npm - @better-auth/sso - Versions diffs - 1.3.15 → 1.3.17 - Mend

@better-auth/sso 1.3.15 → 1.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,17 +1,17 @@
-> @better-auth/sso@1.3.15 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.3.17 build /home/runner/work/better-auth/better-auth/packages/sso
 > unbuild
 [info] Automatically detected entries: src/index, src/client [esm] [cjs] [dts]
 [info] Building sso
 [success] Build succeeded for sso
-[log]   dist/index.cjs (total size: 64.5 kB, chunk size: 64.5 kB, exports: sso)
+[log]   dist/index.cjs (total size: 65.4 kB, chunk size: 65.4 kB, exports: sso)
 [log]   dist/client.cjs (total size: 141 B, chunk size: 141 B, exports: ssoClient)
-[log]   dist/index.mjs (total size: 62.9 kB, chunk size: 62.9 kB, exports: sso)
+[log]   dist/index.mjs (total size: 63.7 kB, chunk size: 63.7 kB, exports: sso)
 [log]   dist/client.mjs (total size: 117 B, chunk size: 117 B, exports: ssoClient)
-Σ Total dist size (byte size): 255 kB
+Σ Total dist size (byte size): 256 kB
 [log]

package/dist/index.cjs CHANGED Viewed

@@ -76,8 +76,18 @@ const sso = (options) => {
             });
           }
           const parsedSamlConfig = JSON.parse(provider.samlConfig);
-          const sp = saml__namespace.ServiceProvider({
+          const sp = parsedSamlConfig.spMetadata.metadata ? saml__namespace.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
+          }) : saml__namespace.SPMetadata({
+            entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+            assertionConsumerService: [
+              {
+                Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
+              }
+            ],
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           return new Response(sp.getMetadata(), {
             headers: {
@@ -647,10 +657,10 @@ const sso = (options) => {
               allowCreate: true
             });
             const idp = saml__namespace.IdentityProvider({
-              metadata: parsedSamlConfig.idpMetadata.metadata,
-              entityID: parsedSamlConfig.idpMetadata.entityID,
-              encryptCert: parsedSamlConfig.idpMetadata.cert,
-              singleSignOnService: parsedSamlConfig.idpMetadata.singleSignOnService
+              metadata: parsedSamlConfig.idpMetadata?.metadata,
+              entityID: parsedSamlConfig.idpMetadata?.entityID,
+              encryptCert: parsedSamlConfig.idpMetadata?.cert,
+              singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
             });
             const loginRequest = sp.createLoginRequest(
               idp,
@@ -1039,7 +1049,8 @@ const sso = (options) => {
             isAssertionEncrypted: spData?.isAssertionEncrypted || false,
             encPrivateKey: spData?.encPrivateKey,
             encPrivateKeyPass: spData?.encPrivateKeyPass,
-            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           let parsedResponse;
           try {
@@ -1273,13 +1284,14 @@ const sso = (options) => {
             assertionConsumerService: [
               {
                 Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs`
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`
               }
             ],
             wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
             metadata: parsedSamlConfig.spMetadata?.metadata,
             privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           const idpData = parsedSamlConfig.idpMetadata;
           const idp = !idpData?.metadata ? saml__namespace.IdentityProvider({

package/dist/index.mjs CHANGED Viewed

@@ -59,8 +59,18 @@ const sso = (options) => {
             });
           }
           const parsedSamlConfig = JSON.parse(provider.samlConfig);
-          const sp = saml.ServiceProvider({
+          const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
+          }) : saml.SPMetadata({
+            entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+            assertionConsumerService: [
+              {
+                Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
+              }
+            ],
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           return new Response(sp.getMetadata(), {
             headers: {
@@ -630,10 +640,10 @@ const sso = (options) => {
               allowCreate: true
             });
             const idp = saml.IdentityProvider({
-              metadata: parsedSamlConfig.idpMetadata.metadata,
-              entityID: parsedSamlConfig.idpMetadata.entityID,
-              encryptCert: parsedSamlConfig.idpMetadata.cert,
-              singleSignOnService: parsedSamlConfig.idpMetadata.singleSignOnService
+              metadata: parsedSamlConfig.idpMetadata?.metadata,
+              entityID: parsedSamlConfig.idpMetadata?.entityID,
+              encryptCert: parsedSamlConfig.idpMetadata?.cert,
+              singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
             });
             const loginRequest = sp.createLoginRequest(
               idp,
@@ -1022,7 +1032,8 @@ const sso = (options) => {
             isAssertionEncrypted: spData?.isAssertionEncrypted || false,
             encPrivateKey: spData?.encPrivateKey,
             encPrivateKeyPass: spData?.encPrivateKeyPass,
-            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           let parsedResponse;
           try {
@@ -1256,13 +1267,14 @@ const sso = (options) => {
             assertionConsumerService: [
               {
                 Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs`
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`
               }
             ],
             wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
             metadata: parsedSamlConfig.spMetadata?.metadata,
             privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           const idpData = parsedSamlConfig.idpMetadata;
           const idp = !idpData?.metadata ? saml.IdentityProvider({

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.3.15",
+  "version": "1.3.17",
   "main": "dist/index.cjs",
   "license": "MIT",
   "keywords": [
@@ -58,10 +58,10 @@
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
     "unbuild": "3.6.1",
-    "better-auth": "^1.3.15"
+    "better-auth": "^1.3.17"
   },
   "peerDependencies": {
-    "better-auth": "1.3.15"
+    "better-auth": "1.3.17"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts CHANGED Viewed

