@better-auth/sso 1.4.0-beta.21 → 1.4.0-beta.22

package/.turbo/turbo-build.log

@@ -1,16 +1,16 @@
 
-> @better-auth/sso@1.4.0-beta.21 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.22 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.16.0 powered by rolldown v1.0.0-beta.46
+ℹ tsdown v0.16.5 powered by rolldown v1.0.0-beta.50
 ℹ Using tsdown config: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts
-ℹ entry: src/client.ts, src/index.ts
+ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             47.64 kB │ gzip: 8.57 kB
+ℹ dist/index.mjs             48.56 kB │ gzip: 8.72 kB
 ℹ dist/client.mjs             0.15 kB │ gzip: 0.14 kB
 ℹ dist/client.d.mts           0.21 kB │ gzip: 0.18 kB
 ℹ dist/index.d.mts            0.18 kB │ gzip: 0.14 kB
-ℹ dist/index-C091fIpa.d.mts  20.75 kB │ gzip: 3.37 kB
-ℹ 5 files, total: 68.93 kB
-✔ Build complete in 10064ms
+ℹ dist/index-DOws6HlV.d.mts  21.24 kB │ gzip: 3.48 kB
+ℹ 5 files, total: 70.34 kB
+✔ Build complete in 11501ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as sso } from "./index-C091fIpa.mjs";
+import { t as sso } from "./index-DOws6HlV.mjs";
 
 //#region src/client.d.ts
 declare const ssoClient: () => {

package/dist/{index-C091fIpa.d.mts → index-DOws6HlV.d.mts}

@@ -165,6 +165,29 @@ interface SSOOptions {
    * sign-in need to be called with with requestSignUp as true to create new users.
    */
   disableImplicitSignUp?: boolean | undefined;
+  /**
+   * The model name for the SSO provider table. Defaults to "ssoProvider".
+   */
+  modelName?: string;
+  /**
+   * Map fields
+   *
+   * @example
+   * ```ts
+   * {
+   *  samlConfig: "saml_config"
+   * }
+   * ```
+   */
+  fields?: {
+    issuer?: string | undefined;
+    oidcConfig?: string | undefined;
+    samlConfig?: string | undefined;
+    userId?: string | undefined;
+    providerId?: string | undefined;
+    organizationId?: string | undefined;
+    domain?: string | undefined;
+  };
   /**
    * Configure the maximum number of SSO providers a user can register.
    * You can also pass a function that returns a number.

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOProvider, i as SSOOptions, n as OIDCConfig, r as SAMLConfig, t as sso } from "./index-C091fIpa.mjs";
+import { a as SSOProvider, i as SSOOptions, n as OIDCConfig, r as SAMLConfig, t as sso } from "./index-DOws6HlV.mjs";
 export { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider, sso };

