feat: allow unsigned tokens to be passed as a bearer token (#953)

docs/content/docs/plugins/bearer.mdx

@@ -131,4 +131,9 @@ export async function handler(req, res) {
   // Process authenticated request
   // ...
 }
-```
+```
+
+
+## Options
+
+**requireSignature** (boolean): Require the token to be signed. Default: `false`.

packages/better-auth/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.0.23-beta.2",
+  "version": "1.0.23-beta.3",
   "description": "The most comprehensive authentication library for TypeScript.",
   "type": "module",
   "repository": {

packages/better-auth/src/plugins/bearer/bearer.test.ts

@@ -50,7 +50,7 @@ describe("bearer", async () => {
 		expect(session?.session).toBeDefined();
 	});
 
-	it("shouldn't work with un signed token", async () => {
+	it("should work with ", async () => {
 		const session = await client.getSession({
 			fetchOptions: {
 				headers: {
@@ -58,7 +58,7 @@ describe("bearer", async () => {
 				},
 			},
 		});
-		expect(session.data).toBeNull();
+		expect(session.data?.session).toBeDefined();
 	});
 
 	it("should work if valid cookie is provided even if authorization header isn't valid", async () => {

packages/better-auth/src/plugins/bearer/index.ts

@@ -4,10 +4,21 @@ import { parseSetCookieHeader } from "../../cookies";
 import { createAuthMiddleware } from "../../api";
 import { createHMAC } from "@better-auth/utils/hmac";
 
+interface BearerOptions {
+	/**
+	 * If true, only signed tokens
+	 * will be converted to session
+	 * cookies
+	 *
+	 * @default false
+	 */
+	requireSignature?: boolean;
+}
+
 /**
  * Converts bearer token to session cookie
  */
-export const bearer = () => {
+export const bearer = (options?: BearerOptions) => {
 	return {
 		id: "bearer",
 		hooks: {
@@ -23,12 +34,23 @@ export const bearer = () => {
 						const token =
 							c.request?.headers.get("authorization")?.replace("Bearer ", "") ||
 							c.headers?.get("authorization")?.replace("Bearer ", "");
-						if (!token || !token.includes(".")) {
+						if (!token) {
 							return;
 						}
-						const sessionToken = token.replace("=", "");
+
+						let signedToken = "";
+						if (token.includes(".")) {
+							signedToken = token.replace("=", "");
+						} else {
+							if (options?.requireSignature) {
+								return;
+							}
+							signedToken = (
+								await serializeSigned("", token, c.context.secret)
+							).replace("=", "");
+						}
 						try {
-							const decodedToken = decodeURIComponent(sessionToken);
+							const decodedToken = decodeURIComponent(signedToken);
 							const isValid = await createHMAC(
 								"SHA-256",
 								"base64urlnopad",
@@ -46,16 +68,13 @@ export const bearer = () => {
 						if (c.request) {
 							c.request.headers.append(
 								"cookie",
-								`${c.context.authCookies.sessionToken.name}=${sessionToken}`,
+								`${c.context.authCookies.sessionToken.name}=${signedToken}`,
 							);
 						}
 						if (c.headers) {
 							c.headers.append(
 								"cookie",
-								`${c.context.authCookies.sessionToken.name}=${token.replace(
-									"=",
-									"",
-								)}`,
+								`${c.context.authCookies.sessionToken.name}=${signedToken}`,
 							);
 						}
 						return {

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/cli",
-  "version": "1.0.23-beta.2",
+  "version": "1.0.23-beta.3",
   "description": "The CLI for Better Auth",
   "module": "dist/index.mjs",
   "repository": {

packages/expo/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/expo",
-  "version": "1.0.23-beta.2",
+  "version": "1.0.23-beta.3",
   "description": "",
   "main": "dist/index.js",
   "module": "dist/index.mjs",