@better-auth/sso 1.4.0-beta.22 → 1.4.0-beta.23

package/dist/index.mjs

@@ -1,13 +1,197 @@
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
+import { APIError, createAuthEndpoint, sessionMiddleware } from "better-auth/api";
+import { generateRandomString } from "better-auth/crypto";
+import * as z from "zod/v4";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
-import { APIError, createAuthEndpoint, sessionMiddleware } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
-import * as z from "zod/v4";
 
+//#region src/routes/domain-verification.ts
+const requestDomainVerification = (options) => {
+	return createAuthEndpoint("/sso/request-domain-verification", {
+		method: "POST",
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			summary: "Request a domain verification",
+			description: "Request a domain verification for the given SSO provider",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified" },
+				"201": { description: "Domain submitted for verification" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: body.providerId
+			}]
+		});
+		if (!provider) throw new APIError("NOT_FOUND", {
+			message: "Provider not found",
+			code: "PROVIDER_NOT_FOUND"
+		});
+		const userId = ctx.context.session.user.id;
+		let isOrgMember = true;
+		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
+			model: "member",
+			where: [{
+				field: "userId",
+				value: userId
+			}, {
+				field: "organizationId",
+				value: provider.organizationId
+			}]
+		}) > 0;
+		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
+			message: "User must be owner of or belong to the SSO provider organization",
+			code: "INSUFICCIENT_ACCESS"
+		});
+		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const activeVerification = await ctx.context.adapter.findOne({
+			model: "verification",
+			where: [{
+				field: "identifier",
+				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+			}, {
+				field: "expiresAt",
+				value: /* @__PURE__ */ new Date(),
+				operator: "gt"
+			}]
+		});
+		if (activeVerification) {
+			ctx.setStatus(201);
+			return ctx.json({ domainVerificationToken: activeVerification.value });
+		}
+		const domainVerificationToken = generateRandomString(24);
+		await ctx.context.adapter.create({
+			model: "verification",
+			data: {
+				identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+				createdAt: /* @__PURE__ */ new Date(),
+				updatedAt: /* @__PURE__ */ new Date(),
+				value: domainVerificationToken,
+				expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+			}
+		});
+		ctx.setStatus(201);
+		return ctx.json({ domainVerificationToken });
+	});
+};
+const verifyDomain = (options) => {
+	return createAuthEndpoint("/sso/verify-domain", {
+		method: "POST",
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			summary: "Verify the provider domain ownership",
+			description: "Verify the provider domain ownership via DNS records",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified or no pending verification exists" },
+				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
+				"204": { description: "Domain ownership was verified" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: body.providerId
+			}]
+		});
+		if (!provider) throw new APIError("NOT_FOUND", {
+			message: "Provider not found",
+			code: "PROVIDER_NOT_FOUND"
+		});
+		const userId = ctx.context.session.user.id;
+		let isOrgMember = true;
+		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
+			model: "member",
+			where: [{
+				field: "userId",
+				value: userId
+			}, {
+				field: "organizationId",
+				value: provider.organizationId
+			}]
+		}) > 0;
+		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
+			message: "User must be owner of or belong to the SSO provider organization",
+			code: "INSUFICCIENT_ACCESS"
+		});
+		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const activeVerification = await ctx.context.adapter.findOne({
+			model: "verification",
+			where: [{
+				field: "identifier",
+				value: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`
+			}, {
+				field: "expiresAt",
+				value: /* @__PURE__ */ new Date(),
+				operator: "gt"
+			}]
+		});
+		if (!activeVerification) throw new APIError("NOT_FOUND", {
+			message: "No pending domain verification exists",
+			code: "NO_PENDING_VERIFICATION"
+		});
+		let records = [];
+		let dns;
+		try {
+			dns = await import("node:dns/promises");
+		} catch (error) {
+			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "Unable to verify domain ownership due to server error",
+				code: "DOMAIN_VERIFICATION_FAILED"
+			});
+		}
+		try {
+			records = (await dns.resolveTxt(new URL(provider.domain).hostname)).flat();
