@better-auth/sso 1.4.0-beta.2 → 1.4.0-beta.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (22) hide show
  1. package/.turbo/turbo-build.log +14 -15
  2. package/dist/client.d.mts +6 -8
  3. package/dist/client.mjs +7 -5
  4. package/dist/index-C091fIpa.d.mts +675 -0
  5. package/dist/index.d.mts +2 -959
  6. package/dist/index.mjs +1220 -1579
  7. package/package.json +28 -21
  8. package/src/client.ts +1 -1
  9. package/src/index.ts +34 -2112
  10. package/src/oidc.test.ts +133 -212
  11. package/src/routes/sso.ts +2033 -0
  12. package/src/saml.test.ts +204 -28
  13. package/src/types.ts +208 -0
  14. package/tsconfig.json +7 -16
  15. package/tsdown.config.ts +8 -0
  16. package/build.config.ts +0 -12
  17. package/dist/client.cjs +0 -10
  18. package/dist/client.d.cts +0 -11
  19. package/dist/client.d.ts +0 -11
  20. package/dist/index.cjs +0 -1600
  21. package/dist/index.d.cts +0 -959
  22. package/dist/index.d.ts +0 -959
package/dist/index-C091fIpa.d.mts ADDED
@@ -0,0 +1,675 @@
1
+ import { OAuth2Tokens, User } from "better-auth";
2
+ import * as z from "zod/v4";
3
+ import * as better_call0 from "better-call";
4
+
5
+ //#region src/types.d.ts
6
+ interface OIDCMapping {
7
+ id?: string | undefined;
8
+ email?: string | undefined;
9
+ emailVerified?: string | undefined;
10
+ name?: string | undefined;
11
+ image?: string | undefined;
12
+ extraFields?: Record<string, string> | undefined;
13
+ }
14
+ interface SAMLMapping {
15
+ id?: string | undefined;
16
+ email?: string | undefined;
17
+ emailVerified?: string | undefined;
18
+ name?: string | undefined;
19
+ firstName?: string | undefined;
20
+ lastName?: string | undefined;
21
+ extraFields?: Record<string, string> | undefined;
22
+ }
23
+ interface OIDCConfig {
24
+ issuer: string;
25
+ pkce: boolean;
26
+ clientId: string;
27
+ clientSecret: string;
28
+ authorizationEndpoint?: string | undefined;
29
+ discoveryEndpoint: string;
30
+ userInfoEndpoint?: string | undefined;
31
+ scopes?: string[] | undefined;
32
+ overrideUserInfo?: boolean | undefined;
33
+ tokenEndpoint?: string | undefined;
34
+ tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
35
+ jwksEndpoint?: string | undefined;
36
+ mapping?: OIDCMapping | undefined;
37
+ }
38
+ interface SAMLConfig {
39
+ issuer: string;
40
+ entryPoint: string;
41
+ cert: string;
42
+ callbackUrl: string;
43
+ audience?: string | undefined;
44
+ idpMetadata?: {
45
+ metadata?: string;
46
+ entityID?: string;
47
+ entityURL?: string;
48
+ redirectURL?: string;
49
+ cert?: string;
50
+ privateKey?: string;
51
+ privateKeyPass?: string;
52
+ isAssertionEncrypted?: boolean;
53
+ encPrivateKey?: string;
54
+ encPrivateKeyPass?: string;
55
+ singleSignOnService?: Array<{
56
+ Binding: string;
57
+ Location: string;
58
+ }>;
59
+ } | undefined;
60
+ spMetadata: {
61
+ metadata?: string | undefined;
62
+ entityID?: string | undefined;
63
+ binding?: string | undefined;
64
+ privateKey?: string | undefined;
65
+ privateKeyPass?: string | undefined;
66
+ isAssertionEncrypted?: boolean | undefined;
67
+ encPrivateKey?: string | undefined;
68
+ encPrivateKeyPass?: string | undefined;
69
+ };
70
+ wantAssertionsSigned?: boolean | undefined;
71
+ signatureAlgorithm?: string | undefined;
72
+ digestAlgorithm?: string | undefined;
73
+ identifierFormat?: string | undefined;
74
+ privateKey?: string | undefined;
75
+ decryptionPvk?: string | undefined;
76
+ additionalParams?: Record<string, any> | undefined;
77
+ mapping?: SAMLMapping | undefined;
78
+ }
79
+ type SSOProvider = {
80
+ issuer: string;
81
+ oidcConfig?: OIDCConfig | undefined;
82
+ samlConfig?: SAMLConfig | undefined;
83
+ userId: string;
84
+ providerId: string;
85
+ organizationId?: string | undefined;
86
+ domain: string;
87
+ };
88
+ interface SSOOptions {
89
+ /**
90
+ * custom function to provision a user when they sign in with an SSO provider.
