@better-auth/sso 1.4.0-beta.11 → 1.4.0-beta.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
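--- a/src/index.d.ts
+++ b/src/index.d.ts
@@ -0,0 +1,688 @@
+import { OAuth2Tokens, User } from "better-auth";
+import * as z from "zod/v4";
+import * as better_call0 from "better-call";
+
+//#region src/index.d.ts
+interface OIDCMapping {
+id?: string;
+email?: string;
+emailVerified?: string;
+name?: string;
+image?: string;
+extraFields?: Record<string, string>;
+}
+interface SAMLMapping {
+id?: string;
+email?: string;
+emailVerified?: string;
+name?: string;
+firstName?: string;
+lastName?: string;
+extraFields?: Record<string, string>;
+}
+interface OIDCConfig {
+issuer: string;
+pkce: boolean;
+clientId: string;
+clientSecret: string;
+authorizationEndpoint?: string;
+discoveryEndpoint: string;
+userInfoEndpoint?: string;
+scopes?: string[];
+overrideUserInfo?: boolean;
+tokenEndpoint?: string;
+tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
+jwksEndpoint?: string;
+mapping?: OIDCMapping;
+}
+interface SAMLConfig {
+issuer: string;
+entryPoint: string;
+cert: string;
+callbackUrl: string;
+audience?: string;
+idpMetadata?: {
+metadata?: string;
+entityID?: string;
+entityURL?: string;
+redirectURL?: string;
+cert?: string;
+privateKey?: string;
+privateKeyPass?: string;
+isAssertionEncrypted?: boolean;
+encPrivateKey?: string;
+encPrivateKeyPass?: string;
+singleSignOnService?: Array<{
+Binding: string;
+Location: string;
+}>;
+};
+spMetadata: {
+metadata?: string;
+entityID?: string;
+binding?: string;
+privateKey?: string;
+privateKeyPass?: string;
+isAssertionEncrypted?: boolean;
+encPrivateKey?: string;
+encPrivateKeyPass?: string;
+};
+wantAssertionsSigned?: boolean;
+signatureAlgorithm?: string;
+digestAlgorithm?: string;
+identifierFormat?: string;
+privateKey?: string;
+decryptionPvk?: string;
+additionalParams?: Record<string, any>;
+mapping?: SAMLMapping;
+}
+interface SSOProvider {
+issuer: string;
+oidcConfig?: OIDCConfig;
+samlConfig?: SAMLConfig;
+userId: string;
+providerId: string;
+organizationId?: string;
+}
+interface SSOOptions {
+/**
+* custom function to provision a user when they sign in with an SSO provider.
+*/
+provisionUser?: (data: {
+/**
+* The user object from the database
+*/
+user: User & Record<string, any>;
+/**
+* The user info object from the provider
+*/
+userInfo: Record<string, any>;
+/**
+* The OAuth2 tokens from the provider
+*/
+token?: OAuth2Tokens;
+/**
+* The SSO provider
+*/
+provider: SSOProvider;
+}) => Promise<void>;
+/**
+* Organization provisioning options
+*/
+organizationProvisioning?: {
+disabled?: boolean;
+defaultRole?: "member" | "admin";
+getRole?: (data: {
+/**
+* The user object from the database
+*/
+user: User & Record<string, any>;
+/**
+* The user info object from the provider
+*/
+userInfo: Record<string, any>;
+/**
+* The OAuth2 tokens from the provider
+*/
+token?: OAuth2Tokens;
+/**
+* The SSO provider
+*/
+provider: SSOProvider;
+}) => Promise<"member" | "admin">;
+};
+/**
+* Default SSO provider configurations for testing.
+* These will take the precedence over the database providers.
+*/
+defaultSSO?: Array<{
+/**
+* The domain to match for this default provider.
+* This is only used to match incoming requests to this default provider.
+*/
+domain: string;
+/**
+* The provider ID to use
+*/
+providerId: string;
+/**
+* SAML configuration
+*/
+samlConfig?: SAMLConfig;
+/**
+* OIDC configuration
+*/
+oidcConfig?: OIDCConfig;
+}>;
+/**
+* Override user info with the provider info.
+* @default false
+*/
+defaultOverrideUserInfo?: boolean;
+/**
+* Disable implicit sign up for new users. When set to true for the provider,
+* sign-in need to be called with with requestSignUp as true to create new users.
+*/
+disableImplicitSignUp?: boolean;
+/**
+* Configure the maximum number of SSO providers a user can register.
+* You can also pass a function that returns a number.
+* Set to 0 to disable SSO provider registration.
+*
+* @example
+* ```ts
+* providersLimit: async (user) => {
+* const plan = await getUserPlan(user);
+* return plan.name === "pro" ? 10 : 1;
+* }
+* ```
+* @default 10
+*/
+providersLimit?: number | ((user: User) => Promise<number> | number);
+/**
+* Trust the email verified flag from the provider.
+* @default false
+*/
+trustEmailVerified?: boolean;
+}
+declare const sso: (options?: SSOOptions) => {
+id: "sso";
+endpoints: {
+spMetadata: better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+method: "GET";
+query: z.ZodObject<{
+providerId: z.ZodString;
+format: z.ZodDefault<z.ZodEnum<{
+json: "json";
+xml: "xml";
+}>>;
+}, z.core.$strip>;
+metadata: {
+openapi: {
+summary: string;
+description: string;
+responses: {
+"200": {
+description: string;
+};
+};
+};
+};
+} & {
+use: any[];
+}, Response>;
+registerSSOProvider: better_call0.StrictEndpoint<"/sso/register", {
+method: "POST";
+body: z.ZodObject<{
+providerId: z.ZodString;
+issuer: z.ZodString;
+domain: z.ZodString;
+oidcConfig: z.ZodOptional<z.ZodObject<{
+clientId: z.ZodString;
+clientSecret: z.ZodString;
+authorizationEndpoint: z.ZodOptional<z.ZodString>;
+tokenEndpoint: z.ZodOptional<z.ZodString>;
+userInfoEndpoint: z.ZodOptional<z.ZodString>;
+tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
+client_secret_post: "client_secret_post";
+client_secret_basic: "client_secret_basic";
+}>>;
+jwksEndpoint: z.ZodOptional<z.ZodString>;
+discoveryEndpoint: z.ZodOptional<z.ZodString>;
+scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+mapping: z.ZodOptional<z.ZodObject<{
+id: z.ZodString;
+email: z.ZodString;
+emailVerified: z.ZodOptional<z.ZodString>;
+name: z.ZodString;
+image: z.ZodOptional<z.ZodString>;
+extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+}, z.core.$strip>>;
+}, z.core.$strip>>;
+samlConfig: z.ZodOptional<z.ZodObject<{
+entryPoint: z.ZodString;
+cert: z.ZodString;
+callbackUrl: z.ZodString;
+audience: z.ZodOptional<z.ZodString>;
+idpMetadata: z.ZodOptional<z.ZodObject<{
+metadata: z.ZodOptional<z.ZodString>;
+entityID: z.ZodOptional<z.ZodString>;
+cert: z.ZodOptional<z.ZodString>;
+privateKey: z.ZodOptional<z.ZodString>;
+privateKeyPass: z.ZodOptional<z.ZodString>;
+isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+encPrivateKey: z.ZodOptional<z.ZodString>;
+encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
+Binding: z.ZodString;
+Location: z.ZodString;
+}, z.core.$strip>>>;
+}, z.core.$strip>>;
+spMetadata: z.ZodObject<{
+metadata: z.ZodOptional<z.ZodString>;
+entityID: z.ZodOptional<z.ZodString>;
+binding: z.ZodOptional<z.ZodString>;
+privateKey: z.ZodOptional<z.ZodString>;
+privateKeyPass: z.ZodOptional<z.ZodString>;
+isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+encPrivateKey: z.ZodOptional<z.ZodString>;
+encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
+signatureAlgorithm: z.ZodOptional<z.ZodString>;
+digestAlgorithm: z.ZodOptional<z.ZodString>;
+identifierFormat: z.ZodOptional<z.ZodString>;
+privateKey: z.ZodOptional<z.ZodString>;
+decryptionPvk: z.ZodOptional<z.ZodString>;
+additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+mapping: z.ZodOptional<z.ZodObject<{
+id: z.ZodString;
+email: z.ZodString;
+emailVerified: z.ZodOptional<z.ZodString>;
+name: z.ZodString;
+firstName: z.ZodOptional<z.ZodString>;
+lastName: z.ZodOptional<z.ZodString>;
+extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+}, z.core.$strip>>;
+}, z.core.$strip>>;
+organizationId: z.ZodOptional<z.ZodString>;
+overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+}, z.core.$strip>;
+use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+session: {
+session: Record<string, any> & {
+id: string;
+createdAt: Date;
+updatedAt: Date;
+userId: string;
+expiresAt: Date;
+token: string;
+ipAddress?: string | null | undefined;
+userAgent?: string | null | undefined;
+};
+user: Record<string, any> & {
+id: string;
+createdAt: Date;
+updatedAt: Date;
+email: string;
+emailVerified: boolean;
+name: string;
+image?: string | null | undefined;
+};
+};
+}>)[];
+metadata: {
+openapi: {
+summary: string;
+description: string;
+responses: {
+"200": {
+description: string;
+content: {
+"application/json": {
+schema: {
+type: "object";
+properties: {
+issuer: {
+type: string;
+format: string;
+description: string;
+};
+domain: {
+type: string;
+description: string;
+};
+oidcConfig: {
+type: string;
+properties: {
+issuer: {
+type: string;
+format: string;
+description: string;
+};
+pkce: {
+type: string;
+description: string;
+};
+clientId: {
+type: string;
+description: string;
+};
+clientSecret: {
+type: string;
+description: string;
+};
+authorizationEndpoint: {
+type: string;
+format: string;
+nullable: boolean;
+description: string;
+};
+discoveryEndpoint: {
+type: string;
+format: string;
+description: string;
+};
+userInfoEndpoint: {
+type: string;
+format: string;
+nullable: boolean;
+description: string;
+};
+scopes: {
+type: string;
+items: {
+type: string;
+};
+nullable: boolean;
+description: string;
+};
+tokenEndpoint: {
+type: string;
+format: string;
+nullable: boolean;
+description: string;
+};
+tokenEndpointAuthentication: {
+type: string;
+enum: string[];
+nullable: boolean;
+description: string;
+};
+jwksEndpoint: {
+type: string;
+format: string;
+nullable: boolean;
+description: string;
+};
+mapping: {
+type: string;
+nullable: boolean;
+properties: {
+id: {
+type: string;
+description: string;
+};
+email: {
+type: string;
+description: string;
+};
+emailVerified: {
+type: string;
+nullable: boolean;
+description: string;
+};
+name: {
+type: string;
+description: string;
+};
+image: {
+type: string;
+nullable: boolean;
+description: string;
+};
+extraFields: {
+type: string;
+additionalProperties: {
+type: string;
+};
+nullable: boolean;
+description: string;
+};
+};
+required: string[];
+};
+};
+required: string[];
+description: string;
+};
+organizationId: {
+type: string;
+nullable: boolean;
+description: string;
+};
+userId: {
+type: string;
+description: string;
+};
+providerId: {
+type: string;
+description: string;
+};
+redirectURI: {
+type: string;
+format: string;
+description: string;
+};
+};
+required: string[];
+};
+};
+};
+};
+};
+};
+};
+} & {
+use: any[];
+}, {
+oidcConfig: OIDCConfig;
+samlConfig: SAMLConfig;
+redirectURI: string;
+issuer: string;
+userId: string;
+providerId: string;
+organizationId?: string;
+}>;
+signInSSO: better_call0.StrictEndpoint<"/sign-in/sso", {
+method: "POST";
+body: z.ZodObject<{
+email: z.ZodOptional<z.ZodString>;
+organizationSlug: z.ZodOptional<z.ZodString>;
+providerId: z.ZodOptional<z.ZodString>;
+domain: z.ZodOptional<z.ZodString>;
+callbackURL: z.ZodString;
+errorCallbackURL: z.ZodOptional<z.ZodString>;
+newUserCallbackURL: z.ZodOptional<z.ZodString>;
+scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+loginHint: z.ZodOptional<z.ZodString>;
+requestSignUp: z.ZodOptional<z.ZodBoolean>;
+providerType: z.ZodOptional<z.ZodEnum<{
+oidc: "oidc";
+saml: "saml";
+}>>;
+}, z.core.$strip>;
+metadata: {
+openapi: {
+summary: string;
+description: string;
+requestBody: {
+content: {
+"application/json": {
+schema: {
+type: "object";
+properties: {
+email: {
+type: string;
+description: string;
+};
+issuer: {
+type: string;
+description: string;
+};
+providerId: {
+type: string;
+description: string;
+};
+callbackURL: {
+type: string;
+description: string;
+};
+errorCallbackURL: {
+type: string;
+description: string;
+};
+newUserCallbackURL: {
+type: string;
+description: string;
+};
+loginHint: {
+type: string;
+description: string;
+};
+};
+required: string[];
+};
+};
+};
+};
+responses: {
+"200": {
+description: string;
+content: {
+"application/json": {
+schema: {
+type: "object";
+properties: {
+url: {
+type: string;
+format: string;
+description: string;
+};
+redirect: {
+type: string;
+description: string;
+enum: boolean[];
+};
+};
+required: string[];
+};
+};
+};
+};
+};
+};
+};
+} & {
+use: any[];
+}, {
+url: string;
+redirect: boolean;
+}>;
+callbackSSO: better_call0.StrictEndpoint<"/sso/callback/:providerId", {
+method: "GET";
+query: z.ZodObject<{
+code: z.ZodOptional<z.ZodString>;
+state: z.ZodString;
+error: z.ZodOptional<z.ZodString>;
+error_description: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+metadata: {
+isAction: boolean;
+openapi: {
+summary: string;
+description: string;
+responses: {
+"302": {
+description: string;
+};
+};
+};
+};
+} & {
+use: any[];
+}, never>;
+callbackSSOSAML: better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+method: "POST";
+body: z.ZodObject<{
+SAMLResponse: z.ZodString;
+RelayState: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+metadata: {
+isAction: boolean;
+openapi: {
+summary: string;
+description: string;
+responses: {
+"302": {
+description: string;
+};
+"400": {
+description: string;
+};
+"401": {
+description: string;
+};
+};
+};
+};
+} & {
+use: any[];
+}, never>;
+acsEndpoint: better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+method: "POST";
+params: z.ZodObject<{
+providerId: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+body: z.ZodObject<{
+SAMLResponse: z.ZodString;
+RelayState: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+metadata: {
+isAction: boolean;
+openapi: {
+summary: string;
+description: string;
+responses: {
+"302": {
+description: string;
+};
+};
+};
+};
+} & {
+use: any[];
+}, never>;
+};
+schema: {
+ssoProvider: {
+fields: {
+issuer: {
+type: "string";
+required: true;
+};
+oidcConfig: {
+type: "string";
+required: false;
+};
+samlConfig: {
+type: "string";
+required: false;
+};
+userId: {
+type: "string";
+references: {
+model: string;
+field: string;
+};
+};
+providerId: {
+type: "string";
+required: true;
+unique: true;
+};
+organizationId: {
+type: "string";
+required: false;
+};
+domain: {
+type: "string";
+required: true;
+};
+};
+};
+};
+};
+//#endregion
+export { SSOOptions as a, SAMLMapping as i, OIDCMapping as n, SSOProvider as o, SAMLConfig as r, sso as s, OIDCConfig as t };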
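Review bot: `OIDCMapping` and `SAMLMapping` (file lines 6–22) declare every field optional with `extraFields?: Record<string, string>`, but the `registerSSOProvider` body schema at lines 234–241 and 279–287 requires `id`, `email` and `name` and types `extraFields` as `z.ZodRecord<z.ZodString, z.ZodAny>`, so the exported interface and the validated request shape disagree about the same mapping. The same drift shows on `OIDCConfig`, where `pkce: boolean` and `discoveryEndpoint: string` are required while the schema at lines 231–233 has both as `z.ZodOptional<...>`; if the handler fills in defaults, a one-line TSDoc on each of those interface fields saying so would make the contract explicit. Since this `.d.ts` looks like bundler output (`//#region src/index.d.ts`, the `better_call0` alias), the alignment belongs in the source declarations, presumably by deriving the interfaces from the zod schemas with `z.infer` rather than maintaining both by hand. On `defaultSSO`, the doc says the entries are for testing and take precedence over database providers; I would extend it with `* Intended for tests and local development: a default provider whose domain matches a request shadows any provider registered in the database.` so the precedence is not overlooked in production configuration.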