+		} catch (error) {
+			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
+		}
+		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
+			message: "Unable to verify domain ownership. Try again later",
+			code: "DOMAIN_VERIFICATION_FAILED"
+		});
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: provider.providerId
+			}],
+			update: { domainVerified: true }
+		});
+		ctx.setStatus(204);
+	});
+};
+
+//#endregion
+//#region src/utils.ts
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	const providerDomain = domain.toLowerCase();
+	if (!emailDomain || !providerDomain) return false;
+	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
+};
+
+//#endregion
 //#region src/routes/sso.ts
 /**
 * Safely parses a value that might be a JSON string or already a parsed object
@@ -155,6 +339,14 @@ const registerSSOProvider = (options) => {
 							type: "string",
 							description: "The domain of the provider, used for email matching"
 						},
+						domainVerified: {
+							type: "boolean",
+							description: "A boolean indicating whether the domain has been verified or not"
+						},
+						domainVerificationToken: {
+							type: "string",
+							description: "Domain verification token. It can be used to prove ownership over the SSO domain"
+						},
 						oidcConfig: {
 							type: "object",
 							properties: {
@@ -336,6 +528,7 @@ const registerSSOProvider = (options) => {
 			data: {
 				issuer: body.issuer,
 				domain: body.domain,
+				domainVerified: false,
 				oidcConfig: body.oidcConfig ? JSON.stringify({
 					issuer: body.issuer,
 					clientId: body.oidcConfig.clientId,
@@ -373,11 +566,29 @@ const registerSSOProvider = (options) => {
 				providerId: body.providerId
 			}
 		});
+		let domainVerificationToken;
+		let domainVerified;
+		if (options?.domainVerification?.enabled) {
+			domainVerified = false;
+			domainVerificationToken = generateRandomString(24);
+			await ctx.context.adapter.create({
+				model: "verification",
+				data: {
+					identifier: options.domainVerification?.tokenPrefix ? `${options.domainVerification?.tokenPrefix}-${provider.providerId}` : `better-auth-token-${provider.providerId}`,
+					createdAt: /* @__PURE__ */ new Date(),
+					updatedAt: /* @__PURE__ */ new Date(),
+					value: domainVerificationToken,
+					expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+				}
+			});
+		}
 		return ctx.json({
 			...provider,
 			oidcConfig: JSON.parse(provider.oidcConfig),
 			samlConfig: JSON.parse(provider.samlConfig),
-			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`
+			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
+			...options?.domainVerification?.enabled ? { domainVerified } : {},
+			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
 		});
 	});
 };
@@ -480,7 +691,8 @@ const signInSSO = (options) => {
 				userId: "default",
 				oidcConfig: matchingDefault.oidcConfig,
 				samlConfig: matchingDefault.samlConfig,
-				domain: matchingDefault.domain
+				domain: matchingDefault.domain,
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
 			};
 		}
 		if (!providerId && !orgId && !domain) throw new APIError("BAD_REQUEST", { message: "providerId, orgId or domain is required" });
@@ -503,6 +715,7 @@ const signInSSO = (options) => {
 			if (body.providerType === "oidc" && !provider.oidcConfig) throw new APIError("BAD_REQUEST", { message: "OIDC provider is not configured" });
 			if (body.providerType === "saml" && !provider.samlConfig) throw new APIError("BAD_REQUEST", { message: "SAML provider is not configured" });
 		}
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		if (provider.oidcConfig && body.providerType !== "saml") {
 			let finalAuthUrl = provider.oidcConfig.authorizationEndpoint;
 			if (!finalAuthUrl && provider.oidcConfig.discoveryEndpoint) {
@@ -567,6 +780,7 @@ const callbackSSO = (options) => {
 			error: z.string().optional(),
 			error_description: z.string().optional()
 		}),
+		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		metadata: {
 			isAction: false,
 			openapi: {
@@ -591,7 +805,8 @@ const callbackSSO = (options) => {
 			if (matchingDefault) provider = {
 				...matchingDefault,
 				issuer: matchingDefault.oidcConfig?.issuer || "",
-				userId: "default"
+				userId: "default",
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
 			};
 		}
 		if (!provider) provider = await ctx.context.adapter.findOne({
@@ -608,6 +823,7 @@ const callbackSSO = (options) => {
 			};
 		});
 		if (!provider) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		let config = provider.oidcConfig;
 		if (!config) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=provider not found`);
