create-croissant 0.1.0 → 0.1.1

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/oauth-provider.ts

@@ -0,0 +1,222 @@
+import type { Awaitable, LiteralString } from "../types";
+
+export interface OAuth2Tokens {
+	tokenType?: string | undefined;
+	accessToken?: string | undefined;
+	refreshToken?: string | undefined;
+	accessTokenExpiresAt?: Date | undefined;
+	refreshTokenExpiresAt?: Date | undefined;
+	scopes?: string[] | undefined;
+	idToken?: string | undefined;
+	/**
+	 * Raw token response from the provider.
+	 * Preserves provider-specific fields that are not part of the standard OAuth2 token response.
+	 */
+	raw?: Record<string, unknown> | undefined;
+}
+
+export type OAuth2UserInfo = {
+	id: string | number;
+	name?: string | undefined;
+	email?: (string | null) | undefined;
+	image?: string | undefined;
+	emailVerified: boolean;
+};
+
+export interface OAuthProvider<
+	T extends Record<string, any> = Record<string, any>,
+	O extends Record<string, any> = Partial<ProviderOptions>,
+> {
+	id: LiteralString;
+	createAuthorizationURL: (data: {
+		state: string;
+		codeVerifier: string;
+		scopes?: string[] | undefined;
+		redirectURI: string;
+		display?: string | undefined;
+		loginHint?: string | undefined;
+	}) => Awaitable<URL>;
+	name: string;
+	validateAuthorizationCode: (data: {
+		code: string;
+		redirectURI: string;
+		codeVerifier?: string | undefined;
+		deviceId?: string | undefined;
+	}) => Promise<OAuth2Tokens | null>;
+	getUserInfo: (
+		token: OAuth2Tokens & {
+			/**
+			 * The user object from the provider
+			 * This is only available for some providers like Apple
+			 */
+			user?:
+				| {
+						name?: {
+							firstName?: string;
+							lastName?: string;
+						};
+						email?: string;
+				  }
+				| undefined;
+		},
+	) => Promise<{
+		user: OAuth2UserInfo;
+		data: T;
+	} | null>;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?:
+		| ((refreshToken: string) => Promise<OAuth2Tokens>)
+		| undefined;
+	revokeToken?: ((token: string) => Promise<void>) | undefined;
+	/**
+	 * Verify the id token
+	 * @param token - The id token
+	 * @param nonce - The nonce
+	 * @returns True if the id token is valid, false otherwise
+	 */
+	verifyIdToken?:
+		| ((token: string, nonce?: string) => Promise<boolean>)
+		| undefined;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean | undefined;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean | undefined;
+	/**
+	 * Options for the provider
+	 */
+	options?: O | undefined;
+}
+
+export type ProviderOptions<Profile extends Record<string, any> = any> = {
+	/**
+	 * The client ID of your application.
+	 *
+	 * This is usually a string but can be any type depending on the provider.
+	 */
+	clientId?: unknown | undefined;
+	/**
+	 * The client secret of your application
+	 */
+	clientSecret?: string | undefined;
+	/**
+	 * The scopes you want to request from the provider
+	 */
+	scope?: string[] | undefined;
+	/**
+	 * Remove default scopes of the provider
+	 */
+	disableDefaultScope?: boolean | undefined;
+	/**
+	 * The redirect URL for your application. This is where the provider will
+	 * redirect the user after the sign in process. Make sure this URL is
+	 * whitelisted in the provider's dashboard.
+	 */
+	redirectURI?: string | undefined;
+	/**
+	 * Custom authorization endpoint URL.
+	 * Use this to override the default authorization endpoint of the provider.
+	 * Useful for testing with local OAuth servers or using sandbox environments.
+	 */
+	authorizationEndpoint?: string | undefined;
+	/**
+	 * The client key of your application
+	 * Tiktok Social Provider uses this field instead of clientId
+	 */
+	clientKey?: string | undefined;
+	/**
+	 * Disable provider from allowing users to sign in
+	 * with this provider with an id token sent from the
+	 * client.
+	 */
+	disableIdTokenSignIn?: boolean | undefined;
+	/**
+	 * verifyIdToken function to verify the id token
+	 */
+	verifyIdToken?:
+		| ((token: string, nonce?: string) => Promise<boolean>)
+		| undefined;
+	/**
+	 * Custom function to get user info from the provider
+	 */
+	getUserInfo?:
+		| ((token: OAuth2Tokens) => Promise<{
+				user: {
+					id: string;
+					name?: string;
+					email?: string | null;
+					image?: string;
+					emailVerified: boolean;
+					[key: string]: any;
+				};
+				data: any;
+		  } | null>)
+		| undefined;
+	/**
+	 * Custom function to refresh a token
+	 */
+	refreshAccessToken?:
+		| ((refreshToken: string) => Promise<OAuth2Tokens>)
+		| undefined;
+	/**
+	 * Custom function to map the provider profile to a
+	 * user.
+	 */
+	mapProfileToUser?:
+		| ((profile: Profile) =>
+				| {
+						id?: string;
+						name?: string;
+						email?: string | null;
+						image?: string;
+						emailVerified?: boolean;
+						[key: string]: any;
+				  }
+				| Promise<{
+						id?: string;
+						name?: string;
+						email?: string | null;
+						image?: string;
+						emailVerified?: boolean;
+						[key: string]: any;
+				  }>)
+		| undefined;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean | undefined;
+	/**
+	 * Disable sign up for new users.
+	 */
+	disableSignUp?: boolean | undefined;
+	/**
+	 * The prompt to use for the authorization code request
+	 */
+	prompt?:
+		| (
+				| "select_account"
+				| "consent"
+				| "login"
+				| "none"
+				| "select_account consent"
+		  )
+		| undefined;
+	/**
+	 * The response mode to use for the authorization code request
+	 */
+	responseMode?: ("query" | "form_post") | undefined;
+	/**
+	 * If enabled, the user info will be overridden with the provider user info
+	 * This is useful if you want to use the provider user info to update the user info
+	 *
+	 * @default false
+	 */
+	overrideUserInfoOnSignIn?: boolean | undefined;
+};

