npm - @better-auth/sso - Versions diffs - 1.4.6-beta.2 → 1.4.6 - Mend

@better-auth/sso 1.4.6-beta.2 → 1.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/.turbo/turbo-build.log +8 -8
package/dist/client.d.mts +1 -1
package/dist/{index-DCyJckhH.d.mts → index-D-JmJR9N.d.mts} +12 -12
package/dist/index.d.mts +1 -1
package/dist/index.mjs +174 -146
package/package.json +8 -6
package/src/oidc.test.ts +164 -0
package/src/routes/domain-verification.ts +6 -6
package/src/routes/sso.ts +336 -333
package/src/saml.test.ts +346 -0
package/src/utils.ts +31 -0

package/src/saml.test.ts CHANGED Viewed

@@ -1182,6 +1182,171 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+	it("should deny account linking when provider is not trusted and domain is not verified", async () => {
+		const {
+			auth: authUntrusted,
+			signInWithTestUser,
+			client,
+		} = await getTestInstance({
+			account: {
+				accountLinking: {
+					enabled: true,
+					trustedProviders: [],
+				},
+			},
+			plugins: [sso()],
+		});
+		const { headers } = await signInWithTestUser();
+		await authUntrusted.api.registerSSOProvider({
+			body: {
+				providerId: "untrusted-saml-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+		const ctx = await authUntrusted.$context;
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-user-id",
+				email: "test@email.com",
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+		});
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+		const response = await authUntrusted.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/untrusted-saml-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).toContain("error=account_not_linked");
+	});
+	it("should allow account linking when provider is in trustedProviders", async () => {
+		const { auth: authWithTrusted, signInWithTestUser } = await getTestInstance(
+			{
+				account: {
+					accountLinking: {
+						enabled: true,
+						trustedProviders: ["trusted-saml-provider"],
+					},
+				},
+				plugins: [sso()],
+			},
+		);
+		const { headers } = await signInWithTestUser();
+		await authWithTrusted.api.registerSSOProvider({
+			body: {
+				providerId: "trusted-saml-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+		const ctx = await authWithTrusted.$context;
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-user-id-2",
+				email: "test@email.com",
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+		});
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+		const response = await authWithTrusted.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/trusted-saml-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).not.toContain("error");
+		expect(redirectLocation).toContain("dashboard");
+	});
 });
 describe("SAML SSO with custom fields", () => {
@@ -1325,3 +1490,184 @@ describe("SAML SSO with custom fields", () => {
 		});
 	});
 });
+import { safeJsonParse } from "./utils";
+describe("safeJsonParse", () => {
+	it("returns object as-is when value is already an object", () => {
+		const obj = { a: 1, nested: { b: 2 } };
+		const result = safeJsonParse<typeof obj>(obj);
+		expect(result).toBe(obj); // same reference
+		expect(result).toEqual({ a: 1, nested: { b: 2 } });
+	});
+	it("parses stringified JSON when value is a string", () => {
+		const json = '{"a":1,"nested":{"b":2}}';
+		const result = safeJsonParse<{ a: number; nested: { b: number } }>(json);
+		expect(result).toEqual({ a: 1, nested: { b: 2 } });
+	});
+	it("returns null for null input", () => {
+		const result = safeJsonParse<{ a: number }>(null);
+		expect(result).toBeNull();
+	});
+	it("returns null for undefined input", () => {
+		const result = safeJsonParse<{ a: number }>(undefined);
+		expect(result).toBeNull();
+	});
+	it("throws error for invalid JSON string", () => {
+		expect(() => safeJsonParse<{ a: number }>("not valid json")).toThrow(
+			"Failed to parse JSON",
+		);
+	});
+	it("handles empty object", () => {
+		const obj = {};
+		const result = safeJsonParse<typeof obj>(obj);
+		expect(result).toBe(obj);
+	});
+	it("handles empty string JSON", () => {
+		const result = safeJsonParse<Record<string, never>>("{}");
+		expect(result).toEqual({});
+	});
+});
+describe("SSO Provider Config Parsing", () => {
+	it("returns parsed SAML config and avoids [object Object] in response", async () => {
+		const data = {
+			user: [] as any[],
+			session: [] as any[],
+			verification: [] as any[],
