@better-auth/sso 1.3.24 → 1.3.26

package/.turbo/turbo-build.log

@@ -1,17 +1,17 @@
 
-> @better-auth/sso@1.3.24 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.3.26 build /home/runner/work/better-auth/better-auth/packages/sso
 > unbuild
 
 [info] Automatically detected entries: src/index, src/client [esm] [cjs] [dts]
 [info] Building sso
 [success] Build succeeded for sso
-[log]   dist/index.cjs (total size: 67.2 kB, chunk size: 67.2 kB, exports: sso)
+[log]   dist/index.cjs (total size: 69 kB, chunk size: 69 kB, exports: sso)
 
 [log]   dist/client.cjs (total size: 141 B, chunk size: 141 B, exports: ssoClient)
 
-[log]   dist/index.mjs (total size: 65.5 kB, chunk size: 65.5 kB, exports: sso)
+[log]   dist/index.mjs (total size: 67.3 kB, chunk size: 67.3 kB, exports: sso)
 
 [log]   dist/client.mjs (total size: 117 B, chunk size: 117 B, exports: ssoClient)
 
-Σ Total dist size (byte size): 260 kB
+Σ Total dist size (byte size): 263 kB
 [log]

package/dist/index.cjs

@@ -36,6 +36,22 @@ const fastValidator = {
   }
 };
 saml__namespace.setSchemaValidator(fastValidator);
+function safeJsonParse(value) {
+  if (!value) return null;
+  if (typeof value === "object") {
+    return value;
+  }
+  if (typeof value === "string") {
+    try {
+      return JSON.parse(value);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  return null;
+}
 const sso = (options) => {
   return {
     id: "sso",
@@ -75,7 +91,14 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(provider.samlConfig);
+          const parsedSamlConfig = safeJsonParse(
+            provider.samlConfig
+          );
+          if (!parsedSamlConfig) {
+            throw new api.APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const sp = parsedSamlConfig.spMetadata.metadata ? saml__namespace.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
           }) : saml__namespace.SPMetadata({
@@ -448,6 +471,23 @@ const sso = (options) => {
               });
             }
           }
+          const existingProvider = await ctx.context.adapter.findOne({
+            model: "ssoProvider",
+            where: [
+              {
+                field: "providerId",
+                value: body.providerId
+              }
+            ]
+          });
+          if (existingProvider) {
+            ctx.context.logger.info(
+              `SSO provider creation attempt with existing providerId: ${body.providerId}`
+            );
+            throw new api.APIError("UNPROCESSABLE_ENTITY", {
+              message: "SSO provider with this providerId already exists"
+            });
+          }
           const provider = await ctx.context.adapter.create({
             model: "ssoProvider",
             data: {
@@ -667,8 +707,12 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: res.oidcConfig ? JSON.parse(res.oidcConfig) : void 0,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                oidcConfig: res.oidcConfig ? safeJsonParse(
+                  res.oidcConfig
+                ) || void 0 : void 0,
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -715,7 +759,14 @@ const sso = (options) => {
             });
           }
           if (provider.samlConfig) {
-            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : JSON.parse(provider.samlConfig);
+            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(
+              provider.samlConfig
+            );
+            if (!parsedSamlConfig) {
+              throw new api.APIError("BAD_REQUEST", {
+                message: "Invalid SAML configuration"
+              });
+            }
             const sp = saml__namespace.ServiceProvider({
               metadata: parsedSamlConfig.spMetadata.metadata,
               allowCreate: true
@@ -811,7 +862,7 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: JSON.parse(res.oidcConfig)
+                oidcConfig: safeJsonParse(res.oidcConfig) || void 0
               };
             });
           }
@@ -1059,7 +1110,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -1068,25 +1121,30 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(
+          const parsedSamlConfig = safeJsonParse(
             provider.samlConfig
           );
+          if (!parsedSamlConfig) {
+            throw new api.APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const idpData = parsedSamlConfig.idpMetadata;
           let idp = null;
           if (!idpData?.metadata) {
             idp = saml__namespace.IdentityProvider({
-              entityID: idpData.entityID || parsedSamlConfig.issuer,
+              entityID: idpData?.entityID || parsedSamlConfig.issuer,
               singleSignOnService: [
                 {
                   Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                   Location: parsedSamlConfig.entryPoint
                 }
               ],
-              signingCert: idpData.cert || parsedSamlConfig.cert,
+              signingCert: idpData?.cert || parsedSamlConfig.cert,
               wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
-              isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-              encPrivateKey: idpData.encPrivateKey,
-              encPrivateKeyPass: idpData.encPrivateKeyPass
+              isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+              encPrivateKey: idpData?.encPrivateKey,
+              encPrivateKeyPass: idpData?.encPrivateKeyPass
             });
           } else {
             idp = saml__namespace.IdentityProvider({
@@ -1333,7 +1391,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }

package/dist/index.mjs

@@ -19,6 +19,22 @@ const fastValidator = {
   }
 };
 saml.setSchemaValidator(fastValidator);
+function safeJsonParse(value) {
+  if (!value) return null;
+  if (typeof value === "object") {
+    return value;
+  }
+  if (typeof value === "string") {
+    try {
+      return JSON.parse(value);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  return null;
+}
 const sso = (options) => {
   return {
     id: "sso",
@@ -58,7 +74,14 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(provider.samlConfig);
+          const parsedSamlConfig = safeJsonParse(
+            provider.samlConfig
+          );
+          if (!parsedSamlConfig) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
           }) : saml.SPMetadata({
@@ -431,6 +454,23 @@ const sso = (options) => {
               });
             }
           }
+          const existingProvider = await ctx.context.adapter.findOne({
+            model: "ssoProvider",
+            where: [
+              {
+                field: "providerId",
+                value: body.providerId
+              }
+            ]
+          });
+          if (existingProvider) {
+            ctx.context.logger.info(
+              `SSO provider creation attempt with existing providerId: ${body.providerId}`
+            );
+            throw new APIError("UNPROCESSABLE_ENTITY", {
+              message: "SSO provider with this providerId already exists"
+            });
+          }
           const provider = await ctx.context.adapter.create({
             model: "ssoProvider",
             data: {
@@ -650,8 +690,12 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: res.oidcConfig ? JSON.parse(res.oidcConfig) : void 0,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                oidcConfig: res.oidcConfig ? safeJsonParse(
+                  res.oidcConfig
+                ) || void 0 : void 0,
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -698,7 +742,14 @@ const sso = (options) => {
             });
           }
           if (provider.samlConfig) {
-            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : JSON.parse(provider.samlConfig);
+            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(
+              provider.samlConfig
+            );
+            if (!parsedSamlConfig) {
+              throw new APIError("BAD_REQUEST", {
+                message: "Invalid SAML configuration"
+              });
+            }
             const sp = saml.ServiceProvider({
               metadata: parsedSamlConfig.spMetadata.metadata,
               allowCreate: true
@@ -794,7 +845,7 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: JSON.parse(res.oidcConfig)
+                oidcConfig: safeJsonParse(res.oidcConfig) || void 0
               };
             });
           }
@@ -1042,7 +1093,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -1051,25 +1104,30 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(
+          const parsedSamlConfig = safeJsonParse(
             provider.samlConfig
           );
+          if (!parsedSamlConfig) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const idpData = parsedSamlConfig.idpMetadata;
           let idp = null;
           if (!idpData?.metadata) {
             idp = saml.IdentityProvider({
-              entityID: idpData.entityID || parsedSamlConfig.issuer,
+              entityID: idpData?.entityID || parsedSamlConfig.issuer,
               singleSignOnService: [
                 {
                   Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                   Location: parsedSamlConfig.entryPoint
                 }
               ],
-              signingCert: idpData.cert || parsedSamlConfig.cert,
+              signingCert: idpData?.cert || parsedSamlConfig.cert,
               wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
-              isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-              encPrivateKey: idpData.encPrivateKey,
-              encPrivateKeyPass: idpData.encPrivateKeyPass
+              isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+              encPrivateKey: idpData?.encPrivateKey,
+              encPrivateKeyPass: idpData?.encPrivateKeyPass
             });
           } else {
             idp = saml.IdentityProvider({
@@ -1316,7 +1374,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.3.24",
+  "version": "1.3.26",
   "main": "dist/index.cjs",
   "license": "MIT",
   "keywords": [
@@ -58,10 +58,10 @@
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
     "unbuild": "3.6.1",
-    "better-auth": "^1.3.24"
+    "better-auth": "^1.3.26"
   },
   "peerDependencies": {
-    "better-auth": "1.3.24"
+    "better-auth": "1.3.26"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -38,6 +38,34 @@ const fastValidator = {
 
