@better-auth/sso 1.4.0-beta.5 → 1.4.0-beta.7

package/.turbo/turbo-build.log

@@ -1,17 +1,17 @@
 
-> @better-auth/sso@1.4.0-beta.5 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.0-beta.7 build /home/runner/work/better-auth/better-auth/packages/sso
 > unbuild
 
 [info] Automatically detected entries: src/index, src/client [esm] [cjs] [dts]
 [info] Building sso
 [success] Build succeeded for sso
-[log]   dist/index.cjs (total size: 67.2 kB, chunk size: 67.2 kB, exports: sso)
+[log]   dist/index.cjs (total size: 69 kB, chunk size: 69 kB, exports: sso)
 
 [log]   dist/client.cjs (total size: 141 B, chunk size: 141 B, exports: ssoClient)
 
-[log]   dist/index.mjs (total size: 65.5 kB, chunk size: 65.5 kB, exports: sso)
+[log]   dist/index.mjs (total size: 67.3 kB, chunk size: 67.3 kB, exports: sso)
 
 [log]   dist/client.mjs (total size: 117 B, chunk size: 117 B, exports: ssoClient)
 
-Σ Total dist size (byte size): 260 kB
+Σ Total dist size (byte size): 263 kB
 [log]

package/dist/index.cjs

@@ -36,6 +36,22 @@ const fastValidator = {
   }
 };
 saml__namespace.setSchemaValidator(fastValidator);
+function safeJsonParse(value) {
+  if (!value) return null;
+  if (typeof value === "object") {
+    return value;
+  }
+  if (typeof value === "string") {
+    try {
+      return JSON.parse(value);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  return null;
+}
 const sso = (options) => {
   return {
     id: "sso",
@@ -75,7 +91,14 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(provider.samlConfig);
+          const parsedSamlConfig = safeJsonParse(
+            provider.samlConfig
+          );
+          if (!parsedSamlConfig) {
+            throw new api.APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const sp = parsedSamlConfig.spMetadata.metadata ? saml__namespace.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
           }) : saml__namespace.SPMetadata({
@@ -448,6 +471,23 @@ const sso = (options) => {
               });
             }
           }
+          const existingProvider = await ctx.context.adapter.findOne({
+            model: "ssoProvider",
+            where: [
+              {
+                field: "providerId",
+                value: body.providerId
+              }
+            ]
+          });
+          if (existingProvider) {
+            ctx.context.logger.info(
+              `SSO provider creation attempt with existing providerId: ${body.providerId}`
+            );
+            throw new api.APIError("UNPROCESSABLE_ENTITY", {
+              message: "SSO provider with this providerId already exists"
+            });
+          }
           const provider = await ctx.context.adapter.create({
             model: "ssoProvider",
             data: {
@@ -667,8 +707,12 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: res.oidcConfig ? JSON.parse(res.oidcConfig) : void 0,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                oidcConfig: res.oidcConfig ? safeJsonParse(
+                  res.oidcConfig
+                ) || void 0 : void 0,
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -701,7 +745,7 @@ const sso = (options) => {
               redirectURI,
               state: state.state,
               codeVerifier: provider.oidcConfig.pkce ? state.codeVerifier : void 0,
-              scopes: ctx.body.scopes || [
+              scopes: ctx.body.scopes || provider.oidcConfig.scopes || [
                 "openid",
                 "email",
                 "profile",
@@ -715,7 +759,14 @@ const sso = (options) => {
             });
           }
           if (provider.samlConfig) {
-            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : JSON.parse(provider.samlConfig);
+            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(
+              provider.samlConfig
+            );
+            if (!parsedSamlConfig) {
+              throw new api.APIError("BAD_REQUEST", {
+                message: "Invalid SAML configuration"
+              });
+            }
             const sp = saml__namespace.ServiceProvider({
               metadata: parsedSamlConfig.spMetadata.metadata,
               allowCreate: true
@@ -811,7 +862,7 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: JSON.parse(res.oidcConfig)
+                oidcConfig: safeJsonParse(res.oidcConfig) || void 0
               };
             });
           }
@@ -1059,7 +1110,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -1068,25 +1121,30 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(
+          const parsedSamlConfig = safeJsonParse(
             provider.samlConfig
           );
+          if (!parsedSamlConfig) {
+            throw new api.APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const idpData = parsedSamlConfig.idpMetadata;
           let idp = null;
           if (!idpData?.metadata) {
             idp = saml__namespace.IdentityProvider({
-              entityID: idpData.entityID || parsedSamlConfig.issuer,
+              entityID: idpData?.entityID || parsedSamlConfig.issuer,
               singleSignOnService: [
                 {
                   Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                   Location: parsedSamlConfig.entryPoint
                 }
               ],
-              signingCert: idpData.cert || parsedSamlConfig.cert,
+              signingCert: idpData?.cert || parsedSamlConfig.cert,
               wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
-              isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-              encPrivateKey: idpData.encPrivateKey,
-              encPrivateKeyPass: idpData.encPrivateKeyPass
+              isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+              encPrivateKey: idpData?.encPrivateKey,
+              encPrivateKeyPass: idpData?.encPrivateKeyPass
             });
           } else {
             idp = saml__namespace.IdentityProvider({
@@ -1333,7 +1391,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }

package/dist/index.mjs

@@ -19,6 +19,22 @@ const fastValidator = {
   }
 };
 saml.setSchemaValidator(fastValidator);
+function safeJsonParse(value) {
+  if (!value) return null;
+  if (typeof value === "object") {
+    return value;
+  }
+  if (typeof value === "string") {
+    try {
+      return JSON.parse(value);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  return null;
+}
 const sso = (options) => {
   return {
     id: "sso",
@@ -58,7 +74,14 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(provider.samlConfig);
+          const parsedSamlConfig = safeJsonParse(
+            provider.samlConfig
+          );
+          if (!parsedSamlConfig) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({
             metadata: parsedSamlConfig.spMetadata.metadata
           }) : saml.SPMetadata({
@@ -431,6 +454,23 @@ const sso = (options) => {
               });
             }
           }
+          const existingProvider = await ctx.context.adapter.findOne({
+            model: "ssoProvider",
+            where: [
+              {
+                field: "providerId",
+                value: body.providerId
+              }
+            ]
+          });
+          if (existingProvider) {
+            ctx.context.logger.info(
+              `SSO provider creation attempt with existing providerId: ${body.providerId}`
+            );
+            throw new APIError("UNPROCESSABLE_ENTITY", {
+              message: "SSO provider with this providerId already exists"
+            });
+          }
           const provider = await ctx.context.adapter.create({
             model: "ssoProvider",
             data: {
@@ -650,8 +690,12 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: res.oidcConfig ? JSON.parse(res.oidcConfig) : void 0,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                oidcConfig: res.oidcConfig ? safeJsonParse(
+                  res.oidcConfig
+                ) || void 0 : void 0,
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -684,7 +728,7 @@ const sso = (options) => {
               redirectURI,
               state: state.state,
               codeVerifier: provider.oidcConfig.pkce ? state.codeVerifier : void 0,
-              scopes: ctx.body.scopes || [
+              scopes: ctx.body.scopes || provider.oidcConfig.scopes || [
                 "openid",
                 "email",
                 "profile",
@@ -698,7 +742,14 @@ const sso = (options) => {
             });
           }
           if (provider.samlConfig) {
-            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : JSON.parse(provider.samlConfig);
+            const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(
+              provider.samlConfig
+            );
+            if (!parsedSamlConfig) {
+              throw new APIError("BAD_REQUEST", {
+                message: "Invalid SAML configuration"
+              });
+            }
             const sp = saml.ServiceProvider({
               metadata: parsedSamlConfig.spMetadata.metadata,
               allowCreate: true
@@ -794,7 +845,7 @@ const sso = (options) => {
               }
               return {
                 ...res,
-                oidcConfig: JSON.parse(res.oidcConfig)
+                oidcConfig: safeJsonParse(res.oidcConfig) || void 0
               };
             });
           }
@@ -1042,7 +1093,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }
@@ -1051,25 +1104,30 @@ const sso = (options) => {
               message: "No provider found for the given providerId"
             });
           }
-          const parsedSamlConfig = JSON.parse(
+          const parsedSamlConfig = safeJsonParse(
             provider.samlConfig
           );
+          if (!parsedSamlConfig) {
+            throw new APIError("BAD_REQUEST", {
+              message: "Invalid SAML configuration"
+            });
+          }
           const idpData = parsedSamlConfig.idpMetadata;
           let idp = null;
           if (!idpData?.metadata) {
             idp = saml.IdentityProvider({
-              entityID: idpData.entityID || parsedSamlConfig.issuer,
+              entityID: idpData?.entityID || parsedSamlConfig.issuer,
               singleSignOnService: [
                 {
                   Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                   Location: parsedSamlConfig.entryPoint
                 }
               ],
-              signingCert: idpData.cert || parsedSamlConfig.cert,
+              signingCert: idpData?.cert || parsedSamlConfig.cert,
               wantAuthnRequestsSigned: parsedSamlConfig.wantAssertionsSigned || false,
-              isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-              encPrivateKey: idpData.encPrivateKey,
-              encPrivateKeyPass: idpData.encPrivateKeyPass
+              isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+              encPrivateKey: idpData?.encPrivateKey,
+              encPrivateKeyPass: idpData?.encPrivateKeyPass
             });
           } else {
             idp = saml.IdentityProvider({
@@ -1316,7 +1374,9 @@ const sso = (options) => {
               if (!res) return null;
               return {
                 ...res,
-                samlConfig: res.samlConfig ? JSON.parse(res.samlConfig) : void 0
+                samlConfig: res.samlConfig ? safeJsonParse(
+                  res.samlConfig
+                ) || void 0 : void 0
               };
             });
           }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.0-beta.5",
+  "version": "1.4.0-beta.7",
   "main": "dist/index.cjs",
   "license": "MIT",
   "keywords": [
@@ -44,7 +44,7 @@
     }
   },
   "dependencies": {
-    "@better-fetch/fetch": "^1.1.18",
+    "@better-fetch/fetch": "1.1.18",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
     "oauth2-mock-server": "^7.2.1",
@@ -58,10 +58,10 @@
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
     "unbuild": "3.6.1",
-    "better-auth": "^1.4.0-beta.5"
+    "better-auth": "^1.4.0-beta.7"
   },
   "peerDependencies": {
-    "better-auth": "1.4.0-beta.5"
+    "better-auth": "1.4.0-beta.7"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -38,6 +38,34 @@ const fastValidator = {
 
