refactor(oauth-provider): reject skip_consent at schema level in DCR (#8998)

.changeset/gentle-trains-knock.md

@@ -0,0 +1,5 @@
+---
+"@better-auth/oauth-provider": patch
+---
+
+Typescript specifies skip_consent type never and errors through zod

packages/oauth-provider/src/oauth.ts

@@ -1177,7 +1177,12 @@ export const oauthProvider = <O extends OAuthOptions<Scope[]>>(options: O) => {
 							.optional(),
 						type: z.enum(["web", "native", "user-agent-based"]).optional(),
 						subject_type: z.enum(["public", "pairwise"]).optional(),
-						skip_consent: z.boolean().optional(),
+						skip_consent: z
+							.never({
+								error:
+									"skip_consent cannot be set during dynamic client registration",
+							})
+							.optional(),
 					}),
 					metadata: {
 						openapi: {

packages/oauth-provider/src/register.test.ts

@@ -391,6 +391,7 @@ describe("oauth register - skip_consent blocked", async () => {
 	it("should reject skip_consent during dynamic registration", async () => {
 		const res = await serverClient.oauth2.register({
 			redirect_uris: ["http://localhost:5000/callback"],
+			// @ts-expect-error testing skip consent mimicing client incorrectly sending parameter
 			skip_consent: true,
 		});
 		expect(res.error?.status).toBe(400);

packages/oauth-provider/src/register.ts

@@ -174,14 +174,6 @@ export async function checkOAuthClient(
 			error_description: `pkce is required for registered clients.`,
 		});
 	}
-
-	if (settings?.isRegister && client.skip_consent) {
-		throw new APIError("BAD_REQUEST", {
-			error: "invalid_client_metadata",
-			error_description:
-				"skip_consent cannot be set during dynamic client registration",
-		});
-	}
 }
 
 export async function createOAuthClientEndpoint(