@better-auth/sso 1.4.0-beta.2 → 1.4.0-beta.4

package/.turbo/turbo-build.log

@@ -1,17 +1,17 @@
 
-> @better-auth/sso@1.4.0-beta.2 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.4 build /home/runner/work/better-auth/better-auth/packages/sso
 > unbuild
 
 [info] Automatically detected entries: src/index, src/client [esm] [cjs] [dts]
 [info] Building sso
 [success] Build succeeded for sso
-[log]   dist/index.cjs (total size: 66.4 kB, chunk size: 66.4 kB, exports: sso)
+[log]   dist/index.cjs (total size: 67.2 kB, chunk size: 67.2 kB, exports: sso)
 
 [log]   dist/client.cjs (total size: 141 B, chunk size: 141 B, exports: ssoClient)
 
-[log]   dist/index.mjs (total size: 64.7 kB, chunk size: 64.7 kB, exports: sso)
+[log]   dist/index.mjs (total size: 65.5 kB, chunk size: 65.5 kB, exports: sso)
 
 [log]   dist/client.mjs (total size: 117 B, chunk size: 117 B, exports: ssoClient)
 
-Σ Total dist size (byte size): 258 kB
+Σ Total dist size (byte size): 260 kB
 [log]

package/dist/index.cjs

@@ -76,8 +76,18 @@ const sso = (options) => {
             });
           }
           const parsedSamlConfig = JSON.parse(provider.samlConfig);
-          const sp = saml__namespace.ServiceProvider({
+          const sp = parsedSamlConfig.spMetadata.metadata ? saml__namespace.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
+          }) : saml__namespace.SPMetadata({
+            entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+            assertionConsumerService: [
+              {
+                Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
+              }
+            ],
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           return new Response(sp.getMetadata(), {
             headers: {
@@ -711,10 +721,10 @@ const sso = (options) => {
               allowCreate: true
             });
             const idp = saml__namespace.IdentityProvider({
-              metadata: parsedSamlConfig.idpMetadata.metadata,
-              entityID: parsedSamlConfig.idpMetadata.entityID,
-              encryptCert: parsedSamlConfig.idpMetadata.cert,
-              singleSignOnService: parsedSamlConfig.idpMetadata.singleSignOnService
+              metadata: parsedSamlConfig.idpMetadata?.metadata,
+              entityID: parsedSamlConfig.idpMetadata?.entityID,
+              encryptCert: parsedSamlConfig.idpMetadata?.cert,
+              singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
             });
             const loginRequest = sp.createLoginRequest(
               idp,
@@ -1103,7 +1113,8 @@ const sso = (options) => {
             isAssertionEncrypted: spData?.isAssertionEncrypted || false,
             encPrivateKey: spData?.encPrivateKey,
             encPrivateKeyPass: spData?.encPrivateKeyPass,
-            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           let parsedResponse;
           try {
@@ -1337,13 +1348,14 @@ const sso = (options) => {
             assertionConsumerService: [
               {
                 Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs`
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`
               }
             ],
             wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
             metadata: parsedSamlConfig.spMetadata?.metadata,
             privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           const idpData = parsedSamlConfig.idpMetadata;
           const idp = !idpData?.metadata ? saml__namespace.IdentityProvider({