91
+ */
92
+ provisionUser?: ((data: {
93
+ /**
94
+ * The user object from the database
95
+ */
96
+ user: User & Record<string, any>;
97
+ /**
98
+ * The user info object from the provider
99
+ */
100
+ userInfo: Record<string, any>;
101
+ /**
102
+ * The OAuth2 tokens from the provider
103
+ */
104
+ token?: OAuth2Tokens;
105
+ /**
106
+ * The SSO provider
107
+ */
108
+ provider: SSOProvider;
109
+ }) => Promise<void>) | undefined;
110
+ /**
111
+ * Organization provisioning options
112
+ */
113
+ organizationProvisioning?: {
114
+ disabled?: boolean;
115
+ defaultRole?: "member" | "admin";
116
+ getRole?: (data: {
117
+ /**
118
+ * The user object from the database
119
+ */
120
+ user: User & Record<string, any>;
121
+ /**
122
+ * The user info object from the provider
123
+ */
124
+ userInfo: Record<string, any>;
125
+ /**
126
+ * The OAuth2 tokens from the provider
127
+ */
128
+ token?: OAuth2Tokens;
129
+ /**
130
+ * The SSO provider
131
+ */
132
+ provider: SSOProvider;
133
+ }) => Promise<"member" | "admin">;
134
+ } | undefined;
135
+ /**
136
+ * Default SSO provider configurations for testing.
137
+ * These will take the precedence over the database providers.
138
+ */
139
+ defaultSSO?: Array<{
140
+ /**
141
+ * The domain to match for this default provider.
142
+ * This is only used to match incoming requests to this default provider.
143
+ */
144
+ domain: string;
145
+ /**
146
+ * The provider ID to use
147
+ */
148
+ providerId: string;
149
+ /**
150
+ * SAML configuration
151
+ */
152
+ samlConfig?: SAMLConfig;
153
+ /**
154
+ * OIDC configuration
155
+ */
156
+ oidcConfig?: OIDCConfig;
157
+ }> | undefined;
158
+ /**
159
+ * Override user info with the provider info.
160
+ * @default false
161
+ */
162
+ defaultOverrideUserInfo?: boolean | undefined;
163
+ /**
164
+ * Disable implicit sign up for new users. When set to true for the provider,
165
+ * sign-in need to be called with with requestSignUp as true to create new users.
166
+ */
167
+ disableImplicitSignUp?: boolean | undefined;
168
+ /**
169
+ * Configure the maximum number of SSO providers a user can register.
170
+ * You can also pass a function that returns a number.
171
+ * Set to 0 to disable SSO provider registration.
172
+ *
173
+ * @example
174
+ * ```ts
175
+ * providersLimit: async (user) => {
176
+ * const plan = await getUserPlan(user);
177
+ * return plan.name === "pro" ? 10 : 1;
178
+ * }
179
+ * ```
180
+ * @default 10
181
+ */
182
+ providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
183
+ /**
184
+ * Trust the email verified flag from the provider.
185
+ *
186
+ * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
187
+ * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
188
+ *
189
+ * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
190
+ * providers in the `trustedProviders` list.
