@better-auth/sso 1.4.7 → 1.4.8-beta.2

package/src/types.ts

@@ -1,5 +1,5 @@
-import type { OAuth2Tokens, User } from "better-auth";
-import type { AuthnRequestStore } from "./authn-request-store";
+import type { Awaitable, OAuth2Tokens, User } from "better-auth";
+import type { AlgorithmValidationOptions } from "./saml/algorithms";
 
 export interface OIDCMapping {
 	id?: string | undefined;
@@ -121,7 +121,7 @@ export interface SSOOptions {
 				 * The SSO provider
 				 */
 				provider: SSOProvider<SSOOptions>;
-		  }) => Promise<void>)
+		  }) => Awaitable<void>)
 		| undefined;
 	/**
 	 * Organization provisioning options
@@ -222,9 +222,7 @@ export interface SSOOptions {
 	 * ```
 	 * @default 10
 	 */
-	providersLimit?:
-		| (number | ((user: User) => Promise<number> | number))
-		| undefined;
+	providersLimit?: (number | ((user: User) => Awaitable<number>)) | undefined;
 	/**
 	 * Trust the email verified flag from the provider.
 	 *
@@ -233,7 +231,13 @@ export interface SSOOptions {
 	 *
 	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
 	 * providers in the `trustedProviders` list.
+	 *
 	 * @default false
+	 *
+	 * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+	 * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+	 * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+	 * This option may be removed in a future major version.
 	 */
 	trustEmailVerified?: boolean | undefined;
 	/**
@@ -291,16 +295,6 @@ export interface SSOOptions {
 		 * @default 300000 (5 minutes)
 		 */
 		requestTTL?: number;
-		/**
-		 * Custom AuthnRequest store implementation.
-		 * Use this to provide a custom storage backend (e.g., Redis-backed store).
-		 *
-		 * Providing a custom store automatically enables InResponseTo validation.
-		 *
-		 * Note: When not provided, the default storage (secondaryStorage with
-		 * verification table fallback) is used automatically.
-		 */
-		authnRequestStore?: AuthnRequestStore;
 		/**
 		 * Clock skew tolerance for SAML assertion timestamp validation in milliseconds.
 		 * Allows for minor time differences between IdP and SP servers.
@@ -333,5 +327,19 @@ export interface SSOOptions {
 		 * @default false
 		 */
 		requireTimestamps?: boolean;
+		/**
+		 * Algorithm validation options for SAML responses.
+		 *
+		 * Controls behavior when deprecated algorithms (SHA-1, RSA1_5, 3DES)
+		 * are detected in SAML responses.
+		 *
+		 * @example
+		 * ```ts
+		 * algorithms: {
+		 *   onDeprecated: "reject" // Reject deprecated algorithms
+		 * }
+		 * ```
+		 */
+		algorithms?: AlgorithmValidationOptions;
 	};
 }

package/src/authn-request-store.ts

@@ -1,76 +0,0 @@
-/**
- * AuthnRequest Store
- *
- * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
- * This prevents:
- * - Unsolicited SAML responses
- * - Cross-provider response injection
- * - Replay attacks
- * - Expired login completions
- */
-
-export interface AuthnRequestRecord {
-	id: string;
-	providerId: string;
-	createdAt: number;
-	expiresAt: number;
-}
-
-export interface AuthnRequestStore {
-	save(record: AuthnRequestRecord): Promise<void>;
-	get(id: string): Promise<AuthnRequestRecord | null>;
-	delete(id: string): Promise<void>;
-}
-
-/**
- * Default TTL for AuthnRequest records (5 minutes).
- * This should be sufficient for most IdPs while protecting against stale requests.
- */
-export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
-
-/**
- * In-memory implementation of AuthnRequestStore.
- * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
- * For production, rely on the default behavior (uses verification table)
- * or provide a custom Redis-backed store.
- */
-export function createInMemoryAuthnRequestStore(): AuthnRequestStore {
