@sirketio/auth 0.0.1

package/dist/plugins/magic-link/index.mjs

@@ -0,0 +1,177 @@
+import { originCheck } from "../../api/middlewares/origin-check.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
+import "../../crypto/index.mjs";
+import { setSessionCookie } from "../../cookies/index.mjs";
+import "../../api/index.mjs";
+import { defaultKeyHasher } from "./utils.mjs";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+
+//#region src/plugins/magic-link/index.ts
+const signInMagicLinkBodySchema = z.object({
+	email: z.email().meta({ description: "Email address to send the magic link" }),
+	name: z.string().meta({ description: "User display name. Only used if the user is registering for the first time. Eg: \"my-name\"" }).optional(),
+	callbackURL: z.string().meta({ description: "URL to redirect after magic link verification" }).optional(),
+	newUserCallbackURL: z.string().meta({ description: "URL to redirect after new user signup. Only used if the user is registering for the first time." }).optional(),
+	errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional()
+});
+const magicLinkVerifyQuerySchema = z.object({
+	token: z.string().meta({ description: "Verification token" }),
+	callbackURL: z.string().meta({ description: "URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"" }).optional(),
+	errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional(),
+	newUserCallbackURL: z.string().meta({ description: "URL to redirect after new user signup. Only used if the user is registering for the first time." }).optional()
+});
+const magicLink = (options) => {
+	const opts = {
+		storeToken: "plain",
+		allowedAttempts: 1,
+		...options
+	};
+	async function storeToken(ctx, token) {
+		if (opts.storeToken === "hashed") return await defaultKeyHasher(token);
+		if (typeof opts.storeToken === "object" && "type" in opts.storeToken && opts.storeToken.type === "custom-hasher") return await opts.storeToken.hash(token);
+		return token;
+	}
+	return {
+		id: "magic-link",
+		endpoints: {
+			signInMagicLink: createAuthEndpoint("/sign-in/magic-link", {
+				method: "POST",
+				requireHeaders: true,
+				body: signInMagicLinkBodySchema,
+				metadata: { openapi: {
+					operationId: "signInWithMagicLink",
+					description: "Sign in with magic link",
+					responses: { 200: {
+						description: "Success",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: { status: { type: "boolean" } }
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const { email } = ctx.body;
+				const verificationToken = opts?.generateToken ? await opts.generateToken(email) : generateRandomString(32, "a-z", "A-Z");
+				const storedToken = await storeToken(ctx, verificationToken);
+				await ctx.context.internalAdapter.createVerificationValue({
+					identifier: storedToken,
+					value: JSON.stringify({
+						email,
+						name: ctx.body.name,
+						attempt: 0
+					}),
+					expiresAt: new Date(Date.now() + (opts.expiresIn || 300) * 1e3)
+				});
+				const realBaseURL = new URL(ctx.context.baseURL);
+				const pathname = realBaseURL.pathname === "/" ? "" : realBaseURL.pathname;
+				const basePath = pathname ? "" : ctx.context.options.basePath || "";
+				const url = new URL(`${pathname}${basePath}/magic-link/verify`, realBaseURL.origin);
+				url.searchParams.set("token", verificationToken);
+				url.searchParams.set("callbackURL", ctx.body.callbackURL || "/");
+				if (ctx.body.newUserCallbackURL) url.searchParams.set("newUserCallbackURL", ctx.body.newUserCallbackURL);
+				if (ctx.body.errorCallbackURL) url.searchParams.set("errorCallbackURL", ctx.body.errorCallbackURL);
+				await options.sendMagicLink({
+					email,
+					url: url.toString(),
+					token: verificationToken
+				}, ctx);
+				return ctx.json({ status: true });
+			}),
+			magicLinkVerify: createAuthEndpoint("/magic-link/verify", {
+				method: "GET",
+				query: magicLinkVerifyQuerySchema,
+				use: [
+					originCheck((ctx) => {
+						return ctx.query.callbackURL ? decodeURIComponent(ctx.query.callbackURL) : "/";
+					}),
+					originCheck((ctx) => {
