@better-auth/sso 1.4.18 → 1.4.20

package/src/routes/sso.ts

@@ -1,3 +1,4 @@
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -24,6 +25,7 @@ import type { BindingContext } from "samlify/types/src/entity";
 import type { IdentityProvider } from "samlify/types/src/entity-idp";
 import type { FlowResult } from "samlify/types/src/flow";
 import z from "zod/v4";
+import { getVerificationIdentifier } from "./domain-verification";
 
 interface AuthnRequestRecord {
 	id: string;
@@ -228,6 +230,7 @@ export const spMetadata = () => {
 									`${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.id}`,
 							},
 						],
+						authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 						nameIDFormat: parsedSamlConfig.identifierFormat
 							? [parsedSamlConfig.identifierFormat]
@@ -860,9 +863,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				await ctx.context.adapter.create<Verification>({
 					model: "verification",
 					data: {
-						identifier: options.domainVerification?.tokenPrefix
-							? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-							: `better-auth-token-${provider.providerId}`,
+						identifier: getVerificationIdentifier(options, provider.providerId),
 						createdAt: new Date(),
 						updatedAt: new Date(),
 						value: domainVerificationToken as string,
@@ -1283,6 +1284,8 @@ export const signInSSO = (options?: SSOOptions) => {
 											`${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`,
 									},
 								],
+								authnRequestsSigned:
+									parsedSamlConfig.authnRequestsSigned || false,
 								wantMessageSigned:
 									parsedSamlConfig.wantAssertionsSigned || false,
 								nameIDFormat: parsedSamlConfig.identifierFormat
@@ -1294,16 +1297,41 @@ export const signInSSO = (options?: SSOOptions) => {
 
 				const sp = saml.ServiceProvider({
 					metadata: metadata,
+					privateKey:
+						parsedSamlConfig.spMetadata?.privateKey ||
+						parsedSamlConfig.privateKey,
+					privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 					allowCreate: true,
 				});
 
-				const idp = saml.IdentityProvider({
-					metadata: parsedSamlConfig.idpMetadata?.metadata,
-					entityID: parsedSamlConfig.idpMetadata?.entityID,
-					encryptCert: parsedSamlConfig.idpMetadata?.cert,
-					singleSignOnService:
-						parsedSamlConfig.idpMetadata?.singleSignOnService,
-				});
+				const idpData = parsedSamlConfig.idpMetadata;
+				let idp: IdentityProvider;
+				if (!idpData?.metadata) {
+					idp = saml.IdentityProvider({
+						entityID: idpData?.entityID || parsedSamlConfig.issuer,
+						singleSignOnService: idpData?.singleSignOnService || [
+							{
+								Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+								Location: parsedSamlConfig.entryPoint,
+							},
+						],
+						signingCert: idpData?.cert || parsedSamlConfig.cert,
+						wantAuthnRequestsSigned:
+							parsedSamlConfig.authnRequestsSigned || false,
+						isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
+						encPrivateKey: idpData?.encPrivateKey,
+						encPrivateKeyPass: idpData?.encPrivateKeyPass,
+					});
+				} else {
+					idp = saml.IdentityProvider({
+						metadata: idpData.metadata,
+						privateKey: idpData.privateKey,
+						privateKeyPass: idpData.privateKeyPass,
+						isAssertionEncrypted: idpData.isAssertionEncrypted,
+						encPrivateKey: idpData.encPrivateKey,
+						encPrivateKeyPass: idpData.encPrivateKeyPass,
+					});
+				}
 				const loginRequest = sp.createLoginRequest(
 					idp,
 					"redirect",
@@ -1447,7 +1475,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				throw ctx.redirect(
 					`${
 						errorURL || callbackURL
-					}/error?error=invalid_provider&error_description=provider not found`,
+					}?error=invalid_provider&error_description=provider not found`,
 				);
 			}
 
@@ -1466,7 +1494,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				throw ctx.redirect(
 					`${
 						errorURL || callbackURL
-					}/error?error=invalid_provider&error_description=provider not found`,
+					}?error=invalid_provider&error_description=provider not found`,
 				);
 			}
 
