better-auth 0.3.1 → 0.3.2

package/dist/adapters/drizzle.d.ts

@@ -1,6 +1,6 @@
-import { A as Adapter } from '../index-BRcc7HbO.js';
+import { A as Adapter } from '../index-DHmaFGpa.js';
 import 'kysely';
-import '../index-JM-i6hLs.js';
+import '../index-BlnDgm2S.js';
 import 'arctic';
 import 'zod';
 import '../helper-DPDj8Nix.js';

package/dist/adapters/mongodb.d.ts

@@ -1,7 +1,7 @@
 import { Db } from 'mongodb';
-import { W as Where } from '../index-BRcc7HbO.js';
+import { W as Where } from '../index-DHmaFGpa.js';
 import 'kysely';
-import '../index-JM-i6hLs.js';
+import '../index-BlnDgm2S.js';
 import 'arctic';
 import 'zod';
 import '../helper-DPDj8Nix.js';

package/dist/adapters/prisma.d.ts

@@ -1,6 +1,6 @@
-import { A as Adapter } from '../index-BRcc7HbO.js';
+import { A as Adapter } from '../index-DHmaFGpa.js';
 import 'kysely';
-import '../index-JM-i6hLs.js';
+import '../index-BlnDgm2S.js';
 import 'arctic';
 import 'zod';
 import '../helper-DPDj8Nix.js';

package/dist/api.d.ts

@@ -1,9 +1,9 @@
-export { f as AuthEndpoint, g as AuthMiddleware, n as callbackOAuth, L as changePassword, e as createAuthEndpoint, d as createAuthMiddleware, D as createEmailVerificationToken, V as csrfMiddleware, N as deleteUser, Q as error, y as forgetPassword, z as forgetPasswordCallback, O as getCSRFToken, l as getEndpoints, p as getSession, q as getSessionFromCtx, u as listSessions, T as ok, o as optionsMiddleware, C as resetPassword, v as revokeSession, w as revokeSessions, r as router, E as sendVerificationEmail, t as sessionMiddleware, M as setPassword, m as signInEmail, s as signInOAuth, x as signOut, U as signUpEmail, K as updateUser, J as verifyEmail } from './index-BRcc7HbO.js';
+export { f as AuthEndpoint, g as AuthMiddleware, n as callbackOAuth, L as changePassword, e as createAuthEndpoint, d as createAuthMiddleware, D as createEmailVerificationToken, V as csrfMiddleware, N as deleteUser, Q as error, y as forgetPassword, z as forgetPasswordCallback, O as getCSRFToken, l as getEndpoints, p as getSession, q as getSessionFromCtx, u as listSessions, T as ok, o as optionsMiddleware, C as resetPassword, v as revokeSession, w as revokeSessions, r as router, E as sendVerificationEmail, t as sessionMiddleware, M as setPassword, m as signInEmail, s as signInOAuth, x as signOut, U as signUpEmail, K as updateUser, J as verifyEmail } from './index-DHmaFGpa.js';
 import 'zod';
 import './helper-DPDj8Nix.js';
 import 'better-call';
 import 'kysely';
-import './index-JM-i6hLs.js';
+import './index-BlnDgm2S.js';
 import 'arctic';
 import 'better-sqlite3';
 import 'mysql2';

package/dist/api.js

@@ -156,6 +156,8 @@ function getBaseURL(url, path) {
 
 // src/social-providers/utils.ts
 import { betterFetch } from "@better-fetch/fetch";
+import { sha256 as sha2562 } from "@noble/hashes/sha256";
+import { base64url } from "oslo/encoding";
 function getRedirectURI(providerId, redirectURI) {
   return redirectURI || `${getBaseURL()}/callback/${providerId}`;
 }
@@ -188,6 +190,27 @@ async function validateAuthorizationCode({
   const tokens = new OAuth2Tokens(data);
   return tokens;
 }
+function generateCodeChallenge(codeVerifier) {
+  const codeChallengeBytes = sha2562(new TextEncoder().encode(codeVerifier));
+  return base64url.encode(codeChallengeBytes, {
+    includePadding: false
+  });
+}
+function createAuthorizationURL(id, options, authorizationEndpoint, state, codeVerifier, scopes) {
+  const url = new URL(authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", options.clientId);
+  url.searchParams.set("state", state);
+  url.searchParams.set("scope", scopes.join(" "));
+  url.searchParams.set(
+    "redirect_uri",
+    options.redirectURI || getRedirectURI(id)
+  );
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("code_challenge", codeChallenge);
+  return url;
+}
 