+						return ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : "/";
+					}),
+					originCheck((ctx) => {
+						return ctx.query.errorCallbackURL ? decodeURIComponent(ctx.query.errorCallbackURL) : "/";
+					})
+				],
+				requireHeaders: true,
+				metadata: { openapi: {
+					operationId: "verifyMagicLink",
+					description: "Verify magic link",
+					responses: { 200: {
+						description: "Success",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								session: { $ref: "#/components/schemas/Session" },
+								user: { $ref: "#/components/schemas/User" }
+							}
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const token = ctx.query.token;
+				const callbackURL = new URL(ctx.query.callbackURL ? decodeURIComponent(ctx.query.callbackURL) : "/", ctx.context.baseURL).toString();
+				const errorCallbackURL = new URL(ctx.query.errorCallbackURL ? decodeURIComponent(ctx.query.errorCallbackURL) : callbackURL, ctx.context.baseURL);
+				function redirectWithError(error) {
+					errorCallbackURL.searchParams.set("error", error);
+					throw ctx.redirect(errorCallbackURL.toString());
+				}
+				const newUserCallbackURL = new URL(ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : callbackURL, ctx.context.baseURL).toString();
+				const storedToken = await storeToken(ctx, token);
+				const tokenValue = await ctx.context.internalAdapter.findVerificationValue(storedToken);
+				if (!tokenValue) redirectWithError("INVALID_TOKEN");
+				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) {
+					await ctx.context.internalAdapter.deleteVerificationValue(tokenValue.id);
+					redirectWithError("EXPIRED_TOKEN");
+				}
+				const { email, name, attempt = 0 } = JSON.parse(tokenValue.value);
+				if (attempt >= opts.allowedAttempts) {
+					await ctx.context.internalAdapter.deleteVerificationValue(tokenValue.id);
+					redirectWithError("ATTEMPTS_EXCEEDED");
+				}
+				await ctx.context.internalAdapter.updateVerificationValue(tokenValue.id, { value: JSON.stringify({
+					email,
+					name,
+					attempt: attempt + 1
+				}) });
+				let isNewUser = false;
+				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);
+				if (!user) if (!opts.disableSignUp) {
+					const newUser = await ctx.context.internalAdapter.createUser({
+						email,
+						emailVerified: true,
+						name: name || ""
+					});
+					isNewUser = true;
+					user = newUser;
+					if (!user) redirectWithError("failed_to_create_user");
+				} else redirectWithError("new_user_signup_disabled");
+				if (!user.emailVerified) user = await ctx.context.internalAdapter.updateUser(user.id, { emailVerified: true });
+				const session = await ctx.context.internalAdapter.createSession(user.id);
+				if (!session) redirectWithError("failed_to_create_session");
+				await setSessionCookie(ctx, {
+					session,
+					user
+				});
+				if (!ctx.query.callbackURL) return ctx.json({
+					token: session.token,
+					user: parseUserOutput(ctx.context.options, user)
+				});
+				if (isNewUser) throw ctx.redirect(newUserCallbackURL);
+				throw ctx.redirect(callbackURL);
+			})
+		},
+		rateLimit: [{
+			pathMatcher(path) {
+				return path.startsWith("/sign-in/magic-link") || path.startsWith("/magic-link/verify");
+			},
+			window: opts.rateLimit?.window || 60,
+			max: opts.rateLimit?.max || 5
+		}],
+		options
+	};
+};
+
+//#endregion
+export { magicLink };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/magic-link/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/magic-link/index.ts"],"sourcesContent":["import type {\n\tAwaitable,\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport * as z from \"zod\";\nimport { originCheck } from \"../../api\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { generateRandomString } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { defaultKeyHasher } from \"./utils\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"magic-link\": {\n\t\t\tcreator: typeof magicLink;\n\t\t};\n\t}\n}\n\nexport interface MagicLinkOptions {\n\t/**\n\t * Time in seconds until the magic link expires.