SAAS,EAAM,IAAI,CAAC,MAAM,CAAC,QAAQ;gBACnC,aAAa,EAAE,YAAY;gBAC3B,IAAI;gBACJ,YAAY,EAAG,IAAI,CAAC,MAAM,CAAC,WAAW;gBACtC,UAAU,EAAK,oBAAoB;aACpC,CAAC;SACH,CAAC,CAAA;QAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QAExD,MAAM,WAAW,GAAI,IAAI,CAAC,cAAc,CAAC,CAAA;QACzC,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CAAC,CAAA;QAC1C,MAAM,OAAO,GAAQ,IAAI,CAAC,UAAU,CAAC,CAAA;QAErC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAA;QAC7F,CAAC;QACD,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAA;QACzF,CAAC;QAED,OAAO;YACL,WAAW;YACX,YAAY,EAAE,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;YAC/F,OAAO;SACR,CAAA;IACH,CAAC;IAED,0DAA0D;IAE1D;;;;;OAKG;IACK,KAAK,CAAC,kBAAkB;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,MAA8B,CAAA;QAC/C,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;YACjD,MAAM,IAAI,KAAK,CACb,0EAA0E;gBAC1E,+FAA+F,CAChG,CAAA;QACH,CAAC;QAED,MAAM,EAAE,gBAAgB,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAEpE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QACzC,MAAM,GAAG,GAAG,GAAG,CAAC,eAAe,IAAI,uBAAuB,CAAA;QAE1D,MAAM,MAAM,GAAI,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAA;QAC5D,MAAM,OAAO,GAAG;YACd,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,GAAG;YACd,GAAG,EAAE,YAAY;YACjB,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;SAC1B,CAAA;QAED,MAAM,SAAS,GAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAC9E,MAAM,UAAU,GAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAC/E,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAA;QAEjD,IAAI,GAAG,CAAA;QACP,IAAI,CAAC;YACH,GAAG,GAAG,gBAAgB,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;QAChE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,qFAAqF;gBACrF,+CAA+C,EAC/C,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAA;QACH,CAAC;QACD,IAAI,GAAG,CAAC,iBAAiB,KAAK,IAAI,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACb,mEAAmE,GAAG,CAAC,iBAAiB,IAAI,SAAS,GAAG,CACzG,CAAA;QACH,CAAC;QAED,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;QACnC,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;QAC3B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,YAAY,EAAE,EAAE,WAAW,CAAC,CAAA;QAE9E,OAAO,GAAG,YAAY,IAAI,SAAS,EAAE,CAAA;IACvC,CAAC;IAED,0DAA0D;IAE1D;;;;OAIG;IACK,KAAK,CAAC,cAAc,CAAC,OAAe;QAC1C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAA;QAC1F,CAAC;QACD,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAiC,CAAA;QAE/E,IAAI,MAAsC,CAAA;QAC1C,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAmC,CAAA;QAC7G,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAA;QACnF,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,wDAAwD,MAAM,CAAC,GAAG,IAAI,EAAE,qBAAqB,CAAC,CAAA;QAChH,CAAC;QACD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;QAC/E,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACnD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,gEAAgE,MAAM,CAAC,GAAG,IAAI,CAAC,CAAA;QACjG,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QAErE,IAAI,SAAS,CAAA;QACb,IAAI,CAAC;YACH,wEAAwE;YACxE,iEAAiE;YACjE,yEAAyE;YACzE,SAAS,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,GAAY,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;QACnE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,wEAAwE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QAC3G,CAAC;QAED,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAA;QACvC,QAAQ,CAAC,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC,CAAA;QAC7C,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,EAAE,WAAW,CAAC,EAAE,CAAC;YAC3D,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAA;QACxF,CAAC;QAED,IAAI,MAA0B,CAAA;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAuB,CAAA;QAClG,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;QACpF,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,KAAK,YAAY,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,6CAA6C,MAAM,CAAC,GAAG,IAAI,EAAE,qBAAqB,YAAY,IAAI,CAAC,CAAA;QACrH,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAA;QACxC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;YAC1C,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;YAClC,CAAC,CAAC,MAAM,CAAC,GAAG,KAAK,WAAW,CAAA;QAC9B,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAA;QACtF,CAAC;QAED,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;QACvF,CAAC;QAED,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;QACtE,CAAC;QAED,OAAO,MAAM,CAAA;IACf,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAAC,GAAW;QACxC,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAA;QACtC,IAAI,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,WAAW,EAAE,CAAC;YACxD,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAA;YACnB,oEAAoE;QACtE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;QAChG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAA;QAC5D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2B,CAAA;QACtD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAA;QACtD,MAAM,GAAG,GAAI,IAAI,GAAG,EAAoB,CAAA;QACxC,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACrB,IAAI,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;QAClD,CAAC;QAED,aAAa,CAAC,UAAU,GAAG,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAA;QAC/D,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACrB,CAAC;IAED,gCAAgC;IAChC,MAAM,CAAC,eAAe;QACpB,aAAa,CAAC,UAAU,GAAG,IAAI,CAAA;IACjC,CAAC"}