191
+ * @default false
192
+ */
193
+ trustEmailVerified?: boolean | undefined;
194
+ }
195
+ //#endregion
196
+ //#region src/routes/sso.d.ts
197
+ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
198
+ method: "GET";
199
+ query: z.ZodObject<{
200
+ providerId: z.ZodString;
201
+ format: z.ZodDefault<z.ZodEnum<{
202
+ xml: "xml";
203
+ json: "json";
204
+ }>>;
205
+ }, z.core.$strip>;
206
+ metadata: {
207
+ openapi: {
208
+ operationId: string;
209
+ summary: string;
210
+ description: string;
211
+ responses: {
212
+ "200": {
213
+ description: string;
214
+ };
215
+ };
216
+ };
217
+ };
218
+ } & {
219
+ use: any[];
220
+ }, Response>;
221
+ declare const registerSSOProvider: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/register", {
222
+ method: "POST";
223
+ body: z.ZodObject<{
224
+ providerId: z.ZodString;
225
+ issuer: z.ZodString;
226
+ domain: z.ZodString;
227
+ oidcConfig: z.ZodOptional<z.ZodObject<{
228
+ clientId: z.ZodString;
229
+ clientSecret: z.ZodString;
230
+ authorizationEndpoint: z.ZodOptional<z.ZodString>;
231
+ tokenEndpoint: z.ZodOptional<z.ZodString>;
232
+ userInfoEndpoint: z.ZodOptional<z.ZodString>;
233
+ tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
234
+ client_secret_post: "client_secret_post";
235
+ client_secret_basic: "client_secret_basic";
236
+ }>>;
237
+ jwksEndpoint: z.ZodOptional<z.ZodString>;
238
+ discoveryEndpoint: z.ZodOptional<z.ZodString>;
239
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
240
+ pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
241
+ mapping: z.ZodOptional<z.ZodObject<{
242
+ id: z.ZodString;
243
+ email: z.ZodString;
244
+ emailVerified: z.ZodOptional<z.ZodString>;
245
+ name: z.ZodString;
246
+ image: z.ZodOptional<z.ZodString>;
247
+ extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
248
+ }, z.core.$strip>>;
249
+ }, z.core.$strip>>;
250
+ samlConfig: z.ZodOptional<z.ZodObject<{
251
+ entryPoint: z.ZodString;
252
+ cert: z.ZodString;
253
+ callbackUrl: z.ZodString;
254
+ audience: z.ZodOptional<z.ZodString>;
255
+ idpMetadata: z.ZodOptional<z.ZodObject<{
256
+ metadata: z.ZodOptional<z.ZodString>;
257
+ entityID: z.ZodOptional<z.ZodString>;
258
+ cert: z.ZodOptional<z.ZodString>;
259
+ privateKey: z.ZodOptional<z.ZodString>;
260
+ privateKeyPass: z.ZodOptional<z.ZodString>;
261
+ isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
262
+ encPrivateKey: z.ZodOptional<z.ZodString>;
263
+ encPrivateKeyPass: z.ZodOptional<z.ZodString>;
264
+ singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
265
+ Binding: z.ZodString;
266
+ Location: z.ZodString;
267
+ }, z.core.$strip>>>;
268
+ }, z.core.$strip>>;
269
+ spMetadata: z.ZodObject<{
270
+ metadata: z.ZodOptional<z.ZodString>;
271
+ entityID: z.ZodOptional<z.ZodString>;
272
+ binding: z.ZodOptional<z.ZodString>;
273
+ privateKey: z.ZodOptional<z.ZodString>;
274
+ privateKeyPass: z.ZodOptional<z.ZodString>;
275
+ isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
276
+ encPrivateKey: z.ZodOptional<z.ZodString>;
277
+ encPrivateKeyPass: z.ZodOptional<z.ZodString>;
278
+ }, z.core.$strip>;
279
+ wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
280
+ signatureAlgorithm: z.ZodOptional<z.ZodString>;
281
+ digestAlgorithm: z.ZodOptional<z.ZodString>;
282
+ identifierFormat: z.ZodOptional<z.ZodString>;
283
+ privateKey: z.ZodOptional<z.ZodString>;
284
+ decryptionPvk: z.ZodOptional<z.ZodString>;
285
+ additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
286
+ mapping: z.ZodOptional<z.ZodObject<{
287
+ id: z.ZodString;
288
+ email: z.ZodString;
289
+ emailVerified: z.ZodOptional<z.ZodString>;
290
+ name: z.ZodString;
291
+ firstName: z.ZodOptional<z.ZodString>;
292
+ lastName: z.ZodOptional<z.ZodString>;
293
+ extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
294
+ }, z.core.$strip>>;
295
+ }, z.core.$strip>>;
296
+ organizationId: z.ZodOptional<z.ZodString>;
297
+ overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
298
+ }, z.core.$strip>;
299
+ use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
300
+ session: {
301
+ session: Record<string, any> & {
