@sirketio/auth 0.0.1

package/dist/api/routes/callback.mjs

@@ -0,0 +1,179 @@
+import { getAwaitableValue } from "../../context/helpers.mjs";
+import { setSessionCookie } from "../../cookies/index.mjs";
+import { parseState } from "../../oauth2/state.mjs";
+import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+
+//#region src/api/routes/callback.ts
+const schema = z.object({
+	code: z.string().optional(),
+	error: z.string().optional(),
+	device_id: z.string().optional(),
+	error_description: z.string().optional(),
+	state: z.string().optional(),
+	user: z.string().optional()
+});
+const callbackOAuth = createAuthEndpoint("/callback/:id", {
+	method: ["GET", "POST"],
+	operationId: "handleOAuthCallback",
+	body: schema.optional(),
+	query: schema.optional(),
+	metadata: {
+		...HIDE_METADATA,
+		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"]
+	}
+}, async (c) => {
+	let queryOrBody;
+	const defaultErrorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	if (c.method === "POST") {
+		const postData = c.body ? schema.parse(c.body) : {};
+		const queryData = c.query ? schema.parse(c.query) : {};
+		const mergedData = schema.parse({
+			...postData,
+			...queryData
+		});
+		const params = new URLSearchParams();
+		for (const [key, value] of Object.entries(mergedData)) if (value !== void 0 && value !== null) params.set(key, String(value));
+		const redirectURL = `${c.context.baseURL}/callback/${c.params.id}?${params.toString()}`;
+		throw c.redirect(redirectURL);
+	}
+	try {
+		if (c.method === "GET") queryOrBody = schema.parse(c.query);
+		else if (c.method === "POST") queryOrBody = schema.parse(c.body);
+		else throw new Error("Unsupported method");
+	} catch (e) {
+		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
+		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
+	}
+	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
+	if (!state) {
+		c.context.logger.error("State not found", error);
+		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
+		throw c.redirect(url);
+	}
+	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp } = await parseState(c);
+	function redirectOnError(error, description) {
+		const baseURL = errorURL ?? defaultErrorURL;
+		const params = new URLSearchParams({ error });
+		if (description) params.set("error_description", description);
+		const url = `${baseURL}${baseURL.includes("?") ? "&" : "?"}${params.toString()}`;
+		throw c.redirect(url);
+	}
+	if (error) redirectOnError(error, error_description);
+	if (!code) {
+		c.context.logger.error("Code not found");
+		throw redirectOnError("no_code");
+	}
+	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
+	if (!provider) {
+		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
+		throw redirectOnError("oauth_provider_not_found");
+	}
+	let tokens;
+	try {
+		tokens = await provider.validateAuthorizationCode({
+			code,
+			codeVerifier,
+			deviceId: device_id,
+			redirectURI: `${c.context.baseURL}/callback/${provider.id}`
+		});
+	} catch (e) {
+		c.context.logger.error("", e);
+		throw redirectOnError("invalid_code");
+	}
+	if (!tokens) throw redirectOnError("invalid_code");
+	const parsedUserData = userData ? safeJSONParse(userData) : null;
+	const userInfo = await provider.getUserInfo({
+		...tokens,
+		user: parsedUserData ?? void 0
+	}).then((res) => res?.user);
+	if (!userInfo) {
+		c.context.logger.error("Unable to get user info");
+		return redirectOnError("unable_to_get_user_info");
+	}
+	if (!callbackURL) {
+		c.context.logger.error("No callback URL found");
+		throw redirectOnError("no_callback_url");
+	}
+	if (link) {
+		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
+			c.context.logger.error("Unable to link account - untrusted provider");
+			return redirectOnError("unable_to_link_account");
+		}
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		const existingAccount = await c.context.internalAdapter.findAccount(String(userInfo.id));
+		if (existingAccount) {
+			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			const updateData = Object.fromEntries(Object.entries({
+				accessToken: await setTokenUtil(tokens.accessToken, c.context),
+				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
+				idToken: tokens.idToken,
+				accessTokenExpiresAt: tokens.accessTokenExpiresAt,
+				refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
+				scope: tokens.scopes?.join(",")