package/dist/drivers/github.js

@@ -39,7 +39,7 @@ export class GitHubProvider extends SocialiteDriver {
     }
     async fetchPrimaryEmail(token) {
         try {
-            const res = await fetch('https://api.github.com/user/emails', {
+            const res = await this.fetchWithTimeout('https://api.github.com/user/emails', {
                 headers: { 'Authorization': `Bearer ${token}`, 'Accept': 'application/json' },
             });
             if (!res.ok)

package/dist/drivers/github.js.map

@@ -1 +1 @@
-{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/drivers/github.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,MAAM,OAAO,cAAe,SAAQ,eAAe;IACvC,aAAa,KAAe,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA,CAAC,CAAC;IAChE,OAAO,KAAc,OAAO,0CAA0C,CAAA,CAAC,CAAC;IACxE,QAAQ,KAAa,OAAO,6CAA6C,CAAA,CAAC,CAAC;IAC3E,OAAO,KAAc,OAAO,6BAA6B,CAAA,CAAC,CAAC;IAE3D,SAAS,CAAC,IAA6B,EAAE,KAAa,EAAE,YAA2B;QAC3F,OAAO,IAAI,UAAU,CAAC;YACpB,EAAE,EAAQ,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,EAAO,IAAI,CAAC,MAAM,CAAmB,IAAI,IAAI;YACjD,KAAK,EAAM,IAAI,CAAC,OAAO,CAAmB,IAAI,IAAI;YAClD,MAAM,EAAK,IAAI,CAAC,YAAY,CAAmB,IAAI,IAAI;YACvD,QAAQ,EAAG,IAAI,CAAC,OAAO,CAAmB,IAAI,IAAI;YAClD,KAAK;YACL,YAAY;YACZ,GAAG,EAAE,IAAI;SACV,CAAC,CAAA;IACJ,CAAC;IAED,iGAAiG;IACjG,KAAK,CAAC,IAAI,CAAC,aAAyD;QAClE,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QAClD,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;YAC5D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,IAAI,UAAU,CAAC;oBACpB,EAAE,EAAQ,UAAU,CAAC,KAAK,EAAE;oBAC5B,IAAI,EAAM,UAAU,CAAC,OAAO,EAAE;oBAC9B,KAAK;oBACL,MAAM,EAAI,UAAU,CAAC,SAAS,EAAE;oBAChC,QAAQ,EAAE,UAAU,CAAC,WAAW,EAAE;oBAClC,KAAK,EAAK,UAAU,CAAC,KAAK;oBAC1B,YAAY,EAAE,UAAU,CAAC,YAAY;oBACrC,GAAG,EAAE,EAAE,GAAG,UAAU,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE;iBACvC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QACD,OAAO,UAAU,CAAA;IACnB,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,KAAa;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,oCAAoC,EAAE;gBAC5D,OAAO,EAAE,EAAE,eAAe,EAAE,UAAU,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;aAC9E,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAA;YACxB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8D,CAAA;YAC3F,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAA;YACzD,OAAO,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../../src/drivers/github.