create-croissant 0.1.0 → 0.1.2

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/microsoft-entra-id.ts

@@ -0,0 +1,352 @@
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { logger } from "../env";
+import { APIError, BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	getPrimaryClientId,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+/**
+ * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
+ */
+export interface MicrosoftEntraIDProfile extends Record<string, any> {
+	/** Identifies the intended recipient of the token */
+	aud: string;
+	/** Identifies the issuer, or "authorization server" that constructs and returns the token */
+	iss: string;
+	/** Indicates when the authentication for the token occurred */
+	iat: Date;
+	/** Records the identity provider that authenticated the subject of the token */
+	idp: string;
+	/** Identifies the time before which the JWT can't be accepted for processing */
+	nbf: Date;
+	/** Identifies the expiration time on or after which the JWT can't be accepted for processing */
+	exp: Date;
+	/** Code hash included in ID tokens when issued with an OAuth 2.0 authorization code */
+	c_hash: string;
+	/** Access token hash included in ID tokens when issued with an OAuth 2.0 access token */
+	at_hash: string;
+	/** Internal claim used to record data for token reuse */
+	aio: string;
+	/** The primary username that represents the user */
+	preferred_username: string;
+	/** User's email address */
+	email: string;
+	/** Human-readable value that identifies the subject of the token */
+	name: string;
+	/** Matches the parameter included in the original authorize request */
+	nonce: string;
+	/** User's profile picture */
+	picture: string;
+	/** Immutable identifier for the user account */
+	oid: string;
+	/** Set of roles assigned to the user */
+	roles: string[];
+	/** Internal claim used to revalidate tokens */
+	rh: string;
+	/** Subject identifier - unique to application ID */
+	sub: string;
+	/** Tenant ID the user is signing in to */
+	tid: string;
+	/** Unique identifier for a session */
+	sid: string;
+	/** Token identifier claim */
+	uti: string;
+	/** Indicates if user is in at least one group */
+	hasgroups: boolean;
+	/** User account status in tenant (0 = member, 1 = guest) */
+	acct: 0 | 1;
+	/** Auth Context IDs */
+	acrs: string;
+	/** Time when the user last authenticated */
+	auth_time: Date;
+	/** User's country/region */
+	ctry: string;
+	/** IP address of requesting client when inside VNET */
+	fwd: string;
+	/** Group claims */
+	groups: string;
+	/** Login hint for SSO */
+	login_hint: string;
+	/** Resource tenant's country/region */
+	tenant_ctry: string;
+	/** Region of the resource tenant */
+	tenant_region_scope: string;
+	/** UserPrincipalName */
+	upn: string;
+	/** User's verified primary email addresses */
+	verified_primary_email: string[];
+	/** User's verified secondary email addresses */
+	verified_secondary_email: string[];
+	/** Whether the user's email is verified (optional claim, must be configured in app registration) */
+	email_verified?: boolean | undefined;
+	/** VNET specifier information */
+	vnet: string;
+	/** Client Capabilities */
+	xms_cc: string;
+	/** Whether user's email domain is verified */
+	xms_edov: boolean;
+	/** Preferred data location for Multi-Geo tenants */
+	xms_pdl: string;
+	/** User preferred language */
+	xms_pl: string;
+	/** Tenant preferred language */
+	xms_tpl: string;
+	/** Zero-touch Deployment ID */
+	ztdid: string;
+	/** IP Address */
+	ipaddr: string;
+	/** On-premises Security Identifier */
+	onprem_sid: string;
+	/** Password Expiration Time */
+	pwd_exp: number;
+	/** Change Password URL */
+	pwd_url: string;
+	/** Inside Corporate Network flag */
+	in_corp: string;
+	/** User's family name/surname */
+	family_name: string;
+	/** User's given/first name */
+	given_name: string;
+}
+
+export interface MicrosoftOptions
+	extends ProviderOptions<MicrosoftEntraIDProfile> {
+	clientId: string | string[];
+	/**
+	 * The tenant ID of the Microsoft account
+	 * @default "common"
+	 */
+	tenantId?: string | undefined;
+	/**
+	 * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
+	 * @default "https://login.microsoftonline.com"
+	 */
+	authority?: string | undefined;
+	/**
+	 * The size of the profile photo
+	 * @default 48
+	 */
+	profilePhotoSize?:
+		| (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648)
+		| undefined;
+	/**
+	 * Disable profile photo
+	 */
+	disableProfilePhoto?: boolean | undefined;
+}
+
+export const microsoft = (options: MicrosoftOptions) => {
+	const tenant = options.tenantId || "common";