-	const store = new Map<string, AuthnRequestRecord>();
-
-	const cleanup = () => {
-		const now = Date.now();
-		for (const [id, record] of store.entries()) {
-			if (record.expiresAt < now) {
-				store.delete(id);
-			}
-		}
-	};
-
-	const cleanupInterval = setInterval(cleanup, 60 * 1000);
-
-	if (typeof cleanupInterval.unref === "function") {
-		cleanupInterval.unref();
-	}
-
-	return {
-		async save(record: AuthnRequestRecord): Promise<void> {
-			store.set(record.id, record);
-		},
-
-		async get(id: string): Promise<AuthnRequestRecord | null> {
-			const record = store.get(id);
-			if (!record) {
-				return null;
-			}
-			if (record.expiresAt < Date.now()) {
-				store.delete(id);
-				return null;
-			}
-			return record;
-		},
-
-		async delete(id: string): Promise<void> {
-			store.delete(id);
-		},
-	};
-}

package/src/authn-request.test.ts

@@ -1,99 +0,0 @@
-import { describe, expect, it } from "vitest";
-import {
-	createInMemoryAuthnRequestStore,
-	DEFAULT_AUTHN_REQUEST_TTL_MS,
-} from "./authn-request-store";
-
-describe("AuthnRequest Store", () => {
-	describe("In-Memory Store", () => {
-		it("should save and retrieve an AuthnRequest record", async () => {
-			const store = createInMemoryAuthnRequestStore();
-
-			const record = {
-				id: "_test-request-id-1",
-				providerId: "saml-provider-1",
-				createdAt: Date.now(),
-				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
-			};
-
-			await store.save(record);
-			const retrieved = await store.get(record.id);
-
-			expect(retrieved).toEqual(record);
-		});
-
-		it("should return null for non-existent request ID", async () => {
-			const store = createInMemoryAuthnRequestStore();
-
-			const retrieved = await store.get("_non-existent-id");
-
-			expect(retrieved).toBeNull();
-		});
-
-		it("should return null for expired request ID", async () => {
-			const store = createInMemoryAuthnRequestStore();
-
-			const record = {
-				id: "_expired-request-id",
-				providerId: "saml-provider-1",
-				createdAt: Date.now() - 10000,
-				expiresAt: Date.now() - 1000, // Already expired
-			};
-
-			await store.save(record);
-			const retrieved = await store.get(record.id);
-
-			expect(retrieved).toBeNull();
-		});
-
-		it("should delete a request ID", async () => {
-			const store = createInMemoryAuthnRequestStore();
-
-			const record = {
-				id: "_delete-me",
-				providerId: "saml-provider-1",
-				createdAt: Date.now(),
-				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
-			};
-
-			await store.save(record);
-			await store.delete(record.id);
-
-			const retrieved = await store.get(record.id);
-			expect(retrieved).toBeNull();
-		});
-
-		it("should handle multiple providers with different request IDs", async () => {
-			const store = createInMemoryAuthnRequestStore();
-
-			const record1 = {
-				id: "_request-provider-1",
-				providerId: "saml-provider-1",
-				createdAt: Date.now(),
-				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
-			};
-
-			const record2 = {
-				id: "_request-provider-2",
-				providerId: "saml-provider-2",
-				createdAt: Date.now(),
-				expiresAt: Date.now() + DEFAULT_AUTHN_REQUEST_TTL_MS,
-			};
-
-			await store.save(record1);
-			await store.save(record2);
-
-			const retrieved1 = await store.get(record1.id);
-			const retrieved2 = await store.get(record2.id);
-
-			expect(retrieved1?.providerId).toBe("saml-provider-1");
-			expect(retrieved2?.providerId).toBe("saml-provider-2");
-		});
-	});
-
-	describe("DEFAULT_AUTHN_REQUEST_TTL_MS", () => {
-		it("should be 5 minutes in milliseconds", () => {
-			expect(DEFAULT_AUTHN_REQUEST_TTL_MS).toBe(5 * 60 * 1000);
-		});
-	});
-});