@@ -252,6 +252,7 @@ export const sso = (options?: SSOOptions) => {
 				},
 				async (ctx) => {
 					const provider = await ctx.context.adapter.findOne<{
+						id: string;
 						samlConfig: string;
 					}>({
 						model: "ssoProvider",
@@ -268,10 +269,29 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
-					const parsedSamlConfig = JSON.parse(provider.samlConfig);
-					const sp = saml.ServiceProvider({
-						metadata: parsedSamlConfig.spMetadata.metadata,
-					});
+					const parsedSamlConfig: SAMLConfig = JSON.parse(provider.samlConfig);
+					const sp = parsedSamlConfig.spMetadata.metadata
+						? saml.ServiceProvider({
+								metadata: parsedSamlConfig.spMetadata.metadata,
+							})
+						: saml.SPMetadata({
+								entityID:
+									parsedSamlConfig.spMetadata?.entityID ||
+									parsedSamlConfig.issuer,
+								assertionConsumerService: [
+									{
+										Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+										Location:
+											parsedSamlConfig.callbackUrl ||
+											`${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`,
+									},
+								],
+								wantMessageSigned:
+									parsedSamlConfig.wantAssertionsSigned || false,
+								nameIDFormat: parsedSamlConfig.identifierFormat
+									? [parsedSamlConfig.identifierFormat]
+									: undefined,
+							});
 					return new Response(sp.getMetadata(), {
 						headers: {
 							"Content-Type": "application/xml",
@@ -1004,7 +1024,7 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig =
+						const parsedSamlConfig: SAMLConfig =
 							typeof provider.samlConfig === "object"
 								? provider.samlConfig
 								: JSON.parse(provider.samlConfig as unknown as string);
@@ -1014,11 +1034,11 @@ export const sso = (options?: SSOOptions) => {
 						});
 						const idp = saml.IdentityProvider({
-							metadata: parsedSamlConfig.idpMetadata.metadata,
-							entityID: parsedSamlConfig.idpMetadata.entityID,
-							encryptCert: parsedSamlConfig.idpMetadata.cert,
+							metadata: parsedSamlConfig.idpMetadata?.metadata,
+							entityID: parsedSamlConfig.idpMetadata?.entityID,
+							encryptCert: parsedSamlConfig.idpMetadata?.cert,
 							singleSignOnService:
-								parsedSamlConfig.idpMetadata.singleSignOnService,
+								parsedSamlConfig.idpMetadata?.singleSignOnService,
 						});
 						const loginRequest = sp.createLoginRequest(
 							idp,
@@ -1507,6 +1527,9 @@ export const sso = (options?: SSOOptions) => {
 						encPrivateKey: spData?.encPrivateKey,
 						encPrivateKeyPass: spData?.encPrivateKeyPass,
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+						nameIDFormat: parsedSamlConfig.identifierFormat
+							? [parsedSamlConfig.identifierFormat]
+							: undefined,
 					});
 					let parsedResponse: FlowResult;
@@ -1794,7 +1817,7 @@ export const sso = (options?: SSOOptions) => {
 								Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 								Location:
 									parsedSamlConfig.callbackUrl ||
-									`${ctx.context.baseURL}/sso/saml2/sp/acs`,
+									`${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`,
 							},
 						],
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
@@ -1803,6 +1826,9 @@ export const sso = (options?: SSOOptions) => {
 							parsedSamlConfig.spMetadata?.privateKey ||
 							parsedSamlConfig.privateKey,
 						privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+						nameIDFormat: parsedSamlConfig.identifierFormat
+							? [parsedSamlConfig.identifierFormat]
+							: undefined,
 					});
 					// Update where we construct the IdP

package/src/saml.test.ts CHANGED Viewed

@@ -242,7 +242,7 @@ const certificate = `
     yyoWAJDUHiAmvFA=
     -----END CERTIFICATE-----
     `;
-const idpEncyptionKey = `
+const idpEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -274,7 +274,7 @@ const idpEncyptionKey = `
     ISbutnQPUN5fsaIsgKDIV3T7n6519t6brobcW5bdigmf5ebFeZJ16/lYy6V77UM5
     -----END RSA PRIVATE KEY-----
     `;
-const spEncyptionKey = `
+const spEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -698,7 +698,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -707,7 +707,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -754,7 +754,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -763,7 +763,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -782,6 +782,69 @@ describe("SAML SSO", async () => {
 		expect(spMetadataRes.status).toBe(200);
 		expect(spMetadataResResValue).toBe(spMetadata);
 	});
+	it("Should fetch sp metadata", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+		const issuer = "http://localhost:8081";
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-provider-1",
+				issuer: issuer,
+				domain: issuer,
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: `${issuer}/api/sso/saml2/sp/acs`,
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+						privateKey: idpPrivateKey,
+						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
+						isAssertionEncrypted: true,
+						encPrivateKey: idpEncryptionKey,
+						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
+					},
+					spMetadata: {
+						binding: "post",
+						privateKey: spPrivateKey,
+						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
+						isAssertionEncrypted: true,
+						encPrivateKey: spEncryptionKey,
+						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+		const spMetadataRes = await auth.api.spMetadata({
+			query: {
+				providerId: provider.providerId,
+			},
+		});
+		const spMetadataResResValue = await spMetadataRes.text();
+		expect(spMetadataRes.status).toBe(200);
+		expect(spMetadataResResValue).toBeDefined();
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+		);
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+		);
+		expect(spMetadataResResValue).toContain(
+			`<EntityDescriptor entityID="${issuer}"`,
+		);
+		expect(spMetadataResResValue).toContain(
+			`Location="${issuer}/api/sso/saml2/sp/acs"`,
+		);
+	});
 	it("should initiate SAML login and handle response", async () => {
 		const headers = await getAuthHeaders();
 		const res = await authClient.signIn.email(testUser, {
@@ -805,7 +868,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -814,7 +877,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat: