feat(social-provider): add wechat social provider (#5189)

Eric-Song-Nop · claude · himself65 · himself65 · commit c440221d71b8 · 2026-03-13T23:46:35.000-07:00
Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
Co-authored-by: Alex Yang &lt;himself65@outlook.com&gt;
diff --git a/.cspell/third-party.txt b/.cspell/third-party.txt
@@ -40,3 +40,4 @@ vite
 electronjs
 wagmi
 tldts
+headimgurl
diff --git a/docs/content/docs/authentication/wechat.mdx b/docs/content/docs/authentication/wechat.mdx
@@ -0,0 +1,77 @@
+---
+title: WeChat
+description: WeChat provider setup and usage.
+---
+
+<Steps>
+    <Step>
+        ### Get your WeChat Credentials
+        To use WeChat sign in, you need to register a website application on the [WeChat Open Platform](https://open.weixin.qq.com/), set the `Authorization Callback Domain` to the better auth domain and get your App ID and App Secret.
+    </Step>
+
+    <Step>
+        ### Configure the provider
+        To configure the provider, you need to import the provider and pass it to the `socialProviders` option of the auth instance.
+
+        ```ts title="auth.ts"
+        import { betterAuth } from "better-auth"
+
+        export const auth = betterAuth({
+            socialProviders: {
+                wechat: { // [!code highlight]
+                    clientId: process.env.WECHAT_CLIENT_ID, // [!code highlight]
+                    clientSecret: process.env.WECHAT_CLIENT_SECRET, // [!code highlight]
+                }, // [!code highlight]
+            },
+        })
+        ```
+
+        #### Optional Configuration
+
+        You can customize the WeChat provider with additional options:
+
+        ```ts title="auth.ts"
+        export const auth = betterAuth({
+            socialProviders: {
+                wechat: {
+                    clientId: process.env.WECHAT_CLIENT_ID,
+                    clientSecret: process.env.WECHAT_CLIENT_SECRET,
+                    // Optional: Set UI language for the WeChat login page
+                    lang: "cn", // or "en" for English
+                    // Optional: Use custom scopes
+                    scope: [], // "snsapi_login" for web QR code login.
+                },
+            },
+        })
+        ```
+    </Step>
+
+    <Step>
+        ### Sign In with WeChat
+        To sign in with WeChat, you can use the `signIn.social` function provided by the client. The `signIn` function takes an object with the following properties:
+        - `provider`: The provider to use. It should be set to `wechat`.
+
+        ```ts title="auth-client.ts"
+        import { createAuthClient } from "better-auth/client"
+        const authClient = createAuthClient()
+
+        const signIn = async () => {
+            const data = await authClient.signIn.social({
+                provider: "wechat"
+            })
+        }
+        ```
+    </Step>
+
+</Steps>
+
+## Usage
+
+### Platform Support
+
+WeChat provider currently supports the Website Application platform type, which enables WeChat QR code login for web applications.
+
+### Development Notes
+
+- The redirect URL domain must match the domain configured in the WeChat Open Platform
+
diff --git a/landing/components/sidebar-content.tsx b/landing/components/sidebar-content.tsx
@@ -1135,6 +1135,24 @@ C0.7,239.6,62.1,0.5,62.2,0.4c0,0,54,13.8,119.9,30.8S302.1,62,302.2,62c0.2,0,0.2,
 					</svg>
 				),
 			},
+			{
+				title: "WeChat",
+				href: "/docs/authentication/wechat",
+				isNew: true,
+				icon: () => (
+					<svg
+						xmlns="http://www.w3.org/2000/svg"
+						width="1.2em"
+						height="1.2em"
+						viewBox="0 0 24 24"
+					>
+						<path
+							fill="currentColor"
