npm - @better-auth/sso - Versions diffs - 1.4.0-beta.14 → 1.4.0-beta.16 - Mend

@better-auth/sso 1.4.0-beta.14 → 1.4.0-beta.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.turbo/turbo-build.log +10 -18
package/dist/client.d.ts +1 -1
package/dist/client.js +1 -1
package/dist/{index-CL9gq2xe.d.ts → index-U95aRHHN.d.ts} +58 -52
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/{src-BEPbgggK.js → src-BrnaMP1W.js} +1 -1
package/package.json +8 -10
package/src/index.ts +140 -122
package/tsdown.config.ts +1 -1
package/dist/client.cjs +0 -12
package/dist/client.d.cts +0 -9
package/dist/index-N2GvRGik.d.cts +0 -688
package/dist/index.cjs +0 -3
package/dist/index.d.cts +0 -2
package/dist/src-BsLnNXTo.cjs +0 -1256

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,25 +1,17 @@
-> @better-auth/sso@1.4.0-beta.14 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.16 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
-[34mℹ[39m tsdown [2mv0.15.10[22m powered by rolldown [2mv1.0.0-beta.44[22m
+[34mℹ[39m tsdown [2mv0.15.11[22m powered by rolldown [2mv1.0.0-beta.45[22m
 [34mℹ[39m Using tsdown config: [4m/home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts[24m
 [34mℹ[39m entry: [34msrc/client.ts, src/index.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [33m[CJS][39m [2mdist/[22m[1mclient.cjs[22m        [2m 0.19 kB[22m [2m│ gzip: 0.16 kB[22m
-[34mℹ[39m [33m[CJS][39m [2mdist/[22m[1mindex.cjs[22m         [2m 0.08 kB[22m [2m│ gzip: 0.08 kB[22m
-[34mℹ[39m [33m[CJS][39m [2mdist/[22msrc-BsLnNXTo.cjs  [2m52.34 kB[22m [2m│ gzip: 9.21 kB[22m
-[34mℹ[39m [33m[CJS][39m 3 files, total: 52.61 kB
-[34mℹ[39m [34m[ESM][39m [2mdist/[22m[1mclient.js[22m            [2m 0.18 kB[22m [2m│ gzip: 0.16 kB[22m
-[34mℹ[39m [34m[ESM][39m [2mdist/[22m[1mindex.js[22m             [2m 0.06 kB[22m [2m│ gzip: 0.07 kB[22m
-[34mℹ[39m [34m[ESM][39m [2mdist/[22msrc-BEPbgggK.js      [2m49.59 kB[22m [2m│ gzip: 8.54 kB[22m
-[34mℹ[39m [34m[ESM][39m [2mdist/[22m[32m[1mindex.d.ts[22m[39m           [2m 0.24 kB[22m [2m│ gzip: 0.16 kB[22m
-[34mℹ[39m [34m[ESM][39m [2mdist/[22m[32m[1mclient.d.ts[22m[39m          [2m 0.21 kB[22m [2m│ gzip: 0.18 kB[22m
-[34mℹ[39m [34m[ESM][39m [2mdist/[22m[32mindex-CL9gq2xe.d.ts[39m  [2m21.42 kB[22m [2m│ gzip: 3.10 kB[22m
-[34mℹ[39m [34m[ESM][39m 6 files, total: 71.70 kB
-[34mℹ[39m [33m[CJS][39m [2mdist/[22m[32m[1mindex.d.cts[22m[39m           [2m 0.24 kB[22m [2m│ gzip: 0.16 kB[22m
-[34mℹ[39m [33m[CJS][39m [2mdist/[22m[32m[1mclient.d.cts[22m[39m          [2m 0.21 kB[22m [2m│ gzip: 0.18 kB[22m
-[34mℹ[39m [33m[CJS][39m [2mdist/[22m[32mindex-N2GvRGik.d.cts[39m  [2m21.42 kB[22m [2m│ gzip: 3.10 kB[22m
-[34mℹ[39m [33m[CJS][39m 3 files, total: 21.88 kB
-[32m✔[39m Build complete in [32m8609ms[39m
+[34mℹ[39m [2mdist/[22m[1mclient.js[22m            [2m 0.18 kB[22m [2m│ gzip: 0.16 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.js[22m             [2m 0.06 kB[22m [2m│ gzip: 0.07 kB[22m
+[34mℹ[39m [2mdist/[22msrc-BrnaMP1W.js      [2m49.60 kB[22m [2m│ gzip: 8.54 kB[22m
+[34mℹ[39m [2mdist/[22m[32m[1mindex.d.ts[22m[39m           [2m 0.24 kB[22m [2m│ gzip: 0.16 kB[22m
+[34mℹ[39m [2mdist/[22m[32m[1mclient.d.ts[22m[39m          [2m 0.21 kB[22m [2m│ gzip: 0.18 kB[22m
+[34mℹ[39m [2mdist/[22m[32mindex-U95aRHHN.d.ts[39m  [2m22.51 kB[22m [2m│ gzip: 3.39 kB[22m
+[34mℹ[39m 6 files, total: 72.81 kB
+[32m✔[39m Build complete in [32m11363ms[39m

