@better-auth/sso 1.4.0-beta.15 → 1.4.0-beta.16

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.0-beta.15 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.16 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.15.11 powered by rolldown v1.0.0-beta.45
@@ -7,19 +7,11 @@
 ℹ entry: src/client.ts, src/index.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ [CJS] dist/client.cjs         0.19 kB │ gzip: 0.16 kB
-ℹ [CJS] dist/index.cjs          0.08 kB │ gzip: 0.08 kB
-ℹ [CJS] dist/src-BsLnNXTo.cjs  52.34 kB │ gzip: 9.21 kB
-ℹ [CJS] 3 files, total: 52.61 kB
-ℹ [ESM] dist/client.js             0.18 kB │ gzip: 0.16 kB
-ℹ [ESM] dist/index.js              0.06 kB │ gzip: 0.07 kB
-ℹ [ESM] dist/src-BEPbgggK.js      49.59 kB │ gzip: 8.54 kB
-ℹ [ESM] dist/index.d.ts            0.24 kB │ gzip: 0.16 kB
-ℹ [ESM] dist/client.d.ts           0.21 kB │ gzip: 0.18 kB
-ℹ [ESM] dist/index-CdeDxbNh.d.ts  22.04 kB │ gzip: 3.15 kB
-ℹ [ESM] 6 files, total: 72.32 kB
-ℹ [CJS] dist/index.d.cts            0.24 kB │ gzip: 0.16 kB
-ℹ [CJS] dist/client.d.cts           0.21 kB │ gzip: 0.18 kB
-ℹ [CJS] dist/index-DJAIa5j3.d.cts  22.04 kB │ gzip: 3.16 kB
-ℹ [CJS] 3 files, total: 22.50 kB
-✔ Build complete in 9377ms
+ℹ dist/client.js             0.18 kB │ gzip: 0.16 kB
+ℹ dist/index.js              0.06 kB │ gzip: 0.07 kB
+ℹ dist/src-BrnaMP1W.js      49.60 kB │ gzip: 8.54 kB
+ℹ dist/index.d.ts            0.24 kB │ gzip: 0.16 kB
+ℹ dist/client.d.ts           0.21 kB │ gzip: 0.18 kB
+ℹ dist/index-U95aRHHN.d.ts  22.51 kB │ gzip: 3.39 kB
+ℹ 6 files, total: 72.81 kB
+✔ Build complete in 11363ms

package/dist/client.d.ts

@@ -1,4 +1,4 @@
-import { s as sso } from "./index-CdeDxbNh.js";
+import { s as sso } from "./index-U95aRHHN.js";
 
 //#region src/client.d.ts
 declare const ssoClient: () => {

package/dist/client.js

@@ -1,4 +1,4 @@
-import "./src-BEPbgggK.js";
+import "./src-BrnaMP1W.js";
 
 //#region src/client.ts
 const ssoClient = () => {

package/dist/{index-CdeDxbNh.d.ts → index-U95aRHHN.d.ts}

@@ -181,6 +181,12 @@ interface SSOOptions {
   providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
   /**
    * Trust the email verified flag from the provider.
+   *
+   * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+   * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+   *
+   * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+   * providers in the `trustedProviders` list.
    * @default false
    */
   trustEmailVerified?: boolean | undefined;

package/dist/index.d.ts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-CdeDxbNh.js";
+import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-U95aRHHN.js";
 export { OIDCConfig, OIDCMapping, SAMLConfig, SAMLMapping, SSOOptions, SSOProvider, sso };

package/dist/index.js

@@ -1,3 +1,3 @@
-import { t as sso } from "./src-BEPbgggK.js";
+import { t as sso } from "./src-BrnaMP1W.js";
 
 export { sso };

package/dist/{src-BEPbgggK.js → src-BrnaMP1W.js}

@@ -504,7 +504,7 @@ const sso = (options) => {
 					if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
 				}
 				if (provider.oidcConfig && body.providerType !== "saml") {
-					const state = await generateState(ctx);
+					const state = await generateState(ctx, void 0, false);
 					const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 					const authorizationURL = await createAuthorizationURL({
 						id: provider.issuer,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.15",
+  "version": "1.4.0-beta.16",
   "type": "module",
   "main": "dist/index.js",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -32,14 +32,12 @@
     ".": {
       "better-auth-dev-source": "./src/index.ts",
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.cjs"
+      "default": "./dist/index.js"
     },
     "./client": {
       "better-auth-dev-source": "./src/client.ts",
       "types": "./dist/client.d.ts",
-      "import": "./dist/client.js",
-      "require": "./dist/client.cjs"
+      "default": "./dist/client.js"
     }
   },
   "typesVersions": {
@@ -56,7 +54,6 @@
     "@better-fetch/fetch": "1.1.18",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
-    "oauth2-mock-server": "^7.2.1",
     "samlify": "^2.10.1",
     "zod": "^4.1.5"
   },
@@ -66,11 +63,12 @@
     "better-call": "1.0.24",
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
+    "oauth2-mock-server": "^7.2.1",
     "tsdown": "^0.15.11",
-    "better-auth": "^1.4.0-beta.15"
+    "better-auth": "^1.4.0-beta.16"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.15"
+    "better-auth": "1.4.0-beta.16"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -260,6 +260,12 @@ export interface SSOOptions {
 		| undefined;
 	/**
 	 * Trust the email verified flag from the provider.
+	 *
+	 * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+	 * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+	 *
+	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+	 * providers in the `trustedProviders` list.
 	 * @default false
 	 */
 	trustEmailVerified?: boolean | undefined;
@@ -1149,7 +1155,7 @@ export const sso = (options?: SSOOptions | undefined) => {
 						}
 					}
 					if (provider.oidcConfig && body.providerType !== "saml") {
-						const state = await generateState(ctx);
+						const state = await generateState(ctx, undefined, false);
 						const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 						const authorizationURL = await createAuthorizationURL({
 							id: provider.issuer,

package/tsdown.config.ts

@@ -2,7 +2,7 @@ import { defineConfig } from "tsdown";
 
 export default defineConfig({
 	dts: { build: true, incremental: true },
-	format: ["esm", "cjs"],
+	format: ["esm"],
 	entry: ["./src/index.ts", "./src/client.ts"],
 	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
 });

package/dist/client.cjs

@@ -1,12 +0,0 @@
-require('./src-BsLnNXTo.cjs');
-
-//#region src/client.ts
-const ssoClient = () => {
-	return {
-		id: "sso-client",
-		$InferServerPlugin: {}
-	};
-};
-
-//#endregion
-exports.ssoClient = ssoClient;

package/dist/client.d.cts

@@ -1,9 +0,0 @@
-import { s as sso } from "./index-DJAIa5j3.cjs";
-
-//#region src/client.d.ts
-declare const ssoClient: () => {
-  id: "sso-client";
-  $InferServerPlugin: ReturnType<typeof sso>;
-};
-//#endregion
-export { ssoClient };