@better-auth/sso 1.4.6 → 1.4.7-beta.3

package/.turbo/turbo-build.log

@@ -1,16 +1,16 @@
 
-> @better-auth/sso@1.4.6 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.7-beta.3 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.17.0 powered by rolldown v1.0.0-beta.53
+ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
 ℹ config file: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts 
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             59.70 kB │ gzip: 10.49 kB
+ℹ dist/index.mjs             65.14 kB │ gzip: 11.40 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
-ℹ dist/index.d.mts            0.21 kB │ gzip:  0.15 kB
-ℹ dist/index-D-JmJR9N.d.mts  25.42 kB │ gzip:  3.95 kB
-ℹ 5 files, total: 85.98 kB
-✔ Build complete in 11585ms
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
+ℹ dist/index.d.mts            0.43 kB │ gzip:  0.23 kB
+ℹ dist/index-m7FISidt.d.mts  28.63 kB │ gzip:  5.07 kB
+ℹ 5 files, total: 94.85 kB
+✔ Build complete in 11484ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-D-JmJR9N.mjs";
+import { t as SSOPlugin } from "./index-m7FISidt.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-D-JmJR9N.d.mts → index-m7FISidt.d.mts}

@@ -2,6 +2,42 @@ import * as z from "zod/v4";
 import { OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
+//#region src/authn-request-store.d.ts
+
+/**
+ * AuthnRequest Store
+ *
+ * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
+ * This prevents:
+ * - Unsolicited SAML responses
+ * - Cross-provider response injection
+ * - Replay attacks
+ * - Expired login completions
+ */
+interface AuthnRequestRecord {
+  id: string;
+  providerId: string;
+  createdAt: number;
+  expiresAt: number;
+}
+interface AuthnRequestStore {
+  save(record: AuthnRequestRecord): Promise<void>;
+  get(id: string): Promise<AuthnRequestRecord | null>;
+  delete(id: string): Promise<void>;
+}
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+declare const DEFAULT_AUTHN_REQUEST_TTL_MS: number;
+/**
+ * In-memory implementation of AuthnRequestStore.
+ * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+ * For production, rely on the default behavior (uses verification table)
+ * or provide a custom Redis-backed store.
+ */
+declare function createInMemoryAuthnRequestStore(): AuthnRequestStore;
+//#endregion
 //#region src/types.d.ts
 interface OIDCMapping {
   id?: string | undefined;
@@ -216,7 +252,13 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
+   *
    * @default false
+   *
+   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -237,6 +279,54 @@ interface SSOOptions {
      */
     tokenPrefix?: string;
   };
+  /**
+   * SAML security options for AuthnRequest/InResponseTo validation.
+   * This prevents unsolicited responses, replay attacks, and cross-provider injection.
+   */
+  saml?: {
+    /**
+     * Enable InResponseTo validation for SP-initiated SAML flows.
+     * When enabled, AuthnRequest IDs are tracked and validated against SAML responses.
+     *
+     * Storage behavior:
+     * - Uses `secondaryStorage` (e.g., Redis) if configured in your auth options
+     * - Falls back to the verification table in the database otherwise
+     *
+     * This works correctly in serverless environments without any additional configuration.
+     *
+     * @default false
+     */
+    enableInResponseToValidation?: boolean;
+    /**
+     * Allow IdP-initiated SSO (unsolicited SAML responses).
+     * When true, responses without InResponseTo are accepted.
+     * When false, all responses must correlate to a stored AuthnRequest.
+     *
+     * Only applies when InResponseTo validation is enabled.
+     *
+     * @default true
+     */
+    allowIdpInitiated?: boolean;
+    /**
+     * TTL for AuthnRequest records in milliseconds.
+     * Requests older than this will be rejected.
+     *
+     * Only applies when InResponseTo validation is enabled.
+     *
+     * @default 300000 (5 minutes)
+     */
+    requestTTL?: number;
+    /**
+     * Custom AuthnRequest store implementation.
+     * Use this to provide a custom storage backend (e.g., Redis-backed store).
+     *
+     * Providing a custom store automatically enables InResponseTo validation.
+     *
+     * Note: When not provided, the default storage (secondaryStorage with
+     * verification table fallback) is used automatically.
+     */
+    authnRequestStore?: AuthnRequestStore;
+  };
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
@@ -285,8 +375,6 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
       };
     };
   }>)[];
-} & {
-  use: any[];
 }, {
   domainVerificationToken: string;
 }>;
