@better-auth/sso 1.4.0-beta.19 → 1.4.0-beta.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/.turbo/turbo-build.log +6 -6
  2. package/dist/client.d.mts +1 -1
  3. package/dist/client.mjs +1 -1
  4. package/dist/index-Ba2niv2R.d.mts +669 -0
  5. package/dist/index.d.mts +2 -2
  6. package/dist/index.mjs +1 -1
  7. package/dist/src-BUIX9n33.mjs +1215 -0
  8. package/package.json +3 -3
  9. package/src/index.ts +34 -2245
  10. package/src/routes/sso.ts +2019 -0
  11. package/src/types.ts +208 -0
  12. package/dist/index-D8XmWYZn.d.mts +0 -694
  13. package/dist/src-D0TWWO55.mjs +0 -1218
package/dist/index-D8XmWYZn.d.mts DELETED
@@ -1,694 +0,0 @@
1
- import { OAuth2Tokens, User } from "better-auth";
2
- import * as z from "zod/v4";
3
- import * as better_call0 from "better-call";
4
-
5
- //#region src/index.d.ts
6
- interface OIDCMapping {
7
- id?: string | undefined;
8
- email?: string | undefined;
9
- emailVerified?: string | undefined;
10
- name?: string | undefined;
11
- image?: string | undefined;
12
- extraFields?: Record<string, string> | undefined;
13
- }
14
- interface SAMLMapping {
15
- id?: string | undefined;
16
- email?: string | undefined;
17
- emailVerified?: string | undefined;
18
- name?: string | undefined;
19
- firstName?: string | undefined;
20
- lastName?: string | undefined;
21
- extraFields?: Record<string, string> | undefined;
22
- }
23
- interface OIDCConfig {
24
- issuer: string;
25
- pkce: boolean;
26
- clientId: string;
27
- clientSecret: string;
28
- authorizationEndpoint?: string | undefined;
29
- discoveryEndpoint: string;
30
- userInfoEndpoint?: string | undefined;
31
- scopes?: string[] | undefined;
32
- overrideUserInfo?: boolean | undefined;
33
- tokenEndpoint?: string | undefined;
34
- tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
35
- jwksEndpoint?: string | undefined;
36
- mapping?: OIDCMapping | undefined;
37
- }
38
- interface SAMLConfig {
39
- issuer: string;
40
- entryPoint: string;
41
- cert: string;
42
- callbackUrl: string;
43
- audience?: string | undefined;
44
- idpMetadata?: {
45
- metadata?: string;
46
- entityID?: string;
47
- entityURL?: string;
48
- redirectURL?: string;
49
- cert?: string;
50
- privateKey?: string;
51
- privateKeyPass?: string;
52
- isAssertionEncrypted?: boolean;
53
- encPrivateKey?: string;
54
- encPrivateKeyPass?: string;
55
- singleSignOnService?: Array<{
56
- Binding: string;
57
- Location: string;
58
- }>;
59
- } | undefined;
60
- spMetadata: {
61
- metadata?: string | undefined;
62
- entityID?: string | undefined;
63
- binding?: string | undefined;
64
- privateKey?: string | undefined;
65
- privateKeyPass?: string | undefined;
66
- isAssertionEncrypted?: boolean | undefined;
67
- encPrivateKey?: string | undefined;
68
- encPrivateKeyPass?: string | undefined;
69
- };
70
- wantAssertionsSigned?: boolean | undefined;
71
- signatureAlgorithm?: string | undefined;
72
- digestAlgorithm?: string | undefined;
73
- identifierFormat?: string | undefined;
74
- privateKey?: string | undefined;
75
- decryptionPvk?: string | undefined;
76
- additionalParams?: Record<string, any> | undefined;
77
- mapping?: SAMLMapping | undefined;
78
- }
79
- interface SSOProvider {
80
- issuer: string;
81
- oidcConfig?: OIDCConfig | undefined;
82
- samlConfig?: SAMLConfig | undefined;
83
- userId: string;
84
- providerId: string;
85
- organizationId?: string | undefined;
86
- }
87
- interface SSOOptions {
88
- /**
89
- * custom function to provision a user when they sign in with an SSO provider.
