@better-auth/sso 1.4.7-beta.3 → 1.4.7

package/src/oidc/types.ts

@@ -0,0 +1,219 @@
+/**
+ * OIDC Discovery Types
+ *
+ * Types for the OIDC discovery document and hydrated configuration.
+ * Based on OpenID Connect Discovery 1.0 specification.
+ *
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html
+ */
+
+/**
+ * Raw OIDC Discovery Document as returned by the IdP's
+ * .well-known/openid-configuration endpoint.
+ *
+ * Required fields for Better Auth's OIDC support:
+ * - issuer
+ * - authorization_endpoint
+ * - token_endpoint
+ * - jwks_uri (required for ID token validation)
+ *
+ */
+export interface OIDCDiscoveryDocument {
+	/** REQUIRED. URL using the https scheme that the OP asserts as its Issuer Identifier. */
+	issuer: string;
+
+	/** REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint. */
+	authorization_endpoint: string;
+
+	/**
+	 * REQUIRED (spec says "unless only implicit flow is used").
+	 * URL of the OP's OAuth 2.0 Token Endpoint.
+	 * We only support authorization code flow.
+	 */
+	token_endpoint: string;
+
+	/** REQUIRED. URL of the OP's JSON Web Key Set document for ID token validation. */
+	jwks_uri: string;
+
+	/** RECOMMENDED. URL of the OP's UserInfo Endpoint. */
+	userinfo_endpoint?: string;
+
+	/**
+	 * OPTIONAL. JSON array containing a list of Client Authentication methods
+	 * supported by this Token Endpoint.
+	 * Default: ["client_secret_basic"]
+	 */
+	token_endpoint_auth_methods_supported?: string[];
+
+	/** OPTIONAL. JSON array containing a list of the OAuth 2.0 scope values that this server supports. */
+	scopes_supported?: string[];
+
+	/** OPTIONAL. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. */
+	response_types_supported?: string[];
+
+	/** OPTIONAL. JSON array containing a list of the Subject Identifier types that this OP supports. */
+	subject_types_supported?: string[];
+
+	/** OPTIONAL. JSON array containing a list of the JWS signing algorithms supported by the OP. */
+	id_token_signing_alg_values_supported?: string[];
+
+	/** OPTIONAL. JSON array containing a list of the claim names that the OP may supply values for. */
+	claims_supported?: string[];
+
+	/** OPTIONAL. URL of a page containing human-readable information about the OP. */
+	service_documentation?: string;
+
+	/** OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter. */
+	claims_parameter_supported?: boolean;
+
+	/** OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter. */
+	request_parameter_supported?: boolean;
+
+	/** OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter. */
+	request_uri_parameter_supported?: boolean;
+
+	/** OPTIONAL. Boolean value specifying whether the OP requires any request_uri values to be pre-registered. */
+	require_request_uri_registration?: boolean;
+
+	/** OPTIONAL. URL of the OP's end session endpoint. */
+	end_session_endpoint?: string;
+
+	/** OPTIONAL. URL of the OP's revocation endpoint. */
+	revocation_endpoint?: string;
+
+	/** OPTIONAL. URL of the OP's introspection endpoint. */
+	introspection_endpoint?: string;
+
+	/** OPTIONAL. JSON array of PKCE code challenge methods supported (e.g., "S256", "plain"). */
+	code_challenge_methods_supported?: string[];
+
+	/** Allow additional fields from the discovery document */
+	[key: string]: unknown;
+}
+
+/**
+ * Error codes for OIDC discovery operations.
+ */
+export type DiscoveryErrorCode =
+	/** Request to discovery endpoint timed out */
