@better-auth/sso 1.4.7 → 1.4.8-beta.2

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.7",
+  "version": "1.4.8-beta.2",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -66,10 +66,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.7"
+    "better-auth": "1.4.8-beta.2"
   },
   "peerDependencies": {
-    "better-auth": "1.4.7"
+    "better-auth": "1.4.8-beta.2"
   },
   "scripts": {
     "test": "vitest",

package/src/constants.ts

@@ -0,0 +1,42 @@
+/**
+ * SAML Constants
+ *
+ * Centralized constants for SAML SSO functionality.
+ */
+
+// ============================================================================
+// Key Prefixes (for verification table storage)
+// ============================================================================
+
+/** Prefix for AuthnRequest IDs used in InResponseTo validation */
+export const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
+
+/** Prefix for used Assertion IDs used in replay protection */
+export const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
+
+// ============================================================================
+// Time-To-Live (TTL) Defaults
+// ============================================================================
+
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * Default TTL for used assertion records (15 minutes).
+ * This should match the maximum expected NotOnOrAfter window plus clock skew.
+ */
+export const DEFAULT_ASSERTION_TTL_MS = 15 * 60 * 1000;
+
+/**
+ * Default clock skew tolerance (5 minutes).
+ * Allows for minor time differences between IdP and SP servers.
+ *
+ * Accommodates:
+ * - Network latency and processing time
+ * - Clock synchronization differences (NTP drift)
+ * - Distributed systems across timezones
+ */
+export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;

package/src/domain-verification.test.ts

@@ -92,6 +92,7 @@ describe("Domain verification", async () => {
 					body: {
 						userId: response.data.user.id,
 						role: "member",
+						organizationId,
 					},
 					headers,
 				});

package/src/index.ts

@@ -1,14 +1,8 @@
 import type { BetterAuthPlugin } from "better-auth";
+import { createAuthMiddleware } from "better-auth/api";
 import { XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
-import type {
-	AuthnRequestRecord,
-	AuthnRequestStore,
-} from "./authn-request-store";
-import {
-	createInMemoryAuthnRequestStore,
-	DEFAULT_AUTHN_REQUEST_TTL_MS,
-} from "./authn-request-store";
+import { assignOrganizationByDomain } from "./linking";
 import {
 	requestDomainVerification,
 	verifyDomain,
@@ -23,17 +17,23 @@ import {
 } from "./routes/sso";
 
 export {
-	DEFAULT_CLOCK_SKEW_MS,
 	type SAMLConditions,
 	type TimestampValidationOptions,
 	validateSAMLTimestamp,
 } from "./routes/sso";
 
+export {
+	type AlgorithmValidationOptions,
+	DataEncryptionAlgorithm,
+	type DeprecatedAlgorithmBehavior,
+	DigestAlgorithm,
+	KeyEncryptionAlgorithm,
+	SignatureAlgorithm,
+} from "./saml";
+
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
 export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
-export type { AuthnRequestStore, AuthnRequestRecord };
-export { createInMemoryAuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS };
 
 export {
 	computeDiscoveryUrl,
@@ -134,6 +134,33 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 	return {
 		id: "sso",
 		endpoints,
+		hooks: {
+			after: [
+				{
+					matcher(context) {
+						return context.path?.startsWith("/callback/") ?? false;
+					},
+					handler: createAuthMiddleware(async (ctx) => {
+						const newSession = ctx.context.newSession;
+						if (!newSession?.user) {
+							return;
+						}
+
+						const isOrgPluginEnabled = ctx.context.options.plugins?.find(
+							(plugin: { id: string }) => plugin.id === "organization",
+						);
+						if (!isOrgPluginEnabled) {
+							return;
+						}
+
+						await assignOrganizationByDomain(ctx, {
+							user: newSession.user,
+							provisioningOptions: options?.organizationProvisioning,
+						});
+					}),
+				},
+			],
+		},
 		schema: {
 			ssoProvider: {
 				modelName: options?.modelName ?? "ssoProvider",
@@ -183,5 +210,6 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 				},
 			},
 		},
+		options: options as NoInfer<O>,
 	} satisfies BetterAuthPlugin;
 }

package/src/linking/index.ts

@@ -0,0 +1,2 @@
+export * from "./org-assignment";
+export * from "./types";

