@better-auth/sso 1.3.13 → 1.3.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +4 -4
- package/dist/index.cjs +538 -164
- package/dist/index.d.cts +186 -39
- package/dist/index.d.mts +186 -39
- package/dist/index.d.ts +186 -39
- package/dist/index.mjs +538 -164
- package/package.json +5 -5
- package/src/index.ts +780 -220
- package/src/oidc.test.ts +84 -21
- package/src/saml.test.ts +92 -0
- package/tsconfig.json +9 -15
- package/CHANGELOG.md +0 -20
package/dist/index.d.ts
CHANGED
|
@@ -2,6 +2,23 @@ import * as better_call from 'better-call';
|
|
|
2
2
|
import { User, OAuth2Tokens } from 'better-auth';
|
|
3
3
|
import * as z from 'zod/v4';
|
|
4
4
|
|
|
5
|
+
interface OIDCMapping {
|
|
6
|
+
id?: string;
|
|
7
|
+
email?: string;
|
|
8
|
+
emailVerified?: string;
|
|
9
|
+
name?: string;
|
|
10
|
+
image?: string;
|
|
11
|
+
extraFields?: Record<string, string>;
|
|
12
|
+
}
|
|
13
|
+
interface SAMLMapping {
|
|
14
|
+
id?: string;
|
|
15
|
+
email?: string;
|
|
16
|
+
emailVerified?: string;
|
|
17
|
+
name?: string;
|
|
18
|
+
firstName?: string;
|
|
19
|
+
lastName?: string;
|
|
20
|
+
extraFields?: Record<string, string>;
|
|
21
|
+
}
|
|
5
22
|
interface OIDCConfig {
|
|
6
23
|
issuer: string;
|
|
7
24
|
pkce: boolean;
|
|
@@ -15,29 +32,48 @@ interface OIDCConfig {
|
|
|
15
32
|
tokenEndpoint?: string;
|
|
16
33
|
tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
|
|
17
34
|
jwksEndpoint?: string;
|
|
18
|
-
mapping?:
|
|
19
|
-
id?: string;
|
|
20
|
-
email?: string;
|
|
21
|
-
emailVerified?: string;
|
|
22
|
-
name?: string;
|
|
23
|
-
image?: string;
|
|
24
|
-
extraFields?: Record<string, string>;
|
|
25
|
-
};
|
|
35
|
+
mapping?: OIDCMapping;
|
|
26
36
|
}
|
|
27
37
|
interface SAMLConfig {
|
|
28
38
|
issuer: string;
|
|
29
39
|
entryPoint: string;
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
+
cert: string;
|
|
41
|
+
callbackUrl: string;
|
|
42
|
+
audience?: string;
|
|
43
|
+
idpMetadata?: {
|
|
44
|
+
metadata?: string;
|
|
45
|
+
entityID?: string;
|
|
46
|
+
entityURL?: string;
|
|
47
|
+
redirectURL?: string;
|
|
48
|
+
cert?: string;
|
|
49
|
+
privateKey?: string;
|
|
50
|
+
privateKeyPass?: string;
|
|
51
|
+
isAssertionEncrypted?: boolean;
|
|
52
|
+
encPrivateKey?: string;
|
|
53
|
+
encPrivateKeyPass?: string;
|
|
54
|
+
singleSignOnService?: Array<{
|
|
55
|
+
Binding: string;
|
|
56
|
+
Location: string;
|
|
57
|
+
}>;
|
|
40
58
|
};
|
|
59
|
+
spMetadata: {
|
|
60
|
+
metadata?: string;
|
|
61
|
+
entityID?: string;
|
|
62
|
+
binding?: string;
|
|
63
|
+
privateKey?: string;
|
|
64
|
+
privateKeyPass?: string;
|
|
65
|
+
isAssertionEncrypted?: boolean;
|
|
66
|
+
encPrivateKey?: string;
|
|
67
|
+
encPrivateKeyPass?: string;
|
|
68
|
+
};
|
|
69
|
+
wantAssertionsSigned?: boolean;
|
|
70
|
+
signatureAlgorithm?: string;
|
|
71
|
+
digestAlgorithm?: string;
|
|
72
|
+
identifierFormat?: string;
|
|
73
|
+
privateKey?: string;
|
|
74
|
+
decryptionPvk?: string;
|
|
75
|
+
additionalParams?: Record<string, any>;
|
|
76
|
+
mapping?: SAMLMapping;
|
|
41
77
|
}
|
|
42
78
|
interface SSOProvider {
|
|
43
79
|
issuer: string;
|
|
@@ -94,6 +130,29 @@ interface SSOOptions {
|
|
|
94
130
|
provider: SSOProvider;
|
|
95
131
|
}) => Promise<"member" | "admin">;
|
|
96
132
|
};
|
|
133
|
+
/**
|
|
134
|
+
* Default SSO provider configurations for testing.
