npm - @better-auth/sso - Versions diffs - 1.4.8-beta.3 → 1.4.8-beta.6 - Mend

@better-auth/sso 1.4.8-beta.3 → 1.4.8-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.turbo/turbo-build.log +5 -5
package/dist/client.d.mts +1 -1
package/dist/{index-DNWhGQW-.d.mts → index-D6Q3ojGP.d.mts} +12 -12
package/dist/index.d.mts +1 -1
package/dist/index.mjs +12 -6
package/package.json +4 -4
package/src/index.ts +1 -0
package/src/linking/org-assignment.test.ts +325 -0
package/src/linking/org-assignment.ts +13 -2

package/.turbo/turbo-build.log CHANGED Viewed

@@ -1,5 +1,5 @@
-> @better-auth/sso@1.4.8-beta.3 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.8-beta.6 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 [34mℹ[39m tsdown [2mv0.17.2[22m powered by rolldown [2mv1.0.0-beta.53[22m
@@ -7,10 +7,10 @@
 [34mℹ[39m entry: [34msrc/index.ts, src/client.ts[39m
 [34mℹ[39m tsconfig: [34mtsconfig.json[39m
 [34mℹ[39m Build start
-[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m92.45 kB[22m [2m│ gzip: 18.08 kB[22m
+[34mℹ[39m [2mdist/[22m[1mindex.mjs[22m             [2m92.65 kB[22m [2m│ gzip: 18.13 kB[22m
 [34mℹ[39m [2mdist/[22m[1mclient.mjs[22m            [2m 0.15 kB[22m [2m│ gzip:  0.14 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mindex.d.mts[22m[39m           [2m 1.48 kB[22m [2m│ gzip:  0.51 kB[22m
 [34mℹ[39m [2mdist/[22m[32m[1mclient.d.mts[22m[39m          [2m 0.49 kB[22m [2m│ gzip:  0.30 kB[22m
-[34mℹ[39m [2mdist/[22m[32mindex-DNWhGQW-.d.mts[39m  [2m42.86 kB[22m [2m│ gzip:  8.79 kB[22m
-[34mℹ[39m 5 files, total: 137.43 kB
-[32m✔[39m Build complete in [32m11758ms[39m
+[34mℹ[39m [2mdist/[22m[32mindex-D6Q3ojGP.d.mts[39m  [2m42.86 kB[22m [2m│ gzip:  8.79 kB[22m
+[34mℹ[39m 5 files, total: 137.63 kB
+[32m✔[39m Build complete in [32m11966ms[39m

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DNWhGQW-.mjs";
+import { t as SSOPlugin } from "./index-D6Q3ojGP.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-DNWhGQW-.d.mts → index-D6Q3ojGP.d.mts} RENAMED Viewed

@@ -2,7 +2,7 @@ import { APIError } from "better-auth/api";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
 import { Awaitable, OAuth2Tokens, User } from "better-auth";
-import * as better_call0 from "better-call";
+import * as better_call7 from "better-call";
 //#region src/saml/algorithms.d.ts
 declare const SignatureAlgorithm: {
@@ -371,7 +371,7 @@ interface SSOOptions {
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
   body: z$1.ZodObject<{
     providerId: z$1.ZodString;
@@ -393,7 +393,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -419,7 +419,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
   body: z$1.ZodObject<{
     providerId: z$1.ZodString;
@@ -444,7 +444,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -488,7 +488,7 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -510,7 +510,7 @@ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metad
     };
   };
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -589,7 +589,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -779,7 +779,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -873,7 +873,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -896,7 +896,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     scope: "server";
   };
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -923,7 +923,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
     scope: "server";
   };
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DNWhGQW-.mjs";
+import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-D6Q3ojGP.mjs";
 export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs CHANGED Viewed

@@ -55,17 +55,22 @@ async function assignOrganizationFromProvider(ctx, options) {
 * (e.g., Google OAuth with @acme.com email gets added to Acme's org).
 */
 async function assignOrganizationByDomain(ctx, options) {
-	const { user, provisioningOptions } = options;
+	const { user, provisioningOptions, domainVerification } = options;
 	if (provisioningOptions?.disabled) return;
 	if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
 	const domain = user.email.split("@")[1];
 	if (!domain) return;
+	const whereClause = [{
+		field: "domain",
+		value: domain
+	}];
+	if (domainVerification?.enabled) whereClause.push({
+		field: "domainVerified",
+		value: true
+	});
 	const ssoProvider = await ctx.context.adapter.findOne({
 		model: "ssoProvider",
-		where: [{
-			field: "domain",
-			value: domain
-		}]
+		where: whereClause
 	});
 	if (!ssoProvider || !ssoProvider.organizationId) return;
 	if (await ctx.context.adapter.findOne({
@@ -2203,7 +2208,8 @@ function sso(options) {
 				if (!ctx.context.options.plugins?.find((plugin) => plugin.id === "organization")) return;
 				await assignOrganizationByDomain(ctx, {
 					user: newSession.user,
-					provisioningOptions: options?.organizationProvisioning
+					provisioningOptions: options?.organizationProvisioning,
+					domainVerification: options?.domainVerification
 				});
 			})
 		}] },

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.8-beta.3",
+  "version": "1.4.8-beta.6",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -61,15 +61,15 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.1.5",
+    "better-call": "1.1.7",
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.8-beta.3"
+    "better-auth": "1.4.8-beta.6"
   },
   "peerDependencies": {
-    "better-auth": "1.4.8-beta.3"
+    "better-auth": "1.4.8-beta.6"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts CHANGED Viewed

@@ -156,6 +156,7 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 						await assignOrganizationByDomain(ctx, {
 							user: newSession.user,
 							provisioningOptions: options?.organizationProvisioning,
+							domainVerification: options?.domainVerification,
 						});
 					}),
 				},

package/src/linking/org-assignment.test.ts ADDED Viewed

@@ -0,0 +1,325 @@
+import type { GenericEndpointContext, User } from "better-auth";
+import { betterAuth } from "better-auth";
+import { memoryAdapter } from "better-auth/adapters/memory";
+import { organization } from "better-auth/plugins";
+import { describe, expect, it } from "vitest";
+import { sso } from "..";
+import { assignOrganizationByDomain } from "./org-assignment";
+describe("assignOrganizationByDomain", () => {
+	const createTestContext = () => {
+		const data = {
+			user: [] as User[],
+			session: [] as { id: string }[],
+			account: [] as { id: string }[],
+			ssoProvider: [] as {
+				id: string;
+				providerId: string;
+				issuer: string;
+				domain: string;
+				domainVerified: boolean;
+				organizationId: string | null;
+				userId: string;
+			}[],
+			member: [] as {
+				id: string;
+				organizationId: string;
+				userId: string;
+				role: string;
+				createdAt: Date;
+			}[],
+			organization: [] as {
+				id: string;
+				name: string;
+				slug: string;
+				createdAt: Date;
+			}[],
+		};
+		const memory = memoryAdapter(data);
+		const auth = betterAuth({
+			database: memory,
+			baseURL: "http://localhost:3000",
+			emailAndPassword: {
+				enabled: true,
+			},
+			plugins: [
+				sso({
+					domainVerification: {
+						enabled: true,
+					},
+				}),
+				organization(),
+			],
+		});
+		const createContext = async () => {
+			const context = await auth.$context;
+			return { context } as Partial<GenericEndpointContext>;
+		};
+		return { auth, data, createContext };
+	};
+	const createUser = (overrides: Partial<User> = {}): User => ({
+		id: "user-1",
+		email: "alice@example.com",
+		name: "Alice",
+		emailVerified: true,
+		createdAt: new Date(),
+		updatedAt: new Date(),
+		...overrides,
+	});
+	const createOrg = (
+		overrides: Partial<{ id: string; name: string; slug: string }> = {},
+	) => ({
+		id: "org-1",
+		name: "Test Org",
+		slug: "test-org",
+		createdAt: new Date(),
+		...overrides,
+	});
+	const createProvider = (
+		overrides: Partial<{
+			id: string;
+			providerId: string;
+			issuer: string;
+			domain: string;
+			domainVerified: boolean;
+			organizationId: string | null;
+			userId: string;
+		}> = {},
+	) => ({
+		id: "provider-1",
+		providerId: "test-provider",
+		issuer: "https://idp.example.com",
+		domain: "example.com",
+		domainVerified: false,
+		organizationId: "org-1" as string | null,
+		userId: "user-1",
+		...overrides,
+	});
+	it("should NOT assign user to org when provider domain is unverified", async () => {
+		const { data, createContext } = createTestContext();
+		data.organization.push(createOrg());
+		data.ssoProvider.push(createProvider({ domainVerified: false }));
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(0);
+	});
+	it("should assign user to org when provider domain is verified", async () => {
+		const { data, createContext } = createTestContext();
+		const org = createOrg();
+		data.organization.push(org);
+		data.ssoProvider.push(
+			createProvider({ domainVerified: true, organizationId: org.id }),
+		);
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(1);
+		expect(members[0]?.organizationId).toBe(org.id);
+		expect(members[0]?.role).toBe("member");
+	});
+	it("should NOT assign user when email domain does not match any provider", async () => {
+		const { data, createContext } = createTestContext();
+		data.organization.push(createOrg());
+		data.ssoProvider.push(createProvider({ domainVerified: true }));
+		const user = createUser({ email: "alice@other-domain.com" });
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(0);
+	});
+	it("should NOT assign user when provider has no organizationId", async () => {
+		const { data, createContext } = createTestContext();
+		data.ssoProvider.push(
+			createProvider({ domainVerified: true, organizationId: null }),
+		);
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(0);
+	});
+	it("should NOT assign user when provider has no domainVerified field (verification enabled)", async () => {
+		const { data, createContext } = createTestContext();
+		const org = createOrg();
+		data.organization.push(org);
+		data.ssoProvider.push({
+			id: "provider-1",
+			providerId: "test-provider",
+			issuer: "https://idp.example.com",
+			domain: "example.com",
+			organizationId: org.id,
+			userId: "user-1",
+		} as {
+			id: string;
+			providerId: string;
+			issuer: string;
+			domain: string;
+			domainVerified: boolean;
+			organizationId: string | null;
+			userId: string;
+		});
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(0);
+	});
+	it("should assign user when verification is disabled (no domainVerified check)", async () => {
+		const { data, createContext } = createTestContext();
+		const org = createOrg();
+		data.organization.push(org);
+		data.ssoProvider.push(
+			createProvider({ domainVerified: false, organizationId: org.id }),
+		);
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: false },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(1);
+		expect(members[0]?.organizationId).toBe(org.id);
+	});
+	it("should NOT assign user when already a member of the org", async () => {
+		const { data, createContext } = createTestContext();
+		const org = createOrg();
+		data.organization.push(org);
+		data.ssoProvider.push(
+			createProvider({ domainVerified: true, organizationId: org.id }),
+		);
+		const user = createUser();
+		data.user.push(user);
+		data.member.push({
+			id: "member-1",
+			organizationId: org.id,
+			userId: user.id,
+			role: "admin",
+			createdAt: new Date(),
+		});
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(1);
+		expect(members[0]?.role).toBe("admin");
+	});
+	it("should only find verified provider when multiple providers claim same domain", async () => {
+		const { data, createContext } = createTestContext();
+		const legitOrg = createOrg({
+			id: "legit-org",
+			name: "Legit Org",
+			slug: "legit-org",
+		});
+		const attackerOrg = createOrg({
+			id: "attacker-org",
+			name: "Attacker Org",
+			slug: "attacker-org",
+		});
+		data.organization.push(legitOrg, attackerOrg);
+		data.ssoProvider.push(
+			createProvider({
+				id: "attacker-provider",
+				providerId: "attacker-provider",
+				issuer: "https://attacker.com",
+				domainVerified: false,
+				organizationId: attackerOrg.id,
+			}),
+		);
+		data.ssoProvider.push(
+			createProvider({
+				id: "legit-provider",
+				providerId: "legit-provider",
+				domainVerified: true,
+				organizationId: legitOrg.id,
+			}),
+		);
+		const user = createUser();
+		data.user.push(user);
+		const ctx = (await createContext()) as GenericEndpointContext;
+		await assignOrganizationByDomain(ctx, {
+			user,
+			domainVerification: { enabled: true },
+		});
+		const members = data.member.filter((m) => m.userId === user.id);
+		expect(members).toHaveLength(1);
+		expect(members[0]?.organizationId).toBe(legitOrg.id);
+	});
+});

