@better-auth/sso 1.4.6-beta.2 → 1.4.6

package/src/oidc.test.ts

@@ -571,3 +571,167 @@ describe("provisioning", async (ctx) => {
 		expect(res.url).toContain("http://localhost:8080/authorize");
 	});
 });
+
+describe("OIDC account linking with domainVerified", async () => {
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
+			account: {
+				accountLinking: {
+					enabled: true,
+					trustedProviders: [],
+				},
+			},
+			plugins: [
+				sso({
+					domainVerification: {
+						enabled: true,
+					},
+				}),
+			],
+		});
+
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: {
+			customFetchImpl,
+		},
+	});
+
+	beforeAll(async () => {
+		await server.issuer.keys.generate("RS256");
+		await server.start(8080, "localhost");
+	});
+
+	afterAll(async () => {
+		await server.stop().catch(() => {});
+	});
+
+	async function simulateOAuthFlow(authUrl: string, headers: Headers) {
+		let location: string | null = null;
+		await betterFetch(authUrl, {
+			method: "GET",
+			redirect: "manual",
+			onError(context) {
+				location = context.response.headers.get("location");
+			},
+		});
+
+		if (!location) throw new Error("No redirect location found");
+
+		let callbackURL = "";
+		const newHeaders = new Headers();
+		await betterFetch(location, {
+			method: "GET",
+			customFetchImpl,
+			headers,
+			onError(context) {
+				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
+			},
+		});
+
+		return { callbackURL, headers: newHeaders };
+	}
+
+	it("should allow account linking when domain is verified and email domain matches", async () => {
+		const testEmail = "linking-test@verified-oidc.com";
+		const testDomain = "verified-oidc.com";
+
+		server.service.on("beforeTokenSigning", (token) => {
+			token.payload.email = testEmail;
+			token.payload.email_verified = false;
+			token.payload.name = "Domain Verified User";
+			token.payload.sub = "oidc-domain-verified-user";
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "domain-verified-oidc",
+				issuer: server.issuer.url!,
+				domain: testDomain,
+				oidcConfig: {
+					clientId: "test",
+					clientSecret: "test",
+					authorizationEndpoint: `${server.issuer.url}/authorize`,
+					tokenEndpoint: `${server.issuer.url}/token`,
+					jwksEndpoint: `${server.issuer.url}/jwks`,
+					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
+					mapping: {
+						id: "sub",
+						email: "email",
+						emailVerified: "email_verified",
+						name: "name",
+					},
+				},
+			},
+			headers,
+		});
+
+		expect(provider.domainVerified).toBe(false);
+
+		const ctx = await auth.$context;
+		await ctx.adapter.update({
+			model: "ssoProvider",
+			where: [{ field: "providerId", value: provider.providerId }],
+			update: {
+				domainVerified: true,
+			},
+		});
+
+		const updatedProvider = await ctx.adapter.findOne<{
+			domainVerified: boolean;
+			domain: string;
+		}>({
+			model: "ssoProvider",
+			where: [{ field: "providerId", value: provider.providerId }],
+		});
+		expect(updatedProvider?.domainVerified).toBe(true);
+
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-oidc-domain-user",
+				email: testEmail,
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+			forceAllowId: true,
+		});
+
+		const newHeaders = new Headers();
+		const res = await authClient.signIn.sso({
+			providerId: "domain-verified-oidc",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(newHeaders),
+			},
+		});
+
+		expect(res.url).toContain("http://localhost:8080/authorize");
+
+		const { callbackURL } = await simulateOAuthFlow(res.url, newHeaders);
+
+		expect(callbackURL).toContain("/dashboard");
+		expect(callbackURL).not.toContain("error");
+
+		const accounts = await ctx.adapter.findMany<{
+			providerId: string;
+			accountId: string;
+			userId: string;
+		}>({
+			model: "account",
+			where: [{ field: "userId", value: "existing-oidc-domain-user" }],
+		});
+		const linkedAccount = accounts.find(
+			(a) => a.providerId === "domain-verified-oidc",
+		);
+		expect(linkedAccount).toBeTruthy();
+		expect(linkedAccount?.accountId).toBe("oidc-domain-verified-user");
+	});
+});

package/src/routes/domain-verification.ts

@@ -8,14 +8,16 @@ import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod/v4";
 import type { SSOOptions, SSOProvider } from "../types";
 
+const domainVerificationBodySchema = z.object({
+	providerId: z.string(),
+});
+
 export const requestDomainVerification = (options: SSOOptions) => {
 	return createAuthEndpoint(
 		"/sso/request-domain-verification",
 		{
 			method: "POST",
-			body: z.object({
-				providerId: z.string(),
-			}),
+			body: domainVerificationBodySchema,
 			metadata: {
 				openapi: {
 					summary: "Request a domain verification",
@@ -127,9 +129,7 @@ export const verifyDomain = (options: SSOOptions) => {
 		"/sso/verify-domain",
 		{
 			method: "POST",
-			body: z.object({
-				providerId: z.string(),
-			}),
+			body: domainVerificationBodySchema,
 			metadata: {
 				openapi: {
 					summary: "Verify the provider domain ownership",