@better-auth/sso 1.4.7-beta.2 → 1.4.7-beta.4

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.7-beta.2",
+  "version": "1.4.7-beta.4",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -52,7 +52,7 @@
     }
   },
   "dependencies": {
-    "@better-fetch/fetch": "1.1.18",
+    "@better-fetch/fetch": "1.1.21",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
     "samlify": "^2.10.1",
@@ -66,10 +66,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.7-beta.2"
+    "better-auth": "1.4.7-beta.4"
   },
   "peerDependencies": {
-    "better-auth": "1.4.7-beta.2"
+    "better-auth": "1.4.7-beta.4"
   },
   "scripts": {
     "test": "vitest",

package/src/authn-request-store.ts

@@ -0,0 +1,76 @@
+/**
+ * AuthnRequest Store
+ *
+ * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
+ * This prevents:
+ * - Unsolicited SAML responses
+ * - Cross-provider response injection
+ * - Replay attacks
+ * - Expired login completions
+ */
+
+export interface AuthnRequestRecord {
+	id: string;
+	providerId: string;
+	createdAt: number;
+	expiresAt: number;
+}
+
+export interface AuthnRequestStore {
+	save(record: AuthnRequestRecord): Promise<void>;
+	get(id: string): Promise<AuthnRequestRecord | null>;
+	delete(id: string): Promise<void>;
+}
+
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * In-memory implementation of AuthnRequestStore.
+ * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+ * For production, rely on the default behavior (uses verification table)
+ * or provide a custom Redis-backed store.
+ */
+export function createInMemoryAuthnRequestStore(): AuthnRequestStore {
+	const store = new Map<string, AuthnRequestRecord>();
+
+	const cleanup = () => {
+		const now = Date.now();
+		for (const [id, record] of store.entries()) {
+			if (record.expiresAt < now) {
+				store.delete(id);
+			}
+		}
+	};
+
+	const cleanupInterval = setInterval(cleanup, 60 * 1000);
+
+	if (typeof cleanupInterval.unref === "function") {
+		cleanupInterval.unref();
+	}
+
+	return {
+		async save(record: AuthnRequestRecord): Promise<void> {
+			store.set(record.id, record);
+		},
+
+		async get(id: string): Promise<AuthnRequestRecord | null> {
+			const record = store.get(id);
+			if (!record) {
+				return null;
+			}
+			if (record.expiresAt < Date.now()) {
+				store.delete(id);
+				return null;
+			}
+			return record;
+		},
+
+		async delete(id: string): Promise<void> {
+			store.delete(id);
+		},
+	};
+}

package/src/authn-request.test.ts

@@ -0,0 +1,99 @@
+import { describe, expect, it } from "vitest";
+import {
+	createInMemoryAuthnRequestStore,
+	DEFAULT_AUTHN_REQUEST_TTL_MS,
+} from "./authn-request-store";
+
+describe("AuthnRequest Store", () => {
+	describe("In-Memory Store", () => {
+		it("should save and retrieve an AuthnRequest record", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_test-request-id-1",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record);
+			const retrieved = await store.get(record.id);
+
+			expect(retrieved).toEqual(record);
+		});
+
+		it("should return null for non-existent request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const retrieved = await store.get("_non-existent-id");
+
+			expect(retrieved).toBeNull();
+		});
+
+		it("should return null for expired request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_expired-request-id",
+				providerId: "saml-provider-1",
+				createdAt: Date.now() - 10000,
+				expiresAt: Date.now() - 1000, // Already expired
+			};
+
+			await store.save(record);
+			const retrieved = await store.get(record.id);
+
+			expect(retrieved).toBeNull();
+		});
+
+		it("should delete a request ID", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record = {
+				id: "_delete-me",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record);
+			await store.delete(record.id);
+
+			const retrieved = await store.get(record.id);
+			expect(retrieved).toBeNull();
+		});
+
+		it("should handle multiple providers with different request IDs", async () => {
+			const store = createInMemoryAuthnRequestStore();
+
+			const record1 = {
+				id: "_request-provider-1",
+				providerId: "saml-provider-1",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			const record2 = {
+				id: "_request-provider-2",
+				providerId: "saml-provider-2",
+				createdAt: Date.now(),
+				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
+			};
+
+			await store.save(record1);
+			await store.save(record2);
+
+			const retrieved1 = await store.get(record1.id);
+			const retrieved2 = await store.get(record2.id);
+
+			expect(retrieved1?.providerId).toBe("saml-provider-1");
+			expect(retrieved2?.providerId).toBe("saml-provider-2");
+		});
+	});
+
+	describe("DEFAULT_AUTHN_REQUEST_TTL_MS", () => {
+		it("should be 5 minutes in milliseconds", () => {
+			expect(DEFAULT_AUTHN_REQUEST_TTL_MS).toBe(5 * 60 * 1000);
+		});
+	});
+});

