@better-auth/sso 1.4.0-beta.9 → 1.4.0

package/src/saml.test.ts

@@ -1,31 +1,31 @@
-import {
-	afterAll,
-	beforeAll,
-	beforeEach,
-	describe,
-	expect,
-	it,
-	vi,
-} from "vitest";
+import { betterFetch } from "@better-fetch/fetch";
 import { betterAuth } from "better-auth";
 import { memoryAdapter } from "better-auth/adapters/memory";
 import { createAuthClient } from "better-auth/client";
-import { betterFetch } from "@better-fetch/fetch";
 import { setCookieToHeader } from "better-auth/cookies";
 import { bearer } from "better-auth/plugins";
-import { sso } from ".";
-import { ssoClient } from "./client";
-import { createServer } from "http";
-import * as saml from "samlify";
+import { getTestInstance } from "better-auth/test";
+import bodyParser from "body-parser";
+import { randomUUID } from "crypto";
 import type {
 	Application as ExpressApp,
 	Request as ExpressRequest,
 	Response as ExpressResponse,
 } from "express";
 import express from "express";
-import bodyParser from "body-parser";
-import { randomUUID } from "crypto";
-import { getTestInstanceMemory } from "better-auth/test";
+import type { createServer } from "http";
+import * as saml from "samlify";
+import {
+	afterAll,
+	beforeAll,
+	beforeEach,
+	describe,
+	expect,
+	it,
+	vi,
+} from "vitest";
+import { sso } from ".";
+import { ssoClient } from "./client";
 
 const spMetadata = `
     <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:3001/api/sso/saml2/sp/metadata">
@@ -926,7 +926,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is set to 0", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 0 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -957,7 +957,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 1 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -1011,7 +1011,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit from function is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [
 				sso({
 					providersLimit: async (user) => {
@@ -1118,4 +1118,210 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should reject SAML sign-in when disableImplicitSignUp is true and user doesn't exist", async () => {
+		const { auth: authWithDisabledSignUp, signInWithTestUser } =
+			await getTestInstance({
+				plugins: [sso({ disableImplicitSignUp: true })],
+			});
+
+		const { headers } = await signInWithTestUser();
+
+		// Register SAML provider
+		await authWithDisabledSignUp.api.registerSSOProvider({
+			body: {
+				providerId: "saml-test-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers: headers,
+		});
+
+		// Identity Provider-initiated: Get SAML response directly from IdP
+		// The mock IdP will return test@email.com, which doesn't exist in the DB
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		// Attempt to complete SAML callback - should fail because test@email.com doesn't exist
+		// and disableImplicitSignUp is true
+		await expect(
+			authWithDisabledSignUp.api.callbackSSOSAML({
+				body: {
+					SAMLResponse: samlResponse.samlResponse,
+					RelayState: "http://localhost:3000/dashboard",
+				},
+				params: {
+					providerId: "saml-test-provider",
+				},
+			}),
+		).rejects.toMatchObject({
+			status: "UNAUTHORIZED",
+			body: {
+				message:
+					"User not found and implicit sign up is disabled for this provider",
+			},
+		});
+	});
+});
+
+describe("SAML SSO with custom fields", () => {
+	const ssoOptions = {
+		modelName: "sso_provider",
+		fields: {
+			issuer: "the_issuer",
+			oidcConfig: "oidc_config",
+			samlConfig: "saml_config",
+			userId: "user_id",
+			providerId: "provider_id",
+			organizationId: "organization_id",
+			domain: "the_domain",
+		},
+	};
+
+	const data = {
+		user: [],
+		session: [],
+		verification: [],
+		account: [],
+		sso_provider: [],
+	};
+
+	const memory = memoryAdapter(data);
+	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
+
+	const auth = betterAuth({
+		database: memory,
+		baseURL: "http://localhost:3000",
+		emailAndPassword: {
+			enabled: true,
+		},
+		plugins: [sso(ssoOptions)],
+	});
+
+	const authClient = createAuthClient({
+		baseURL: "http://localhost:3000",
+		plugins: [bearer(), ssoClient()],
+		fetchOptions: {
+			customFetchImpl: async (url, init) => {
+				return auth.handler(new Request(url, init));
+			},
+		},
+	});
+
+	const testUser = {
+		email: "test@email.com",
+		password: "password",
+		name: "Test User",
+	};
+
+	beforeAll(async () => {
+		await mockIdP.start();
+		const res = await authClient.signUp.email({
+			email: testUser.email,
+			password: testUser.password,
+			name: testUser.name,
+		});
+	});
+
+	afterAll(async () => {
+		await mockIdP.stop();
+	});
+
+	beforeEach(() => {
+		data.user = [];
+		data.session = [];
+		data.verification = [];
+		data.account = [];
+		data.sso_provider = [];
+
+		vi.clearAllMocks();
+	});
+
+	async function getAuthHeaders() {
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: testUser.email,
+			password: testUser.password,
+			name: testUser.name,
+		});
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+		return headers;
+	}
+
+	it("should register a new SAML provider", async () => {
+		const headers = await getAuthHeaders();
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-provider-1",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+						privateKey: idpPrivateKey,
+						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
+						isAssertionEncrypted: true,
+						encPrivateKey: idpEncryptionKey,
+						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
+					},
+					spMetadata: {
+						metadata: spMetadata,
+						binding: "post",
+						privateKey: spPrivateKey,
+						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
+						isAssertionEncrypted: true,
+						encPrivateKey: spEncryptionKey,
+						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+		expect(provider).toMatchObject({
+			id: expect.any(String),
+			issuer: "http://localhost:8081",
+			samlConfig: {
+				entryPoint: mockIdP.metadataUrl,
+				cert: expect.any(String),
+				callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+				wantAssertionsSigned: false,
+				signatureAlgorithm: "sha256",
+				digestAlgorithm: "sha256",
+				identifierFormat:
+					"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+			},
+		});
+	});
 });