90
- */
91
- provisionUser?: ((data: {
92
- /**
93
- * The user object from the database
94
- */
95
- user: User & Record<string, any>;
96
- /**
97
- * The user info object from the provider
98
- */
99
- userInfo: Record<string, any>;
100
- /**
101
- * The OAuth2 tokens from the provider
102
- */
103
- token?: OAuth2Tokens;
104
- /**
105
- * The SSO provider
106
- */
107
- provider: SSOProvider;
108
- }) => Promise<void>) | undefined;
109
- /**
110
- * Organization provisioning options
111
- */
112
- organizationProvisioning?: {
113
- disabled?: boolean;
114
- defaultRole?: "member" | "admin";
115
- getRole?: (data: {
116
- /**
117
- * The user object from the database
118
- */
119
- user: User & Record<string, any>;
120
- /**
121
- * The user info object from the provider
122
- */
123
- userInfo: Record<string, any>;
124
- /**
125
- * The OAuth2 tokens from the provider
126
- */
127
- token?: OAuth2Tokens;
128
- /**
129
- * The SSO provider
130
- */
131
- provider: SSOProvider;
132
- }) => Promise<"member" | "admin">;
133
- } | undefined;
134
- /**
135
- * Default SSO provider configurations for testing.
136
- * These will take the precedence over the database providers.
137
- */
138
- defaultSSO?: Array<{
139
- /**
140
- * The domain to match for this default provider.
141
- * This is only used to match incoming requests to this default provider.
142
- */
143
- domain: string;
144
- /**
145
- * The provider ID to use
146
- */
147
- providerId: string;
148
- /**
149
- * SAML configuration
150
- */
151
- samlConfig?: SAMLConfig;
152
- /**
153
- * OIDC configuration
154
- */
155
- oidcConfig?: OIDCConfig;
156
- }> | undefined;
157
- /**
158
- * Override user info with the provider info.
159
- * @default false
160
- */
161
- defaultOverrideUserInfo?: boolean | undefined;
162
- /**
163
- * Disable implicit sign up for new users. When set to true for the provider,
164
- * sign-in need to be called with with requestSignUp as true to create new users.
165
- */
166
- disableImplicitSignUp?: boolean | undefined;
167
- /**
168
- * Configure the maximum number of SSO providers a user can register.
169
- * You can also pass a function that returns a number.
170
- * Set to 0 to disable SSO provider registration.
171
- *
172
- * @example
173
- * ```ts
174
- * providersLimit: async (user) => {
175
- * const plan = await getUserPlan(user);
176
- * return plan.name === "pro" ? 10 : 1;
177
- * }
178
- * ```
179
- * @default 10
180
- */
181
- providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
182
- /**
183
- * Trust the email verified flag from the provider.
184
- *
185
- * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
186
- * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
187
- *
188
- * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
189
- * providers in the `trustedProviders` list.
190
- * @default false
191
- */
192
- trustEmailVerified?: boolean | undefined;
193
- }
194
- declare const sso: (options?: SSOOptions | undefined) => {
195
- id: "sso";
196
- endpoints: {
197
- spMetadata: better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
198
- method: "GET";
199
- query: z.ZodObject<{
200
- providerId: z.ZodString;
201
- format: z.ZodDefault<z.ZodEnum<{
202
- xml: "xml";
203
- json: "json";
204
- }>>;
205
- }, z.core.$strip>;
206
- metadata: {
207
- openapi: {
208
- summary: string;
209
- description: string;
210
- responses: {
211
- "200": {
212
- description: string;
213
- };
214
- };
215
- };
216
- };
217
- } & {
218
- use: any[];
219
- }, Response>;
220
- registerSSOProvider: better_call0.StrictEndpoint<"/sso/register", {
221
- method: "POST";
222
- body: z.ZodObject<{
223
- providerId: z.ZodString;
224
- issuer: z.ZodString;
225
- domain: z.ZodString;
226
- oidcConfig: z.ZodOptional<z.ZodObject<{
227
