@better-auth/sso 1.4.18 → 1.4.20

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.18",
+  "version": "1.4.20",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -67,11 +67,12 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.18"
+    "better-auth": "1.4.20"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
-    "better-auth": "1.4.18"
+    "better-call": "1.1.8",
+    "better-auth": "1.4.20"
   },
   "scripts": {
     "test": "vitest",

package/src/domain-verification.test.ts

@@ -286,7 +286,7 @@ describe("Domain verification", async () => {
 
 			dnsMock.resolveTxt.mockResolvedValue([
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 
@@ -471,7 +471,7 @@ describe("Domain verification", async () => {
 					"v=spf1 ip4:50.242.118.232/29 include:_spf.google.com include:mail.zendesk.com ~all",
 				],
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 
@@ -484,6 +484,9 @@ describe("Domain verification", async () => {
 			});
 
 			expect(response.status).toBe(204);
+			expect(dnsMock.resolveTxt).toHaveBeenCalledWith(
+				"_better-auth-token-saml-provider-1.hello.com",
+			);
 		});
 
 		it("should verify a provider domain ownership (custom token verification prefix)", async () => {
@@ -498,7 +501,7 @@ describe("Domain verification", async () => {
 				[
 					"v=spf1 ip4:50.242.118.232/29 include:_spf.google.com include:mail.zendesk.com ~all",
 				],
-				[`auth-prefix-saml-provider-1=${provider.domainVerificationToken}`],
+				[`_auth-prefix-saml-provider-1=${provider.domainVerificationToken}`],
 			]);
 
 			const response = await auth.api.verifyDomain({
@@ -510,6 +513,45 @@ describe("Domain verification", async () => {
 			});
 
 			expect(response.status).toBe(204);
+			expect(dnsMock.resolveTxt).toHaveBeenCalledWith(
+				"_auth-prefix-saml-provider-1.hello.com",
+			);
+		});
+
+		it("should return bad request when provider ID exceeds DNS label limit", async () => {
+			const longProviderId = "a".repeat(50);
+			const { auth, getAuthHeaders } = createTestAuth();
+			const headers = await getAuthHeaders(testUser);
+
+			await auth.api.registerSSOProvider({
+				body: {
+					providerId: longProviderId,
+					issuer: "http://hello.com:8081",
+					domain: "http://hello.com:8081",
+					samlConfig: {
+						entryPoint: "http://idp.com:",
+						cert: "the-cert",
+						callbackUrl: "http://hello.com:8081/api/sso/saml2/callback",
+						spMetadata: {},
+					},
+				},
+				headers,
+			});
+
+			const response = await auth.api.verifyDomain({
+				body: {
+					providerId: longProviderId,
+				},
+				headers,
+				asResponse: true,
+			});
+
+			expect(response.status).toBe(400);
+			expect(await response.json()).toEqual({
+				message:
+					"Verification identifier exceeds the DNS label limit of 63 characters",
+				code: "IDENTIFIER_TOO_LONG",
+			});
 		});
 
 		it("should fail to verify an already verified domain", async () => {
@@ -519,7 +561,7 @@ describe("Domain verification", async () => {
 
 			dnsMock.resolveTxt.mockResolvedValue([
 				[
-					`better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
+					`_better-auth-token-saml-provider-1=${provider.domainVerificationToken}`,
 				],
 			]);
 

package/src/linking/org-assignment.ts

@@ -5,13 +5,13 @@ import type { NormalizedSSOProfile } from "./types";
 
 export interface OrganizationProvisioningOptions {
 	disabled?: boolean;
-	defaultRole?: "member" | "admin";
+	defaultRole?: string;
 	getRole?: (data: {
 		user: User & Record<string, any>;
 		userInfo: Record<string, any>;
 		token?: OAuth2Tokens;
 		provider: SSOProvider<SSOOptions>;
-	}) => Promise<"member" | "admin">;
+	}) => Promise<string>;
 }
 
 export interface AssignOrganizationFromProviderOptions {

package/src/oidc.test.ts

@@ -393,9 +393,7 @@ describe("SSO disable implicit sign in", async () => {
 			"redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fsso%2Fcallback%2Ftest",
 		);
 		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
-		expect(callbackURL).toContain(
-			"/api/auth/error/error?error=signup disabled",
-		);
+		expect(callbackURL).toContain("/api/auth/error?error=signup disabled");
 	});
 
 	it("should create user with SSO provider when sign ups are disabled but sign up is requested", async () => {

package/src/routes/domain-verification.ts

@@ -8,10 +8,22 @@ import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod/v4";
 import type { SSOOptions, SSOProvider } from "../types";
 
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
+
 const domainVerificationBodySchema = z.object({
 	providerId: z.string(),
 });
 
+export function getVerificationIdentifier(
+	options: SSOOptions,
+	providerId: string,
+): string {
+	const tokenPrefix =
+		options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX;
+	return `_${tokenPrefix}-${providerId}`;
+}
+
 export const requestDomainVerification = (options: SSOOptions) => {
 	return createAuthEndpoint(
 		"/sso/request-domain-verification",
@@ -83,15 +95,18 @@ export const requestDomainVerification = (options: SSOOptions) => {
 				});
 			}
 
+			const identifier = getVerificationIdentifier(
+				options,
+				provider.providerId,
+			);
+
 			const activeVerification =
 				await ctx.context.adapter.findOne<Verification>({
 					model: "verification",
 					where: [
 						{
 							field: "identifier",
-							value: options.domainVerification?.tokenPrefix
-								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-								: `better-auth-token-${provider.providerId}`,
+							value: identifier,
 						},
 						{ field: "expiresAt", value: new Date(), operator: "gt" },
 					],
@@ -106,9 +121,7 @@ export const requestDomainVerification = (options: SSOOptions) => {
 			await ctx.context.adapter.create<Verification>({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix
-						? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-						: `better-auth-token-${provider.providerId}`,
+					identifier,
 					createdAt: new Date(),
 					updatedAt: new Date(),
 					value: domainVerificationToken,
@@ -199,15 +212,25 @@ export const verifyDomain = (options: SSOOptions) => {
 				});
 			}
 
+			const identifier = getVerificationIdentifier(
+				options,
+				provider.providerId,
+			);
+
+			if (identifier.length > DNS_LABEL_MAX_LENGTH) {
+				throw new APIError("BAD_REQUEST", {
+					message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+					code: "IDENTIFIER_TOO_LONG",
+				});
+			}
+
 			const activeVerification =
 				await ctx.context.adapter.findOne<Verification>({
 					model: "verification",
 					where: [
 						{
 							field: "identifier",
-							value: options.domainVerification?.tokenPrefix
-								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-								: `better-auth-token-${provider.providerId}`,
+							value: identifier,
 						},
 						{ field: "expiresAt", value: new Date(), operator: "gt" },
 					],
@@ -237,9 +260,8 @@ export const verifyDomain = (options: SSOOptions) => {
 			}
 
 			try {
-				const dnsRecords = await dns.resolveTxt(
-					new URL(provider.domain).hostname,
-				);
+				const hostname = new URL(provider.domain).hostname;
+				const dnsRecords = await dns.resolveTxt(`${identifier}.${hostname}`);
 				records = dnsRecords.flat();
 			} catch (error) {
 				ctx.context.logger.warn(