@better-auth/sso 1.4.6 → 1.4.7-beta.2

package/.turbo/turbo-build.log

@@ -1,16 +1,16 @@
 
-> @better-auth/sso@1.4.6 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.7-beta.2 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.17.0 powered by rolldown v1.0.0-beta.53
+ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
 ℹ config file: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts 
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             59.70 kB │ gzip: 10.49 kB
+ℹ dist/index.mjs             59.70 kB │ gzip: 10.48 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
 ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
 ℹ dist/index.d.mts            0.21 kB │ gzip:  0.15 kB
-ℹ dist/index-D-JmJR9N.d.mts  25.42 kB │ gzip:  3.95 kB
-ℹ 5 files, total: 85.98 kB
-✔ Build complete in 11585ms
+ℹ dist/index-BWvN4yrs.d.mts  25.84 kB │ gzip:  4.13 kB
+ℹ 5 files, total: 86.39 kB
+✔ Build complete in 12102ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-D-JmJR9N.mjs";
+import { t as SSOPlugin } from "./index-BWvN4yrs.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-D-JmJR9N.d.mts → index-BWvN4yrs.d.mts}

@@ -1,6 +1,6 @@
 import * as z from "zod/v4";
 import { OAuth2Tokens, User } from "better-auth";
-import * as better_call0 from "better-call";
+import * as better_call7 from "better-call";
 
 //#region src/types.d.ts
 interface OIDCMapping {
@@ -216,7 +216,13 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
+   *
    * @default false
+   *
+   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -240,7 +246,7 @@ interface SSOOptions {
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -262,7 +268,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -290,7 +296,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -315,7 +321,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -343,7 +349,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
-declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -367,7 +373,7 @@ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metad
 } & {
   use: any[];
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -445,7 +451,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -637,7 +643,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -733,7 +739,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -758,7 +764,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
 } & {
   use: any[];
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -787,7 +793,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
 } & {
   use: any[];
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-D-JmJR9N.mjs";
+import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-BWvN4yrs.mjs";
 export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };

package/dist/index.mjs

@@ -810,7 +810,7 @@ const callbackSSO = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { code, state, error, error_description } = ctx.query;
+		const { code, error, error_description } = ctx.query;
 		const stateData = await parseState(ctx);
 		if (!stateData) {
 			const errorURL$1 = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.6",
+  "version": "1.4.7-beta.2",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -65,16 +65,17 @@
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
-    "tsdown": "^0.17.0",
-    "better-auth": "1.4.6"
+    "tsdown": "^0.17.2",
+    "better-auth": "1.4.7-beta.2"
   },
   "peerDependencies": {
-    "better-auth": "1.4.6"
+    "better-auth": "1.4.7-beta.2"
   },
   "scripts": {
     "test": "vitest",
     "coverage": "vitest run --coverage",
     "lint:package": "publint run --strict",
+    "lint:types": "attw --profile esm-only --pack .",
     "build": "tsdown",
     "dev": "tsdown --watch",
     "typecheck": "tsc --project tsconfig.json"

package/src/routes/sso.ts

@@ -1107,7 +1107,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 			},
 		},
 		async (ctx) => {
-			const { code, state, error, error_description } = ctx.query;
+			const { code, error, error_description } = ctx.query;
 			const stateData = await parseState(ctx);
 			if (!stateData) {
 				const errorURL =

package/src/saml.test.ts

@@ -448,13 +448,9 @@ const createMockSAMLIdP = (port: number) => {
 		async (req: ExpressRequest, res: ExpressResponse) => {
 			const { SAMLResponse, RelayState } = req.body;
 			try {
-				const parseResult = await sp.parseLoginResponse(
-					idp,
-					saml.Constants.wording.binding.post,
-					{ body: { SAMLResponse } },
-				);
-
-				const { attributes, nameID } = parseResult.extract;
+				await sp.parseLoginResponse(idp, saml.Constants.wording.binding.post, {
+					body: { SAMLResponse },
+				});
 
 				res.redirect(302, RelayState || "http://localhost:3000/dashboard");
 			} catch (error) {
@@ -550,18 +546,6 @@ describe("SAML SSO with defaultSSO array", async () => {
 		plugins: [sso(ssoOptions)],
 	});
 
-	const ctx = await auth.$context;
-
-	const authClient = createAuthClient({
-		baseURL: "http://localhost:3000",
-		plugins: [bearer(), ssoClient()],
-		fetchOptions: {
-			customFetchImpl: async (url, init) => {
-				return auth.handler(new Request(url, init));
-			},
-		},
-	});
-
 	beforeAll(async () => {
 		await mockIdP.start();
 	});
@@ -619,8 +603,6 @@ describe("SAML SSO", async () => {
 		plugins: [sso(ssoOptions)],
 	});
 
-	const ctx = await auth.$context;
-
 	const authClient = createAuthClient({
 		baseURL: "http://localhost:3000",
 		plugins: [bearer(), ssoClient()],
@@ -639,7 +621,7 @@ describe("SAML SSO", async () => {
 
 	beforeAll(async () => {
 		await mockIdP.start();
-		const res = await authClient.signUp.email({
+		await authClient.signUp.email({
 			email: testUser.email,
 			password: testUser.password,
 			name: testUser.name,
@@ -667,7 +649,7 @@ describe("SAML SSO", async () => {
 			password: testUser.password,
 			name: testUser.name,
 		});
-		const res = await authClient.signIn.email(testUser, {
+		await authClient.signIn.email(testUser, {
 			throw: true,
 			onSuccess: setCookieToHeader(headers),
 		});
@@ -676,7 +658,7 @@ describe("SAML SSO", async () => {
 
 	it("should register a new SAML provider", async () => {
 		const headers = await getAuthHeaders();
-		const res = await authClient.signIn.email(testUser, {
+		await authClient.signIn.email(testUser, {
 			throw: true,
 			onSuccess: setCookieToHeader(headers),
 		});
@@ -847,11 +829,11 @@ describe("SAML SSO", async () => {
 	});
 	it("should initiate SAML login and handle response", async () => {
 		const headers = await getAuthHeaders();
-		const res = await authClient.signIn.email(testUser, {
+		await authClient.signIn.email(testUser, {
 			throw: true,
 			onSuccess: setCookieToHeader(headers),
 		});
-		const provider = await auth.api.registerSSOProvider({
+		await auth.api.registerSSOProvider({
 			body: {
 				providerId: "saml-provider-1",
 				issuer: "http://localhost:8081",
@@ -1184,11 +1166,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should deny account linking when provider is not trusted and domain is not verified", async () => {
-		const {
-			auth: authUntrusted,
-			signInWithTestUser,
-			client,
-		} = await getTestInstance({
+		const { auth: authUntrusted, signInWithTestUser } = await getTestInstance({
 			account: {
 				accountLinking: {
 					enabled: true,
@@ -1401,7 +1379,7 @@ describe("SAML SSO with custom fields", () => {
 
 	beforeAll(async () => {
 		await mockIdP.start();
-		const res = await authClient.signUp.email({
+		await authClient.signUp.email({
 			email: testUser.email,
 			password: testUser.password,
 			name: testUser.name,

package/src/types.ts

@@ -232,7 +232,13 @@ export interface SSOOptions {
 	 *
 	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
 	 * providers in the `trustedProviders` list.
+	 *
 	 * @default false
+	 *
+	 * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+	 * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+	 * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+	 * This option may be removed in a future major version.
 	 */
 	trustEmailVerified?: boolean | undefined;
 	/**