package/src/types.ts

@@ -0,0 +1,256 @@
+import type { OAuth2Tokens, User } from "better-auth";
+
+export interface OIDCMapping {
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	image?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
+}
+
+export interface SAMLMapping {
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	firstName?: string | undefined;
+	lastName?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
+}
+
+export interface OIDCConfig {
+	issuer: string;
+	pkce: boolean;
+	clientId: string;
+	clientSecret: string;
+	authorizationEndpoint?: string | undefined;
+	discoveryEndpoint: string;
+	userInfoEndpoint?: string | undefined;
+	scopes?: string[] | undefined;
+	overrideUserInfo?: boolean | undefined;
+	tokenEndpoint?: string | undefined;
+	tokenEndpointAuthentication?:
+		| ("client_secret_post" | "client_secret_basic")
+		| undefined;
+	jwksEndpoint?: string | undefined;
+	mapping?: OIDCMapping | undefined;
+}
+
+export interface SAMLConfig {
+	issuer: string;
+	entryPoint: string;
+	cert: string;
+	callbackUrl: string;
+	audience?: string | undefined;
+	idpMetadata?:
+		| {
+				metadata?: string;
+				entityID?: string;
+				entityURL?: string;
+				redirectURL?: string;
+				cert?: string;
+				privateKey?: string;
+				privateKeyPass?: string;
+				isAssertionEncrypted?: boolean;
+				encPrivateKey?: string;
+				encPrivateKeyPass?: string;
+				singleSignOnService?: Array<{
+					Binding: string;
+					Location: string;
+				}>;
+		  }
+		| undefined;
+	spMetadata: {
+		metadata?: string | undefined;
+		entityID?: string | undefined;
+		binding?: string | undefined;
+		privateKey?: string | undefined;
+		privateKeyPass?: string | undefined;
+		isAssertionEncrypted?: boolean | undefined;
+		encPrivateKey?: string | undefined;
+		encPrivateKeyPass?: string | undefined;
+	};
+	wantAssertionsSigned?: boolean | undefined;
+	signatureAlgorithm?: string | undefined;
+	digestAlgorithm?: string | undefined;
+	identifierFormat?: string | undefined;
+	privateKey?: string | undefined;
+	decryptionPvk?: string | undefined;
+	additionalParams?: Record<string, any> | undefined;
+	mapping?: SAMLMapping | undefined;
+}
+
+type BaseSSOProvider = {
+	issuer: string;
+	oidcConfig?: OIDCConfig | undefined;
+	samlConfig?: SAMLConfig | undefined;
+	userId: string;
+	providerId: string;
+	organizationId?: string | undefined;
+	domain: string;
+};
+
+export type SSOProvider<O extends SSOOptions> =
+	O["domainVerification"] extends { enabled: true }
+		? {
+				domainVerified: boolean;
+			} & BaseSSOProvider
+		: BaseSSOProvider;
+
+export interface SSOOptions {
+	/**
+	 * custom function to provision a user when they sign in with an SSO provider.
+	 */
+	provisionUser?:
+		| ((data: {
+				/**
+				 * The user object from the database
+				 */
+				user: User & Record<string, any>;
+				/**
+				 * The user info object from the provider
+				 */
+				userInfo: Record<string, any>;
+				/**
+				 * The OAuth2 tokens from the provider
+				 */
+				token?: OAuth2Tokens;
+				/**
+				 * The SSO provider
+				 */
+				provider: SSOProvider<SSOOptions>;
+		  }) => Promise<void>)
+		| undefined;
+	/**
+	 * Organization provisioning options
+	 */
+	organizationProvisioning?:
+		| {
+				disabled?: boolean;
+				defaultRole?: "member" | "admin";
+				getRole?: (data: {
+					/**
+					 * The user object from the database
+					 */
+					user: User & Record<string, any>;
+					/**
+					 * The user info object from the provider
+					 */
+					userInfo: Record<string, any>;
+					/**
+					 * The OAuth2 tokens from the provider
+					 */
+					token?: OAuth2Tokens;
+					/**
+					 * The SSO provider
+					 */
+					provider: SSOProvider<SSOOptions>;
+				}) => Promise<"member" | "admin">;
+		  }
+		| undefined;
+	/**
+	 * Default SSO provider configurations for testing.
+	 * These will take the precedence over the database providers.
+	 */
+	defaultSSO?:
+		| Array<{
+				/**
+				 * The domain to match for this default provider.
+				 * This is only used to match incoming requests to this default provider.
+				 */
+				domain: string;
+				/**
+				 * The provider ID to use
+				 */
+				providerId: string;
+				/**
+				 * SAML configuration
+				 */
+				samlConfig?: SAMLConfig;
+				/**
+				 * OIDC configuration
+				 */
+				oidcConfig?: OIDCConfig;
+		  }>
+		| undefined;
+	/**
+	 * Override user info with the provider info.
+	 * @default false
+	 */
+	defaultOverrideUserInfo?: boolean | undefined;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean | undefined;
+	/**
+	 * The model name for the SSO provider table. Defaults to "ssoProvider".
+	 */
+	modelName?: string;
+	/**
+	 * Map fields
+	 *
+	 * @example
+	 * ```ts
+	 * {
+	 *  samlConfig: "saml_config"
+	 * }
+	 * ```
+	 */
+	fields?: {
+		issuer?: string | undefined;
+		oidcConfig?: string | undefined;
+		samlConfig?: string | undefined;
+		userId?: string | undefined;
+		providerId?: string | undefined;
+		organizationId?: string | undefined;
+		domain?: string | undefined;
+	};
+	/**
+	 * Configure the maximum number of SSO providers a user can register.
+	 * You can also pass a function that returns a number.
+	 * Set to 0 to disable SSO provider registration.
+	 *
+	 * @example
+	 * ```ts
+	 * providersLimit: async (user) => {
+	 *   const plan = await getUserPlan(user);
+	 *   return plan.name === "pro" ? 10 : 1;
+	 * }
+	 * ```
+	 * @default 10
+	 */
+	providersLimit?:
+		| (number | ((user: User) => Promise<number> | number))
+		| undefined;
+	/**
+	 * Trust the email verified flag from the provider.
+	 *
+	 * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+	 * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+	 *
+	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+	 * providers in the `trustedProviders` list.
+	 * @default false
+	 */
+	trustEmailVerified?: boolean | undefined;
+	/**
+	 * Enable domain verification on SSO providers
+	 *
+	 * When this option is enabled, new SSO providers will require the associated domain to be verified by the owner
+	 * prior to allowing sign-ins.
+	 */
+	domainVerification?: {
+		/**
+		 * Enables or disables the domain verification feature
+		 */
+		enabled?: boolean;
+		/**
+		 * Prefix used to generate the domain verification token
+		 *
+		 * @default "better-auth-token-"
+		 */
+		tokenPrefix?: string;
+	};
+}

