npm - @better-auth/sso - Versions diffs - 1.4.10-beta.1 → 1.4.11-beta.1 - Mend

@better-auth/sso 1.4.10-beta.1 → 1.4.11-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/.turbo/turbo-build.log +7 -7
package/dist/client.d.mts +1 -1
package/dist/{index-CvpS40sl.d.mts → index-D4Ey-vkQ.d.mts} +35 -1
package/dist/index.d.mts +2 -2
package/dist/index.mjs +113 -25
package/package.json +4 -3
package/src/constants.ts +16 -0
package/src/index.ts +6 -0
package/src/routes/sso.ts +64 -9
package/src/saml/algorithms.ts +1 -31
package/src/saml/assertions.test.ts +239 -0
package/src/saml/assertions.ts +62 -0
package/src/saml/index.ts +2 -0
package/src/saml/parser.ts +56 -0
package/src/saml.test.ts +361 -5
package/src/types.ts +12 -0

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @better-auth/sso@1.4.10-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.11-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 [34mℹ[39m tsdown [2mv0.17.2[22m powered by rolldown [2mv1.0.0-beta.53[22m
@@ -7,10 +7,10 @@
 [34mℹ[39m entry: [34msrc/index.ts, src/client.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m95.91 kB[22m [2m│ gzip: 18.60 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m99.53 kB[22m [2m│ gzip: 19.50 kB[22m
 [34mℹ[39m [2mdist/[22m[1mclient.mjs[22m            [2m 0.15 kB[22m [2m│ gzip:  0.14 kB[22m
-[34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 1.48 kB[22m [2m│ gzip:  0.51 kB[22m
-[34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m 0.49 kB[22m [2m│ gzip:  0.29 kB[22m
-[34mℹ[39m [2mdist/[22m[32mindex-CvpS40sl.d.mts[39m  [2m43.12 kB[22m [2m│ gzip:  8.83 kB[22m
-[34mℹ[39m 5 files, total: 141.14 kB
-[32m✔[39m Build complete in [32m16051ms[39m
+[34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 1.67 kB[22m [2m│ gzip:  0.57 kB[22m
+[34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m 0.49 kB[22m [2m│ gzip:  0.30 kB[22m
+[34mℹ[39m [2mdist/[22m[32mindex-D4Ey-vkQ.d.mts[39m  [2m44.21 kB[22m [2m│ gzip:  9.10 kB[22m
+[34mℹ[39m 5 files, total: 146.05 kB
+[32m✔[39m Build complete in [32m23049ms[39m

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-CvpS40sl.mjs";
+import { t as SSOPlugin } from "./index-D4Ey-vkQ.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-CvpS40sl.d.mts → index-D4Ey-vkQ.d.mts} RENAMED Viewed

@@ -367,6 +367,18 @@ interface SSOOptions {
      * ```
      */
     algorithms?: AlgorithmValidationOptions;
+    /**
+     * Maximum allowed size for SAML responses in bytes.
+     *
+     * @default 262144 (256KB)
+     */
+    maxResponseSize?: number;
+    /**
+     * Maximum allowed size for IdP metadata XML in bytes.
+     *
+     * @default 102400 (100KB)
+     */
+    maxMetadataSize?: number;
   };
 }
 //#endregion
@@ -956,6 +968,28 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 //#endregion
+//#region src/constants.d.ts
+/**
+ * Default clock skew tolerance (5 minutes).
+ * Allows for minor time differences between IdP and SP servers.
+ *
+ * Accommodates:
+ * - Network latency and processing time
+ * - Clock synchronization differences (NTP drift)
+ * - Distributed systems across timezones
+ */
+declare const DEFAULT_CLOCK_SKEW_MS: number;
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
+//#endregion
 //#region src/oidc/types.d.ts
 /**
  * OIDC Discovery Types
@@ -1250,4 +1284,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { KeyEncryptionAlgorithm as A, SAMLConfig as C, DataEncryptionAlgorithm as D, AlgorithmValidationOptions as E, DeprecatedAlgorithmBehavior as O, OIDCConfig as S, SSOProvider as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, SignatureAlgorithm as j, DigestAlgorithm as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SSOOptions as w, validateSAMLTimestamp as x, SAMLConditions as y };
+export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CvpS40sl.mjs";
-export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-D4Ey-vkQ.mjs";
+export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs CHANGED Viewed