 saml.setSchemaValidator(fastValidator);
 
+/**
+ * Safely parses a value that might be a JSON string or already a parsed object
+ * This handles cases where ORMs like Drizzle might return already parsed objects
+ * instead of JSON strings from TEXT/JSON columns
+ */
+function safeJsonParse<T>(value: string | T | null | undefined): T | null {
+	if (!value) return null;
+
+	// If it's already an object (not a string), return it as-is
+	if (typeof value === "object") {
+		return value as T;
+	}
+
+	// If it's a string, try to parse it
+	if (typeof value === "string") {
+		try {
+			return JSON.parse(value) as T;
+		} catch (error) {
+			// If parsing fails, this might indicate the string is not valid JSON
+			throw new Error(
+				`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+
+	return null;
+}
+
 export interface OIDCMapping {
 	id?: string;
 	email?: string;
@@ -269,7 +297,14 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 
-					const parsedSamlConfig: SAMLConfig = JSON.parse(provider.samlConfig);
+					const parsedSamlConfig = safeJsonParse<SAMLConfig>(
+						provider.samlConfig,
+					);
+					if (!parsedSamlConfig) {
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML configuration",
+						});
+					}
 					const sp = parsedSamlConfig.spMetadata.metadata
 						? saml.ServiceProvider({
 								metadata: parsedSamlConfig.spMetadata.metadata,
@@ -745,6 +780,26 @@ export const sso = (options?: SSOOptions) => {
 							});
 						}
 					}
+
+					const existingProvider = await ctx.context.adapter.findOne({
+						model: "ssoProvider",
+						where: [
+							{
+								field: "providerId",
+								value: body.providerId,
+							},
+						],
+					});
+
+					if (existingProvider) {
+						ctx.context.logger.info(
+							`SSO provider creation attempt with existing providerId: ${body.providerId}`,
+						);
+						throw new APIError("UNPROCESSABLE_ENTITY", {
+							message: "SSO provider with this providerId already exists",
+						});
+					}
+
 					const provider = await ctx.context.adapter.create<
 						Record<string, any>,
 						SSOProvider
@@ -1040,10 +1095,14 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									oidcConfig: res.oidcConfig
-										? JSON.parse(res.oidcConfig as unknown as string)
+										? safeJsonParse<OIDCConfig>(
+												res.oidcConfig as unknown as string,
+											) || undefined
 										: undefined,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});
@@ -1094,10 +1153,17 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig: SAMLConfig =
+						const parsedSamlConfig =
 							typeof provider.samlConfig === "object"
 								? provider.samlConfig
-								: JSON.parse(provider.samlConfig as unknown as string);
+								: safeJsonParse<SAMLConfig>(
+										provider.samlConfig as unknown as string,
+									);
+						if (!parsedSamlConfig) {
+							throw new APIError("BAD_REQUEST", {
+								message: "Invalid SAML configuration",
+							});
+						}
 						const sp = saml.ServiceProvider({
 							metadata: parsedSamlConfig.spMetadata.metadata,
 							allowCreate: true,
@@ -1206,7 +1272,8 @@ export const sso = (options?: SSOOptions) => {
 								}
 								return {
 									...res,
-									oidcConfig: JSON.parse(res.oidcConfig),
+									oidcConfig:
+										safeJsonParse<OIDCConfig>(res.oidcConfig) || undefined,
 								} as SSOProvider;
 							});
 					}
@@ -1533,7 +1600,9 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});
@@ -1544,28 +1613,33 @@ export const sso = (options?: SSOOptions) => {
 							message: "No provider found for the given providerId",
 						});
 					}
-					const parsedSamlConfig = JSON.parse(
+					const parsedSamlConfig = safeJsonParse<SAMLConfig>(
 						provider.samlConfig as unknown as string,
 					);
+					if (!parsedSamlConfig) {
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML configuration",
+						});
+					}
 					const idpData = parsedSamlConfig.idpMetadata;
 					let idp: IdentityProvider | null = null;
 