+	| "discovery_timeout"
+	/** Discovery endpoint returned 404 or similar */
+	| "discovery_not_found"
+	/** Discovery endpoint returned invalid JSON */
+	| "discovery_invalid_json"
+	/** Discovery URL is invalid or malformed */
+	| "discovery_invalid_url"
+	/** Discovery URL is not trusted by the trusted origins configuration */
+	| "discovery_untrusted_origin"
+	/** Discovery document issuer doesn't match configured issuer */
+	| "issuer_mismatch"
+	/** Discovery document is missing required fields */
+	| "discovery_incomplete"
+	/** IdP only advertises token auth methods that Better Auth doesn't currently support */
+	| "unsupported_token_auth_method"
+	/** Catch-all for unexpected errors */
+	| "discovery_unexpected_error";
+
+/**
+ * Custom error class for OIDC discovery failures.
+ * Can be caught and mapped to APIError at the edge.
+ */
+export class DiscoveryError extends Error {
+	public readonly code: DiscoveryErrorCode;
+	public readonly details?: Record<string, unknown>;
+
+	constructor(
+		code: DiscoveryErrorCode,
+		message: string,
+		details?: Record<string, unknown>,
+		options?: { cause?: unknown },
+	) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+
+		// Maintains proper stack trace for where the error was thrown
+		if (Error.captureStackTrace) {
+			Error.captureStackTrace(this, DiscoveryError);
+		}
+	}
+}
+
+/**
+ * Hydrated OIDC configuration after discovery.
+ * This is the normalized shape that gets persisted to the database
+ * or merged into provider config at runtime.
+ *
+ * Field names are camelCase to match Better Auth conventions.
+ */
+export interface HydratedOIDCConfig {
+	/** The issuer URL (validated to match configured issuer) */
+	issuer: string;
+
+	/** The discovery endpoint URL */
+	discoveryEndpoint: string;
+
+	/** URL of the authorization endpoint */
+	authorizationEndpoint: string;
+
+	/** URL of the token endpoint */
+	tokenEndpoint: string;
+
+	/** URL of the JWKS endpoint */
+	jwksEndpoint: string;
+
+	/** URL of the userinfo endpoint (optional) */
+	userInfoEndpoint?: string;
+
+	/** Token endpoint authentication method */
+	tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
+
+	/** Scopes supported by the IdP */
+	scopesSupported?: string[];
+}
+
+/**
+ * Parameters for the discoverOIDCConfig function.
+ */
+export interface DiscoverOIDCConfigParams {
+	/** The issuer URL to discover configuration from */
+	issuer: string;
+
+	/**
+	 * Optional existing configuration.
+	 * Values provided here will override discovered values.
+	 */
+	existingConfig?: Partial<HydratedOIDCConfig>;
+
+	/**
+	 * Optional custom discovery endpoint URL.
+	 * If not provided, defaults to <issuer>/.well-known/openid-configuration
+	 */
+	discoveryEndpoint?: string;
+
+	/**
+	 * Optional timeout in milliseconds for the discovery request.
+	 * @default 10000 (10 seconds)
+	 */
+	timeout?: number;
+
+	/**
+	 * Trusted origin predicate. See "trustedOrigins" option
+	 * @param url the url to test
+	 * @returns {boolean} return true for urls that belong to a trusted origin and false otherwise
+	 */
+	isTrustedOrigin: (url: string) => boolean;
+}
+
+/**
+ * Required fields that must be present in a valid discovery document.
+ */
+export const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri",
+] as const;
+
+export type RequiredDiscoveryField = (typeof REQUIRED_DISCOVERY_FIELDS)[number];

