@better-auth/sso 1.4.0-beta.20 → 1.4.0-beta.21

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.20",
+  "version": "1.4.0-beta.21",
   "type": "module",
   "main": "dist/index.mjs",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -65,10 +65,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^7.2.1",
     "tsdown": "^0.16.0",
-    "better-auth": "1.4.0-beta.20"
+    "better-auth": "1.4.0-beta.21"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.20"
+    "better-auth": "1.4.0-beta.21"
   },
   "scripts": {
     "test": "vitest",

package/src/client.ts

@@ -1,5 +1,5 @@
 import type { BetterAuthClientPlugin } from "better-auth";
-import { sso } from "./index";
+import type { sso } from "./index";
 export const ssoClient = () => {
 	return {
 		id: "sso-client",

package/src/index.ts

@@ -9,9 +9,9 @@ import {
 	signInSSO,
 	spMetadata,
 } from "./routes/sso";
-import type { OIDCConfig, SAMLConfig, SSOOptions } from "./types";
+import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
-export type { SAMLConfig, OIDCConfig, SSOOptions };
+export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
 
 const fastValidator = {
 	async validate(xml: string) {

package/src/routes/sso.ts

@@ -63,6 +63,7 @@ export const spMetadata = () => {
 			}),
 			metadata: {
 				openapi: {
+					operationId: "getSSOServiceProviderMetadata",
 					summary: "Get Service Provider metadata",
 					description: "Returns the SAML metadata for the Service Provider",
 					responses: {
@@ -337,6 +338,7 @@ export const registerSSOProvider = (options?: SSOOptions) => {
 			use: [sessionMiddleware],
 			metadata: {
 				openapi: {
+					operationId: "registerSSOProvider",
 					summary: "Register an OIDC provider",
 					description:
 						"This endpoint is used to register an OIDC provider. This is used to configure the provider and link it to an organization",
@@ -726,6 +728,7 @@ export const signInSSO = (options?: SSOOptions) => {
 			}),
 			metadata: {
 				openapi: {
+					operationId: "signInWithSSO",
 					summary: "Sign in with SSO provider",
 					description:
 						"This endpoint is used to sign in with an SSO provider. It redirects to the provider's authorization URL",
@@ -1014,6 +1017,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 			metadata: {
 				isAction: false,
 				openapi: {
+					operationId: "handleSSOCallback",
 					summary: "Callback URL for SSO provider",
 					description:
 						"This endpoint is used as the callback URL for SSO providers. It handles the authorization code and exchanges it for an access token",
@@ -1362,6 +1366,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			metadata: {
 				isAction: false,
 				openapi: {
+					operationId: "handleSAMLCallback",
 					summary: "Callback URL for SAML provider",
 					description:
 						"This endpoint is used as the callback URL for SAML providers.",
@@ -1584,6 +1589,14 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			if (existingUser) {
 				user = existingUser;
 			} else {
+				// if implicit sign up is disabled, we should not create a new user nor a new account.
+				if (options?.disableImplicitSignUp) {
+					throw new APIError("UNAUTHORIZED", {
+						message:
+							"User not found and implicit sign up is disabled for this provider",
+					});
+				}
+
 				user = await ctx.context.internalAdapter.createUser({
 					email: userInfo.email,
 					name: userInfo.name,
@@ -1687,6 +1700,7 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			metadata: {
 				isAction: false,
 				openapi: {
+					operationId: "handleSAMLAssertionConsumerService",
 					summary: "SAML Assertion Consumer Service",
 					description:
 						"Handles SAML responses from IdP after successful authentication",

package/src/saml.test.ts

@@ -1118,4 +1118,68 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should reject SAML sign-in when disableImplicitSignUp is true and user doesn't exist", async () => {
+		const { auth: authWithDisabledSignUp, signInWithTestUser } =
+			await getTestInstance({
+				plugins: [sso({ disableImplicitSignUp: true })],
+			});
+
+		const { headers } = await signInWithTestUser();
+
+		// Register SAML provider
+		await authWithDisabledSignUp.api.registerSSOProvider({
+			body: {
+				providerId: "saml-test-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers: headers,
+		});
+
+		// Identity Provider-initiated: Get SAML response directly from IdP
+		// The mock IdP will return test@email.com, which doesn't exist in the DB
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		// Attempt to complete SAML callback - should fail because test@email.com doesn't exist
+		// and disableImplicitSignUp is true
+		await expect(
+			authWithDisabledSignUp.api.callbackSSOSAML({
+				body: {
+					SAMLResponse: samlResponse.samlResponse,
+					RelayState: "http://localhost:3000/dashboard",
+				},
+				params: {
+					providerId: "saml-test-provider",
+				},
+			}),
+		).rejects.toMatchObject({
+			status: "UNAUTHORIZED",
+			body: {
+				message:
+					"User not found and implicit sign up is disabled for this provider",
+			},
+		});
+	});
 });