\n\t * @default (60 * 5) // 5 minutes\n\t */\n\texpiresIn?: number | undefined;\n\t/**\n\t * Allowed attempts for verifying the magic link token.\n\t * Note: Passing Infinity will allow unlimited attempts.\n\t * @default 1\n\t */\n\tallowedAttempts?: number;\n\t/**\n\t * Send magic link implementation.\n\t */\n\tsendMagicLink: (\n\t\tdata: {\n\t\t\temail: string;\n\t\t\turl: string;\n\t\t\ttoken: string;\n\t\t},\n\t\tctx?: GenericEndpointContext | undefined,\n\t) => Awaitable<void>;\n\t/**\n\t * Disable sign up if user is not found.\n\t *\n\t * @default false\n\t */\n\tdisableSignUp?: boolean | undefined;\n\t/**\n\t * Rate limit configuration.\n\t *\n\t * @default {\n\t *  window: 60,\n\t *  max: 5,\n\t * }\n\t */\n\trateLimit?:\n\t\t| {\n\t\t\t\twindow: number;\n\t\t\t\tmax: number;\n\t\t  }\n\t\t| undefined;\n\t/**\n\t * Custom function to generate a token\n\t */\n\tgenerateToken?: ((email: string) => Awaitable<string>) | undefined;\n\n\t/**\n\t * This option allows you to configure how the token is stored in your database.\n\t * Note: This will not affect the token that's sent, it will only affect the token stored in your database.\n\t *\n\t * @default \"plain\"\n\t */\n\tstoreToken?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { type: \"custom-hasher\"; hash: (token: string) => Promise<string> }\n\t\t  )\n\t\t| undefined;\n}\n\nconst signInMagicLinkBodySchema = z.object({\n\temail: z.email().meta({\n\t\tdescription: \"Email address to send the magic link\",\n\t}),\n\tname: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'User display name. Only used if the user is registering for the first time. Eg: \"my-name\"',\n\t\t})\n\t\t.optional(),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after magic link verification\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n});\nconst magicLinkVerifyQuerySchema = z.object({\n\ttoken: z.string().meta({\n\t\tdescription: \"Verification token\",\n\t}),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"',\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n});\nexport const magicLink = (options: MagicLinkOptions) => {\n\tconst opts = {\n\t\tstoreToken: \"plain\",\n\t\tallowedAttempts: 1,\n\t\t...options,\n\t} satisfies MagicLinkOptions;\n\n\tasync function storeToken(ctx: GenericEndpointContext, token: string) {\n\t\tif (opts.storeToken === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(token);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeToken === \"object\" &&\n\t\t\t\"type\" in opts.storeToken &&\n\t\t\topts.storeToken.type === \"custom-hasher\"\n\t\t) {\n\t\t\treturn await opts.storeToken.hash(token);\n\t\t}\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tid: \"magic-link\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/sign-in/magic-link`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.signInMagicLink`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.signIn.magicLink`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/sign-in#api-method-sign-in-magic-link)\n\t\t\t */\n\t\t\tsignInMagicLink: createAuthEndpoint(\n\t\t\t\t\"/sign-in/magic-link\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tbody: signInMagicLinkBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"signInWithMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Sign in with magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { email } = ctx.body;\n\n\t\t\t\t\tconst verificationToken = opts?.generateToken\n\t\t\t\t\t\t? await opts.generateToken(email)\n\t\t\t\t\t\t: generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst storedToken = await storeToken(ctx, verificationToken);\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tidentifier: storedToken,\n\t\t\t\t\t\tvalue: JSON.stringify({ email, name: ctx.body.name, attempt: 0 }),\n\t\t\t\t\t\texpiresAt: new Date(Date.now() + (opts.expiresIn || 60 * 5) * 1000),\n\t\t\t\t\t});\n\t\t\t\t\tconst realBaseURL = new URL(ctx.context.baseURL);\n\t\t\t\t\tconst pathname =\n\t\t\t\t\t\trealBaseURL.pathname === \"/\" ? \"\" : realBaseURL.pathname;\n\t\t\t\t\tconst basePath = pathname ? \"\" : ctx.context.options.basePath || \"\";\n\t\t\t\t\tconst