 saml.setSchemaValidator(fastValidator);
 
+/**
+ * Safely parses a value that might be a JSON string or already a parsed object
+ * This handles cases where ORMs like Drizzle might return already parsed objects
+ * instead of JSON strings from TEXT/JSON columns
+ */
+function safeJsonParse<T>(value: string | T | null | undefined): T | null {
+	if (!value) return null;
+
+	// If it's already an object (not a string), return it as-is
+	if (typeof value === "object") {
+		return value as T;
+	}
+
+	// If it's a string, try to parse it
+	if (typeof value === "string") {
+		try {
+			return JSON.parse(value) as T;
+		} catch (error) {
+			// If parsing fails, this might indicate the string is not valid JSON
+			throw new Error(
+				`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+
+	return null;
+}
+
 export interface OIDCMapping {
 	id?: string;
 	email?: string;
@@ -269,7 +297,14 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 
-					const parsedSamlConfig: SAMLConfig = JSON.parse(provider.samlConfig);
+					const parsedSamlConfig = safeJsonParse<SAMLConfig>(
+						provider.samlConfig,
+					);
+					if (!parsedSamlConfig) {
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML configuration",
+						});
+					}
 					const sp = parsedSamlConfig.spMetadata.metadata
 						? saml.ServiceProvider({
 								metadata: parsedSamlConfig.spMetadata.metadata,
@@ -745,6 +780,26 @@ export const sso = (options?: SSOOptions) => {
 							});
 						}
 					}
+
+					const existingProvider = await ctx.context.adapter.findOne({
+						model: "ssoProvider",
+						where: [
+							{
+								field: "providerId",
+								value: body.providerId,
+							},
+						],
+					});
+
+					if (existingProvider) {
+						ctx.context.logger.info(
+							`SSO provider creation attempt with existing providerId: ${body.providerId}`,
+						);
+						throw new APIError("UNPROCESSABLE_ENTITY", {
+							message: "SSO provider with this providerId already exists",
+						});
+					}
+
 					const provider = await ctx.context.adapter.create<
 						Record<string, any>,
 						SSOProvider
@@ -1040,10 +1095,14 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									oidcConfig: res.oidcConfig
-										? JSON.parse(res.oidcConfig as unknown as string)
+										? safeJsonParse<OIDCConfig>(
+												res.oidcConfig as unknown as string,
+											) || undefined
 										: undefined,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});
@@ -1080,12 +1139,13 @@ export const sso = (options?: SSOOptions) => {
 							codeVerifier: provider.oidcConfig.pkce
 								? state.codeVerifier
 								: undefined,
-							scopes: ctx.body.scopes || [
-								"openid",
-								"email",
-								"profile",
-								"offline_access",
-							],
+							scopes: ctx.body.scopes ||
+								provider.oidcConfig.scopes || [
+									"openid",
+									"email",
+									"profile",
+									"offline_access",
+								],
 							authorizationEndpoint: provider.oidcConfig.authorizationEndpoint!,
 						});
 						return ctx.json({
@@ -1094,10 +1154,17 @@ export const sso = (options?: SSOOptions) => {
 						});
 					}
 					if (provider.samlConfig) {
-						const parsedSamlConfig: SAMLConfig =
+						const parsedSamlConfig =
 							typeof provider.samlConfig === "object"
 								? provider.samlConfig
-								: JSON.parse(provider.samlConfig as unknown as string);
+								: safeJsonParse<SAMLConfig>(
+										provider.samlConfig as unknown as string,
