better-auth

Version:

The most comprehensive authentication framework for TypeScript.

1 lines • 13.1 kB

Source Map (JSON)

{"version":3,"file":"callback.mjs","names":["queryOrBody: z.infer<typeof schema>","tokens: OAuth2Tokens","toRedirectTo: string","toRedirectTo"],"sources":["../../../src/api/routes/callback.ts"],"sourcesContent":["import { createAuthEndpoint } from \"@better-auth/core/api\";\nimport type { OAuth2Tokens } from \"@better-auth/core/oauth2\";\nimport { safeJSONParse } from \"@better-auth/core/utils\";\nimport * as z from \"zod\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { handleOAuthUserInfo } from \"../../oauth2/link-account\";\nimport { parseState } from \"../../oauth2/state\";\nimport { setTokenUtil } from \"../../oauth2/utils\";\nimport { HIDE_METADATA } from \"../../utils/hide-metadata\";\n\nconst schema = z.object({\n\tcode: z.string().optional(),\n\terror: z.string().optional(),\n\tdevice_id: z.string().optional(),\n\terror_description: z.string().optional(),\n\tstate: z.string().optional(),\n\tuser: z.string().optional(),\n});\n\nexport const callbackOAuth = createAuthEndpoint(\n\t\"/callback/:id\",\n\t{\n\t\tmethod: [\"GET\", \"POST\"],\n\t\toperationId: \"handleOAuthCallback\",\n\t\tbody: schema.optional(),\n\t\tquery: schema.optional(),\n\t\tmetadata: {\n\t\t\t...HIDE_METADATA,\n\t\t\tallowedMediaTypes: [\n\t\t\t\t\"application/x-www-form-urlencoded\",\n\t\t\t\t\"application/json\",\n\t\t\t],\n\t\t},\n\t},\n\tasync (c) => {\n\t\tlet queryOrBody: z.infer<typeof schema>;\n\t\tconst defaultErrorURL =\n\t\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\n\t\t// Handle POST requests by redirecting to GET to ensure cookies are sent\n\t\tif (c.method === \"POST\") {\n\t\t\tconst postData = c.body ? schema.parse(c.body) : {};\n\t\t\tconst queryData = c.query ? schema.parse(c.query) : {};\n\n\t\t\tconst mergedData = schema.parse({ ...postData, ...queryData });\n\t\t\tconst params = new URLSearchParams();\n\n\t\t\tfor (const [key, value] of Object.entries(mergedData)) {\n\t\t\t\tif (value !== undefined && value !== null) {\n\t\t\t\t\tparams.set(key, String(value));\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst redirectURL = `${c.context.baseURL}/callback/${c.params.id}?${params.toString()}`;\n\t\t\tthrow c.redirect(redirectURL);\n\t\t}\n\n\t\ttry {\n\t\t\tif (c.method === \"GET\") {\n\t\t\t\tqueryOrBody = schema.parse(c.query);\n\t\t\t} else if (c.method === \"POST\") {\n\t\t\t\tqueryOrBody = schema.parse(c.body);\n\t\t\t} else {\n\t\t\t\tthrow new Error(\"Unsupported method\");\n\t\t\t}\n\t\t} catch (e) {\n\t\t\tc.context.logger.error(\"INVALID_CALLBACK_REQUEST\", e);\n\t\t\tthrow c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);\n\t\t}\n\n\t\tconst { code, error, state, error_description, device_id } = queryOrBody;\n\n\t\tif (!state) {\n\t\t\tc.context.logger.error(\"State not found\", error);\n\t\t\tconst sep = defaultErrorURL.includes(\"?