@better-auth/sso 1.4.7-beta.2 → 1.4.7-beta.3

package/src/authn-request-store.ts

@@ -0,0 +1,76 @@
+/**
+ * AuthnRequest Store
+ *
+ * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
+ * This prevents:
+ * - Unsolicited SAML responses
+ * - Cross-provider response injection
+ * - Replay attacks
+ * - Expired login completions
+ */
+
+export interface AuthnRequestRecord {
+	id: string;
+	providerId: string;
+	createdAt: number;
+	expiresAt: number;
+}
+
+export interface AuthnRequestStore {
+	save(record: AuthnRequestRecord): Promise<void>;
+	get(id: string): Promise<AuthnRequestRecord | null>;
+	delete(id: string): Promise<void>;
+}
+
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * In-memory implementation of AuthnRequestStore.
+ * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+ * For production, rely on the default behavior (uses verification table)
+ * or provide a custom Redis-backed store.
+ */
+export function createInMemoryAuthnRequestStore(): AuthnRequestStore {
+	const store = new Map<string, AuthnRequestRecord>();
+
+	const cleanup = () => {
+		const now = Date.now();
+		for (const [id, record] of store.entries()) {
+			if (record.expiresAt < now) {
+				store.delete(id);
+			}
+		}
+	};
+
+	const cleanupInterval = setInterval(cleanup, 60 * 1000);
+
+	if (typeof cleanupInterval.unref === "function") {
+		cleanupInterval.unref();
+	}
+
+	return {
+		async save(record: AuthnRequestRecord): Promise<void> {
+			store.set(record.id, record);
+		},
+
+		async get(id: string): Promise<AuthnRequestRecord | null> {
+			const record = store.get(id);
+			if (!record) {
+				return null;
+			}
+			if (record.expiresAt < Date.now()) {
+				store.delete(id);
+				return null;
+			}
+			return record;
+		},
+
+		async delete(id: string): Promise<void> {
+			store.delete(id);
+		},
+	};
+}

package/src/authn-request.test.ts

@@ -0,0 +1,99 @@
+import { describe, expect, it } from "vitest";
+import {
+	createInMemoryAuthnRequestStore,
+	DEFAULT_AUTHN_REQUEST_TTL_MS,
+} from "./authn-request-store";
+
+describe("AuthnRequest Store", () => {
+	describe("In-Memory Store", () => {
+		it("should save and retrieve an AuthnRequest record", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_test-request-id-1",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record);
+			const retrieved = await store.get(record.id);
+
+			expect(retrieved).toEqual(record);
+		});
+
+		it("should return null for non-existent request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const retrieved = await store.get("_non-existent-id");
+
+			expect(retrieved).toBeNull();
+		});
+
+		it("should return null for expired request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_expired-request-id",
+				providerId: "saml-provider-1",
+				createdAt: Date.now() - 10000,
+				expiresAt: Date.now() - 1000, // Already expired
+			};
+
+			await store.save(record);
+			const retrieved = await store.get(record.id);
+
+			expect(retrieved).toBeNull();
+		});
+
+		it("should delete a request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_delete-me",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record);
+			await store.delete(record.id);
+
+			const retrieved = await store.get(record.id);
+			expect(retrieved).toBeNull();
+		});
+
+		it("should handle multiple providers with different request IDs", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record1 = {
+				id: "_request-provider-1",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			const record2 = {
+				id: "_request-provider-2",
+				providerId: "saml-provider-2",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record1);
+			await store.save(record2);
+
+			const retrieved1 = await store.get(record1.id);
+			const retrieved2 = await store.get(record2.id);
+
+			expect(retrieved1?.providerId).toBe("saml-provider-1");
+			expect(retrieved2?.providerId).toBe("saml-provider-2");
+		});
+	});
+
+	describe("DEFAULT_AUTHN_REQUEST_TTL_MS", () => {
+		it("should be 5 minutes in milliseconds", () => {
+			expect(DEFAULT_AUTHN_REQUEST_TTL_MS).toBe(5 * 60 * 1000);
+		});
+	});
+});

package/src/index.ts

@@ -1,6 +1,14 @@
 import type { BetterAuthPlugin } from "better-auth";
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
+import type {
+	AuthnRequestRecord,
+	AuthnRequestStore,
+} from "./authn-request-store";
+import {
+	createInMemoryAuthnRequestStore,
+	DEFAULT_AUTHN_REQUEST_TTL_MS,
+} from "./authn-request-store";
 import {
 	requestDomainVerification,
 	verifyDomain,
@@ -16,6 +24,8 @@ import {
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
 export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
+export type { AuthnRequestStore, AuthnRequestRecord };
+export { createInMemoryAuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS };
 
 const fastValidator = {
 	async validate(xml: string) {
@@ -71,19 +81,21 @@ export function sso<O extends SSOOptions>(
 };
 
 export function sso<O extends SSOOptions>(options?: O | undefined): any {
+	const optionsWithStore = options as O;
+
 	let endpoints = {
 		spMetadata: spMetadata(),
-		registerSSOProvider: registerSSOProvider(options as O),
-		signInSSO: signInSSO(options as O),
-		callbackSSO: callbackSSO(options as O),
-		callbackSSOSAML: callbackSSOSAML(options as O),
-		acsEndpoint: acsEndpoint(options as O),
+		registerSSOProvider: registerSSOProvider(optionsWithStore),
+		signInSSO: signInSSO(optionsWithStore),
+		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
+		acsEndpoint: acsEndpoint(optionsWithStore),
 	};
 
 	if (options?.domainVerification?.enabled) {
 		const domainVerificationEndpoints = {
-			requestDomainVerification: requestDomainVerification(options as O),
-			verifyDomain: verifyDomain(options as O),
+			requestDomainVerification: requestDomainVerification(optionsWithStore),
+			verifyDomain: verifyDomain(optionsWithStore),
 		};
 
 		endpoints = {

package/src/routes/sso.ts

@@ -3,6 +3,7 @@ import type { Account, Session, User, Verification } from "better-auth";
 import {
 	createAuthorizationURL,
 	generateState,
+	HIDE_METADATA,
 	parseState,
 	validateAuthorizationCode,
 	validateToken,
@@ -21,9 +22,13 @@ import type { BindingContext } from "samlify/types/src/entity";
 import type { IdentityProvider } from "samlify/types/src/entity-idp";
 import type { FlowResult } from "samlify/types/src/flow";
 import * as z from "zod/v4";
+import type { AuthnRequestRecord } from "../authn-request-store";
+import { DEFAULT_AUTHN_REQUEST_TTL_MS } from "../authn-request-store";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
+
 import { safeJsonParse, validateEmailDomain } from "../utils";
 
+const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml"),
@@ -1054,12 +1059,40 @@ export const signInSSO = (options?: SSOOptions) => {
 				const loginRequest = sp.createLoginRequest(
 					idp,
 					"redirect",
-				) as BindingContext & { entityEndpoint: string; type: string };
+				) as BindingContext & {
+					entityEndpoint: string;
+					type: string;
+					id: string;
+				};
 				if (!loginRequest) {
 					throw new APIError("BAD_REQUEST", {
 						message: "Invalid SAML request",
 					});
 				}
+
+				const shouldSaveRequest =
+					loginRequest.id &&
+					(options?.saml?.authnRequestStore ||
+						options?.saml?.enableInResponseToValidation);
+				if (shouldSaveRequest) {
+					const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
+					const record: AuthnRequestRecord = {
+						id: loginRequest.id,
+						providerId: provider.providerId,
+						createdAt: Date.now(),
+						expiresAt: Date.now() + ttl,
+					};
+					if (options?.saml?.authnRequestStore) {
+						await options.saml.authnRequestStore.save(record);
+					} else {
+						await ctx.context.internalAdapter.createVerificationValue({
+							identifier: `${AUTHN_REQUEST_KEY_PREFIX}${record.id}`,
+							value: JSON.stringify(record),
+							expiresAt: new Date(record.expiresAt),
+						});
+					}
+				}
+
 				return ctx.json({
 					url: `${loginRequest.context}&RelayState=${encodeURIComponent(
 						body.callbackURL,
@@ -1092,7 +1125,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				"application/json",
 			],
 			metadata: {
-				isAction: false,
+				...HIDE_METADATA,
 				openapi: {
 					operationId: "handleSSOCallback",
 					summary: "Callback URL for SSO provider",
@@ -1461,7 +1494,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			method: "POST",
 			body: callbackSSOSAMLBodySchema,
 			metadata: {
-				isAction: false,
+				...HIDE_METADATA,
 				allowedMediaTypes: [
 					"application/x-www-form-urlencoded",
 					"application/json",
@@ -1603,31 +1636,12 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 
 			let parsedResponse: FlowResult;
 			try {
-				const decodedResponse = Buffer.from(SAMLResponse, "base64").toString(
-					"utf-8",
-				);
-
-				try {
-					parsedResponse = await sp.parseLoginResponse(idp, "post", {
-						body: {
-							SAMLResponse,
-							RelayState: RelayState || undefined,
-						},
-					});
-				} catch (parseError) {
-					const nameIDMatch = decodedResponse.match(
-						/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
-					);
-					if (!nameIDMatch) throw parseError;
-					parsedResponse = {
-						extract: {
-							nameID: nameIDMatch[1],
-							attributes: { nameID: nameIDMatch[1] },
-							sessionIndex: {},
-							conditions: {},
-						},
-					} as FlowResult;
-				}
+				parsedResponse = await sp.parseLoginResponse(idp, "post", {
+					body: {
+						SAMLResponse,
+						RelayState: RelayState || undefined,
+					},
+				});
 