+			}).filter(([_, value]) => value !== void 0));
+			await c.context.internalAdapter.updateAccount(existingAccount.id, updateData);
+		} else if (!await c.context.internalAdapter.createAccount({
+			userId: link.userId,
+			providerId: provider.id,
+			accountId: String(userInfo.id),
+			...tokens,
+			accessToken: await setTokenUtil(tokens.accessToken, c.context),
+			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
+			scope: tokens.scopes?.join(",")
+		})) return redirectOnError("unable_to_link_account");
+		let toRedirectTo;
+		try {
+			toRedirectTo = callbackURL.toString();
+		} catch {
+			toRedirectTo = callbackURL;
+		}
+		throw c.redirect(toRedirectTo);
+	}
+	if (!userInfo.email) {
+		c.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings.");
+		return redirectOnError("email_not_found");
+	}
+	const accountData = {
+		providerId: provider.id,
+		accountId: String(userInfo.id),
+		...tokens,
+		scope: tokens.scopes?.join(",")
+	};
+	const result = await handleOAuthUserInfo(c, {
+		userInfo: {
+			...userInfo,
+			id: String(userInfo.id),
+			email: userInfo.email,
+			name: userInfo.name || ""
+		},
+		account: accountData,
+		callbackURL,
+		disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
+		overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
+	});
+	if (result.error) {
+		c.context.logger.error(result.error.split(" ").join("_"));
+		return redirectOnError(result.error.split(" ").join("_"));
+	}
+	const { session, user } = result.data;
+	await setSessionCookie(c, {
+		session,
+		user
+	});
+	let toRedirectTo;
+	try {
+		toRedirectTo = (result.isRegister ? newUserURL || callbackURL : callbackURL).toString();
+	} catch {
+		toRedirectTo = result.isRegister ? newUserURL || callbackURL : callbackURL;
+	}
+	throw c.redirect(toRedirectTo);
+});
+
+//#endregion
+export { callbackOAuth };
+//# sourceMappingURL=callback.mjs.map

package/dist/api/routes/callback.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.mjs","names":[],"sources":["../../../src/api/routes/callback.ts"],"sourcesContent":["import { createAuthEndpoint } from \"@better-auth/core/api\";\nimport type { OAuth2Tokens } from \"@better-auth/core/oauth2\";\nimport { safeJSONParse } from \"@better-auth/core/utils/json\";\nimport * as z from \"zod\";\nimport { getAwaitableValue } from \"../../context/helpers\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { handleOAuthUserInfo } from \"../../oauth2/link-account\";\nimport { parseState } from \"../../oauth2/state\";\nimport { setTokenUtil } from \"../../oauth2/utils\";\nimport { HIDE_METADATA } from \"../../utils/hide-metadata\";\n\nconst schema = z.object({\n\tcode: z.string().optional(),\n\terror: z.string().optional(),\n\tdevice_id: z.string().optional(),\n\terror_description: z.string().optional(),\n\tstate: z.string().optional(),\n\tuser: z.string().optional(),\n});\n\nexport const callbackOAuth = createAuthEndpoint(\n\t\"/callback/:id\",\n\t{\n\t\tmethod: [\"GET\", \"POST\"],\n\t\toperationId: \"handleOAuthCallback\",\n\t\tbody: schema.optional(),\n\t\tquery: schema.optional(),\n\t\tmetadata: {\n\t\t\t...HIDE_METADATA,\n\t\t\tallowedMediaTypes: [\n\t\t\t\t\"application/x-www-form-urlencoded\",\n\t\t\t\t\"application/json\",\n\t\t\t],\n\t\t},\n\t},\n\tasync (c) => {\n\t\tlet queryOrBody: z.infer<typeof schema>;\n\t\tconst defaultErrorURL =\n\t\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\n\t\t// Handle POST requests by redirecting to GET to ensure cookies are sent\n\t\tif (c.method === \"POST\") {\n\t\t\tconst postData = c.body ? schema.parse(c.body) : {};\n\t\t\tconst queryData = c.query ? schema.parse(c.query) : {};\n\n\t\t\tconst mergedData = schema.parse({ ...postData, ...queryData });\n\t\t\tconst params = new URLSearchParams();\n\n\t\t\tfor (const [key, value] of Object.entries(mergedData)) {\n\t\t\t\tif (value !== undefined && value !== null) {\n\t\t\t\t\tparams.set(key, String(value));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst redirectURL = `${c.context.baseURL}/callback/${c.params.id}?