@@ -338,8 +426,6 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
       };
     };
   }>)[];
-} & {
-  use: any[];
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
@@ -364,8 +450,6 @@ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metad
       };
     };
   };
-} & {
-  use: any[];
 }, Response>;
 declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
   method: "POST";
@@ -629,8 +713,6 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
       };
     };
   };
-} & {
-  use: any[];
 }, O["domainVerification"] extends {
   enabled: true;
 } ? {
@@ -651,8 +733,8 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
     loginHint: z.ZodOptional<z.ZodString>;
     requestSignUp: z.ZodOptional<z.ZodBoolean>;
     providerType: z.ZodOptional<z.ZodEnum<{
-      oidc: "oidc";
       saml: "saml";
+      oidc: "oidc";
     }>>;
   }, z.core.$strip>;
   metadata: {
@@ -727,8 +809,6 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
       };
     };
   };
-} & {
-  use: any[];
 }, {
   url: string;
   redirect: boolean;
@@ -743,7 +823,6 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
   }, z.core.$strip>;
   allowedMediaTypes: string[];
   metadata: {
-    isAction: false;
     openapi: {
       operationId: string;
       summary: string;
@@ -754,9 +833,8 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
@@ -765,7 +843,6 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
     RelayState: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
   metadata: {
-    isAction: false;
     allowedMediaTypes: string[];
     openapi: {
       operationId: string;
@@ -783,9 +860,8 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
@@ -797,7 +873,6 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
     RelayState: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
   metadata: {
-    isAction: false;
     allowedMediaTypes: string[];
     openapi: {
       operationId: string;
@@ -809,9 +884,8 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 //#endregion
 //#region src/index.d.ts
@@ -850,4 +924,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { SSOOptions as a, SAMLConfig as i, sso as n, SSOProvider as o, OIDCConfig as r, SSOPlugin as t };
+export { SSOOptions as a, AuthnRequestStore as c, SAMLConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as l, sso as n, SSOProvider as o, OIDCConfig as r, AuthnRequestRecord as s, SSOPlugin as t, createInMemoryAuthnRequestStore as u };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-D-JmJR9N.mjs";
-export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };
+import { a as SSOOptions, c as AuthnRequestStore, i as SAMLConfig, l as DEFAULT_AUTHN_REQUEST_TTL_MS, n as sso, o as SSOProvider, r as OIDCConfig, s as AuthnRequestRecord, t as SSOPlugin, u as createInMemoryAuthnRequestStore } from "./index-m7FISidt.mjs";
+export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, createInMemoryAuthnRequestStore, sso };

package/dist/index.mjs

@@ -4,11 +4,51 @@ import { APIError, createAuthEndpoint, sessionMiddleware } from "better-auth/api
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod/v4";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
-import { createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 
+//#region src/authn-request-store.ts
+/**
+* Default TTL for AuthnRequest records (5 minutes).
+* This should be sufficient for most IdPs while protecting against stale requests.
+*/
+const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
+/**
+* In-memory implementation of AuthnRequestStore.
+* ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+* For production, rely on the default behavior (uses verification table)
+* or provide a custom Redis-backed store.
+*/
+function createInMemoryAuthnRequestStore() {
+	const store = /* @__PURE__ */ new Map();
+	const cleanup = () => {
+		const now = Date.now();
+		for (const [id, record] of store.entries()) if (record.expiresAt < now) store.delete(id);
+	};
+	const cleanupInterval = setInterval(cleanup, 60 * 1e3);
+	if (typeof cleanupInterval.unref === "function") cleanupInterval.unref();
+	return {
+		async save(record) {
+			store.set(record.id, record);
+		},
+		async get(id) {
+			const record = store.get(id);
+			if (!record) return null;
+			if (record.expiresAt < Date.now()) {
+				store.delete(id);
+				return null;
+			}
+			return record;
+		},
+		async delete(id) {
+			store.delete(id);
+		}
+	};
+}
+
+//#endregion
 //#region src/routes/domain-verification.ts
 const domainVerificationBodySchema = z.object({ providerId: z.string() });
 const requestDomainVerification = (options) => {
@@ -213,6 +253,7 @@ const validateEmailDomain = (email, domain) => {
 
