npm - @better-auth/sso - Versions diffs - 1.4.6-beta.2 → 1.4.6-beta.6 - Mend

@better-auth/sso 1.4.6-beta.2 → 1.4.6-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/.turbo/turbo-build.log +7 -7
package/bump.config.ts +5 -0
package/dist/client.d.mts +1 -1
package/dist/{index-DCyJckhH.d.mts → index-CYgzSZS4.d.mts} +18 -12
package/dist/index.d.mts +1 -1
package/dist/index.mjs +174 -146
package/package.json +8 -6
package/src/oidc.test.ts +164 -0
package/src/routes/domain-verification.ts +6 -6
package/src/routes/sso.ts +336 -333
package/src/saml.test.ts +346 -0
package/src/types.ts +6 -0
package/src/utils.ts +31 -0

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,16 +1,16 @@
-> @better-auth/sso@1.4.6-beta.2 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.6-beta.6 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
-[34mℹ[39m tsdown [2mv0.16.6[22m powered by rolldown [2mv1.0.0-beta.51[22m
-[34mℹ[39m Using tsdown config: [4m/home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts[24m
+[34mℹ[39m tsdown [2mv0.17.0[22m powered by rolldown [2mv1.0.0-beta.53[22m
+[34mℹ[39m config file: [4m/home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts[24m
 [34mℹ[39m entry: [34msrc/index.ts, src/client.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m58.49 kB[22m [2m│ gzip: 10.33 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m59.70 kB[22m [2m│ gzip: 10.49 kB[22m
 [34mℹ[39m [2mdist/[22m[1mclient.mjs[22m            [2m 0.15 kB[22m [2m│ gzip:  0.14 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m 0.49 kB[22m [2m│ gzip:  0.29 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 0.21 kB[22m [2m│ gzip:  0.15 kB[22m
-[34mℹ[39m [2mdist/[22m[32mindex-DCyJckhH.d.mts[39m  [2m25.42 kB[22m [2m│ gzip:  3.96 kB[22m
-[34mℹ[39m 5 files, total: 84.77 kB
-[32m✔[39m Build complete in [32m11114ms[39m
+[34mℹ[39m [2mdist/[22m[32mindex-CYgzSZS4.d.mts[39m  [2m25.84 kB[22m [2m│ gzip:  4.13 kB[22m
+[34mℹ[39m 5 files, total: 86.39 kB
+[32m✔[39m Build complete in [32m11274ms[39m

package/bump.config.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { defineConfig } from "bumpp";
+export default defineConfig({
+	files: ["package.json"],
+});

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DCyJckhH.mjs";
+import { t as SSOPlugin } from "./index-CYgzSZS4.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-DCyJckhH.d.mts → index-CYgzSZS4.d.mts} RENAMED Viewed

@@ -1,6 +1,6 @@
 import * as z from "zod/v4";
 import { OAuth2Tokens, User } from "better-auth";
-import * as better_call7 from "better-call";
+import * as better_call0 from "better-call";
 //#region src/types.d.ts
 interface OIDCMapping {
@@ -216,7 +216,13 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
+   *
    * @default false
+   *
+   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -240,7 +246,7 @@ interface SSOOptions {
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -262,7 +268,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -290,7 +296,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -315,7 +321,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -343,7 +349,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
-declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -367,7 +373,7 @@ declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metad
 } & {
   use: any[];
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -445,7 +451,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -637,7 +643,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -733,7 +739,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -758,7 +764,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
 } & {
   use: any[];
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -787,7 +793,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
 } & {
   use: any[];
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-DCyJckhH.mjs";
+import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-CYgzSZS4.mjs";
 export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };

package/dist/index.mjs CHANGED Viewed

@@ -10,10 +10,11 @@ import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 //#region src/routes/domain-verification.ts
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
 const requestDomainVerification = (options) => {
 	return createAuthEndpoint("/sso/request-domain-verification", {
 		method: "POST",
-		body: z.object({ providerId: z.string() }),
+		body: domainVerificationBodySchema,
 		metadata: { openapi: {
 			summary: "Request a domain verification",
 			description: "Request a domain verification for the given SSO provider",
@@ -90,7 +91,7 @@ const requestDomainVerification = (options) => {
 const verifyDomain = (options) => {
 	return createAuthEndpoint("/sso/verify-domain", {
 		method: "POST",
-		body: z.object({ providerId: z.string() }),
+		body: domainVerificationBodySchema,
 		metadata: { openapi: {
 			summary: "Verify the provider domain ownership",
 			description: "Verify the provider domain ownership via DNS records",
@@ -184,19 +185,14 @@ const verifyDomain = (options) => {
 //#endregion
 //#region src/utils.ts
-const validateEmailDomain = (email, domain) => {
-	const emailDomain = email.split("@")[1]?.toLowerCase();
-	const providerDomain = domain.toLowerCase();
-	if (!emailDomain || !providerDomain) return false;
-	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
-};
-//#endregion
-//#region src/routes/sso.ts
 /**
-* Safely parses a value that might be a JSON string or already a parsed object
+* Safely parses a value that might be a JSON string or already a parsed object.
 * This handles cases where ORMs like Drizzle might return already parsed objects
-* instead of JSON strings from TEXT/JSON columns
+* instead of JSON strings from TEXT/JSON columns.
+*
+* @param value - The value to parse (string, object, null, or undefined)
+* @returns The parsed object or null
+* @throws Error if string parsing fails
 */
 function safeJsonParse(value) {
 	if (!value) return null;
@@ -208,13 +204,23 @@ function safeJsonParse(value) {
 	}
 	return null;
 }
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	const providerDomain = domain.toLowerCase();
+	if (!emailDomain || !providerDomain) return false;
+	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
+};
+//#endregion
+//#region src/routes/sso.ts
+const spMetadataQuerySchema = z.object({
+	providerId: z.string(),
+	format: z.enum(["xml", "json"]).default("xml")
+});
 const spMetadata = () => {
 	return createAuthEndpoint("/sso/saml2/sp/metadata", {
 		method: "GET",
-		query: z.object({
-			providerId: z.string(),
-			format: z.enum(["xml", "json"]).default("xml")
-		}),
+		query: spMetadataQuerySchema,
 		metadata: { openapi: {
 			operationId: "getSSOServiceProviderMetadata",
 			summary: "Get Service Provider metadata",
@@ -244,82 +250,83 @@ const spMetadata = () => {
 		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
 	});
 };
+const ssoProviderBodySchema = z.object({
+	providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
+	issuer: z.string({}).meta({ description: "The issuer of the provider" }),
+	domain: z.string({}).meta({ description: "The domain of the provider. This is used for email matching" }),
+	oidcConfig: z.object({
+		clientId: z.string({}).meta({ description: "The client ID" }),
+		clientSecret: z.string({}).meta({ description: "The client secret" }),
+		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
+		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
+		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
+		tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
+		discoveryEndpoint: z.string().optional(),
+		scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
+		pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
+		mapping: z.object({
+			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
+			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
+			emailVerified: z.string({}).meta({ description: "Field mapping for email verification (defaults to 'email_verified')" }).optional(),
+			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'name')" }),
+			image: z.string({}).meta({ description: "Field mapping for image (defaults to 'picture')" }).optional(),
+			extraFields: z.record(z.string(), z.any()).optional()
+		}).optional()
+	}).optional(),
+	samlConfig: z.object({
+		entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
+		cert: z.string({}).meta({ description: "The certificate of the provider" }),
+		callbackUrl: z.string({}).meta({ description: "The callback URL of the provider" }),
+		audience: z.string().optional(),
+		idpMetadata: z.object({
+			metadata: z.string().optional(),
+			entityID: z.string().optional(),
+			cert: z.string().optional(),
+			privateKey: z.string().optional(),
+			privateKeyPass: z.string().optional(),
+			isAssertionEncrypted: z.boolean().optional(),
+			encPrivateKey: z.string().optional(),
+			encPrivateKeyPass: z.string().optional(),
+			singleSignOnService: z.array(z.object({