url = new URL(\n\t\t\t\t\t\t`${pathname}${basePath}/magic-link/verify`,\n\t\t\t\t\t\trealBaseURL.origin,\n\t\t\t\t\t);\n\t\t\t\t\turl.searchParams.set(\"token\", verificationToken);\n\t\t\t\t\turl.searchParams.set(\"callbackURL\", ctx.body.callbackURL || \"/\");\n\t\t\t\t\tif (ctx.body.newUserCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\n\t\t\t\t\t\t\t\"newUserCallbackURL\",\n\t\t\t\t\t\t\tctx.body.newUserCallbackURL,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tif (ctx.body.errorCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\"errorCallbackURL\", ctx.body.errorCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tawait options.sendMagicLink(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\turl: url.toString(),\n\t\t\t\t\t\t\ttoken: verificationToken,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tctx,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tstatus: true,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * GET `/magic-link/verify`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.magicLinkVerify`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.magicLink.verify`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/magic-link#api-method-magic-link-verify)\n\t\t\t */\n\t\t\tmagicLinkVerify: createAuthEndpoint(\n\t\t\t\t\"/magic-link/verify\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: magicLinkVerifyQuerySchema,\n\t\t\t\t\tuse: [\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.callbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.errorCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t],\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"verifyMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Verify magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst token = ctx.query.token;\n\t\t\t\t\t// If the first argument provides the origin, it will ignore the second argument of `new URL`.\n\t\t\t\t\t// new URL(\"http://localhost:3001/hello\", \"http://localhost:3000\").toString()\n\t\t\t\t\t// Returns http://localhost:3001/hello\n\t\t\t\t\tconst callbackURL = new URL(\n\t\t\t\t\t\tctx.query.callbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t: \"/\",\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst errorCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.errorCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t);\n\n\t\t\t\t\tfunction redirectWithError(error: string): never {\n\t\t\t\t\t\terrorCallbackURL.searchParams.set(\"error\", error);\n\t\t\t\t\t\tthrow ctx.redirect(errorCallbackURL.toString());\n\t\t\t\t\t}\n\n\t\t\t\t\tconst newUserCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst storedToken = await storeToken(ctx, token);\n\t\t\t\t\tconst tokenValue =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!tokenValue) {\n\t\t\t\t\t\tredirectWithError(\"INVALID_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tif (tokenValue.expiresAt < new Date()) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\t\ttokenValue.id,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"EXPIRED_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tconst {\n\t\t\t\t\t\temail,\n\t\t\t\t\t\tname,\n\t\t\t\t\t\tattempt = 0,\n\t\t\t\t\t} = JSON.parse(tokenValue.value) as {\n\t\t\t\t\t\temail: string;\n\t\t\t\t\t\tname?: string | undefined;\n\t\t\t\t\t\tattempt?: number | undefined;\n\t\t\t\t\t};\n\t\t\t\t\tif (attempt >= opts.allowedAttempts) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\t\ttokenValue.id,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"ATTEMPTS_EXCEEDED\");\n\t\t\t\t\t}\n\t\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\t\ttokenValue.