+									);
+						if (!parsedSamlConfig) {
+							throw new APIError("BAD_REQUEST", {
+								message: "Invalid SAML configuration",
+							});
+						}
 						const sp = saml.ServiceProvider({
 							metadata: parsedSamlConfig.spMetadata.metadata,
 							allowCreate: true,
@@ -1206,7 +1273,8 @@ export const sso = (options?: SSOOptions) => {
 								}
 								return {
 									...res,
-									oidcConfig: JSON.parse(res.oidcConfig),
+									oidcConfig:
+										safeJsonParse<OIDCConfig>(res.oidcConfig) || undefined,
 								} as SSOProvider;
 							});
 					}
@@ -1533,7 +1601,9 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});
@@ -1544,28 +1614,33 @@ export const sso = (options?: SSOOptions) => {
 							message: "No provider found for the given providerId",
 						});
 					}
-					const parsedSamlConfig = JSON.parse(
+					const parsedSamlConfig = safeJsonParse<SAMLConfig>(
 						provider.samlConfig as unknown as string,
 					);
+					if (!parsedSamlConfig) {
+						throw new APIError("BAD_REQUEST", {
+							message: "Invalid SAML configuration",
+						});
+					}
 					const idpData = parsedSamlConfig.idpMetadata;
 					let idp: IdentityProvider | null = null;
 
 					// Construct IDP with fallback to manual configuration
 					if (!idpData?.metadata) {
 						idp = saml.IdentityProvider({
-							entityID: idpData.entityID || parsedSamlConfig.issuer,
+							entityID: idpData?.entityID || parsedSamlConfig.issuer,
 							singleSignOnService: [
 								{
 									Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 									Location: parsedSamlConfig.entryPoint,
 								},
 							],
-							signingCert: idpData.cert || parsedSamlConfig.cert,
+							signingCert: idpData?.cert || parsedSamlConfig.cert,
 							wantAuthnRequestsSigned:
 								parsedSamlConfig.wantAssertionsSigned || false,
-							isAssertionEncrypted: idpData.isAssertionEncrypted || false,
-							encPrivateKey: idpData.encPrivateKey,
-							encPrivateKeyPass: idpData.encPrivateKeyPass,
+							isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+							encPrivateKey: idpData?.encPrivateKey,
+							encPrivateKeyPass: idpData?.encPrivateKeyPass,
 						});
 					} else {
 						idp = saml.IdentityProvider({
@@ -1865,7 +1940,9 @@ export const sso = (options?: SSOOptions) => {
 								return {
 									...res,
 									samlConfig: res.samlConfig
-										? JSON.parse(res.samlConfig as unknown as string)
+										? safeJsonParse<SAMLConfig>(
+												res.samlConfig as unknown as string,
+											) || undefined
 										: undefined,
 								};
 							});

package/src/oidc.test.ts

@@ -1,18 +1,28 @@
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { getTestInstanceMemory as getTestInstance } from "better-auth/test";
 import { sso } from ".";
 import { OAuth2Server } from "oauth2-mock-server";
 import { betterFetch } from "@better-fetch/fetch";
-import { organization } from "better-auth/plugins/organization";
-import { getTestInstanceMemory } from "better-auth/test";
+import { organization } from "better-auth/plugins";
+import { createAuthClient } from "better-auth/client";
+import { ssoClient } from "./client";
 
 let server = new OAuth2Server();
 
 describe("SSO", async () => {
-	const { auth, signInWithTestUser, customFetchImpl } =
-		await getTestInstanceMemory({
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
 			plugins: [sso(), organization()],
 		});
 