package/dist/client.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { s as sso } from "./index-CL9gq2xe.js";
+import { s as sso } from "./index-U95aRHHN.js";
 //#region src/client.d.ts
 declare const ssoClient: () => {

package/dist/client.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import "./src-BEPbgggK.js";
+import "./src-BrnaMP1W.js";
 //#region src/client.ts
 const ssoClient = () => {

package/dist/{index-CL9gq2xe.d.ts → index-U95aRHHN.d.ts} RENAMED Viewed

@@ -4,43 +4,43 @@ import * as better_call0 from "better-call";
 //#region src/index.d.ts
 interface OIDCMapping {
-  id?: string;
-  email?: string;
-  emailVerified?: string;
-  name?: string;
-  image?: string;
-  extraFields?: Record<string, string>;
+  id?: string | undefined;
+  email?: string | undefined;
+  emailVerified?: string | undefined;
+  name?: string | undefined;
+  image?: string | undefined;
+  extraFields?: Record<string, string> | undefined;
 }
 interface SAMLMapping {
-  id?: string;
-  email?: string;
-  emailVerified?: string;
-  name?: string;
-  firstName?: string;
-  lastName?: string;
-  extraFields?: Record<string, string>;
+  id?: string | undefined;
+  email?: string | undefined;
+  emailVerified?: string | undefined;
+  name?: string | undefined;
+  firstName?: string | undefined;
+  lastName?: string | undefined;
+  extraFields?: Record<string, string> | undefined;
 }
 interface OIDCConfig {
   issuer: string;
   pkce: boolean;
   clientId: string;
   clientSecret: string;
-  authorizationEndpoint?: string;
+  authorizationEndpoint?: string | undefined;
   discoveryEndpoint: string;
-  userInfoEndpoint?: string;
-  scopes?: string[];
-  overrideUserInfo?: boolean;
-  tokenEndpoint?: string;
-  tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
-  jwksEndpoint?: string;
-  mapping?: OIDCMapping;
+  userInfoEndpoint?: string | undefined;
+  scopes?: string[] | undefined;
+  overrideUserInfo?: boolean | undefined;
+  tokenEndpoint?: string | undefined;
+  tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
+  jwksEndpoint?: string | undefined;
+  mapping?: OIDCMapping | undefined;
 }
 interface SAMLConfig {
   issuer: string;
   entryPoint: string;
   cert: string;
   callbackUrl: string;
-  audience?: string;
+  audience?: string | undefined;
   idpMetadata?: {
     metadata?: string;
     entityID?: string;
@@ -56,39 +56,39 @@ interface SAMLConfig {
       Binding: string;
       Location: string;
     }>;
-  };
+  } | undefined;
   spMetadata: {
-    metadata?: string;
-    entityID?: string;
-    binding?: string;
-    privateKey?: string;
-    privateKeyPass?: string;
-    isAssertionEncrypted?: boolean;
-    encPrivateKey?: string;
-    encPrivateKeyPass?: string;
+    metadata?: string | undefined;
+    entityID?: string | undefined;
+    binding?: string | undefined;
+    privateKey?: string | undefined;
+    privateKeyPass?: string | undefined;
+    isAssertionEncrypted?: boolean | undefined;
+    encPrivateKey?: string | undefined;
+    encPrivateKeyPass?: string | undefined;
   };
-  wantAssertionsSigned?: boolean;
-  signatureAlgorithm?: string;
-  digestAlgorithm?: string;
-  identifierFormat?: string;
-  privateKey?: string;
-  decryptionPvk?: string;
-  additionalParams?: Record<string, any>;