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tvalue: JSON.stringify({\n\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\t\tattempt: attempt + 1,\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\n\t\t\t\t\tlet isNewUser = false;\n\t\t\t\t\tlet user = await ctx.context.internalAdapter\n\t\t\t\t\t\t.findUserByEmail(email)\n\t\t\t\t\t\t.then((res) => res?.user);\n\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tif (!opts.disableSignUp) {\n\t\t\t\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\t\t\t\temail: email,\n\t\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t\t\tname: name || \"\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tisNewUser = true;\n\t\t\t\t\t\t\tuser = newUser;\n\t\t\t\t\t\t\tif (!user) {\n\t\t\t\t\t\t\t\tredirectWithError(\"failed_to_create_user\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tredirectWithError(\"new_user_signup_disabled\");\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!user.emailVerified) {\n\t\t\t\t\t\tuser = await ctx.context.internalAdapter.updateUser(user.id, {\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t);\n\n\t\t\t\t\tif (!session) {\n\t\t\t\t\t\tredirectWithError(\"failed_to_create_session\");\n\t\t\t\t\t}\n\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession,\n\t\t\t\t\t\tuser,\n\t\t\t\t\t});\n\t\t\t\t\tif (!ctx.query.callbackURL) {\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user),\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (isNewUser) {\n\t\t\t\t\t\tthrow ctx.redirect(newUserCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tthrow ctx.redirect(callbackURL);\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn (\n\t\t\t\t\t\tpath.startsWith(\"/sign-in/magic-link\") ||\n\t\t\t\t\t\tpath.startsWith(\"/magic-link/verify\")\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t\twindow: opts.rateLimit?.window || 60,\n\t\t\t\tmax: opts.rateLimit?.max || 5,\n\t\t\t},\n\t\t],\n\t\toptions,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;AAoFA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,OAAO,EAAE,OAAO,CAAC,KAAK,EACrB,aAAa,wCACb,CAAC;CACF,MAAM,EACJ,QAAQ,CACR,KAAK,EACL,aACC,+FACD,CAAC,CACD,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,iDACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAM,6BAA6B,EAAE,OAAO;CAC3C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,sBACb,CAAC;CACF,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aACC,kIACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAa,aAAa,YAA8B;CACvD,MAAM,OAAO;EACZ,YAAY;EACZ,iBAAiB;EACjB,GAAG;EACH;CAED,eAAe,WAAW,KAA6B,OAAe;AACrE,MAAI,KAAK,eAAe,SACvB,QAAO,MAAM,iBAAiB,MAAM;AAErC,MACC,OAAO,KAAK,eAAe,YAC3B,UAAU,KAAK,cACf,KAAK,WAAW,SAAS,gBAEzB,QAAO,MAAM,KAAK,WAAW,KAAK,MAAM;AAEzC,SAAO;;AAGR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,iBAAiB,mBAChB,uBACA;IACC,QAAQ;IACR,gBAAgB;IAChB,MAAM;IACN,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,UAAU,IAAI;IAEtB,MAAM,oBAAoB,MAAM,gBAC7B,MAAM,KAAK,cAAc,MAAM,GAC/B,qBAAqB,IAAI,OAAO,MAAM;IACzC,MAAM,cAAc,MAAM,WAAW,KAAK,kBAAkB;AAC5D,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,YAAY;KACZ,OAAO,KAAK,UAAU;MAAE;MAAO,MAAM,IAAI,KAAK;MAAM,SAAS;MAAG,CAAC;KACjE,WAAW,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,aAAa,OAAU,IAAK;KACnE,CAAC;IACF,MAAM,cAAc,IAAI,IAAI,IAAI,QAAQ,QAAQ;IAChD,MAAM,WACL,YAAY,aAAa,MAAM,KAAK,YAAY;IACjD,MAAM,WAAW,WAAW,KAAK,IAAI,QAAQ,QAAQ,YAAY;IACjE,MAAM,MAAM,IAAI,IACf,GAAG,WAAW,SAAS,qBACvB,YAAY,OACZ;AACD,QAAI,aAAa,IAAI,SAAS,kBAAkB;AAChD,QAAI,aAAa,IAAI,eAAe,IAAI,KAAK,eAAe,IAAI;AAChE,QAAI,IAAI,KAAK,mBACZ,KAAI,aAAa,IAChB,sBACA,IAAI,KAAK,mBACT;AAEF,QAAI,IAAI,KAAK,iBACZ,KAAI,aAAa,IAAI,oBAAoB,IAAI,KAAK,iBAAiB;AAEpE,UAAM,QAAQ,cACb;KACC;KACA,KAAK,IAAI,UAAU;KACnB,OAAO;KACP,EACD,IACA;AACD,WAAO,IAAI,KAAK,EACf,QAAQ,MACR,CAAC;KAEH;GAgBD,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,OAAO;IACP,KAAK;KACJ,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,cACd,mBAAmB,IAAI,MAAM,YAAY,GACzC;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,qBACd,mBAAmB,IAAI,MAAM,mBAAmB,GAChD;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,mBACd,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C;OACF;KACF;IACD,gBAAgB;IAChB,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS,EACR,MAAM,gCACN;QACD,MAAM,EACL,MAAM,6BACN;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,QAAQ,IAAI,MAAM;IAIxB,MAAM,cAAc,IAAI,IACvB,IAAI,MAAM,cACP,mBAAmB,IAAI,MAAM,YAAY,GACzC,KACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,mBAAmB,IAAI,IAC5B,IAAI,MAAM,mBACP,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C,aACH,IAAI,QAAQ,QACZ;IAED,SAAS,kBAAkB,OAAsB;AAChD,sBAAiB,aAAa,IAAI,SAAS,MAAM;AACjD,WAAM,IAAI,SAAS,iBAAiB,UAAU,CAAC;;IAGhD,MAAM,qBAAqB,IAAI,IAC9B,IAAI,MAAM,qBACP,mBAAmB,IAAI,MAAM,mBAAmB,GAChD,aACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,cAAc,MAAM,WAAW,KAAK,MAAM;IAChD,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,YACA;AACF,QAAI,CAAC,WACJ,mBAAkB,gBAAgB;AAEnC,QAAI,WAAW,4BAAY,IAAI,MAAM,EAAE;AACtC,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,uBAAkB,gBAAgB;;IAEnC,MAAM,EACL,OACA,MACA,UAAU,MACP,KAAK,MAAM,WAAW,MAAM;AAKhC,QAAI,WAAW,KAAK,iBAAiB;AACpC,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,uBAAkB,oBAAoB;;AAEvC,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,IACX,EACC,OAAO,KAAK,UAAU;KACrB;KACA;KACA,SAAS,UAAU;KACnB,CAAC,EACF,CACD;IAED,IAAI,YAAY;IAChB,IAAI,OAAO,MAAM,IAAI,QAAQ,gBAC3B,gBAAgB,MAAM,CACtB,MAAM,QAAQ,KAAK,KAAK;AAE1B,QAAI,CAAC,KACJ,KAAI,CAAC,KAAK,eAAe;KACxB,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;MACrD;MACP,eAAe;MACf,MAAM,QAAQ;MACd,CAAC;AACF,iBAAY;AACZ,YAAO;AACP,SAAI,CAAC,KACJ,mBAAkB,wBAAwB;UAG3C,mBAAkB,2BAA2B;AAI/C,QAAI,CAAC,KAAK,cACT,QAAO,MAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,IAAI,EAC5D,eAAe,MACf,CAAC;IAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,GACL;AAED,QAAI,CAAC,QACJ,mBAAkB,2BAA2B;AAG9C,UAAM,iBAAiB,KAAK;KAC3B;KACA;KACA,CAAC;AACF,QAAI,CAAC,IAAI,MAAM,YACd,QAAO,IAAI,KAAK;KACf,OAAO,QAAQ;KACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK;KAChD,CAAC;AAEH,QAAI,UACH,OAAM,IAAI,SAAS,mBAAmB;AAEvC,UAAM,IAAI,SAAS,YAAY;KAEhC;GACD;EACD,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WACC,KAAK,WAAW,sBAAsB,IACtC,KAAK,WAAW,qBAAqB;;GAGvC,QAAQ,KAAK,WAAW,UAAU;GAClC,KAAK,KAAK,WAAW,OAAO;GAC5B,CACD;EACD;EACA"}

package/dist/plugins/magic-link/utils.mjs

@@ -0,0 +1,12 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
+
+//#region src/plugins/magic-link/utils.ts
+const defaultKeyHasher = async (otp) => {
+	const hash = await createHash("SHA-256").digest(new TextEncoder().encode(otp));
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+};
+
+//#endregion
+export { defaultKeyHasher };
+//# sourceMappingURL=utils.mjs.map

package/dist/plugins/magic-link/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../../src/plugins/magic-link/utils.ts"],"sourcesContent":["import { base64Url } from \"@better-auth/utils/base64\";\nimport { createHash } from \"@better-auth/utils/hash\";\n\nexport const defaultKeyHasher = async (otp: string) => {\n\tconst hash = await createHash(\"SHA-256\").digest(\n\t\tnew TextEncoder().encode(otp),\n\t);\n\tconst hashed = base64Url.encode(new Uint8Array(hash), {\n\t\tpadding: false,\n\t});\n\treturn hashed;\n};\n"],"mappings":";;;;AAGA,MAAa,mBAAmB,OAAO,QAAgB;CACtD,MAAM,OAAO,MAAM,WAAW,UAAU,CAAC,OACxC,IAAI,aAAa,CAAC,OAAO,IAAI,CAC7B;AAID,QAHe,UAAU,OAAO,IAAI,WAAW,KAAK,EAAE,EACrD,SAAS,OACT,CAAC"}

package/dist/plugins/mcp/authorize.mjs

@@ -0,0 +1,133 @@
+import { generateRandomString } from "../../crypto/random.mjs";
+import "../../crypto/index.mjs";
+import { getSessionFromCtx } from "../../api/routes/session.mjs";
+import "../../api/index.mjs";
+import { APIError } from "@better-auth/core/error";
+
+//#region src/plugins/mcp/authorize.ts
+function redirectErrorURL(url, error, description) {
+	return `${url}${url.includes("?") ? "&" : "?"}error=${error}&error_description=${description}`;
+}
+async function authorizeMCPOAuth(ctx, options) {
+	ctx.setHeader("Access-Control-Allow-Origin", "*");
+	ctx.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
+	ctx.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
+	ctx.setHeader("Access-Control-Max-Age", "86400");
+	const opts = {
+		codeExpiresIn: 600,
+		defaultScope: "openid",
+		...options,
+		scopes: [
+			"openid",
+			"profile",
+			"email",
+			"offline_access",
+			...options?.scopes || []
+		]
+	};
+	if (!ctx.request) throw new APIError("UNAUTHORIZED", {
+		error_description: "request not found",
+		error: "invalid_request"
+	});
+	const session = await getSessionFromCtx(ctx);
+	if (!session) {
+		/**
+		* If the user is not logged in, we need to redirect them to the
+		* login page.