302
+ id: string;
303
+ createdAt: Date;
304
+ updatedAt: Date;
305
+ userId: string;
306
+ expiresAt: Date;
307
+ token: string;
308
+ ipAddress?: string | null | undefined;
309
+ userAgent?: string | null | undefined;
310
+ };
311
+ user: Record<string, any> & {
312
+ id: string;
313
+ createdAt: Date;
314
+ updatedAt: Date;
315
+ email: string;
316
+ emailVerified: boolean;
317
+ name: string;
318
+ image?: string | null | undefined;
319
+ };
320
+ };
321
+ }>)[];
322
+ metadata: {
323
+ openapi: {
324
+ operationId: string;
325
+ summary: string;
326
+ description: string;
327
+ responses: {
328
+ "200": {
329
+ description: string;
330
+ content: {
331
+ "application/json": {
332
+ schema: {
333
+ type: "object";
334
+ properties: {
335
+ issuer: {
336
+ type: string;
337
+ format: string;
338
+ description: string;
339
+ };
340
+ domain: {
341
+ type: string;
342
+ description: string;
343
+ };
344
+ oidcConfig: {
345
+ type: string;
346
+ properties: {
347
+ issuer: {
348
+ type: string;
349
+ format: string;
350
+ description: string;
351
+ };
352
+ pkce: {
353
+ type: string;
354
+ description: string;
355
+ };
356
+ clientId: {
357
+ type: string;
358
+ description: string;
359
+ };
360
+ clientSecret: {
361
+ type: string;
362
+ description: string;
363
+ };
364
+ authorizationEndpoint: {
365
+ type: string;
366
+ format: string;
367
+ nullable: boolean;
368
+ description: string;
369
+ };
370
+ discoveryEndpoint: {
371
+ type: string;
372
+ format: string;
373
+ description: string;
374
+ };
375
+ userInfoEndpoint: {
376
+ type: string;
377
+ format: string;
378
+ nullable: boolean;
379
+ description: string;
380
+ };
381
+ scopes: {
382
+ type: string;
383
+ items: {
384
+ type: string;
385
+ };
386
+ nullable: boolean;
387
+ description: string;
388
+ };
389
+ tokenEndpoint: {
390
+ type: string;
391
+ format: string;
392
+ nullable: boolean;
393
+ description: string;
394
+ };
395
+ tokenEndpointAuthentication: {
396
+ type: string;
397
+ enum: string[];
398
+ nullable: boolean;
399
+ description: string;
400
+ };
401
+ jwksEndpoint: {
402
+ type: string;
403
+ format: string;
404
+ nullable: boolean;
405
+ description: string;
406
+ };
407
+ mapping: {
408
+ type: string;
409
+ nullable: boolean;
410
+ properties: {
411
+ id: {
412
+ type: string;
413
+ description: string;
414
+ };
415
+ email: {
416
+ type: string;
417
+ description: string;
418
+ };
419
+ emailVerified: {
420
+ type: string;
421
+ nullable: boolean;
422
+ description: string;
423
+ };
424
+ name: {
425
+ type: string;
426
+ description: string;
427
+ };
428
+ image: {
429
+ type: string;
430
+ nullable: boolean;
431
+ description: string;
432
+ };
433
+ extraFields: {
434
+ type: string;
435
+ additionalProperties: {
436
+ type: string;
437
+ };
438
+ nullable: boolean;
439
+ description: string;
440
+ };
441
+ };
442
+ required: string[];
443
+ };
444
+ };
445
+ required: string[];
446
+ description: string;
447
+ };
448
+ organizationId: {
449
+ type: string;
450
+ nullable: boolean;
451
+ description: string;
452
+ };
453
+ userId: {
454
+ type: string;
455
+ description: string;
456
+ };
457
+ providerId: {
458
+ type: string;
459
+ description: string;
460
+ };
461
+ redirectURI: {
462
+ type: string;
463
+ format: string;
464
+ description: string;
465
+ };
466
+ };
467
+ required: string[];
468
+ };
469
+ };
470
+ };
471
+ };
472
+ };
473
+ };
474
+ };
475
+ } & {
476
+ use: any[];
477
+ }, {
478
+ oidcConfig: OIDCConfig;
479
+ samlConfig: SAMLConfig;
480
+ redirectURI: string;
481
+ issuer: string;
482
+ userId: string;
483
+ providerId: string;
484
+ organizationId?: string | undefined;
485
+ domain: string;
486
+ }>;
487
+ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
488
+ method: "POST";
489
+ body: z.ZodObject<{
490
+ email: z.ZodOptional<z.ZodString>;
491
+ organizationSlug: z.ZodOptional<z.ZodString>;
492
+ providerId: z.ZodOptional<z.ZodString>;
493
+ domain: z.ZodOptional<z.ZodString>;
494
+ callbackURL: z.ZodString;
495
+ errorCallbackURL: z.ZodOptional<z.ZodString>;
496
+ newUserCallbackURL: z.ZodOptional<z.ZodString>;
