create-croissant 0.1.0 → 0.1.2

package/template/apps/web/node_modules/@better-auth/core/dist/oauth2/validate-authorization-code.d.mts

@@ -0,0 +1,85 @@
+import { AwaitableFunction } from "../types/helper.mjs";
+import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import * as jose from "jose";
+
+//#region src/oauth2/validate-authorization-code.d.ts
+declare function authorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: AwaitableFunction<Partial<ProviderOptions>>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<{
+  body: URLSearchParams;
+  headers: Record<string, any>;
+}>;
+/**
+ * @deprecated use async'd authorizationCodeRequest instead
+ */
+declare function createAuthorizationCodeRequest({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: Partial<ProviderOptions>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): {
+  body: URLSearchParams;
+  headers: Record<string, any>;
+};
+declare function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint,
+  authentication,
+  deviceId,
+  headers,
+  additionalParams,
+  resource
+}: {
+  code: string;
+  redirectURI: string;
+  options: AwaitableFunction<Partial<ProviderOptions>>;
+  codeVerifier?: string | undefined;
+  deviceId?: string | undefined;
+  tokenEndpoint: string;
+  authentication?: ("basic" | "post") | undefined;
+  headers?: Record<string, string> | undefined;
+  additionalParams?: Record<string, string> | undefined;
+  resource?: (string | string[]) | undefined;
+}): Promise<OAuth2Tokens>;
+declare function validateToken(token: string, jwksEndpoint: string, options?: {
+  audience?: string | string[];
+  issuer?: string | string[];
+}): Promise<jose.JWTVerifyResult<jose.JWTPayload> & jose.ResolvedKey>;
+//#endregion
+export { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/template/apps/web/node_modules/@better-auth/core/dist/oauth2/validate-authorization-code.mjs

@@ -0,0 +1,79 @@
+import { getOAuth2Tokens } from "./utils.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+//#region src/oauth2/validate-authorization-code.ts
+async function authorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	options = typeof options === "function" ? await options() : options;
+	return createAuthorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+}
+/**
+* @deprecated use async'd authorizationCodeRequest instead
+*/
+function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const body = new URLSearchParams();
+	const requestHeaders = {
+		"content-type": "application/x-www-form-urlencoded",
+		accept: "application/json",
+		...headers
+	};
+	body.set("grant_type", "authorization_code");
+	body.set("code", code);
+	codeVerifier && body.set("code_verifier", codeVerifier);
+	options.clientKey && body.set("client_key", options.clientKey);
+	deviceId && body.set("device_id", deviceId);
+	body.set("redirect_uri", options.redirectURI || redirectURI);
+	if (resource) if (typeof resource === "string") body.append("resource", resource);
+	else for (const _resource of resource) body.append("resource", _resource);
+	if (authentication === "basic") {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
+	} else {
+		const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
+		body.set("client_id", primaryClientId);
+		if (options.clientSecret) body.set("client_secret", options.clientSecret);
+	}
+	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
+	return {
+		body,
+		headers: requestHeaders
+	};
+}
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, deviceId, headers, additionalParams = {}, resource }) {
+	const { body, headers: requestHeaders } = await authorizationCodeRequest({
+		code,
+		codeVerifier,
+		redirectURI,
+		options,
+		authentication,
+		deviceId,
+		headers,
+		additionalParams,
+		resource
+	});
+	const { data, error } = await betterFetch(tokenEndpoint, {
+		method: "POST",
+		body,
+		headers: requestHeaders
+	});
+	if (error) throw error;
+	return getOAuth2Tokens(data);
+}
+async function validateToken(token, jwksEndpoint, options) {
+	return await jwtVerify(token, createRemoteJWKSet(new URL(jwksEndpoint)), {
+		audience: options?.audience,
+		issuer: options?.issuer
+	});
+}
+//#endregion
+export { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };

package/template/apps/web/node_modules/@better-auth/core/dist/oauth2/verify.d.mts

@@ -0,0 +1,42 @@
+import { JSONWebKeySet, JWTPayload, JWTVerifyOptions } from "jose";
+
+//#region src/oauth2/verify.d.ts
+interface VerifyAccessTokenRemote {
+  /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+  introspectUrl: string;
+  /** Client Secret */
+  clientId: string;
+  /** Client Secret */
+  clientSecret: string;
+  /**
+   * Forces remote verification of a token.
+   * This ensures attached session (if applicable)
+   * is also still active.
+   */
+  force?: boolean;
+}
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyJwsAccessToken(token: string, opts: {
+  /** Jwks url or promise of a Jwks */jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>); /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+}): Promise<JWTPayload>;
+declare function getJwks(token: string, opts: {
+  /** Jwks url or promise of a Jwks */jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+}): Promise<JSONWebKeySet>;
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyAccessToken(token: string, opts: {
+  /** Verify options */verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>; /** Scopes to additionally verify. Token must include all but not exact. */
+  scopes?: string[]; /** Required to verify access token locally */
+  jwksUrl?: string; /** If provided, can verify a token remotely */
+  remoteVerify?: VerifyAccessTokenRemote;
+}): Promise<JWTPayload>;
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };

package/template/apps/web/node_modules/@better-auth/core/dist/oauth2/verify.mjs

@@ -0,0 +1,92 @@
+import { logger } from "../env/logger.mjs";
+import { APIError } from "better-call";
+import { betterFetch } from "@better-fetch/fetch";
+import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+//#region src/oauth2/verify.ts
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks;
+/**
+* Performs local verification of an access token for your APIs.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyJwsAccessToken(token, opts) {
+	try {
+		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+}
+async function getJwks(token, opts) {
+	let jwtHeaders;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+			return res.data;
+		}) : await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+	return jwks;
+}
+/**
+* Performs local verification of an access token for your API.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyAccessToken(token, opts) {
+	let payload;
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) try {
+		payload = await verifyJwsAccessToken(token, {
+			jwksFetch: opts.jwksUrl,
+			verifyOptions: opts.verifyOptions
+		});
+	} catch (error) {
+		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error.name === "JWTExpired") throw new APIError("UNAUTHORIZED", { message: "token expired" });
+		else if (error.name === "JWTInvalid") throw new APIError("UNAUTHORIZED", { message: "token invalid" });
+		else throw error;
+		else throw new Error(error);
+	}
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded"
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token"
+			}).toString()
+		});
+		if (introspectError) logger.error(`Introspection failed: ${introspectError.message ?? introspectError.statusText}`);
+		if (!introspect) throw new APIError("INTERNAL_SERVER_ERROR", { message: "introspection failed" });
+		if (!introspect.active) throw new APIError("UNAUTHORIZED", { message: "token inactive" });
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			payload = (introspect.aud ? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions) : UnsecuredJWT.decode(unsecuredJwt, verifyOptions)).payload;
+		} catch (error) {
+			throw new Error(error);
+		}
+	}
+	if (!payload) throw new APIError("UNAUTHORIZED", { message: `no token payload` });
+	if (opts.scopes) {
+		const validScopes = new Set(payload.scope?.split(" "));
+		for (const sc of opts.scopes) if (!validScopes.has(sc)) throw new APIError("FORBIDDEN", { message: `invalid scope ${sc}` });
+	}
+	return payload;
+}
+//#endregion
+export { getJwks, verifyAccessToken, verifyJwsAccessToken };

package/template/apps/web/node_modules/@better-auth/core/dist/social-providers/apple.d.mts

@@ -0,0 +1,126 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+//#region src/social-providers/apple.d.ts
+interface AppleProfile {
+  /**
+   * The subject registered claim identifies the principal that’s the subject
+   * of the identity token. Because this token is for your app, the value is
+   * the unique identifier for the user.
+   */
+  sub: string;
+  /**
+   * A String value representing the user's email address.
+   * The email address is either the user's real email address or the proxy
+   * address, depending on their status private email relay service.
+   */
+  email: string;
+  /**
+   * A string or Boolean value that indicates whether the service verifies
+   * the email. The value can either be a string ("true" or "false") or a
+   * Boolean (true or false). The system may not verify email addresses for
+   * Sign in with Apple at Work & School users, and this claim is "false" or
+   * false for those users.
+   */
+  email_verified: true | "true";
+  /**
+   * A string or Boolean value that indicates whether the email that the user
+   * shares is the proxy address. The value can either be a string ("true" or
+   * "false") or a Boolean (true or false).
+   */
+  is_private_email: boolean;
+  /**
+   * An Integer value that indicates whether the user appears to be a real
+   * person. Use the value of this claim to mitigate fraud. The possible
+   * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+   * more information, see ASUserDetectionStatus. This claim is present only
+   * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+   * and later. The claim isn’t present or supported for web-based apps.
+   */
+  real_user_status: number;
+  /**
+   * The user’s full name in the format provided during the authorization
+   * process.
+   */
+  name: string;
+  /**
+   * The URL to the user's profile picture.
+   */
+  picture: string;
+  user?: AppleNonConformUser | undefined;
+}
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
+ */
+interface AppleNonConformUser {
+  name: {
+    firstName: string;
+    lastName: string;
+  };
+  email: string;
+}
+interface AppleOptions extends ProviderOptions<AppleProfile> {
+  clientId: string | string[];
+  appBundleIdentifier?: string | undefined;
+  audience?: (string | string[]) | undefined;
+}
+declare const apple: (options: AppleOptions) => {
+  id: "apple";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?
+      /**
+      * An Integer value that indicates whether the user appears to be a real
+      * person. Use the value of this claim to mitigate fraud. The possible
+      * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+      * more information, see ASUserDetectionStatus. This claim is present only
+      * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+      * and later. The claim isn’t present or supported for web-based apps.
+      */
+      : {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AppleOptions;
+};
+declare const getApplePublicKey: (kid: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { AppleNonConformUser, AppleOptions, AppleProfile, apple, getApplePublicKey };

package/template/apps/web/node_modules/@better-auth/core/dist/social-providers/apple.mjs

