@better-auth/sso 1.3.1 → 1.3.3

package/.turbo/turbo-build.log

@@ -1,17 +1,17 @@
 
-> @better-auth/sso@1.3.1 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.3.3 build /home/runner/work/better-auth/better-auth/packages/sso
 > unbuild
 
 [info] Automatically detected entries: src/index, src/client [esm] [cjs] [dts]
 [info] Building sso
 [success] Build succeeded for sso
-[log]   dist/index.cjs (total size: 45.3 kB, chunk size: 45.3 kB, exports: sso)
+[log]   dist/index.cjs (total size: 47.5 kB, chunk size: 47.5 kB, exports: sso)
 
 [log]   dist/client.cjs (total size: 141 B, chunk size: 141 B, exports: ssoClient)
 
-[log]   dist/index.mjs (total size: 43.9 kB, chunk size: 43.9 kB, exports: sso)
+[log]   dist/index.mjs (total size: 46.1 kB, chunk size: 46.1 kB, exports: sso)
 
 [log]   dist/client.mjs (total size: 117 B, chunk size: 117 B, exports: ssoClient)
 
-Σ Total dist size (byte size): 199 kB
+Σ Total dist size (byte size): 204 kB
 [log]

package/dist/index.cjs

@@ -416,7 +416,8 @@ const sso = (options) => {
                 identifierFormat: body.samlConfig.identifierFormat,
                 privateKey: body.samlConfig.privateKey,
                 decryptionPvk: body.samlConfig.decryptionPvk,
-                additionalParams: body.samlConfig.additionalParams
+                additionalParams: body.samlConfig.additionalParams,
+                mapping: body.mapping
               }) : null,
               organizationId: body.organizationId,
               userId: ctx.context.session.user.id,
@@ -790,7 +791,7 @@ const sso = (options) => {
               ),
               id: idToken[mapping.id || "sub"],
               email: idToken[mapping.email || "email"],
-              emailVerified: idToken[mapping.emailVerified || "email_verified"],
+              emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
               name: idToken[mapping.name || "name"],
               image: idToken[mapping.image || "picture"]
             };
@@ -824,7 +825,7 @@ const sso = (options) => {
               name: userInfo.name || userInfo.email,
               id: userInfo.id,
               image: userInfo.image,
-              emailVerified: userInfo.emailVerified || false
+              emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
             },
             account: {
               idToken: tokenResponse.idToken,
@@ -979,7 +980,8 @@ const sso = (options) => {
               attributes[mapping.firstName] || attributes["givenName"],
               attributes[mapping.lastName] || attributes["surname"]
             ].filter(Boolean).join(" ") || parsedResponse.extract.attributes?.displayName,
-            attributes: parsedResponse.extract.attributes
+            attributes: parsedResponse.extract.attributes,
+            emailVerified: options?.trustEmailVerified ? attributes?.[mapping.emailVerified] || false : false
           };
           let user;
           const existingUser = await ctx.context.adapter.findOne({
@@ -992,6 +994,36 @@ const sso = (options) => {
             ]
           });
           if (existingUser) {
+            const accounts = await ctx.context.adapter.findOne({
+              model: "account",
+              where: [
+                { field: "userId", value: existingUser.id },
+                { field: "providerId", value: provider.providerId },
+                { field: "accountId", value: userInfo.id }
+              ]
+            });
+            if (!accounts) {
+              const isTrustedProvider = ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
+                provider.providerId
+              );
+              if (!isTrustedProvider) {
+                throw ctx.redirect(
+                  `${parsedSamlConfig.callbackUrl}?error=account_not_found`
+                );
+              }
+              await ctx.context.adapter.create({
+                model: "account",
+                data: {
+                  userId: existingUser.id,
+                  providerId: provider.providerId,
+                  accountId: userInfo.id,
+                  createdAt: /* @__PURE__ */ new Date(),
+                  updatedAt: /* @__PURE__ */ new Date(),
+                  accessToken: "",
+                  refreshToken: ""
+                }
+              });
+            }
             user = existingUser;
           } else {
             user = await ctx.context.adapter.create({
@@ -999,7 +1031,24 @@ const sso = (options) => {
               data: {
                 email: userInfo.email,
                 name: userInfo.name,
-                emailVerified: true
+                emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false,
+                createdAt: /* @__PURE__ */ new Date(),
+                updatedAt: /* @__PURE__ */ new Date()
+              }
+            });
+            await ctx.context.adapter.create({
+              model: "account",
+              data: {
+                userId: user.id,
+                providerId: provider.providerId,
+                accountId: userInfo.id,
+                accessToken: "",
+                refreshToken: "",
+                accessTokenExpiresAt: /* @__PURE__ */ new Date(),
+                refreshTokenExpiresAt: /* @__PURE__ */ new Date(),
+                scope: "",
+                createdAt: /* @__PURE__ */ new Date(),
+                updatedAt: /* @__PURE__ */ new Date()
               }
             });
           }

