create-croissant 0.1.7 → 0.1.9

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/validate-authorization-code.ts

@@ -1,180 +0,0 @@
-import { base64 } from "@better-auth/utils/base64";
-import { betterFetch } from "@better-fetch/fetch";
-import { createRemoteJWKSet, jwtVerify } from "jose";
-import type { AwaitableFunction } from "../types";
-import type { ProviderOptions } from "./index";
-import { getOAuth2Tokens } from "./index";
-
-export async function authorizationCodeRequest({
-	code,
-	codeVerifier,
-	redirectURI,
-	options,
-	authentication,
-	deviceId,
-	headers,
-	additionalParams = {},
-	resource,
-}: {
-	code: string;
-	redirectURI: string;
-	options: AwaitableFunction<Partial<ProviderOptions>>;
-	codeVerifier?: string | undefined;
-	deviceId?: string | undefined;
-	authentication?: ("basic" | "post") | undefined;
-	headers?: Record<string, string> | undefined;
-	additionalParams?: Record<string, string> | undefined;
-	resource?: (string | string[]) | undefined;
-}) {
-	options = typeof options === "function" ? await options() : options;
-	return createAuthorizationCodeRequest({
-		code,
-		codeVerifier,
-		redirectURI,
-		options,
-		authentication,
-		deviceId,
-		headers,
-		additionalParams,
-		resource,
-	});
-}
-
-/**
- * @deprecated use async'd authorizationCodeRequest instead
- */
-export function createAuthorizationCodeRequest({
-	code,
-	codeVerifier,
-	redirectURI,
-	options,
-	authentication,
-	deviceId,
-	headers,
-	additionalParams = {},
-	resource,
-}: {
-	code: string;
-	redirectURI: string;
-	options: Partial<ProviderOptions>;
-	codeVerifier?: string | undefined;
-	deviceId?: string | undefined;
-	authentication?: ("basic" | "post") | undefined;
-	headers?: Record<string, string> | undefined;
-	additionalParams?: Record<string, string> | undefined;
-	resource?: (string | string[]) | undefined;
-}) {
-	const body = new URLSearchParams();
-	const requestHeaders: Record<string, any> = {
-		"content-type": "application/x-www-form-urlencoded",
-		accept: "application/json",
-		...headers,
-	};
-
-	body.set("grant_type", "authorization_code");
-	body.set("code", code);
-	codeVerifier && body.set("code_verifier", codeVerifier);
-	options.clientKey && body.set("client_key", options.clientKey);
-	deviceId && body.set("device_id", deviceId);
-	body.set("redirect_uri", options.redirectURI || redirectURI);
-	if (resource) {
-		if (typeof resource === "string") {
-			body.append("resource", resource);
-		} else {
-			for (const _resource of resource) {
-				body.append("resource", _resource);
-			}
-		}
-	}
-	// Use standard Base64 encoding for HTTP Basic Auth (OAuth2 spec, RFC 7617)
-	// Fixes compatibility with providers like Notion, Twitter, etc.
-	if (authentication === "basic") {
-		const primaryClientId = Array.isArray(options.clientId)
-			? options.clientId[0]
-			: options.clientId;
-		const encodedCredentials = base64.encode(
-			`${primaryClientId}:${options.clientSecret ?? ""}`,
-		);
-		requestHeaders["authorization"] = `Basic ${encodedCredentials}`;
-	} else {
-		const primaryClientId = Array.isArray(options.clientId)
-			? options.clientId[0]
-			: options.clientId;
-		body.set("client_id", primaryClientId);
-		if (options.clientSecret) {
-			body.set("client_secret", options.clientSecret);
-		}
-	}
-
-	for (const [key, value] of Object.entries(additionalParams)) {
-		if (!body.has(key)) body.append(key, value);
-	}
-
-	return {
-		body,
-		headers: requestHeaders,
-	};
-}
-
-export async function validateAuthorizationCode({
-	code,
-	codeVerifier,
-	redirectURI,
-	options,
-	tokenEndpoint,
-	authentication,
-	deviceId,
-	headers,
-	additionalParams = {},
-	resource,
-}: {
-	code: string;
-	redirectURI: string;
-	options: AwaitableFunction<Partial<ProviderOptions>>;
-	codeVerifier?: string | undefined;
-	deviceId?: string | undefined;
-	tokenEndpoint: string;
-	authentication?: ("basic" | "post") | undefined;
-	headers?: Record<string, string> | undefined;