 					// Construct IDP with fallback to manual configuration
 					if (!idpData?.metadata) {
 						idp = saml.IdentityProvider({
-							entityID: idpData.entityID || parsedSamlConfig.issuer,
+							entityID: idpData?.entityID || parsedSamlConfig.issuer,
 							singleSignOnService: [
 								{
 									Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 									Location: parsedSamlConfig.entryPoint,
 								},
 							],
-							signingCert: idpData.cert || parsedSamlConfig.cert,
+							signingCert: idpData?.cert || parsedSamlConfig.cert,
 							wantAuthnRequestsSigned:
 								parsedSamlConfig.wantAssertionsSigned || false,
-							isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-							encPrivateKey: idpData.encPrivateKey,
-							encPrivateKeyPass: idpData.encPrivateKeyPass,
+							isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+							encPrivateKey: idpData?.encPrivateKey,
+							encPrivateKeyPass: idpData?.encPrivateKeyPass,
 						});
 					} else {
 						idp = saml.IdentityProvider({
@@ -1865,7 +1939,9 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});

package/src/oidc.test.ts

@@ -157,6 +157,43 @@ describe("SSO", async () => {
 		}
 	});
 
+	it("should not allow creating a provider with duplicate providerId", async () => {
+		const { headers } = await signInWithTestUser();
+
+		await auth.api.registerSSOProvider({
+			body: {
+				issuer: server.issuer.url!,
+				domain: "duplicate.com",
+				providerId: "duplicate-oidc-provider",
+				oidcConfig: {
+					clientId: "test",
+					clientSecret: "test",
+				},
+			},
+			headers,
+		});
+
+		await expect(
+			auth.api.registerSSOProvider({
+				body: {
+					issuer: server.issuer.url!,
+					domain: "another-duplicate.com",
+					providerId: "duplicate-oidc-provider",
+					oidcConfig: {
+						clientId: "test2",
+						clientSecret: "test2",
+					},
+				},
+				headers,
+			}),
+		).rejects.toMatchObject({
+			status: "UNPROCESSABLE_ENTITY",
+			body: {
+				message: "SSO provider with this providerId already exists",
+			},
+		});
+	});
+
 	it("should sign in with SSO provider with email matching", async () => {
 		const headers = new Headers();
 		const res = await authClient.signIn.sso({

package/src/saml.test.ts

@@ -1069,4 +1069,53 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should not allow creating a provider with duplicate providerId", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "duplicate-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+					spMetadata: {
+						metadata: spMetadata,
+					},
+				},
+			},
+			headers,
+		});
+
+		await expect(
+			auth.api.registerSSOProvider({
+				body: {
+					providerId: "duplicate-provider",
+					issuer: "http://localhost:8082",
+					domain: "http://localhost:8082",
+					samlConfig: {
+						entryPoint: mockIdP.metadataUrl,
+						cert: certificate,
+						callbackUrl: "http://localhost:8082/api/sso/saml2/callback",
+						spMetadata: {
+							metadata: spMetadata,
+						},
+					},
+				},
+				headers,
+			}),
+		).rejects.toMatchObject({
+			status: "UNPROCESSABLE_ENTITY",
+			body: {
+				message: "SSO provider with this providerId already exists",
+			},
+		});
+	});
 });