\") ? \"&\" : \"?\";\n\t\t\tconst url = `${defaultErrorURL}${sep}state=state_not_found`;\n\t\t\tthrow c.redirect(url);\n\t\t}\n\n\t\tconst {\n\t\t\tcodeVerifier,\n\t\t\tcallbackURL,\n\t\t\tlink,\n\t\t\terrorURL,\n\t\t\tnewUserURL,\n\t\t\trequestSignUp,\n\t\t} = await parseState(c);\n\n\t\tfunction redirectOnError(error: string, description?: string | undefined) {\n\t\t\tconst baseURL = errorURL ?? defaultErrorURL;\n\n\t\t\tconst params = new URLSearchParams({ error });\n\t\t\tif (description) params.set(\"error_description\", description);\n\n\t\t\tconst sep = baseURL.includes(\"?\") ? \"&\" : \"?\";\n\t\t\tconst url = `${baseURL}${sep}${params.toString()}`;\n\n\t\t\tthrow c.redirect(url);\n\t\t}\n\n\t\tif (error) {\n\t\t\tredirectOnError(error, error_description);\n\t\t}\n\n\t\tif (!code) {\n\t\t\tc.context.logger.error(\"Code not found\");\n\t\t\tthrow redirectOnError(\"no_code\");\n\t\t}\n\t\tconst provider = c.context.socialProviders.find(\n\t\t\t(p) => p.id === c.params.id,\n\t\t);\n\n\t\tif (!provider) {\n\t\t\tc.context.logger.error(\n\t\t\t\t\"Oauth provider with id\",\n\t\t\t\tc.params.id,\n\t\t\t\t\"not found\",\n\t\t\t);\n\t\t\tthrow redirectOnError(\"oauth_provider_not_found\");\n\t\t}\n\n\t\tlet tokens: OAuth2Tokens;\n\t\ttry {\n\t\t\ttokens = await provider.validateAuthorizationCode({\n\t\t\t\tcode: code,\n\t\t\t\tcodeVerifier,\n\t\t\t\tdeviceId: device_id,\n\t\t\t\tredirectURI: `${c.context.baseURL}/callback/${provider.id}`,\n\t\t\t});\n\t\t} catch (e) {\n\t\t\tc.context.logger.error(\"\", e);\n\t\t\tthrow redirectOnError(\"invalid_code\");\n\t\t}\n\t\tconst userInfo = await provider\n\t\t\t.getUserInfo({\n\t\t\t\t...tokens,\n\t\t\t\tuser: c.body?.user ? safeJSONParse<any>(c.body.user) : undefined,\n\t\t\t})\n\t\t\t.then((res) => res?.user);\n\n\t\tif (!userInfo) {\n\t\t\tc.context.logger.error(\"Unable to get user info\");\n\t\t\treturn redirectOnError(\"unable_to_get_user_info\");\n\t\t}\n\n\t\tif (!callbackURL) {\n\t\t\tc.context.logger.error(\"No callback URL found\");\n\t\t\tthrow redirectOnError(\"no_callback_url\");\n\t\t}\n\n\t\tif (link) {\n\t\t\tconst trustedProviders =\n\t\t\t\tc.context.options.account?.accountLinking?.trustedProviders;\n\t\t\tconst isTrustedProvider = trustedProviders?.includes(\n\t\t\t\tprovider.id as \"apple\",\n\t\t\t);\n\t\t\tif (\n\t\t\t\t(!isTrustedProvider && !userInfo.emailVerified) ||\n\t\t\t\tc.context.options.account?.accountLinking?.enabled === false\n\t\t\t) {\n\t\t\t\tc.context.logger.error(\"Unable to link account - untrusted provider\");\n\t\t\t\treturn redirectOnError(\"unable_to_link_account\");\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.email !