create-croissant 0.1.0 → 0.1.2

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/validate-authorization-code.ts

@@ -0,0 +1,180 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import type { AwaitableFunction } from "../types";
+import type { ProviderOptions } from "./index";
+import { getOAuth2Tokens } from "./index";
+
+export async function authorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	options = typeof options === "function" ? await options() : options;
+	return createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+}
+
+/**
+ * @deprecated use async'd authorizationCodeRequest instead
+ */
+export function createAuthorizationCodeRequest({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: Partial<ProviderOptions>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	const body = new URLSearchParams();
+	const requestHeaders: Record<string, any> = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers,
+	};
+
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) {
+		if (typeof resource === "string") {
+			body.append("resource", resource);
+		} else {
+			for (const _resource of resource) {
+				body.append("resource", _resource);
+			}
+		}
+	}
+	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
+	// Fixes compatibility with providers like Notion, Twitter, etc.
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		const encodedCredentials = base64.encode(
+			`${primaryClientId}:${options.clientSecret ?? ""}`,
+		);
+		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId)
+			? options.clientId[0]
+			: options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) {
+			body.set("client_secret", options.clientSecret);
+		}
+	}
+
+	for (const [key, value] of Object.entries(additionalParams)) {
+		if (!body.has(key)) body.append(key, value);
+	}
+
+	return {
+		body,
+		headers: requestHeaders,
+	};
+}
+
+export async function validateAuthorizationCode({
+	code,
+	codeVerifier,
+	redirectURI,
+	options,
+	tokenEndpoint,
+	authentication,
+	deviceId,
+	headers,
+	additionalParams = {},
+	resource,
+}: {
+	code: string;
+	redirectURI: string;
+	options: AwaitableFunction<Partial<ProviderOptions>>;
+	codeVerifier?: string | undefined;
+	deviceId?: string | undefined;
+	tokenEndpoint: string;
+	authentication?: ("basic" | "post") | undefined;
+	headers?: Record<string, string> | undefined;
+	additionalParams?: Record<string, string> | undefined;
+	resource?: (string | string[]) | undefined;
+}) {
+	const { body, headers: requestHeaders } = await authorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource,
+	});
+
+	const { data, error } = await betterFetch<object>(tokenEndpoint, {
+		method: "POST",
+		body: body,
+		headers: requestHeaders,
+	});
+	if (error) {
+		throw error;
+	}
+	const tokens = getOAuth2Tokens(data);
+	return tokens;
+}
+
+export async function validateToken(
+	token: string,
+	jwksEndpoint: string,
+	options?: {
+		audience?: string | string[];
+		issuer?: string | string[];
+	},
+) {
+	const jwks = createRemoteJWKSet(new URL(jwksEndpoint));
+	const verified = await jwtVerify(token, jwks, {
+		audience: options?.audience,
+		issuer: options?.issuer,
+	});
+	return verified;
+}