package/dist/index.mjs

@@ -59,8 +59,18 @@ const sso = (options) => {
             });
           }
           const parsedSamlConfig = JSON.parse(provider.samlConfig);
-          const sp = saml.ServiceProvider({
+          const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
+          }) : saml.SPMetadata({
+            entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
+            assertionConsumerService: [
+              {
+                Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`
+              }
+            ],
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           return new Response(sp.getMetadata(), {
             headers: {
@@ -694,10 +704,10 @@ const sso = (options) => {
               allowCreate: true
             });
             const idp = saml.IdentityProvider({
-              metadata: parsedSamlConfig.idpMetadata.metadata,
-              entityID: parsedSamlConfig.idpMetadata.entityID,
-              encryptCert: parsedSamlConfig.idpMetadata.cert,
-              singleSignOnService: parsedSamlConfig.idpMetadata.singleSignOnService
+              metadata: parsedSamlConfig.idpMetadata?.metadata,
+              entityID: parsedSamlConfig.idpMetadata?.entityID,
+              encryptCert: parsedSamlConfig.idpMetadata?.cert,
+              singleSignOnService: parsedSamlConfig.idpMetadata?.singleSignOnService
             });
             const loginRequest = sp.createLoginRequest(
               idp,
@@ -1086,7 +1096,8 @@ const sso = (options) => {
             isAssertionEncrypted: spData?.isAssertionEncrypted || false,
             encPrivateKey: spData?.encPrivateKey,
             encPrivateKeyPass: spData?.encPrivateKeyPass,
-            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false
+            wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           let parsedResponse;
           try {
@@ -1320,13 +1331,14 @@ const sso = (options) => {
             assertionConsumerService: [
               {
                 Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs`
+                Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`
               }
             ],
             wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
             metadata: parsedSamlConfig.spMetadata?.metadata,
             privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+            privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+            nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
           });
           const idpData = parsedSamlConfig.idpMetadata;
           const idp = !idpData?.metadata ? saml.IdentityProvider({

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.2",
+  "version": "1.4.0-beta.4",
   "main": "dist/index.cjs",
   "license": "MIT",
   "keywords": [
@@ -58,15 +58,15 @@
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
     "unbuild": "3.6.1",
-    "better-auth": "^1.4.0-beta.2"
+    "better-auth": "^1.4.0-beta.4"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.2"
+    "better-auth": "1.4.0-beta.4"
   },
   "scripts": {
     "test": "vitest",
     "build": "unbuild",
-    "typecheck": "tsc --noEmit",
-    "dev": "unbuild --watch"
+    "dev": "unbuild --watch",
+    "typecheck": "tsc --project tsconfig.json"
   }
 }

package/src/index.ts

@@ -252,6 +252,7 @@ export const sso = (options?: SSOOptions) => {
 				},
 				async (ctx) => {
 					const provider = await ctx.context.adapter.findOne<{
+						id: string;
 						samlConfig: string;
 					}>({
 						model: "ssoProvider",
@@ -268,10 +269,29 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 
-					const parsedSamlConfig = JSON.parse(provider.samlConfig);
-					const sp = saml.ServiceProvider({
-						metadata: parsedSamlConfig.spMetadata.metadata,
-					});
+					const parsedSamlConfig: SAMLConfig = JSON.parse(provider.samlConfig);
+					const sp = parsedSamlConfig.spMetadata.metadata
+						? saml.ServiceProvider({
+								metadata: parsedSamlConfig.spMetadata.metadata,
+							})
+						: saml.SPMetadata({
+								entityID:
+									parsedSamlConfig.spMetadata?.entityID ||
+									parsedSamlConfig.issuer,
+								assertionConsumerService: [
+									{
+										Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+										Location:
+											parsedSamlConfig.callbackUrl ||
+											`${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`,
+									},
+								],
+								wantMessageSigned:
+									parsedSamlConfig.wantAssertionsSigned || false,
+								nameIDFormat: parsedSamlConfig.identifierFormat
+									? [parsedSamlConfig.identifierFormat]
+									: undefined,
+							});
 					return new Response(sp.getMetadata(), {
 						headers: {
 							"Content-Type": "application/xml",
@@ -1074,7 +1094,7 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig =
+						const parsedSamlConfig: SAMLConfig =
 							typeof provider.samlConfig === "object"
 								? provider.samlConfig
 								: JSON.parse(provider.samlConfig as unknown as string);
@@ -1084,11 +1104,11 @@ export const sso = (options?: SSOOptions) => {
 						});
 
 						const idp = saml.IdentityProvider({
-							metadata: parsedSamlConfig.idpMetadata.metadata,
-							entityID: parsedSamlConfig.idpMetadata.entityID,
-							encryptCert: parsedSamlConfig.idpMetadata.cert,
+							metadata: parsedSamlConfig.idpMetadata?.metadata,
+							entityID: parsedSamlConfig.idpMetadata?.entityID,
+							encryptCert: parsedSamlConfig.idpMetadata?.cert,
 							singleSignOnService:
-								parsedSamlConfig.idpMetadata.singleSignOnService,
+								parsedSamlConfig.idpMetadata?.singleSignOnService,
 						});
 						const loginRequest = sp.createLoginRequest(
 							idp,
@@ -1577,6 +1597,9 @@ export const sso = (options?: SSOOptions) => {
 						encPrivateKey: spData?.encPrivateKey,
 						encPrivateKeyPass: spData?.encPrivateKeyPass,
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+						nameIDFormat: parsedSamlConfig.identifierFormat
+							? [parsedSamlConfig.identifierFormat]
+							: undefined,
 					});
 