${params.toString()}`;\n\t\t\tthrow c.redirect(redirectURL);\n\t\t}\n\n\t\ttry {\n\t\t\tif (c.method === \"GET\") {\n\t\t\t\tqueryOrBody = schema.parse(c.query);\n\t\t\t} else if (c.method === \"POST\") {\n\t\t\t\tqueryOrBody = schema.parse(c.body);\n\t\t\t} else {\n\t\t\t\tthrow new Error(\"Unsupported method\");\n\t\t\t}\n\t\t} catch (e) {\n\t\t\tc.context.logger.error(\"INVALID_CALLBACK_REQUEST\", e);\n\t\t\tthrow c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);\n\t\t}\n\n\t\tconst {\n\t\t\tcode,\n\t\t\terror,\n\t\t\tstate,\n\t\t\terror_description,\n\t\t\tdevice_id,\n\t\t\tuser: userData,\n\t\t} = queryOrBody;\n\n\t\tif (!state) {\n\t\t\tc.context.logger.error(\"State not found\", error);\n\t\t\tconst sep = defaultErrorURL.includes(\"?\") ? \"&\" : \"?\";\n\t\t\tconst url = `${defaultErrorURL}${sep}state=state_not_found`;\n\t\t\tthrow c.redirect(url);\n\t\t}\n\n\t\tconst {\n\t\t\tcodeVerifier,\n\t\t\tcallbackURL,\n\t\t\tlink,\n\t\t\terrorURL,\n\t\t\tnewUserURL,\n\t\t\trequestSignUp,\n\t\t} = await parseState(c);\n\n\t\tfunction redirectOnError(error: string, description?: string | undefined) {\n\t\t\tconst baseURL = errorURL ?? defaultErrorURL;\n\n\t\t\tconst params = new URLSearchParams({ error });\n\t\t\tif (description) params.set(\"error_description\", description);\n\n\t\t\tconst sep = baseURL.includes(\"?\") ? \"&\" : \"?\";\n\t\t\tconst url = `${baseURL}${sep}${params.toString()}`;\n\n\t\t\tthrow c.redirect(url);\n\t\t}\n\n\t\tif (error) {\n\t\t\tredirectOnError(error, error_description);\n\t\t}\n\n\t\tif (!code) {\n\t\t\tc.context.logger.error(\"Code not found\");\n\t\t\tthrow redirectOnError(\"no_code\");\n\t\t}\n\n\t\tconst provider = await getAwaitableValue(c.context.socialProviders, {\n\t\t\tvalue: c.params.id,\n\t\t});\n\n\t\tif (!provider) {\n\t\t\tc.context.logger.error(\n\t\t\t\t\"Oauth provider with id\",\n\t\t\t\tc.params.id,\n\t\t\t\t\"not found\",\n\t\t\t);\n\t\t\tthrow redirectOnError(\"oauth_provider_not_found\");\n\t\t}\n\n\t\tlet tokens: OAuth2Tokens | null;\n\t\ttry {\n\t\t\ttokens = await provider.validateAuthorizationCode({\n\t\t\t\tcode: code,\n\t\t\t\tcodeVerifier,\n\t\t\t\tdeviceId: device_id,\n\t\t\t\tredirectURI: `${c.context.baseURL}/callback/${provider.id}`,\n\t\t\t});\n\t\t} catch (e) {\n\t\t\tc.context.logger.error(\"\", e);\n\t\t\tthrow redirectOnError(\"invalid_code\");\n\t\t}\n\t\tif (!tokens) {\n\t\t\tthrow redirectOnError(\"invalid_code\");\n\t\t}\n\t\tconst parsedUserData = userData\n\t\t\t? safeJSONParse<{\n\t\t\t\t\tname?: {\n\t\t\t\t\t\tfirstName?: string;\n\t\t\t\t\t\tlastName?: string;\n\t\t\t\t\t};\n\t\t\t\t\temail?: string;\n\t\t\t\t}>(userData)\n\t\t\t: null;\n\n\t\tconst userInfo = await provider\n\t\t\t.getUserInfo({\n\t\t\t\t...tokens,\n\t\t\t\t/**\n\t\t\t\t * The user object from the provider\n\t\t\t\t * This is only available for some providers like Apple\n\t\t\t\t */\n\t\t\t\tuser: parsedUserData ?? undefined,\n\t\t\t})\n\t\t\t.then((res) => res?.user);\n\n\t\tif (!userInfo) {\n\t\t\tc.context.logger.error(\"Unable to get user info\");\n\t\t\treturn redirectOnError(\"unable_to_get_user_info\");\n\t\t}\n\n\t\tif (!callbackURL) {\n\t\t\tc.context.logger.error(\"No callback URL found\");\n\t\t\tthrow redirectOnError(\"no_callback_url\");\n\t\t}\n\n\t\tif (link) {\n\t\t\tconst isTrustedProvider = c.context.trustedProviders.includes(\n\t\t\t\tprovider.id,\n\t\t\t);\n\t\t\tif (\n\t\t\t\t(!isTrustedProvider && !userInfo.emailVerified) ||\n\t\t\t\tc.context.options.account?.accountLinking?.enabled === false\n\t\t\t) {\n\t\t\t\tc.context.logger.error(\"Unable to link account - untrusted provider\");\n\t\t\t\treturn redirectOnError(\"unable_to_link_account\");\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.email?.toLowerCase() !== link.email.toLowerCase() &&\n\t\t\t\tc.context.options.account?.accountLinking?.allowDifferentEmails !== true\n\t\t\t) {\n\t\t\t\treturn redirectOnError(\"email_doesn't_match\");\n\t\t\t}\n\n\t\t\tconst existingAccount = await c.context.internalAdapter.findAccount(\n\t\t\t\tString(userInfo.id),\n\t\t\t);\n\n\t\t\tif (existingAccount) {\n\t\t\t\tif (existingAccount.userId.toString() !== link.userId.toString()) {\n\t\t\t\t\treturn redirectOnError(\"account_already_linked_to_different_user\");\n\t\t\t\t}\n\t\t\t\tconst updateData = Object.fromEntries(\n\t\t\t\t\tObject.entries({\n\t\t\t\t\t\taccessToken: await setTokenUtil(tokens.accessToken, c.context),\n\t\t\t\t\t\trefreshToken: await setTokenUtil(tokens.refreshToken, c.context),\n\t\t\t\t\t\tidToken: tokens.idToken,\n\t\t\t\t\t\taccessTokenExpiresAt: tokens.accessTokenExpiresAt,\n\t\t\t\t\t\trefreshTokenExpiresAt: tokens.refreshTokenExpiresAt,\n\t\t\t\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t\t\t\t}).filter(([_, value]) => value !