package/src/oidc.test.ts

@@ -12,6 +12,7 @@ let server = new OAuth2Server();
 describe("SSO", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso(), organization()],
 		});
 
@@ -257,6 +258,7 @@ describe("SSO", async () => {
 describe("SSO disable implicit sign in", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso({ disableImplicitSignUp: true }), organization()],
 		});
 
@@ -419,6 +421,7 @@ describe("SSO disable implicit sign in", async () => {
 describe("provisioning", async (ctx) => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso(), organization()],
 		});
 
@@ -571,167 +574,3 @@ describe("provisioning", async (ctx) => {
 		expect(res.url).toContain("http://localhost:8080/authorize");
 	});
 });
-
-describe("OIDC account linking with domainVerified", async () => {
-	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
-		await getTestInstance({
-			account: {
-				accountLinking: {
-					enabled: true,
-					trustedProviders: [],
-				},
-			},
-			plugins: [
-				sso({
-					domainVerification: {
-						enabled: true,
-					},
-				}),
-			],
-		});
-
-	const authClient = createAuthClient({
-		plugins: [ssoClient()],
-		baseURL: "http://localhost:3000",
-		fetchOptions: {
-			customFetchImpl,
-		},
-	});
-
-	beforeAll(async () => {
-		await server.issuer.keys.generate("RS256");
-		await server.start(8080, "localhost");
-	});
-
-	afterAll(async () => {
-		await server.stop().catch(() => {});
-	});
-
-	async function simulateOAuthFlow(authUrl: string, headers: Headers) {
-		let location: string | null = null;
-		await betterFetch(authUrl, {
-			method: "GET",
-			redirect: "manual",
-			onError(context) {
-				location = context.response.headers.get("location");
-			},
-		});
-
-		if (!location) throw new Error("No redirect location found");
-
-		let callbackURL = "";
-		const newHeaders = new Headers();
-		await betterFetch(location, {
-			method: "GET",
-			customFetchImpl,
-			headers,
-			onError(context) {
-				callbackURL = context.response.headers.get("location") || "";
-				cookieSetter(newHeaders)(context);
-			},
-		});
-
-		return { callbackURL, headers: newHeaders };
-	}
-
-	it("should allow account linking when domain is verified and email domain matches", async () => {
-		const testEmail = "linking-test@verified-oidc.com";
-		const testDomain = "verified-oidc.com";
-
-		server.service.on("beforeTokenSigning", (token) => {
-			token.payload.email = testEmail;
-			token.payload.email_verified = false;
-			token.payload.name = "Domain Verified User";
-			token.payload.sub = "oidc-domain-verified-user";
-		});
-
-		const { headers } = await signInWithTestUser();
-
-		const provider = await auth.api.registerSSOProvider({
-			body: {
-				providerId: "domain-verified-oidc",
-				issuer: server.issuer.url!,
-				domain: testDomain,
-				oidcConfig: {
-					clientId: "test",
-					clientSecret: "test",
-					authorizationEndpoint: `${server.issuer.url}/authorize`,
-					tokenEndpoint: `${server.issuer.url}/token`,
-					jwksEndpoint: `${server.issuer.url}/jwks`,
-					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
-					mapping: {
-						id: "sub",
-						email: "email",
-						emailVerified: "email_verified",
-						name: "name",
-					},
-				},
-			},
-			headers,
-		});
-
-		expect(provider.domainVerified).toBe(false);
-
-		const ctx = await auth.$context;
-		await ctx.adapter.update({
-			model: "ssoProvider",
-			where: [{ field: "providerId", value: provider.providerId }],
-			update: {
-				domainVerified: true,
-			},
-		});
-
-		const updatedProvider = await ctx.adapter.findOne<{
-			domainVerified: boolean;
-			domain: string;
-		}>({
-			model: "ssoProvider",
-			where: [{ field: "providerId", value: provider.providerId }],
-		});
-		expect(updatedProvider?.domainVerified).toBe(true);
-
-		await ctx.adapter.create({
-			model: "user",
-			data: {
-				id: "existing-oidc-domain-user",
-				email: testEmail,
-				name: "Existing User",
-				emailVerified: true,
-				createdAt: new Date(),
-				updatedAt: new Date(),
-			},
-			forceAllowId: true,
-		});
-
-		const newHeaders = new Headers();
-		const res = await authClient.signIn.sso({
-			providerId: "domain-verified-oidc",
-			callbackURL: "/dashboard",
-			fetchOptions: {
-				throw: true,
-				onSuccess: cookieSetter(newHeaders),
-			},
-		});
-
-		expect(res.url).toContain("http://localhost:8080/authorize");
-
-		const { callbackURL } = await simulateOAuthFlow(res.url, newHeaders);
-
-		expect(callbackURL).toContain("/dashboard");
-		expect(callbackURL).not.toContain("error");
-
-		const accounts = await ctx.adapter.findMany<{
-			providerId: string;
-			accountId: string;
-			userId: string;
-		}>({
-			model: "account",
-			where: [{ field: "userId", value: "existing-oidc-domain-user" }],
-		});
-		const linkedAccount = accounts.find(
-			(a) => a.providerId === "domain-verified-oidc",
-		);
-		expect(linkedAccount).toBeTruthy();
-		expect(linkedAccount?.accountId).toBe("oidc-domain-verified-user");
-	});
-});

package/src/routes/sso.ts

@@ -24,11 +24,98 @@ import type { FlowResult } from "samlify/types/src/flow";
 import * as z from "zod/v4";
 import type { AuthnRequestRecord } from "../authn-request-store";
 import { DEFAULT_AUTHN_REQUEST_TTL_MS } from "../authn-request-store";
+import type { HydratedOIDCConfig } from "../oidc";
+import {
+	DiscoveryError,
+	discoverOIDCConfig,
+	mapDiscoveryErrorToAPIError,
+} from "../oidc";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
 
 import { safeJsonParse, validateEmailDomain } from "../utils";
 