package/src/linking/org-assignment.ts CHANGED Viewed

@@ -82,6 +82,9 @@ export async function assignOrganizationFromProvider(
 export interface AssignOrganizationByDomainOptions {
 	user: User;
 	provisioningOptions?: OrganizationProvisioningOptions;
+	domainVerification?: {
+		enabled?: boolean;
+	};
 }
 /**
@@ -96,7 +99,7 @@ export async function assignOrganizationByDomain(
 	ctx: GenericEndpointContext,
 	options: AssignOrganizationByDomainOptions,
 ): Promise<void> {
-	const { user, provisioningOptions } = options;
+	const { user, provisioningOptions, domainVerification } = options;
 	if (provisioningOptions?.disabled) {
 		return;
@@ -115,11 +118,19 @@ export async function assignOrganizationByDomain(
 		return;
 	}
+	const whereClause: { field: string; value: string | boolean }[] = [
+		{ field: "domain", value: domain },
+	];
+	if (domainVerification?.enabled) {
+		whereClause.push({ field: "domainVerified", value: true });
+	}
 	const ssoProvider = await ctx.context.adapter.findOne<
 		SSOProvider<SSOOptions>
 	>({
 		model: "ssoProvider",
-		where: [{ field: "domain", value: domain }],
+		where: whereClause,
 	});
 	if (!ssoProvider || !ssoProvider.organizationId) {