+			account: [] as any[],
+			ssoProvider: [] as any[],
+		};
+		const memory = memoryAdapter(data);
+		const auth = betterAuth({
+			database: memory,
+			baseURL: "http://localhost:3000",
+			emailAndPassword: { enabled: true },
+			plugins: [sso()],
+		});
+		const authClient = createAuthClient({
+			baseURL: "http://localhost:3000",
+			plugins: [bearer(), ssoClient()],
+			fetchOptions: {
+				customFetchImpl: async (url, init) =>
+					auth.handler(new Request(url, init)),
+			},
+		});
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: "test@example.com",
+			password: "password123",
+			name: "Test User",
+		});
+		await authClient.signIn.email(
+			{ email: "test@example.com", password: "password123" },
+			{ onSuccess: setCookieToHeader(headers) },
+		);
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-config-provider",
+				issuer: "http://localhost:8081",
+				domain: "example.com",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/sso",
+					cert: "test-cert",
+					callbackUrl: "http://localhost:3000/callback",
+					spMetadata: {
+						entityID: "test-entity",
+					},
+				},
+			},
+			headers,
+		});
+		expect(provider.samlConfig).toBeDefined();
+		expect(typeof provider.samlConfig).toBe("object");
+		expect(provider.samlConfig?.entryPoint).toBe("http://localhost:8081/sso");
+		expect(provider.samlConfig?.cert).toBe("test-cert");
+		const serialized = JSON.stringify(provider.samlConfig);
+		expect(serialized).not.toContain("[object Object]");
+		expect(provider.samlConfig?.spMetadata?.entityID).toBe("test-entity");
+	});
+	it("returns parsed OIDC config and avoids [object Object] in response", async () => {
+		const data = {
+			user: [] as any[],
+			session: [] as any[],
+			verification: [] as any[],
+			account: [] as any[],
+			ssoProvider: [] as any[],
+		};
+		const memory = memoryAdapter(data);
+		const auth = betterAuth({
+			database: memory,
+			baseURL: "http://localhost:3000",
+			emailAndPassword: { enabled: true },
+			plugins: [sso()],
+		});
+		const authClient = createAuthClient({
+			baseURL: "http://localhost:3000",
+			plugins: [bearer(), ssoClient()],
+			fetchOptions: {
+				customFetchImpl: async (url, init) =>
+					auth.handler(new Request(url, init)),
+			},
+		});
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: "test@example.com",
+			password: "password123",
+			name: "Test User",
+		});
+		await authClient.signIn.email(
+			{ email: "test@example.com", password: "password123" },
+			{ onSuccess: setCookieToHeader(headers) },
+		);
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "oidc-config-provider",
+				issuer: "http://localhost:8080",
+				domain: "example.com",
+				oidcConfig: {
+					clientId: "test-client",
+					clientSecret: "test-secret",
+					discoveryEndpoint:
+						"http://localhost:8080/.well-known/openid-configuration",
+					mapping: {
+						id: "sub",
+						email: "email",
+						name: "name",
+					},
+				},
+			},
+			headers,
+		});
+		expect(provider.oidcConfig).toBeDefined();
+		expect(typeof provider.oidcConfig).toBe("object");
+		expect(provider.oidcConfig?.clientId).toBe("test-client");
+		expect(provider.oidcConfig?.clientSecret).toBe("test-secret");
+		const serialized = JSON.stringify(provider.oidcConfig);
+		expect(serialized).not.toContain("[object Object]");
+		expect(provider.oidcConfig?.mapping?.id).toBe("sub");
+	});
+});

package/src/utils.ts CHANGED Viewed

@@ -1,3 +1,34 @@
+/**
+ * Safely parses a value that might be a JSON string or already a parsed object.
+ * This handles cases where ORMs like Drizzle might return already parsed objects
+ * instead of JSON strings from TEXT/JSON columns.
+ *
+ * @param value - The value to parse (string, object, null, or undefined)
+ * @returns The parsed object or null
+ * @throws Error if string parsing fails
+ */
+export function safeJsonParse<T>(
+	value: string | T | null | undefined,
+): T | null {
+	if (!value) return null;
+	if (typeof value === "object") {
+		return value as T;
+	}
+	if (typeof value === "string") {
+		try {
+			return JSON.parse(value) as T;
+		} catch (error) {
+			throw new Error(
+				`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+	return null;
+}
 export const validateEmailDomain = (email: string, domain: string) => {
 	const emailDomain = email.split("@")[1]?.toLowerCase();
 	const providerDomain = domain.toLowerCase();