-	additionalParams?: Record<string, string> | undefined;
-	resource?: (string | string[]) | undefined;
-}) {
-	const { body, headers: requestHeaders } = await authorizationCodeRequest({
-		code,
-		codeVerifier,
-		redirectURI,
-		options,
-		authentication,
-		deviceId,
-		headers,
-		additionalParams,
-		resource,
-	});
-
-	const { data, error } = await betterFetch<object>(tokenEndpoint, {
-		method: "POST",
-		body: body,
-		headers: requestHeaders,
-	});
-	if (error) {
-		throw error;
-	}
-	const tokens = getOAuth2Tokens(data);
-	return tokens;
-}
-
-export async function validateToken(
-	token: string,
-	jwksEndpoint: string,
-	options?: {
-		audience?: string | string[];
-		issuer?: string | string[];
-	},
-) {
-	const jwks = createRemoteJWKSet(new URL(jwksEndpoint));
-	const verified = await jwtVerify(token, jwks, {
-		audience: options?.audience,
-		issuer: options?.issuer,
-	});
-	return verified;
-}

package/template/apps/web/node_modules/@better-auth/core/src/oauth2/verify.ts

@@ -1,221 +0,0 @@
-import { betterFetch } from "@better-fetch/fetch";
-import { APIError } from "better-call";
-import type {
-	JSONWebKeySet,
-	JWTPayload,
-	JWTVerifyOptions,
-	ProtectedHeaderParameters,
-} from "jose";
-import {
-	createLocalJWKSet,
-	decodeProtectedHeader,
-	jwtVerify,
-	UnsecuredJWT,
-} from "jose";
-import { logger } from "../env";
-
-/** Last fetched jwks used locally in getJwks @internal */
-let jwks: JSONWebKeySet | undefined;
-
-export interface VerifyAccessTokenRemote {
-	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
-	introspectUrl: string;
-	/** Client Secret */
-	clientId: string;
-	/** Client Secret */
-	clientSecret: string;
-	/**
-	 * Forces remote verification of a token.
-	 * This ensures attached session (if applicable)
-	 * is also still active.
-	 */
-	force?: boolean;
-}
-
-/**
- * Performs local verification of an access token for your APIs.
- *
- * Can also be configured for remote verification.
- */
-export async function verifyJwsAccessToken(
-	token: string,
-	opts: {
-		/** Jwks url or promise of a Jwks */
-		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
-		/** Verify options */
-		verifyOptions: JWTVerifyOptions &
-			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
-	},
-) {
-	try {
-		const jwks = await getJwks(token, opts);
-		const jwt = await jwtVerify<JWTPayload>(
-			token,
-			createLocalJWKSet(jwks),
-			opts.verifyOptions,
-		);
-		// Return the JWT payload in introspection format
-		// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
-		if (jwt.payload.azp) {
-			jwt.payload.client_id = jwt.payload.azp;
-		}
-		return jwt.payload;
-	} catch (error) {
-		if (error instanceof Error) throw error;
-		throw new Error(error as unknown as string);
-	}
-}
-
-export async function getJwks(
-	token: string,
-	opts: {
-		/** Jwks url or promise of a Jwks */
-		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
-	},
-) {
-	// Attempt to decode the token and find a matching kid in jwks
-	let jwtHeaders: ProtectedHeaderParameters | undefined;
-	try {
-		jwtHeaders = decodeProtectedHeader(token);
-	} catch (error) {
-		if (error instanceof Error) throw error;
-		throw new Error(error as unknown as string);
-	}
-
-	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
-
-	// Fetch jwks if not set or has a different kid than the one stored
-	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
-		jwks =
-			typeof opts.jwksFetch === "string"
-				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
-						headers: {
-							Accept: "application/json",
-						},
-					}).then(async (res) => {
-						if (res.error)
-							throw new Error(
-								`Jwks failed: ${res.error.message ?? res.error.statusText}`,
-							);
-						return res.data;
-					})
-				: await opts.jwksFetch();
-		if (!jwks) throw new Error("No jwks found");
-	}
-
-	return jwks;
-}
-
-/**
- * Performs local verification of an access token for your API.
- *
- * Can also be configured for remote verification.
- */
-export async function verifyAccessToken(
-	token: string,
-	opts: {
-		/** Verify options */
-		verifyOptions: JWTVerifyOptions &
-			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
-		/** Scopes to additionally verify. Token must include all but not exact. */
-		scopes?: string[];
-		/** Required to verify access token locally */
-		jwksUrl?: string;
-		/** If provided, can verify a token remotely */
-		remoteVerify?: VerifyAccessTokenRemote;
-	},
-) {
-	let payload: JWTPayload | undefined;
-	// Locally verify
-	if (opts.jwksUrl && !opts?.remoteVerify?.force) {
-		try {
-			payload = await verifyJwsAccessToken(token, {
-				jwksFetch: opts.jwksUrl,
-				verifyOptions: opts.verifyOptions,
-			});
-		} catch (error) {
-			if (error instanceof Error) {
-				if (error.name === "TypeError" || error.name === "JWSInvalid") {
-					// likely an opaque token (continue)
-				} else if (error.name === "JWTExpired") {
-					throw new APIError("UNAUTHORIZED", {
-						message: "token expired",
-					});
-				} else if (error.name === "JWTInvalid") {
-					throw new APIError("UNAUTHORIZED", {
-						message: "token invalid",
-					});
-				} else {
-					throw error;
-				}
-			} else {
-				throw new Error(error as unknown as string);
-			}
-		}
-	}
-
-	// Remote verify
-	if (opts?.remoteVerify) {
-		const { data: introspect, error: introspectError } = await betterFetch<
-			JWTPayload & {
-				active: boolean;
-			}
-		>(opts.remoteVerify.introspectUrl, {
-			method: "POST",
-			headers: {
-				Accept: "application/json",
-				"Content-Type": "application/x-www-form-urlencoded",
-			},
-			body: new URLSearchParams({
-				client_id: opts.remoteVerify.clientId,
-				client_secret: opts.remoteVerify.clientSecret,
-				token,
-				token_type_hint: "access_token",
-			}).toString(),
-		});
-		if (introspectError)
-			logger.error(
-				`Introspection failed: ${introspectError.message ?? introspectError.statusText}`,
-			);
-		if (!introspect)
-			throw new APIError("INTERNAL_SERVER_ERROR", {
-				message: "introspection failed",
-			});
-		if (!introspect.active)
-			throw new APIError("UNAUTHORIZED", {
-				message: "token inactive",
-			});
-		// Verifies payload using verify options (token valid through introspect)
-		try {
-			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
-			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
-			const verify = introspect.aud
-				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
-				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
-			payload = verify.payload;
-		} catch (error) {
-			throw new Error(error as unknown as string);
-		}
-	}
-
-	if (!payload)
-		throw new APIError("UNAUTHORIZED", {
-			message: `no token payload`,
-		});
-
-	// Check scopes if provided
-	if (opts.scopes) {
-		const validScopes = new Set(
-			(payload.scope as string | undefined)?.split(" "),
-		);
-		for (const sc of opts.scopes) {
-			if (!validScopes.has(sc)) {
-				throw new APIError("FORBIDDEN", {
-					message: `invalid scope ${sc}`,
-				});
-			}
-		}
-	}
-
-	return payload;
-}

package/template/apps/web/node_modules/@better-auth/core/src/social-providers/apple.ts

@@ -1,231 +0,0 @@
-import { betterFetch } from "@better-fetch/fetch";
-
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
-import { logger } from "../env";
-import { APIError, BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
-import {
-	createAuthorizationURL,
-	getPrimaryClientId,
-	refreshAccessToken,
-	validateAuthorizationCode,
-} from "../oauth2";
-export interface AppleProfile {
-	/**
-	 * The subject registered claim identifies the principal that’s the subject
-	 * of the identity token. Because this token is for your app, the value is
-	 * the unique identifier for the user.
-	 */
-	sub: string;
-	/**
-	 * A String value representing the user's email address.
-	 * The email address is either the user's real email address or the proxy
-	 * address, depending on their status private email relay service.
-	 */
-	email: string;
-	/**
-	 * A string or Boolean value that indicates whether the service verifies
-	 * the email. The value can either be a string ("true" or "false") or a
-	 * Boolean (true or false). The system may not verify email addresses for
-	 * Sign in with Apple at Work & School users, and this claim is "false" or
-	 * false for those users.
-	 */
-	email_verified: true | "true";
-	/**
-	 * A string or Boolean value that indicates whether the email that the user
-	 * shares is the proxy address. The value can either be a string ("true" or
-	 * "false") or a Boolean (true or false).
-	 */
-	is_private_email: boolean;
-	/**
-	 * An Integer value that indicates whether the user appears to be a real
-	 * person. Use the value of this claim to mitigate fraud. The possible
-	 * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
-	 * more information, see ASUserDetectionStatus. This claim is present only
-	 * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
-	 * and later. The claim isn’t present or supported for web-based apps.
-	 */
-	real_user_status: number;
-	/**
-	 * The user’s full name in the format provided during the authorization
-	 * process.
-	 */
-	name: string;
-	/**
-	 * The URL to the user's profile picture.
-	 */
-	picture: string;
-	user?: AppleNonConformUser | undefined;
-}
-
-/**
- * This is the shape of the `user` query parameter that Apple sends the first
- * time the user consents to the app.
