better_auth-sso 0.2.0 → 0.5.0

data/lib/better_auth/sso/constants.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Constants
+      AUTHN_REQUEST_KEY_PREFIX = BetterAuth::Plugins::SSO_SAML_AUTHN_REQUEST_KEY_PREFIX
+      USED_ASSERTION_KEY_PREFIX = BetterAuth::Plugins::SSO_SAML_USED_ASSERTION_KEY_PREFIX
+      SAML_SESSION_KEY_PREFIX = BetterAuth::Plugins::SSO_SAML_SESSION_KEY_PREFIX
+      SAML_SESSION_BY_ID_PREFIX = BetterAuth::Plugins::SSO_SAML_SESSION_BY_ID_KEY_PREFIX
+      LOGOUT_REQUEST_KEY_PREFIX = BetterAuth::Plugins::SSO_SAML_LOGOUT_REQUEST_KEY_PREFIX
+      DEFAULT_AUTHN_REQUEST_TTL_MS = BetterAuth::Plugins::SSO_DEFAULT_AUTHN_REQUEST_TTL_MS
+      DEFAULT_ASSERTION_TTL_MS = BetterAuth::Plugins::SSO_DEFAULT_ASSERTION_TTL_MS
+      DEFAULT_LOGOUT_REQUEST_TTL_MS = BetterAuth::Plugins::SSO_DEFAULT_LOGOUT_REQUEST_TTL_MS
+      DEFAULT_CLOCK_SKEW_MS = BetterAuth::Plugins::SSO_DEFAULT_CLOCK_SKEW_MS
+      DEFAULT_MAX_SAML_RESPONSE_SIZE = BetterAuth::Plugins::SSO_DEFAULT_MAX_SAML_RESPONSE_SIZE
+      DEFAULT_MAX_SAML_METADATA_SIZE = BetterAuth::Plugins::SSO_DEFAULT_MAX_SAML_METADATA_SIZE
+      SAML_STATUS_SUCCESS = BetterAuth::Plugins::SSO_SAML_STATUS_SUCCESS
+    end
+  end
+end

data/lib/better_auth/sso/domain_verification.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module DomainVerification
+      module_function
+
+      def identifier(config, provider_id)
+        BetterAuth::Plugins.sso_domain_verification_identifier(config, provider_id)
+      end
+
+      def hostname(domain)
+        BetterAuth::Plugins.sso_hostname_from_domain(domain)
+      end
+    end
+  end
+end

data/lib/better_auth/sso/linking/org_assignment.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Linking
+      module OrgAssignment
+        module_function
+
+        def assign_organization_from_provider(ctx, provider:, user:, profile: {}, token: nil, provisioning_options: nil, config: {})
+          organization_id = fetch_value(provider, :organization_id)
+          return if organization_id.to_s.empty?
+
+          options = normalized_provisioning_options(provisioning_options, config)
+          return if options[:disabled]
+          return unless organization_plugin?(ctx)
+          return if member_exists?(ctx, organization_id, fetch_value(user, :id))
+
+          role = organization_role(
+            options,
+            user: user,
+            user_info: fetch_value(profile || {}, :raw_attributes) || {},
+            token: token,
+            provider: provider
+          )
+          create_member(ctx, organization_id, fetch_value(user, :id), role)
+        end
+
+        def assign_organization_by_domain(ctx, user:, provisioning_options: nil, domain_verification: nil, config: {})
+          options = normalized_provisioning_options(provisioning_options, config)
+          return if options[:disabled]
+          return unless organization_plugin?(ctx)
+
+          domain_config = BetterAuth::Plugins.normalize_hash(domain_verification || config[:domain_verification] || {})
+          domain = fetch_value(user, :email).to_s.split("@", 2)[1]
+          return if domain.to_s.empty?
+
+          where = [{field: "domain", value: domain}]
+          where << {field: "domainVerified", value: true} if domain_config[:enabled]
+          provider = ctx.context.adapter.find_one(model: "ssoProvider", where: where)
+
+          unless provider
+            fallback_where = domain_config[:enabled] ? [{field: "domainVerified", value: true}] : []
+            providers = ctx.context.adapter.find_many(model: "ssoProvider", where: fallback_where)
+            provider = providers.find do |entry|
+              (!domain_config[:enabled] || fetch_value(entry, :domain_verified)) &&
+                BetterAuth::SSO::Utils.domain_matches?(domain, fetch_value(entry, :domain))
+            end
+          end
+
+          organization_id = fetch_value(provider || {}, :organization_id)
+          return if organization_id.to_s.empty?
