@better-auth/sso 1.4.7 → 1.4.8-beta.2

package/src/saml.test.ts

@@ -25,13 +25,9 @@ import {
 	it,
 	vi,
 } from "vitest";
-import {
-	createInMemoryAuthnRequestStore,
-	DEFAULT_CLOCK_SKEW_MS,
-	sso,
-	validateSAMLTimestamp,
-} from ".";
+import { sso, validateSAMLTimestamp } from ".";
 import { ssoClient } from "./client";
+import { DEFAULT_CLOCK_SKEW_MS } from "./constants";
 
 const spMetadata = `
     <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:3001/api/sso/saml2/sp/metadata">
@@ -495,6 +491,17 @@ const createMockSAMLIdP = (port: number) => {
 	return { start, stop, metadataUrl };
 };
 
+// Shared mock SAML IdP for all tests
+const sharedMockIdP = createMockSAMLIdP(8081);
+
+beforeAll(async () => {
+	await sharedMockIdP.start();
+});
+
+afterAll(async () => {
+	await sharedMockIdP.stop();
+});
+
 describe("SAML SSO with defaultSSO array", async () => {
 	const data = {
 		user: [],
@@ -505,7 +512,6 @@ describe("SAML SSO with defaultSSO array", async () => {
 	};
 
 	const memory = memoryAdapter(data);
-	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
 
 	const ssoOptions = {
 		defaultSSO: [
@@ -552,14 +558,6 @@ describe("SAML SSO with defaultSSO array", async () => {
 		plugins: [sso(ssoOptions)],
 	});
 
-	beforeAll(async () => {
-		await mockIdP.start();
-	});
-
-	afterAll(async () => {
-		await mockIdP.stop();
-	});
-
 	it("should use default SAML SSO provider from array when no provider found in database", async () => {
 		const signInResponse = await auth.api.signInSSO({
 			body: {
@@ -585,7 +583,6 @@ describe("SAML SSO", async () => {
 	};
 
 	const memory = memoryAdapter(data);
-	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
 
 	const ssoOptions = {
 		provisionUser: vi
@@ -626,7 +623,6 @@ describe("SAML SSO", async () => {
 	};
 
 	beforeAll(async () => {
-		await mockIdP.start();
 		await authClient.signUp.email({
 			email: testUser.email,
 			password: testUser.password,
@@ -634,10 +630,6 @@ describe("SAML SSO", async () => {
 		});
 	});
 
-	afterAll(async () => {
-		await mockIdP.stop();
-	});
-
 	beforeEach(() => {
 		data.user = [];
 		data.session = [];
@@ -675,7 +667,7 @@ describe("SAML SSO", async () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 					wantAssertionsSigned: false,
@@ -708,7 +700,7 @@ describe("SAML SSO", async () => {
 			id: expect.any(String),
 			issuer: "http://localhost:8081",
 			samlConfig: {
-				entryPoint: mockIdP.metadataUrl,
+				entryPoint: sharedMockIdP.metadataUrl,
 				cert: expect.any(String),
 				callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 				wantAssertionsSigned: false,
@@ -731,7 +723,7 @@ describe("SAML SSO", async () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/sp/acs",
 					wantAssertionsSigned: false,
@@ -783,7 +775,7 @@ describe("SAML SSO", async () => {
 				issuer: issuer,
 				domain: issuer,
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: `${issuer}/api/sso/saml2/sp/acs`,
 					wantAssertionsSigned: false,
@@ -925,7 +917,7 @@ describe("SAML SSO", async () => {
 					issuer: "http://localhost:8081",
 					domain: "http://localhost:8081",
 					samlConfig: {
-						entryPoint: mockIdP.metadataUrl,
+						entryPoint: sharedMockIdP.metadataUrl,
 						cert: certificate,
 						callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 						wantAssertionsSigned: false,
@@ -956,7 +948,7 @@ describe("SAML SSO", async () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 					wantAssertionsSigned: false,
@@ -977,7 +969,7 @@ describe("SAML SSO", async () => {
 					issuer: "http://localhost:8081",
 					domain: "http://localhost:8081",
 					samlConfig: {
-						entryPoint: mockIdP.metadataUrl,
+						entryPoint: sharedMockIdP.metadataUrl,
 						cert: certificate,
 						callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 						wantAssertionsSigned: false,
@@ -1016,7 +1008,7 @@ describe("SAML SSO", async () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 					wantAssertionsSigned: false,
@@ -1037,7 +1029,7 @@ describe("SAML SSO", async () => {
 					issuer: "http://localhost:8081",
 					domain: "http://localhost:8081",
 					samlConfig: {
-						entryPoint: mockIdP.metadataUrl,
+						entryPoint: sharedMockIdP.metadataUrl,
 						cert: certificate,
 						callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 						wantAssertionsSigned: false,
@@ -1071,7 +1063,7 @@ describe("SAML SSO", async () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 					spMetadata: {
@@ -1089,7 +1081,7 @@ describe("SAML SSO", async () => {
 					issuer: "http://localhost:8082",
 					domain: "http://localhost:8082",
 					samlConfig: {
-						entryPoint: mockIdP.metadataUrl,
+						entryPoint: sharedMockIdP.metadataUrl,
 						cert: certificate,
 						callbackUrl: "http://localhost:8082/api/sso/saml2/callback",
 						spMetadata: {
@@ -1150,25 +1142,86 @@ describe("SAML SSO", async () => {
 			},
 		});
 
