npm - @better-auth/sso - Versions diffs - 1.4.7 → 1.4.8-beta.1 - Mend

@better-auth/sso 1.4.7 → 1.4.8-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/.turbo/turbo-build.log +6 -6
package/dist/client.d.mts +1 -1
package/dist/{index-B9WMxRdD.d.mts → index-DNWhGQW-.d.mts} +81 -69
package/dist/index.d.mts +2 -2
package/dist/index.mjs +462 -264
package/package.json +3 -3
package/src/constants.ts +42 -0
package/src/domain-verification.test.ts +1 -0
package/src/index.ts +38 -11
package/src/linking/index.ts +2 -0
package/src/linking/org-assignment.ts +158 -0
package/src/linking/types.ts +10 -0
package/src/routes/sso.ts +338 -332
package/src/saml/algorithms.test.ts +205 -0
package/src/saml/algorithms.ts +259 -0
package/src/saml/index.ts +9 -0
package/src/saml.test.ts +350 -127
package/src/types.ts +24 -16
package/src/authn-request-store.ts +0 -76
package/src/authn-request.test.ts +0 -99

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @better-auth/sso@1.4.7 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.8-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 [34mℹ[39m tsdown [2mv0.17.2[22m powered by rolldown [2mv1.0.0-beta.53[22m
@@ -7,10 +7,10 @@
 [34mℹ[39m entry: [34msrc/index.ts, src/client.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m83.77 kB[22m [2m│ gzip: 15.84 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m92.44 kB[22m [2m│ gzip: 18.07 kB[22m
 [34mℹ[39m [2mdist/[22m[1mclient.mjs[22m            [2m 0.15 kB[22m [2m│ gzip:  0.14 kB[22m
-[34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 1.44 kB[22m [2m│ gzip:  0.52 kB[22m
+[34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 1.48 kB[22m [2m│ gzip:  0.51 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m 0.49 kB[22m [2m│ gzip:  0.30 kB[22m
-[34mℹ[39m [2mdist/[22m[32mindex-B9WMxRdD.d.mts[39m  [2m41.59 kB[22m [2m│ gzip:  8.59 kB[22m
-[34mℹ[39m 5 files, total: 127.44 kB
-[32m✔[39m Build complete in [32m12101ms[39m
+[34mℹ[39m [2mdist/[22m[32mindex-DNWhGQW-.d.mts[39m  [2m42.86 kB[22m [2m│ gzip:  8.79 kB[22m
+[34mℹ[39m 5 files, total: 137.41 kB
+[32m✔[39m Build complete in [32m12113ms[39m

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-B9WMxRdD.mjs";
+import { t as SSOPlugin } from "./index-DNWhGQW-.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-B9WMxRdD.d.mts → index-DNWhGQW-.d.mts} RENAMED Viewed

