@better-auth/sso 1.4.0-beta.9 → 1.4.0

package/src/oidc.test.ts

@@ -1,10 +1,10 @@
-import { afterAll, beforeAll, describe, expect, it } from "vitest";
-import { getTestInstanceMemory as getTestInstance } from "better-auth/test";
-import { sso } from ".";
-import { OAuth2Server } from "oauth2-mock-server";
 import { betterFetch } from "@better-fetch/fetch";
-import { organization } from "better-auth/plugins";
 import { createAuthClient } from "better-auth/client";
+import { organization } from "better-auth/plugins";
+import { getTestInstance } from "better-auth/test";
+import { OAuth2Server } from "oauth2-mock-server";
+import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { sso } from ".";
 import { ssoClient } from "./client";
 
 let server = new OAuth2Server();
@@ -208,6 +208,7 @@ describe("SSO", async () => {
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
+		expect(res.url).toContain("login_hint=my-email%40localhost.com");
 		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain("/dashboard");
 	});
@@ -235,6 +236,7 @@ describe("SSO", async () => {
 		const headers = new Headers();
 		const res = await authClient.signIn.sso({
 			providerId: "test",
+			loginHint: "user@example.com",
 			callbackURL: "/dashboard",
 			fetchOptions: {
 				throw: true,
@@ -245,6 +247,7 @@ describe("SSO", async () => {
 		expect(res.url).toContain(
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
+		expect(res.url).toContain("login_hint=user%40example.com");
 
 		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain("/dashboard");