+          return if member_exists?(ctx, organization_id, fetch_value(user, :id))
+
+          role = organization_role(
+            options,
+            user: user,
+            user_info: {},
+            provider: provider
+          )
+          create_member(ctx, organization_id, fetch_value(user, :id), role)
+        end
+
+        def normalized_provisioning_options(provisioning_options, config)
+          BetterAuth::Plugins.normalize_hash(provisioning_options || config[:organization_provisioning] || {})
+        end
+
+        def organization_plugin?(ctx)
+          context = ctx.context
+          return context.hasPlugin("organization") if context.respond_to?(:hasPlugin)
+          return context.has_plugin?("organization") if context.respond_to?(:has_plugin?)
+
+          plugins = context.options.respond_to?(:plugins) ? context.options.plugins : []
+          plugins.any? { |plugin| plugin.respond_to?(:id) && plugin.id == "organization" }
+        end
+
+        def member_exists?(ctx, organization_id, user_id)
+          ctx.context.adapter.find_one(
+            model: "member",
+            where: [
+              {field: "organizationId", value: organization_id},
+              {field: "userId", value: user_id}
+            ]
+          )
+        end
+
+        def organization_role(options, user:, user_info:, provider:, token: nil)
+          get_role = options[:get_role]
+          if get_role.respond_to?(:call)
+            return get_role.call(
+              user: user,
+              userInfo: user_info,
+              token: token,
+              provider: provider
+            )
+          end
+
+          options[:default_role] || options[:role] || "member"
+        end
+
+        def create_member(ctx, organization_id, user_id, role)
+          ctx.context.adapter.create(
+            model: "member",
+            data: {
+              organizationId: organization_id,
+              userId: user_id,
+              role: role,
+              createdAt: Time.now
+            }
+          )
+        end
+
+        def fetch_value(data, key)
+          BetterAuth::Plugins.sso_fetch(data, key)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/linking/types.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Linking
+      module Types
+        REQUIRED_PROFILE_KEYS = {
+          provider_type: "providerType",
+          provider_id: "providerId",
+          account_id: "accountId",
+          email: "email",
+          email_verified: "emailVerified"
+        }.freeze
+
+        module_function
+
+        def normalized_profile(profile)
+          raw_attributes = raw_value(profile, :raw_attributes, "rawAttributes", "raw_attributes")
+          source = BetterAuth::Plugins.normalize_hash(profile || {})
+          normalized = {
+            provider_type: source[:provider_type].to_s,
+            provider_id: source[:provider_id].to_s,
+            account_id: source[:account_id].to_s,
+            email: source[:email].to_s.downcase,
+            email_verified: !!source[:email_verified]
+          }
+          normalized[:name] = source[:name] if source.key?(:name)
+          normalized[:image] = source[:image] if source.key?(:image)
+          normalized[:raw_attributes] = raw_attributes unless raw_attributes.nil?
+
+          missing = REQUIRED_PROFILE_KEYS.filter_map do |key, upstream_name|
+            value = normalized[key]
+            upstream_name if value.nil? || (value.respond_to?(:empty?) && value.empty?)
+          end
+          raise ArgumentError, "Missing normalized SSO profile fields: #{missing.join(", ")}" unless missing.empty?
+          raise ArgumentError, "Invalid normalized SSO profile providerType: #{normalized[:provider_type]}" unless BetterAuth::SSO::Types.provider_type?(normalized[:provider_type])
+
+          normalized.freeze
+        end
+
+        def raw_value(profile, *keys)
+          return nil unless profile.respond_to?(:key?) && profile.respond_to?(:[])
+
+          keys.each do |key|
+            return profile[key] if profile.key?(key)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/linking.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require_relative "linking/types"
+require_relative "linking/org_assignment"
+
+module BetterAuth
+  module SSO
+    module Linking
+      module_function
+
+      def assign_organization_from_provider(ctx, provider:, user:, config: {})
+        OrgAssignment.assign_organization_from_provider(ctx, provider: provider, user: user, config: config)
+      end
+
+      def assign_organization_by_domain(ctx, user:, config: {})
+        OrgAssignment.assign_organization_by_domain(ctx, user: user, config: config)
+      end
+
+      def normalized_profile(profile)
+        Types.normalized_profile(profile)
+      end
+    end
+  end
+end

data/lib/better_auth/sso/oidc/discovery.rb

@@ -0,0 +1,259 @@
+# frozen_string_literal: true
+
+require "uri"
+require "json"
+require "net/http"
+
+module BetterAuth
+  module SSO
+    module OIDC
+      module Discovery
+        module_function
+
+        REQUIRED_DISCOVERY_FIELDS = %i[issuer authorization_endpoint token_endpoint jwks_uri].freeze
+        DISCOVERY_URL_FIELDS = %i[
+          token_endpoint
+          authorization_endpoint
+          jwks_uri
+          userinfo_endpoint
+          revocation_endpoint
+          end_session_endpoint
+          introspection_endpoint
+        ].freeze
+
+        def compute_discovery_url(issuer)
+          "#{issuer.to_s.sub(%r{/+\z}, "")}/.well-known/openid-configuration"
+        end
+
+        def validate_discovery_url(url, trusted_origin = nil)
+          uri = parse_http_url!(url, "discoveryEndpoint", details: {url: url})
+          return true unless trusted_origin && !trusted_origin.call(uri.to_s)
+
+          raise DiscoveryError.new(
+            "discovery_untrusted_origin",
+            "The main discovery endpoint \"#{uri}\" is not trusted by your trusted origins configuration.",
+            details: {url: uri.to_s}
+          )
+        end
+
+        def validate_discovery_document(document, issuer)
+          doc = BetterAuth::Plugins.normalize_hash(document || {})
+          missing = REQUIRED_DISCOVERY_FIELDS.select { |field| doc[field].to_s.empty? }
+          unless missing.empty?