+				Binding: z.string().meta({ description: "The binding type for the SSO service" }),
+				Location: z.string().meta({ description: "The URL for the SSO service" })
+			})).optional().meta({ description: "Single Sign-On service configuration" })
+		}).optional(),
+		spMetadata: z.object({
+			metadata: z.string().optional(),
+			entityID: z.string().optional(),
+			binding: z.string().optional(),
+			privateKey: z.string().optional(),
+			privateKeyPass: z.string().optional(),
+			isAssertionEncrypted: z.boolean().optional(),
+			encPrivateKey: z.string().optional(),
+			encPrivateKeyPass: z.string().optional()
+		}),
+		wantAssertionsSigned: z.boolean().optional(),
+		signatureAlgorithm: z.string().optional(),
+		digestAlgorithm: z.string().optional(),
+		identifierFormat: z.string().optional(),
+		privateKey: z.string().optional(),
+		decryptionPvk: z.string().optional(),
+		additionalParams: z.record(z.string(), z.any()).optional(),
+		mapping: z.object({
+			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
+			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
+			emailVerified: z.string({}).meta({ description: "Field mapping for email verification" }).optional(),
+			name: z.string({}).meta({ description: "Field mapping for name (defaults to 'displayName')" }),
+			firstName: z.string({}).meta({ description: "Field mapping for first name (defaults to 'givenName')" }).optional(),
+			lastName: z.string({}).meta({ description: "Field mapping for last name (defaults to 'surname')" }).optional(),
+			extraFields: z.record(z.string(), z.any()).optional()
+		}).optional()
+	}).optional(),
+	organizationId: z.string({}).meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
+	overrideUserInfo: z.boolean({}).meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
+});
 const registerSSOProvider = (options) => {
 	return createAuthEndpoint("/sso/register", {
 		method: "POST",
-		body: z.object({
-			providerId: z.string({}).meta({ description: "The ID of the provider. This is used to identify the provider during login and callback" }),
-			issuer: z.string({}).meta({ description: "The issuer of the provider" }),
-			domain: z.string({}).meta({ description: "The domain of the provider. This is used for email matching" }),
-			oidcConfig: z.object({
-				clientId: z.string({}).meta({ description: "The client ID" }),
-				clientSecret: z.string({}).meta({ description: "The client secret" }),
-				authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
-				tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
-				userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
-				tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
-				jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
-				discoveryEndpoint: z.string().optional(),
-				scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
-				pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
-				mapping: z.object({
-					id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
-					email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
-					emailVerified: z.string({}).meta({ description: "Field mapping for email verification (defaults to 'email_verified')" }).optional(),
-					name: z.string({}).meta({ description: "Field mapping for name (defaults to 'name')" }),
-					image: z.string({}).meta({ description: "Field mapping for image (defaults to 'picture')" }).optional(),
-					extraFields: z.record(z.string(), z.any()).optional()
-				}).optional()
-			}).optional(),
-			samlConfig: z.object({
-				entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
-				cert: z.string({}).meta({ description: "The certificate of the provider" }),
-				callbackUrl: z.string({}).meta({ description: "The callback URL of the provider" }),
-				audience: z.string().optional(),
-				idpMetadata: z.object({
-					metadata: z.string().optional(),
-					entityID: z.string().optional(),
-					cert: z.string().optional(),
-					privateKey: z.string().optional(),
-					privateKeyPass: z.string().optional(),
-					isAssertionEncrypted: z.boolean().optional(),
-					encPrivateKey: z.string().optional(),
-					encPrivateKeyPass: z.string().optional(),
-					singleSignOnService: z.array(z.object({
-						Binding: z.string().meta({ description: "The binding type for the SSO service" }),
-						Location: z.string().meta({ description: "The URL for the SSO service" })
-					})).optional().meta({ description: "Single Sign-On service configuration" })
-				}).optional(),
-				spMetadata: z.object({
-					metadata: z.string().optional(),
-					entityID: z.string().optional(),
-					binding: z.string().optional(),
-					privateKey: z.string().optional(),
-					privateKeyPass: z.string().optional(),
-					isAssertionEncrypted: z.boolean().optional(),
-					encPrivateKey: z.string().optional(),
-					encPrivateKeyPass: z.string().optional()
-				}),
-				wantAssertionsSigned: z.boolean().optional(),
-				signatureAlgorithm: z.string().optional(),
-				digestAlgorithm: z.string().optional(),
-				identifierFormat: z.string().optional(),
-				privateKey: z.string().optional(),
-				decryptionPvk: z.string().optional(),
-				additionalParams: z.record(z.string(), z.any()).optional(),
-				mapping: z.object({
-					id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
-					email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
-					emailVerified: z.string({}).meta({ description: "Field mapping for email verification" }).optional(),
-					name: z.string({}).meta({ description: "Field mapping for name (defaults to 'displayName')" }),
-					firstName: z.string({}).meta({ description: "Field mapping for first name (defaults to 'givenName')" }).optional(),
-					lastName: z.string({}).meta({ description: "Field mapping for last name (defaults to 'surname')" }).optional(),
-					extraFields: z.record(z.string(), z.any()).optional()
-				}).optional()
-			}).optional(),
-			organizationId: z.string({}).meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
-			overrideUserInfo: z.boolean({}).meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
-		}),
+		body: ssoProviderBodySchema,
 		use: [sessionMiddleware],
 		metadata: { openapi: {
 			operationId: "registerSSOProvider",
@@ -584,30 +591,31 @@ const registerSSOProvider = (options) => {
 		}
 		return ctx.json({
 			...provider,
-			oidcConfig: JSON.parse(provider.oidcConfig),
-			samlConfig: JSON.parse(provider.samlConfig),
+			oidcConfig: safeJsonParse(provider.oidcConfig),
+			samlConfig: safeJsonParse(provider.samlConfig),
 			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
 		});
 	});
 };
+const signInSSOBodySchema = z.object({
+	email: z.string({}).meta({ description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided" }).optional(),
+	organizationSlug: z.string({}).meta({ description: "The slug of the organization to sign in with" }).optional(),
+	providerId: z.string({}).meta({ description: "The ID of the provider to sign in with. This can be provided instead of email or issuer" }).optional(),
+	domain: z.string({}).meta({ description: "The domain of the provider." }).optional(),
+	callbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }),
+	errorCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }).optional(),
+	newUserCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login if the user is new" }).optional(),
+	scopes: z.array(z.string(), {}).meta({ description: "Scopes to request from the provider." }).optional(),
+	loginHint: z.string({}).meta({ description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, will be sent as 'login_hint'." }).optional(),
+	requestSignUp: z.boolean({}).meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider" }).optional(),
+	providerType: z.enum(["oidc", "saml"]).optional()
+});
 const signInSSO = (options) => {
 	return createAuthEndpoint("/sign-in/sso", {
 		method: "POST",
-		body: z.object({
-			email: z.string({}).meta({ description: "The email address to sign in with. This is used to identify the issuer to sign in with. It's optional if the issuer is provided" }).optional(),
-			organizationSlug: z.string({}).meta({ description: "The slug of the organization to sign in with" }).optional(),
-			providerId: z.string({}).meta({ description: "The ID of the provider to sign in with. This can be provided instead of email or issuer" }).optional(),
-			domain: z.string({}).meta({ description: "The domain of the provider." }).optional(),
-			callbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }),
-			errorCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login" }).optional(),
-			newUserCallbackURL: z.string({}).meta({ description: "The URL to redirect to after login if the user is new" }).optional(),
-			scopes: z.array(z.string(), {}).meta({ description: "Scopes to request from the provider." }).optional(),
-			loginHint: z.string({}).meta({ description: "Login hint to send to the identity provider (e.g., email or identifier). If supported, will be sent as 'login_hint'." }).optional(),
-			requestSignUp: z.boolean({}).meta({ description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider" }).optional(),
-			providerType: z.enum(["oidc", "saml"]).optional()
-		}),
+		body: signInSSOBodySchema,
 		metadata: { openapi: {
 			operationId: "signInWithSSO",
 			summary: "Sign in with SSO provider",
@@ -781,15 +789,16 @@ const signInSSO = (options) => {
 		throw new APIError("BAD_REQUEST", { message: "Invalid SSO provider" });
 	});
 };
+const callbackSSOQuerySchema = z.object({
+	code: z.string().optional(),
+	state: z.string(),
+	error: z.string().optional(),
+	error_description: z.string().optional()
+});
 const callbackSSO = (options) => {
 	return createAuthEndpoint("/sso/callback/:providerId", {
 		method: "GET",
-		query: z.object({
-			code: z.string().optional(),
-			state: z.string(),
-			error: z.string().optional(),
-			error_description: z.string().optional()
-		}),
+		query: callbackSSOQuerySchema,