 // src/social-providers/apple.ts
 var apple = (options) => {
@@ -196,7 +219,7 @@ var apple = (options) => {
     id: "apple",
     name: "Apple",
     createAuthorizationURL({ state, scopes, redirectURI }) {
-      const _scope = scopes || ["email", "name", "openid"];
+      const _scope = options.scope || scopes || ["email", "name", "openid"];
       return new URL(
         `https://appleid.apple.com/auth/authorize?client_id=${options.clientId}&response_type=code&redirect_uri=${redirectURI || options.redirectURI}&scope=${_scope.join(" ")}&state=${state}`
       );
@@ -235,7 +258,7 @@ var discord = (options) => {
     id: "discord",
     name: "Discord",
     createAuthorizationURL({ state, scopes }) {
-      const _scopes = scopes || ["identify", "email"];
+      const _scopes = options.scope || scopes || ["identify", "email"];
       return new URL(
         `https://discord.com/api/oauth2/authorize?scope=${_scopes.join(
           "+"
@@ -298,7 +321,7 @@ var facebook = (options) => {
     id: "facebook",
     name: "Facebook",
     createAuthorizationURL({ state, scopes }) {
-      const _scopes = scopes || ["email", "public_profile"];
+      const _scopes = options.scope || scopes || ["email", "public_profile"];
       return facebookArctic.createAuthorizationURL(state, _scopes);
     },
     validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
@@ -342,6 +365,7 @@ import { GitHub } from "arctic";
 var github = ({
   clientId,
   clientSecret,
+  scope,
   redirectURI
 }) => {
   const githubArctic = new GitHub(
@@ -353,7 +377,7 @@ var github = ({
     id: "github",
     name: "Github",
     createAuthorizationURL({ state, scopes }) {
-      const _scopes = scopes || ["user:email"];
+      const _scopes = scope || scopes || ["user:email"];
       return githubArctic.createAuthorizationURL(state, _scopes);
     },
     validateAuthorizationCode: async (state) => {
@@ -467,7 +491,7 @@ var google = (options) => {
       if (!codeVerifier) {
         throw new BetterAuthError("codeVerifier is required for Google");
       }
-      const _scopes = scopes || ["email", "profile"];
+      const _scopes = options.scope || scopes || ["email", "profile"];
       const url = googleArctic.createAuthorizationURL(
         state,
         codeVerifier,
@@ -503,8 +527,76 @@ var google = (options) => {
   };
 };
 
-// src/social-providers/spotify.ts
+// src/social-providers/microsoft-entra-id.ts
 import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { parseJWT as parseJWT3 } from "oslo/jwt";
+var microsoft = (options) => {
+  const tenant = options.tenantId || "common";
+  const authorizationEndpoint = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize`;
+  const tokenEndpoint = `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
+  return {
+    id: "microsoft",
+    name: "Microsoft EntraID",
+    createAuthorizationURL(data) {
+      const scopes = options.scope || data.scopes || ["openid", "profile", "email", "User.Read"];
+      return createAuthorizationURL(
+        "microsoft",
+        options,
+        authorizationEndpoint,
+        data.state,
+        data.codeVerifier,
+        scopes
+      );
+    },
+    validateAuthorizationCode(code, codeVerifier, redirectURI) {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("microsoft", options.redirectURI),
+        options,
+        tokenEndpoint
+      });
+    },
+    async getUserInfo(token) {
+      const user = parseJWT3(token.idToken())?.payload;
+      const profilePhotoSize = options.profilePhotoSize || 48;
+      await betterFetch6(
+        `https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`,
+        {
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          },
+          async onResponse(context) {
+            if (options.disableProfilePhoto || !context.response.ok) {
+              return;
+            }
+            try {
+              const response = context.response.clone();
+              const pictureBuffer = await response.arrayBuffer();
+              const pictureBase64 = Buffer.from(pictureBuffer).toString("base64");
+              user.picture = `data:image/jpeg;base64, ${pictureBase64}`;
+            } catch (e) {
+              logger.error(e);
+            }
+          }
+        }
+      );
+      return {
+        user: {
+          id: user.sub,
+          name: user.name,
+          email: user.email,
+          image: user.picture,
+          emailVerified: true
+        },
+        data: user
+      };
+    }
+  };
+};
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
 import { Spotify } from "arctic";
 var spotify = (options) => {
   const spotifyArctic = new Spotify(
@@ -516,7 +608,7 @@ var spotify = (options) => {
     id: "spotify",
     name: "Spotify",
     createAuthorizationURL({ state, scopes }) {
-      const _scopes = scopes || ["user-read-email"];
+      const _scopes = options.scope || scopes || ["user-read-email"];
       return spotifyArctic.createAuthorizationURL(state, _scopes);
     },
     validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
@@ -529,7 +621,7 @@ var spotify = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch6(
+      const { data: profile, error: error2 } = await betterFetch7(
         "https://api.spotify.com/v1/me",
         {
           method: "GET",
@@ -556,7 +648,7 @@ var spotify = (options) => {
 };
 