 //#endregion
 //#region src/routes/sso.ts
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml")
@@ -781,6 +822,21 @@ const signInSSO = (options) => {
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
+			if (loginRequest.id && (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation)) {
+				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
+				const record = {
+					id: loginRequest.id,
+					providerId: provider.providerId,
+					createdAt: Date.now(),
+					expiresAt: Date.now() + ttl
+				};
+				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.save(record);
+				else await ctx.context.internalAdapter.createVerificationValue({
+					identifier: `${AUTHN_REQUEST_KEY_PREFIX}${record.id}`,
+					value: JSON.stringify(record),
+					expiresAt: new Date(record.expiresAt)
+				});
+			}
 			return ctx.json({
 				url: `${loginRequest.context}&RelayState=${encodeURIComponent(body.callbackURL)}`,
 				redirect: true
@@ -801,7 +857,7 @@ const callbackSSO = (options) => {
 		query: callbackSSOQuerySchema,
 		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		metadata: {
-			isAction: false,
+			...HIDE_METADATA,
 			openapi: {
 				operationId: "handleSSOCallback",
 				summary: "Callback URL for SSO provider",
@@ -810,7 +866,7 @@ const callbackSSO = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { code, state, error, error_description } = ctx.query;
+		const { code, error, error_description } = ctx.query;
 		const stateData = await parseState(ctx);
 		if (!stateData) {
 			const errorURL$1 = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
@@ -986,7 +1042,7 @@ const callbackSSOSAML = (options) => {
 		method: "POST",
 		body: callbackSSOSAMLBodySchema,
 		metadata: {
-			isAction: false,
+			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
 				operationId: "handleSAMLCallback",
@@ -1069,22 +1125,10 @@ const callbackSSOSAML = (options) => {
 		});
 		let parsedResponse;
 		try {
-			const decodedResponse = Buffer.from(SAMLResponse, "base64").toString("utf-8");
-			try {
-				parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
-					SAMLResponse,
-					RelayState: RelayState || void 0
-				} });
-			} catch (parseError) {
-				const nameIDMatch = decodedResponse.match(/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/);
-				if (!nameIDMatch) throw parseError;
-				parsedResponse = { extract: {
-					nameID: nameIDMatch[1],
-					attributes: { nameID: nameIDMatch[1] },
-					sessionIndex: {},
-					conditions: {}
-				} };
-			}
+			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
+				SAMLResponse,
+				RelayState: RelayState || void 0
+			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
@@ -1097,6 +1141,47 @@ const callbackSSOSAML = (options) => {
 			});
 		}
 		const { extract } = parsedResponse;
+		const inResponseTo = extract.inResponseTo;
+		if (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation) {
+			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+			if (inResponseTo) {
+				let storedRequest = null;
+				if (options?.saml?.authnRequestStore) storedRequest = await options.saml.authnRequestStore.get(inResponseTo);
+				else {
+					const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+					if (verification) try {
+						storedRequest = JSON.parse(verification.value);
+					} catch {
+						storedRequest = null;
+					}
+				}
+				if (!storedRequest) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+						inResponseTo,
+						providerId: provider.providerId
+					});
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+				}
+				if (storedRequest.providerId !== provider.providerId) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+						inResponseTo,
+						expectedProvider: storedRequest.providerId,
+						actualProvider: provider.providerId
+					});
+					if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseTo);
+					else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+				}
+				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseTo);
+				else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+			} else if (!allowIdpInitiated) {
+				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: provider.providerId });
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+			}
+		}
 		const attributes = extract.attributes || {};
 		const mapping = parsedSamlConfig.mapping ?? {};
 		const userInfo = {
@@ -1223,7 +1308,7 @@ const acsEndpoint = (options) => {
 		params: acsEndpointParamsSchema,