package/src/utils.ts

@@ -0,0 +1,10 @@
+export const validateEmailDomain = (email: string, domain: string) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	const providerDomain = domain.toLowerCase();
+	if (!emailDomain || !providerDomain) {
+		return false;
+	}
+	return (
+		emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`)
+	);
+};

package/tsconfig.json

@@ -1,9 +1,11 @@
 {
-  "extends": "../../tsconfig.json",
+  "extends": "../../tsconfig.base.json",
   "compilerOptions": {
-    "rootDir": "./src",
-    "outDir": "./dist",
     "lib": ["esnext", "dom", "dom.iterable"]
   },
-  "include": ["src"]
+  "references": [
+    {
+      "path": "../better-auth/tsconfig.json"
+    }
+  ]
 }

package/tsdown.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from "tsdown";
+
+export default defineConfig({
+	dts: { build: true, incremental: true },
+	format: ["esm"],
+	entry: ["./src/index.ts", "./src/client.ts"],
+	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
+});

package/vitest.config.ts

@@ -0,0 +1,3 @@
+import { defineProject } from "vitest/config";
+
+export default defineProject({});

package/build.config.ts

@@ -1,12 +0,0 @@
-import { defineBuildConfig } from "unbuild";
-
-export default defineBuildConfig({
-	declaration: true,
-	rollup: {
-		emitCJS: true,
-	},
-	outDir: "dist",
-	clean: false,
-	failOnWarn: false,
-	externals: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
-});

package/dist/client.cjs

@@ -1,10 +0,0 @@
-'use strict';
-
-const ssoClient = () => {
-  return {
-    id: "sso-client",
-    $InferServerPlugin: {}
-  };
-};
-
-exports.ssoClient = ssoClient;

package/dist/client.d.cts

@@ -1,11 +0,0 @@
-import { sso } from './index.cjs';
-import 'better-call';
-import 'better-auth';
-import 'zod/v4';
-
-declare const ssoClient: () => {
-    id: "sso-client";
-    $InferServerPlugin: ReturnType<typeof sso>;
-};
-
-export { ssoClient };

package/dist/client.d.ts

@@ -1,11 +0,0 @@
-import { sso } from './index.js';
-import 'better-call';
-import 'better-auth';
-import 'zod/v4';
-
-declare const ssoClient: () => {
-    id: "sso-client";
-    $InferServerPlugin: ReturnType<typeof sso>;
-};
-
-export { ssoClient };