 // src/social-providers/twitch.ts
-import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
 import { Twitch } from "arctic";
 var twitch = (options) => {
   const twitchArctic = new Twitch(
@@ -568,7 +660,7 @@ var twitch = (options) => {
     id: "twitch",
     name: "Twitch",
     createAuthorizationURL({ state, scopes }) {
-      const _scopes = scopes || ["activity:write", "read"];
+      const _scopes = options.scope || scopes || ["activity:write", "read"];
       return twitchArctic.createAuthorizationURL(state, _scopes);
     },
     validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
@@ -580,7 +672,7 @@ var twitch = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch7(
+      const { data: profile, error: error2 } = await betterFetch8(
         "https://api.twitch.tv/helix/users",
         {
           method: "GET",
@@ -607,7 +699,7 @@ var twitch = (options) => {
 };
 
 // src/social-providers/twitter.ts
-import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
+import { betterFetch as betterFetch9 } from "@better-fetch/fetch";
 import { Twitter } from "arctic";
 var twitter = (options) => {
   const twitterArctic = new Twitter(
@@ -619,7 +711,7 @@ var twitter = (options) => {
     id: "twitter",
     name: "Twitter",
     createAuthorizationURL(data) {
-      const _scopes = data.scopes || ["account_info.read"];
+      const _scopes = options.scope || data.scopes || ["account_info.read"];
       return twitterArctic.createAuthorizationURL(
         data.state,
         data.codeVerifier,
@@ -636,7 +728,7 @@ var twitter = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch8(
+      const { data: profile, error: error2 } = await betterFetch9(
         "https://api.x.com/2/users/me?user.fields=profile_image_url",
         {
           method: "GET",
@@ -665,7 +757,7 @@ var twitter = (options) => {
   };
 };
 
-// src/types/provider.ts
+// src/social-providers/types.ts
 import "arctic";
 
 // src/social-providers/index.ts
@@ -674,6 +766,7 @@ var oAuthProviders = {
   discord,
   facebook,
   github,
+  microsoft,
   google,
   spotify,
   twitch,
@@ -1295,6 +1388,7 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
+    console.log({ user, data });
     const parsedState = parseState(c.query.state);
     if (!parsedState.success) {
       c.context.logger.error("Unable to parse state");
@@ -1438,7 +1532,7 @@ var signOut = createAuthEndpoint(
 
 // src/api/routes/forget-password.ts
 import { TimeSpan as TimeSpan2 } from "oslo";
-import { createJWT, parseJWT as parseJWT3 } from "oslo/jwt";
+import { createJWT, parseJWT as parseJWT4 } from "oslo/jwt";
 import { validateJWT } from "oslo/jwt";
 import { z as z8 } from "zod";
 var forgetPassword = createAuthEndpoint(
@@ -1533,7 +1627,7 @@ var forgetPasswordCallback = createAuthEndpoint(
         throw Error("Token expired");
       }
     } catch (e) {
-      const decoded = parseJWT3(token);
+      const decoded = parseJWT4(token);
       const jwt = schema.safeParse(decoded?.payload);
       if (jwt.success) {
         throw ctx.redirect(`${jwt.data?.redirectTo}?error=invalid_token`);

package/dist/cli.js

@@ -850,7 +850,7 @@ var kyselyAdapter = (db, config) => {
       const migrations = await compileMigrations();
       return {
         code: migrations,
-        fileName: `./better-auth_migrations/${(/* @__PURE__ */ new Date()).toISOString()}.sql`
+        fileName: `./better-auth_migrations/${(/* @__PURE__ */ new Date()).toISOString().replace(/:/g, "-")}.sql`
       };
     }
   };

package/dist/client/plugins.d.ts

@@ -2,14 +2,14 @@ import * as nanostores from 'nanostores';
 import { A as AccessControl, S as StatementsPrimitive, R as Role } from '../statement-CfnyN34h.js';
 import * as _better_fetch_fetch from '@better-fetch/fetch';
 import { BetterFetchOption } from '@better-fetch/fetch';
-import { o as organization, f as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, e as anonymous } from '../index-B-Rb8u6d.js';
-export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-B-Rb8u6d.js';
+import { o as organization, f as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, e as anonymous } from '../index-8Ml1biZQ.js';
+export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-8Ml1biZQ.js';
 import { P as Prettify } from '../helper-DPDj8Nix.js';
-import '../index-JM-i6hLs.js';
+import '../index-BlnDgm2S.js';
 import 'arctic';
 import 'zod';
 import 'better-call';
-import '../index-BRcc7HbO.js';
+import '../index-DHmaFGpa.js';
 import 'kysely';
 import 'better-sqlite3';
 import 'mysql2';