|
|
135
|
+
* These will take the precedence over the database providers.
|
|
136
|
+
*/
|
|
137
|
+
defaultSSO?: Array<{
|
|
138
|
+
/**
|
|
139
|
+
* The domain to match for this default provider.
|
|
140
|
+
* This is only used to match incoming requests to this default provider.
|
|
141
|
+
*/
|
|
142
|
+
domain: string;
|
|
143
|
+
/**
|
|
144
|
+
* The provider ID to use
|
|
145
|
+
*/
|
|
146
|
+
providerId: string;
|
|
147
|
+
/**
|
|
148
|
+
* SAML configuration
|
|
149
|
+
*/
|
|
150
|
+
samlConfig?: SAMLConfig;
|
|
151
|
+
/**
|
|
152
|
+
* OIDC configuration
|
|
153
|
+
*/
|
|
154
|
+
oidcConfig?: OIDCConfig;
|
|
155
|
+
}>;
|
|
97
156
|
/**
|
|
98
157
|
* Override user info with the provider info.
|
|
99
158
|
* @default false
|
|
@@ -198,13 +257,22 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
198
257
|
discoveryEndpoint?: string | undefined;
|
|
199
258
|
scopes?: string[] | undefined;
|
|
200
259
|
pkce?: boolean | undefined;
|
|
260
|
+
mapping?: {
|
|
261
|
+
id: string;
|
|
262
|
+
email: string;
|
|
263
|
+
name: string;
|
|
264
|
+
emailVerified?: string | undefined;
|
|
265
|
+
image?: string | undefined;
|
|
266
|
+
extraFields?: Record<string, any> | undefined;
|
|
267
|
+
} | undefined;
|
|
201
268
|
} | undefined;
|
|
202
269
|
samlConfig?: {
|
|
203
270
|
entryPoint: string;
|
|
204
271
|
cert: string;
|
|
205
272
|
callbackUrl: string;
|
|
206
273
|
spMetadata: {
|
|
207
|
-
metadata
|
|
274
|
+
metadata?: string | undefined;
|
|
275
|
+
entityID?: string | undefined;
|
|
208
276
|
binding?: string | undefined;
|
|
209
277
|
privateKey?: string | undefined;
|
|
210
278
|
privateKeyPass?: string | undefined;
|
|
@@ -214,12 +282,18 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
214
282
|
};
|
|
215
283
|
audience?: string | undefined;
|
|
216
284
|
idpMetadata?: {
|
|
217
|
-
metadata
|
|
285
|
+
metadata?: string | undefined;
|
|
286
|
+
entityID?: string | undefined;
|
|
287
|
+
cert?: string | undefined;
|
|
218
288
|
privateKey?: string | undefined;
|
|
219
289
|
privateKeyPass?: string | undefined;
|
|
220
290
|
isAssertionEncrypted?: boolean | undefined;
|
|
221
291
|
encPrivateKey?: string | undefined;
|
|
222
292
|
encPrivateKeyPass?: string | undefined;
|
|
293
|
+
singleSignOnService?: {
|
|
294
|
+
Binding: string;
|
|
295
|
+
Location: string;
|
|
296
|
+
}[] | undefined;
|
|
223
297
|
} | undefined;
|
|
224
298
|
wantAssertionsSigned?: boolean | undefined;
|
|
225
299
|
signatureAlgorithm?: string | undefined;
|
|
@@ -228,14 +302,15 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
228
302
|
privateKey?: string | undefined;
|
|
229
303
|
decryptionPvk?: string | undefined;
|
|
230
304
|
additionalParams?: Record<string, any> | undefined;
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