-  mapping?: SAMLMapping;
+  wantAssertionsSigned?: boolean | undefined;
+  signatureAlgorithm?: string | undefined;
+  digestAlgorithm?: string | undefined;
+  identifierFormat?: string | undefined;
+  privateKey?: string | undefined;
+  decryptionPvk?: string | undefined;
+  additionalParams?: Record<string, any> | undefined;
+  mapping?: SAMLMapping | undefined;
 }
 interface SSOProvider {
   issuer: string;
-  oidcConfig?: OIDCConfig;
-  samlConfig?: SAMLConfig;
+  oidcConfig?: OIDCConfig | undefined;
+  samlConfig?: SAMLConfig | undefined;
   userId: string;
   providerId: string;
-  organizationId?: string;
+  organizationId?: string | undefined;
 }
 interface SSOOptions {
   /**
    * custom function to provision a user when they sign in with an SSO provider.
    */
-  provisionUser?: (data: {
+  provisionUser?: ((data: {
     /**
      * The user object from the database
      */
@@ -105,7 +105,7 @@ interface SSOOptions {
      * The SSO provider
      */
     provider: SSOProvider;
-  }) => Promise<void>;
+  }) => Promise<void>) | undefined;
   /**
    * Organization provisioning options
    */
@@ -130,7 +130,7 @@ interface SSOOptions {
        */
       provider: SSOProvider;
     }) => Promise<"member" | "admin">;
-  };
+  } | undefined;
   /**
    * Default SSO provider configurations for testing.
    * These will take the precedence over the database providers.
@@ -153,17 +153,17 @@ interface SSOOptions {
      * OIDC configuration
      */
     oidcConfig?: OIDCConfig;
-  }>;
+  }> | undefined;
   /**
    * Override user info with the provider info.
    * @default false
    */
-  defaultOverrideUserInfo?: boolean;
+  defaultOverrideUserInfo?: boolean | undefined;
   /**
    * Disable implicit sign up for new users. When set to true for the provider,
    * sign-in need to be called with with requestSignUp as true to create new users.
    */
-  disableImplicitSignUp?: boolean;
+  disableImplicitSignUp?: boolean | undefined;
   /**
    * Configure the maximum number of SSO providers a user can register.
    * You can also pass a function that returns a number.
@@ -178,14 +178,20 @@ interface SSOOptions {
    * ```
    * @default 10
    */
-  providersLimit?: number | ((user: User) => Promise<number> | number);
+  providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
   /**
    * Trust the email verified flag from the provider.
+   *
+   * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+   * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+   *
+   * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+   * providers in the `trustedProviders` list.
    * @default false
    */
-  trustEmailVerified?: boolean;
+  trustEmailVerified?: boolean | undefined;
 }
-declare const sso: (options?: SSOOptions) => {
+declare const sso: (options?: SSOOptions | undefined) => {
   id: "sso";
   endpoints: {
     spMetadata: better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
@@ -473,7 +479,7 @@ declare const sso: (options?: SSOOptions) => {
       issuer: string;
       userId: string;
       providerId: string;
-      organizationId?: string;
+      organizationId?: string | undefined;
     }>;
     signInSSO: better_call0.StrictEndpoint<"/sign-in/sso", {
       method: "POST";