== undefined),\n\t\t\t\t);\n\t\t\t\tawait c.context.internalAdapter.updateAccount(\n\t\t\t\t\texistingAccount.id,\n\t\t\t\t\tupdateData,\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tconst newAccount = await c.context.internalAdapter.createAccount({\n\t\t\t\t\tuserId: link.userId,\n\t\t\t\t\tproviderId: provider.id,\n\t\t\t\t\taccountId: String(userInfo.id),\n\t\t\t\t\t...tokens,\n\t\t\t\t\taccessToken: await setTokenUtil(tokens.accessToken, c.context),\n\t\t\t\t\trefreshToken: await setTokenUtil(tokens.refreshToken, c.context),\n\t\t\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t\t\t});\n\t\t\t\tif (!newAccount) {\n\t\t\t\t\treturn redirectOnError(\"unable_to_link_account\");\n\t\t\t\t}\n\t\t\t}\n\t\t\tlet toRedirectTo: string;\n\t\t\ttry {\n\t\t\t\tconst url = callbackURL;\n\t\t\t\ttoRedirectTo = url.toString();\n\t\t\t} catch {\n\t\t\t\ttoRedirectTo = callbackURL;\n\t\t\t}\n\t\t\tthrow c.redirect(toRedirectTo);\n\t\t}\n\n\t\tif (!userInfo.email) {\n\t\t\tc.context.logger.error(\n\t\t\t\t\"Provider did not return email. This could be due to misconfiguration in the provider settings.\",\n\t\t\t);\n\t\t\treturn redirectOnError(\"email_not_found\");\n\t\t}\n\t\tconst accountData = {\n\t\t\tproviderId: provider.id,\n\t\t\taccountId: String(userInfo.id),\n\t\t\t...tokens,\n\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t};\n\t\tconst result = await handleOAuthUserInfo(c, {\n\t\t\tuserInfo: {\n\t\t\t\t...userInfo,\n\t\t\t\tid: String(userInfo.id),\n\t\t\t\temail: userInfo.email,\n\t\t\t\tname: userInfo.name || \"\",\n\t\t\t},\n\t\t\taccount: accountData,\n\t\t\tcallbackURL,\n\t\t\tdisableSignUp:\n\t\t\t\t(provider.disableImplicitSignUp && !requestSignUp) ||\n\t\t\t\tprovider.options?.disableSignUp,\n\t\t\toverrideUserInfo: provider.options?.overrideUserInfoOnSignIn,\n\t\t});\n\t\tif (result.error) {\n\t\t\tc.context.logger.error(result.error.split(\" \").join(\"_\"));\n\t\t\treturn redirectOnError(result.error.split(\" \").join(\"_\"));\n\t\t}\n\t\tconst { session, user } = result.data!;\n\t\tawait setSessionCookie(c, {\n\t\t\tsession,\n\t\t\tuser,\n\t\t});\n\n\t\tlet toRedirectTo: string;\n\t\ttry {\n\t\t\tconst url = result.isRegister ? newUserURL || callbackURL : callbackURL;\n\t\t\ttoRedirectTo = url.toString();\n\t\t} catch {\n\t\t\ttoRedirectTo = result.isRegister\n\t\t\t\t? newUserURL || callbackURL\n\t\t\t\t: callbackURL;\n\t\t}\n\t\tthrow c.redirect(toRedirectTo);\n\t},\n);\n"],"mappings":";;;;;;;;;;;AAWA,MAAM,SAAS,EAAE,OAAO;CACvB,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,mBAAmB,EAAE,QAAQ,CAAC,UAAU;CACxC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,CAAC;AAEF,MAAa,gBAAgB,mBAC5B,iBACA;CACC,QAAQ,CAAC,OAAO,OAAO;CACvB,aAAa;CACb,MAAM,OAAO,UAAU;CACvB,OAAO,OAAO,UAAU;CACxB,UAAU;EACT,GAAG;EACH,mBAAmB,CAClB,qCACA,mBACA;EACD;CACD,EACD,OAAO,MAAM;CACZ,IAAI;CACJ,MAAM,kBACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;AAGhE,KAAI,EAAE,WAAW,QAAQ;EACxB,MAAM,WAAW,EAAE,OAAO,OAAO,MAAM,EAAE,KAAK,GAAG,EAAE;EACnD,MAAM,YAAY,EAAE,QAAQ,OAAO,MAAM,EAAE,MAAM,GAAG,EAAE;EAEtD,MAAM,aAAa,OAAO,MAAM;GAAE,GAAG;GAAU,GAAG;GAAW,CAAC;EAC9D,MAAM,SAAS,IAAI,iBAAiB;AAEpC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,WAAW,CACpD,KAAI,UAAU,UAAa,UAAU,KACpC,QAAO,IAAI,KAAK,OAAO,MAAM,CAAC;EAIhC,MAAM,cAAc,GAAG,EAAE,QAAQ,QAAQ,YAAY,EAAE,OAAO,GAAG,GAAG,OAAO,UAAU;AACrF,QAAM,EAAE,SAAS,YAAY;;AAG9B,KAAI;AACH,MAAI,EAAE,WAAW,MAChB,eAAc,OAAO,MAAM,EAAE,MAAM;WACzB,EAAE,WAAW,OACvB,eAAc,OAAO,MAAM,EAAE,KAAK;MAElC,OAAM,IAAI,MAAM,qBAAqB;UAE9B,GAAG;AACX,IAAE,QAAQ,OAAO,MAAM,4BAA4B,EAAE;AACrD,QAAM,EAAE,SAAS,GAAG,gBAAgB,iCAAiC;;CAGtE,MAAM,EACL,MACA,OACA,OACA,mBACA,WACA,MAAM,aACH;AAEJ,KAAI,CAAC,OAAO;AACX,IAAE,QAAQ,OAAO,MAAM,mBAAmB,MAAM;EAEhD,MAAM,MAAM,GAAG,kBADH,gBAAgB,SAAS,IAAI,GAAG,MAAM,IACb;AACrC,QAAM,EAAE,SAAS,IAAI;;CAGtB,MAAM,EACL,cACA,aACA,MACA,UACA,YACA,kBACG,MAAM,WAAW,EAAE;CAEvB,SAAS,gBAAgB,OAAe,aAAkC;EACzE,MAAM,UAAU,YAAY;EAE5B,MAAM,SAAS,IAAI,gBAAgB,EAAE,OAAO,CAAC;AAC7C,MAAI,YAAa,QAAO,IAAI,qBAAqB,YAAY;EAG7D,MAAM,MAAM,GAAG,UADH,QAAQ,SAAS,IAAI,GAAG,MAAM,MACX,OAAO,UAAU;AAEhD,QAAM,EAAE,SAAS,IAAI;;AAGtB,KAAI,MACH,iBAAgB,OAAO,kBAAkB;AAG1C,KAAI,CAAC,MAAM;AACV,IAAE,QAAQ,OAAO,MAAM,iBAAiB;AACxC,QAAM,gBAAgB,UAAU;;CAGjC,MAAM,WAAW,MAAM,kBAAkB,EAAE,QAAQ,iBAAiB,EACnE,OAAO,EAAE,OAAO,IAChB,CAAC;AAEF,KAAI,CAAC,UAAU;AACd,IAAE,QAAQ,OAAO,MAChB,0BACA,EAAE,OAAO,IACT,YACA;AACD,QAAM,gBAAgB,2