+            raise DiscoveryError.new(
+              "discovery_incomplete",
+              "OIDC discovery document is missing required fields: #{missing.join(", ")}",
+              details: {missingFields: missing.map(&:to_s)}
+            )
+          end
+
+          discovered = doc[:issuer].to_s.sub(%r{/+\z}, "")
+          configured = issuer.to_s.sub(%r{/+\z}, "")
+          return true if discovered == configured
+
+          raise DiscoveryError.new(
+            "issuer_mismatch",
+            "OIDC discovery issuer does not match configured issuer",
+            details: {discovered: doc[:issuer], configured: issuer}
+          )
+        end
+
+        def normalize_discovery_urls(document, issuer, trusted_origin = nil)
+          doc = BetterAuth::Plugins.normalize_hash(document || {}).dup
+          DISCOVERY_URL_FIELDS.each do |field|
+            next if doc[field].to_s.empty?
+
+            doc[field] = normalize_url(field.to_s, doc[field], issuer, trusted_origin)
+          end
+          doc
+        end
+
+        def fetch_discovery_document(url, timeout: nil, fetch: nil)
+          response = if fetch
+            fetch.call(url, timeout: timeout)
+          else
+            uri = URI(url)
+            Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", read_timeout: timeout) do |http|
+              http.get(uri.request_uri)
+            end
+          end
+          parse_discovery_fetch_response(response)
+        rescue DiscoveryError
+          raise
+        rescue Timeout::Error
+          raise DiscoveryError.new("discovery_timeout", "OIDC discovery request timed out", details: {url: url})
+        rescue => exception
+          if exception.message.match?(/aborted/i)
+            raise DiscoveryError.new("discovery_timeout", "OIDC discovery request timed out", details: {url: url})
+          end
+
+          raise DiscoveryError.new("discovery_unexpected_error", "OIDC discovery request failed", details: {url: url, error: exception.message})
+        end
+
+        def discover_oidc_config(issuer:, fetch: nil, existing_config: nil, discovery_endpoint: nil, trusted_origin: nil, is_trusted_origin: nil, timeout: nil)
+          existing = BetterAuth::Plugins.normalize_hash(existing_config || {})
+          origin_check = trusted_origin || is_trusted_origin
+          discovery_url = discovery_endpoint || existing[:discovery_endpoint] || compute_discovery_url(issuer)
+          validate_discovery_url(discovery_url, origin_check)
+
+          document = fetch_discovery_document(discovery_url, timeout: timeout, fetch: fetch)
+          validate_discovery_document(document, issuer)
+          normalized_document = normalize_discovery_urls(document, issuer, origin_check)
+
+          {
+            issuer: existing[:issuer] || normalized_document[:issuer],
+            discovery_endpoint: existing[:discovery_endpoint] || discovery_url,
+            client_id: existing[:client_id],
+            client_secret: existing[:client_secret],
+            authorization_endpoint: existing[:authorization_endpoint] || normalized_document[:authorization_endpoint],
+            token_endpoint: existing[:token_endpoint] || normalized_document[:token_endpoint],
+            jwks_endpoint: existing[:jwks_endpoint] || normalized_document[:jwks_uri],
+            user_info_endpoint: existing[:user_info_endpoint] || normalized_document[:userinfo_endpoint],
+            token_endpoint_authentication: select_token_endpoint_auth_method(normalized_document, existing[:token_endpoint_authentication]),
+            scopes_supported: existing[:scopes_supported] || normalized_document[:scopes_supported],
+            pkce: existing[:pkce],
+            override_user_info: existing[:override_user_info],
+            mapping: existing[:mapping]
+          }.compact
+        end
+
+        def normalize_url(name_or_value, value_or_issuer, issuer = nil, trusted_origin = nil)
+          name = issuer.nil? ? "url" : name_or_value.to_s
+          value = issuer.nil? ? name_or_value : value_or_issuer
+          issuer_value = issuer.nil? ? value_or_issuer : issuer
+          normalized = normalize_endpoint_url(name, value, issuer_value)
+
+          if trusted_origin && !trusted_origin.call(normalized)
+            raise DiscoveryError.new(
+              "discovery_untrusted_origin",
+              "The #{name} \"#{normalized}\" is not trusted by your trusted origins configuration.",
+              details: {endpoint: name, url: normalized}
+            )
+          end
+
+          normalized
+        end
+
+        def needs_runtime_discovery?(oidc_config)
+          config = BetterAuth::Plugins.normalize_hash(oidc_config || {})
+          config[:authorization_endpoint].to_s.empty? ||
+            config[:token_endpoint].to_s.empty? ||
+            config[:jwks_endpoint].to_s.empty?
+        end
+
+        def ensure_runtime_discovery(config, issuer, trusted_origin, fetch: nil, timeout: nil)
+          normalized = BetterAuth::Plugins.normalize_hash(config || {})
+          return config unless needs_runtime_discovery?(normalized)
+
+          discovered = discover_oidc_config(
+            issuer: issuer,
+            existing_config: normalized,
+            trusted_origin: trusted_origin,
+            fetch: fetch,
+            timeout: timeout
+          )
+          normalized.merge(
+            authorization_endpoint: discovered[:authorization_endpoint],
+            token_endpoint: discovered[:token_endpoint],
+            token_endpoint_authentication: discovered[:token_endpoint_authentication],
+            user_info_endpoint: discovered[:user_info_endpoint],
+            jwks_endpoint: discovered[:jwks_endpoint]
+          ).compact
+        end
+
+        def select_token_endpoint_auth_method(document_or_config = {}, existing_method = nil)
+          return existing_method if existing_method
+
+          config = BetterAuth::Plugins.normalize_hash(document_or_config || {})
+          return config[:token_endpoint_authentication] if config[:token_endpoint_authentication]
+
+          methods = config[:token_endpoint_auth_methods_supported] || config[:methods] || []
+          return "client_secret_post" if Array(methods).include?("client_secret_post") && !Array(methods).include?("client_secret_basic")
+
+          "client_secret_basic"
+        end
+
+        def parse_http_url!(url, name, details: {})
+          uri = URI.parse(url.to_s)
+          raise URI::InvalidURIError if uri.scheme.to_s.empty? || uri.host.to_s.empty?
+          unless %w[http https].include?(uri.scheme)
+            raise DiscoveryError.new(
+              "discovery_invalid_url",
+              "The url \"#{name}\" must use the http or https supported protocols",
+              details: details.merge(protocol: "#{uri.scheme}:")
+            )
+          end
+
+          uri
+        rescue URI::InvalidURIError
+          raise DiscoveryError.new(
+            "discovery_invalid_url",
+            "The url \"#{name}\" must be valid",
+            details: details
+          )
+        end
+
+        def normalize_endpoint_url(name, endpoint, issuer)
+          raw = endpoint.to_s
+          if raw.match?(%r{\Ahttps?://}i)
+            uri = parse_http_url!(raw, name, details: {endpoint: name, url: raw})
+            return uri.to_s
+          end
+
+          issuer_uri = parse_http_url!(issuer, name, details: {endpoint: name, url: raw})
+          issuer_base = issuer_uri.to_s.sub(%r{/+\z}, "")
+          endpoint_path = raw.sub(%r{\A/+}, "")
+          normalized = "#{issuer_base}/#{endpoint_path}"
+          parse_http_url!(normalized, name, details: {endpoint: name, url: normalized}).to_s
+        end
+
+        def parse_discovery_fetch_response(response)
+          if response.respond_to?(:code) && response.respond_to?(:body)
+            status = response.code.to_i
+            body = response.body
+            return parse_discovery_body(body) if status.between?(200, 299)
+
+            raise_discovery_http_error(status, response.message.to_s)
+          end
+
+          normalized = response.is_a?(Hash) ? BetterAuth::Plugins.normalize_hash(response) : {data: response}
+          error = normalized[:error]
+          if error
+            error_hash = BetterAuth::Plugins.normalize_hash(error)
+            raise_discovery_http_error(error_hash[:status].to_i, error_hash[:message].to_s)
+          end
+
+          data = normalized.key?(:data) ? normalized[:data] : normalized
+          parse_discovery_body(data)
+        end
+
+        def parse_discovery_body(data)
+          raise DiscoveryError.new("discovery_invalid_json", "OIDC discovery response was empty") if data.nil?