305
|
+
mapping?: {
|
|
306
|
+
id: string;
|
|
307
|
+
email: string;
|
|
308
|
+
name: string;
|
|
309
|
+
emailVerified?: string | undefined;
|
|
310
|
+
firstName?: string | undefined;
|
|
311
|
+
lastName?: string | undefined;
|
|
312
|
+
extraFields?: Record<string, any> | undefined;
|
|
313
|
+
} | undefined;
|
|
239
314
|
} | undefined;
|
|
240
315
|
organizationId?: string | undefined;
|
|
241
316
|
overrideUserInfo?: boolean | undefined;
|
|
@@ -298,6 +373,14 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
298
373
|
discoveryEndpoint: z.ZodOptional<z.ZodString>;
|
|
299
374
|
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
300
375
|
pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
376
|
+
mapping: z.ZodOptional<z.ZodObject<{
|
|
377
|
+
id: z.ZodString;
|
|
378
|
+
email: z.ZodString;
|
|
379
|
+
emailVerified: z.ZodOptional<z.ZodString>;
|
|
380
|
+
name: z.ZodString;
|
|
381
|
+
image: z.ZodOptional<z.ZodString>;
|
|
382
|
+
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
383
|
+
}, z.core.$strip>>;
|
|
301
384
|
}, z.core.$strip>>;
|
|
302
385
|
samlConfig: z.ZodOptional<z.ZodObject<{
|
|
303
386
|
entryPoint: z.ZodString;
|
|
@@ -305,15 +388,22 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
305
388
|
callbackUrl: z.ZodString;
|
|
306
389
|
audience: z.ZodOptional<z.ZodString>;
|
|
307
390
|
idpMetadata: z.ZodOptional<z.ZodObject<{
|
|
308
|
-
metadata: z.ZodString
|
|
391
|
+
metadata: z.ZodOptional<z.ZodString>;
|
|
392
|
+
entityID: z.ZodOptional<z.ZodString>;
|
|
393
|
+
cert: z.ZodOptional<z.ZodString>;
|
|
309
394
|
privateKey: z.ZodOptional<z.ZodString>;
|
|
310
395
|
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
311
396
|
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
312
397
|
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
313
398
|
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
399
|
+
singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
400
|
+
Binding: z.ZodString;
|
|
401
|
+
Location: z.ZodString;
|
|
402
|
+
}, z.core.$strip>>>;
|
|
314
403
|
}, z.core.$strip>>;
|
|
315
404
|
spMetadata: z.ZodObject<{
|
|
316
|
-
metadata: z.ZodString
|
|
405
|
+
metadata: z.ZodOptional<z.ZodString>;
|
|
406
|
+
entityID: z.ZodOptional<z.ZodString>;
|
|
317
407
|
binding: z.ZodOptional<z.ZodString>;
|
|
318
408
|
privateKey: z.ZodOptional<z.ZodString>;
|
|
319
409
|
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
@@ -328,14 +418,15 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
328
418
|
privateKey: z.ZodOptional<z.ZodString>;
|
|
329
419
|
decryptionPvk: z.ZodOptional<z.ZodString>;
|
|
330
420
|
additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
421
|
+
mapping: z.ZodOptional<z.ZodObject<{
|
|
422
|
+
id: z.ZodString;