package/dist/index.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-CL9gq2xe.js";
+import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-U95aRHHN.js";
 export { OIDCConfig, OIDCMapping, SAMLConfig, SAMLMapping, SSOOptions, SSOProvider, sso };

package/dist/index.js CHANGED Viewed

@@ -1,3 +1,3 @@
-import { t as sso } from "./src-BEPbgggK.js";
+import { t as sso } from "./src-BrnaMP1W.js";
 export { sso };

package/dist/{src-BEPbgggK.js → src-BrnaMP1W.js} RENAMED Viewed

@@ -504,7 +504,7 @@ const sso = (options) => {
 					if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
 				}
 				if (provider.oidcConfig && body.providerType !== "saml") {
-					const state = await generateState(ctx);
+					const state = await generateState(ctx, void 0, false);
 					const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 					const authorizationURL = await createAuthorizationURL({
 						id: provider.issuer,

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.14",
+  "version": "1.4.0-beta.16",
   "type": "module",
   "main": "dist/index.js",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -32,14 +32,12 @@
     ".": {
       "better-auth-dev-source": "./src/index.ts",
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.cjs"
+      "default": "./dist/index.js"
     },
     "./client": {
       "better-auth-dev-source": "./src/client.ts",
       "types": "./dist/client.d.ts",
-      "import": "./dist/client.js",
-      "require": "./dist/client.cjs"
+      "default": "./dist/client.js"
     }
   },
   "typesVersions": {
@@ -56,21 +54,21 @@
     "@better-fetch/fetch": "1.1.18",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
-    "oauth2-mock-server": "^7.2.1",
     "samlify": "^2.10.1",
     "zod": "^4.1.5"
   },
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
-    "@types/express": "^5.0.3",
+    "@types/express": "^5.0.5",
     "better-call": "1.0.24",
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
-    "tsdown": "^0.15.10",
-    "better-auth": "^1.4.0-beta.14"
+    "oauth2-mock-server": "^7.2.1",
+    "tsdown": "^0.15.11",
+    "better-auth": "^1.4.0-beta.16"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.14"
+    "better-auth": "1.4.0-beta.16"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts CHANGED Viewed