@@ -4,12 +4,12 @@ import * as saml from "samlify";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
-import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
+import { base64 } from "@better-auth/utils/base64";
 //#region src/linking/org-assignment.ts
 /**
@@ -306,6 +306,16 @@ const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
 * - Distributed systems across timezones
 */
 const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+/**
+* Default maximum size for SAML responses (256 KB).
+* Protects against memory exhaustion from oversized SAML payloads.
+*/
+const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+* Default maximum size for IdP metadata (100 KB).
+* Protects against oversized metadata documents.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
 //#endregion
 //#region src/oidc/types.ts
@@ -653,6 +663,41 @@ function mapDiscoveryErrorToAPIError(error) {
 	}
 }
+//#endregion
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
 //#endregion
 //#region src/saml/algorithms.ts
 const SignatureAlgorithm = {
@@ -726,25 +771,6 @@ function normalizeSignatureAlgorithm(alg) {
 function normalizeDigestAlgorithm(alg) {
 	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
 }
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
 function extractEncryptionAlgorithms(xml) {
 	try {
 		const parsed = xmlParser.parse(xml);
@@ -853,6 +879,49 @@ function validateConfigAlgorithms(config, options = {}) {
 	}
 }
+//#endregion
+//#region src/saml/assertions.ts
+/** @lintignore used in tests */
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
+	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
 //#endregion
 //#region src/utils.ts
 /**
@@ -1239,6 +1308,10 @@ const registerSSOProvider = (options) => {
 		})).length >= limit) throw new APIError("FORBIDDEN", { message: "You have reached the maximum number of SSO providers" });
 		const body = ctx.body;
 		if (z.string().url().safeParse(body.issuer).error) throw new APIError("BAD_REQUEST", { message: "Invalid issuer. Must be a valid URL" });
+		if (body.samlConfig?.idpMetadata?.metadata) {
+			const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+		}
 		if (ctx.body.organizationId) {
 			if (!await ctx.context.adapter.findOne({
 				model: "member",
@@ -1273,7 +1346,7 @@ const registerSSOProvider = (options) => {
 					userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 					tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication
 				},
-				isTrustedOrigin: ctx.context.isTrustedOrigin
+				isTrustedOrigin: (url) => ctx.context.isTrustedOrigin(url)
 			});
 		} catch (error) {
 			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
@@ -1773,6 +1846,8 @@ const callbackSSOSAML = (options) => {
 	}, async (ctx) => {
 		const { SAMLResponse, RelayState } = ctx.body;
 		const { providerId } = ctx.params;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
@@ -1838,6 +1913,7 @@ const callbackSSOSAML = (options) => {
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 		});
+		validateSingleAssertion(SAMLResponse);
 		let parsedResponse;
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
@@ -1848,7 +1924,7 @@ const callbackSSOSAML = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2024,6 +2100,8 @@ const acsEndpoint = (options) => {
 	}, async (ctx) => {
 		const { SAMLResponse, RelayState = "" } = ctx.body;
 		const { providerId } = ctx.params;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
@@ -2072,6 +2150,16 @@ const acsEndpoint = (options) => {
 			}],
 			signingCert: idpData?.cert || parsedSamlConfig.cert
 		}) : saml.IdentityProvider({ metadata: idpData.metadata });
+		try {
+			validateSingleAssertion(SAMLResponse);
+		} catch (error) {
+			if (error instanceof APIError) {
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
+				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
+			}
+			throw error;
+		}
 		let parsedResponse;
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
@@ -2082,7 +2170,7 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2133,7 +2221,7 @@ const acsEndpoint = (options) => {
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
+		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
@@ -2332,4 +2420,4 @@ function sso(options) {
 }
 //#endregion
-export { DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.10-beta.1",
+  "version": "1.4.11-beta.1",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -67,10 +67,11 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.10-beta.1"
+    "better-auth": "1.4.11-beta.1"
   },
   "peerDependencies": {
-    "better-auth": "1.4.10-beta.1"
+    "@better-auth/utils": "0.3.0",
+    "better-auth": "1.4.11-beta.1"
   },
   "scripts": {
     "test": "vitest",

package/src/constants.ts CHANGED Viewed

@@ -40,3 +40,19 @@ export const DEFAULT_ASSERTION_TTL_MS = 15 * 60 * 1000;
  * - Distributed systems across timezones
  */
 export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;
+// ============================================================================
+// Size Limits (DoS Protection)
+// ============================================================================
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+export const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+export const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;

package/src/index.ts CHANGED Viewed

@@ -16,6 +16,12 @@ import {
 	spMetadata,
 } from "./routes/sso";
+export {
+	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
+} from "./constants";
 export {
 	type SAMLConditions,
 	type TimestampValidationOptions,

