@better-auth/sso 1.4.0-beta.15 → 1.4.0-beta.17

package/.turbo/turbo-build.log

@@ -1,25 +1,17 @@
 
-> @better-auth/sso@1.4.0-beta.15 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.17 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.15.11 powered by rolldown v1.0.0-beta.45
+ℹ tsdown v0.16.0 powered by rolldown v1.0.0-beta.46
 ℹ Using tsdown config: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts
 ℹ entry: src/client.ts, src/index.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ [CJS] dist/client.cjs         0.19 kB │ gzip: 0.16 kB
-ℹ [CJS] dist/index.cjs          0.08 kB │ gzip: 0.08 kB
-ℹ [CJS] dist/src-BsLnNXTo.cjs  52.34 kB │ gzip: 9.21 kB
-ℹ [CJS] 3 files, total: 52.61 kB
-ℹ [ESM] dist/client.js             0.18 kB │ gzip: 0.16 kB
-ℹ [ESM] dist/index.js              0.06 kB │ gzip: 0.07 kB
-ℹ [ESM] dist/src-BEPbgggK.js      49.59 kB │ gzip: 8.54 kB
-ℹ [ESM] dist/index.d.ts            0.24 kB │ gzip: 0.16 kB
-ℹ [ESM] dist/client.d.ts           0.21 kB │ gzip: 0.18 kB
-ℹ [ESM] dist/index-CdeDxbNh.d.ts  22.04 kB │ gzip: 3.15 kB
-ℹ [ESM] 6 files, total: 72.32 kB
-ℹ [CJS] dist/index.d.cts            0.24 kB │ gzip: 0.16 kB
-ℹ [CJS] dist/client.d.cts           0.21 kB │ gzip: 0.18 kB
-ℹ [CJS] dist/index-DJAIa5j3.d.cts  22.04 kB │ gzip: 3.16 kB
-ℹ [CJS] 3 files, total: 22.50 kB
-✔ Build complete in 9377ms
+ℹ dist/client.mjs             0.18 kB │ gzip: 0.16 kB
+ℹ dist/index.mjs              0.06 kB │ gzip: 0.07 kB
+ℹ dist/src-D0TWWO55.mjs      49.60 kB │ gzip: 8.54 kB
+ℹ dist/index.d.mts            0.24 kB │ gzip: 0.16 kB
+ℹ dist/client.d.mts           0.21 kB │ gzip: 0.18 kB
+ℹ dist/index-D8XmWYZn.d.mts  22.51 kB │ gzip: 3.39 kB
+ℹ 6 files, total: 72.81 kB
+✔ Build complete in 11481ms

package/dist/{client.d.cts → client.d.mts}

@@ -1,4 +1,4 @@
-import { s as sso } from "./index-DJAIa5j3.cjs";
+import { s as sso } from "./index-D8XmWYZn.mjs";
 
 //#region src/client.d.ts
 declare const ssoClient: () => {

package/dist/{client.js → client.mjs}

@@ -1,4 +1,4 @@
-import "./src-BEPbgggK.js";
+import "./src-D0TWWO55.mjs";
 
 //#region src/client.ts
 const ssoClient = () => {

package/dist/{index-CdeDxbNh.d.ts → index-D8XmWYZn.d.mts}

@@ -181,6 +181,12 @@ interface SSOOptions {
   providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
   /**
    * Trust the email verified flag from the provider.
+   *
+   * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+   * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+   *
+   * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+   * providers in the `trustedProviders` list.
    * @default false
    */
   trustEmailVerified?: boolean | undefined;
@@ -193,8 +199,8 @@ declare const sso: (options?: SSOOptions | undefined) => {
       query: z.ZodObject<{
         providerId: z.ZodString;
         format: z.ZodDefault<z.ZodEnum<{
-          json: "json";
           xml: "xml";
+          json: "json";
         }>>;
       }, z.core.$strip>;
       metadata: {

package/dist/{index.d.cts → index.d.mts}

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-DJAIa5j3.cjs";
+import { a as SSOOptions, i as SAMLMapping, n as OIDCMapping, o as SSOProvider, r as SAMLConfig, s as sso, t as OIDCConfig } from "./index-D8XmWYZn.mjs";
 export { OIDCConfig, OIDCMapping, SAMLConfig, SAMLMapping, SSOOptions, SSOProvider, sso };

package/dist/index.mjs

@@ -0,0 +1,3 @@
+import { t as sso } from "./src-D0TWWO55.mjs";
+
+export { sso };

package/dist/{src-BEPbgggK.js → src-D0TWWO55.mjs}

@@ -504,7 +504,7 @@ const sso = (options) => {
 					if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
 				}
 				if (provider.oidcConfig && body.providerType !== "saml") {
-					const state = await generateState(ctx);
+					const state = await generateState(ctx, void 0, false);
 					const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 					const authorizationURL = await createAuthorizationURL({
 						id: provider.issuer,