BAA2B;;CAGlD,IAAI;AACJ,KAAI;AACH,WAAS,MAAM,SAAS,0BAA0B;GAC3C;GACN;GACA,UAAU;GACV,aAAa,GAAG,EAAE,QAAQ,QAAQ,YAAY,SAAS;GACvD,CAAC;UACM,GAAG;AACX,IAAE,QAAQ,OAAO,MAAM,IAAI,EAAE;AAC7B,QAAM,gBAAgB,eAAe;;AAEtC,KAAI,CAAC,OACJ,OAAM,gBAAgB,eAAe;CAEtC,MAAM,iBAAiB,WACpB,cAME,SAAS,GACX;CAEH,MAAM,WAAW,MAAM,SACrB,YAAY;EACZ,GAAG;EAKH,MAAM,kBAAkB;EACxB,CAAC,CACD,MAAM,QAAQ,KAAK,KAAK;AAE1B,KAAI,CAAC,UAAU;AACd,IAAE,QAAQ,OAAO,MAAM,0BAA0B;AACjD,SAAO,gBAAgB,0BAA0B;;AAGlD,KAAI,CAAC,aAAa;AACjB,IAAE,QAAQ,OAAO,MAAM,wBAAwB;AAC/C,QAAM,gBAAgB,kBAAkB;;AAGzC,KAAI,MAAM;AAIT,MACE,CAJwB,EAAE,QAAQ,iBAAiB,SACpD,SAAS,GACT,IAEuB,CAAC,SAAS,iBACjC,EAAE,QAAQ,QAAQ,SAAS,gBAAgB,YAAY,OACtD;AACD,KAAE,QAAQ,OAAO,MAAM,8CAA8C;AACrE,UAAO,gBAAgB,yBAAyB;;AAGjD,MACC,SAAS,OAAO,aAAa,KAAK,KAAK,MAAM,aAAa,IAC1D,EAAE,QAAQ,QAAQ,SAAS,gBAAgB,yBAAyB,KAEpE,QAAO,gBAAgB,sBAAsB;EAG9C,MAAM,kBAAkB,MAAM,EAAE,QAAQ,gBAAgB,YACvD,OAAO,SAAS,GAAG,CACnB;AAED,MAAI,iBAAiB;AACpB,OAAI,gBAAgB,OAAO,UAAU,KAAK,KAAK,OAAO,UAAU,CAC/D,QAAO,gBAAgB,2CAA2C;GAEnE,MAAM,aAAa,OAAO,YACzB,OAAO,QAAQ;IACd,aAAa,MAAM,aAAa,OAAO,aAAa,EAAE,QAAQ;IAC9D,cAAc,MAAM,aAAa,OAAO,cAAc,EAAE,QAAQ;IAChE,SAAS,OAAO;IAChB,sBAAsB,OAAO;IAC7B,uBAAuB,OAAO;IAC9B,OAAO,OAAO,QAAQ,KAAK,IAAI;IAC/B,CAAC,CAAC,QAAQ,CAAC,GAAG,WAAW,UAAU,OAAU,CAC9C;AACD,SAAM,EAAE,QAAQ,gBAAgB,cAC/B,gBAAgB,IAChB,WACA;aAWG,CATe,MAAM,EAAE,QAAQ,gBAAgB,cAAc;GAChE,QAAQ,KAAK;GACb,YAAY,SAAS;GACrB,WAAW,OAAO,SAAS,GAAG;GAC9B,GAAG;GACH,aAAa,MAAM,aAAa,OAAO,aAAa,EAAE,QAAQ;GAC9D,cAAc,MAAM,aAAa,OAAO,cAAc,EAAE,QAAQ;GAChE,OAAO,OAAO,QAAQ,KAAK,IAAI;GAC/B,CAAC,CAED,QAAO,gBAAgB,yBAAyB;EAGlD,IAAI;AACJ,MAAI;AAEH,kBADY,YACO,UAAU;UACtB;AACP,kBAAe;;AAEhB,QAAM,EAAE,SAAS,aAAa;;AAG/B,KAAI,CAAC,SAAS,OAAO;AACpB,IAAE,QAAQ,OAAO,MAChB,iGACA;AACD,SAAO,gBAAgB,kBAAkB;;CAE1C,MAAM,cAAc;EACnB,YAAY,SAAS;EACrB,WAAW,OAAO,SAAS,GAAG;EAC9B,GAAG;EACH,OAAO,OAAO,QAAQ,KAAK,IAAI;EAC/B;CACD,MAAM,SAAS,MAAM,oBAAoB,GAAG;EAC3C,UAAU;GACT,GAAG;GACH,IAAI,OAAO,SAAS,GAAG;GACvB,OAAO,SAAS;GAChB,MAAM,SAAS,QAAQ;GACvB;EACD,SAAS;EACT;EACA,eACE,SAAS,yBAAyB,CAAC,iBACpC,SAAS,SAAS;EACnB,kBAAkB,SAAS,SAAS;EACpC,CAAC;AACF,KAAI,OAAO,OAAO;AACjB,IAAE,QAAQ,OAAO,MAAM,OAAO,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,CAAC;AACzD,SAAO,gBAAgB,OAAO,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,CAAC;;CAE1D,MAAM,EAAE,SAAS,SAAS,OAAO;AACjC,OAAM,iBAAiB,GAAG;EACzB;EACA;EACA,CAAC;CAEF,IAAI;AACJ,KAAI;AAEH,kBADY,OAAO,aAAa,cAAc,cAAc,aACzC,UAAU;SACtB;AACP,iBAAe,OAAO,aACnB,cAAc,cACd;;AAEJ,OAAM,EAAE,SAAS,aAAa;EAE/B"}

package/dist/api/routes/email-verification.d.mts

@@ -0,0 +1,161 @@
+import { User } from "../../types/models.mjs";
+import "../../types/index.mjs";
+import { GenericEndpointContext } from "@better-auth/core";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+
+//#region src/api/routes/email-verification.d.ts
+declare function createEmailVerificationToken(secret: string, email: string,
+/**
+ * The email to update from
+ */
+
+updateTo?: string | undefined,
+/**
+ * The time in seconds for the token to expire
+ */
+
+expiresIn?: number,
+/**
+ * Extra payload to include in the token
+ */
+
+extraPayload?: Record<string, any>): Promise<string>;
+/**
+ * A function to send a verification email to the user
+ */
+declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User): Promise<void>;
+declare const sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
+  method: "POST";
+  operationId: string;
+  body: z.ZodObject<{
+    email: z.ZodEmail;
+    callbackURL: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      description: string;
+      requestBody: {
+        content: {
+          "application/json": {
+            schema: {
+              type: "object";
+              properties: {
+                email: {
+                  type: string;
+                  description: string;
+                  example: string;
+                };
+                callbackURL: {
+                  type: string;
+                  description: string;
+                  example: string;
+                  nullable: boolean;
+                };
+              };
+              required: string[];
+            };
+          };
+        };
+      };
+      responses: {
+        "200": {
+          description: string;
+          content: {
+            "application/json": {
+              schema: {
+                type: "object";
+                properties: {
+                  status: {
+                    type: string;
+                    description: string;
+                    example: boolean;
+                  };
+                };
+              };
+            };
+          };
+        };
+        "400": {
+          description: string;
+          content: {
+            "application/json": {
+              schema: {
+                type: "object";
+                properties: {
+                  message: {
+                    type: string;
+                    description: string;
+                    example: string;
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}, {
+  status: boolean;
+}>;
+declare const verifyEmail: better_call0.StrictEndpoint<"/verify-email", {
+  method: "GET";
+  operationId: string;
+  query: z.ZodObject<{
+    token: z.ZodString;
+    callbackURL: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+  metadata: {
+    openapi: {
+      description: string;
+      parameters: ({
+        name: string;
+        in: "query";
+        description: string;
+        required: true;
+        schema: {
+          type: "string";
+        };
+      } | {
+        name: string;
+        in: "query";
+        description: string;
+        required: false;
+        schema: {
+          type: "string";
+        };
+      })[];
+      responses: {
+        "200": {
+          description: string;
+          content: {
+            "application/json": {
+              schema: {
+                type: "object";
+                properties: {
+                  user: {
+                    type: string;
+                    $ref: string;
+                  };
+                  status: {
+                    type: string;
+                    description: string;
+                  };
+                };
+                required: string[];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}, void | {
+  status: boolean;
+}>;
+//#endregion
+export { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail };
+//# sourceMappingURL=email-verification.d.mts.map

package/dist/api/routes/email-verification.mjs

@@ -0,0 +1,299 @@
+import { originCheck } from "../middlewares/origin-check.mjs";
+import "../middlewares/index.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
+import { signJWT } from "../../crypto/jwt.mjs";
+import { setSessionCookie } from "../../cookies/index.mjs";
+import { getSessionFromCtx } from "./session.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+import { jwtVerify } from "jose";
+import { JWTExpired } from "jose/errors";
+
+//#region src/api/routes/email-verification.ts
+async function createEmailVerificationToken(secret, email, updateTo, expiresIn = 3600, extraPayload) {
+	return await signJWT({
+		email: email.toLowerCase(),
+		updateTo,
+		...extraPayload
+	}, secret, expiresIn);
+}
+/**
+* A function to send a verification email to the user
+*/
+async function sendVerificationEmailFn(ctx, user) {
+	if (!ctx.context.options.emailVerification?.sendVerificationEmail) {
+		ctx.context.logger.error("Verification email isn't enabled.");
+		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.VERIFICATION_EMAIL_NOT_ENABLED);
+	}
+	const token = await createEmailVerificationToken(ctx.context.secret, user.email, void 0, ctx.context.options.emailVerification?.expiresIn);
+	const callbackURL = ctx.body.callbackURL ? encodeURIComponent(ctx.body.callbackURL) : encodeURIComponent("/");
+	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+	await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailVerification.sendVerificationEmail({
+		user,
+		url,
+		token
+	}, ctx.request));
+}
+const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
+	method: "POST",
+	operationId: "sendVerificationEmail",
+	body: z.object({
+		email: z.email().meta({ description: "The email to send the verification email to" }),
+		callbackURL: z.string().meta({ description: "The URL to use for email verification callback" }).optional()
+	}),
+	metadata: { openapi: {
+		operationId: "sendVerificationEmail",
+		description: "Send a verification email to the user",
+		requestBody: { content: { "application/json": { schema: {
+			type: "object",
+			properties: {
+				email: {
+					type: "string",
+					description: "The email to send the verification email to",
+					example: "user@example.com"
+				},
+				callbackURL: {
+					type: "string",
+					description: "The URL to use for email verification callback",