 		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		metadata: {
 			isAction: false,
@@ -892,6 +901,7 @@ const callbackSSO = (options) => {
 			userInfo = userInfoResponse.data;
 		}
 		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
+		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 		const linked = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -912,7 +922,8 @@ const callbackSSO = (options) => {
 			},
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-			overrideUserInfo: config.overrideUserInfo
+			overrideUserInfo: config.overrideUserInfo,
+			isTrustedProvider
 		});
 		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
 		const { session, user } = linked.data;
@@ -966,13 +977,14 @@ const callbackSSO = (options) => {
 		throw ctx.redirect(toRedirectTo);
 	});
 };
+const callbackSSOSAMLBodySchema = z.object({
+	SAMLResponse: z.string(),
+	RelayState: z.string().optional()
+});
 const callbackSSOSAML = (options) => {
 	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
 		method: "POST",
-		body: z.object({
-			SAMLResponse: z.string(),
-			RelayState: z.string().optional()
-		}),
+		body: callbackSSOSAMLBodySchema,
 		metadata: {
 			isAction: false,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
@@ -1111,38 +1123,52 @@ const callbackSSOSAML = (options) => {
 				value: userInfo.email
 			}]
 		});
-		if (existingUser) user = existingUser;
-		else {
+		if (existingUser) {
+			if (!await ctx.context.adapter.findOne({
+				model: "account",
+				where: [
+					{
+						field: "userId",
+						value: existingUser.id
+					},
+					{
+						field: "providerId",
+						value: provider.providerId
+					},
+					{
+						field: "accountId",
+						value: userInfo.id
+					}
+				]
+			})) {
+				if (!(ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain))) {
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=account_not_linked`);
+				}
+				await ctx.context.internalAdapter.createAccount({
+					userId: existingUser.id,
+					providerId: provider.providerId,
+					accountId: userInfo.id,
+					accessToken: "",
+					refreshToken: ""
+				});
+			}
+			user = existingUser;
+		} else {
 			if (options?.disableImplicitSignUp) throw new APIError("UNAUTHORIZED", { message: "User not found and implicit sign up is disabled for this provider" });
 			user = await ctx.context.internalAdapter.createUser({
 				email: userInfo.email,
 				name: userInfo.name,
 				emailVerified: userInfo.emailVerified
 			});
+			await ctx.context.internalAdapter.createAccount({
+				userId: user.id,
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			});
 		}
-		if (!await ctx.context.adapter.findOne({
-			model: "account",
-			where: [
-				{
-					field: "userId",
-					value: user.id
-				},
-				{
-					field: "providerId",
-					value: provider.providerId
-				},
-				{
-					field: "accountId",
-					value: userInfo.id
-				}
-			]
-		})) await ctx.context.internalAdapter.createAccount({
-			userId: user.id,
-			providerId: provider.providerId,
-			accountId: userInfo.id,
-			accessToken: "",
-			refreshToken: ""
-		});
 		if (options?.provisionUser) await options.provisionUser({
 			user,
 			userInfo,
@@ -1186,14 +1212,16 @@ const callbackSSOSAML = (options) => {
 		throw ctx.redirect(callbackUrl);
 	});
 };
+const acsEndpointParamsSchema = z.object({ providerId: z.string().optional() });
+const acsEndpointBodySchema = z.object({
+	SAMLResponse: z.string(),
+	RelayState: z.string().optional()
+});
 const acsEndpoint = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
 		method: "POST",
-		params: z.object({ providerId: z.string().optional() }),
-		body: z.object({
-			SAMLResponse: z.string(),
-			RelayState: z.string().optional()
-		}),
+		params: acsEndpointParamsSchema,
+		body: acsEndpointBodySchema,
 		metadata: {
 			isAction: false,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],

package/package.json CHANGED Viewed

@@ -1,13 +1,14 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.6-beta.2",
+  "version": "1.4.6-beta.6",
   "type": "module",
   "main": "dist/index.mjs",
+  "types": "dist/index.d.mts",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
   "repository": {
     "type": "git",
-    "url": "https://github.com/better-auth/better-auth",
+    "url": "git+https://github.com/better-auth/better-auth.git",
     "directory": "packages/sso"
   },
   "license": "MIT",
@@ -60,18 +61,19 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.1.4",
+    "better-call": "1.1.5",
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
-    "tsdown": "^0.16.0",
-    "better-auth": "1.4.6-beta.2"
+    "tsdown": "^0.17.0",
+    "better-auth": "1.4.6-beta.6"
   },
   "peerDependencies": {
-    "better-auth": "1.4.6-beta.2"
+    "better-auth": "1.4.6-beta.6"
   },
   "scripts": {
     "test": "vitest",
+    "coverage": "vitest run --coverage",
     "lint:package": "publint run --strict",
     "build": "tsdown",
     "dev": "tsdown --watch",