package/src/routes/domain-verification.ts

@@ -0,0 +1,275 @@
+import type { Verification } from "better-auth";
+import {
+	APIError,
+	createAuthEndpoint,
+	sessionMiddleware,
+} from "better-auth/api";
+import { generateRandomString } from "better-auth/crypto";
+import * as z from "zod/v4";
+import type { SSOOptions, SSOProvider } from "../types";
+
+export const requestDomainVerification = (options: SSOOptions) => {
+	return createAuthEndpoint(
+		"/sso/request-domain-verification",
+		{
+			method: "POST",
+			body: z.object({
+				providerId: z.string(),
+			}),
+			metadata: {
+				openapi: {
+					summary: "Request a domain verification",
+					description:
+						"Request a domain verification for the given SSO provider",
+					responses: {
+						"404": {
+							description: "Provider not found",
+						},
+						"409": {
+							description: "Domain has already been verified",
+						},
+						"201": {
+							description: "Domain submitted for verification",
+						},
+					},
+				},
+			},
+			use: [sessionMiddleware],
+		},
+		async (ctx) => {
+			const body = ctx.body;
+			const provider = await ctx.context.adapter.findOne<
+				SSOProvider<SSOOptions>
+			>({
+				model: "ssoProvider",
+				where: [{ field: "providerId", value: body.providerId }],
+			});
+
+			if (!provider) {
+				throw new APIError("NOT_FOUND", {
+					message: "Provider not found",
+					code: "PROVIDER_NOT_FOUND",
+				});
+			}
+
+			const userId = ctx.context.session.user.id;
+			let isOrgMember = true;
+			if (provider.organizationId) {
+				const membershipsCount = await ctx.context.adapter.count({
+					model: "member",
+					where: [
+						{ field: "userId", value: userId },
+						{ field: "organizationId", value: provider.organizationId },
+					],
+				});
+
+				isOrgMember = membershipsCount > 0;
+			}
+
+			if (provider.userId !== userId || !isOrgMember) {
+				throw new APIError("FORBIDDEN", {
+					message:
+						"User must be owner of or belong to the SSO provider organization",
+					code: "INSUFICCIENT_ACCESS",
+				});
+			}
+
+			if ("domainVerified" in provider && provider.domainVerified) {
+				throw new APIError("CONFLICT", {
+					message: "Domain has already been verified",
+					code: "DOMAIN_VERIFIED",
+				});
+			}
+
+			const activeVerification =
+				await ctx.context.adapter.findOne<Verification>({
+					model: "verification",
+					where: [
+						{
+							field: "identifier",
+							value: options.domainVerification?.tokenPrefix
+								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
+								: `better-auth-token-${provider.providerId}`,
+						},
+						{ field: "expiresAt", value: new Date(), operator: "gt" },
+					],
+				});
+
+			if (activeVerification) {
+				ctx.setStatus(201);
+				return ctx.json({ domainVerificationToken: activeVerification.value });
+			}
+
+			const domainVerificationToken = generateRandomString(24);
+			await ctx.context.adapter.create<Verification>({
+				model: "verification",
+				data: {
+					identifier: options.domainVerification?.tokenPrefix
+						? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
+						: `better-auth-token-${provider.providerId}`,
+					createdAt: new Date(),
+					updatedAt: new Date(),
+					value: domainVerificationToken,
+					expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1000), // 1 week
+				},
+			});
+
+			ctx.setStatus(201);
+			return ctx.json({
+				domainVerificationToken,
+			});
+		},
+	);
+};
+
+export const verifyDomain = (options: SSOOptions) => {
+	return createAuthEndpoint(
+		"/sso/verify-domain",
+		{
+			method: "POST",
+			body: z.object({
+				providerId: z.string(),
+			}),
+			metadata: {
+				openapi: {
+					summary: "Verify the provider domain ownership",
+					description: "Verify the provider domain ownership via DNS records",
+					responses: {
+						"404": {
+							description: "Provider not found",
+						},
+						"409": {
+							description:
+								"Domain has already been verified or no pending verification exists",
+						},
+						"502": {
+							description:
+								"Unable to verify domain ownership due to upstream validator error",
+						},
+						"204": {
+							description: "Domain ownership was verified",
+						},
+					},
+				},
+			},
+			use: [sessionMiddleware],
+		},
+		async (ctx) => {
+			const body = ctx.body;
+			const provider = await ctx.context.adapter.findOne<
+				SSOProvider<SSOOptions>
+			>({
+				model: "ssoProvider",
+				where: [{ field: "providerId", value: body.providerId }],
+			});
+
+			if (!provider) {
+				throw new APIError("NOT_FOUND", {
+					message: "Provider not found",
+					code: "PROVIDER_NOT_FOUND",
+				});
+			}
+
+			const userId = ctx.context.session.user.id;
+			let isOrgMember = true;
+			if (provider.organizationId) {
+				const membershipsCount = await ctx.context.adapter.count({
+					model: "member",
+					where: [
+						{ field: "userId", value: userId },
+						{ field: "organizationId", value: provider.organizationId },
+					],
+				});
+
+				isOrgMember = membershipsCount > 0;
+			}
+
+			if (provider.userId !== userId || !isOrgMember) {
+				throw new APIError("FORBIDDEN", {
+					message:
+						"User must be owner of or belong to the SSO provider organization",
+					code: "INSUFICCIENT_ACCESS",
+				});
+			}
+
+			if ("domainVerified" in provider && provider.domainVerified) {
+				throw new APIError("CONFLICT", {
+					message: "Domain has already been verified",
+					code: "DOMAIN_VERIFIED",
+				});
+			}
+
+			const activeVerification =
+				await ctx.context.adapter.findOne<Verification>({
+					model: "verification",
+					where: [
+						{
+							field: "identifier",
+							value: options.domainVerification?.tokenPrefix
+								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
+								: `better-auth-token-${provider.providerId}`,
+						},
+						{ field: "expiresAt", value: new Date(), operator: "gt" },
+					],
+				});
+
+			if (!activeVerification) {
+				throw new APIError("NOT_FOUND", {
+					message: "No pending domain verification exists",
+					code: "NO_PENDING_VERIFICATION",
+				});
+			}
+
+			let records: string[] = [];
+			let dns: typeof import("node:dns/promises");
+
+			try {
+				dns = await import("node:dns/promises");
+			} catch (error) {
+				ctx.context.logger.error(
+					"The core node:dns module is required for the domain verification feature",
+					error,
+				);
+				throw new APIError("INTERNAL_SERVER_ERROR", {
+					message: "Unable to verify domain ownership due to server error",
+					code: "DOMAIN_VERIFICATION_FAILED",
+				});
+			}
+
+			try {
+				const dnsRecords = await dns.resolveTxt(
+					new URL(provider.domain).hostname,
+				);
+				records = dnsRecords.flat();
+			} catch (error) {
+				ctx.context.logger.warn(
+					"DNS resolution failure while validating domain ownership",
+					error,
+				);
+			}
+
+			const record = records.find((record) =>
+				record.includes(
+					`${activeVerification.identifier}=${activeVerification.value}`,
+				),
+			);
+			if (!record) {
+				throw new APIError("BAD_GATEWAY", {
+					message: "Unable to verify domain ownership. Try again later",
+					code: "DOMAIN_VERIFICATION_FAILED",
+				});
+			}
+
+			await ctx.context.adapter.update<SSOProvider<SSOOptions>>({
+				model: "ssoProvider",
+				where: [{ field: "providerId", value: provider.providerId }],
+				update: {
+					domainVerified: true,
+				},
+			});
+
+			ctx.setStatus(204);
+			return;
+		},
+	);
+};