+					example: "https://example.com/callback",
+					nullable: true
+				}
+			},
+			required: ["email"]
+		} } } },
+		responses: {
+			"200": {
+				description: "Success",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: { status: {
+						type: "boolean",
+						description: "Indicates if the email was sent successfully",
+						example: true
+					} }
+				} } }
+			},
+			"400": {
+				description: "Bad Request",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: { message: {
+						type: "string",
+						description: "Error message",
+						example: "Verification email isn't enabled"
+					} }
+				} } }
+			}
+		}
+	} }
+}, async (ctx) => {
+	if (!ctx.context.options.emailVerification?.sendVerificationEmail) {
+		ctx.context.logger.error("Verification email isn't enabled.");
+		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.VERIFICATION_EMAIL_NOT_ENABLED);
+	}
+	const { email } = ctx.body;
+	const session = await getSessionFromCtx(ctx);
+	if (!session) {
+		const user = await ctx.context.internalAdapter.findUserByEmail(email);
+		if (!user || user.user.emailVerified) {
+			await createEmailVerificationToken(ctx.context.secret, email, void 0, ctx.context.options.emailVerification?.expiresIn);
+			return ctx.json({ status: true });
+		}
+		await sendVerificationEmailFn(ctx, user.user);
+		return ctx.json({ status: true });
+	}
+	if (session?.user.email !== email) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_MISMATCH);
+	if (session?.user.emailVerified) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.EMAIL_ALREADY_VERIFIED);
+	await sendVerificationEmailFn(ctx, session.user);
+	return ctx.json({ status: true });
+});
+const verifyEmail = createAuthEndpoint("/verify-email", {
+	method: "GET",
+	operationId: "verifyEmail",
+	query: z.object({
+		token: z.string().meta({ description: "The token to verify the email" }),
+		callbackURL: z.string().meta({ description: "The URL to redirect to after email verification" }).optional()
+	}),
+	use: [originCheck((ctx) => ctx.query.callbackURL)],
+	metadata: { openapi: {
+		description: "Verify the email of the user",
+		parameters: [{
+			name: "token",
+			in: "query",
+			description: "The token to verify the email",
+			required: true,
+			schema: { type: "string" }
+		}, {
+			name: "callbackURL",
+			in: "query",
+			description: "The URL to redirect to after email verification",
+			required: false,
+			schema: { type: "string" }
+		}],
+		responses: { "200": {
+			description: "Success",
+			content: { "application/json": { schema: {
+				type: "object",
+				properties: {
+					user: {
+						type: "object",
+						$ref: "#/components/schemas/User"
+					},
+					status: {
+						type: "boolean",
+						description: "Indicates if the email was verified successfully"
+					}
+				},
+				required: ["user", "status"]
+			} } }
+		} }
+	} }
+}, async (ctx) => {
+	function redirectOnError(error) {
+		if (ctx.query.callbackURL) {
+			if (ctx.query.callbackURL.includes("?")) throw ctx.redirect(`${ctx.query.callbackURL}&error=${error.code}`);
+			throw ctx.redirect(`${ctx.query.callbackURL}?error=${error.code}`);
+		}
+		throw APIError.from("UNAUTHORIZED", error);
+	}
+	const { token } = ctx.query;
+	let jwt;
+	try {
+		jwt = await jwtVerify(token, new TextEncoder().encode(ctx.context.secret), { algorithms: ["HS256"] });
+	} catch (e) {
+		if (e instanceof JWTExpired) return redirectOnError(BASE_ERROR_CODES.TOKEN_EXPIRED);
+		return redirectOnError(BASE_ERROR_CODES.INVALID_TOKEN);
+	}
+	const parsed = z.object({
+		email: z.email(),
+		updateTo: z.string().optional(),
+		requestType: z.string().optional()
+	}).parse(jwt.payload);
+	const user = await ctx.context.internalAdapter.findUserByEmail(parsed.email);
+	if (!user) return redirectOnError(BASE_ERROR_CODES.USER_NOT_FOUND);
+	if (parsed.updateTo) {
+		const session = await getSessionFromCtx(ctx);
+		if (session && session.user.email !== parsed.email) return redirectOnError(BASE_ERROR_CODES.INVALID_USER);
+		switch (parsed.requestType) {
+			case "change-email-confirmation": {
+				const newToken = await createEmailVerificationToken(ctx.context.secret, parsed.email, parsed.updateTo, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-verification" });
+				const updateCallbackURL = ctx.query.callbackURL ? encodeURIComponent(ctx.query.callbackURL) : encodeURIComponent("/");