@@ -1,43 +1,47 @@
 import { APIError } from "better-auth/api";
-import * as z from "zod/v4";
-import { OAuth2Tokens, User } from "better-auth";
-import * as better_call7 from "better-call";
+import * as z$1 from "zod/v4";
+import z from "zod/v4";
+import { Awaitable, OAuth2Tokens, User } from "better-auth";
+import * as better_call0 from "better-call";
-//#region src/authn-request-store.d.ts
-/**
- * AuthnRequest Store
- *
- * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
- * This prevents:
- * - Unsolicited SAML responses
- * - Cross-provider response injection
- * - Replay attacks
- * - Expired login completions
- */
-interface AuthnRequestRecord {
-  id: string;
-  providerId: string;
-  createdAt: number;
-  expiresAt: number;
-}
-interface AuthnRequestStore {
-  save(record: AuthnRequestRecord): Promise<void>;
-  get(id: string): Promise<AuthnRequestRecord | null>;
-  delete(id: string): Promise<void>;
+//#region src/saml/algorithms.d.ts
+declare const SignatureAlgorithm: {
+  readonly RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+  readonly RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+  readonly RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
+  readonly RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
+  readonly ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+  readonly ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
+  readonly ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";
+};
+declare const DigestAlgorithm: {
+  readonly SHA1: "http://www.w3.org/2000/09/xmldsig#sha1";
+  readonly SHA256: "http://www.w3.org/2001/04/xmlenc#sha256";
+  readonly SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384";
+  readonly SHA512: "http://www.w3.org/2001/04/xmlenc#sha512";
+};
+declare const KeyEncryptionAlgorithm: {
+  readonly RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
+  readonly RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
+  readonly RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep";
+};
+declare const DataEncryptionAlgorithm: {
+  readonly TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
+  readonly AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
+  readonly AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
+  readonly AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
+  readonly AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm";
+  readonly AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm";
+  readonly AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm";
+};
+type DeprecatedAlgorithmBehavior = "reject" | "warn" | "allow";
+interface AlgorithmValidationOptions {
+  onDeprecated?: DeprecatedAlgorithmBehavior;
+  allowedSignatureAlgorithms?: string[];
+  allowedDigestAlgorithms?: string[];
+  allowedKeyEncryptionAlgorithms?: string[];
+  allowedDataEncryptionAlgorithms?: string[];
 }
-/**
- * Default TTL for AuthnRequest records (5 minutes).
- * This should be sufficient for most IdPs while protecting against stale requests.
- */
-declare const DEFAULT_AUTHN_REQUEST_TTL_MS: number;
-/**
- * In-memory implementation of AuthnRequestStore.
- * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
- * For production, rely on the default behavior (uses verification table)
- * or provide a custom Redis-backed store.
- */
-declare function createInMemoryAuthnRequestStore(): AuthnRequestStore;
 //#endregion
 //#region src/types.d.ts
 interface OIDCMapping {
@@ -148,7 +152,7 @@ interface SSOOptions {
      * The SSO provider
      */
     provider: SSOProvider<SSOOptions>;
-  }) => Promise<void>) | undefined;
+  }) => Awaitable<void>) | undefined;
   /**
    * Organization provisioning options
    */
@@ -244,7 +248,7 @@ interface SSOOptions {
    * ```
    * @default 10
    */
-  providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
+  providersLimit?: (number | ((user: User) => Awaitable<number>)) | undefined;
   /**
    * Trust the email verified flag from the provider.
    *
@@ -253,7 +257,13 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
+   *
    * @default false
+   *
+   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -311,16 +321,6 @@ interface SSOOptions {
      * @default 300000 (5 minutes)
      */
     requestTTL?: number;
-    /**
-     * Custom AuthnRequest store implementation.
-     * Use this to provide a custom storage backend (e.g., Redis-backed store).
-     *
-     * Providing a custom store automatically enables InResponseTo validation.
-     *
-     * Note: When not provided, the default storage (secondaryStorage with
-     * verification table fallback) is used automatically.
-     */
-    authnRequestStore?: AuthnRequestStore;
     /**
      * Clock skew tolerance for SAML assertion timestamp validation in milliseconds.
      * Allows for minor time differences between IdP and SP servers.
@@ -353,15 +353,29 @@ interface SSOOptions {
      * @default false
      */
     requireTimestamps?: boolean;
+    /**
+     * Algorithm validation options for SAML responses.
+     *
+     * Controls behavior when deprecated algorithms (SHA-1, RSA1_5, 3DES)
+     * are detected in SAML responses.
+     *
+     * @example
+     * ```ts
+     * algorithms: {
+     *   onDeprecated: "reject" // Reject deprecated algorithms
+     * }
+     * ```
+     */
+    algorithms?: AlgorithmValidationOptions;
   };
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
-  body: z.ZodObject<{
-    providerId: z.ZodString;
-  }, z.core.$strip>;
+  body: z$1.ZodObject<{
+    providerId: z$1.ZodString;
+  }, z$1.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -379,7 +393,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -405,11 +419,11 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
-  body: z.ZodObject<{
-    providerId: z.ZodString;
-  }, z.core.$strip>;
+  body: z$1.ZodObject<{
+    providerId: z$1.ZodString;
+  }, z$1.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -430,7 +444,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -456,8 +470,6 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
-/** Default clock skew tolerance: 5 minutes */
-declare const DEFAULT_CLOCK_SKEW_MS: number;
 interface TimestampValidationOptions {
   clockSkew?: number;
   requireTimestamps?: boolean;
@@ -476,7 +488,7 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -498,7 +510,7 @@ declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metad
     };
   };
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -577,7 +589,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -767,7 +779,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -861,7 +873,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -884,7 +896,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
     scope: "server";
   };
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -911,7 +923,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
     scope: "server";
   };
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;
@@ -1230,4 +1242,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { createInMemoryAuthnRequestStore as A, OIDCConfig as C, AuthnRequestRecord as D, SSOProvider as E, AuthnRequestStore as O, validateSAMLTimestamp as S, SSOOptions as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, SAMLConditions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SAMLConfig as w, TimestampValidationOptions as x, DEFAULT_CLOCK_SKEW_MS as y };
+export { KeyEncryptionAlgorithm as A, SAMLConfig as C, DataEncryptionAlgorithm as D, AlgorithmValidationOptions as E, DeprecatedAlgorithmBehavior as O, OIDCConfig as S, SSOProvider as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, SignatureAlgorithm as j, DigestAlgorithm as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SSOOptions as w, validateSAMLTimestamp as x, SAMLConditions as y };

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-B9WMxRdD.mjs";
-export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, TimestampValidationOptions, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DNWhGQW-.mjs";
+export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };