better-auth 1.6.10 → 1.6.12

package/dist/plugins/oauth-proxy/index.mjs

@@ -1,13 +1,15 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { getOrigin } from "../../utils/url.mjs";
 import { originCheck } from "../../api/middlewares/origin-check.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { redirectOnError } from "../../oauth2/errors.mjs";
 import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { parseJSON } from "../../client/parser.mjs";
-import { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
+import { checkSkipProxy, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
 import { defu } from "defu";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
@@ -90,18 +92,28 @@ const oAuthProxy = (opts) => {
 				throw redirectOnError(ctx, errorURL, "payload_expired");
 			}
 			try {
-				await parseGenericState(ctx, payload.state);
+				await parseGenericState(ctx, payload.state, { skipStateCookieCheck: true });
 			} catch (e) {
 				ctx.context.logger.warn("Failed to clean up OAuth state", e);
 			}
-			const result = await handleOAuthUserInfo(ctx, {
-				userInfo: payload.userInfo,
-				account: payload.account,
-				callbackURL: payload.callbackURL,
-				disableSignUp: payload.disableSignUp
-			});
-			if (result.error || !result.data) {
-				ctx.context.logger.error("Failed to create user or session", result.error);
+			let result;
+			try {
+				result = await handleOAuthUserInfo(ctx, {
+					userInfo: payload.userInfo,
+					account: payload.account,
+					callbackURL: payload.callbackURL,
+					disableSignUp: payload.disableSignUp
+				});
+			} catch (e) {
+				if (isAPIError(e) && e.body?.code) throw redirectOnError(ctx, errorURL, e.body.code, e.body.message);
+				throw e;
+			}
+			if (result.error) {
+				ctx.context.logger.error("OAuth proxy callback error", result.error);
+				throw redirectOnError(ctx, errorURL, result.error.split(" ").join("_"));
+			}
+			if (!result.data) {
+				ctx.context.logger.error("OAuth proxy callback missing session data");
 				throw redirectOnError(ctx, errorURL, "user_creation_failed");
 			}
 			await setSessionCookie(ctx, result.data);
@@ -141,6 +153,7 @@ const oAuthProxy = (opts) => {
 							data: state
 						}));
 					} catch {
+						ctx.context.logger.debug("OAuth proxy: could not decrypt state package, falling back to regular callback");
 						return;
 					}
 					if (!statePackage.isOAuthProxy || !statePackage.state || !statePackage.stateCookie) {
@@ -248,29 +261,29 @@ const oAuthProxy = (opts) => {
 					const oauthURL = new URL(providerURL);
 					const originalState = oauthURL.searchParams.get("state");
 					if (!originalState) return;
-					let stateCookieValue;
-					if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
-						const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
-						if (setCookieHeader) {
-							const parsedCookies = parseSetCookieHeader(setCookieHeader);
-							const stateCookie = ctx.context.createAuthCookie("oauth_state");
-							stateCookieValue = parsedCookies.get(stateCookie.name)?.value;
-						}
-					} else {
-						const verification = await ctx.context.internalAdapter.findVerificationValue(originalState);
-						if (verification) stateCookieValue = await symmetricEncrypt({
-							key: getEncryptionKey(ctx),
-							data: verification.value
-						});
-					}
-					if (!stateCookieValue) {
-						ctx.context.logger.warn("No OAuth state cookie value found");
-						return;
-					}
 					try {
+						let plaintextState;
+						if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
+							const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
+							if (setCookieHeader) {
+								const oauthStateCookie = ctx.context.createAuthCookie("oauth_state");
+								const encryptedCookieValue = parseSetCookieHeader(setCookieHeader).get(oauthStateCookie.name)?.value;
+								if (encryptedCookieValue) plaintextState = await symmetricDecrypt({
+									key: ctx.context.secretConfig,
+									data: encryptedCookieValue
+								});
+							}
+						} else plaintextState = (await ctx.context.internalAdapter.findVerificationValue(originalState))?.value;
+						if (!plaintextState) {
+							ctx.context.logger.warn("No OAuth state found for proxy");
+							return;
+						}
 						const statePackage = {
 							state: originalState,
-							stateCookie: stateCookieValue,
+							stateCookie: await symmetricEncrypt({
+								key: getEncryptionKey(ctx),
+								data: plaintextState
+							}),
 							isOAuthProxy: true
 						};
 						const encryptedPackage = await symmetricEncrypt({
@@ -283,7 +296,7 @@ const oAuthProxy = (opts) => {
 							url: oauthURL.toString()
 						};
 					} catch (e) {
-						ctx.context.logger.error("Failed to encrypt OAuth proxy state package:", e);
+						ctx.context.logger.error("Failed to prepare OAuth proxy state:", e);
 					}
 				})
 			}, {

package/dist/plugins/oauth-proxy/utils.mjs

@@ -1,4 +1,4 @@
-import { getOrigin } from "../../utils/url.mjs";
+import { getOrigin, trimTrailingSlashes } from "../../utils/url.mjs";
 import { env } from "@better-auth/core/env";
 //#region src/plugins/oauth-proxy/utils.ts
 /**
@@ -6,7 +6,7 @@ import { env } from "@better-auth/core/env";
 */
 function stripTrailingSlash(url) {
 	if (!url) return "";
-	return url.replace(/\/+$/, "");
+	return trimTrailingSlashes(url);
 }
 /**
 * Get base URL from vendor-specific environment variables
@@ -37,12 +37,5 @@ function checkSkipProxy(ctx, opts) {
 	if (!currentURL) return false;
 	return getOrigin(productionURL) === getOrigin(currentURL);
 }
-/**
-* Redirect to error URL with error code
-*/
-function redirectOnError(ctx, errorURL, error) {
-	const sep = errorURL.includes("?") ? "&" : "?";
-	throw ctx.redirect(`${errorURL}${sep}error=${error}`);
-}
 //#endregion
-export { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash };
+export { checkSkipProxy, resolveCurrentURL, stripTrailingSlash };

package/dist/plugins/oidc-provider/authorize.mjs

@@ -93,8 +93,14 @@ async function authorize(ctx, options) {
 	});
 	if (invalidScopes.length) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
 	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
-	if (!query.code_challenge_method) query.code_challenge_method = "plain";
-	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	if (query.code_challenge_method && !query.code_challenge) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge_method requires code_challenge"));
+	if (query.code_challenge) {
+		const allowedCodeChallengeMethods = options.allowPlainCodeChallengeMethod ? ["s256", "plain"] : ["s256"];
+		let codeChallengeMethod = query.code_challenge_method?.toLowerCase();
+		if (!codeChallengeMethod && options.allowPlainCodeChallengeMethod) codeChallengeMethod = "plain";
+		if (!codeChallengeMethod || !allowedCodeChallengeMethods.includes(codeChallengeMethod)) return handleRedirect(formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+		query.code_challenge_method = codeChallengeMethod;
+	}
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
 	const expiresAt = new Date(Date.now() + codeExpiresInMs);

package/dist/plugins/oidc-provider/index.mjs

@@ -1,5 +1,6 @@
 import { mergeSchema } from "../../db/schema.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { constantTimeEqual } from "../../crypto/buffer.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
@@ -52,11 +53,7 @@ const getMetadata = (ctx, options) => {
 	const jwtPlugin = ctx.context.getPlugin("jwt");
 	const issuer = jwtPlugin && jwtPlugin.options?.jwt && jwtPlugin.options.jwt.issuer ? jwtPlugin.options.jwt.issuer : ctx.context.options.baseURL;
 	const baseURL = ctx.context.baseURL;
-	const supportedAlgs = options?.useJWTPlugin ? [
-		"RS256",
-		"EdDSA",
-		"none"
-	] : ["HS256", "none"];
+	const supportedAlgs = options?.useJWTPlugin ? ["RS256", "EdDSA"] : ["HS256"];
 	return {
 		issuer,
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
@@ -161,7 +158,7 @@ const oidcProvider = (options) => {
 		defaultScope: "openid",
 		accessTokenExpiresIn: DEFAULT_ACCESS_TOKEN_EXPIRES_IN,
 		refreshTokenExpiresIn: DEFAULT_REFRESH_TOKEN_EXPIRES_IN,
-		allowPlainCodeChallengeMethod: true,
+		allowPlainCodeChallengeMethod: false,
 		storeClientSecret: "plain",
 		...options,
 		scopes: [
@@ -190,14 +187,14 @@ const oidcProvider = (options) => {
 	* Verify stored client secret against provided client secret
 	*/
 	async function verifyStoredClientSecret(ctx, storedClientSecret, clientSecret) {
-		if (opts.storeClientSecret === "encrypted") return await symmetricDecrypt({
+		if (opts.storeClientSecret === "encrypted") return constantTimeEqual(await symmetricDecrypt({
 			key: ctx.context.secretConfig,
 			data: storedClientSecret
-		}) === clientSecret;
-		if (opts.storeClientSecret === "hashed") return await defaultClientSecretHasher(clientSecret) === storedClientSecret;
-		if (typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret) return await opts.storeClientSecret.hash(clientSecret) === storedClientSecret;
-		if (typeof opts.storeClientSecret === "object" && "decrypt" in opts.storeClientSecret) return await opts.storeClientSecret.decrypt(storedClientSecret) === clientSecret;
-		return clientSecret === storedClientSecret;
+		}), clientSecret);
+		if (opts.storeClientSecret === "hashed") return constantTimeEqual(await defaultClientSecretHasher(clientSecret), storedClientSecret);
+		if (typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret) return constantTimeEqual(await opts.storeClientSecret.hash(clientSecret), storedClientSecret);
+		if (typeof opts.storeClientSecret === "object" && "decrypt" in opts.storeClientSecret) return constantTimeEqual(await opts.storeClientSecret.decrypt(storedClientSecret), clientSecret);
+		return constantTimeEqual(clientSecret, storedClientSecret);
 	}
 	return {
 		id: "oidc-provider",
@@ -378,25 +375,43 @@ const oidcProvider = (options) => {
 				});
 				let { client_id, client_secret } = body;
 				const authorization = ctx.request?.headers.get("authorization") || null;
-				if (authorization && !client_id && !client_secret && authorization.startsWith("Basic ")) try {
-					const encoded = authorization.replace("Basic ", "");
-					const decoded = new TextDecoder().decode(base64.decode(encoded));
-					if (!decoded.includes(":")) throw new APIError("UNAUTHORIZED", {
+				if (authorization && !client_secret && authorization.startsWith("Basic ")) {
+					let decoded;
+					try {
+						const encoded = authorization.replace("Basic ", "");
+						decoded = new TextDecoder().decode(base64.decode(encoded));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
+					const colonIndex = decoded.indexOf(":");
+					if (colonIndex === -1) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					const [id, secret] = decoded.split(":");
+					let id;
+					let secret;
+					try {
+						id = decodeURIComponent(decoded.slice(0, colonIndex));
+						secret = decodeURIComponent(decoded.slice(colonIndex + 1));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
 					if (!id || !secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					client_id = id;
-					client_secret = secret;
-				} catch {
-					throw new APIError("UNAUTHORIZED", {
-						error_description: "invalid authorization header format",
+					if (client_id && client_id.toString() !== id) throw new APIError("UNAUTHORIZED", {
+						error_description: "client_id in body does not match Authorization header",
 						error: "invalid_client"
 					});
+					client_id = id;
+					client_secret = secret;
 				}
 				const now = Date.now();
 				const iat = Math.floor(now / 1e3);
@@ -428,6 +443,25 @@ const oidcProvider = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					const refreshClient = await getClient(client_id.toString(), trustedClients);
+					if (!refreshClient) throw new APIError("UNAUTHORIZED", {
+						error_description: "invalid client_id",
+						error: "invalid_client"
+					});
+					if (refreshClient.disabled) throw new APIError("UNAUTHORIZED", {
+						error_description: "client is disabled",
+						error: "invalid_client"
+					});
+					if (refreshClient.type !== "public") {
+						if (!refreshClient.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
+							error_description: "client_secret is required for confidential clients",
+							error: "invalid_client"
+						});
+						if (!await verifyStoredClientSecret(ctx, refreshClient.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid client_secret",
+							error: "invalid_client"
+						});
+					}
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const newRefreshToken = generateRandomString(32, "a-z", "A-Z");
 					await ctx.context.adapter.create({
@@ -460,20 +494,11 @@ const oidcProvider = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				/**
-				* We need to check if the code is valid before we can proceed
-				* with the rest of the request.
-				*/
-				const verificationValue = await ctx.context.internalAdapter.findVerificationValue(code.toString());
+				const verificationValue = await ctx.context.internalAdapter.consumeVerificationValue(code.toString());
 				if (!verificationValue) throw new APIError("UNAUTHORIZED", {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"
@@ -527,12 +552,13 @@ const oidcProvider = (options) => {
 						error: "invalid_client"
 					});
 				}
-				if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
-					error_description: "code verification failed",
-					error: "invalid_request"
-				});
+				if (value.codeChallenge) {
+					if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
+						error_description: "code verification failed",
+						error: "invalid_request"
+					});
+				}
 				const requestedScopes = value.scope;
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				const accessToken = generateRandomString(32, "a-z", "A-Z");
 				const refreshToken = generateRandomString(32, "A-Z", "a-z");
 				await ctx.context.adapter.create({

package/dist/plugins/one-tap/index.mjs

@@ -71,14 +71,19 @@ const oneTap = (options) => ({
 				user: parseUserOutput(ctx.context.options, newUser.user)
 			});
 		}
-		if (!await ctx.context.internalAdapter.findAccount(sub)) if ((ctx.context.options.account?.accountLinking)?.enabled !== false && (ctx.context.trustedProviders.includes("google") || email_verified)) await ctx.context.internalAdapter.linkAccount({
-			userId: user.user.id,
-			providerId: "google",
-			accountId: sub,
-			scope: "openid,profile,email",
-			idToken
-		});
-		else throw new APIError("UNAUTHORIZED", { message: "Google sub doesn't match" });
+		if (!await ctx.context.internalAdapter.findAccount(sub)) {
+			const accountLinking = ctx.context.options.account?.accountLinking;
+			const providerEmailVerified = typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified);
+			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
+			if (accountLinking?.enabled !== false && accountLinking?.disableImplicitLinking !== true && (!requireLocalEmailVerified || user.user.emailVerified) && (ctx.context.trustedProviders.includes("google") || providerEmailVerified)) await ctx.context.internalAdapter.linkAccount({
+				userId: user.user.id,
+				providerId: "google",
+				accountId: sub,
+				scope: "openid,profile,email",
+				idToken
+			});
+			else throw new APIError("UNAUTHORIZED", { message: "Google identity cannot be linked: implicit account-linking is disabled, the local email is not verified, or the Google email_verified claim is false and Google is not a trusted provider" });
+		}
 		const session = await ctx.context.internalAdapter.createSession(user.user.id);
 		await setSessionCookie(ctx, {
 			user: user.user,

package/dist/plugins/open-api/generator.mjs

@@ -1,6 +1,7 @@
 import { db_exports } from "../../db/index.mjs";
 import { getEndpoints } from "../../api/index.mjs";
 import * as z from "zod";
+import { toPascalCase } from "@better-auth/core/utils/string";
 //#region src/plugins/open-api/generator.ts
 const allowedType = new Set([
 	"string",
@@ -156,7 +157,7 @@ function getResponse(responses) {
 			} } },
 			description: "Internal Server Error. This is a problem with the server that you cannot fix."
 		},
-		...responses
+		...responses ? structuredClone(responses) : {}
 	};
 }
 function toOpenApiPath(path) {
@@ -196,6 +197,16 @@ async function generator(ctx, options) {
 		return acc;
 	}, {}) } };
 	const paths = {};
+	const seenOperationIds = /* @__PURE__ */ new Set();
+	const uniqueOperationId = (operationId, method) => {
+		if (!operationId) return void 0;
+		const base = seenOperationIds.has(operationId) ? `${operationId}${toPascalCase(method)}` : operationId;
+		let result = base;
+		let n = 2;
+		while (seenOperationIds.has(result)) result = `${base}${n++}`;
+		seenOperationIds.add(result);
+		return result;
+	};
 	Object.entries(baseEndpoints.api).forEach(([_, value]) => {
 		if (!value.path || ctx.options.disabledPaths?.includes(value.path)) return;
 		const options = value.options;
@@ -207,7 +218,7 @@ async function generator(ctx, options) {
 			[method.toLowerCase()]: {
 				tags: ["Default", ...options.metadata?.openapi?.tags || []],
 				description: options.metadata?.openapi?.description,
-				operationId: options.metadata?.openapi?.operationId,
+				operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 				security: [{ bearerAuth: [] }],
 				parameters: getParameters(options),
 				responses: getResponse(options.metadata?.openapi?.responses)
@@ -220,7 +231,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: ["Default", ...options.metadata?.openapi?.tags || []],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					...body ? { requestBody: body } : { requestBody: { content: { "application/json": { schema: {
@@ -253,7 +264,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					responses: getResponse(options.metadata?.openapi?.responses)
@@ -264,7 +275,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					requestBody: getRequestBody(options),