 				if (!parsedResponse?.extract) {
 					throw new Error("Invalid SAML response structure");
@@ -1646,6 +1660,93 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			}
 
 			const { extract } = parsedResponse!;
+
+			const inResponseTo = (extract as any).inResponseTo as string | undefined;
+			const shouldValidateInResponseTo =
+				options?.saml?.authnRequestStore ||
+				options?.saml?.enableInResponseToValidation;
+
+			if (shouldValidateInResponseTo) {
+				const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+
+				if (inResponseTo) {
+					let storedRequest: AuthnRequestRecord | null = null;
+
+					if (options?.saml?.authnRequestStore) {
+						storedRequest =
+							await options.saml.authnRequestStore.get(inResponseTo);
+					} else {
+						const verification =
+							await ctx.context.internalAdapter.findVerificationValue(
+								`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
+							);
+						if (verification) {
+							try {
+								storedRequest = JSON.parse(
+									verification.value,
+								) as AuthnRequestRecord;
+							} catch {
+								storedRequest = null;
+							}
+						}
+					}
+
+					if (!storedRequest) {
+						ctx.context.logger.error(
+							"SAML InResponseTo validation failed: unknown or expired request ID",
+							{ inResponseTo, providerId: provider.providerId },
+						);
+						const redirectUrl =
+							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						throw ctx.redirect(
+							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
+						);
+					}
+
+					if (storedRequest.providerId !== provider.providerId) {
+						ctx.context.logger.error(
+							"SAML InResponseTo validation failed: provider mismatch",
+							{
+								inResponseTo,
+								expectedProvider: storedRequest.providerId,
+								actualProvider: provider.providerId,
+							},
+						);
+
+						if (options?.saml?.authnRequestStore) {
+							await options.saml.authnRequestStore.delete(inResponseTo);
+						} else {
+							await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+								`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
+							);
+						}
+						const redirectUrl =
+							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						throw ctx.redirect(
+							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
+						);
+					}
+
+					if (options?.saml?.authnRequestStore) {
+						await options.saml.authnRequestStore.delete(inResponseTo);
+					} else {
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
+						);
+					}
+				} else if (!allowIdpInitiated) {
+					ctx.context.logger.error(
+						"SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false",
+						{ providerId: provider.providerId },
+					);
+					const redirectUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(
+						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
+					);
+				}
+			}
+
 			const attributes = extract.attributes || {};
 			const mapping = parsedSamlConfig.mapping ?? {};
 