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: {
+			customFetchImpl,
+		},
+	});
+
 	beforeAll(async () => {
 		await server.issuer.keys.generate("RS256");
 		server.issuer.on;
@@ -57,7 +67,7 @@ describe("SSO", async () => {
 		});
 
 		if (!location) throw new Error("No redirect location found");
-
+		const newHeaders = new Headers();
 		let callbackURL = "";
 		await betterFetch(location, {
 			method: "GET",
@@ -65,10 +75,11 @@ describe("SSO", async () => {
 			headers,
 			onError(context) {
 				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
 			},
 		});
 
-		return callbackURL;
+		return { callbackURL, headers: newHeaders };
 	}
 
 	it("should register a new SSO provider", async () => {
@@ -146,123 +157,114 @@ describe("SSO", async () => {
 		}
 	});
 
-	it("should sign in with SSO provider with email matching", async () => {
-		const res = await auth.api.signInSSO({
+	it("should not allow creating a provider with duplicate providerId", async () => {
+		const { headers } = await signInWithTestUser();
+
+		await auth.api.registerSSOProvider({
 			body: {
-				email: "my-email@localhost.com",
-				callbackURL: "/dashboard",
+				issuer: server.issuer.url!,
+				domain: "duplicate.com",
+				providerId: "duplicate-oidc-provider",
+				oidcConfig: {
+					clientId: "test",
+					clientSecret: "test",
+				},
 			},
+			headers,
 		});
-		expect(res.url).toContain("http://localhost:8080/authorize");
-		expect(res.url).toContain(
-			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
-		);
-		const headers = new Headers();
-		const callbackURL = await simulateOAuthFlow(res.url, headers);
-		expect(callbackURL).toContain("/dashboard");
-	});
 
-	it("should sign in with SSO provider with domain", async () => {
-		const res = await auth.api.signInSSO({
+		await expect(
+			auth.api.registerSSOProvider({
+				body: {
+					issuer: server.issuer.url!,
+					domain: "another-duplicate.com",
+					providerId: "duplicate-oidc-provider",
+					oidcConfig: {
+						clientId: "test2",
+						clientSecret: "test2",
+					},
+				},
+				headers,
+			}),
+		).rejects.toMatchObject({
+			status: "UNPROCESSABLE_ENTITY",
 			body: {
-				email: "my-email@test.com",
-				domain: "localhost.com",
-				callbackURL: "/dashboard",
+				message: "SSO provider with this providerId already exists",
 			},
 		});
-		expect(res.url).toContain("http://localhost:8080/authorize");
-		expect(res.url).toContain(
-			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
-		);
-		const headers = new Headers();
-		const callbackURL = await simulateOAuthFlow(res.url, headers);
-		expect(callbackURL).toContain("/dashboard");
 	});
 
-	it("should sign in with SSO provider with providerId", async () => {
-		const res = await auth.api.signInSSO({
-			body: {
-				providerId: "test",
-				callbackURL: "/dashboard",
+	it("should sign in with SSO provider with email matching", async () => {
+		const headers = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "my-email@localhost.com",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(headers),
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
-		const headers = new Headers();
-		const callbackURL = await simulateOAuthFlow(res.url, headers);
+		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain("/dashboard");
 	});
-});
-
-describe("SSO with defaultSSO array", async () => {
-	const { auth, signInWithTestUser, customFetchImpl } =
-		await getTestInstanceMemory({
-			plugins: [
-				sso({
-					defaultSSO: [
-						{
-							domain: "localhost.com",
-							providerId: "default-test",
-							oidcConfig: {
-								issuer: "http://localhost:8080",
-								clientId: "test",
-								clientSecret: "test",
-								authorizationEndpoint: "http://localhost:8080/authorize",
-								tokenEndpoint: "http://localhost:8080/token",
-								jwksEndpoint: "http://localhost:8080/jwks",
-								discoveryEndpoint:
-									"http://localhost:8080/.well-known/openid-configuration",
-								pkce: true,
-								mapping: {
-									id: "sub",
-									email: "email",
-									emailVerified: "email_verified",
-									name: "name",
-									image: "picture",
-								},
-							},
-						},
-					],
-				}),
-				organization(),
-			],
-		});
 