package/src/linking/org-assignment.ts

@@ -0,0 +1,158 @@
+import type { GenericEndpointContext, OAuth2Tokens, User } from "better-auth";
+import type { SSOOptions, SSOProvider } from "../types";
+import type { NormalizedSSOProfile } from "./types";
+
+export interface OrganizationProvisioningOptions {
+	disabled?: boolean;
+	defaultRole?: "member" | "admin";
+	getRole?: (data: {
+		user: User & Record<string, any>;
+		userInfo: Record<string, any>;
+		token?: OAuth2Tokens;
+		provider: SSOProvider<SSOOptions>;
+	}) => Promise<"member" | "admin">;
+}
+
+export interface AssignOrganizationFromProviderOptions {
+	user: User;
+	profile: NormalizedSSOProfile;
+	provider: SSOProvider<SSOOptions>;
+	token?: OAuth2Tokens;
+	provisioningOptions?: OrganizationProvisioningOptions;
+}
+
+/**
+ * Assigns a user to an organization based on the SSO provider's organizationId.
+ * Used in SSO flows (OIDC, SAML) where the provider is already linked to an org.
+ */
+export async function assignOrganizationFromProvider(
+	ctx: GenericEndpointContext,
+	options: AssignOrganizationFromProviderOptions,
+): Promise<void> {
+	const { user, profile, provider, token, provisioningOptions } = options;
+
+	if (!provider.organizationId) {
+		return;
+	}
+
+	if (provisioningOptions?.disabled) {
+		return;
+	}
+
+	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
+		(plugin) => plugin.id === "organization",
+	);
+
+	if (!isOrgPluginEnabled) {
+		return;
+	}
+
+	const isAlreadyMember = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [
+			{ field: "organizationId", value: provider.organizationId },
+			{ field: "userId", value: user.id },
+		],
+	});
+
+	if (isAlreadyMember) {
+		return;
+	}
+
+	const role = provisioningOptions?.getRole
+		? await provisioningOptions.getRole({
+				user,
+				userInfo: profile.rawAttributes || {},
+				token,
+				provider,
+			})
+		: provisioningOptions?.defaultRole || "member";
+
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: provider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: new Date(),
+		},
+	});
+}
+
+export interface AssignOrganizationByDomainOptions {
+	user: User;
+	provisioningOptions?: OrganizationProvisioningOptions;
+}
+
+/**
+ * Assigns a user to an organization based on their email domain.
+ * Looks up SSO providers that match the user's email domain and assigns
+ * the user to the associated organization.
+ *
+ * This enables domain-based org assignment for non-SSO sign-in methods
+ * (e.g., Google OAuth with @acme.com email gets added to Acme's org).
+ */
+export async function assignOrganizationByDomain(
+	ctx: GenericEndpointContext,
+	options: AssignOrganizationByDomainOptions,
+): Promise<void> {
+	const { user, provisioningOptions } = options;
+
+	if (provisioningOptions?.disabled) {
+		return;
+	}
+
+	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
+		(plugin) => plugin.id === "organization",
+	);
+
+	if (!isOrgPluginEnabled) {
+		return;
+	}
+
+	const domain = user.email.split("@")[1];
+	if (!domain) {
+		return;
+	}
+
+	const ssoProvider = await ctx.context.adapter.findOne<
+		SSOProvider<SSOOptions>
+	>({
+		model: "ssoProvider",
+		where: [{ field: "domain", value: domain }],
+	});
+
+	if (!ssoProvider || !ssoProvider.organizationId) {
+		return;
+	}
+
+	const isAlreadyMember = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [
+			{ field: "organizationId", value: ssoProvider.organizationId },
+			{ field: "userId", value: user.id },
+		],
+	});
+
+	if (isAlreadyMember) {
+		return;
+	}
+
+	const role = provisioningOptions?.getRole
+		? await provisioningOptions.getRole({
+				user,
+				userInfo: {},
+				provider: ssoProvider,
+			})
+		: provisioningOptions?.defaultRole || "member";
+
+	await ctx.context.adapter.create({
+		model: "member",
+		data: {
+			organizationId: ssoProvider.organizationId,
+			userId: user.id,
+			role,
+			createdAt: new Date(),
+		},
+	});
+}

package/src/linking/types.ts

@@ -0,0 +1,10 @@
+export interface NormalizedSSOProfile {
+	providerType: "saml" | "oidc";
+	providerId: string;
+	accountId: string;
+	email: string;
+	emailVerified: boolean;
+	name?: string;
+	image?: string;
+	rawAttributes?: Record<string, unknown>;
+}