- * @see https://developer.apple.com/documentation/signinwithapplerestapi/request-an-authorization-to-the-sign-in-with-apple-server./
- */
-export interface AppleNonConformUser {
-	name: {
-		firstName: string;
-		lastName: string;
-	};
-	email: string;
-}
-
-export interface AppleOptions extends ProviderOptions<AppleProfile> {
-	clientId: string | string[];
-	appBundleIdentifier?: string | undefined;
-	audience?: (string | string[]) | undefined;
-}
-
-export const apple = (options: AppleOptions) => {
-	const tokenEndpoint = "https://appleid.apple.com/auth/token";
-	return {
-		id: "apple",
-		name: "Apple",
-		async createAuthorizationURL({ state, scopes, redirectURI }) {
-			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
-				logger.error(
-					"Client ID and client secret are required for Apple. Make sure to provide them in the options.",
-				);
-				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
-			}
-			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
-			if (options.scope) _scope.push(...options.scope);
-			if (scopes) _scope.push(...scopes);
-			const url = await createAuthorizationURL({
-				id: "apple",
-				options,
-				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
-				scopes: _scope,
-				state,
-				redirectURI,
-				responseMode: "form_post",
-				responseType: "code id_token",
-			});
-			return url;
-		},
-		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			return validateAuthorizationCode({
-				code,
-				codeVerifier,
-				redirectURI,
-				options,
-				tokenEndpoint,
-			});
-		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-			try {
-				const decodedHeader = decodeProtectedHeader(token);
-				const { kid, alg: jwtAlg } = decodedHeader;
-				if (!kid || !jwtAlg) return false;
-				const publicKey = await getApplePublicKey(kid);
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, {
-					algorithms: [jwtAlg],
-					issuer: "https://appleid.apple.com",
-					audience:
-						options.audience && options.audience.length
-							? options.audience
-							: options.appBundleIdentifier
-								? options.appBundleIdentifier
-								: options.clientId,
-					maxTokenAge: "1h",
-				});
-				["email_verified", "is_private_email"].forEach((field) => {
-					if (jwtClaims[field] !== undefined) {
-						jwtClaims[field] = Boolean(jwtClaims[field]);
-					}
-				});
-				if (nonce && jwtClaims.nonce !== nonce) {
-					return false;
-				}
-				return !!jwtClaims;
-			} catch {
-				return false;
-			}
-		},
-		refreshAccessToken: options.refreshAccessToken
-			? options.refreshAccessToken
-			: async (refreshToken) => {
-					return refreshAccessToken({
-						refreshToken,
-						options,
-						tokenEndpoint,
-					});
-				},
-		async getUserInfo(token) {
-			if (options.getUserInfo) {
-				return options.getUserInfo(token);
-			}
-			if (!token.idToken) {
-				return null;
-			}
-			const profile = decodeJwt<AppleProfile>(token.idToken);
-			if (!profile) {
-				return null;
-			}
-
-			// TODO: "" masking will be removed when the name field is made optional
-			let name: string;
-			if (token.user?.name) {
-				const firstName = token.user.name.firstName || "";
-				const lastName = token.user.name.lastName || "";
-				const fullName = `${firstName} ${lastName}`.trim();
-				name = fullName;
-			} else {
-				name = profile.name || "";
-			}
-
-			const emailVerified =
-				typeof profile.email_verified === "boolean"
-					? profile.email_verified
-					: profile.email_verified === "true";
-			const enrichedProfile = {
-				...profile,
-				name,
-			};
-			const userMap = await options.mapProfileToUser?.(enrichedProfile);
-			return {
-				user: {
-					id: profile.sub,
-					name: enrichedProfile.name,
-					emailVerified: emailVerified,
-					email: profile.email,
-					...userMap,
-				},
-				data: enrichedProfile,
-			};
-		},
-		options,
-	} satisfies OAuthProvider<AppleProfile>;
-};
-
-export const getApplePublicKey = async (kid: string) => {
-	const APPLE_BASE_URL = "https://appleid.apple.com";
-	const JWKS_APPLE_URI = "/auth/keys";
-	const { data } = await betterFetch<{
-		keys: Array<{
-			kid: string;
-			alg: string;
-			kty: string;
-			use: string;
-			n: string;
-			e: string;
-		}>;
-	}>(`${APPLE_BASE_URL}${JWKS_APPLE_URI}`);
-	if (!data?.keys) {
-		throw new APIError("BAD_REQUEST", {
-			message: "Keys not found",
-		});
-	}
-	const jwk = data.keys.find((key) => key.kid === kid);
-	if (!jwk) {
-		throw new Error(`JWK with kid ${kid} not found`);
-	}
-	return await importJWK(jwk, jwk.alg);
-};