 const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+
+/** Default clock skew tolerance: 5 minutes */
+export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;
+
+export interface TimestampValidationOptions {
+	clockSkew?: number;
+	requireTimestamps?: boolean;
+	logger?: {
+		warn: (message: string, data?: Record<string, unknown>) => void;
+	};
+}
+
+/** Conditions extracted from SAML assertion */
+export interface SAMLConditions {
+	notBefore?: string;
+	notOnOrAfter?: string;
+}
+
+/**
+ * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+ * Prevents acceptance of expired or future-dated assertions.
+ * @throws {APIError} If timestamps are invalid, expired, or not yet valid
+ */
+export function validateSAMLTimestamp(
+	conditions: SAMLConditions | undefined,
+	options: TimestampValidationOptions = {},
+): void {
+	const clockSkew = options.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+	const hasTimestamps = conditions?.notBefore || conditions?.notOnOrAfter;
+
+	if (!hasTimestamps) {
+		if (options.requireTimestamps) {
+			throw new APIError("BAD_REQUEST", {
+				message: "SAML assertion missing required timestamp conditions",
+				details:
+					"Assertions must include NotBefore and/or NotOnOrAfter conditions",
+			});
+		}
+		// Log warning for missing timestamps when not required
+		options.logger?.warn(
+			"SAML assertion accepted without timestamp conditions",
+			{ hasConditions: !!conditions },
+		);
+		return;
+	}
+
+	const now = Date.now();
+
+	if (conditions?.notBefore) {
+		const notBeforeTime = new Date(conditions.notBefore).getTime();
+		if (Number.isNaN(notBeforeTime)) {
+			throw new APIError("BAD_REQUEST", {
+				message: "SAML assertion has invalid NotBefore timestamp",
+				details: `Unable to parse NotBefore value: ${conditions.notBefore}`,
+			});
+		}
+		if (now < notBeforeTime - clockSkew) {
+			throw new APIError("BAD_REQUEST", {
+				message: "SAML assertion is not yet valid",
+				details: `Current time is before NotBefore (with ${clockSkew}ms clock skew tolerance)`,
+			});
+		}
+	}
+
+	if (conditions?.notOnOrAfter) {
+		const notOnOrAfterTime = new Date(conditions.notOnOrAfter).getTime();
+		if (Number.isNaN(notOnOrAfterTime)) {
+			throw new APIError("BAD_REQUEST", {
+				message: "SAML assertion has invalid NotOnOrAfter timestamp",
+				details: `Unable to parse NotOnOrAfter value: ${conditions.notOnOrAfter}`,
+			});
+		}
+		if (now > notOnOrAfterTime + clockSkew) {
+			throw new APIError("BAD_REQUEST", {
+				message: "SAML assertion has expired",
+				details: `Current time is after NotOnOrAfter (with ${clockSkew}ms clock skew tolerance)`,
+			});
+		}
+	}
+}
+
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml"),
@@ -154,6 +241,13 @@ const ssoProviderBodySchema = z.object({
 				})
 				.optional(),
 			discoveryEndpoint: z.string().optional(),
+			skipDiscovery: z
+				.boolean()
+				.meta({
+					description:
+						"Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually.",
+				})
+				.optional(),
 			scopes: z
 				.array(z.string(), {})
 				.meta({
@@ -573,6 +667,81 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				});
 			}
 