@@ -1831,7 +1932,7 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			params: acsEndpointParamsSchema,
 			body: acsEndpointBodySchema,
 			metadata: {
-				isAction: false,
+				...HIDE_METADATA,
 				allowedMediaTypes: [
 					"application/x-www-form-urlencoded",
 					"application/json",
@@ -1960,50 +2061,12 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			// Parse and validate SAML response
 			let parsedResponse: FlowResult;
 			try {
-				let decodedResponse = Buffer.from(SAMLResponse, "base64").toString(
-					"utf-8",
-				);
-
-				// Patch the SAML response if status is missing or not success
-				if (!decodedResponse.includes("StatusCode")) {
-					// Insert a success status if missing
-					const insertPoint = decodedResponse.indexOf("</saml2:Issuer>");
-					if (insertPoint !== -1) {
-						decodedResponse =
-							decodedResponse.slice(0, insertPoint + 14) +
-							'<saml2:Status><saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2:Status>' +
-							decodedResponse.slice(insertPoint + 14);
-					}
-				} else if (!decodedResponse.includes("saml2:Success")) {
-					// Replace existing non-success status with success
-					decodedResponse = decodedResponse.replace(
-						/<saml2:StatusCode Value="[^"]+"/,
-						'<saml2:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"',
-					);
-				}
-
-				try {
-					parsedResponse = await sp.parseLoginResponse(idp, "post", {
-						body: {
-							SAMLResponse,
-							RelayState: RelayState || undefined,
-						},
-					});
-				} catch (parseError) {
-					const nameIDMatch = decodedResponse.match(
-						/<saml2:NameID[^>]*>([^<]+)<\/saml2:NameID>/,
-					);
-					// due to different spec. we have to make sure to handle that.
-					if (!nameIDMatch) throw parseError;
-					parsedResponse = {
-						extract: {
-							nameID: nameIDMatch[1],
-							attributes: { nameID: nameIDMatch[1] },
-							sessionIndex: {},
-							conditions: {},
-						},
-					} as FlowResult;
-				}
+				parsedResponse = await sp.parseLoginResponse(idp, "post", {
+					body: {
+						SAMLResponse,
+						RelayState: RelayState || undefined,
+					},
+				});
 
 				if (!parsedResponse?.extract) {
 					throw new Error("Invalid SAML response structure");
@@ -2022,6 +2085,94 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			const { extract } = parsedResponse!;
+
+			const inResponseToAcs = (extract as any).inResponseTo as
+				| string
+				| undefined;
+			const shouldValidateInResponseToAcs =
+				options?.saml?.authnRequestStore ||
+				options?.saml?.enableInResponseToValidation;
+
+			if (shouldValidateInResponseToAcs) {
+				const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
+
+				if (inResponseToAcs) {
+					let storedRequest: AuthnRequestRecord | null = null;
+
+					if (options?.saml?.authnRequestStore) {
+						storedRequest =
+							await options.saml.authnRequestStore.get(inResponseToAcs);
+					} else {
+						const verification =
+							await ctx.context.internalAdapter.findVerificationValue(
+								`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`,
+							);
+						if (verification) {
+							try {
+								storedRequest = JSON.parse(
+									verification.value,
+								) as AuthnRequestRecord;
+							} catch {
+								storedRequest = null;
+							}
+						}
+					}
+
+					if (!storedRequest) {
+						ctx.context.logger.error(
+							"SAML InResponseTo validation failed: unknown or expired request ID",
+							{ inResponseTo: inResponseToAcs, providerId },
+						);
+						const redirectUrl =
+							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						throw ctx.redirect(
+							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
+						);
+					}
+
+					if (storedRequest.providerId !== providerId) {
+						ctx.context.logger.error(
+							"SAML InResponseTo validation failed: provider mismatch",
+							{
+								inResponseTo: inResponseToAcs,
+								expectedProvider: storedRequest.providerId,
+								actualProvider: providerId,
+							},
+						);
+						if (options?.saml?.authnRequestStore) {
+							await options.saml.authnRequestStore.delete(inResponseToAcs);
+						} else {
+							await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+								`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`,
+							);
+						}
+						const redirectUrl =
+							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						throw ctx.redirect(
+							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
+						);
+					}
+
+					if (options?.saml?.authnRequestStore) {
+						await options.saml.authnRequestStore.delete(inResponseToAcs);
+					} else {
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(
+							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseToAcs}`,
+						);
+					}
+				} else if (!allowIdpInitiated) {
+					ctx.context.logger.error(
+						"SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false",
+						{ providerId },
+					);
+					const redirectUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(
+						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
+					);
+				}
+			}
+
 			const attributes = extract.attributes || {};
 			const mapping = parsedSamlConfig.mapping ?? {};