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,MAAM,OAAO,cAAe,SAAQ,eAAe;IACvC,aAAa,KAAe,OAAO,CAAC,WAAW,EAAE,YAAY,CAAC,CAAA,CAAC,CAAC;IAChE,OAAO,KAAc,OAAO,0CAA0C,CAAA,CAAC,CAAC;IACxE,QAAQ,KAAa,OAAO,6CAA6C,CAAA,CAAC,CAAC;IAC3E,OAAO,KAAc,OAAO,6BAA6B,CAAA,CAAC,CAAC;IAE3D,SAAS,CAAC,IAA6B,EAAE,KAAa,EAAE,YAA2B;QAC3F,OAAO,IAAI,UAAU,CAAC;YACpB,EAAE,EAAQ,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,IAAI,EAAO,IAAI,CAAC,MAAM,CAAmB,IAAI,IAAI;YACjD,KAAK,EAAM,IAAI,CAAC,OAAO,CAAmB,IAAI,IAAI;YAClD,MAAM,EAAK,IAAI,CAAC,YAAY,CAAmB,IAAI,IAAI;YACvD,QAAQ,EAAG,IAAI,CAAC,OAAO,CAAmB,IAAI,IAAI;YAClD,KAAK;YACL,YAAY;YACZ,GAAG,EAAE,IAAI;SACV,CAAC,CAAA;IACJ,CAAC;IAED,iGAAiG;IACjG,KAAK,CAAC,IAAI,CAAC,aAAyD;QAClE,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;QAClD,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC;YAC3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAA;YAC5D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,IAAI,UAAU,CAAC;oBACpB,EAAE,EAAQ,UAAU,CAAC,KAAK,EAAE;oBAC5B,IAAI,EAAM,UAAU,CAAC,OAAO,EAAE;oBAC9B,KAAK;oBACL,MAAM,EAAI,UAAU,CAAC,SAAS,EAAE;oBAChC,QAAQ,EAAE,UAAU,CAAC,WAAW,EAAE;oBAClC,KAAK,EAAK,UAAU,CAAC,KAAK;oBAC1B,YAAY,EAAE,UAAU,CAAC,YAAY;oBACrC,GAAG,EAAE,EAAE,GAAG,UAAU,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE;iBACvC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QACD,OAAO,UAAU,CAAA;IACnB,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,KAAa;QAC3C,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,oCAAoC,EAAE;gBAC5E,OAAO,EAAE,EAAE,eAAe,EAAE,UAAU,KAAK,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;aAC9E,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAA;YACxB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,EAA8D,CAAA;YAC3F,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAA;YACzD,OAAO,OAAO,EAAE,KAAK,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,IAAI,CAAA;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;CACF"}

package/dist/index.d.ts

@@ -1,12 +1,13 @@
 import { ServiceProvider } from '@rudderjs/core';
 import { SocialiteDriver, type SocialiteDriverConfig } from './driver.js';
 export { SocialUser } from './social-user.js';
-export { SocialiteDriver } from './driver.js';
+export { SocialiteDriver, InvalidStateException } from './driver.js';
 export { GitHubProvider } from './drivers/github.js';
 export { GoogleProvider } from './drivers/google.js';
 export { FacebookProvider } from './drivers/facebook.js';
 export { AppleProvider } from './drivers/apple.js';
-export type { SocialiteDriverConfig } from './driver.js';
+export type { SocialiteDriverConfig, SocialiteCallbackRequest, SocialiteHttpErrorCause } from './driver.js';
+export type { AppleSocialiteConfig } from './drivers/apple.js';
 type DriverFactory = (config: SocialiteDriverConfig) => SocialiteDriver;
 export declare class Socialite {
     private static _config;