@@ -1493,7 +1521,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				throw ctx.redirect(
 					`${
 						errorURL || callbackURL
-					}/error?error=invalid_provider&error_description=token_endpoint_not_found`,
+					}?error=invalid_provider&error_description=token_endpoint_not_found`,
 				);
 			}
 
@@ -1524,7 +1552,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				throw ctx.redirect(
 					`${
 						errorURL || callbackURL
-					}/error?error=invalid_provider&error_description=token_response_not_found`,
+					}?error=invalid_provider&error_description=token_response_not_found`,
 				);
 			}
 			let userInfo: {
@@ -1541,12 +1569,16 @@ export const callbackSSO = (options?: SSOOptions) => {
 					throw ctx.redirect(
 						`${
 							errorURL || callbackURL
-						}/error?error=invalid_provider&error_description=jwks_endpoint_not_found`,
+						}?error=invalid_provider&error_description=jwks_endpoint_not_found`,
 					);
 				}
 				const verified = await validateToken(
 					tokenResponse.idToken,
 					config.jwksEndpoint,
+					{
+						audience: config.clientId,
+						issuer: provider.issuer,
+					},
 				).catch((e) => {
 					ctx.context.logger.error(e);
 					return null;
@@ -1555,14 +1587,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 					throw ctx.redirect(
 						`${
 							errorURL || callbackURL
-						}/error?error=invalid_provider&error_description=token_not_verified`,
-					);
-				}
-				if (verified.payload.iss !== provider.issuer) {
-					throw ctx.redirect(
-						`${
-							errorURL || callbackURL
-						}/error?error=invalid_provider&error_description=issuer_mismatch`,
+						}?error=invalid_provider&error_description=token_not_verified`,
 					);
 				}
 
@@ -1595,7 +1620,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 					throw ctx.redirect(
 						`${
 							errorURL || callbackURL
-						}/error?error=invalid_provider&error_description=user_info_endpoint_not_found`,
+						}?error=invalid_provider&error_description=user_info_endpoint_not_found`,
 					);
 				}
 				const userInfoResponse = await betterFetch<{
@@ -1613,7 +1638,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 					throw ctx.redirect(
 						`${
 							errorURL || callbackURL
-						}/error?error=invalid_provider&error_description=${
+						}?error=invalid_provider&error_description=${
 							userInfoResponse.error.message
 						}`,
 					);
@@ -1625,7 +1650,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				throw ctx.redirect(
 					`${
 						errorURL || callbackURL
-					}/error?error=invalid_provider&error_description=missing_user_info`,
+					}?error=invalid_provider&error_description=missing_user_info`,
 				);
 			}
 			const isTrustedProvider =
@@ -1659,9 +1684,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				isTrustedProvider,
 			});
 			if (linked.error) {
-				throw ctx.redirect(
-					`${errorURL || callbackURL}/error?error=${linked.error}`,
-				);
+				throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
 			}
 			const { session, user } = linked.data!;
 
@@ -1913,6 +1936,21 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					message: "Invalid SAML configuration",
 				});
 			}
+
+			const isTrusted = (
+				url: string,
+				settings?: { allowRelativePaths: boolean },
+			) => ctx.context.isTrustedOrigin(url, settings);
+
+			const safeErrorUrl = getSafeRedirectUrl(
+				relayState?.errorURL ||
+					relayState?.callbackURL ||
+					parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				isTrusted,
+			);
+
 			const idpData = parsedSamlConfig.idpMetadata;
 			let idp: IdentityProvider | null = null;
 
@@ -1920,7 +1958,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			if (!idpData?.metadata) {
 				idp = saml.IdentityProvider({
 					entityID: idpData?.entityID || parsedSamlConfig.issuer,
-					singleSignOnService: [
+					singleSignOnService: idpData?.singleSignOnService || [
 						{
 							Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 							Location: parsedSamlConfig.entryPoint,
@@ -1928,7 +1966,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					],
 					signingCert: idpData?.cert || parsedSamlConfig.cert,
 					wantAuthnRequestsSigned:
-						parsedSamlConfig.wantAssertionsSigned || false,
+						parsedSamlConfig.authnRequestsSigned || false,
 					isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
 					encPrivateKey: idpData?.encPrivateKey,
 					encPrivateKeyPass: idpData?.encPrivateKeyPass,
@@ -1985,8 +2023,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2037,12 +2075,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							"SAML InResponseTo validation failed: unknown or expired request ID",
 							{ inResponseTo, providerId: provider.providerId },
 						);
-						const redirectUrl =
-							relayState?.callbackURL ||
-							parsedSamlConfig.callbackUrl ||
-							ctx.context.baseURL;
 						throw ctx.redirect(
-							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
+							`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
 						);
 					}
 