== link.email &&\n\t\t\t\tc.context.options.account?.accountLinking?.allowDifferentEmails !== true\n\t\t\t) {\n\t\t\t\treturn redirectOnError(\"email_doesn't_match\");\n\t\t\t}\n\n\t\t\tconst existingAccount = await c.context.internalAdapter.findAccount(\n\t\t\t\tString(userInfo.id),\n\t\t\t);\n\n\t\t\tif (existingAccount) {\n\t\t\t\tif (existingAccount.userId.toString() !== link.userId.toString()) {\n\t\t\t\t\treturn redirectOnError(\"account_already_linked_to_different_user\");\n\t\t\t\t}\n\t\t\t\tconst updateData = Object.fromEntries(\n\t\t\t\t\tObject.entries({\n\t\t\t\t\t\taccessToken: await setTokenUtil(tokens.accessToken, c.context),\n\t\t\t\t\t\trefreshToken: await setTokenUtil(tokens.refreshToken, c.context),\n\t\t\t\t\t\tidToken: tokens.idToken,\n\t\t\t\t\t\taccessTokenExpiresAt: tokens.accessTokenExpiresAt,\n\t\t\t\t\t\trefreshTokenExpiresAt: tokens.refreshTokenExpiresAt,\n\t\t\t\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t\t\t\t}).filter(([_, value]) => value !== undefined),\n\t\t\t\t);\n\t\t\t\tawait c.context.internalAdapter.updateAccount(\n\t\t\t\t\texistingAccount.id,\n\t\t\t\t\tupdateData,\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tconst newAccount = await c.context.internalAdapter.createAccount({\n\t\t\t\t\tuserId: link.userId,\n\t\t\t\t\tproviderId: provider.id,\n\t\t\t\t\taccountId: String(userInfo.id),\n\t\t\t\t\t...tokens,\n\t\t\t\t\taccessToken: await setTokenUtil(tokens.accessToken, c.context),\n\t\t\t\t\trefreshToken: await setTokenUtil(tokens.refreshToken, c.context),\n\t\t\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t\t\t});\n\t\t\t\tif (!newAccount) {\n\t\t\t\t\treturn redirectOnError(\"unable_to_link_account\");\n\t\t\t\t}\n\t\t\t}\n\t\t\tlet toRedirectTo: string;\n\t\t\ttry {\n\t\t\t\tconst url = callbackURL;\n\t\t\t\ttoRedirectTo = url.toString();\n\t\t\t} catch {\n\t\t\t\ttoRedirectTo = callbackURL;\n\t\t\t}\n\t\t\tthrow c.redirect(toRedirectTo);\n\t\t}\n\n\t\tif (!userInfo.email) {\n\t\t\tc.context.logger.error(\n\t\t\t\t\"Provider did not return email. This could be due to misconfiguration in the provider settings.