+							d="M8.691 2.188C3.891 2.188 0 5.476 0 9.53c0 2.212 1.17 4.203 3.002 5.55a.59.59 0 0 1 .213.665l-.39 1.504c-.019.07-.048.141-.048.213 0 .163.13.295.29.295a.326.326 0 0 0 .167-.054l1.903-1.114a.864.864 0 0 1 .717-.098 10.16 10.16 0 0 0 2.837.403c.276 0 .543-.027.811-.05-.857-2.578.157-4.972 1.932-6.446 1.703-1.415 3.882-1.98 5.853-1.838-.576-3.583-4.196-6.348-8.596-6.348zM5.785 5.991c.642 0 1.162.529 1.162 1.18a1.17 1.17 0 0 1-1.162 1.178A1.17 1.17 0 0 1 4.623 7.17c0-.651.52-1.18 1.162-1.18zm5.813 0c.642 0 1.162.529 1.162 1.18a1.17 1.17 0 0 1-1.162 1.178 1.17 1.17 0 0 1-1.162-1.178c0-.651.52-1.18 1.162-1.18zm5.34 2.867c-1.797-.052-3.746.512-5.28 1.786-1.72 1.428-2.687 3.72-1.78 6.22.942 2.453 3.666 4.229 6.884 4.229.826 0 1.622-.12 2.361-.336a.722.722 0 0 1 .598.082l1.584.926a.272.272 0 0 0 .14.047c.134 0 .24-.111.24-.247 0-.06-.023-.12-.038-.177l-.327-1.233a.582.582 0 0 1-.023-.156.49.49 0 0 1 .201-.398C23.024 18.48 24 16.82 24 14.98c0-3.21-2.931-5.837-6.656-6.088V8.89c-.135-.01-.27-.027-.407-.03zm-2.53 3.274c.535 0 .969.44.969.982a.976.976 0 0 1-.969.983.976.976 0 0 1-.969-.983c0-.542.434-.982.97-.982zm4.844 0c.535 0 .969.44.969.982a.976.976 0 0 1-.969.983.976.976 0 0 1-.969-.983c0-.542.434-.982.969-.982z"
+						/>
+					</svg>
+				),
+			},
 			{
 				title: "Zoom",
 				href: "/docs/authentication/zoom",
diff --git a/packages/core/src/social-providers/index.ts b/packages/core/src/social-providers/index.ts
@@ -33,6 +33,7 @@ import { twitch } from "./twitch";
 import { twitter } from "./twitter";
 import { vercel } from "./vercel";
 import { vk } from "./vk";
+import { wechat } from "./wechat";
 import { zoom } from "./zoom";
 
 export const socialProviders = {
@@ -70,6 +71,7 @@ export const socialProviders = {
 	polar,
 	railway,
 	vercel,
+	wechat,
 };
 
 export const socialProviderList = Object.keys(socialProviders) as [
@@ -126,6 +128,7 @@ export * from "./twitch";
 export * from "./twitter";
 export * from "./vercel";
 export * from "./vk";
+export * from "./wechat";
 export * from "./zoom";
 
 export type SocialProviderList = typeof socialProviderList;
diff --git a/packages/core/src/social-providers/wechat.ts b/packages/core/src/social-providers/wechat.ts
@@ -0,0 +1,213 @@
+import { betterFetch } from "@better-fetch/fetch";
+import type { OAuth2Tokens, OAuthProvider, ProviderOptions } from "../oauth2";
+
+/**
+ * WeChat user profile information
+ * @see https://developers.weixin.qq.com/doc/oplatform/en/Website_App/WeChat_Login/Wechat_Login.html
+ */
+export interface WeChatProfile extends Record<string, any> {
+	/**
+	 * User's unique OpenID
+	 */
+	openid: string;
+	/**
+	 * User's nickname
+	 */
+	nickname: string;
+	/**
+	 * User's avatar image URL
+	 */
+	headimgurl: string;
+	/**
+	 * User's privileges
+	 */
+	privilege: string[];
+	/**
+	 * User's UnionID (unique across the developer's various applications)
+	 */
+	unionid?: string;
+	/** @note Email is currently unsupported by WeChat */
+	email?: string;
+}
+
+export interface WeChatOptions extends ProviderOptions<WeChatProfile> {
+	/**
+	 * WeChat App ID
+	 */
+	clientId: string;
+	/**
+	 * WeChat App Secret
+	 */
+	clientSecret: string;
+	/**
+	 * Platform type for WeChat login
+	 * - Currently only supports "WebsiteApp" for WeChat Website Application (&#32593;&#31449;&#24212;&#29992;)
+	 * @default "WebsiteApp"
+	 */
+	platformType?: "WebsiteApp";
+
+	/**
+	 * UI language for the WeChat login page
+	 * cn for Simplified Chinese, en for English
+	 * @default "cn" if left undefined
+	 */
+	lang?: "cn" | "en";
+}
+
+export const wechat = (options: WeChatOptions) => {
+	return {
+		id: "wechat",
+		name: "WeChat",
+		createAuthorizationURL({ state, scopes, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
+			options.scope && _scopes.push(...options.scope);
+			scopes && _scopes.push(...scopes);
+
+			// WeChat uses non-standard OAuth2 parameters (appid instead of client_id)
+			// and requires a fragment (#wechat_redirect), so we construct the URL manually.