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAU,MAAM,gBAAgB,CAAA;AACxD,OAAO,EAAE,eAAe,EAAE,KAAK,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAQzE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAElD,YAAY,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAIxD,KAAK,aAAa,GAAG,CAAC,MAAM,EAAE,qBAAqB,KAAK,eAAe,CAAA;AAWvE,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAC,OAAO,CAAsB;IAC5C,OAAO,CAAC,MAAM,CAAC,OAAO,CAAmC;IACzD,OAAO,CAAC,MAAM,CAAC,UAAU,CAAqC;IAE9D,+CAA+C;IAC/C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;IAe5C,sCAAsC;IACtC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,IAAI;IAIzD,wDAAwD;IACxD,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI;IAK/C,qCAAqC;IACrC,MAAM,CAAC,KAAK,IAAI,IAAI;CAKrB;AAID,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAA;AAInE;;;;;;;;;;GAUG;AACH,qBAAa,iBAAkB,SAAQ,eAAe;IACpD,QAAQ,IAAI,IAAI;IAEV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAK5B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAU,MAAM,gBAAgB,CAAA;AACxD,OAAO,EAAE,eAAe,EAAE,KAAK,qBAAqB,EAAE,MAAM,aAAa,CAAA;AAQzE,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAElD,YAAY,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAA;AAC3G,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAA;AAI9D,KAAK,aAAa,GAAG,CAAC,MAAM,EAAE,qBAAqB,KAAK,eAAe,CAAA;AAWvE,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAC,OAAO,CAAsB;IAC5C,OAAO,CAAC,MAAM,CAAC,OAAO,CAAmC;IACzD,OAAO,CAAC,MAAM,CAAC,UAAU,CAAqC;IAE9D,+CAA+C;IAC/C,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe;IAe5C,sCAAsC;IACtC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,GAAG,IAAI;IAQzD,wDAAwD;IACxD,MAAM,CAAC,SAAS,CAAC,MAAM,EAAE,eAAe,GAAG,IAAI;IAK/C,qCAAqC;IACrC,MAAM,CAAC,KAAK,IAAI,IAAI;CAKrB;AAID,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAA;AAInE;;;;;;;;;;GAUG;AACH,qBAAa,iBAAkB,SAAQ,eAAe;IACpD,QAAQ,IAAI,IAAI;IAEV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAK5B"}

package/dist/index.js

@@ -5,7 +5,7 @@ import { FacebookProvider } from './drivers/facebook.js';
 import { AppleProvider } from './drivers/apple.js';
 // ─── Re-exports ───────────────────────────────────────────
 export { SocialUser } from './social-user.js';
-export { SocialiteDriver } from './driver.js';
+export { SocialiteDriver, InvalidStateException } from './driver.js';
 export { GitHubProvider } from './drivers/github.js';
 export { GoogleProvider } from './drivers/google.js';
 export { FacebookProvider } from './drivers/facebook.js';
@@ -39,6 +39,10 @@ export class Socialite {
     /** Register a custom OAuth driver. */
     static extend(name, factory) {
         this._custom.set(name, factory);
+        // Drop any previously cached instance so the next driver(name) call uses
+        // the new factory. Without this, calling extend() after driver() is silent
+        // no-op and the old driver lingers (bites hot-reload + runtime override).
+        this._instances.delete(name);
     }
     /** @internal — set config from the service provider. */
     static configure(config) {

