elysia-betterauth-oauth
Integrates OAuth 2.1 with PKCE for BetterAuth and Elysia APIs, enabling secure authentication for native desktop and mobile clients.
Security score
The elysia-betterauth-oauth skill was audited on Mar 8, 2026 and we found 32 security issues across 6 threat categories. Review the findings below before installing.
Security Issues

Each row gives the finding category, the line number in the audited skill file, and the flagged source line.

| Finding | Line | Code |
|---|---|---|
| Template literal with variable interpolation in command context | 333 | uris.push(`http://${LOOPBACK_HOST}:${port}/callback`); |
| Template literal with variable interpolation in command context | 741 | const url = new URL(`${API_BASE_URL}/api/auth/oauth2/authorize`); |
| Template literal with variable interpolation in command context | 767 | const response = await fetch(`${API_BASE_URL}/api/auth/oauth2/token`, { |
| Template literal with variable interpolation in command context | 781 | throw new Error(`Token exchange failed (${response.status}): ${body}`); |
| Template literal with variable interpolation in command context | 800 | const response = await fetch(`${API_BASE_URL}/api/auth/oauth2/token`, { |
| Template literal with variable interpolation in command context | 812 | throw new Error(`Token refresh failed (${response.status}): ${body}`); |
| Template literal with variable interpolation in command context | 830 | const response = await fetch(`${API_BASE_URL}/api/auth/oauth2/userinfo`, { |
| Template literal with variable interpolation in command context | 831 | headers: { Authorization: `Bearer ${accessToken}` }, |
| Template literal with variable interpolation in command context | 834 | throw new Error(`Userinfo failed (${response.status})`); |
| Template literal with variable interpolation in command context | 900 | `http://${LOOPBACK_HOST}:${CALLBACK_PORT_START}` |
| Template literal with variable interpolation in command context | 913 | safeReject(new Error(`OAuth error: ${error}`)); |
| Template literal with variable interpolation in command context | 947 | safeReject(new Error(`Callback server error: ${nodeErr.message}`)); |
| Template literal with variable interpolation in command context | 953 | `All ports ${CALLBACK_PORT_START}-${CALLBACK_PORT_END} in use` |
| Template literal with variable interpolation in command context | 982 | return `http://${LOOPBACK_HOST}:${port}/callback`; |
| Template literal with variable interpolation in command context | 1136 | `${API_BASE_URL}/oauth/revoke-all-sessions`, |
| Template literal with variable interpolation in command context | 1139 | headers: { Authorization: `Bearer ${accessToken}` }, |
| Fetch to external URL | 458 | const res = await fetch('/api/auth/sign-in/email', { |
| Access to .env file | 1001 | process.env.NODE_ENV === "development" |
| Access to system keychain/keyring | 1084 | // Store tokens securely (e.g., Electron safeStorage, keychain) |
| Character code construction - potential obfuscation | 724 | return btoa(String.fromCharCode(...new Uint8Array(hash))) |
| External URL reference | 71 | 4. Receive callback ←──────────────── 302 → http://127.0.0.1:{port}/callback?code=...&state=... |
| External URL reference | 333 | uris.push(`http://${LOOPBACK_HOST}:${port}/callback`); |
| External URL reference | 550 | new URL("/api/auth/oauth2/userinfo", "http://localhost"), |
| External URL reference | 591 | hashing. The `http://localhost` base URL is a dummy — only the path and headers |
| External URL reference | 678 | jwks_uri: https://your-api.com/api/auth/jwks |
| External URL reference | 900 | `http://${LOOPBACK_HOST}:${CALLBACK_PORT_START}` |
| External URL reference | 982 | return `http://${LOOPBACK_HOST}:${port}/callback`; |
| External URL reference | 1186 | base URL like `http://127.0.0.1:8789` instead of the dynamic active port. After |
| External URL reference | 1188 | would cause `new URL(req.url, 'http://127.0.0.1:null')` which throws |
| External URL reference | 1237 | https://better-auth.com/docs/plugins/oauth-provider |
| External URL reference | 1238 | - **RFC 7636 (PKCE):** https://tools.ietf.org/html/rfc7636 |
| External URL reference | 1239 | - **RFC 8252 (OAuth for Native Apps):** https://tools.ietf.org/html/rfc8252 |