+			let hydratedOIDCConfig: HydratedOIDCConfig | null = null;
+			if (body.oidcConfig && !body.oidcConfig.skipDiscovery) {
+				try {
+					hydratedOIDCConfig = await discoverOIDCConfig({
+						issuer: body.issuer,
+						existingConfig: {
+							discoveryEndpoint: body.oidcConfig.discoveryEndpoint,
+							authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
+							tokenEndpoint: body.oidcConfig.tokenEndpoint,
+							jwksEndpoint: body.oidcConfig.jwksEndpoint,
+							userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
+							tokenEndpointAuthentication:
+								body.oidcConfig.tokenEndpointAuthentication,
+						},
+						isTrustedOrigin: ctx.context.isTrustedOrigin,
+					});
+				} catch (error) {
+					if (error instanceof DiscoveryError) {
+						throw mapDiscoveryErrorToAPIError(error);
+					}
+					throw error;
+				}
+			}
+
+			const buildOIDCConfig = () => {
+				if (!body.oidcConfig) return null;
+
+				if (body.oidcConfig.skipDiscovery) {
+					return JSON.stringify({
+						issuer: body.issuer,
+						clientId: body.oidcConfig.clientId,
+						clientSecret: body.oidcConfig.clientSecret,
+						authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
+						tokenEndpoint: body.oidcConfig.tokenEndpoint,
+						tokenEndpointAuthentication:
+							body.oidcConfig.tokenEndpointAuthentication ||
+							"client_secret_basic",
+						jwksEndpoint: body.oidcConfig.jwksEndpoint,
+						pkce: body.oidcConfig.pkce,
+						discoveryEndpoint:
+							body.oidcConfig.discoveryEndpoint ||
+							`${body.issuer}/.well-known/openid-configuration`,
+						mapping: body.oidcConfig.mapping,
+						scopes: body.oidcConfig.scopes,
+						userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
+						overrideUserInfo:
+							ctx.body.overrideUserInfo ||
+							options?.defaultOverrideUserInfo ||
+							false,
+					});
+				}
+
+				if (!hydratedOIDCConfig) return null;
+
+				return JSON.stringify({
+					issuer: hydratedOIDCConfig.issuer,
+					clientId: body.oidcConfig.clientId,
+					clientSecret: body.oidcConfig.clientSecret,
+					authorizationEndpoint: hydratedOIDCConfig.authorizationEndpoint,
+					tokenEndpoint: hydratedOIDCConfig.tokenEndpoint,
+					tokenEndpointAuthentication:
+						hydratedOIDCConfig.tokenEndpointAuthentication,
+					jwksEndpoint: hydratedOIDCConfig.jwksEndpoint,
+					pkce: body.oidcConfig.pkce,
+					discoveryEndpoint: hydratedOIDCConfig.discoveryEndpoint,
+					mapping: body.oidcConfig.mapping,
+					scopes: body.oidcConfig.scopes,
+					userInfoEndpoint: hydratedOIDCConfig.userInfoEndpoint,
+					overrideUserInfo:
+						ctx.body.overrideUserInfo ||
+						options?.defaultOverrideUserInfo ||
+						false,
+				});
+			};
+
 			const provider = await ctx.context.adapter.create<
 				Record<string, any>,
 				SSOProvider<O>
@@ -582,29 +751,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 					issuer: body.issuer,
 					domain: body.domain,
 					domainVerified: false,
-					oidcConfig: body.oidcConfig
-						? JSON.stringify({
-								issuer: body.issuer,
-								clientId: body.oidcConfig.clientId,
-								clientSecret: body.oidcConfig.clientSecret,
-								authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
-								tokenEndpoint: body.oidcConfig.tokenEndpoint,
-								tokenEndpointAuthentication:
-									body.oidcConfig.tokenEndpointAuthentication,
-								jwksEndpoint: body.oidcConfig.jwksEndpoint,
-								pkce: body.oidcConfig.pkce,
-								discoveryEndpoint:
-									body.oidcConfig.discoveryEndpoint ||
-									`${body.issuer}/.well-known/openid-configuration`,
-								mapping: body.oidcConfig.mapping,
-								scopes: body.oidcConfig.scopes,
-								userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
-								overrideUserInfo:
-									ctx.body.overrideUserInfo ||
-									options?.defaultOverrideUserInfo ||
-									false,
-							})
-						: null,
+					oidcConfig: buildOIDCConfig(),
 					samlConfig: body.samlConfig
 						? JSON.stringify({
 								issuer: body.issuer,
@@ -1661,6 +1808,12 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 
 			const { extract } = parsedResponse!;
 
+			validateSAMLTimestamp((extract as any).conditions, {
+				clockSkew: options?.saml?.clockSkew,
+				requireTimestamps: options?.saml?.requireTimestamps,
+				logger: ctx.context.logger,
+			});
+
 			const inResponseTo = (extract as any).inResponseTo as string | undefined;
 			const shouldValidateInResponseTo =
 				options?.saml?.authnRequestStore ||
@@ -1685,6 +1838,13 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 								storedRequest = JSON.parse(
 									verification.value,
 								) as AuthnRequestRecord;
+								// Validate expiration for database-stored records
+								// Note: Cleanup of expired records is handled automatically by
+								// findVerificationValue, but we still need to check expiration
+								// since the record is returned before cleanup runs
+								if (storedRequest && storedRequest.expiresAt < Date.now()) {
+									storedRequest = null;
+								}
 							} catch {
 								storedRequest = null;
 							}
@@ -2086,6 +2246,12 @@ export const acsEndpoint = (options?: SSOOptions) => {
 
 			const { extract } = parsedResponse!;
 
+			validateSAMLTimestamp((extract as any).conditions, {
+				clockSkew: options?.saml?.clockSkew,
+				requireTimestamps: options?.saml?.requireTimestamps,
+				logger: ctx.context.logger,
+			});
+
 			const inResponseToAcs = (extract as any).inResponseTo as
 				| string
 				| undefined;
@@ -2112,6 +2278,9 @@ export const acsEndpoint = (options?: SSOOptions) => {
 								storedRequest = JSON.parse(
 									verification.value,
 								) as AuthnRequestRecord;
+								if (storedRequest && storedRequest.expiresAt < Date.now()) {
+									storedRequest = null;
+								}
 							} catch {
 								storedRequest = null;
 							}