 		body: acsEndpointBodySchema,
 		metadata: {
-			isAction: false,
+			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
 				operationId: "handleSAMLAssertionConsumerService",
@@ -1285,26 +1370,10 @@ const acsEndpoint = (options) => {
 		}) : saml.IdentityProvider({ metadata: idpData.metadata });
 		let parsedResponse;
 		try {
-			let decodedResponse = Buffer.from(SAMLResponse, "base64").toString("utf-8");
-			if (!decodedResponse.includes("StatusCode")) {
-				const insertPoint = decodedResponse.indexOf("</saml2:Issuer>");
-				if (insertPoint !== -1) decodedResponse = decodedResponse.slice(0, insertPoint + 14) + "<saml2:Status><saml2:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></saml2:Status>" + decodedResponse.slice(insertPoint + 14);
-			} else if (!decodedResponse.includes("saml2:Success")) decodedResponse = decodedResponse.replace(/<saml2:StatusCode Value="[^"]+"/, "<saml2:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"");
-			try {
-				parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
-					SAMLResponse,
-					RelayState: RelayState || void 0
-				} });
-			} catch (parseError) {
-				const nameIDMatch = decodedResponse.match(/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/);
-				if (!nameIDMatch) throw parseError;
-				parsedResponse = { extract: {
-					nameID: nameIDMatch[1],
-					attributes: { nameID: nameIDMatch[1] },
-					sessionIndex: {},
-					conditions: {}
-				} };
-			}
+			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
+				SAMLResponse,
+				RelayState: RelayState || void 0
+			} });
 			if (!parsedResponse?.extract) throw new Error("Invalid SAML response structure");
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
@@ -1317,6 +1386,47 @@ const acsEndpoint = (options) => {
 			});
 		}
 		const { extract } = parsedResponse;
+		const inResponseToAcs = extract.inResponseTo;
+		if (options?.saml?.authnRequestStore || options?.saml?.enableInResponseToValidation) {
+			const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+			if (inResponseToAcs) {
+				let storedRequest = null;
+				if (options?.saml?.authnRequestStore) storedRequest = await options.saml.authnRequestStore.get(inResponseToAcs);
+				else {
+					const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+					if (verification) try {
+						storedRequest = JSON.parse(verification.value);
+					} catch {
+						storedRequest = null;
+					}
+				}
+				if (!storedRequest) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+						inResponseTo: inResponseToAcs,
+						providerId
+					});
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
+				}
+				if (storedRequest.providerId !== providerId) {
+					ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+						inResponseTo: inResponseToAcs,
+						expectedProvider: storedRequest.providerId,
+						actualProvider: providerId
+					});
+					if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseToAcs);
+					else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
+				}
+				if (options?.saml?.authnRequestStore) await options.saml.authnRequestStore.delete(inResponseToAcs);
+				else await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`);
+			} else if (!allowIdpInitiated) {
+				ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
+			}
+		}
 		const attributes = extract.attributes || {};
 		const mapping = parsedSamlConfig.mapping ?? {};
 		const userInfo = {
@@ -1439,18 +1549,19 @@ saml.setSchemaValidator({ async validate(xml) {
 	throw "ERR_INVALID_XML";
 } });
 function sso(options) {
+	const optionsWithStore = options;
 	let endpoints = {
 		spMetadata: spMetadata(),
-		registerSSOProvider: registerSSOProvider(options),
-		signInSSO: signInSSO(options),
-		callbackSSO: callbackSSO(options),
-		callbackSSOSAML: callbackSSOSAML(options),
-		acsEndpoint: acsEndpoint(options)
+		registerSSOProvider: registerSSOProvider(optionsWithStore),
+		signInSSO: signInSSO(optionsWithStore),
+		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
+		acsEndpoint: acsEndpoint(optionsWithStore)
 	};
 	if (options?.domainVerification?.enabled) {
 		const domainVerificationEndpoints = {
-			requestDomainVerification: requestDomainVerification(options),
-			verifyDomain: verifyDomain(options)
+			requestDomainVerification: requestDomainVerification(optionsWithStore),
+			verifyDomain: verifyDomain(optionsWithStore)
 		};
 		endpoints = {
 			...endpoints,
@@ -1512,4 +1623,4 @@ function sso(options) {
 }
 