+		*/
+		await ctx.setSignedCookie("oidc_login_prompt", JSON.stringify(ctx.query), ctx.context.secret, {
+			maxAge: 600,
+			path: "/",
+			sameSite: "lax"
+		});
+		const queryFromURL = ctx.request.url?.split("?")[1];
+		throw ctx.redirect(`${options.loginPage}?${queryFromURL}`);
+	}
+	const query = ctx.query;
+	if (!query.client_id) throw ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);
+	if (!query.response_type) throw ctx.redirect(redirectErrorURL(`${ctx.context.baseURL}/error`, "invalid_request", "response_type is required"));
+	const client = await ctx.context.adapter.findOne({
+		model: "oauthApplication",
+		where: [{
+			field: "clientId",
+			value: ctx.query.client_id
+		}]
+	}).then((res) => {
+		if (!res) return null;
+		return {
+			...res,
+			redirectUrls: res.redirectUrls.split(","),
+			metadata: res.metadata ? JSON.parse(res.metadata) : {}
+		};
+	});
+	if (!client) throw ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);
+	const redirectURI = client.redirectUrls.find((url) => url === ctx.query.redirect_uri);
+	if (!redirectURI || !query.redirect_uri)
+ /**
+	* show UI error here warning the user that the redirect URI is invalid
+	*/
+	throw new APIError("BAD_REQUEST", { message: "Invalid redirect URI" });
+	if (client.disabled) throw ctx.redirect(`${ctx.context.baseURL}/error?error=client_disabled`);
+	if (query.response_type !== "code") throw ctx.redirect(`${ctx.context.baseURL}/error?error=unsupported_response_type`);
+	const requestScope = query.scope?.split(" ").filter((s) => s) || opts.defaultScope.split(" ");
+	const invalidScopes = requestScope.filter((scope) => {
+		return !opts.scopes.includes(scope);
+	});
+	if (invalidScopes.length) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
+	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
+	if (!query.code_challenge_method) query.code_challenge_method = "plain";
+	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
+	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
+	const expiresAt = new Date(Date.now() + codeExpiresInMs);
+	try {
+		/**
+		* Save the code in the database
+		*/
+		await ctx.context.internalAdapter.createVerificationValue({
+			value: JSON.stringify({
+				clientId: client.clientId,
+				redirectURI: query.redirect_uri,
+				scope: requestScope,
+				userId: session.user.id,
+				authTime: new Date(session.session.createdAt).getTime(),
+				requireConsent: query.prompt === "consent",
+				state: query.prompt === "consent" ? query.state : null,
+				codeChallenge: query.code_challenge,
+				codeChallengeMethod: query.code_challenge_method,
+				nonce: query.nonce
+			}),
+			identifier: code,
+			expiresAt
+		});
+	} catch {
+		throw ctx.redirect(redirectErrorURL(query.redirect_uri, "server_error", "An error occurred while processing the request"));
+	}
+	if (query.prompt !== "consent") {
+		const redirectURIWithCode = new URL(redirectURI);
+		redirectURIWithCode.searchParams.set("code", code);
+		if (ctx.query.state) redirectURIWithCode.searchParams.set("state", ctx.query.state);
+		throw ctx.redirect(redirectURIWithCode.toString());
+	}
+	if (options?.consentPage) {
+		await ctx.setSignedCookie("oidc_consent_prompt", code, ctx.context.secret, {
+			maxAge: 600,
+			path: "/",
+			sameSite: "lax"
+		});
+		const urlParams = new URLSearchParams();
+		urlParams.set("consent_code", code);
+		urlParams.set("client_id", client.clientId);
+		urlParams.set("scope", requestScope.join(" "));
+		const consentURI = `${options.consentPage}?${urlParams.toString()}`;
+		throw ctx.redirect(consentURI);
+	}
+	const redirectURIWithCode = new URL(redirectURI);
+	redirectURIWithCode.searchParams.set("code", code);
+	if (ctx.query.state) redirectURIWithCode.searchParams.set("state", ctx.query.state);
+	throw ctx.redirect(redirectURIWithCode.toString());
+}
+
+//#endregion
+export { authorizeMCPOAuth };
+//# sourceMappingURL=authorize.mjs.map

package/dist/plugins/mcp/authorize.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorize.mjs","names":[],"sources":["../../../src/plugins/mcp/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"@better-auth/core/error\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport type { OAuthApplication } from \"../oidc-provider/schema\";\nimport type {\n\tAuthorizationQuery,\n\tClient,\n\tOIDCOptions,\n} from \"../oidc-provider/types\";\n\nfunction redirectErrorURL(url: string, error: string, description: string) {\n\treturn `${url}${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nexport async function authorizeMCPOAuth(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tctx.setHeader(\"Access-Control-Allow-Origin\", \"*\");\n\tctx.setHeader(\"Access-Control-Allow-Methods\", \"POST, OPTIONS\");\n\tctx.setHeader(\"Access-Control-Allow-Headers\", \"Content-Type, Authorization\");\n\tctx.setHeader(\"Access-Control-Max-Age\", \"86400\");\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\tthrow ctx.redirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);\n\t}\n\n\tif (!query.response_type) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\t`${ctx.context.baseURL}/error`,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"response_type