\",\n\t\t\t);\n\t\t\treturn redirectOnError(\"email_not_found\");\n\t\t}\n\t\tconst accountData = {\n\t\t\tproviderId: provider.id,\n\t\t\taccountId: String(userInfo.id),\n\t\t\t...tokens,\n\t\t\tscope: tokens.scopes?.join(\",\"),\n\t\t};\n\t\tconst result = await handleOAuthUserInfo(c, {\n\t\t\tuserInfo: {\n\t\t\t\t...userInfo,\n\t\t\t\tid: String(userInfo.id),\n\t\t\t\temail: userInfo.email,\n\t\t\t\tname: userInfo.name || userInfo.email,\n\t\t\t},\n\t\t\taccount: accountData,\n\t\t\tcallbackURL,\n\t\t\tdisableSignUp:\n\t\t\t\t(provider.disableImplicitSignUp && !requestSignUp) ||\n\t\t\t\tprovider.options?.disableSignUp,\n\t\t\toverrideUserInfo: provider.options?.overrideUserInfoOnSignIn,\n\t\t});\n\t\tif (result.error) {\n\t\t\tc.context.logger.error(result.error.split(\" \").join(\"_\"));\n\t\t\treturn redirectOnError(result.error.split(\" \").join(\"_\"));\n\t\t}\n\t\tconst { session, user } = result.data!;\n\t\tawait setSessionCookie(c, {\n\t\t\tsession,\n\t\t\tuser,\n\t\t});\n\n\t\tlet toRedirectTo: string;\n\t\ttry {\n\t\t\tconst url = result.isRegister ? newUserURL || callbackURL : callbackURL;\n\t\t\ttoRedirectTo = url.toString();\n\t\t} catch {\n\t\t\ttoRedirectTo = result.isRegister\n\t\t\t\t? newUserURL || callbackURL\n\t\t\t\t: callbackURL;\n\t\t}\n\t\tthrow c.redirect(toRedirectTo);\n\t},\n);\n"],"mappings":";;;;;;;;;;AAUA,MAAM,SAAS,EAAE,OAAO;CACvB,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,WAAW,EAAE,QAAQ,CAAC,UAAU;CAChC,mBAAmB,EAAE,QAAQ,CAAC,UAAU;CACxC,OAAO,EAAE,QAAQ,CAAC,UAAU;CAC5B,MAAM,EAAE,QAAQ,CAAC,UAAU;CAC3B,CAAC;AAEF,MAAa,gBAAgB,mBAC5B,iBACA;CACC,QAAQ,CAAC,OAAO,OAAO;CACvB,aAAa;CACb,MAAM,OAAO,UAAU;CACvB,OAAO,OAAO,UAAU;CACxB,UAAU;EACT,GAAG;EACH,mBAAmB,CAClB,qCACA,mBACA;EACD;CACD,EACD,OAAO,MAAM;CACZ,IAAIA;CACJ,MAAM,kBACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;AAGhE,KAAI,EAAE,WAAW,QAAQ;EACxB,MAAM,WAAW,EAAE,OAAO,OAAO,MAAM,EAAE,KAAK,GAAG,EAAE;EACnD,MAAM,YAAY,EAAE,QAAQ,OAAO,MAAM,EAAE,MAAM,GAAG,EAAE;EAEtD,MAAM,aAAa,OAAO,MAAM;GAAE,GAAG;GAAU,GAAG;GAAW,CAAC;EAC9D,MAAM,SAAS,IAAI,iBAAiB;AAEpC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,WAAW,CACpD,KAAI,UAAU,UAAa,UAAU,KACpC,QAAO,IAAI,KAAK,OAAO,MAAM,CAAC;EAIhC,MAAM,cAAc,GAAG,EAAE,QAAQ,QAAQ,YAAY,EAAE,OAAO,GAAG,GAAG,OAAO,UAAU;AACrF,QAAM,EAAE,SAAS,YAAY;;AAG9B,KAAI;AACH,MAAI,EAAE,WAAW,MAChB,eAAc,OAAO,MAAM,EAAE,MAAM;WACzB,EAAE,WAAW,OACvB,eAAc,OAAO,MAAM,EAAE,KAAK;MAElC,OAAM,IAAI,MAAM,qBAAqB;UAE9B,GAAG;AACX,IAAE,QAAQ,OAAO,MAAM,4BAA4B,EAAE;AACrD,QAAM,EAAE,SAAS,GAAG,gBAAgB,iCAAiC;;CAGtE,MAAM,EAAE,MAAM,OAAO,OAAO,mBAAmB,cAAc;AAE7D,KAAI,CAAC,OAAO;AACX,IAAE,QAAQ,OAAO,MAAM,mBAAmB,MAAM;EAEhD,MAAM,MAAM,GAAG,kBADH,gBAAgB,SAAS,IAAI,GAAG,MAAM,IACb;AACrC,QAAM,EAAE,SAAS,IAAI;;CAGtB,MAAM,EACL,cACA,aACA,MACA,UACA,YACA,kBACG,MAAM,WAAW,EAAE;CAEvB,SAAS,gBAAgB,SAAe,aAAkC;EACzE,MAAM,UAAU,YAAY;EAE5B,MAAM,SAAS,IAAI,gBAAgB,EAAE,gBAAO,CAAC;AAC7C,MAAI,YAAa,QAAO,IAAI,qBAAqB,YAAY;EAG7D,MAAM,MAAM,GAAG,UADH,QAAQ,SAAS,IAAI,GAAG,MAAM,MACX,OAAO