@@ -66,22 +66,22 @@ function safeJsonParse<T>(value: string | T | null | undefined): T | null {
 }
 export interface OIDCMapping {
-	id?: string;
-	email?: string;
-	emailVerified?: string;
-	name?: string;
-	image?: string;
-	extraFields?: Record<string, string>;
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	image?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
 }
 export interface SAMLMapping {
-	id?: string;
-	email?: string;
-	emailVerified?: string;
-	name?: string;
-	firstName?: string;
-	lastName?: string;
-	extraFields?: Record<string, string>;
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	firstName?: string | undefined;
+	lastName?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
 }
 export interface OIDCConfig {
@@ -89,15 +89,17 @@ export interface OIDCConfig {
 	pkce: boolean;
 	clientId: string;
 	clientSecret: string;
-	authorizationEndpoint?: string;
+	authorizationEndpoint?: string | undefined;
 	discoveryEndpoint: string;
-	userInfoEndpoint?: string;
-	scopes?: string[];
-	overrideUserInfo?: boolean;
-	tokenEndpoint?: string;
-	tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
-	jwksEndpoint?: string;
-	mapping?: OIDCMapping;
+	userInfoEndpoint?: string | undefined;
+	scopes?: string[] | undefined;
+	overrideUserInfo?: boolean | undefined;
+	tokenEndpoint?: string | undefined;
+	tokenEndpointAuthentication?:
+		| ("client_secret_post" | "client_secret_basic")
+		| undefined;
+	jwksEndpoint?: string | undefined;
+	mapping?: OIDCMapping | undefined;
 }
 export interface SAMLConfig {
@@ -105,132 +107,140 @@ export interface SAMLConfig {
 	entryPoint: string;
 	cert: string;
 	callbackUrl: string;
-	audience?: string;
-	idpMetadata?: {
-		metadata?: string;
-		entityID?: string;
-		entityURL?: string;
-		redirectURL?: string;
-		cert?: string;
-		privateKey?: string;
-		privateKeyPass?: string;
-		isAssertionEncrypted?: boolean;
-		encPrivateKey?: string;
-		encPrivateKeyPass?: string;
-		singleSignOnService?: Array<{
-			Binding: string;
-			Location: string;
-		}>;
-	};
+	audience?: string | undefined;
+	idpMetadata?:
+		| {
+				metadata?: string;
+				entityID?: string;
+				entityURL?: string;
+				redirectURL?: string;
+				cert?: string;
+				privateKey?: string;
+				privateKeyPass?: string;
+				isAssertionEncrypted?: boolean;
+				encPrivateKey?: string;
+				encPrivateKeyPass?: string;
+				singleSignOnService?: Array<{
+					Binding: string;
+					Location: string;
+				}>;
+		  }
+		| undefined;
 	spMetadata: {
-		metadata?: string;
-		entityID?: string;
-		binding?: string;
-		privateKey?: string;
-		privateKeyPass?: string;
-		isAssertionEncrypted?: boolean;
-		encPrivateKey?: string;
-		encPrivateKeyPass?: string;
+		metadata?: string | undefined;
+		entityID?: string | undefined;
+		binding?: string | undefined;
+		privateKey?: string | undefined;
+		privateKeyPass?: string | undefined;
+		isAssertionEncrypted?: boolean | undefined;
+		encPrivateKey?: string | undefined;
+		encPrivateKeyPass?: string | undefined;
 	};
-	wantAssertionsSigned?: boolean;
-	signatureAlgorithm?: string;
-	digestAlgorithm?: string;
-	identifierFormat?: string;
-	privateKey?: string;
-	decryptionPvk?: string;
-	additionalParams?: Record<string, any>;
-	mapping?: SAMLMapping;
+	wantAssertionsSigned?: boolean | undefined;
+	signatureAlgorithm?: string | undefined;
+	digestAlgorithm?: string | undefined;
+	identifierFormat?: string | undefined;
+	privateKey?: string | undefined;
+	decryptionPvk?: string | undefined;
+	additionalParams?: Record<string, any> | undefined;
+	mapping?: SAMLMapping | undefined;
 }
 export interface SSOProvider {
 	issuer: string;
-	oidcConfig?: OIDCConfig;
-	samlConfig?: SAMLConfig;
+	oidcConfig?: OIDCConfig | undefined;
+	samlConfig?: SAMLConfig | undefined;
 	userId: string;
 	providerId: string;
-	organizationId?: string;
+	organizationId?: string | undefined;
 }
 export interface SSOOptions {
 	/**
 	 * custom function to provision a user when they sign in with an SSO provider.
 	 */
-	provisionUser?: (data: {
-		/**
-		 * The user object from the database
-		 */
-		user: User & Record<string, any>;
-		/**
-		 * The user info object from the provider
-		 */
-		userInfo: Record<string, any>;
-		/**
-		 * The OAuth2 tokens from the provider
-		 */
-		token?: OAuth2Tokens;
-		/**
-		 * The SSO provider
-		 */
-		provider: SSOProvider;
-	}) => Promise<void>;
+	provisionUser?:
+		| ((data: {
+				/**
+				 * The user object from the database
+				 */
+				user: User & Record<string, any>;