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/verify.ts

@@ -0,0 +1,221 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { APIError } from "better-call";
+import type {
+	JSONWebKeySet,
+	JWTPayload,
+	JWTVerifyOptions,
+	ProtectedHeaderParameters,
+} from "jose";
+import {
+	createLocalJWKSet,
+	decodeProtectedHeader,
+	jwtVerify,
+	UnsecuredJWT,
+} from "jose";
+import { logger } from "../env";
+
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks: JSONWebKeySet | undefined;
+
+export interface VerifyAccessTokenRemote {
+	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+	introspectUrl: string;
+	/** Client Secret */
+	clientId: string;
+	/** Client Secret */
+	clientSecret: string;
+	/**
+	 * Forces remote verification of a token.
+	 * This ensures attached session (if applicable)
+	 * is also still active.
+	 */
+	force?: boolean;
+}
+
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+export async function verifyJwsAccessToken(
+	token: string,
+	opts: {
+		/** Jwks url or promise of a Jwks */
+		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+		/** Verify options */
+		verifyOptions: JWTVerifyOptions &
+			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+	},
+) {
+	try {
+		const jwks = await getJwks(token, opts);
+		const jwt = await jwtVerify<JWTPayload>(
+			token,
+			createLocalJWKSet(jwks),
+			opts.verifyOptions,
+		);
+		// Return the JWT payload in introspection format
+		// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
+		if (jwt.payload.azp) {
+			jwt.payload.client_id = jwt.payload.azp;
+		}
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error as unknown as string);
+	}
+}
+
+export async function getJwks(
+	token: string,
+	opts: {
+		/** Jwks url or promise of a Jwks */
+		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+	},
+) {
+	// Attempt to decode the token and find a matching kid in jwks
+	let jwtHeaders: ProtectedHeaderParameters | undefined;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error as unknown as string);
+	}
+
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+
+	// Fetch jwks if not set or has a different kid than the one stored
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks =
+			typeof opts.jwksFetch === "string"
+				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
+						headers: {
+							Accept: "application/json",
+						},
+					}).then(async (res) => {
+						if (res.error)
+							throw new Error(
+								`Jwks failed: ${res.error.message ?? res.error.statusText}`,
+							);
+						return res.data;
+					})
+				: await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+
+	return jwks;
+}
+
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+export async function verifyAccessToken(
+	token: string,
+	opts: {
+		/** Verify options */
+		verifyOptions: JWTVerifyOptions &
+			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+		/** Scopes to additionally verify. Token must include all but not exact. */
+		scopes?: string[];
+		/** Required to verify access token locally */
+		jwksUrl?: string;
+		/** If provided, can verify a token remotely */
+		remoteVerify?: VerifyAccessTokenRemote;
+	},
+) {
+	let payload: JWTPayload | undefined;
+	// Locally verify
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) {
+		try {
+			payload = await verifyJwsAccessToken(token, {
+				jwksFetch: opts.jwksUrl,
+				verifyOptions: opts.verifyOptions,
+			});
+		} catch (error) {
+			if (error instanceof Error) {
+				if (error.name === "TypeError" || error.name === "JWSInvalid") {
+					// likely an opaque token (continue)
+				} else if (error.name === "JWTExpired") {
+					throw new APIError("UNAUTHORIZED", {
+						message: "token expired",
+					});
+				} else if (error.name === "JWTInvalid") {
+					throw new APIError("UNAUTHORIZED", {
+						message: "token invalid",
+					});
+				} else {
+					throw error;
+				}
+			} else {
+				throw new Error(error as unknown as string);
+			}
+		}
+	}
+
+	// Remote verify
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch<
+			JWTPayload & {
+				active: boolean;
+			}
+		>(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded",
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token",
+			}).toString(),
+		});
+		if (introspectError)
+			logger.error(
+				`Introspection failed: ${introspectError.message ?? introspectError.statusText}`,
+			);
+		if (!introspect)
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "introspection failed",
+			});
+		if (!introspect.active)
+			throw new APIError("UNAUTHORIZED", {
+				message: "token inactive",
+			});
+		// Verifies payload using verify options (token valid through introspect)
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			const verify = introspect.aud
+				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
+				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
+			payload = verify.payload;
+		} catch (error) {
+			throw new Error(error as unknown as string);
+		}
+	}
+
+	if (!payload)
+		throw new APIError("UNAUTHORIZED", {
+			message: `no token payload`,
+		});
+
+	// Check scopes if provided
+	if (opts.scopes) {
+		const validScopes = new Set(
+			(payload.scope as string | undefined)?.split(" "),
+		);
+		for (const sc of opts.scopes) {
+			if (!validScopes.has(sc)) {
+				throw new APIError("FORBIDDEN", {
+					message: `invalid scope ${sc}`,
+				});
+			}
+		}
+	}
+
+	return payload;
+}

