@better-auth/sso 1.3.13 → 1.3.14

package/src/oidc.test.ts

@@ -84,13 +84,13 @@ describe("SSO", async () => {
 					tokenEndpoint: `${server.issuer.url}/token`,
 					jwksEndpoint: `${server.issuer.url}/jwks`,
 					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
-				},
-				mapping: {
-					id: "sub",
-					email: "email",
-					emailVerified: "email_verified",
-					name: "name",
-					image: "picture",
+					mapping: {
+						id: "sub",
+						email: "email",
+						emailVerified: "email_verified",
+						name: "name",
+						image: "picture",
+					},
 				},
 				providerId: "test",
 			},
@@ -196,6 +196,67 @@ describe("SSO", async () => {
 	});
 });
 
+describe("SSO with defaultSSO array", async () => {
+	const { auth, signInWithTestUser, customFetchImpl } =
+		await getTestInstanceMemory({
+			plugins: [
+				sso({
+					defaultSSO: [
+						{
+							domain: "localhost.com",
+							providerId: "default-test",
+							oidcConfig: {
+								issuer: "http://localhost:8080",
+								clientId: "test",
+								clientSecret: "test",
+								authorizationEndpoint: "http://localhost:8080/authorize",
+								tokenEndpoint: "http://localhost:8080/token",
+								jwksEndpoint: "http://localhost:8080/jwks",
+								discoveryEndpoint:
+									"http://localhost:8080/.well-known/openid-configuration",
+								pkce: true,
+								mapping: {
+									id: "sub",
+									email: "email",
+									emailVerified: "email_verified",
+									name: "name",
+									image: "picture",
+								},
+							},
+						},
+					],
+				}),
+				organization(),
+			],
+		});
+
+	it("should use default SSO provider from array when no provider found in database using providerId", async () => {
+		const res = await auth.api.signInSSO({
+			body: {
+				providerId: "default-test",
+				callbackURL: "/dashboard",
+			},
+		});
+		expect(res.url).toContain("http://localhost:8080/authorize");
+		expect(res.url).toContain(
+			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Fdefault-test",
+		);
+	});
+
+	it("should use default SSO provider from array when no provider found in database using domain fallback", async () => {
+		const res = await auth.api.signInSSO({
+			body: {
+				email: "test@localhost.com",
+				callbackURL: "/dashboard",
+			},
+		});
+		expect(res.url).toContain("http://localhost:8080/authorize");
+		expect(res.url).toContain(
+			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Fdefault-test",
+		);
+	});
+});
+
 describe("SSO disable implicit sign in", async () => {
 	const { auth, signInWithTestUser, customFetchImpl } =
 		await getTestInstanceMemory({
@@ -272,13 +333,14 @@ describe("SSO disable implicit sign in", async () => {
 					authorizationEndpoint: `${server.issuer.url}/authorize`,
 					tokenEndpoint: `${server.issuer.url}/token`,
 					jwksEndpoint: `${server.issuer.url}/jwks`,
-				},
-				mapping: {
-					id: "sub",
-					email: "email",
-					emailVerified: "email_verified",
-					name: "name",
-					image: "picture",
+					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
+					mapping: {
+						id: "sub",
+						email: "email",
+						emailVerified: "email_verified",
+						name: "name",
+						image: "picture",
+					},
 				},
 				providerId: "test",
 			},
@@ -526,13 +588,14 @@ describe("provisioning", async (ctx) => {
 					authorizationEndpoint: `${server.issuer.url}/authorize`,
 					tokenEndpoint: `${server.issuer.url}/token`,
 					jwksEndpoint: `${server.issuer.url}/jwks`,
-				},
-				mapping: {
-					id: "sub",
-					email: "email",
-					emailVerified: "email_verified",
-					name: "name",
-					image: "picture",
+					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
+					mapping: {
+						id: "sub",
+						email: "email",
+						emailVerified: "email_verified",
+						name: "name",
+						image: "picture",
+					},
 				},
 				providerId: "test2",
 				organizationId: organization?.id,

package/src/saml.test.ts

@@ -493,6 +493,98 @@ const createMockSAMLIdP = (port: number) => {
 	return { start, stop, metadataUrl };
 };
 
+describe("SAML SSO with defaultSSO array", async () => {
+	const data = {
+		user: [],
+		session: [],
+		verification: [],
+		account: [],
+		ssoProvider: [],
+	};
+
+	const memory = memoryAdapter(data);
+	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
+
+	const ssoOptions = {
+		defaultSSO: [
+			{
+				domain: "localhost:8081",
+				providerId: "default-saml",
+				samlConfig: {
+					issuer: "http://localhost:8081",
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+		],
+		provisionUser: vi
+			.fn()
+			.mockImplementation(async ({ user, userInfo, token, provider }) => {
+				return {
+					id: "provisioned-user-id",
+					email: userInfo.email,
+					name: userInfo.name,
+					attributes: userInfo.attributes,
+				};
+			}),
+	};
+
+	const auth = betterAuth({
+		database: memory,
+		baseURL: "http://localhost:3000",
+		emailAndPassword: {
+			enabled: true,
+		},
+		plugins: [sso(ssoOptions)],
+	});
+
+	const ctx = await auth.$context;
+
+	const authClient = createAuthClient({
+		baseURL: "http://localhost:3000",
+		plugins: [bearer(), ssoClient()],
+		fetchOptions: {
+			customFetchImpl: async (url, init) => {
+				return auth.handler(new Request(url, init));
+			},
+		},
+	});
+
+	beforeAll(async () => {
+		await mockIdP.start();
+	});
+
+	afterAll(async () => {
+		await mockIdP.stop();
+	});
+
+	it("should use default SAML SSO provider from array when no provider found in database", async () => {
+		const signInResponse = await auth.api.signInSSO({
+			body: {
+				providerId: "default-saml",
+				callbackURL: "http://localhost:3000/dashboard",
+			},
+		});
+
+		expect(signInResponse).toEqual({
+			url: expect.stringContaining("http://localhost:8081"),
+			redirect: true,
+		});
+	});
+});
+
 describe("SAML SSO", async () => {
 	const data = {
 		user: [],

package/CHANGELOG.md

@@ -1,20 +0,0 @@
-# @better-auth/sso
-
-## 1.3.4
-
-### Patch Changes
-
-- 2bd2fa9: Added support for listing organization members with pagination, sorting, and filtering, and improved client inference for additional organization fields. Also fixed date handling in rate limits and tokens, improved Notion OAuth user extraction, and ensured session is always set in context.
-
-  Organization
-
-  - Added listMembers API with pagination, sorting, and filtering.
-  - Added membersLimit param to getFullOrganization.
-  - Improved client inference for additional fields in organization schemas.
-  - Bug Fixes
-  - Fixed date handling by casting DB values to Date objects before using date methods.
-  - Fixed Notion OAuth to extract user info correctly.
-  - Ensured session is set in context when reading from cookie cach
-
-- Updated dependencies [2bd2fa9]
-  - better-auth@1.3.4