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAExD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAElD,6DAA6D;AAE7D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAQlD,MAAM,cAAc,GAAkC;IACpD,MAAM,EAAI,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC;IACtC,MAAM,EAAI,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC;IACtC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC;IACxC,KAAK,EAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC;CACtC,CAAA;AAED,6DAA6D;AAE7D,MAAM,OAAO,SAAS;IACZ,MAAM,CAAC,OAAO,GAAoB,EAAE,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAA;IACjD,MAAM,CAAC,UAAU,GAAG,IAAI,GAAG,EAA2B,CAAA;IAE9D,+CAA+C;IAC/C,MAAM,CAAC,MAAM,CAAC,IAAY;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAC1C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAA;QAE7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACjC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,IAAI,sBAAsB,CAAC,CAAA;QAE1F,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAA;QAC9D,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,uDAAuD,CAAC,CAAA;QAEpI,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;QAChC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACnC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,sCAAsC;IACtC,MAAM,CAAC,MAAM,CAAC,IAAY,EAAE,OAAsB;QAChD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IACjC,CAAC;IAED,wDAAwD;IACxD,MAAM,CAAC,SAAS,CAAC,MAAuB;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAA;QACrB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;IAED,qCAAqC;IACrC,MAAM,CAAC,KAAK;QACV,IAAI,CAAC,OAAO,GAAG,EAAE,CAAA;QACjB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA;QACpB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;;AAOH,6DAA6D;AAE7D;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAkB,SAAQ,eAAe;IACpD,QAAQ,KAAU,CAAC;IAEnB,KAAK,CAAC,IAAI;QACR,MAAM,GAAG,GAAG,MAAM,CAAkB,WAAW,CAAC,CAAA;QAChD,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QACxB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IAC3C,CAAC;CACF"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAExD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AAElD,6DAA6D;AAE7D,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AASlD,MAAM,cAAc,GAAkC;IACpD,MAAM,EAAI,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC;IACtC,MAAM,EAAI,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC;IACtC,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC;IACxC,KAAK,EAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC;CACtC,CAAA;AAED,6DAA6D;AAE7D,MAAM,OAAO,SAAS;IACZ,MAAM,CAAC,OAAO,GAAoB,EAAE,CAAA;IACpC,MAAM,CAAC,OAAO,GAAG,IAAI,GAAG,EAAyB,CAAA;IACjD,MAAM,CAAC,UAAU,GAAG,IAAI,GAAG,EAA2B,CAAA;IAE9D,+CAA+C;IAC/C,MAAM,CAAC,MAAM,CAAC,IAAY;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QAC1C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAA;QAE7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;QACjC,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,IAAI,sBAAsB,CAAC,CAAA;QAE1F,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAA;QAC9D,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,0CAA0C,IAAI,uDAAuD,CAAC,CAAA;QAEpI,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAA;QAChC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QACnC,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,sCAAsC;IACtC,MAAM,CAAC,MAAM,CAAC,IAAY,EAAE,OAAsB;QAChD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC/B,yEAAyE;QACzE,2EAA2E;QAC3E,0EAA0E;QAC1E,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;IAC9B,CAAC;IAED,wDAAwD;IACxD,MAAM,CAAC,SAAS,CAAC,MAAuB;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAA;QACrB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;IAED,qCAAqC;IACrC,MAAM,CAAC,KAAK;QACV,IAAI,CAAC,OAAO,GAAG,EAAE,CAAA;QACjB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA;QACpB,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAA;IACzB,CAAC;;AAOH,6DAA6D;AAE7D;;;;;;;;;;GAUG;AACH,MAAM,OAAO,iBAAkB,SAAQ,eAAe;IACpD,QAAQ,KAAU,CAAC;IAEnB,KAAK,CAAC,IAAI;QACR,MAAM,GAAG,GAAG,MAAM,CAAkB,WAAW,CAAC,CAAA;QAChD,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QACxB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IAC3C,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rudderjs/socialite",
-  "version": "1.0.1",
+  "version": "2.0.0",
   "rudderjs": {
     "provider": "SocialiteProvider",
     "stage": "feature"
@@ -25,11 +25,20 @@
     }
   },
   "dependencies": {
-    "@rudderjs/core": "^1.1.2"
+    "@rudderjs/core": "^1.1.4"
+  },
+  "peerDependencies": {
+    "@rudderjs/session": "^2.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@rudderjs/session": {
+      "optional": false
+    }
   },
   "devDependencies": {
     "@types/node": "^20.0.0",
-    "typescript": "^5.4.0"
+    "typescript": "^5.4.0",
+    "@rudderjs/session": "^2.0.0"
   },
   "author": "Suleiman Shahbari",
   "scripts": {