- clientId: z.ZodString;
228
- clientSecret: z.ZodString;
229
- authorizationEndpoint: z.ZodOptional<z.ZodString>;
230
- tokenEndpoint: z.ZodOptional<z.ZodString>;
231
- userInfoEndpoint: z.ZodOptional<z.ZodString>;
232
- tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
233
- client_secret_post: "client_secret_post";
234
- client_secret_basic: "client_secret_basic";
235
- }>>;
236
- jwksEndpoint: z.ZodOptional<z.ZodString>;
237
- discoveryEndpoint: z.ZodOptional<z.ZodString>;
238
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
239
- pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
240
- mapping: z.ZodOptional<z.ZodObject<{
241
- id: z.ZodString;
242
- email: z.ZodString;
243
- emailVerified: z.ZodOptional<z.ZodString>;
244
- name: z.ZodString;
245
- image: z.ZodOptional<z.ZodString>;
246
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
247
- }, z.core.$strip>>;
248
- }, z.core.$strip>>;
249
- samlConfig: z.ZodOptional<z.ZodObject<{
250
- entryPoint: z.ZodString;
251
- cert: z.ZodString;
252
- callbackUrl: z.ZodString;
253
- audience: z.ZodOptional<z.ZodString>;
254
- idpMetadata: z.ZodOptional<z.ZodObject<{
255
- metadata: z.ZodOptional<z.ZodString>;
256
- entityID: z.ZodOptional<z.ZodString>;
257
- cert: z.ZodOptional<z.ZodString>;
258
- privateKey: z.ZodOptional<z.ZodString>;
259
- privateKeyPass: z.ZodOptional<z.ZodString>;
260
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
261
- encPrivateKey: z.ZodOptional<z.ZodString>;
262
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
263
- singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
264
- Binding: z.ZodString;
265
- Location: z.ZodString;
266
- }, z.core.$strip>>>;
267
- }, z.core.$strip>>;
268
- spMetadata: z.ZodObject<{
269
- metadata: z.ZodOptional<z.ZodString>;
270
- entityID: z.ZodOptional<z.ZodString>;
271
- binding: z.ZodOptional<z.ZodString>;
272
- privateKey: z.ZodOptional<z.ZodString>;
273
- privateKeyPass: z.ZodOptional<z.ZodString>;
274
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
275
- encPrivateKey: z.ZodOptional<z.ZodString>;
276
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
277
- }, z.core.$strip>;
278
- wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
279
- signatureAlgorithm: z.ZodOptional<z.ZodString>;
280
- digestAlgorithm: z.ZodOptional<z.ZodString>;
281
- identifierFormat: z.ZodOptional<z.ZodString>;
282
- privateKey: z.ZodOptional<z.ZodString>;
283
- decryptionPvk: z.ZodOptional<z.ZodString>;
284
- additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
285
- mapping: z.ZodOptional<z.ZodObject<{
286
- id: z.ZodString;
287
- email: z.ZodString;
288
- emailVerified: z.ZodOptional<z.ZodString>;
289
- name: z.ZodString;
290
- firstName: z.ZodOptional<z.ZodString>;
291
- lastName: z.ZodOptional<z.ZodString>;
292
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
293
- }, z.core.$strip>>;
294
- }, z.core.$strip>>;
295
- organizationId: z.ZodOptional<z.ZodString>;
296
- overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
297
- }, z.core.$strip>;
298
- use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
299
- session: {
300
- session: Record<string, any> & {
301
- id: string;
302
- createdAt: Date;
303
- updatedAt: Date;
304
- userId: string;
305
- expiresAt: Date;
306
- token: string;
307
- ipAddress?: string | null | undefined;
308
- userAgent?: string | null | undefined;
309
- };
310
- user: Record<string, any> & {
311
- id: string;
312
- createdAt: Date;
313
- updatedAt: Date;
314
- email: string;
315
- emailVerified: boolean;
316
- name: string;
317
- image?: string | null | undefined;
318
- };
319
- };
320
- }>)[];
321
- metadata: {
322
- openapi: {
323
- summary: string;
324
- description: string;
325
- responses: {
326
- "200": {
327
- description: string;
328
- content: {
329
- "application/json": {