package/dist/client.d.ts

@@ -6,9 +6,9 @@ import { BetterFetch, BetterFetchError, BetterFetchOption } from '@better-fetch/
 import { U as UnionToIntersection, P as Prettify, S as StripEmptyObjects } from './helper-DPDj8Nix.js';
 import { ClientOptions, InferClientAPI, InferActions, InferAdditionalFromClient, InferSessionFromClient, InferUserFromClient, BetterAuthClientPlugin, IsSignal } from './types.js';
 export { AtomListener, InferPluginsFromClient } from './types.js';
-import './index-BRcc7HbO.js';
+import './index-DHmaFGpa.js';
 import 'kysely';
-import './index-JM-i6hLs.js';
+import './index-BlnDgm2S.js';
 import 'arctic';
 import 'better-call';
 import 'better-sqlite3';

package/dist/{index-B-Rb8u6d.d.ts → index-8Ml1biZQ.d.ts}

@@ -1,11 +1,11 @@
-import { U as User, S as Session } from './index-JM-i6hLs.js';
+import { U as User, S as Session } from './index-BlnDgm2S.js';
 import * as better_call from 'better-call';
 import { z, ZodObject, ZodOptional, ZodArray, ZodLiteral } from 'zod';
 import { P as Prettify } from './helper-DPDj8Nix.js';
 import { A as AccessControl, R as Role, S as StatementsPrimitive, g as defaultRoles } from './statement-CfnyN34h.js';
 import * as _better_fetch_fetch from '@better-fetch/fetch';
 import { BetterFetch, BetterFetchOption } from '@better-fetch/fetch';
-import { H as HookEndpointContext } from './index-BRcc7HbO.js';
+import { H as HookEndpointContext } from './index-DHmaFGpa.js';
 import * as nanostores from 'nanostores';
 import { atom } from 'nanostores';
 import * as _simplewebauthn_types from '@simplewebauthn/types';

package/dist/{index-JM-i6hLs.d.ts → index-BlnDgm2S.d.ts}

@@ -193,10 +193,7 @@ interface TwitterProfile {
     };
     [claims: string]: unknown;
 }
-interface TwitterOption {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface TwitterOption extends ProviderOptions {
 }
 declare const twitter: (options: TwitterOption) => {
     id: "twitter";
@@ -238,10 +235,7 @@ interface TwitchProfile {
      */
     picture: string;
 }
-interface TwitchOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface TwitchOptions extends ProviderOptions {
 }
 declare const twitch: (options: TwitchOptions) => {
     id: "twitch";
@@ -273,10 +267,7 @@ interface SpotifyProfile {
         url: string;
     }[];
 }
-interface SpotifyOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface SpotifyOptions extends ProviderOptions {
 }
 declare const spotify: (options: SpotifyOptions) => {
     id: "spotify";
@@ -346,6 +337,50 @@ declare const google: (options: GoogleOptions) => {
     } | null>;
 };
 