-	it("should use default SSO provider from array when no provider found in database using providerId", async () => {
-		const res = await auth.api.signInSSO({
-			body: {
-				providerId: "default-test",
-				callbackURL: "/dashboard",
+	it("should sign in with SSO provider with domain", async () => {
+		const headers = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "my-email@test.com",
+			domain: "localhost.com",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(headers),
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
-			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Fdefault-test",
+			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
+		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
+		expect(callbackURL).toContain("/dashboard");
 	});
 
-	it("should use default SSO provider from array when no provider found in database using domain fallback", async () => {
-		const res = await auth.api.signInSSO({
-			body: {
-				email: "test@localhost.com",
-				callbackURL: "/dashboard",
+	it("should sign in with SSO provider with providerId", async () => {
+		const headers = new Headers();
+		const res = await authClient.signIn.sso({
+			providerId: "test",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(headers),
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
-			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Fdefault-test",
+			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
+
+		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
+		expect(callbackURL).toContain("/dashboard");
 	});
 });
 
 describe("SSO disable implicit sign in", async () => {
-	const { auth, signInWithTestUser, customFetchImpl } =
-		await getTestInstanceMemory({
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
 			plugins: [sso({ disableImplicitSignUp: true }), organization()],
 		});
 
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: {
+			customFetchImpl,
+		},
+	});
+
 	beforeAll(async () => {
 		await server.issuer.keys.generate("RS256");
 		server.issuer.on;
@@ -307,7 +309,7 @@ describe("SSO disable implicit sign in", async () => {
 		});
 
 		if (!location) throw new Error("No redirect location found");
-
+		const newHeaders = new Headers(headers);
 		let callbackURL = "";
 		await betterFetch(location, {
 			method: "GET",
@@ -315,10 +317,11 @@ describe("SSO disable implicit sign in", async () => {
 			headers,
 			onError(context) {
 				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
 			},
 		});
 
-		return callbackURL;
+		return { callbackURL, headers: newHeaders };
 	}
 
 	it("should register a new SSO provider", async () => {
@@ -369,150 +372,61 @@ describe("SSO disable implicit sign in", async () => {
 			userId: expect.any(String),
 		});
 	});
-	it("should not allow creating a provider if limit is set to 0", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
-			plugins: [sso({ providersLimit: 0 })],
-		});
-		const { headers } = await signInWithTestUser();
-		await expect(
-			auth.api.registerSSOProvider({
-				body: {
-					issuer: server.issuer.url!,
-					domain: "localhost.com",
-					oidcConfig: {
-						clientId: "test",
-						clientSecret: "test",
-					},
-					providerId: "test",
-				},
-				headers,
-			}),
-		).rejects.toMatchObject({
-			status: "FORBIDDEN",
-			body: { message: "SSO provider registration is disabled" },
-		});
-	});
-	it("should not allow creating a provider if limit is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
-			plugins: [sso({ providersLimit: 1 })],
-		});
-		const { headers } = await signInWithTestUser();
-
-		await auth.api.registerSSOProvider({
-			body: {
-				issuer: server.issuer.url!,
-				domain: "localhost.com",
-				oidcConfig: {
-					clientId: "test",
-					clientSecret: "test",
-				},
-				providerId: "test-1",
-			},
-			headers,
-		});
-
-		await expect(
-			auth.api.registerSSOProvider({
-				body: {
-					issuer: server.issuer.url!,
-					domain: "localhost.com",
-					oidcConfig: {
-						clientId: "test",
-						clientSecret: "test",
-					},
-					providerId: "test-2",
-				},
-				headers,
-			}),
-		).rejects.toMatchObject({
-			status: "FORBIDDEN",
-			body: {
-				message: "You have reached the maximum number of SSO providers",
-			},
-		});
-	});
-
-	it("should not allow creating a provider if limit from function is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
-			plugins: [sso({ providersLimit: async () => 1 })],
-		});
-		const { headers } = await signInWithTestUser();
-
-		await auth.api.registerSSOProvider({
-			body: {
-				issuer: server.issuer.url!,
-				domain: "localhost.com",
-				oidcConfig: {
-					clientId: "test",
-					clientSecret: "test",
-				},
-				providerId: "test-1",
-			},
-			headers,
-		});
 