package/dist/index.d.cts

@@ -30,6 +30,14 @@ interface SAMLConfig {
     signingKey: string;
     certificate: string;
     attributeConsumingServiceIndex: number;
+    mapping?: {
+        id?: string;
+        email?: string;
+        name?: string;
+        firstName?: string;
+        lastName?: string;
+        extraFields?: Record<string, string>;
+    };
 }
 interface SSOProvider {
     issuer: string;
@@ -111,6 +119,11 @@ interface SSOOptions {
      * @default 10
      */
     providersLimit?: number | ((user: User) => Promise<number> | number);
+    /**
+     * Trust the email verified flag from the provider.
+     * @default false
+     */
+    trustEmailVerified?: boolean;
 }
 declare const sso: (options?: SSOOptions) => {
     id: "sso";

package/dist/index.d.mts

@@ -30,6 +30,14 @@ interface SAMLConfig {
     signingKey: string;
     certificate: string;
     attributeConsumingServiceIndex: number;
+    mapping?: {
+        id?: string;
+        email?: string;
+        name?: string;
+        firstName?: string;
+        lastName?: string;
+        extraFields?: Record<string, string>;
+    };
 }
 interface SSOProvider {
     issuer: string;
@@ -111,6 +119,11 @@ interface SSOOptions {
      * @default 10
      */
     providersLimit?: number | ((user: User) => Promise<number> | number);
+    /**
+     * Trust the email verified flag from the provider.
+     * @default false
+     */
+    trustEmailVerified?: boolean;
 }
 declare const sso: (options?: SSOOptions) => {
     id: "sso";

package/dist/index.d.ts

@@ -30,6 +30,14 @@ interface SAMLConfig {
     signingKey: string;
     certificate: string;
     attributeConsumingServiceIndex: number;
+    mapping?: {
+        id?: string;
+        email?: string;
+        name?: string;
+        firstName?: string;
+        lastName?: string;
+        extraFields?: Record<string, string>;
+    };
 }
 interface SSOProvider {
     issuer: string;
@@ -111,6 +119,11 @@ interface SSOOptions {
      * @default 10
      */
     providersLimit?: number | ((user: User) => Promise<number> | number);
+    /**
+     * Trust the email verified flag from the provider.
+     * @default false
+     */
+    trustEmailVerified?: boolean;
 }
 declare const sso: (options?: SSOOptions) => {
     id: "sso";