+interface MicrosoftEntraIDProfile extends Record<string, any> {
+    sub: string;
+    name: string;
+    email: string;
+    picture: string;
+}
+interface MicrosoftOptions extends ProviderOptions {
+    /**
+     * The tenant ID of the Microsoft account
+     * @default "common"
+     */
+    tenantId?: string;
+    /**
+     * The size of the profile photo
+     * @default 48
+     */
+    profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
+    /**
+     * Disable profile photo
+     */
+    disableProfilePhoto?: boolean;
+}
+declare const microsoft: (options: MicrosoftOptions) => {
+    id: "microsoft";
+    name: string;
+    createAuthorizationURL(data: {
+        state: string;
+        codeVerifier: string;
+        scopes?: string[];
+        redirectURI?: string;
+    }): URL;
+    validateAuthorizationCode(code: string, codeVerifier: string | undefined, redirectURI: string | undefined): Promise<arctic.OAuth2Tokens>;
+    getUserInfo(token: arctic.OAuth2Tokens): Promise<{
+        user: {
+            id: string;
+            name: string;
+            email: string;
+            image: string;
+            emailVerified: true;
+        };
+        data: MicrosoftEntraIDProfile;
+    }>;
+};
+
 interface GithubProfile {
     login: string;
     id: string;
@@ -394,12 +429,9 @@ interface GithubProfile {
     first_name: string;
     last_name: string;
 }
-interface GithubOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface GithubOptions extends ProviderOptions {
 }
-declare const github: ({ clientId, clientSecret, redirectURI, }: GithubOptions) => {
+declare const github: ({ clientId, clientSecret, scope, redirectURI, }: GithubOptions) => {
     id: "github";
     name: string;
     createAuthorizationURL({ state, scopes }: {
@@ -437,10 +469,7 @@ interface FacebookProfile {
         };
     };
 }
-interface FacebookOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface FacebookOptions extends ProviderOptions {
 }
 declare const facebook: (options: FacebookOptions) => {
     id: "facebook";
@@ -532,10 +561,7 @@ interface DiscordProfile extends Record<string, any> {
     /** undocumented field; the CDN URL of their profile picture */
     image_url: string;
 }
-interface DiscordOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface DiscordOptions extends ProviderOptions {
 }
 declare const discord: (options: DiscordOptions) => {
     id: "discord";
@@ -601,10 +627,7 @@ interface AppleProfile {
      */
     name: string;
 }
-interface AppleOptions {
-    clientId: string;
-    clientSecret: string;
-    redirectURI?: string;
+interface AppleOptions extends ProviderOptions {
 }
 declare const apple: (options: AppleOptions) => {
     id: "apple";
@@ -728,7 +751,7 @@ declare const oAuthProviders: {
             data: FacebookProfile;
         } | null>;
     };
-    github: ({ clientId, clientSecret, redirectURI, }: GithubOptions) => {
+    github: ({ clientId, clientSecret, scope, redirectURI, }: GithubOptions) => {
         id: "github";
         name: string;
         createAuthorizationURL({ state, scopes }: {
@@ -751,6 +774,27 @@ declare const oAuthProviders: {
             data: GithubProfile;
         } | null>;
     };
+    microsoft: (options: MicrosoftOptions) => {
+        id: "microsoft";
+        name: string;
+        createAuthorizationURL(data: {
+            state: string;
+            codeVerifier: string;
+            scopes?: string[];
+            redirectURI?: string;
+        }): URL;
+        validateAuthorizationCode(code: string, codeVerifier: string | undefined, redirectURI: string | undefined): Promise<arctic.OAuth2Tokens>;
+        getUserInfo(token: arctic.OAuth2Tokens): Promise<{
+            user: {
+                id: string;
+                name: string;
+                email: string;
+                image: string;
+                emailVerified: true;
+            };
+            data: MicrosoftEntraIDProfile;
+        }>;
+    };
     google: (options: GoogleOptions) => {
         id: "google";
         name: string;
@@ -843,4 +887,4 @@ type SocialProviders = typeof oAuthProviders extends {
     enabled?: boolean;
 }>>> : never : never;
 
-export { type Account as A, type DiscordProfile as D, type FacebookProfile as F, type GithubProfile as G, type OAuthProvider as O, type ProviderOptions as P, type Session as S, type TwitchProfile as T, type User as U, type Verification as V, type AppleProfile as a, type GoogleProfile as b, type SpotifyProfile as c, type TwitterProfile as d, type SocialProviders as e, type OAuthProviderList as f, oAuthProviderList as g, type GithubOptions as h, github as i, type GoogleOptions as j, google as k, type AppleOptions as l, apple as m, type DiscordOptions as n, oAuthProviders as o, discord as p, type SpotifyOptions as q, type TwitchOptions as r, spotify as s, twitch as t, type FacebookOptions as u, facebook as v, type TwitterOption as w, twitter as x };
+export { type Account as A, type DiscordProfile as D, type FacebookProfile as F, type GithubProfile as G, type MicrosoftEntraIDProfile as M, type OAuthProvider as O, type ProviderOptions as P, type Session as S, type TwitchProfile as T, type User as U, type Verification as V, type AppleProfile as a, type GoogleProfile as b, type SpotifyProfile as c, type TwitterProfile as d, type SocialProviders as e, type OAuthProviderList as f, oAuthProviderList as g, type GithubOptions as h, github as i, type GoogleOptions as j, google as k, type AppleOptions as l, apple as m, type MicrosoftOptions as n, oAuthProviders as o, microsoft as p, type DiscordOptions as q, discord as r, type SpotifyOptions as s, spotify as t, type TwitchOptions as u, twitch as v, type FacebookOptions as w, facebook as x, type TwitterOption as y, twitter as z };