-		await expect(
-			auth.api.registerSSOProvider({
-				body: {
-					issuer: server.issuer.url!,
-					domain: "localhost.com",
-					oidcConfig: {
-						clientId: "test",
-						clientSecret: "test",
-					},
-					providerId: "test-2",
-				},
-				headers,
-			}),
-		).rejects.toMatchObject({
-			status: "FORBIDDEN",
-			body: {
-				message: "You have reached the maximum number of SSO providers",
-			},
-		});
-	});
 	it("should not create user with SSO provider when sign ups are disabled", async () => {
-		const res = await auth.api.signInSSO({
-			body: {
-				email: "my-email@localhost.com",
-				callbackURL: "/dashboard",
+		const headers = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "my-email@localhost.com",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(headers),
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
-		const headers = new Headers();
-		const callbackURL = await simulateOAuthFlow(res.url, headers);
+		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain(
 			"/api/auth/error/error?error=signup disabled",
 		);
 	});
 
 	it("should create user with SSO provider when sign ups are disabled but sign up is requested", async () => {
-		const res = await auth.api.signInSSO({
-			body: {
-				email: "my-email@localhost.com",
-				callbackURL: "/dashboard",
-				requestSignUp: true,
+		const headers = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "my-email@localhost.com",
+			callbackURL: "/dashboard",
+			requestSignUp: true,
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(headers),
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
-		const headers = new Headers();
-		const callbackURL = await simulateOAuthFlow(res.url, headers);
+		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain("/dashboard");
 	});
 });
 
 describe("provisioning", async (ctx) => {
-	const { auth, signInWithTestUser, customFetchImpl } =
-		await getTestInstanceMemory({
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
 			plugins: [sso(), organization()],
 		});
 
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: {
+			customFetchImpl,
+		},
+	});
+
 	beforeAll(async () => {
 		await server.issuer.keys.generate("RS256");
 		server.issuer.on;
@@ -540,12 +454,14 @@ describe("provisioning", async (ctx) => {
 		if (!location) throw new Error("No redirect location found");
 
 		let callbackURL = "";
+		const newHeaders = new Headers();
 		await betterFetch(location, {
 			method: "GET",
 			customFetchImpl: fetchImpl || customFetchImpl,
 			headers,
 			onError(context) {
 				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
 			},
 		});
 
@@ -605,18 +521,20 @@ describe("provisioning", async (ctx) => {
 		expect(provider).toMatchObject({
 			organizationId: organization?.id,
 		});
-
-		const res = await auth.api.signInSSO({
-			body: {
-				email: "my-email@localhost.com",
-				callbackURL: "/dashboard",
+		const newHeaders = new Headers();
+		const res = await authClient.signIn.sso({
+			email: "my-email@localhost.com",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				onSuccess: cookieSetter(newHeaders),
+				throw: true,
 			},
 		});
 		expect(res.url).toContain("http://localhost:8080/authorize");
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
-		const newHeaders = new Headers();
+
 		const callbackURL = await simulateOAuthFlow(res.url, newHeaders);
 		expect(callbackURL).toContain("/dashboard");
 		const org = await auth.api.getFullOrganization({

package/src/saml.test.ts

@@ -1069,4 +1069,53 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should not allow creating a provider with duplicate providerId", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "duplicate-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+					spMetadata: {
+						metadata: spMetadata,
+					},
+				},
+			},
+			headers,
+		});
+
+		await expect(
+			auth.api.registerSSOProvider({
+				body: {
+					providerId: "duplicate-provider",
+					issuer: "http://localhost:8082",
+					domain: "http://localhost:8082",
+					samlConfig: {
+						entryPoint: mockIdP.metadataUrl,
+						cert: certificate,
+						callbackUrl: "http://localhost:8082/api/sso/saml2/callback",
+						spMetadata: {
+							metadata: spMetadata,
+						},
+					},
+				},
+				headers,
+			}),
+		).rejects.toMatchObject({
+			status: "UNPROCESSABLE_ENTITY",
+			body: {
+				message: "SSO provider with this providerId already exists",
+			},
+		});
+	});
 });

package/tsconfig.json

@@ -5,10 +5,5 @@
     "outDir": "./dist",
     "lib": ["esnext", "dom", "dom.iterable"]
   },
-  "references": [
-    {
-      "path": "../better-auth/tsconfig.json"
-    }
-  ],
   "include": ["src"]
 }