|
|
423
|
+
email: z.ZodString;
|
|
424
|
+
emailVerified: z.ZodOptional<z.ZodString>;
|
|
425
|
+
name: z.ZodString;
|
|
426
|
+
firstName: z.ZodOptional<z.ZodString>;
|
|
427
|
+
lastName: z.ZodOptional<z.ZodString>;
|
|
428
|
+
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
429
|
+
}, z.core.$strip>>;
|
|
339
430
|
}, z.core.$strip>>;
|
|
340
431
|
organizationId: z.ZodOptional<z.ZodString>;
|
|
341
432
|
overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
@@ -767,6 +858,62 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
767
858
|
};
|
|
768
859
|
path: "/sso/saml2/callback/:providerId";
|
|
769
860
|
};
|
|
861
|
+
acsEndpoint: {
|
|
862
|
+
<AsResponse extends boolean = false, ReturnHeaders extends boolean = false>(inputCtx_0: {
|
|
863
|
+
body: {
|
|
864
|
+
SAMLResponse: string;
|
|
865
|
+
RelayState?: string | undefined;
|
|
866
|
+
};
|
|
867
|
+
} & {
|
|
868
|
+
method?: "POST" | undefined;
|
|
869
|
+
} & {
|
|
870
|
+
query?: Record<string, any> | undefined;
|
|
871
|
+
} & {
|
|
872
|
+
params: {
|
|
873
|
+
providerId: string;
|
|
874
|
+
};
|
|
875
|
+
} & {
|
|
876
|
+
request?: Request;
|
|
877
|
+
} & {
|
|
878
|
+
headers?: HeadersInit;
|
|
879
|
+
} & {
|
|
880
|
+
asResponse?: boolean;
|
|
881
|
+
returnHeaders?: boolean;
|
|
882
|
+
use?: better_call.Middleware[];
|
|
883
|
+
path?: string;
|
|
884
|
+
} & {
|
|
885
|
+
asResponse?: AsResponse | undefined;
|
|
886
|
+
returnHeaders?: ReturnHeaders | undefined;
|
|
887
|
+
}): Promise<[AsResponse] extends [true] ? Response : [ReturnHeaders] extends [true] ? {
|
|
888
|
+
headers: Headers;
|
|
889
|
+
response: never;
|
|
890
|
+
} : never>;
|
|
891
|
+
options: {
|
|
892
|
+
method: "POST";
|
|
893
|
+
params: z.ZodObject<{
|
|
894
|
+
providerId: z.ZodOptional<z.ZodString>;
|
|
895
|
+
}, z.core.$strip>;
|
|
896
|
+
body: z.ZodObject<{
|
|
897
|
+
SAMLResponse: z.ZodString;
|
|
898
|
+
RelayState: z.ZodOptional<z.ZodString>;
|
|
899
|
+
}, z.core.$strip>;
|
|
900
|
+
metadata: {
|
|
901
|
+
isAction: boolean;
|
|
902
|
+
openapi: {
|
|
903
|
+
summary: string;
|
|
904
|
+
description: string;
|
|
905
|
+
responses: {
|
|
906
|
+
"302": {
|
|
907
|
+
description: string;
|
|
908
|
+
};
|
|
909
|
+
};
|
|
910
|
+
};
|
|
911
|
+
};
|
|
912
|
+
} & {
|
|
913
|
+
use: any[];
|
|
914
|
+
};
|
|
915
|
+
path: "/sso/saml2/sp/acs/:providerId";
|
|
916
|
+
};
|
|
770
917
|
};
|
|
771
918
|
schema: {
|
|
772
919
|
ssoProvider: {
|
|
@@ -809,4 +956,4 @@ declare const sso: (options?: SSOOptions) => {
|
|
|
809
956
|
};
|
|
810
957
|
|
|
811
958
|
export { sso };
|
|
812
|
-
export type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider };
|
|
959
|
+
export type { OIDCConfig, OIDCMapping, SAMLConfig, SAMLMapping, SSOOptions, SSOProvider };
|