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/refresh-access-token.ts

@@ -0,0 +1,157 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import type { AwaitableFunction } from "../types";
+import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
+
+export async function refreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd refreshAccessTokenRequest instead
+ */
+export function createRefreshAccessTokenRequest({
+	refreshToken,
+	options,
+	authentication,
+	extraParams,
+	resource,
+}: {
+	refreshToken: string;
+	options: ProviderOptions;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	const body = new URLSearchParams();
+	const headers: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+	};
+
+	body.set("grant_type", "refresh_token");
+	body.set("refresh_token", refreshToken);
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		if (primaryClientId) {
+			headers["authorization"] =
+				"Basic " +
+				base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
+		} else {
+			headers["authorization"] =
+				"Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
+		}
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	if (extraParams) {
+		for (const [key, value] of Object.entries(extraParams)) {
+			body.set(key, value);
+		}
+	}
+
+	return {
+		body,
+		headers,
+	};
+}
+
+export async function refreshAccessToken({
+	refreshToken,
+	options,
+	tokenEndpoint,
+	authentication,
+	extraParams,
+}: {
+	refreshToken: string;
+	options: Partial<ProviderOptions>;
+	tokenEndpoint: string;
+	authentication?: ("basic" | "post") | undefined;
+	extraParams?: Record<string, string> | undefined;
+}): Promise<OAuth2Tokens> {
+	const { body, headers } = await createRefreshAccessTokenRequest({
+		refreshToken,
+		options,
+		authentication,
+		extraParams,
+	});
+
+	const { data, error } = await betterFetch<{
+		access_token: string;
+		refresh_token?: string | undefined;
+		expires_in?: number | undefined;
+		refresh_token_expires_in?: number | undefined;
+		token_type?: string | undefined;
+		scope?: string | undefined;
+		id_token?: string | undefined;
+	}>(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers,
+	});
+	if (error) {
+		throw error;
+	}
+	const tokens: OAuth2Tokens = {
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		tokenType: data.token_type,
+		scopes: data.scope?.split(" "),
+		idToken: data.id_token,
+	};
+
+	if (data.expires_in) {
+		const now = new Date();
+		tokens.accessTokenExpiresAt = new Date(
+			now.getTime() + data.expires_in * 1000,
+		);
+	}
+
+	if (data.refresh_token_expires_in) {
+		const now = new Date();
+		tokens.refreshTokenExpiresAt = new Date(
+			now.getTime() + data.refresh_token_expires_in * 1000,
+		);
+	}
+
+	return tokens;
+}

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/utils.ts

@@ -0,0 +1,38 @@
+import { base64Url } from "@better-auth/utils/base64";
+import type { OAuth2Tokens } from "./oauth-provider";
+
+export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
+	const getDate = (seconds: number) => {
+		const now = new Date();
+		return new Date(now.getTime() + seconds * 1000);
+	};
+
+	return {
+		tokenType: data.token_type,
+		accessToken: data.access_token,
+		refreshToken: data.refresh_token,
+		accessTokenExpiresAt: data.expires_in
+			? getDate(data.expires_in)
+			: undefined,
+		refreshTokenExpiresAt: data.refresh_token_expires_in
+			? getDate(data.refresh_token_expires_in)
+			: undefined,
+		scopes: data?.scope
+			? typeof data.scope === "string"
+				? data.scope.split(" ")
+				: data.scope
+			: [],
+		idToken: data.id_token,
+		// Preserve the raw token response for provider-specific fields
+		raw: data,
+	};
+}
+
+export async function generateCodeChallenge(codeVerifier: string) {
+	const encoder = new TextEncoder();
+	const data = encoder.encode(codeVerifier);
+	const hash = await crypto.subtle.digest("SHA-256", data);
+	return base64Url.encode(new Uint8Array(hash), {
+		padding: false,
+	});
+}

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/validate-authorization-code.ts

@@ -0,0 +1,180 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import type { AwaitableFunction } from "../types";
+import type { ProviderOptions } from "./index";
+import { getOAuth2Tokens } from "./index";
+
+export async function authorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd authorizationCodeRequest instead
+ */
+export function createAuthorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	const body = new URLSearchParams();
+	const requestHeaders: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers,
+	};
+
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		const encodedCredentials = base64.encode(
+			`${primaryClientId}:${options.clientSecret ?? ""}`,
+		);
+		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	for (const [key, value] of Object.entries(additionalParams)) {
+		if (!body.has(key)) body.append(key, value);
+	}
+
+	return {
+		body,
+		headers: requestHeaders,
+	};
+}
+
+export async function validateAuthorizationCode({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	tokenEndpoint,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	tokenEndpoint: string;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	const { body, headers: requestHeaders } = await authorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+
+	const { data, error } = await betterFetch<object>(tokenEndpoint, {
+		method: "POST",
+		body: body,
+		headers: requestHeaders,
+	});
+	if (error) {
+		throw error;
+	}
+	const tokens = getOAuth2Tokens(data);
+	return tokens;
+}
+
+export async function validateToken(
+	token: string,
+	jwksEndpoint: string,
+	options?: {
+		audience?: string | string[];
+		issuer?: string | string[];
+	},
+) {
+	const jwks = createRemoteJWKSet(new URL(jwksEndpoint));
+	const verified = await jwtVerify(token, jwks, {
+		audience: options?.audience,
+		issuer: options?.issuer,
+	});
+	return verified;
+}