+				const url = `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`;
+				if (ctx.context.options.emailVerification?.sendVerificationEmail) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailVerification.sendVerificationEmail({
+					user: {
+						...user.user,
+						email: parsed.updateTo
+					},
+					url,
+					token: newToken
+				}, ctx.request));
+				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
+				return ctx.json({ status: true });
+			}
+			case "change-email-verification": {
+				let activeSession = session;
+				if (!activeSession) {
+					const newSession = await ctx.context.internalAdapter.createSession(user.user.id);
+					if (!newSession) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
+					activeSession = {
+						session: newSession,
+						user: user.user
+					};
+				}
+				const updatedUser = await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+					email: parsed.updateTo,
+					emailVerified: true
+				});
+				if (ctx.context.options.emailVerification?.afterEmailVerification) await ctx.context.options.emailVerification.afterEmailVerification(updatedUser, ctx.request);
+				await setSessionCookie(ctx, {
+					session: activeSession.session,
+					user: {
+						...activeSession.user,
+						email: parsed.updateTo,
+						emailVerified: true
+					}
+				});
+				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
+				return ctx.json({
+					status: true,
+					user: parseUserOutput(ctx.context.options, updatedUser)
+				});
+			}
+			default: {
+				let activeSession = session;
+				if (!activeSession) {
+					const newSession = await ctx.context.internalAdapter.createSession(user.user.id);
+					if (!newSession) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
+					activeSession = {
+						session: newSession,
+						user: user.user
+					};
+				}
+				const updatedUser = await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+					email: parsed.updateTo,
+					emailVerified: false
+				});
+				const newToken = await createEmailVerificationToken(ctx.context.secret, parsed.updateTo);
+				const updateCallbackURL = ctx.query.callbackURL ? encodeURIComponent(ctx.query.callbackURL) : encodeURIComponent("/");
+				if (ctx.context.options.emailVerification?.sendVerificationEmail) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailVerification.sendVerificationEmail({
+					user: updatedUser,
+					url: `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`,
+					token: newToken
+				}, ctx.request));
+				await setSessionCookie(ctx, {
+					session: activeSession.session,
+					user: {
+						...activeSession.user,
+						email: parsed.updateTo,
+						emailVerified: false
+					}
+				});
+				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
+				return ctx.json({
+					status: true,
+					user: parseUserOutput(ctx.context.options, updatedUser)
+				});
+			}
+		}
+	}
+	if (user.user.emailVerified) {
+		if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
+		return ctx.json({
+			status: true,
+			user: null
+		});
+	}
+	if (ctx.context.options.emailVerification?.beforeEmailVerification) await ctx.context.options.emailVerification.beforeEmailVerification(user.user, ctx.request);
+	const updatedUser = await ctx.context.internalAdapter.updateUserByEmail(parsed.email, { emailVerified: true });
+	if (ctx.context.options.emailVerification?.afterEmailVerification) await ctx.context.options.emailVerification.afterEmailVerification(updatedUser, ctx.request);
+	if (ctx.context.options.emailVerification?.autoSignInAfterVerification) {
+		const currentSession = await getSessionFromCtx(ctx);
+		if (!currentSession || currentSession.user.email !== parsed.email) {
+			const session = await ctx.context.internalAdapter.createSession(user.user.id);
+			if (!session) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
+			await setSessionCookie(ctx, {
+				session,
+				user: {
+					...user.user,
+					emailVerified: true
+				}
+			});
+		} else await setSessionCookie(ctx, {
+			session: currentSession.session,
+			user: {
+				...currentSession.user,
+				emailVerified: true
+			}
+		});
+	}
+	if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
+	return ctx.json({
+		status: true,
+		user: null
+	});
+});
+
+//#endregion
+export { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail };
+//# sourceMappingURL=email-verification.mjs.map