package/dist/index.mjs

@@ -399,7 +399,8 @@ const sso = (options) => {
                 identifierFormat: body.samlConfig.identifierFormat,
                 privateKey: body.samlConfig.privateKey,
                 decryptionPvk: body.samlConfig.decryptionPvk,
-                additionalParams: body.samlConfig.additionalParams
+                additionalParams: body.samlConfig.additionalParams,
+                mapping: body.mapping
               }) : null,
               organizationId: body.organizationId,
               userId: ctx.context.session.user.id,
@@ -773,7 +774,7 @@ const sso = (options) => {
               ),
               id: idToken[mapping.id || "sub"],
               email: idToken[mapping.email || "email"],
-              emailVerified: idToken[mapping.emailVerified || "email_verified"],
+              emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
               name: idToken[mapping.name || "name"],
               image: idToken[mapping.image || "picture"]
             };
@@ -807,7 +808,7 @@ const sso = (options) => {
               name: userInfo.name || userInfo.email,
               id: userInfo.id,
               image: userInfo.image,
-              emailVerified: userInfo.emailVerified || false
+              emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
             },
             account: {
               idToken: tokenResponse.idToken,
@@ -962,7 +963,8 @@ const sso = (options) => {
               attributes[mapping.firstName] || attributes["givenName"],
               attributes[mapping.lastName] || attributes["surname"]
             ].filter(Boolean).join(" ") || parsedResponse.extract.attributes?.displayName,
-            attributes: parsedResponse.extract.attributes
+            attributes: parsedResponse.extract.attributes,
+            emailVerified: options?.trustEmailVerified ? attributes?.[mapping.emailVerified] || false : false
           };
           let user;
           const existingUser = await ctx.context.adapter.findOne({
@@ -975,6 +977,36 @@ const sso = (options) => {
             ]
           });
           if (existingUser) {
+            const accounts = await ctx.context.adapter.findOne({
+              model: "account",
+              where: [
+                { field: "userId", value: existingUser.id },
+                { field: "providerId", value: provider.providerId },
+                { field: "accountId", value: userInfo.id }
+              ]
+            });
+            if (!accounts) {
+              const isTrustedProvider = ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
+                provider.providerId
+              );
+              if (!isTrustedProvider) {
+                throw ctx.redirect(
+                  `${parsedSamlConfig.callbackUrl}?error=account_not_found`
+                );
+              }
+              await ctx.context.adapter.create({
+                model: "account",
+                data: {
+                  userId: existingUser.id,
+                  providerId: provider.providerId,
+                  accountId: userInfo.id,
+                  createdAt: /* @__PURE__ */ new Date(),
+                  updatedAt: /* @__PURE__ */ new Date(),
+                  accessToken: "",
+                  refreshToken: ""
+                }
+              });
+            }
             user = existingUser;
           } else {
             user = await ctx.context.adapter.create({
@@ -982,7 +1014,24 @@ const sso = (options) => {
               data: {
                 email: userInfo.email,
                 name: userInfo.name,
-                emailVerified: true
+                emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false,
+                createdAt: /* @__PURE__ */ new Date(),
+                updatedAt: /* @__PURE__ */ new Date()
+              }
+            });
+            await ctx.context.adapter.create({
+              model: "account",
+              data: {
+                userId: user.id,
+                providerId: provider.providerId,
+                accountId: userInfo.id,
+                accessToken: "",
+                refreshToken: "",
+                accessTokenExpiresAt: /* @__PURE__ */ new Date(),
+                refreshTokenExpiresAt: /* @__PURE__ */ new Date(),
+                scope: "",
+                createdAt: /* @__PURE__ */ new Date(),
+                updatedAt: /* @__PURE__ */ new Date()
               }
             });
           }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.3.1",
+  "version": "1.3.3",
   "main": "dist/index.cjs",
   "license": "MIT",
   "keywords": [
@@ -47,7 +47,7 @@
     "oauth2-mock-server": "^7.2.0",
     "samlify": "^2.10.0",
     "zod": "^3.24.1",
-    "better-auth": "^1.3.1"
+    "better-auth": "^1.3.3"
   },
   "devDependencies": {
     "@types/body-parser": "^1.19.6",

package/src/index.ts

@@ -1,5 +1,6 @@
 import {
 	generateState,
+	type Account,
 	type BetterAuthPlugin,
 	type OAuth2Tokens,
 	type Session,
@@ -65,6 +66,14 @@ export interface SAMLConfig {
 	signingKey: string;
 	certificate: string;
 	attributeConsumingServiceIndex: number;
+	mapping?: {
+		id?: string;
+		email?: string;
+		name?: string;
+		firstName?: string;
+		lastName?: string;
+		extraFields?: Record<string, string>;
+	};
 }
 