-		// Attempt to complete SAML callback - should fail because test@email.com doesn't exist
-		// and disableImplicitSignUp is true
-		await expect(
-			authWithDisabledSignUp.api.callbackSSOSAML({
-				body: {
-					SAMLResponse: samlResponse.samlResponse,
-					RelayState: "http://localhost:3000/dashboard",
-				},
-				params: {
-					providerId: "saml-test-provider",
+		const response = await authWithDisabledSignUp.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/saml-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
 				},
-			}),
-		).rejects.toMatchObject({
-			status: "UNAUTHORIZED",
+			),
+		);
+
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).toContain("error=signup_disabled");
+	});
+
+	it("should reject SAML ACS (IdP-initiated) when disableImplicitSignUp is true and user doesn't exist", async () => {
+		const { auth: authWithDisabledSignUp, signInWithTestUser } =
+			await getTestInstance({
+				plugins: [sso({ disableImplicitSignUp: true })],
+			});
+
+		const { headers } = await signInWithTestUser();
+
+		await authWithDisabledSignUp.api.registerSSOProvider({
 			body: {
-				message:
-					"User not found and implicit sign up is disabled for this provider",
+				providerId: "saml-acs-test-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
 			},
+			headers: headers,
 		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		const response = await authWithDisabledSignUp.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/sp/acs/saml-acs-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).toContain("error=signup_disabled");
 	});
 
 	it("should deny account linking when provider is not trusted and domain is not verified", async () => {
@@ -1526,78 +1579,7 @@ describe("SAML SSO", async () => {
 		expect(redirectLocation).not.toContain("error=");
 	});
 
-	it("should enable validation automatically when custom authnRequestStore is provided", async () => {
-		const customStore = createInMemoryAuthnRequestStore();
-
-		const { auth, signInWithTestUser } = await getTestInstance({
-			plugins: [
-				sso({
-					saml: {
-						authnRequestStore: customStore,
-						allowIdpInitiated: false,
-					},
-				}),
-			],
-		});
-
-		const { headers } = await signInWithTestUser();
-
-		await auth.api.registerSSOProvider({
-			body: {
-				providerId: "custom-store-provider",
-				issuer: "http://localhost:8081",
-				domain: "http://localhost:8081",
-				samlConfig: {
-					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
-					cert: certificate,
-					callbackUrl: "http://localhost:3000/dashboard",
-					wantAssertionsSigned: false,
-					signatureAlgorithm: "sha256",
-					digestAlgorithm: "sha256",
-					idpMetadata: {
-						metadata: idpMetadata,
-					},
-					spMetadata: {
-						metadata: spMetadata,
-					},
-					identifierFormat:
-						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
-				},
-			},
-			headers,
-		});
-
-		let samlResponse: any;
-		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
-			onSuccess: async (context) => {
-				samlResponse = await context.data;
-			},
-		});
-
-		const response = await auth.handler(
-			new Request(
-				"http://localhost:3000/api/auth/sso/saml2/callback/custom-store-provider",
-				{
-					method: "POST",
-					headers: {
-						"Content-Type": "application/x-www-form-urlencoded",
-					},
-					body: new URLSearchParams({
-						SAMLResponse: samlResponse.samlResponse,
-						RelayState: "http://localhost:3000/dashboard",
-					}),
-				},
-			),
-		);
-
-		expect(response.status).toBe(302);
-		const redirectLocation = response.headers.get("location") || "";
-		expect(redirectLocation).toContain("error=unsolicited_response");
-	});
-
-	it("should use verification table for InResponseTo validation when no custom store is provided", async () => {
-		// When enableInResponseToValidation is true and no custom authnRequestStore is provided,
-		// the plugin uses the verification table (database) for storing AuthnRequest IDs
+	it("should use verification table for InResponseTo validation", async () => {
 		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [
 				sso({
@@ -1691,7 +1673,6 @@ describe("SAML SSO with custom fields", () => {
 	};
 
 	const memory = memoryAdapter(data);
-	const mockIdP = createMockSAMLIdP(8081); // Different port from your main app
 
 	const auth = betterAuth({
 		database: memory,
@@ -1719,7 +1700,6 @@ describe("SAML SSO with custom fields", () => {
 	};
 
 	beforeAll(async () => {
-		await mockIdP.start();
 		await authClient.signUp.email({
 			email: testUser.email,
 			password: testUser.password,
@@ -1727,10 +1707,6 @@ describe("SAML SSO with custom fields", () => {
 		});
 	});
 
-	afterAll(async () => {
-		await mockIdP.stop();
-	});
-
 	beforeEach(() => {
 		data.user = [];
 		data.session = [];
@@ -1764,7 +1740,7 @@ describe("SAML SSO with custom fields", () => {
 				issuer: "http://localhost:8081",
 				domain: "http://localhost:8081",
 				samlConfig: {
-					entryPoint: mockIdP.metadataUrl,
+					entryPoint: sharedMockIdP.metadataUrl,
 					cert: certificate,
 					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 					wantAssertionsSigned: false,
@@ -1797,7 +1773,7 @@ describe("SAML SSO with custom fields", () => {
 			id: expect.any(String),
 			issuer: "http://localhost:8081",
 			samlConfig: {
-				entryPoint: mockIdP.metadataUrl,
+				entryPoint: sharedMockIdP.metadataUrl,
 				cert: expect.any(String),
 				callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
 				wantAssertionsSigned: false,
@@ -2383,3 +2359,250 @@ describe("SAML SSO - Timestamp Validation", () => {
 		});
 	});
 });
+
+describe("SAML SSO - Assertion Replay Protection", () => {
+	it("should reject replayed SAML assertion (same assertion submitted twice)", async () => {
+		const { auth, signInWithTestUser } = await getTestInstance({
+			plugins: [sso()],
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "replay-test-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		// First submission should succeed
+		const firstResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/replay-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(firstResponse.status).toBe(302);
+		const firstLocation = firstResponse.headers.get("location") || "";
+		expect(firstLocation).not.toContain("error");
+
+		// Second submission (replay) should be rejected
+		const replayResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/replay-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(replayResponse.status).toBe(302);
+		const replayLocation = replayResponse.headers.get("location") || "";
+		expect(replayLocation).toContain("error=replay_detected");
+	});
+
+	it("should reject replayed SAML assertion on ACS endpoint", async () => {
+		const { auth, signInWithTestUser } = await getTestInstance({
+			plugins: [sso()],
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "acs-replay-test-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		// First submission to ACS endpoint should succeed
+		const firstResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/sp/acs/acs-replay-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(firstResponse.status).toBe(302);
+		const firstLocation = firstResponse.headers.get("location") || "";
+		expect(firstLocation).not.toContain("error");
+
+		// Second submission (replay) to ACS endpoint should be rejected
+		const replayResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/sp/acs/acs-replay-test-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(replayResponse.status).toBe(302);
+		const replayLocation = replayResponse.headers.get("location") || "";
+		expect(replayLocation).toContain("error=replay_detected");
+	});
+
+	it("should reject cross-endpoint replay (callback → ACS)", async () => {
+		const { auth, signInWithTestUser } = await getTestInstance({
+			plugins: [sso()],
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "cross-endpoint-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		// First: Submit to callback endpoint (should succeed)
+		const callbackResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/cross-endpoint-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(callbackResponse.status).toBe(302);
+		expect(callbackResponse.headers.get("location")).not.toContain("error");
+
+		// Second: Replay same assertion to ACS endpoint (should be rejected)
+		const acsReplayResponse = await auth.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/sp/acs/cross-endpoint-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(acsReplayResponse.status).toBe(302);
+		const acsLocation = acsReplayResponse.headers.get("location") || "";
+		expect(acsLocation).toContain("error=replay_detected");
+	});
+});