330
- schema: {
331
- type: "object";
332
- properties: {
333
- issuer: {
334
- type: string;
335
- format: string;
336
- description: string;
337
- };
338
- domain: {
339
- type: string;
340
- description: string;
341
- };
342
- oidcConfig: {
343
- type: string;
344
- properties: {
345
- issuer: {
346
- type: string;
347
- format: string;
348
- description: string;
349
- };
350
- pkce: {
351
- type: string;
352
- description: string;
353
- };
354
- clientId: {
355
- type: string;
356
- description: string;
357
- };
358
- clientSecret: {
359
- type: string;
360
- description: string;
361
- };
362
- authorizationEndpoint: {
363
- type: string;
364
- format: string;
365
- nullable: boolean;
366
- description: string;
367
- };
368
- discoveryEndpoint: {
369
- type: string;
370
- format: string;
371
- description: string;
372
- };
373
- userInfoEndpoint: {
374
- type: string;
375
- format: string;
376
- nullable: boolean;
377
- description: string;
378
- };
379
- scopes: {
380
- type: string;
381
- items: {
382
- type: string;
383
- };
384
- nullable: boolean;
385
- description: string;
386
- };
387
- tokenEndpoint: {
388
- type: string;
389
- format: string;
390
- nullable: boolean;
391
- description: string;
392
- };
393
- tokenEndpointAuthentication: {
394
- type: string;
395
- enum: string[];
396
- nullable: boolean;
397
- description: string;
398
- };
399
- jwksEndpoint: {
400
- type: string;
401
- format: string;
402
- nullable: boolean;
403
- description: string;
404
- };
405
- mapping: {
406
- type: string;
407
- nullable: boolean;
408
- properties: {
409
- id: {
410
- type: string;
411
- description: string;
412
- };
413
- email: {
414
- type: string;
415
- description: string;
416
- };
417
- emailVerified: {
418
- type: string;
419
- nullable: boolean;
420
- description: string;
421
- };
422
- name: {
423
- type: string;
424
- description: string;
425
- };
426
- image: {
427
- type: string;
428
- nullable: boolean;
429
- description: string;
430
- };
431
- extraFields: {
432
- type: string;
433
- additionalProperties: {
434
- type: string;
435
- };
436
- nullable: boolean;
437
- description: string;
438
- };
439
- };
440
- required: string[];
441
- };
442
- };
443
- required: string[];
444
- description: string;
445
- };
446
- organizationId: {
447
- type: string;
448
- nullable: boolean;
449
- description: string;
450
- };
451
- userId: {
452
- type: string;
453
- description: string;
454
- };
455
- providerId: {
456
- type: string;
457
- description: string;
458
- };
459
- redirectURI: {
460
- type: string;
461
- format: string;
462
- description: string;
463
- };
464
- };
465
- required: string[];
466
- };
467
- };
468
- };
469
- };
470
- };
471
- };
472
- };
473
- } & {
474
- use: any[];
475
- }, {
476
- oidcConfig: OIDCConfig;
477
- samlConfig: SAMLConfig;
478
- redirectURI: string;
479
- issuer: string;
480
- userId: string;
481
- providerId: string;
482
- organizationId?: string | undefined;
483
- }>;
484
- signInSSO: better_call0.StrictEndpoint<"/sign-in/sso", {
485
- method: "POST";
486
- body: z.ZodObject<{
487
- email: z.ZodOptional<z.ZodString>;
488
- organizationSlug: z.ZodOptional<z.ZodString>;
489
- providerId: z.ZodOptional<z.ZodString>;
490
- domain: z.ZodOptional<z.ZodString>;
491
- callbackURL: z.ZodString;
492
- errorCallbackURL: z.ZodOptional<z.ZodString>;
493
- newUserCallbackURL: z.ZodOptional<z.ZodString>;
494
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
495
- loginHint: z.ZodOptional<z.ZodString>;
496
- requestSignUp: z.ZodOptional<z.ZodBoolean>;
497
- providerType: z.ZodOptional<z.ZodEnum<{
498
- oidc: "oidc";
499
- saml: "saml";
500
- }>>;
501
- }, z.core.$strip>;
502
- metadata: {
503
- openapi: {
504
- summary: string;
505
- description: string;
506
- requestBody: {
507
- content: {