@@ -0,0 +1,107 @@
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+//#region src/social-providers/apple.ts
+const apple = (options) => {
+	const tokenEndpoint = "https://appleid.apple.com/auth/token";
+	return {
+		id: "apple",
+		name: "Apple",
+		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Apple. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			return await createAuthorizationURL({
+				id: "apple",
+				options,
+				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
+				scopes: _scope,
+				state,
+				redirectURI,
+				responseMode: "form_post",
+				responseType: "code id_token"
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+				const { payload: jwtClaims } = await jwtVerify(token, await getApplePublicKey(kid), {
+					algorithms: [jwtAlg],
+					issuer: "https://appleid.apple.com",
+					audience: options.audience && options.audience.length ? options.audience : options.appBundleIdentifier ? options.appBundleIdentifier : options.clientId,
+					maxTokenAge: "1h"
+				});
+				["email_verified", "is_private_email"].forEach((field) => {
+					if (jwtClaims[field] !== void 0) jwtClaims[field] = Boolean(jwtClaims[field]);
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return !!jwtClaims;
+			} catch {
+				return false;
+			}
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options,
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const profile = decodeJwt(token.idToken);
+			if (!profile) return null;
+			let name;
+			if (token.user?.name) name = `${token.user.name.firstName || ""} ${token.user.name.lastName || ""}`.trim();
+			else name = profile.name || "";
+			const emailVerified = typeof profile.email_verified === "boolean" ? profile.email_verified : profile.email_verified === "true";
+			const enrichedProfile = {
+				...profile,
+				name
+			};
+			const userMap = await options.mapProfileToUser?.(enrichedProfile);
+			return {
+				user: {
+					id: profile.sub,
+					name: enrichedProfile.name,
+					emailVerified,
+					email: profile.email,
+					...userMap
+				},
+				data: enrichedProfile
+			};
+		},
+		options
+	};
+};
+const getApplePublicKey = async (kid) => {
+	const { data } = await betterFetch(`https://appleid.apple.com/auth/keys`);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+//#endregion
+export { apple, getApplePublicKey };

package/template/apps/web/node_modules/@better-auth/core/dist/social-providers/atlassian.d.mts

@@ -0,0 +1,70 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+//#region src/social-providers/atlassian.d.ts
+interface AtlassianProfile {
+  account_type?: string | undefined;
+  account_id: string;
+  email?: string | undefined;
+  name: string;
+  picture?: string | undefined;
+  nickname?: string | undefined;
+  locale?: string | undefined;
+  extended_profile?: {
+    job_title?: string;
+    organization?: string;
+    department?: string;
+    location?: string;
+  } | undefined;
+}
+interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
+  clientId: string;
+}
+declare const atlassian: (options: AtlassianOptions) => {
+  id: "atlassian";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    codeVerifier,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: AtlassianOptions;
+};
+//#endregion
+export { AtlassianOptions, AtlassianProfile, atlassian };

package/template/apps/web/node_modules/@better-auth/core/dist/social-providers/atlassian.mjs

@@ -0,0 +1,80 @@
+import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+//#region src/social-providers/atlassian.ts
+const atlassian = (options) => {
+	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
+	return {
+		id: "atlassian",
+		name: "Atlassian",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+			if (!options.clientId || !options.clientSecret) {
+				logger.error("Client Id and Secret are required for Atlassian");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
+			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Atlassian");
+			const _scopes = options.disableDefaultScope ? [] : ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "atlassian",
+				options,
+				authorizationEndpoint: "https://auth.atlassian.com/authorize",
+				scopes: _scopes,
+				state,
+				codeVerifier,
+				redirectURI,
+				additionalParams: { audience: "api.atlassian.com" },
+				prompt: options.prompt
+			});
+		},
+		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.accessToken) return null;
+			try {
+				const { data: profile } = await betterFetch("https://api.atlassian.com/me", { headers: { Authorization: `Bearer ${token.accessToken}` } });
+				if (!profile) return null;
+				const userMap = await options.mapProfileToUser?.(profile);
+				return {
+					user: {
+						id: profile.account_id,
+						name: profile.name,
+						email: profile.email,
+						image: profile.picture,
+						emailVerified: false,
+						...userMap
+					},
+					data: profile
+				};
+			} catch (error) {
+				logger.error("Failed to fetch user info from Figma:", error);
+				return null;
+			}
+		},
+		options
+	};
+};
+//#endregion
+export { atlassian };