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/apple.ts

@@ -0,0 +1,231 @@
+import { betterFetch } from "@better-fetch/fetch";
+
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { logger } from "../env";
+import { APIError, BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	getPrimaryClientId,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+export interface AppleProfile {
+	/**
+	 * The subject registered claim identifies the principal that’s the subject
+	 * of the identity token. Because this token is for your app, the value is
+	 * the unique identifier for the user.
+	 */
+	sub: string;
+	/**
+	 * A String value representing the user's email address.
+	 * The email address is either the user's real email address or the proxy
+	 * address, depending on their status private email relay service.
+	 */
+	email: string;
+	/**
+	 * A string or Boolean value that indicates whether the service verifies
+	 * the email. The value can either be a string ("true" or "false") or a
+	 * Boolean (true or false). The system may not verify email addresses for
+	 * Sign in with Apple at Work & School users, and this claim is "false" or
+	 * false for those users.
+	 */
+	email_verified: true | "true";
+	/**
+	 * A string or Boolean value that indicates whether the email that the user
+	 * shares is the proxy address. The value can either be a string ("true" or
+	 * "false") or a Boolean (true or false).
+	 */
+	is_private_email: boolean;
+	/**
+	 * An Integer value that indicates whether the user appears to be a real
+	 * person. Use the value of this claim to mitigate fraud. The possible
+	 * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+	 * more information, see ASUserDetectionStatus. This claim is present only
+	 * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+	 * and later. The claim isn’t present or supported for web-based apps.
+	 */
+	real_user_status: number;
+	/**
+	 * The user’s full name in the format provided during the authorization
+	 * process.
+	 */
+	name: string;
+	/**
+	 * The URL to the user's profile picture.
+	 */
+	picture: string;
+	user?: AppleNonConformUser | undefined;
+}
+
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+export interface AppleNonConformUser {
+	name: {
+		firstName: string;
+		lastName: string;
+	};
+	email: string;
+}
+
+export interface AppleOptions extends ProviderOptions<AppleProfile> {
+	clientId: string | string[];
+	appBundleIdentifier?: string | undefined;
+	audience?: (string | string[]) | undefined;
+}
+
+export const apple = (options: AppleOptions) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error(
+					"Client ID and client secret are required for Apple. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token",
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+			try {
+				const decodedHeader = decodeProtectedHeader(token);
+				const { kid, alg: jwtAlg } = decodedHeader;
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getApplePublicKey(kid);
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
+					algorithms: [jwtAlg],
+					issuer: "https://appleid.apple.com",
+					audience:
+						options.audience && options.audience.length
+							? options.audience
+							: options.appBundleIdentifier
+								? options.appBundleIdentifier
+								: options.clientId,
+					maxTokenAge: "1h",
+				});
+				["email_verified", "is_private_email"].forEach((field) => {
+					if (jwtClaims[field] !== undefined) {
+						jwtClaims[field] = Boolean(jwtClaims[field]);
+					}
+				});
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+				return !!jwtClaims;
+			} catch {
+				return false;
+			}
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options,
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const profile = decodeJwt<AppleProfile>(token.idToken);
+			if (!profile) {
+				return null;
+			}
+
+			// TODO: "" masking will be removed when the name field is made optional
+			let name: string;
+			if (token.user?.name) {
+				const firstName = token.user.name.firstName || "";
+				const lastName = token.user.name.lastName || "";
+				const fullName = `${firstName} ${lastName}`.trim();
+				name = fullName;
+			} else {
+				name = profile.name || "";
+			}
+
+			const emailVerified =
+				typeof profile.email_verified === "boolean"
+					? profile.email_verified
+					: profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name,
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified: emailVerified,
+					email: profile.email,
+					...userMap,
+				},
+				data: enrichedProfile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<AppleProfile>;
+};
+
+export const getApplePublicKey = async (kid: string) => {
+	const APPLE_BASE_URL = "https://appleid.apple.com";
+	const JWKS_APPLE_URI = "/auth/keys";
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+		}>;
+	}>(`${APPLE_BASE_URL}${JWKS_APPLE_URI}`);
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+	return await importJWK(jwk, jwk.alg);
+};