 export interface SSOProvider {
@@ -148,6 +157,11 @@ export interface SSOOptions {
 	 * @default 10
 	 */
 	providersLimit?: number | ((user: User) => Promise<number> | number);
+	/**
+	 * Trust the email verified flag from the provider.
+	 * @default false
+	 */
+	trustEmailVerified?: boolean;
 }
 
 export const sso = (options?: SSOOptions) => {
@@ -623,6 +637,7 @@ export const sso = (options?: SSOOptions) => {
 										privateKey: body.samlConfig.privateKey,
 										decryptionPvk: body.samlConfig.decryptionPvk,
 										additionalParams: body.samlConfig.additionalParams,
+										mapping: body.mapping,
 									})
 								: null,
 							organizationId: body.organizationId,
@@ -1093,7 +1108,9 @@ export const sso = (options?: SSOOptions) => {
 							),
 							id: idToken[mapping.id || "sub"],
 							email: idToken[mapping.email || "email"],
-							emailVerified: idToken[mapping.emailVerified || "email_verified"],
+							emailVerified: options?.trustEmailVerified
+								? idToken[mapping.emailVerified || "email_verified"]
+								: false,
 							name: idToken[mapping.name || "name"],
 							image: idToken[mapping.image || "picture"],
 						} as {
@@ -1149,7 +1166,9 @@ export const sso = (options?: SSOOptions) => {
 							name: userInfo.name || userInfo.email,
 							id: userInfo.id,
 							image: userInfo.image,
-							emailVerified: userInfo.emailVerified || false,
+							emailVerified: options?.trustEmailVerified
+								? userInfo.emailVerified || false
+								: false,
 						},
 						account: {
 							idToken: tokenResponse.idToken,
@@ -1325,6 +1344,9 @@ export const sso = (options?: SSOOptions) => {
 								.filter(Boolean)
 								.join(" ") || parsedResponse.extract.attributes?.displayName,
 						attributes: parsedResponse.extract.attributes,
+						emailVerified: options?.trustEmailVerified
+							? ((attributes?.[mapping.emailVerified] || false) as boolean)
+							: false,
 					};
 
 					let user: User;
@@ -1340,6 +1362,37 @@ export const sso = (options?: SSOOptions) => {
 					});
 
 					if (existingUser) {
+						const accounts = await ctx.context.adapter.findOne<Account>({
+							model: "account",
+							where: [
+								{ field: "userId", value: existingUser.id },
+								{ field: "providerId", value: provider.providerId },
+								{ field: "accountId", value: userInfo.id },
+							],
+						});
+						if (!accounts) {
+							const isTrustedProvider =
+								ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
+									provider.providerId,
+								);
+							if (!isTrustedProvider) {
+								throw ctx.redirect(
+									`${parsedSamlConfig.callbackUrl}?error=account_not_found`,
+								);
+							}
+							await ctx.context.adapter.create<Account>({
+								model: "account",
+								data: {
+									userId: existingUser.id,
+									providerId: provider.providerId,
+									accountId: userInfo.id,
+									createdAt: new Date(),
+									updatedAt: new Date(),
+									accessToken: "",
+									refreshToken: "",
+								},
+							});
+						}
 						user = existingUser;
 					} else {
 						user = await ctx.context.adapter.create({
@@ -1347,7 +1400,26 @@ export const sso = (options?: SSOOptions) => {
 							data: {
 								email: userInfo.email,
 								name: userInfo.name,
-								emailVerified: true,
+								emailVerified: options?.trustEmailVerified
+									? userInfo.emailVerified || false
+									: false,
+								createdAt: new Date(),
+								updatedAt: new Date(),
+							},
+						});
+						await ctx.context.adapter.create<Account>({
+							model: "account",
+							data: {
+								userId: user.id,
+								providerId: provider.providerId,
+								accountId: userInfo.id,
+								accessToken: "",
+								refreshToken: "",
+								accessTokenExpiresAt: new Date(),
+								refreshTokenExpiresAt: new Date(),
+								scope: "",
+								createdAt: new Date(),
+								updatedAt: new Date(),
 							},
 						});
 					}