+          return BetterAuth::Plugins.normalize_hash(data) if data.is_a?(Hash)
+
+          parsed = JSON.parse(data.to_s)
+          raise JSON::ParserError if !parsed.is_a?(Hash)
+
+          BetterAuth::Plugins.normalize_hash(parsed)
+        rescue JSON::ParserError
+          raise DiscoveryError.new(
+            "discovery_invalid_json",
+            "OIDC discovery response was not valid JSON",
+            details: {bodyPreview: data.to_s[0, 200]}
+          )
+        end
+
+        def raise_discovery_http_error(status, message)
+          case status
+          when 404
+            raise DiscoveryError.new("discovery_not_found", "OIDC discovery endpoint was not found", details: {status: status, message: message})
+          when 408
+            raise DiscoveryError.new("discovery_timeout", "OIDC discovery request timed out", details: {status: status, message: message})
+          else
+            raise DiscoveryError.new("discovery_unexpected_error", "OIDC discovery request failed", details: {status: status, message: message})
+          end
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/oidc/errors.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module OIDC
+      class DiscoveryError < StandardError
+        attr_reader :code, :details
+
+        def initialize(code, message, details: {})
+          @code = code
+          @details = details
+          super(message)
+        end
+      end
+
+      module Errors
+        module_function
+
+        def api_error(error)
+          return error if error.is_a?(APIError)
+
+          APIError.new("BAD_REQUEST", message: error.message)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/oidc/types.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module OIDC
+      module Types
+        DISCOVERY_ERROR_CODES = %w[
+          discovery_timeout
+          discovery_not_found
+          discovery_invalid_json
+          discovery_invalid_url
+          discovery_untrusted_origin
+          issuer_mismatch
+          discovery_incomplete
+          unsupported_token_auth_method
+          discovery_unexpected_error
+        ].freeze
+
+        REQUIRED_DISCOVERY_FIELDS = Discovery::REQUIRED_DISCOVERY_FIELDS
+
+        module_function
+
+        def discovery_error_code?(value)
+          DISCOVERY_ERROR_CODES.include?(value.to_s)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/oidc.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "oidc/discovery"
+require_relative "oidc/errors"
+
+module BetterAuth
+  module SSO
+    module OIDC
+      module_function
+
+      def discover_config(**kwargs)
+        Discovery.discover_oidc_config(**kwargs)
+      end
+
+      def needs_runtime_discovery?(oidc_config)
+        Discovery.needs_runtime_discovery?(oidc_config)
+      end
+    end
+  end
+end

data/lib/better_auth/sso/routes/domain_verification.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module DomainVerification
+        module_function
+
+        def identifier(config, provider_id)
+          BetterAuth::Plugins.sso_domain_verification_identifier(config, provider_id)
+        end
+
+        def hostname(domain)
+          BetterAuth::Plugins.sso_hostname_from_domain(domain)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/routes/helpers.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module Helpers
+        module_function
+
+        def find_saml_provider!(ctx, provider_id)
+          BetterAuth::Plugins.sso_find_provider!(ctx, provider_id)
+        end
+
+        def create_saml_post_form(action, saml_param, saml_value, relay_state = nil)
+          BetterAuth::Plugins.sso_saml_post_form(action, saml_param, saml_value, relay_state)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/routes/providers.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module Providers
+        module_function
+
+        def sanitize(provider, context)
+          BetterAuth::Plugins.sso_sanitize_provider(provider, context)
+        end
+
+        def provider_access?(provider, user_id, ctx)
+          BetterAuth::Plugins.sso_provider_access?(provider, user_id, ctx)
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/sso/routes/saml_pipeline.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SSO
+    module Routes
+      module SAMLPipeline
+        module_function
+
+        def process_response(ctx, config = {})
+          BetterAuth::Plugins.sso_handle_saml_response(ctx, config)
+        end
+
+        def safe_redirect_url(ctx, url, provider_id)
+          BetterAuth::Plugins.sso_safe_slo_redirect_url(ctx, url, provider_id)
+        end
+      end
+    end
+  end
+end