package/dist/index.mjs

@@ -1,7 +1,7 @@
-import { createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import { createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { APIError, createAuthEndpoint, sessionMiddleware } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
@@ -504,6 +504,12 @@ const signInSSO = (options) => {
 			if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
 		}
 		if (provider.oidcConfig && body.providerType !== "saml") {
+			let finalAuthUrl = provider.oidcConfig.authorizationEndpoint;
+			if (!finalAuthUrl && provider.oidcConfig.discoveryEndpoint) {
+				const discovery = await betterFetch(provider.oidcConfig.discoveryEndpoint, { method: "GET" });
+				if (discovery.data) finalAuthUrl = discovery.data.authorization_endpoint;
+			}
+			if (!finalAuthUrl) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
 			const state = await generateState(ctx, void 0, false);
 			const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 			const authorizationURL = await createAuthorizationURL({
@@ -522,7 +528,7 @@ const signInSSO = (options) => {
 					"offline_access"
 				],
 				loginHint: ctx.body.loginHint || email,
-				authorizationEndpoint: provider.oidcConfig.authorizationEndpoint
+				authorizationEndpoint: finalAuthUrl
 			});
 			return ctx.json({
 				url: authorizationURL.toString(),
@@ -1183,40 +1189,50 @@ function sso(options) {
 			callbackSSOSAML: callbackSSOSAML(options),
 			acsEndpoint: acsEndpoint(options)
 		},
-		schema: { ssoProvider: { fields: {
-			issuer: {
-				type: "string",
-				required: true
-			},
-			oidcConfig: {
-				type: "string",
-				required: false
-			},
-			samlConfig: {
-				type: "string",
-				required: false
-			},
-			userId: {
-				type: "string",
-				references: {
-					model: "user",
-					field: "id"
+		schema: { ssoProvider: {
+			modelName: options?.modelName ?? "ssoProvider",
+			fields: {
+				issuer: {
+					type: "string",
+					required: true,
+					fieldName: options?.fields?.issuer ?? "issuer"
+				},
+				oidcConfig: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.oidcConfig ?? "oidcConfig"
+				},
+				samlConfig: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.samlConfig ?? "samlConfig"
+				},
+				userId: {
+					type: "string",
+					references: {
+						model: "user",
+						field: "id"
+					},
+					fieldName: options?.fields?.userId ?? "userId"
+				},
+				providerId: {
+					type: "string",
+					required: true,
+					unique: true,
+					fieldName: options?.fields?.providerId ?? "providerId"
+				},
+				organizationId: {
+					type: "string",
+					required: false,
+					fieldName: options?.fields?.organizationId ?? "organizationId"
+				},
+				domain: {
+					type: "string",
+					required: true,
+					fieldName: options?.fields?.domain ?? "domain"
 				}
-			},
-			providerId: {
-				type: "string",
-				required: true,
-				unique: true
-			},
-			organizationId: {
-				type: "string",
-				required: false
-			},
-			domain: {
-				type: "string",
-				required: true
 			}
-		} } }
+		} }
 	};
 }
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.21",
+  "version": "1.4.0-beta.22",
   "type": "module",
   "main": "dist/index.mjs",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -65,10 +65,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^7.2.1",
     "tsdown": "^0.16.0",
-    "better-auth": "1.4.0-beta.21"
+    "better-auth": "1.4.0-beta.22"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.21"
+    "better-auth": "1.4.0-beta.22"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -1,4 +1,4 @@
-import { type BetterAuthPlugin } from "better-auth";
+import type { BetterAuthPlugin } from "better-auth";
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
 import {
@@ -54,18 +54,22 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 		},
 		schema: {
 			ssoProvider: {
+				modelName: options?.modelName ?? "ssoProvider",
 				fields: {
 					issuer: {
 						type: "string",
 						required: true,
+						fieldName: options?.fields?.issuer ?? "issuer",
 					},
 					oidcConfig: {
 						type: "string",
 						required: false,
+						fieldName: options?.fields?.oidcConfig ?? "oidcConfig",
 					},
 					samlConfig: {
 						type: "string",
 						required: false,
+						fieldName: options?.fields?.samlConfig ?? "samlConfig",
 					},
 					userId: {
 						type: "string",
@@ -73,19 +77,23 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 							model: "user",
 							field: "id",
 						},
+						fieldName: options?.fields?.userId ?? "userId",
 					},
 					providerId: {
 						type: "string",
 						required: true,
 						unique: true,
+						fieldName: options?.fields?.providerId ?? "providerId",
 					},
 					organizationId: {
 						type: "string",
 						required: false,
+						fieldName: options?.fields?.organizationId ?? "organizationId",
 					},
 					domain: {
 						type: "string",
 						required: true,
+						fieldName: options?.fields?.domain ?? "domain",
 					},
 				},
 			},

package/src/routes/sso.ts

@@ -1,11 +1,9 @@
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import type { Account, Session, User } from "better-auth";
 import {
-	type Account,
 	createAuthorizationURL,
 	generateState,
 	parseState,
-	type Session,
-	type User,
 	validateAuthorizationCode,
 	validateToken,
 } from "better-auth";
@@ -928,6 +926,22 @@ export const signInSSO = (options?: SSOOptions) => {
 			}
 
 			if (provider.oidcConfig && body.providerType !== "saml") {
+				let finalAuthUrl = provider.oidcConfig.authorizationEndpoint;
+				if (!finalAuthUrl && provider.oidcConfig.discoveryEndpoint) {
+					const discovery = await betterFetch<{
+						authorization_endpoint: string;
+					}>(provider.oidcConfig.discoveryEndpoint, {
+						method: "GET",
+					});
+					if (discovery.data) {
+						finalAuthUrl = discovery.data.authorization_endpoint;
+					}
+				}
+				if (!finalAuthUrl) {
+					throw new APIError("BAD_REQUEST", {
+						message: "Invalid OIDC configuration. Authorization URL not found.",
+					});
+				}
 				const state = await generateState(ctx, undefined, false);
 				const redirectURI = `${ctx.context.baseURL}/sso/callback/${provider.providerId}`;
 				const authorizationURL = await createAuthorizationURL({
@@ -949,7 +963,7 @@ export const signInSSO = (options?: SSOOptions) => {
 							"offline_access",
 						],
 					loginHint: ctx.body.loginHint || email,
-					authorizationEndpoint: provider.oidcConfig.authorizationEndpoint!,
+					authorizationEndpoint: finalAuthUrl,
 				});
 				return ctx.json({
 					url: authorizationURL.toString(),