,UAAU;AAEhD,QAAM,EAAE,SAAS,IAAI;;AAGtB,KAAI,MACH,iBAAgB,OAAO,kBAAkB;AAG1C,KAAI,CAAC,MAAM;AACV,IAAE,QAAQ,OAAO,MAAM,iBAAiB;AACxC,QAAM,gBAAgB,UAAU;;CAEjC,MAAM,WAAW,EAAE,QAAQ,gBAAgB,MACzC,MAAM,EAAE,OAAO,EAAE,OAAO,GACzB;AAED,KAAI,CAAC,UAAU;AACd,IAAE,QAAQ,OAAO,MAChB,0BACA,EAAE,OAAO,IACT,YACA;AACD,QAAM,gBAAgB,2BAA2B;;CAGlD,IAAIC;AACJ,KAAI;AACH,WAAS,MAAM,SAAS,0BAA0B;GAC3C;GACN;GACA,UAAU;GACV,aAAa,GAAG,EAAE,QAAQ,QAAQ,YAAY,SAAS;GACvD,CAAC;UACM,GAAG;AACX,IAAE,QAAQ,OAAO,MAAM,IAAI,EAAE;AAC7B,QAAM,gBAAgB,eAAe;;CAEtC,MAAM,WAAW,MAAM,SACrB,YAAY;EACZ,GAAG;EACH,MAAM,EAAE,MAAM,OAAO,cAAmB,EAAE,KAAK,KAAK,GAAG;EACvD,CAAC,CACD,MAAM,QAAQ,KAAK,KAAK;AAE1B,KAAI,CAAC,UAAU;AACd,IAAE,QAAQ,OAAO,MAAM,0BAA0B;AACjD,SAAO,gBAAgB,0BAA0B;;AAGlD,KAAI,CAAC,aAAa;AACjB,IAAE,QAAQ,OAAO,MAAM,wBAAwB;AAC/C,QAAM,gBAAgB,kBAAkB;;AAGzC,KAAI,MAAM;AAMT,MACE,EALD,EAAE,QAAQ,QAAQ,SAAS,gBAAgB,mBACA,SAC3C,SAAS,GACT,IAEuB,CAAC,SAAS,iBACjC,EAAE,QAAQ,QAAQ,SAAS,gBAAgB,YAAY,OACtD;AACD,KAAE,QAAQ,OAAO,MAAM,8CAA8C;AACrE,UAAO,gBAAgB,yBAAyB;;AAGjD,MACC,SAAS,UAAU,KAAK,SACxB,EAAE,QAAQ,QAAQ,SAAS,gBAAgB,yBAAyB,KAEpE,QAAO,gBAAgB,sBAAsB;EAG9C,MAAM,kBAAkB,MAAM,EAAE,QAAQ,gBAAgB,YACvD,OAAO,SAAS,GAAG,CACnB;AAED,MAAI,iBAAiB;AACpB,OAAI,gBAAgB,OAAO,UAAU,KAAK,KAAK,OAAO,UAAU,CAC/D,QAAO,gBAAgB,2CAA2C;GAEnE,MAAM,aAAa,OAAO,YACzB,OAAO,QAAQ;IACd,aAAa,MAAM,aAAa,OAAO,aAAa,EAAE,QAAQ;IAC9D,cAAc,MAAM,aAAa,OAAO,cAAc,EAAE,QAAQ;IAChE,SAAS,OAAO;IAChB,sBAAsB,OAAO;IAC7B,uBAAuB,OAAO;IAC9B,OAAO,OAAO,QAAQ,KAAK,IAAI;IAC/B,CAAC,CAAC,QAAQ,CAAC,GAAG,WAAW,UAAU,OAAU,CAC9C;AACD,SAAM,EAAE,QAAQ,gBAAgB,cAC/B,gBAAgB,IAChB,WACA;aAWG,CATe,MAAM,EAAE,QAAQ,gBAAgB,cAAc;GAChE,QAAQ,KAAK;GACb,YAAY,SAAS;GACrB,WAAW,OAAO,SAAS,GAAG;GAC9B,GAAG;GACH,aAAa,MAAM,aAAa,OAAO,aAAa,EAAE,QAAQ;GAC9D,cAAc,MAAM,aAAa,OAAO,cAAc,EAAE,QAAQ;GAChE,OAAO,OAAO,QAAQ,KAAK,IAAI;GAC/B,CAAC,CAED,QAAO,gBAAgB,yBAAyB;EAGlD,IAAIC;AACJ,MAAI;AAEH,oBADY,YACO,UAAU;UACtB;AACP,oBAAe;;AAEhB,QAAM,EAAE,SAASC,eAAa;;AAG/B,KAAI,CAAC,SAAS,OAAO;AACpB,IAAE,QAAQ,OAAO,MAChB,iGACA;AACD,SAAO,gBAAgB,kBAAkB;;CAE1C,MAAM,cAAc;EACnB,YAAY,SAAS;EACrB,WAAW,OAAO,SAAS,GAAG;EAC9B,GAAG;EACH,OAAO,OAAO,QAAQ,KAAK,IAAI;EAC/B;CACD,MAAM,SAAS,MAAM,oBAAoB,GAAG;EAC3C,UAAU;GACT,GAAG;GACH,IAAI,OAAO,SAAS,GAAG;GACvB,OAAO,SAAS;GAChB,MAAM,SAAS,QAAQ,SAAS;GAChC;EACD,SAAS;EACT;EACA,eACE,SAAS,yBAAyB,CAAC,iBACpC,SAAS,SAAS;EACnB,kBAAkB,SAAS,SAAS;EACpC,CAAC;AACF,KAAI,OAAO,OAAO;AACjB,IAAE,QAAQ,OAAO,MAAM,OAAO,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,CAAC;AACzD,SAAO,gBAAgB,OAAO,MAAM,MAAM,IAAI,CAAC,KAAK,IAAI,CAAC;;CAE1D,MAAM,EAAE,SAAS,SAAS,OAAO;AACjC,OAAM,iBAAiB,GAAG;EACzB;EACA;EACA,CAAC;CAEF,IAAID;AACJ,KAAI;AAEH,kBADY,OAAO,aAAa,cAAc,cAAc,aACzC,UAAU;SACtB;AACP,iBAAe,OAAO,aACnB,cAAc,cACd;;AAEJ,OAAM,EAAE,SAAS,aAAa;EAE/B"}