+			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
+			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("appid", options.clientId);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			url.searchParams.set("lang", options.lang || "cn");
+			url.hash = "wechat_redirect";
+
+			return url;
+		},
+
+		// WeChat uses non-standard token exchange (appid/secret instead of
+		// client_id/client_secret, GET instead of POST), so shared helpers
+		// like validateAuthorizationCode/getOAuth2Tokens cannot be used directly.
+		validateAuthorizationCode: async ({ code }) => {
+			const params = new URLSearchParams({
+				appid: options.clientId,
+				secret: options.clientSecret,
+				code: code,
+				grant_type: "authorization_code",
+			});
+
+			const { data: tokenData, error } = await betterFetch<{
+				access_token: string;
+				expires_in: number;
+				refresh_token: string;
+				openid: string;
+				scope: string;
+				unionid?: string;
+				errcode?: number;
+				errmsg?: string;
+			}>(
+				"https://api.weixin.qq.com/sns/oauth2/access_token?" +
+					params.toString(),
+				{
+					method: "GET",
+				},
+			);
+
+			if (error || !tokenData || tokenData.errcode) {
+				throw new Error(
+					`Failed to validate authorization code: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+				);
+			}
+
+			return {
+				tokenType: "Bearer" as const,
+				accessToken: tokenData.access_token,
+				refreshToken: tokenData.refresh_token,
+				accessTokenExpiresAt: new Date(
+					Date.now() + tokenData.expires_in * 1000,
+				),
+				scopes: tokenData.scope.split(","),
+				// WeChat requires openid for the userinfo endpoint, which is
+				// returned alongside the access token.
+				openid: tokenData.openid,
+				unionid: tokenData.unionid,
+			};
+		},
+
+		refreshAccessToken: options.refreshAccessToken
+			? options.refreshAccessToken
+			: async (refreshToken) => {
+					const params = new URLSearchParams({
+						appid: options.clientId,
+						grant_type: "refresh_token",
+						refresh_token: refreshToken,
+					});
+
+					const { data: tokenData, error } = await betterFetch<{
+						access_token: string;
+						expires_in: number;
+						refresh_token: string;
+						openid: string;
+						scope: string;
+						errcode?: number;
+						errmsg?: string;
+					}>(
+						"https://api.weixin.qq.com/sns/oauth2/refresh_token?" +
+							params.toString(),
+						{
+							method: "GET",
+						},
+					);
+
+					if (error || !tokenData || tokenData.errcode) {
+						throw new Error(
+							`Failed to refresh access token: ${tokenData?.errmsg || error?.message || "Unknown error"}`,
+						);
+					}
+
+					return {
+						tokenType: "Bearer" as const,
+						accessToken: tokenData.access_token,
+						refreshToken: tokenData.refresh_token,
+						accessTokenExpiresAt: new Date(
+							Date.now() + tokenData.expires_in * 1000,
+						),
+						scopes: tokenData.scope.split(","),
+					};
+				},
+
+		async getUserInfo(token) {
+			if (options.getUserInfo) {
+				return options.getUserInfo(token);
+			}
+
+			const openid = (token as OAuth2Tokens & { openid?: string }).openid;
+
+			if (!openid) {
+				return null;
+			}
+
+			const params = new URLSearchParams({
+				access_token: token.accessToken || "",
+				openid: openid,
+				lang: "zh_CN",
+			});
+
+			const { data: profile, error } = await betterFetch<
+				WeChatProfile & { errcode?: number; errmsg?: string }
+			>("https://api.weixin.qq.com/sns/userinfo?" + params.toString(), {
+				method: "GET",
+			});
+
+			if (error || !profile || profile.errcode) {
+				return null;
+			}
+
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.unionid || profile.openid || openid,
+					name: profile.nickname,
+					email: profile.email || null,
+					image: profile.headimgurl,
+					emailVerified: false,
+					...userMap,
+				},
+				data: profile,
+			};
+		},
+		options,
+	} satisfies OAuthProvider<WeChatProfile, WeChatOptions>;
+};