+				/**
+				 * The user info object from the provider
+				 */
+				userInfo: Record<string, any>;
+				/**
+				 * The OAuth2 tokens from the provider
+				 */
+				token?: OAuth2Tokens;
+				/**
+				 * The SSO provider
+				 */
+				provider: SSOProvider;
+		  }) => Promise<void>)
+		| undefined;
 	/**
 	 * Organization provisioning options
 	 */
-	organizationProvisioning?: {
-		disabled?: boolean;
-		defaultRole?: "member" | "admin";
-		getRole?: (data: {
-			/**
-			 * The user object from the database
-			 */
-			user: User & Record<string, any>;
-			/**
-			 * The user info object from the provider
-			 */
-			userInfo: Record<string, any>;
-			/**
-			 * The OAuth2 tokens from the provider
-			 */
-			token?: OAuth2Tokens;
-			/**
-			 * The SSO provider
-			 */
-			provider: SSOProvider;
-		}) => Promise<"member" | "admin">;
-	};
+	organizationProvisioning?:
+		| {
+				disabled?: boolean;
+				defaultRole?: "member" | "admin";
+				getRole?: (data: {
+					/**
+					 * The user object from the database
+					 */
+					user: User & Record<string, any>;
+					/**
+					 * The user info object from the provider
+					 */
+					userInfo: Record<string, any>;
+					/**
+					 * The OAuth2 tokens from the provider
+					 */
+					token?: OAuth2Tokens;
+					/**
+					 * The SSO provider
+					 */
+					provider: SSOProvider;
+				}) => Promise<"member" | "admin">;
+		  }
+		| undefined;
 	/**
 	 * Default SSO provider configurations for testing.
 	 * These will take the precedence over the database providers.
 	 */
-	defaultSSO?: Array<{
-		/**
-		 * The domain to match for this default provider.
-		 * This is only used to match incoming requests to this default provider.
-		 */
-		domain: string;
-		/**
-		 * The provider ID to use
-		 */
-		providerId: string;
-		/**
-		 * SAML configuration
-		 */
-		samlConfig?: SAMLConfig;
-		/**
-		 * OIDC configuration
-		 */
-		oidcConfig?: OIDCConfig;
-	}>;
+	defaultSSO?:
+		| Array<{
+				/**
+				 * The domain to match for this default provider.
+				 * This is only used to match incoming requests to this default provider.
+				 */
+				domain: string;
+				/**
+				 * The provider ID to use
+				 */
+				providerId: string;
+				/**
+				 * SAML configuration
+				 */
+				samlConfig?: SAMLConfig;
+				/**
+				 * OIDC configuration
+				 */
+				oidcConfig?: OIDCConfig;
+		  }>
+		| undefined;
 	/**
 	 * Override user info with the provider info.
 	 * @default false
 	 */
-	defaultOverrideUserInfo?: boolean;
+	defaultOverrideUserInfo?: boolean | undefined;
 	/**
 	 * Disable implicit sign up for new users. When set to true for the provider,
 	 * sign-in need to be called with with requestSignUp as true to create new users.
 	 */
-	disableImplicitSignUp?: boolean;
+	disableImplicitSignUp?: boolean | undefined;
 	/**
 	 * Configure the maximum number of SSO providers a user can register.
 	 * You can also pass a function that returns a number.
@@ -245,15 +255,23 @@ export interface SSOOptions {
 	 * ```
 	 * @default 10
 	 */
-	providersLimit?: number | ((user: User) => Promise<number> | number);
+	providersLimit?:
+		| (number | ((user: User) => Promise<number> | number))
+		| undefined;
 	/**
 	 * Trust the email verified flag from the provider.
+	 *
+	 * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+	 * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+	 *
+	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+	 * providers in the `trustedProviders` list.
 	 * @default false
 	 */
-	trustEmailVerified?: boolean;
+	trustEmailVerified?: boolean | undefined;
 }
-export const sso = (options?: SSOOptions) => {
+export const sso = (options?: SSOOptions | undefined) => {
 	return {
 		id: "sso",
 		endpoints: {
@@ -1137,7 +1155,7 @@ export const sso = (options?: SSOOptions) => {
 						}
 					}
 					if (provider.oidcConfig && body.providerType !== "saml") {
-						const state = await generateState(ctx);
+						const state = await generateState(ctx, undefined, false);
 						const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 						const authorizationURL = await createAuthorizationURL({
 							id: provider.issuer,

package/tsdown.config.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import { defineConfig } from "tsdown";
 export default defineConfig({
 	dts: { build: true, incremental: true },
-	format: ["esm", "cjs"],
+	format: ["esm"],
 	entry: ["./src/index.ts", "./src/client.ts"],
 	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
 });