497
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
498
+ loginHint: z.ZodOptional<z.ZodString>;
499
+ requestSignUp: z.ZodOptional<z.ZodBoolean>;
500
+ providerType: z.ZodOptional<z.ZodEnum<{
501
+ oidc: "oidc";
502
+ saml: "saml";
503
+ }>>;
504
+ }, z.core.$strip>;
505
+ metadata: {
506
+ openapi: {
507
+ operationId: string;
508
+ summary: string;
509
+ description: string;
510
+ requestBody: {
511
+ content: {
512
+ "application/json": {
513
+ schema: {
514
+ type: "object";
515
+ properties: {
516
+ email: {
517
+ type: string;
518
+ description: string;
519
+ };
520
+ issuer: {
521
+ type: string;
522
+ description: string;
523
+ };
524
+ providerId: {
525
+ type: string;
526
+ description: string;
527
+ };
528
+ callbackURL: {
529
+ type: string;
530
+ description: string;
531
+ };
532
+ errorCallbackURL: {
533
+ type: string;
534
+ description: string;
535
+ };
536
+ newUserCallbackURL: {
537
+ type: string;
538
+ description: string;
539
+ };
540
+ loginHint: {
541
+ type: string;
542
+ description: string;
543
+ };
544
+ };
545
+ required: string[];
546
+ };
547
+ };
548
+ };
549
+ };
550
+ responses: {
551
+ "200": {
552
+ description: string;
553
+ content: {
554
+ "application/json": {
555
+ schema: {
556
+ type: "object";
557
+ properties: {
558
+ url: {
559
+ type: string;
560
+ format: string;
561
+ description: string;
562
+ };
563
+ redirect: {
564
+ type: string;
565
+ description: string;
566
+ enum: boolean[];
567
+ };
568
+ };
569
+ required: string[];
570
+ };
571
+ };
572
+ };
573
+ };
574
+ };
575
+ };
576
+ };
577
+ } & {
578
+ use: any[];
579
+ }, {
580
+ url: string;
581
+ redirect: boolean;
582
+ }>;
583
+ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
584
+ method: "GET";
585
+ query: z.ZodObject<{
586
+ code: z.ZodOptional<z.ZodString>;
587
+ state: z.ZodString;
588
+ error: z.ZodOptional<z.ZodString>;
589
+ error_description: z.ZodOptional<z.ZodString>;
590
+ }, z.core.$strip>;
591
+ metadata: {
592
+ isAction: boolean;
593
+ openapi: {
594
+ operationId: string;
595
+ summary: string;
596
+ description: string;
597
+ responses: {
598
+ "302": {
599
+ description: string;
600
+ };
601
+ };
602
+ };
603
+ };
604
+ } & {
605
+ use: any[];
606
+ }, never>;
607
+ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
608
+ method: "POST";
609
+ body: z.ZodObject<{
610
+ SAMLResponse: z.ZodString;
611
+ RelayState: z.ZodOptional<z.ZodString>;
612
+ }, z.core.$strip>;
613
+ metadata: {
614
+ isAction: boolean;
615
+ openapi: {
616
+ operationId: string;
617
+ summary: string;
618
+ description: string;
619
+ responses: {
620
+ "302": {
621
+ description: string;
622
+ };
623
+ "400": {
624
+ description: string;
625
+ };
626
+ "401": {
627
+ description: string;
628
+ };
629
+ };
630
+ };
631
+ };
632
+ } & {
633
+ use: any[];
634
+ }, never>;
635
+ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
636
+ method: "POST";
637
+ params: z.ZodObject<{
638
+ providerId: z.ZodOptional<z.ZodString>;
639
+ }, z.core.$strip>;
640
+ body: z.ZodObject<{
641
+ SAMLResponse: z.ZodString;
642
+ RelayState: z.ZodOptional<z.ZodString>;
643
+ }, z.core.$strip>;
644
+ metadata: {
645
+ isAction: boolean;
646
+ openapi: {
647
+ operationId: string;
648
+ summary: string;
649
+ description: string;
650
+ responses: {
651
+ "302": {
652
+ description: string;
653
+ };
654
+ };
655
+ };
656
+ };
657
+ } & {
658
+ use: any[];
659
+ }, never>;
660
+ //#endregion
661
+ //#region src/index.d.ts
662
+ type SSOEndpoints = {
663
+ spMetadata: ReturnType<typeof spMetadata>;
664
+ registerSSOProvider: ReturnType<typeof registerSSOProvider>;
665
+ signInSSO: ReturnType<typeof signInSSO>;
666
+ callbackSSO: ReturnType<typeof callbackSSO>;
667
+ callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
668
+ acsEndpoint: ReturnType<typeof acsEndpoint>;
669
+ };
670
+ declare function sso<O extends SSOOptions>(options?: O | undefined): {
671
+ id: "sso";
672
+ endpoints: SSOEndpoints;
673
+ };
674
+ //#endregion
675
+ export { SSOProvider as a, SSOOptions as i, OIDCConfig as n, SAMLConfig as r, sso as t };