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.15",
+  "version": "1.4.0-beta.17",
   "type": "module",
-  "main": "dist/index.js",
+  "main": "dist/index.mjs",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
   "repository": {
     "type": "git",
@@ -26,29 +26,27 @@
   "publishConfig": {
     "access": "public"
   },
-  "module": "dist/index.js",
+  "module": "dist/index.mjs",
   "description": "SSO plugin for Better Auth",
   "exports": {
     ".": {
       "better-auth-dev-source": "./src/index.ts",
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js",
-      "require": "./dist/index.cjs"
+      "types": "./dist/index.d.mts",
+      "default": "./dist/index.mjs"
     },
     "./client": {
       "better-auth-dev-source": "./src/client.ts",
-      "types": "./dist/client.d.ts",
-      "import": "./dist/client.js",
-      "require": "./dist/client.cjs"
+      "types": "./dist/client.d.mts",
+      "default": "./dist/client.mjs"
     }
   },
   "typesVersions": {
     "*": {
       "*": [
-        "./dist/index.d.ts"
+        "./dist/index.d.mts"
       ],
       "client": [
-        "./dist/client.d.ts"
+        "./dist/client.d.mts"
       ]
     }
   },
@@ -56,21 +54,21 @@
     "@better-fetch/fetch": "1.1.18",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
-    "oauth2-mock-server": "^7.2.1",
     "samlify": "^2.10.1",
     "zod": "^4.1.5"
   },
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.0.24",
+    "better-call": "1.0.26",
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
-    "tsdown": "^0.15.11",
-    "better-auth": "^1.4.0-beta.15"
+    "oauth2-mock-server": "^7.2.1",
+    "tsdown": "^0.16.0",
+    "better-auth": "^1.4.0-beta.17"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.15"
+    "better-auth": "1.4.0-beta.17"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -260,6 +260,12 @@ export interface SSOOptions {
 		| undefined;
 	/**
 	 * Trust the email verified flag from the provider.
+	 *
+	 * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+	 * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+	 *
+	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+	 * providers in the `trustedProviders` list.
 	 * @default false
 	 */
 	trustEmailVerified?: boolean | undefined;
@@ -1149,7 +1155,7 @@ export const sso = (options?: SSOOptions | undefined) => {
 						}
 					}
 					if (provider.oidcConfig && body.providerType !== "saml") {
-						const state = await generateState(ctx);
+						const state = await generateState(ctx, undefined, false);
 						const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 						const authorizationURL = await createAuthorizationURL({
 							id: provider.issuer,

package/src/oidc.test.ts

@@ -1,7 +1,7 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { createAuthClient } from "better-auth/client";
 import { organization } from "better-auth/plugins";
-import { getTestInstanceMemory as getTestInstance } from "better-auth/test";
+import { getTestInstance } from "better-auth/test";
 import { OAuth2Server } from "oauth2-mock-server";
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import { sso } from ".";

package/src/saml.test.ts

@@ -4,7 +4,7 @@ import { memoryAdapter } from "better-auth/adapters/memory";
 import { createAuthClient } from "better-auth/client";
 import { setCookieToHeader } from "better-auth/cookies";
 import { bearer } from "better-auth/plugins";
-import { getTestInstanceMemory } from "better-auth/test";
+import { getTestInstance } from "better-auth/test";
 import bodyParser from "body-parser";
 import { randomUUID } from "crypto";
 import type {
@@ -926,7 +926,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is set to 0", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 0 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -957,7 +957,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 1 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -1011,7 +1011,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit from function is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [
 				sso({
 					providersLimit: async (user) => {

package/tsdown.config.ts

@@ -2,7 +2,7 @@ import { defineConfig } from "tsdown";
 
 export default defineConfig({
 	dts: { build: true, incremental: true },
-	format: ["esm", "cjs"],
+	format: ["esm"],
 	entry: ["./src/index.ts", "./src/client.ts"],
 	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
 });

package/dist/client.cjs

@@ -1,12 +0,0 @@
-require('./src-BsLnNXTo.cjs');
-
-//#region src/client.ts
-const ssoClient = () => {
-	return {
-		id: "sso-client",
-		$InferServerPlugin: {}
-	};
-};
-
-//#endregion
-exports.ssoClient = ssoClient;

package/dist/client.d.ts

@@ -1,9 +0,0 @@
-import { s as sso } from "./index-CdeDxbNh.js";
-
-//#region src/client.d.ts
-declare const ssoClient: () => {
-  id: "sso-client";
-  $InferServerPlugin: ReturnType<typeof sso>;
-};
-//#endregion
-export { ssoClient };