 		const discovery = await betterFetch(config.discoveryEndpoint);
@@ -769,7 +985,8 @@ const callbackSSOSAML = (options) => {
 			if (matchingDefault) provider = {
 				...matchingDefault,
 				userId: "default",
-				issuer: matchingDefault.samlConfig?.issuer || ""
+				issuer: matchingDefault.samlConfig?.issuer || "",
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
 			};
 		}
 		if (!provider) provider = await ctx.context.adapter.findOne({
@@ -786,6 +1003,7 @@ const callbackSSOSAML = (options) => {
 			};
 		});
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 		const idpData = parsedSamlConfig.idpMetadata;
@@ -985,7 +1203,8 @@ const acsEndpoint = (options) => {
 				providerId: matchingDefault.providerId,
 				userId: "default",
 				samlConfig: matchingDefault.samlConfig,
-				domain: matchingDefault.domain
+				domain: matchingDefault.domain,
+				...options.domainVerification?.enabled ? { domainVerified: true } : {}
 			};
 		} else provider = await ctx.context.adapter.findOne({
 			model: "ssoProvider",
@@ -1001,6 +1220,7 @@ const acsEndpoint = (options) => {
 			};
 		});
 		if (!provider?.samlConfig) throw new APIError("NOT_FOUND", { message: "No SAML provider found" });
+		if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 		const parsedSamlConfig = provider.samlConfig;
 		const sp = saml.ServiceProvider({
 			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
@@ -1101,7 +1321,7 @@ const acsEndpoint = (options) => {
 					}
 				]
 			})) {
-				if (!ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId)) throw ctx.redirect(`${parsedSamlConfig.callbackUrl}?error=account_not_found`);
+				if (!(ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain))) throw ctx.redirect(`${parsedSamlConfig.callbackUrl}?error=account_not_found`);
 				await ctx.context.internalAdapter.createAccount({
 					userId: existingUser.id,
 					providerId: provider.providerId,
@@ -1179,16 +1399,27 @@ saml.setSchemaValidator({ async validate(xml) {
 	throw "ERR_INVALID_XML";
 } });
 function sso(options) {
+	let endpoints = {
+		spMetadata: spMetadata(),
+		registerSSOProvider: registerSSOProvider(options),
+		signInSSO: signInSSO(options),
+		callbackSSO: callbackSSO(options),
+		callbackSSOSAML: callbackSSOSAML(options),
+		acsEndpoint: acsEndpoint(options)
+	};
+	if (options?.domainVerification?.enabled) {
+		const domainVerificationEndpoints = {
+			requestDomainVerification: requestDomainVerification(options),
+			verifyDomain: verifyDomain(options)
+		};
+		endpoints = {
+			...endpoints,
+			...domainVerificationEndpoints
+		};
+	}
 	return {
 		id: "sso",
-		endpoints: {
-			spMetadata: spMetadata(),
-			registerSSOProvider: registerSSOProvider(options),
-			signInSSO: signInSSO(options),
-			callbackSSO: callbackSSO(options),
-			callbackSSOSAML: callbackSSOSAML(options),
-			acsEndpoint: acsEndpoint(options)
-		},
+		endpoints,
 		schema: { ssoProvider: {
 			modelName: options?.modelName ?? "ssoProvider",
 			fields: {
@@ -1230,7 +1461,11 @@ function sso(options) {
 					type: "string",
 					required: true,
 					fieldName: options?.fields?.domain ?? "domain"
-				}
+				},
+				...options?.domainVerification?.enabled ? { domainVerified: {
+					type: "boolean",
+					required: false
+				} } : {}
 			}
 		} }
 	};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.22",
+  "version": "1.4.0-beta.23",
   "type": "module",
   "main": "dist/index.mjs",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -60,15 +60,15 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.0.26",
+    "better-call": "1.0.28",
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
     "oauth2-mock-server": "^7.2.1",
     "tsdown": "^0.16.0",
-    "better-auth": "1.4.0-beta.22"
+    "better-auth": "1.4.0-beta.23"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.22"
+    "better-auth": "1.4.0-beta.23"
   },
   "scripts": {
     "test": "vitest",

package/src/client.ts

@@ -1,8 +1,25 @@
 import type { BetterAuthClientPlugin } from "better-auth";
-import type { sso } from "./index";
-export const ssoClient = () => {
+import type { SSOPlugin } from "./index";
+
+interface SSOClientOptions {
+	domainVerification?:
+		| {
+				enabled: boolean;
+		  }
+		| undefined;
+}
+
+export const ssoClient = <CO extends SSOClientOptions>(
+	options?: CO | undefined,
+) => {
 	return {
 		id: "sso-client",
-		$InferServerPlugin: {} as ReturnType<typeof sso>,
+		$InferServerPlugin: {} as SSOPlugin<{
+			domainVerification: {
+				enabled: CO["domainVerification"] extends { enabled: true }
+					? true
+					: false;
+			};
+		}>,
 	} satisfies BetterAuthClientPlugin;
 };