is required\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst client = await ctx.context.adapter\n\t\t.findOne<OAuthApplication>({\n\t\t\tmodel: \"oauthApplication\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: ctx.query.client_id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn {\n\t\t\t\t...res,\n\t\t\t\tredirectUrls: res.redirectUrls.split(\",\"),\n\t\t\t\tmetadata: res.metadata ? JSON.parse(res.metadata) : {},\n\t\t\t} as Client;\n\t\t});\n\tif (!client) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_client`);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tthrow ctx.redirect(`${ctx.context.baseURL}/error?error=client_disabled`);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tthrow ctx.redirect(\n\t\t\t`${ctx.context.baseURL}/error?error=unsupported_response_type`,\n\t\t);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) || opts.defaultScope.split(\" \");\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"pkce is required\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * If the prompt is set to `consent`, then we need\n\t\t\t\t * to require the user to consent to the scopes.\n\t\t\t\t *\n\t\t\t\t * This means the code now needs to be treated as a\n\t\t\t\t * consent request.\n\t\t\t\t *\n\t\t\t\t * once the user consents, the code will be updated\n\t\t\t\t * with the actual code. This is to prevent the\n\t\t\t\t * client from using the code before the user\n\t\t\t\t * consents.\n\t\t\t\t */\n\t\t\t\trequireConsent: query.prompt === \"consent\",\n\t\t\t\tstate: query.prompt === \"consent\" ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\tthrow ctx.redirect(\n\t\t\tredirectErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\t// Consent is NOT required - redirect with the code immediately\n\tif (query.prompt !== \"consent\") {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tif (ctx.query.state) {\n\t\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\t}\n\t\tthrow ctx.redirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is REQUIRED - redirect to consent page or show consent HTML\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-BASED consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\tthrow ctx.redirect(consentURI);\n\t}\n\n\t// No consent page configured - fall back to direct redirect with code\n\tconst redirectURIWithCode = new URL(redirectURI);\n\tredirectURIWithCode.searchParams.set(\"code\", code);\n\tif (ctx.query.state) {\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t}\n\tthrow ctx.redirect(redirectURIWithCode.toString());\n}\n"],"mappings":";;;;;;;AAWA,SAAS,iBAAiB,KAAa,OAAe,aAAqB;AAC1E,QAAO,GAAG,MACT,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,eAAsB,kBACrB,KACA,SACC;AACD,KAAI,UAAU,+BAA+B,IAAI;AACjD,KAAI,UAAU,gCAAgC,gBAAgB;AAC9D,KAAI,UAAU,gCAAgC,8BAA8B;AAC5E,KAAI,UAAU,0BAA0B,QAAQ;CAChD,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;;;;;AAKb,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,QAAM,IAAI,SAAS,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG3D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,UACV,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,6BAA6B;AAGxE,KAAI,CAAC,MAAM,cACV,OAAM,IAAI,SACT,iBACC,GAAG,IAAI,QAAQ,QAAQ,SACvB,mBACA,4BACA,CACD;CAGF,MAAM,SAAS,MAAM,IAAI,QAAQ,QAC/B,QAA0B;EAC1B,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,IAAI,MAAM;GACjB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,IACJ,QAAO;AAER,SAAO;GACN,GAAG;GACH,cAAc,IAAI,aAAa,MAAM,IAAI;GACzC,UAAU,IAAI,WAAW,KAAK,MAAM,IAAI,SAAS,GAAG,EAAE;GACtD;GACA;AACH,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,6BAA6B;CAExE,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,SACV,OAAM,IAAI,SAAS,GAAG,IAAI,QAAQ,QAAQ,8BAA8B;AAGzE,KAAI,MAAM,kBAAkB,OAC3B,OAAM,IAAI,SACT,GAAG,IAAI,QAAQ,QAAQ,wCACvB;CAGF,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IAAI,KAAK,aAAa,MAAM,IAAI;CACzE,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,OAAM,IAAI,SACT,iBACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,OAAM,IAAI,SACT,iBACC,MAAM,cACN,mBACA,mBACA,CACD;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,OAAM,IAAI,SACT,iBACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAgB;CAC7C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;AACxD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAavD,gBAAgB,MAAM,WAAW;IACjC,OAAO,MAAM,WAAW,YAAY,MAAM,QAAQ;IAClD,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,QAAM,IAAI,SACT,iBACC,MAAM,cACN,gBACA,iDACA,CACD;;AAIF,KAAI,MAAM,WAAW,WAAW;EAC/B,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,MAAI,IAAI,MAAM,MACb,qBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAE/D,QAAM,IAAI,SAAS,oBAAoB,UAAU,CAAC;;AAInD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;EAC9C,MAAM,aAAa,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU;AAEjE,QAAM,IAAI,SAAS,WAAW;;CAI/B,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,qBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,KAAI,IAAI,MAAM,MACb,qBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAE/D,OAAM,IAAI,SAAS,oBAAoB,UAAU,CAAC"}