 					let parsedResponse: FlowResult;
@@ -1864,7 +1887,7 @@ export const sso = (options?: SSOOptions) => {
 								Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 								Location:
 									parsedSamlConfig.callbackUrl ||
-									`${ctx.context.baseURL}/sso/saml2/sp/acs`,
+									`${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`,
 							},
 						],
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
@@ -1873,6 +1896,9 @@ export const sso = (options?: SSOOptions) => {
 							parsedSamlConfig.spMetadata?.privateKey ||
 							parsedSamlConfig.privateKey,
 						privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+						nameIDFormat: parsedSamlConfig.identifierFormat
+							? [parsedSamlConfig.identifierFormat]
+							: undefined,
 					});
 
 					// Update where we construct the IdP

package/src/saml.test.ts

@@ -242,7 +242,7 @@ const certificate = `
     yyoWAJDUHiAmvFA=
     -----END CERTIFICATE-----
     `;
-const idpEncyptionKey = `
+const idpEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -274,7 +274,7 @@ const idpEncyptionKey = `
     ISbutnQPUN5fsaIsgKDIV3T7n6519t6brobcW5bdigmf5ebFeZJ16/lYy6V77UM5
     -----END RSA PRIVATE KEY-----
     `;
-const spEncyptionKey = `
+const spEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -698,7 +698,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -707,7 +707,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -754,7 +754,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -763,7 +763,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -782,6 +782,69 @@ describe("SAML SSO", async () => {
 		expect(spMetadataRes.status).toBe(200);
 		expect(spMetadataResResValue).toBe(spMetadata);
 	});
+	it("Should fetch sp metadata", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+		const issuer = "http://localhost:8081";
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-provider-1",
+				issuer: issuer,
+				domain: issuer,
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: `${issuer}/api/sso/saml2/sp/acs`,
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+						privateKey: idpPrivateKey,
+						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
+						isAssertionEncrypted: true,
+						encPrivateKey: idpEncryptionKey,
+						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
+					},
+					spMetadata: {
+						binding: "post",
+						privateKey: spPrivateKey,
+						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
+						isAssertionEncrypted: true,
+						encPrivateKey: spEncryptionKey,
+						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		const spMetadataRes = await auth.api.spMetadata({
+			query: {
+				providerId: provider.providerId,
+			},
+		});
+		const spMetadataResResValue = await spMetadataRes.text();
+		expect(spMetadataRes.status).toBe(200);
+		expect(spMetadataResResValue).toBeDefined();
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+		);
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+		);
+		expect(spMetadataResResValue).toContain(
+			`<EntityDescriptor entityID="${issuer}"`,
+		);
+		expect(spMetadataResResValue).toContain(
+			`Location="${issuer}/api/sso/saml2/sp/acs"`,
+		);
+	});
 	it("should initiate SAML login and handle response", async () => {
 		const headers = await getAuthHeaders();
 		const res = await authClient.signIn.email(testUser, {
@@ -805,7 +868,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -814,7 +877,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:

package/tsconfig.json

@@ -1,20 +1,14 @@
 {
+  "extends": "../../tsconfig.json",
   "compilerOptions": {
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "target": "es2022",
-    "allowJs": true,
-    "resolveJsonModule": true,
-    "module": "ESNext",
-    "noEmit": true,
-    "moduleResolution": "Bundler",
-    "moduleDetection": "force",
-    "isolatedModules": true,
-    "verbatimModuleSyntax": true,
-    "strict": true,
-    "noImplicitOverride": true,
-    "noFallthroughCasesInSwitch": true
+    "rootDir": "./src",
+    "outDir": "./dist",
+    "lib": ["esnext", "dom", "dom.iterable"]
   },
-  "exclude": ["node_modules", "dist"],
+  "references": [
+    {
+      "path": "../better-auth/tsconfig.json"
+    }
+  ],
   "include": ["src"]
 }