+	const authority = options.authority || "https://login.microsoftonline.com";
+	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
+	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	return {
+		id: "microsoft",
+		name: "Microsoft EntraID",
+		createAuthorizationURL(data) {
+			// Microsoft Entra supports public clients (SPA / native apps with
+			// PKCE only), so clientSecret is intentionally not required here.
+			// See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error(
+					"Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			const scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email", "User.Read", "offline_access"];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "microsoft",
+				options,
+				authorizationEndpoint,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				scopes,
+				redirectURI: data.redirectURI,
+				prompt: options.prompt,
+				loginHint: data.loginHint,
+			});
+		},
+		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) {
+				return false;
+			}
+			if (options.verifyIdToken) {
+				return options.verifyIdToken(token, nonce);
+			}
+
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+
+				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
+				const verifyOptions: {
+					algorithms: [string];
+					audience: string | string[];
+					maxTokenAge: string;
+					issuer?: string;
+				} = {
+					algorithms: [jwtAlg],
+					audience: options.clientId,
+					maxTokenAge: "1h",
+				};
+				/**
+				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
+				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+				 */
+				if (
+					tenant !== "common" &&
+					tenant !== "organizations" &&
+					tenant !== "consumers"
+				) {
+					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+				}
+				const { payload: jwtClaims } = await jwtVerify(
+					token,
+					publicKey,
+					verifyOptions,
+				);
+
+				if (nonce && jwtClaims.nonce !== nonce) {
+					return false;
+				}
+
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as MicrosoftEntraIDProfile;
+			const profilePhotoSize = options.profilePhotoSize || 48;
+			await betterFetch<ArrayBuffer>(
+				`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`,
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+					async onResponse(context) {
+						if (options.disableProfilePhoto || !context.response.ok) {
+							return;
+						}
+						try {
+							const response = context.response.clone();
+							const pictureBuffer = await response.arrayBuffer();
+							const pictureBase64 = base64.encode(pictureBuffer);
+							user.picture = `data:image/jpeg;base64, ${pictureBase64}`;
+						} catch (e) {
+							logger.error(
+								e && typeof e === "object" && "name" in e
+									? (e.name as string)
+									: "",
+								e,
+							);
+						}
+					},
+				},
+			);
+			const userMap = await options.mapProfileToUser?.(user);
+			// Microsoft Entra ID does NOT include email_verified claim by default.
+			// It must be configured as an optional claim in the app registration.
+			// We default to false when not provided for security consistency.
+			// We can also check verified_primary_email/verified_secondary_email arrays as fallback.
+			const emailVerified =
+				user.email_verified !== undefined
+					? user.email_verified
+					: user.email &&
+							(user.verified_primary_email?.includes(user.email) ||
+								user.verified_secondary_email?.includes(user.email))
+						? true
+						: false;
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const scopes = options.disableDefaultScope
+						? []
+						: ["openid", "profile", "email", "User.Read", "offline_access"];
+					if (options.scope) scopes.push(...options.scope);
+
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientSecret: options.clientSecret,
+						},
+						extraParams: {
+							scope: scopes.join(" "), // Include the scopes in request to microsoft
+						},
+						tokenEndpoint,
+					});
+				},
+		options,
+	} satisfies OAuthProvider;
+};
+
+export const getMicrosoftPublicKey = async (
+	kid: string,
+	tenant: string,
+	authority: string,
+) => {
+	const { data } = await betterFetch<{
+		keys: Array<{
+			kid: string;
+			alg: string;
+			kty: string;
+			use: string;
+			n: string;
+			e: string;
+			x5c?: string[];
+			x5t?: string;
+		}>;
+	}>(`${authority}/${tenant}/discovery/v2.0/keys`);
+
+	if (!data?.keys) {
+		throw new APIError("BAD_REQUEST", {
+			message: "Keys not found",
+		});
+	}
+
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) {
+		throw new Error(`JWK with kid ${kid} not found`);
+	}
+
+	return await importJWK(jwk, jwk.alg);
+};

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/naver.ts

@@ -0,0 +1,113 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface NaverProfile {
+	/** API response result code */
+	resultcode: string;
+	/** API response message */
+	message: string;
+	response: {
+		/** Unique Naver user identifier */
+		id: string;
+		/** User nickname */
+		nickname: string;
+		/** User real name */
+		name: string;
+		/** User email address */
+		email: string;
+		/** Gender (F: female, M: male, U: unknown) */
+		gender: string;
+		/** Age range */
+		age: string;
+		/** Birthday (MM-DD format) */
+		birthday: string;
+		/** Birth year */
+		birthyear: string;
+		/** Profile image URL */
+		profile_image: string;
+		/** Mobile phone number */
+		mobile: string;
+	};
+}
+
+export interface NaverOptions extends ProviderOptions<NaverProfile> {
+	clientId: string;
+}
+
+export const naver = (options: NaverOptions) => {
+	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
+	return {
+		id: "naver",
+		name: "Naver",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "naver",
+				options,
+				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<NaverProfile>(
+				"https://openapi.naver.com/v1/nid/me",
+				{
+					headers: {
+						Authorization: `Bearer ${token.accessToken}`,
+					},
+				},
+			);
+			if (error || !profile || profile.resultcode !== "00") {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(profile);
+			const res = profile.response || {};
+			const user = {
+				id: res.id,
+				name: res.name || res.nickname || "",
+				email: res.email,
+				image: res.profile_image,
+				emailVerified: false,
+				...userMap,
+			};
+			return {
+				user,
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<NaverProfile>;
+};

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/notion.ts

@@ -0,0 +1,108 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface NotionProfile {
+	object: "user";
+	id: string;
+	type: "person" | "bot";
+	name?: string | undefined;
+	avatar_url?: string | undefined;
+	person?:
+		| {
+				email?: string;
+		  }
+		| undefined;
+}
+
+export interface NotionOptions extends ProviderOptions<NotionProfile> {
+	clientId: string;
+}
+
+export const notion = (options: NotionOptions) => {
+	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
+	return {
+		id: "notion",
+		name: "Notion",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes: string[] = options.disableDefaultScope ? [] : [];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "notion",
+				options,
+				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint,
+				additionalParams: {
+					owner: "user",
+				},
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint,
+				authentication: "basic",
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			const { data: profile, error } = await betterFetch<{
+				bot: {
+					owner: {
+						user: NotionProfile;
+					};
+				};
+			}>("https://api.notion.com/v1/users/me", {
+				headers: {
+					Authorization: `Bearer ${token.accessToken}`,
+					"Notion-Version": "2022-06-28",
+				},
+			});
+			if (error || !profile) {
+				return null;
+			}
+			const userProfile = profile.bot?.owner?.user;
+			if (!userProfile) {
+				return null;
+			}
+			const userMap = await options.mapProfileToUser?.(userProfile);
+			return {
+				user: {
+					id: userProfile.id,
+					name: userProfile.name || "",
+					email: userProfile.person?.email || null,
+					image: userProfile.avatar_url,
+					emailVerified: false,
+					...userMap,
+				},
+				data: userProfile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<NotionProfile>;
+};

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/paybin.ts

@@ -0,0 +1,118 @@
+import { decodeJwt } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import {
+	createAuthorizationURL,
+	refreshAccessToken,
+	validateAuthorizationCode,
+} from "../oauth2";
+
+export interface PaybinProfile {
+	sub: string;
+	email: string;
+	email_verified?: boolean | undefined;
+	name?: string | undefined;
+	preferred_username?: string | undefined;
+	picture?: string | undefined;
+	given_name?: string | undefined;
+	family_name?: string | undefined;
+}
+
+export interface PaybinOptions extends ProviderOptions<PaybinProfile> {
+	clientId: string;
+	/**
+	 * The issuer URL of your Paybin OAuth server
+	 * @default "https://idp.paybin.io"
+	 */
+	issuer?: string | undefined;
+}
+
+export const paybin = (options: PaybinOptions) => {
+	const issuer = options.issuer || "https://idp.paybin.io";
+	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
+	const tokenEndpoint = `${issuer}/oauth2/token`;
+
+	return {
+		id: "paybin",
+		name: "Paybin",
+		async createAuthorizationURL({
+			state,
+			scopes,
+			codeVerifier,
+			redirectURI,
+			loginHint,
+		}) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error(
+					"Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) {
+				throw new BetterAuthError("codeVerifier is required for Paybin");
+			}
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "email", "profile"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			const url = await createAuthorizationURL({
+				id: "paybin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				prompt: options.prompt,
+				loginHint,
+			});
+			return url;
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint,
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					return refreshAccessToken({
+						refreshToken,
+						options: {
+							clientId: options.clientId,
+							clientKey: options.clientKey,
+							clientSecret: options.clientSecret,
+						},
+						tokenEndpoint,
+					});
+				},
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+			if (!token.idToken) {
+				return null;
+			}
+			const user = decodeJwt(token.idToken) as PaybinProfile;
+			const userMap = await options.mapProfileToUser?.(user);
+			return {
+				user: {
+					id: user.sub,
+					name: user.name || user.preferred_username || "",
+					email: user.email,
+					image: user.picture,
+					emailVerified: user.email_verified || false,
+					...userMap,
+				},
+				data: user,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<PaybinProfile>;
+};