package/src/index.ts

@@ -1,6 +1,14 @@
 import type { BetterAuthPlugin } from "better-auth";
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
+import type {
+	AuthnRequestRecord,
+	AuthnRequestStore,
+} from "./authn-request-store";
+import {
+	createInMemoryAuthnRequestStore,
+	DEFAULT_AUTHN_REQUEST_TTL_MS,
+} from "./authn-request-store";
 import {
 	requestDomainVerification,
 	verifyDomain,
@@ -13,9 +21,38 @@ import {
 	signInSSO,
 	spMetadata,
 } from "./routes/sso";
+
+export {
+	DEFAULT_CLOCK_SKEW_MS,
+	type SAMLConditions,
+	type TimestampValidationOptions,
+	validateSAMLTimestamp,
+} from "./routes/sso";
+
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
 export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
+export type { AuthnRequestStore, AuthnRequestRecord };
+export { createInMemoryAuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS };
+
+export {
+	computeDiscoveryUrl,
+	type DiscoverOIDCConfigParams,
+	DiscoveryError,
+	type DiscoveryErrorCode,
+	discoverOIDCConfig,
+	fetchDiscoveryDocument,
+	type HydratedOIDCConfig,
+	needsRuntimeDiscovery,
+	normalizeDiscoveryUrls,
+	normalizeUrl,
+	type OIDCDiscoveryDocument,
+	REQUIRED_DISCOVERY_FIELDS,
+	type RequiredDiscoveryField,
+	selectTokenEndpointAuthMethod,
+	validateDiscoveryDocument,
+	validateDiscoveryUrl,
+} from "./oidc";
 
 const fastValidator = {
 	async validate(xml: string) {
@@ -71,19 +108,21 @@ export function sso<O extends SSOOptions>(
 };
 
 export function sso<O extends SSOOptions>(options?: O | undefined): any {
+	const optionsWithStore = options as O;
+
 	let endpoints = {
 		spMetadata: spMetadata(),
-		registerSSOProvider: registerSSOProvider(options as O),
-		signInSSO: signInSSO(options as O),
-		callbackSSO: callbackSSO(options as O),
-		callbackSSOSAML: callbackSSOSAML(options as O),
-		acsEndpoint: acsEndpoint(options as O),
+		registerSSOProvider: registerSSOProvider(optionsWithStore),
+		signInSSO: signInSSO(optionsWithStore),
+		callbackSSO: callbackSSO(optionsWithStore),
+		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
+		acsEndpoint: acsEndpoint(optionsWithStore),
 	};
 
 	if (options?.domainVerification?.enabled) {
 		const domainVerificationEndpoints = {
-			requestDomainVerification: requestDomainVerification(options as O),
-			verifyDomain: verifyDomain(options as O),
+			requestDomainVerification: requestDomainVerification(optionsWithStore),
+			verifyDomain: verifyDomain(optionsWithStore),
 		};
 
 		endpoints = {