508
- "application/json": {
509
- schema: {
510
- type: "object";
511
- properties: {
512
- email: {
513
- type: string;
514
- description: string;
515
- };
516
- issuer: {
517
- type: string;
518
- description: string;
519
- };
520
- providerId: {
521
- type: string;
522
- description: string;
523
- };
524
- callbackURL: {
525
- type: string;
526
- description: string;
527
- };
528
- errorCallbackURL: {
529
- type: string;
530
- description: string;
531
- };
532
- newUserCallbackURL: {
533
- type: string;
534
- description: string;
535
- };
536
- loginHint: {
537
- type: string;
538
- description: string;
539
- };
540
- };
541
- required: string[];
542
- };
543
- };
544
- };
545
- };
546
- responses: {
547
- "200": {
548
- description: string;
549
- content: {
550
- "application/json": {
551
- schema: {
552
- type: "object";
553
- properties: {
554
- url: {
555
- type: string;
556
- format: string;
557
- description: string;
558
- };
559
- redirect: {
560
- type: string;
561
- description: string;
562
- enum: boolean[];
563
- };
564
- };
565
- required: string[];
566
- };
567
- };
568
- };
569
- };
570
- };
571
- };
572
- };
573
- } & {
574
- use: any[];
575
- }, {
576
- url: string;
577
- redirect: boolean;
578
- }>;
579
- callbackSSO: better_call0.StrictEndpoint<"/sso/callback/:providerId", {
580
- method: "GET";
581
- query: z.ZodObject<{
582
- code: z.ZodOptional<z.ZodString>;
583
- state: z.ZodString;
584
- error: z.ZodOptional<z.ZodString>;
585
- error_description: z.ZodOptional<z.ZodString>;
586
- }, z.core.$strip>;
587
- metadata: {
588
- isAction: boolean;
589
- openapi: {
590
- summary: string;
591
- description: string;
592
- responses: {
593
- "302": {
594
- description: string;
595
- };
596
- };
597
- };
598
- };
599
- } & {
600
- use: any[];
601
- }, never>;
602
- callbackSSOSAML: better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
603
- method: "POST";
604
- body: z.ZodObject<{
605
- SAMLResponse: z.ZodString;
606
- RelayState: z.ZodOptional<z.ZodString>;
607
- }, z.core.$strip>;
608
- metadata: {
609
- isAction: boolean;
610
- openapi: {
611
- summary: string;
612
- description: string;
613
- responses: {
614
- "302": {
615
- description: string;
616
- };
617
- "400": {
618
- description: string;
619
- };
620
- "401": {
621
- description: string;
622
- };
623
- };
624
- };
625
- };
626
- } & {
627
- use: any[];
628
- }, never>;
629
- acsEndpoint: better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
630
- method: "POST";
631
- params: z.ZodObject<{
632
- providerId: z.ZodOptional<z.ZodString>;
633
- }, z.core.$strip>;
634
- body: z.ZodObject<{
635
- SAMLResponse: z.ZodString;
636
- RelayState: z.ZodOptional<z.ZodString>;
637
- }, z.core.$strip>;
638
- metadata: {
639
- isAction: boolean;
640
- openapi: {
641
- summary: string;
642
- description: string;
643
- responses: {
644
- "302": {
645
- description: string;
646
- };
647
- };
648
- };
649
- };
650
- } & {
651
- use: any[];
652
- }, never>;
653
- };
654
- schema: {
655
- ssoProvider: {
656
- fields: {
657
- issuer: {
658
- type: "string";
659
- required: true;
660
- };
661
- oidcConfig: {
662
- type: "string";
663
- required: false;
664
- };
665
- samlConfig: {
666
- type: "string";
667
- required: false;
668
- };
669
- userId: {
670
- type: "string";
671
- references: {
672
- model: string;
673
- field: string;
674
- };
675
- };
676
- providerId: {
677
- type: "string";
678
- required: true;
679
- unique: true;
680
- };
681
- organizationId: {
682
- type: "string";
683
- required: false;
684
- };
685
- domain: {
686
- type: "string";
687
- required: true;
688
- };
689
- };
690
- };
691
- };
692
- };
693
- //#endregion
694
- export { SSOOptions as a, SAMLMapping as i, OIDCMapping as n, SSOProvider as o, SAMLConfig as r, sso as s, OIDCConfig as t };