@@ -2059,12 +2093,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
 							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
 						);
-						const redirectUrl =
-							relayState?.callbackURL ||
-							parsedSamlConfig.callbackUrl ||
-							ctx.context.baseURL;
 						throw ctx.redirect(
-							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
+							`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
 						);
 					}
 
@@ -2076,12 +2106,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						"SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false",
 						{ providerId: provider.providerId },
 					);
-					const redirectUrl =
-						relayState?.callbackURL ||
-						parsedSamlConfig.callbackUrl ||
-						ctx.context.baseURL;
 					throw ctx.redirect(
-						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
+						`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
 					);
 				}
 			}
@@ -2131,12 +2157,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							providerId: provider.providerId,
 						},
 					);
-					const redirectUrl =
-						relayState?.callbackURL ||
-						parsedSamlConfig.callbackUrl ||
-						ctx.context.baseURL;
 					throw ctx.redirect(
-						`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
+						`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
 					);
 				}
 
@@ -2207,10 +2229,12 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					!!(provider as { domainVerified?: boolean }).domainVerified &&
 					validateEmailDomain(userInfo.email as string, provider.domain));
 
-			const callbackUrl =
-				relayState?.callbackURL ||
-				parsedSamlConfig.callbackUrl ||
-				ctx.context.baseURL;
+			const safeCallbackUrl = getSafeRedirectUrl(
+				relayState?.callbackURL || parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				isTrusted,
+			);
 
 			const result = await handleOAuthUserInfo(ctx, {
 				userInfo: {
@@ -2225,14 +2249,14 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					accessToken: "",
 					refreshToken: "",
 				},
-				callbackURL: callbackUrl,
+				callbackURL: safeCallbackUrl,
 				disableSignUp: options?.disableImplicitSignUp,
 				isTrustedProvider,
 			});
 
 			if (result.error) {
 				throw ctx.redirect(
-					`${callbackUrl}?error=${result.error.split(" ").join("_")}`,
+					`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`,
 				);
 			}
 
@@ -2261,14 +2285,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			});
 
 			await setSessionCookie(ctx, { session, user });
-
-			const safeRedirectUrl = getSafeRedirectUrl(
-				relayState?.callbackURL || parsedSamlConfig.callbackUrl,
-				currentCallbackPath,
-				appOrigin,
-				(url, settings) => ctx.context.isTrustedOrigin(url, settings),
-			);
-			throw ctx.redirect(safeRedirectUrl);
+			throw ctx.redirect(safeCallbackUrl);
 		},
 	);
 };
@@ -2305,8 +2322,10 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			},
 		},
 		async (ctx) => {
-			const { SAMLResponse, RelayState = "" } = ctx.body;
+			const { SAMLResponse } = ctx.body;
 			const { providerId } = ctx.params;
+			const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
+			const appOrigin = new URL(ctx.context.baseURL).origin;
 
 			const maxResponseSize =
 				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
@@ -2315,6 +2334,14 @@ export const acsEndpoint = (options?: SSOOptions) => {
 					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
 				});
 			}
+			let relayState: RelayState | null = null;
+			if (ctx.body.RelayState) {
+				try {
+					relayState = await parseRelayState(ctx);
+				} catch {
+					relayState = null;
+				}
+			}
 
 			// If defaultSSO is configured, use it as the provider
 			let provider: SSOProvider<SSOOptions> | null = null;
@@ -2379,6 +2406,23 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			const parsedSamlConfig = provider.samlConfig;
+
+			const isTrusted = (
+				url: string,
+				settings?: { allowRelativePaths: boolean },
+			) => ctx.context.isTrustedOrigin(url, settings);
+
+			// Compute a safe error redirect URL once, reused by all error paths.
+			// Prefers errorURL from relay state, falls back to callbackURL, then provider config, then baseURL.
+			const safeErrorUrl = getSafeRedirectUrl(
+				relayState?.errorURL ||
+					relayState?.callbackURL ||
+					parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				isTrusted,
+			);
+
 			// Configure SP and IdP
 			const sp = saml.ServiceProvider({
 				entityID:
@@ -2423,14 +2467,12 @@ export const acsEndpoint = (options?: SSOOptions) => {
 				validateSingleAssertion(SAMLResponse);
 			} catch (error) {
 				if (error instanceof APIError) {
-					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					const errorCode =
 						error.body?.code === "SAML_MULTIPLE_ASSERTIONS"
 							? "multiple_assertions"
 							: "no_assertion";
 					throw ctx.redirect(
-						`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`,
+						`${safeErrorUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`,
 					);
 				}
 				throw error;
@@ -2442,7 +2484,7 @@ export const acsEndpoint = (options?: SSOOptions) => {
 				parsedResponse = await sp.parseLoginResponse(idp, "post", {
 					body: {
 						SAMLResponse,
-						RelayState: RelayState || undefined,
+						RelayState: ctx.body.RelayState || undefined,
 					},
 				});
 
@@ -2452,8 +2494,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2506,10 +2548,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 							"SAML InResponseTo validation failed: unknown or expired request ID",
 							{ inResponseTo: inResponseToAcs, providerId },
 						);
-						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 						throw ctx.redirect(
-							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
+							`${safeErrorUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
 						);
 					}
 
@@ -2525,10 +2565,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
 							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`,
 						);
-						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 						throw ctx.redirect(
-							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
+							`${safeErrorUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
 						);
 					}
 
@@ -2540,17 +2578,15 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						"SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false",
 						{ providerId },
 					);
-					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(
-						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
+						`${safeErrorUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
 					);
 				}
 			}
 
 			// Assertion Replay Protection
-			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
-				"utf-8",
+			const samlContentAcs = new TextDecoder().decode(
+				base64.decode(SAMLResponse),
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);
 
@@ -2593,10 +2629,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 							providerId,
 						},
 					);
-					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 					throw ctx.redirect(
-						`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
+						`${safeErrorUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
 					);
 				}
 
@@ -2668,8 +2702,12 @@ export const acsEndpoint = (options?: SSOOptions) => {
 					!!(provider as { domainVerified?: boolean }).domainVerified &&
 					validateEmailDomain(userInfo.email as string, provider.domain));
 
-			const callbackUrl =
-				RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+			const safeCallbackUrl = getSafeRedirectUrl(
+				relayState?.callbackURL || parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				isTrusted,
+			);
 
 			const result = await handleOAuthUserInfo(ctx, {
 				userInfo: {
@@ -2684,14 +2722,14 @@ export const acsEndpoint = (options?: SSOOptions) => {
 					accessToken: "",
 					refreshToken: "",
 				},
-				callbackURL: callbackUrl,
+				callbackURL: safeCallbackUrl,
 				disableSignUp: options?.disableImplicitSignUp,
 				isTrustedProvider,
 			});
 
 			if (result.error) {
 				throw ctx.redirect(
-					`${callbackUrl}?error=${result.error.split(" ").join("_")}`,
+					`${safeCallbackUrl}?error=${result.error.split(" ").join("_")}`,
 				);
 			}
 
@@ -2720,7 +2758,7 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			});
 
 			await setSessionCookie(ctx, { session, user });
-			throw ctx.redirect(callbackUrl);
+			throw ctx.redirect(safeCallbackUrl);
 		},
 	);
 };

package/src/saml-state.ts

@@ -1,7 +1,7 @@
 import type { GenericEndpointContext, StateData } from "better-auth";
 import { generateGenericState, parseGenericState } from "better-auth";
+import { APIError } from "better-auth/api";
 import { generateRandomString } from "better-auth/crypto";
-import { APIError } from "better-call";
 
 export async function generateRelayState(
 	c: GenericEndpointContext,