 //#endregion
-export { sso };
+export { DEFAULT_AUTHN_REQUEST_TTL_MS, createInMemoryAuthnRequestStore, sso };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.6",
+  "version": "1.4.7-beta.3",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -52,7 +52,7 @@
     }
   },
   "dependencies": {
-    "@better-fetch/fetch": "1.1.18",
+    "@better-fetch/fetch": "1.1.21",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
     "samlify": "^2.10.1",
@@ -65,16 +65,17 @@
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
-    "tsdown": "^0.17.0",
-    "better-auth": "1.4.6"
+    "tsdown": "^0.17.2",
+    "better-auth": "1.4.7-beta.3"
   },
   "peerDependencies": {
-    "better-auth": "1.4.6"
+    "better-auth": "1.4.7-beta.3"
   },
   "scripts": {
     "test": "vitest",
     "coverage": "vitest run --coverage",
     "lint:package": "publint run --strict",
+    "lint:types": "attw --profile esm-only --pack .",
     "build": "tsdown",
     "dev": "tsdown --watch",
     "typecheck": "tsc --project tsconfig.json"

package/src/authn-request-store.ts

@@ -0,0 +1,76 @@
+/**
+ * AuthnRequest Store
+ *
+ * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
+ * This prevents:
+ * - Unsolicited SAML responses
+ * - Cross-provider response injection
+ * - Replay attacks
+ * - Expired login completions
+ */
+
+export interface AuthnRequestRecord {
+	id: string;
+	providerId: string;
+	createdAt: number;
+	expiresAt: number;
+}
+
+export interface AuthnRequestStore {
+	save(record: AuthnRequestRecord): Promise<void>;
+	get(id: string): Promise<AuthnRequestRecord | null>;
+	delete(id: string): Promise<void>;
+}
+
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * In-memory implementation of AuthnRequestStore.
+ * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+ * For production, rely on the default behavior (uses verification table)
+ * or provide a custom Redis-backed store.
+ */
+export function createInMemoryAuthnRequestStore(): AuthnRequestStore {
+	const store = new Map<string, AuthnRequestRecord>();
+
+	const cleanup = () => {
+		const now = Date.now();
+		for (const [id, record] of store.entries()) {
+			if (record.expiresAt < now) {
+				store.delete(id);
+			}
+		}
+	};
+
+	const cleanupInterval = setInterval(cleanup, 60 * 1000);
+
+	if (typeof cleanupInterval.unref === "function") {
+		cleanupInterval.unref();
+	}
+
+	return {
+		async save(record: AuthnRequestRecord): Promise<void> {
+			store.set(record.id, record);
+		},
+
+		async get(id: string): Promise<AuthnRequestRecord | null> {
+			const record = store.get(id);
+			if (!record) {
+				return null;
+			}
+			if (record.expiresAt < Date.now()) {
+				store.delete(id);
+				return null;
+			}
+			return record;
+		},
+
+		async delete(id: string): Promise<void> {
+			store.delete(id);
+		},
+	};
+}