package/src/routes/sso.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -37,6 +36,8 @@ import {
 	DEFAULT_ASSERTION_TTL_MS,
 	DEFAULT_AUTHN_REQUEST_TTL_MS,
 	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
 	USED_ASSERTION_KEY_PREFIX,
 } from "../constants";
 import { assignOrganizationFromProvider } from "../linking";
@@ -46,7 +47,11 @@ import {
 	discoverOIDCConfig,
 	mapDiscoveryErrorToAPIError,
 } from "../oidc";
-import { validateConfigAlgorithms, validateSAMLAlgorithms } from "../saml";
+import {
+	validateConfigAlgorithms,
+	validateSAMLAlgorithms,
+	validateSingleAssertion,
+} from "../saml";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
 import { safeJsonParse, validateEmailDomain } from "../utils";
@@ -666,6 +671,20 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 					message: "Invalid issuer. Must be a valid URL",
 				});
 			}
+			if (body.samlConfig?.idpMetadata?.metadata) {
+				const maxMetadataSize =
+					options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (
+					new TextEncoder().encode(body.samlConfig.idpMetadata.metadata)
+						.length > maxMetadataSize
+				) {
+					throw new APIError("BAD_REQUEST", {
+						message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)`,
+					});
+				}
+			}
 			if (ctx.body.organizationId) {
 				const organization = await ctx.context.adapter.findOne({
 					model: "member",
@@ -720,7 +739,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 							tokenEndpointAuthentication:
 								body.oidcConfig.tokenEndpointAuthentication,
 						},
-						isTrustedOrigin: ctx.context.isTrustedOrigin,
+						isTrustedOrigin: (url: string) => ctx.context.isTrustedOrigin(url),
 					});
 				} catch (error) {
 					if (error instanceof DiscoveryError) {
@@ -1698,6 +1717,15 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 		async (ctx) => {
 			const { SAMLResponse, RelayState } = ctx.body;
 			const { providerId } = ctx.params;
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
 			let provider: SSOProvider<SSOOptions> | null = null;
 			if (options?.defaultSSO?.length) {
 				const matchingDefault = options.defaultSSO.find(
@@ -1811,6 +1839,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					: undefined,
 			});
+			validateSingleAssertion(SAMLResponse);
 			let parsedResponse: FlowResult;
 			try {
 				parsedResponse = await sp.parseLoginResponse(idp, "post", {
@@ -1826,8 +1856,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2137,6 +2167,14 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			const { SAMLResponse, RelayState = "" } = ctx.body;
 			const { providerId } = ctx.params;
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
 			// If defaultSSO is configured, use it as the provider
 			let provider: SSOProvider<SSOOptions> | null = null;
@@ -2240,6 +2278,23 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						metadata: idpData.metadata,
 					});
+			try {
+				validateSingleAssertion(SAMLResponse);
+			} catch (error) {
+				if (error instanceof APIError) {
+					const redirectUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const errorCode =
+						error.body?.code === "SAML_MULTIPLE_ASSERTIONS"
+							? "multiple_assertions"
+							: "no_assertion";
+					throw ctx.redirect(
+						`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`,
+					);
+				}
+				throw error;
+			}
 			// Parse and validate SAML response
 			let parsedResponse: FlowResult;
 			try {
@@ -2256,8 +2311,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2353,8 +2408,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 			// Assertion Replay Protection
-			const samlContentAcs = new TextDecoder().decode(
-				base64.decode(SAMLResponse),
+			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
+				"utf-8",
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);

package/src/saml/algorithms.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { APIError } from "better-auth/api";
-import { XMLParser } from "fast-xml-parser";
+import { findNode, xmlParser } from "./parser";
 export const SignatureAlgorithm = {
 	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
@@ -102,36 +102,6 @@ export interface AlgorithmValidationOptions {
 	allowedDataEncryptionAlgorithms?: string[];
 }
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-});
-function findNode(obj: unknown, nodeName: string): unknown {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj as Record<string, unknown>;
-	if (nodeName in record) {
-		return record[nodeName];
-	}
-	for (const value of Object.values(record)) {
-		if (Array.isArray(value)) {
-			for (const item of value) {
-				const found = findNode(item, nodeName);
-				if (found) return found;
-			}
-		} else if (typeof value === "object" && value !== null) {
-			const found = findNode(value, nodeName);
-			if (found) return found;
-		}
-	}
-	return null;
-}
 function extractEncryptionAlgorithms(xml: string): {
 	keyEncryption: string | null;
 	dataEncryption: string | null;