@better-auth/sso 1.4.4-beta.1 → 1.4.4-beta.2

@@ -1,8 +1,8 @@
1
1
 
2
- > @better-auth/sso@1.4.4-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
2
+ > @better-auth/sso@1.4.4-beta.2 build /home/runner/work/better-auth/better-auth/packages/sso
3
3
  > tsdown
4
4
 
5
- ℹ tsdown v0.16.6 powered by rolldown v1.0.0-beta.51
5
+ ℹ tsdown v0.16.5 powered by rolldown v1.0.0-beta.50
6
6
  ℹ Using tsdown config: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts
7
7
  ℹ entry: src/index.ts, src/client.ts
8
8
  ℹ tsconfig: tsconfig.json
@@ -11,6 +11,6 @@
11
11
  ℹ dist/client.mjs  0.15 kB │ gzip: 0.14 kB
12
12
  ℹ dist/client.d.mts  0.49 kB │ gzip: 0.30 kB
13
13
  ℹ dist/index.d.mts  0.21 kB │ gzip: 0.15 kB
14
- ℹ dist/index-B7qWG1sd.d.mts  8.55 kB │ gzip: 2.37 kB
15
- ℹ 5 files, total: 67.90 kB
16
- ✔ Build complete in 16543ms
14
+ ℹ dist/index-D-JmJR9N.d.mts 25.42 kB │ gzip: 3.95 kB
15
+ ℹ 5 files, total: 84.77 kB
16
+ ✔ Build complete in 12025ms
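--- a/package/dist/client.d.mts
+++ b/package/dist/client.d.mts
@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-B7qWG1sd.mjs";
+import { t as SSOPlugin } from "./index-D-JmJR9N.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {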
@@ -0,0 +1,853 @@
1
+ import * as z from "zod/v4";
2
+ import { OAuth2Tokens, User } from "better-auth";
3
+ import * as better_call0 from "better-call";
4
+
5
+ //#region src/types.d.ts
6
+ interface OIDCMapping {
7
+ id?: string | undefined;
8
+ email?: string | undefined;
9
+ emailVerified?: string | undefined;
10
+ name?: string | undefined;
11
+ image?: string | undefined;
12
+ extraFields?: Record<string, string> | undefined;
13
+ }
14
+ interface SAMLMapping {
15
+ id?: string | undefined;
16
+ email?: string | undefined;
17
+ emailVerified?: string | undefined;
18
+ name?: string | undefined;
19
+ firstName?: string | undefined;
20
+ lastName?: string | undefined;
21
+ extraFields?: Record<string, string> | undefined;
22
+ }
23
+ interface OIDCConfig {
24
+ issuer: string;
25
+ pkce: boolean;
26
+ clientId: string;
27
+ clientSecret: string;
28
+ authorizationEndpoint?: string | undefined;
29
+ discoveryEndpoint: string;
30
+ userInfoEndpoint?: string | undefined;
31
+ scopes?: string[] | undefined;
32
+ overrideUserInfo?: boolean | undefined;
33
+ tokenEndpoint?: string | undefined;
34
+ tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
35
+ jwksEndpoint?: string | undefined;
36
+ mapping?: OIDCMapping | undefined;
37
+ }
38
+ interface SAMLConfig {
39
+ issuer: string;
40
+ entryPoint: string;
41
+ cert: string;
42
+ callbackUrl: string;
43
+ audience?: string | undefined;
44
+ idpMetadata?: {
45
+ metadata?: string;
46
+ entityID?: string;
47
+ entityURL?: string;
48
+ redirectURL?: string;
49
+ cert?: string;
50
+ privateKey?: string;
51
+ privateKeyPass?: string;
52
+ isAssertionEncrypted?: boolean;
53
+ encPrivateKey?: string;
54
+ encPrivateKeyPass?: string;
55
+ singleSignOnService?: Array<{
56
+ Binding: string;
57
+ Location: string;
58
+ }>;
59
+ } | undefined;
60
+ spMetadata: {
61
+ metadata?: string | undefined;
62
+ entityID?: string | undefined;
63
+ binding?: string | undefined;
64
+ privateKey?: string | undefined;
65
+ privateKeyPass?: string | undefined;
66
+ isAssertionEncrypted?: boolean | undefined;
67
+ encPrivateKey?: string | undefined;
68
+ encPrivateKeyPass?: string | undefined;
69
+ };
70
+ wantAssertionsSigned?: boolean | undefined;
71
+ signatureAlgorithm?: string | undefined;
72
+ digestAlgorithm?: string | undefined;
73
+ identifierFormat?: string | undefined;
74
+ privateKey?: string | undefined;
75
+ decryptionPvk?: string | undefined;
76
+ additionalParams?: Record<string, any> | undefined;
77
+ mapping?: SAMLMapping | undefined;
78
+ }
79
+ type BaseSSOProvider = {
80
+ issuer: string;
81
+ oidcConfig?: OIDCConfig | undefined;
82
+ samlConfig?: SAMLConfig | undefined;
83
+ userId: string;
84
+ providerId: string;
85
+ organizationId?: string | undefined;
86
+ domain: string;
87
+ };
88
+ type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
89
+ enabled: true;
90
+ } ? {
91
+ domainVerified: boolean;
92
+ } & BaseSSOProvider : BaseSSOProvider;
93
+ interface SSOOptions {
94
+ /**
95
+ * custom function to provision a user when they sign in with an SSO provider.
96
+ */
97
+ provisionUser?: ((data: {
98
+ /**
99
+ * The user object from the database
100
+ */
101
+ user: User & Record<string, any>;
102
+ /**
103
+ * The user info object from the provider
104
+ */
105
+ userInfo: Record<string, any>;
106
+ /**
107
+ * The OAuth2 tokens from the provider
108
+ */
109
+ token?: OAuth2Tokens;
110
+ /**
111
+ * The SSO provider
112
+ */
113
+ provider: SSOProvider<SSOOptions>;
114
+ }) => Promise<void>) | undefined;
115
+ /**
116
+ * Organization provisioning options
117
+ */
118
+ organizationProvisioning?: {
119
+ disabled?: boolean;
120
+ defaultRole?: "member" | "admin";
121
+ getRole?: (data: {
122
+ /**
123
+ * The user object from the database
124
+ */
125
+ user: User & Record<string, any>;
126
+ /**
127
+ * The user info object from the provider
128
+ */
129
+ userInfo: Record<string, any>;
130
+ /**
131
+ * The OAuth2 tokens from the provider
132
+ */
133
+ token?: OAuth2Tokens;
134
+ /**
135
+ * The SSO provider
136
+ */
137
+ provider: SSOProvider<SSOOptions>;
138
+ }) => Promise<"member" | "admin">;
139
+ } | undefined;
140
+ /**
141
+ * Default SSO provider configurations for testing.
142
+ * These will take the precedence over the database providers.
143
+ */
144
+ defaultSSO?: Array<{
145
+ /**
146
+ * The domain to match for this default provider.
147
+ * This is only used to match incoming requests to this default provider.
148
+ */
149
+ domain: string;
150
+ /**
151
+ * The provider ID to use
152
+ */
153
+ providerId: string;
154
+ /**
155
+ * SAML configuration
156
+ */
157
+ samlConfig?: SAMLConfig;
158
+ /**
159
+ * OIDC configuration
160
+ */
161
+ oidcConfig?: OIDCConfig;
162
+ }> | undefined;
163
+ /**
164
+ * Override user info with the provider info.
165
+ * @default false
166
+ */
167
+ defaultOverrideUserInfo?: boolean | undefined;
168
+ /**
169
+ * Disable implicit sign up for new users. When set to true for the provider,
170
+ * sign-in need to be called with with requestSignUp as true to create new users.
171
+ */
172
+ disableImplicitSignUp?: boolean | undefined;
173
+ /**
174
+ * The model name for the SSO provider table. Defaults to "ssoProvider".
175
+ */
176
+ modelName?: string;
177
+ /**
178
+ * Map fields
179
+ *
180
+ * @example
181
+ * ```ts
182
+ * {
183
+ * samlConfig: "saml_config"
184
+ * }
185
+ * ```
186
+ */
187
+ fields?: {
188
+ issuer?: string | undefined;
189
+ oidcConfig?: string | undefined;
190
+ samlConfig?: string | undefined;
191
+ userId?: string | undefined;
192
+ providerId?: string | undefined;
193
+ organizationId?: string | undefined;
194
+ domain?: string | undefined;
195
+ };
196
+ /**
197
+ * Configure the maximum number of SSO providers a user can register.
198
+ * You can also pass a function that returns a number.
199
+ * Set to 0 to disable SSO provider registration.
200
+ *
201
+ * @example
202
+ * ```ts
203
+ * providersLimit: async (user) => {
204
+ * const plan = await getUserPlan(user);
205
+ * return plan.name === "pro" ? 10 : 1;
206
+ * }
207
+ * ```
208
+ * @default 10
209
+ */
210
+ providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
211
+ /**
212
+ * Trust the email verified flag from the provider.
213
+ *
214
+ * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
215
+ * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
216
+ *
217
+ * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
218
+ * providers in the `trustedProviders` list.
219
+ * @default false
220
+ */
221
+ trustEmailVerified?: boolean | undefined;
222
+ /**
223
+ * Enable domain verification on SSO providers
224
+ *
225
+ * When this option is enabled, new SSO providers will require the associated domain to be verified by the owner
226
+ * prior to allowing sign-ins.
227
+ */
228
+ domainVerification?: {
229
+ /**
230
+ * Enables or disables the domain verification feature
231
+ */
232
+ enabled?: boolean;
233
+ /**
234
+ * Prefix used to generate the domain verification token
235
+ *
236
+ * @default "better-auth-token-"
237
+ */
238
+ tokenPrefix?: string;
239
+ };
240
+ }
241
+ //#endregion
242
+ //#region src/routes/domain-verification.d.ts
243
+ declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
244
+ method: "POST";
245
+ body: z.ZodObject<{
246
+ providerId: z.ZodString;
247
+ }, z.core.$strip>;
248
+ metadata: {
249
+ openapi: {
250
+ summary: string;
251
+ description: string;
252
+ responses: {
253
+ "404": {
254
+ description: string;
255
+ };
256
+ "409": {
257
+ description: string;
258
+ };
259
+ "201": {
260
+ description: string;
261
+ };
262
+ };
263
+ };
264
+ };
265
+ use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
266
+ session: {
267
+ session: Record<string, any> & {
268
+ id: string;
269
+ createdAt: Date;
270
+ updatedAt: Date;
271
+ userId: string;
272
+ expiresAt: Date;
273
+ token: string;
274
+ ipAddress?: string | null | undefined;
275
+ userAgent?: string | null | undefined;
276
+ };
277
+ user: Record<string, any> & {
278
+ id: string;
279
+ createdAt: Date;
280
+ updatedAt: Date;
281
+ email: string;
282
+ emailVerified: boolean;
283
+ name: string;
284
+ image?: string | null | undefined;
285
+ };
286
+ };
287
+ }>)[];
288
+ } & {
289
+ use: any[];
290
+ }, {
291
+ domainVerificationToken: string;
292
+ }>;
293
+ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
294
+ method: "POST";
295
+ body: z.ZodObject<{
296
+ providerId: z.ZodString;
297
+ }, z.core.$strip>;
298
+ metadata: {
299
+ openapi: {
300
+ summary: string;
301
+ description: string;
302
+ responses: {
303
+ "404": {
304
+ description: string;
305
+ };
306
+ "409": {
307
+ description: string;
308
+ };
309
+ "502": {
310
+ description: string;
311
+ };
312
+ "204": {
313
+ description: string;
314
+ };
315
+ };
316
+ };
317
+ };
318
+ use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
319
+ session: {
320
+ session: Record<string, any> & {
321
+ id: string;
322
+ createdAt: Date;
323
+ updatedAt: Date;
324
+ userId: string;
325
+ expiresAt: Date;
326
+ token: string;
327
+ ipAddress?: string | null | undefined;
328
+ userAgent?: string | null | undefined;
329
+ };
330
+ user: Record<string, any> & {
331
+ id: string;
332
+ createdAt: Date;
333
+ updatedAt: Date;
334
+ email: string;
335
+ emailVerified: boolean;
336
+ name: string;
337
+ image?: string | null | undefined;
338
+ };
339
+ };
340
+ }>)[];
341
+ } & {
342
+ use: any[];
343
+ }, void>;
344
+ //#endregion
345
+ //#region src/routes/sso.d.ts
346
+ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
347
+ method: "GET";
348
+ query: z.ZodObject<{
349
+ providerId: z.ZodString;
350
+ format: z.ZodDefault<z.ZodEnum<{
351
+ xml: "xml";
352
+ json: "json";
353
+ }>>;
354
+ }, z.core.$strip>;
355
+ metadata: {
356
+ openapi: {
357
+ operationId: string;
358
+ summary: string;
359
+ description: string;
360
+ responses: {
361
+ "200": {
362
+ description: string;
363
+ };
364
+ };
365
+ };
366
+ };
367
+ } & {
368
+ use: any[];
369
+ }, Response>;
370
+ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
371
+ method: "POST";
372
+ body: z.ZodObject<{
373
+ providerId: z.ZodString;
374
+ issuer: z.ZodString;
375
+ domain: z.ZodString;
376
+ oidcConfig: z.ZodOptional<z.ZodObject<{
377
+ clientId: z.ZodString;
378
+ clientSecret: z.ZodString;
379
+ authorizationEndpoint: z.ZodOptional<z.ZodString>;
380
+ tokenEndpoint: z.ZodOptional<z.ZodString>;
381
+ userInfoEndpoint: z.ZodOptional<z.ZodString>;
382
+ tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
383
+ client_secret_post: "client_secret_post";
384
+ client_secret_basic: "client_secret_basic";
385
+ }>>;
386
+ jwksEndpoint: z.ZodOptional<z.ZodString>;
387
+ discoveryEndpoint: z.ZodOptional<z.ZodString>;
388
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
389
+ pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
390
+ mapping: z.ZodOptional<z.ZodObject<{
391
+ id: z.ZodString;
392
+ email: z.ZodString;
393
+ emailVerified: z.ZodOptional<z.ZodString>;
394
+ name: z.ZodString;
395
+ image: z.ZodOptional<z.ZodString>;
396
+ extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
397
+ }, z.core.$strip>>;
398
+ }, z.core.$strip>>;
399
+ samlConfig: z.ZodOptional<z.ZodObject<{
400
+ entryPoint: z.ZodString;
401
+ cert: z.ZodString;
402
+ callbackUrl: z.ZodString;
403
+ audience: z.ZodOptional<z.ZodString>;
404
+ idpMetadata: z.ZodOptional<z.ZodObject<{
405
+ metadata: z.ZodOptional<z.ZodString>;
406
+ entityID: z.ZodOptional<z.ZodString>;
407
+ cert: z.ZodOptional<z.ZodString>;
408
+ privateKey: z.ZodOptional<z.ZodString>;
409
+ privateKeyPass: z.ZodOptional<z.ZodString>;
410
+ isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
411
+ encPrivateKey: z.ZodOptional<z.ZodString>;
412
+ encPrivateKeyPass: z.ZodOptional<z.ZodString>;
413
+ singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
414
+ Binding: z.ZodString;
415
+ Location: z.ZodString;
416
+ }, z.core.$strip>>>;
417
+ }, z.core.$strip>>;
418
+ spMetadata: z.ZodObject<{
419
+ metadata: z.ZodOptional<z.ZodString>;
420
+ entityID: z.ZodOptional<z.ZodString>;
421
+ binding: z.ZodOptional<z.ZodString>;
422
+ privateKey: z.ZodOptional<z.ZodString>;
423
+ privateKeyPass: z.ZodOptional<z.ZodString>;
424
+ isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
425
+ encPrivateKey: z.ZodOptional<z.ZodString>;
426
+ encPrivateKeyPass: z.ZodOptional<z.ZodString>;
427
+ }, z.core.$strip>;
428
+ wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
429
+ signatureAlgorithm: z.ZodOptional<z.ZodString>;
430
+ digestAlgorithm: z.ZodOptional<z.ZodString>;
431
+ identifierFormat: z.ZodOptional<z.ZodString>;
432
+ privateKey: z.ZodOptional<z.ZodString>;
433
+ decryptionPvk: z.ZodOptional<z.ZodString>;
434
+ additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
435
+ mapping: z.ZodOptional<z.ZodObject<{
436
+ id: z.ZodString;
437
+ email: z.ZodString;
438
+ emailVerified: z.ZodOptional<z.ZodString>;
439
+ name: z.ZodString;
440
+ firstName: z.ZodOptional<z.ZodString>;
441
+ lastName: z.ZodOptional<z.ZodString>;
442
+ extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
443
+ }, z.core.$strip>>;
444
+ }, z.core.$strip>>;
445
+ organizationId: z.ZodOptional<z.ZodString>;
446
+ overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
447
+ }, z.core.$strip>;
448
+ use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
449
+ session: {
450
+ session: Record<string, any> & {
451
+ id: string;
452
+ createdAt: Date;
453
+ updatedAt: Date;
454
+ userId: string;
455
+ expiresAt: Date;
456
+ token: string;
457
+ ipAddress?: string | null | undefined;
458
+ userAgent?: string | null | undefined;
459
+ };
460
+ user: Record<string, any> & {
461
+ id: string;
462
+ createdAt: Date;
463
+ updatedAt: Date;
464
+ email: string;
465
+ emailVerified: boolean;
466
+ name: string;
467
+ image?: string | null | undefined;
468
+ };
469
+ };
470
+ }>)[];
471
+ metadata: {
472
+ openapi: {
473
+ operationId: string;
474
+ summary: string;
475
+ description: string;
476
+ responses: {
477
+ "200": {
478
+ description: string;
479
+ content: {
480
+ "application/json": {
481
+ schema: {
482
+ type: "object";
483
+ properties: {
484
+ issuer: {
485
+ type: string;
486
+ format: string;
487
+ description: string;
488
+ };
489
+ domain: {
490
+ type: string;
491
+ description: string;
492
+ };
493
+ domainVerified: {
494
+ type: string;
495
+ description: string;
496
+ };
497
+ domainVerificationToken: {
498
+ type: string;
499
+ description: string;
500
+ };
501
+ oidcConfig: {
502
+ type: string;
503
+ properties: {
504
+ issuer: {
505
+ type: string;
506
+ format: string;
507
+ description: string;
508
+ };
509
+ pkce: {
510
+ type: string;
511
+ description: string;
512
+ };
513
+ clientId: {
514
+ type: string;
515
+ description: string;
516
+ };
517
+ clientSecret: {
518
+ type: string;
519
+ description: string;
520
+ };
521
+ authorizationEndpoint: {
522
+ type: string;
523
+ format: string;
524
+ nullable: boolean;
525
+ description: string;
526
+ };
527
+ discoveryEndpoint: {
528
+ type: string;
529
+ format: string;
530
+ description: string;
531
+ };
532
+ userInfoEndpoint: {
533
+ type: string;
534
+ format: string;
535
+ nullable: boolean;
536
+ description: string;
537
+ };
538
+ scopes: {
539
+ type: string;
540
+ items: {
541
+ type: string;
542
+ };
543
+ nullable: boolean;
544
+ description: string;
545
+ };
546
+ tokenEndpoint: {
547
+ type: string;
548
+ format: string;
549
+ nullable: boolean;
550
+ description: string;
551
+ };
552
+ tokenEndpointAuthentication: {
553
+ type: string;
554
+ enum: string[];
555
+ nullable: boolean;
556
+ description: string;
557
+ };
558
+ jwksEndpoint: {
559
+ type: string;
560
+ format: string;
561
+ nullable: boolean;
562
+ description: string;
563
+ };
564
+ mapping: {
565
+ type: string;
566
+ nullable: boolean;
567
+ properties: {
568
+ id: {
569
+ type: string;
570
+ description: string;
571
+ };
572
+ email: {
573
+ type: string;
574
+ description: string;
575
+ };
576
+ emailVerified: {
577
+ type: string;
578
+ nullable: boolean;
579
+ description: string;
580
+ };
581
+ name: {
582
+ type: string;
583
+ description: string;
584
+ };
585
+ image: {
586
+ type: string;
587
+ nullable: boolean;
588
+ description: string;
589
+ };
590
+ extraFields: {
591
+ type: string;
592
+ additionalProperties: {
593
+ type: string;
594
+ };
595
+ nullable: boolean;
596
+ description: string;
597
+ };
598
+ };
599
+ required: string[];
600
+ };
601
+ };
602
+ required: string[];
603
+ description: string;
604
+ };
605
+ organizationId: {
606
+ type: string;
607
+ nullable: boolean;
608
+ description: string;
609
+ };
610
+ userId: {
611
+ type: string;
612
+ description: string;
613
+ };
614
+ providerId: {
615
+ type: string;
616
+ description: string;
617
+ };
618
+ redirectURI: {
619
+ type: string;
620
+ format: string;
621
+ description: string;
622
+ };
623
+ };
624
+ required: string[];
625
+ };
626
+ };
627
+ };
628
+ };
629
+ };
630
+ };
631
+ };
632
+ } & {
633
+ use: any[];
634
+ }, O["domainVerification"] extends {
635
+ enabled: true;
636
+ } ? {
637
+ domainVerified: boolean;
638
+ domainVerificationToken: string;
639
+ } & SSOProvider<O> : SSOProvider<O>>;
640
+ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
641
+ method: "POST";
642
+ body: z.ZodObject<{
643
+ email: z.ZodOptional<z.ZodString>;
644
+ organizationSlug: z.ZodOptional<z.ZodString>;
645
+ providerId: z.ZodOptional<z.ZodString>;
646
+ domain: z.ZodOptional<z.ZodString>;
647
+ callbackURL: z.ZodString;
648
+ errorCallbackURL: z.ZodOptional<z.ZodString>;
649
+ newUserCallbackURL: z.ZodOptional<z.ZodString>;
650
+ scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
651
+ loginHint: z.ZodOptional<z.ZodString>;
652
+ requestSignUp: z.ZodOptional<z.ZodBoolean>;
653
+ providerType: z.ZodOptional<z.ZodEnum<{
654
+ oidc: "oidc";
655
+ saml: "saml";
656
+ }>>;
657
+ }, z.core.$strip>;
658
+ metadata: {
659
+ openapi: {
660
+ operationId: string;
661
+ summary: string;
662
+ description: string;
663
+ requestBody: {
664
+ content: {
665
+ "application/json": {
666
+ schema: {
667
+ type: "object";
668
+ properties: {
669
+ email: {
670
+ type: string;
671
+ description: string;
672
+ };
673
+ issuer: {
674
+ type: string;
675
+ description: string;
676
+ };
677
+ providerId: {
678
+ type: string;
679
+ description: string;
680
+ };
681
+ callbackURL: {
682
+ type: string;
683
+ description: string;
684
+ };
685
+ errorCallbackURL: {
686
+ type: string;
687
+ description: string;
688
+ };
689
+ newUserCallbackURL: {
690
+ type: string;
691
+ description: string;
692
+ };
693
+ loginHint: {
694
+ type: string;
695
+ description: string;
696
+ };
697
+ };
698
+ required: string[];
699
+ };
700
+ };
701
+ };
702
+ };
703
+ responses: {
704
+ "200": {
705
+ description: string;
706
+ content: {
707
+ "application/json": {
708
+ schema: {
709
+ type: "object";
710
+ properties: {
711
+ url: {
712
+ type: string;
713
+ format: string;
714
+ description: string;
715
+ };
716
+ redirect: {
717
+ type: string;
718
+ description: string;
719
+ enum: boolean[];
720
+ };
721
+ };
722
+ required: string[];
723
+ };
724
+ };
725
+ };
726
+ };
727
+ };
728
+ };
729
+ };
730
+ } & {
731
+ use: any[];
732
+ }, {
733
+ url: string;
734
+ redirect: boolean;
735
+ }>;
736
+ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
737
+ method: "GET";
738
+ query: z.ZodObject<{
739
+ code: z.ZodOptional<z.ZodString>;
740
+ state: z.ZodString;
741
+ error: z.ZodOptional<z.ZodString>;
742
+ error_description: z.ZodOptional<z.ZodString>;
743
+ }, z.core.$strip>;
744
+ allowedMediaTypes: string[];
745
+ metadata: {
746
+ isAction: false;
747
+ openapi: {
748
+ operationId: string;
749
+ summary: string;
750
+ description: string;
751
+ responses: {
752
+ "302": {
753
+ description: string;
754
+ };
755
+ };
756
+ };
757
+ };
758
+ } & {
759
+ use: any[];
760
+ }, never>;
761
+ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
762
+ method: "POST";
763
+ body: z.ZodObject<{
764
+ SAMLResponse: z.ZodString;
765
+ RelayState: z.ZodOptional<z.ZodString>;
766
+ }, z.core.$strip>;
767
+ metadata: {
768
+ isAction: false;
769
+ allowedMediaTypes: string[];
770
+ openapi: {
771
+ operationId: string;
772
+ summary: string;
773
+ description: string;
774
+ responses: {
775
+ "302": {
776
+ description: string;
777
+ };
778
+ "400": {
779
+ description: string;
780
+ };
781
+ "401": {
782
+ description: string;
783
+ };
784
+ };
785
+ };
786
+ };
787
+ } & {
788
+ use: any[];
789
+ }, never>;
790
+ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
791
+ method: "POST";
792
+ params: z.ZodObject<{
793
+ providerId: z.ZodOptional<z.ZodString>;
794
+ }, z.core.$strip>;
795
+ body: z.ZodObject<{
796
+ SAMLResponse: z.ZodString;
797
+ RelayState: z.ZodOptional<z.ZodString>;
798
+ }, z.core.$strip>;
799
+ metadata: {
800
+ isAction: false;
801
+ allowedMediaTypes: string[];
802
+ openapi: {
803
+ operationId: string;
804
+ summary: string;
805
+ description: string;
806
+ responses: {
807
+ "302": {
808
+ description: string;
809
+ };
810
+ };
811
+ };
812
+ };
813
+ } & {
814
+ use: any[];
815
+ }, never>;
816
+ //#endregion
817
+ //#region src/index.d.ts
818
+ type DomainVerificationEndpoints = {
819
+ requestDomainVerification: ReturnType<typeof requestDomainVerification>;
820
+ verifyDomain: ReturnType<typeof verifyDomain>;
821
+ };
822
+ type SSOEndpoints<O extends SSOOptions> = {
823
+ spMetadata: ReturnType<typeof spMetadata>;
824
+ registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
825
+ signInSSO: ReturnType<typeof signInSSO>;
826
+ callbackSSO: ReturnType<typeof callbackSSO>;
827
+ callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
828
+ acsEndpoint: ReturnType<typeof acsEndpoint>;
829
+ };
830
+ type SSOPlugin<O extends SSOOptions> = {
831
+ id: "sso";
832
+ endpoints: SSOEndpoints<O> & (O extends {
833
+ domainVerification: {
834
+ enabled: true;
835
+ };
836
+ } ? DomainVerificationEndpoints : {});
837
+ };
838
+ declare function sso<O extends SSOOptions & {
839
+ domainVerification?: {
840
+ enabled: true;
841
+ };
842
+ }>(options?: O | undefined): {
843
+ id: "sso";
844
+ endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
845
+ schema: any;
846
+ options: O;
847
+ };
848
+ declare function sso<O extends SSOOptions>(options?: O | undefined): {
849
+ id: "sso";
850
+ endpoints: SSOEndpoints<O>;
851
+ };
852
+ //#endregion
853
+ export { SSOOptions as a, SAMLConfig as i, sso as n, SSOProvider as o, OIDCConfig as r, SSOPlugin as t };
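Review bot: The `registerSSOProvider` return type is `SSOProvider<O>` (intersected with `domainVerified`/`domainVerificationToken`), which carries `oidcConfig?: OIDCConfig` with a required `clientSecret: string` and `samlConfig?: SAMLConfig` with `privateKey`, `decryptionPvk`, `spMetadata.privateKey` and `spMetadata.encPrivateKey`, and the endpoint's OpenAPI 200 schema likewise lists `clientSecret` under `oidcConfig.properties`; so the declared contract is that registering a provider echoes the stored credentials back to the caller. These are generated declarations, so the fix belongs in `src/routes/sso.ts`, but if the runtime does return the stored row unchanged, the response should be narrowed to a redacted shape such as `Omit<OIDCConfig, "clientSecret">` and a `SAMLConfig` stripped of its key material, with the OpenAPI schema updated to match. Separately, the request body's `mapping.extraFields` is `z.ZodRecord<z.ZodString, z.ZodAny>` while `OIDCMapping.extraFields` and `SAMLMapping.extraFields` are `Record<string, string>`, so arbitrary values pass validation but are typed as strings downstream; `z.record(z.string(), z.string())` would make the runtime check match the type.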
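--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-B7qWG1sd.mjs";
+import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-D-JmJR9N.mjs";
 export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };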
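--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@better-auth/sso",
 "author": "Bereket Engida",
-"version": "1.4.4-beta.1",
+"version": "1.4.4-beta.2",
 "type": "module",
 "main": "dist/index.mjs",
 "homepage": "https://www.better-auth.com/docs/plugins/sso",
@@ -60,19 +60,18 @@
 "devDependencies": {
 "@types/body-parser": "^1.19.6",
 "@types/express": "^5.0.5",
-"better-call": "1.1.1",
-"body-parser": "^2.2.1",
+"better-call": "1.1.3",
+"body-parser": "^2.2.0",
 "express": "^5.1.0",
-"oauth2-mock-server": "^8.2.0",
-"tsdown": "^0.16.6",
-"better-auth": "1.4.4-beta.1"
+"oauth2-mock-server": "^7.2.1",
+"tsdown": "^0.16.0",
+"better-auth": "1.4.4-beta.2"
 },
 "peerDependencies": {
-"better-auth": "1.4.4-beta.1"
+"better-auth": "1.4.4-beta.2"
 },
 "scripts": {
 "test": "vitest",
-"lint:package": "publint run --strict",
 "build": "tsdown",
 "dev": "tsdown --watch",
 "typecheck": "tsc --project tsconfig.json"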
@@ -1,288 +0,0 @@
1
- import { OAuth2Tokens, User } from "better-auth";
2
-
3
- //#region src/types.d.ts
4
- interface OIDCMapping {
5
- id?: string | undefined;
6
- email?: string | undefined;
7
- emailVerified?: string | undefined;
8
- name?: string | undefined;
9
- image?: string | undefined;
10
- extraFields?: Record<string, string> | undefined;
11
- }
12
- interface SAMLMapping {
13
- id?: string | undefined;
14
- email?: string | undefined;
15
- emailVerified?: string | undefined;
16
- name?: string | undefined;
17
- firstName?: string | undefined;
18
- lastName?: string | undefined;
19
- extraFields?: Record<string, string> | undefined;
20
- }
21
- interface OIDCConfig {
22
- issuer: string;
23
- pkce: boolean;
24
- clientId: string;
25
- clientSecret: string;
26
- authorizationEndpoint?: string | undefined;
27
- discoveryEndpoint: string;
28
- userInfoEndpoint?: string | undefined;
29
- scopes?: string[] | undefined;
30
- overrideUserInfo?: boolean | undefined;
31
- tokenEndpoint?: string | undefined;
32
- tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
33
- jwksEndpoint?: string | undefined;
34
- mapping?: OIDCMapping | undefined;
35
- }
36
- interface SAMLConfig {
37
- issuer: string;
38
- entryPoint: string;
39
- cert: string;
40
- callbackUrl: string;
41
- audience?: string | undefined;
42
- idpMetadata?: {
43
- metadata?: string;
44
- entityID?: string;
45
- entityURL?: string;
46
- redirectURL?: string;
47
- cert?: string;
48
- privateKey?: string;
49
- privateKeyPass?: string;
50
- isAssertionEncrypted?: boolean;
51
- encPrivateKey?: string;
52
- encPrivateKeyPass?: string;
53
- singleSignOnService?: Array<{
54
- Binding: string;
55
- Location: string;
56
- }>;
57
- } | undefined;
58
- spMetadata: {
59
- metadata?: string | undefined;
60
- entityID?: string | undefined;
61
- binding?: string | undefined;
62
- privateKey?: string | undefined;
63
- privateKeyPass?: string | undefined;
64
- isAssertionEncrypted?: boolean | undefined;
65
- encPrivateKey?: string | undefined;
66
- encPrivateKeyPass?: string | undefined;
67
- };
68
- wantAssertionsSigned?: boolean | undefined;
69
- signatureAlgorithm?: string | undefined;
70
- digestAlgorithm?: string | undefined;
71
- identifierFormat?: string | undefined;
72
- privateKey?: string | undefined;
73
- decryptionPvk?: string | undefined;
74
- additionalParams?: Record<string, any> | undefined;
75
- mapping?: SAMLMapping | undefined;
76
- }
77
- type BaseSSOProvider = {
78
- issuer: string;
79
- oidcConfig?: OIDCConfig | undefined;
80
- samlConfig?: SAMLConfig | undefined;
81
- userId: string;
82
- providerId: string;
83
- organizationId?: string | undefined;
84
- domain: string;
85
- };
86
- type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
87
- enabled: true;
88
- } ? {
89
- domainVerified: boolean;
90
- } & BaseSSOProvider : BaseSSOProvider;
91
- interface SSOOptions {
92
- /**
93
- * custom function to provision a user when they sign in with an SSO provider.
94
- */
95
- provisionUser?: ((data: {
96
- /**
97
- * The user object from the database
98
- */
99
- user: User & Record<string, any>;
100
- /**
101
- * The user info object from the provider
102
- */
103
- userInfo: Record<string, any>;
104
- /**
105
- * The OAuth2 tokens from the provider
106
- */
107
- token?: OAuth2Tokens;
108
- /**
109
- * The SSO provider
110
- */
111
- provider: SSOProvider<SSOOptions>;
112
- }) => Promise<void>) | undefined;
113
- /**
114
- * Organization provisioning options
115
- */
116
- organizationProvisioning?: {
117
- disabled?: boolean;
118
- defaultRole?: "member" | "admin";
119
- getRole?: (data: {
120
- /**
121
- * The user object from the database
122
- */
123
- user: User & Record<string, any>;
124
- /**
125
- * The user info object from the provider
126
- */
127
- userInfo: Record<string, any>;
128
- /**
129
- * The OAuth2 tokens from the provider
130
- */
131
- token?: OAuth2Tokens;
132
- /**
133
- * The SSO provider
134
- */
135
- provider: SSOProvider<SSOOptions>;
136
- }) => Promise<"member" | "admin">;
137
- } | undefined;
138
- /**
139
- * Default SSO provider configurations for testing.
140
- * These will take the precedence over the database providers.
141
- */
142
- defaultSSO?: Array<{
143
- /**
144
- * The domain to match for this default provider.
145
- * This is only used to match incoming requests to this default provider.
146
- */
147
- domain: string;
148
- /**
149
- * The provider ID to use
150
- */
151
- providerId: string;
152
- /**
153
- * SAML configuration
154
- */
155
- samlConfig?: SAMLConfig;
156
- /**
157
- * OIDC configuration
158
- */
159
- oidcConfig?: OIDCConfig;
160
- }> | undefined;
161
- /**
162
- * Override user info with the provider info.
163
- * @default false
164
- */
165
- defaultOverrideUserInfo?: boolean | undefined;
166
- /**
167
- * Disable implicit sign up for new users. When set to true for the provider,
168
- * sign-in need to be called with with requestSignUp as true to create new users.
169
- */
170
- disableImplicitSignUp?: boolean | undefined;
171
- /**
172
- * The model name for the SSO provider table. Defaults to "ssoProvider".
173
- */
174
- modelName?: string;
175
- /**
176
- * Map fields
177
- *
178
- * @example
179
- * ```ts
180
- * {
181
- * samlConfig: "saml_config"
182
- * }
183
- * ```
184
- */
185
- fields?: {
186
- issuer?: string | undefined;
187
- oidcConfig?: string | undefined;
188
- samlConfig?: string | undefined;
189
- userId?: string | undefined;
190
- providerId?: string | undefined;
191
- organizationId?: string | undefined;
192
- domain?: string | undefined;
193
- };
194
- /**
195
- * Configure the maximum number of SSO providers a user can register.
196
- * You can also pass a function that returns a number.
197
- * Set to 0 to disable SSO provider registration.
198
- *
199
- * @example
200
- * ```ts
201
- * providersLimit: async (user) => {
202
- * const plan = await getUserPlan(user);
203
- * return plan.name === "pro" ? 10 : 1;
204
- * }
205
- * ```
206
- * @default 10
207
- */
208
- providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
209
- /**
210
- * Trust the email verified flag from the provider.
211
- *
212
- * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
213
- * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
214
- *
215
- * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
216
- * providers in the `trustedProviders` list.
217
- * @default false
218
- */
219
- trustEmailVerified?: boolean | undefined;
220
- /**
221
- * Enable domain verification on SSO providers
222
- *
223
- * When this option is enabled, new SSO providers will require the associated domain to be verified by the owner
224
- * prior to allowing sign-ins.
225
- */
226
- domainVerification?: {
227
- /**
228
- * Enables or disables the domain verification feature
229
- */
230
- enabled?: boolean;
231
- /**
232
- * Prefix used to generate the domain verification token
233
- *
234
- * @default "better-auth-token-"
235
- */
236
- tokenPrefix?: string;
237
- };
238
- }
239
- //#endregion
240
- //#region src/routes/domain-verification.d.ts
241
- declare const requestDomainVerification: (options: SSOOptions) => any;
242
- declare const verifyDomain: (options: SSOOptions) => any;
243
- //#endregion
244
- //#region src/routes/sso.d.ts
245
- declare const spMetadata: () => any;
246
- declare const registerSSOProvider: <O extends SSOOptions>(options: O) => any;
247
- declare const signInSSO: (options?: SSOOptions) => any;
248
- declare const callbackSSO: (options?: SSOOptions) => any;
249
- declare const callbackSSOSAML: (options?: SSOOptions) => any;
250
- declare const acsEndpoint: (options?: SSOOptions) => any;
251
- //#endregion
252
- //#region src/index.d.ts
253
- type DomainVerificationEndpoints = {
254
- requestDomainVerification: ReturnType<typeof requestDomainVerification>;
255
- verifyDomain: ReturnType<typeof verifyDomain>;
256
- };
257
- type SSOEndpoints<O extends SSOOptions> = {
258
- spMetadata: ReturnType<typeof spMetadata>;
259
- registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
260
- signInSSO: ReturnType<typeof signInSSO>;
261
- callbackSSO: ReturnType<typeof callbackSSO>;
262
- callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
263
- acsEndpoint: ReturnType<typeof acsEndpoint>;
264
- };
265
- type SSOPlugin<O extends SSOOptions> = {
266
- id: "sso";
267
- endpoints: SSOEndpoints<O> & (O extends {
268
- domainVerification: {
269
- enabled: true;
270
- };
271
- } ? DomainVerificationEndpoints : {});
272
- };
273
- declare function sso<O extends SSOOptions & {
274
- domainVerification?: {
275
- enabled: true;
276
- };
277
- }>(options?: O | undefined): {
278
- id: "sso";
279
- endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
280
- schema: any;
281
- options: O;
282
- };
283
- declare function sso<O extends SSOOptions>(options?: O | undefined): {
284
- id: "sso";
285
- endpoints: SSOEndpoints<O>;
286
- };
287
- //#endregion
288
- export { SSOOptions as a, SAMLConfig as i, sso as n, SSOProvider as o, OIDCConfig as r, SSOPlugin as t };