package/src/saml.test.ts

@@ -13,7 +13,7 @@ import type {
 	Response as ExpressResponse,
 } from "express";
 import express from "express";
-import { createServer } from "http";
+import type { createServer } from "http";
 import * as saml from "samlify";
 import {
 	afterAll,
@@ -1183,3 +1183,145 @@ describe("SAML SSO", async () => {
 		});
 	});
 });
+
+describe("SAML SSO with custom fields", () => {
+	const ssoOptions = {
+		modelName: "sso_provider",
+		fields: {
+			issuer: "the_issuer",
+			oidcConfig: "oidc_config",
+			samlConfig: "saml_config",
+			userId: "user_id",
+			providerId: "provider_id",
+			organizationId: "organization_id",
+			domain: "the_domain",
+		},
+	};
+
+	const data = {
+		user: [],
+		session: [],
+		verification: [],
+		account: [],
+		sso_provider: [],
+	};
+
+	const memory = memoryAdapter(data);
+	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
+
+	const auth = betterAuth({
+		database: memory,
+		baseURL: "http://localhost:3000",
+		emailAndPassword: {
+			enabled: true,
+		},
+		plugins: [sso(ssoOptions)],
+	});
+
+	const authClient = createAuthClient({
+		baseURL: "http://localhost:3000",
+		plugins: [bearer(), ssoClient()],
+		fetchOptions: {
+			customFetchImpl: async (url, init) => {
+				return auth.handler(new Request(url, init));
+			},
+		},
+	});
+
+	const testUser = {
+		email: "test@email.com",
+		password: "password",
+		name: "Test User",
+	};
+
+	beforeAll(async () => {
+		await mockIdP.start();
+		const res = await authClient.signUp.email({
+			email: testUser.email,
+			password: testUser.password,
+			name: testUser.name,
+		});
+	});
+
+	afterAll(async () => {
+		await mockIdP.stop();
+	});
+
+	beforeEach(() => {
+		data.user = [];
+		data.session = [];
+		data.verification = [];
+		data.account = [];
+		data.sso_provider = [];
+
+		vi.clearAllMocks();
+	});
+
+	async function getAuthHeaders() {
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: testUser.email,
+			password: testUser.password,
+			name: testUser.name,
+		});
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+		return headers;
+	}
+
+	it("should register a new SAML provider", async () => {
+		const headers = await getAuthHeaders();
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-provider-1",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+						privateKey: idpPrivateKey,
+						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
+						isAssertionEncrypted: true,
+						encPrivateKey: idpEncryptionKey,
+						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
+					},
+					spMetadata: {
+						metadata: spMetadata,
+						binding: "post",
+						privateKey: spPrivateKey,
+						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
+						isAssertionEncrypted: true,
+						encPrivateKey: spEncryptionKey,
+						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+		expect(provider).toMatchObject({
+			id: expect.any(String),
+			issuer: "http://localhost:8081",
+			samlConfig: {
+				entryPoint: mockIdP.metadataUrl,
+				cert: expect.any(String),
+				callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+				wantAssertionsSigned: false,
+				signatureAlgorithm: "sha256",
+				digestAlgorithm: "sha256",
+				identifierFormat:
+					"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+			},
+		});
+	});
+});

package/src/types.ts

@@ -177,6 +177,29 @@ export interface SSOOptions {
 	 * sign-in need to be called with with requestSignUp as true to create new users.
 	 */
 	disableImplicitSignUp?: boolean | undefined;
+	/**
+	 * The model name for the SSO provider table. Defaults to "ssoProvider".
+	 */
+	modelName?: string;
+	/**
+	 * Map fields
+	 *
+	 * @example
+	 * ```ts
+	 * {
+	 *  samlConfig: "saml_config"
+	 * }
+	 * ```
+	 */
+	fields?: {
+		issuer?: string | undefined;
+		oidcConfig?: string | undefined;
+		samlConfig?: string | undefined;
+		userId?: string | undefined;
+		providerId?: string | undefined;
+		organizationId?: string | undefined;
+		domain?: string | undefined;
+	};
 	/**
 	 * Configure the maximum number of SSO providers a user can register.
 	 * You can also pass a function that returns a number.

package/vitest.config.ts

@@ -0,0 +1,3 @@
+import { defineProject } from "vitest/config";
+
+export default defineProject({});