@better-auth/sso 1.4.8-beta.6 → 1.4.8

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.8-beta.6 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.8 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             92.65 kB │ gzip: 18.13 kB
+ℹ dist/index.mjs             92.73 kB │ gzip: 18.16 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
 ℹ dist/index.d.mts            1.48 kB │ gzip:  0.51 kB
 ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
-ℹ dist/index-D6Q3ojGP.d.mts  42.86 kB │ gzip:  8.79 kB
-ℹ 5 files, total: 137.63 kB
-✔ Build complete in 11966ms
+ℹ dist/index-ZWFEs7WQ.d.mts  42.70 kB │ gzip:  8.67 kB
+ℹ 5 files, total: 137.55 kB
+✔ Build complete in 15873ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-D6Q3ojGP.mjs";
+import { t as SSOPlugin } from "./index-ZWFEs7WQ.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-D6Q3ojGP.d.mts → index-ZWFEs7WQ.d.mts}

@@ -2,7 +2,7 @@ import { APIError } from "better-auth/api";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
 import { Awaitable, OAuth2Tokens, User } from "better-auth";
-import * as better_call7 from "better-call";
+import * as better_call0 from "better-call";
 
 //#region src/saml/algorithms.d.ts
 declare const SignatureAlgorithm: {
@@ -257,13 +257,7 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
-   *
    * @default false
-   *
-   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
-   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
-   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
-   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -371,7 +365,7 @@ interface SSOOptions {
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
   body: z$1.ZodObject<{
     providerId: z$1.ZodString;
@@ -393,7 +387,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -419,7 +413,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
   body: z$1.ZodObject<{
     providerId: z$1.ZodString;
@@ -444,7 +438,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -488,7 +482,7 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -510,7 +504,7 @@ declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metad
     };
   };
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -589,7 +583,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -776,10 +770,18 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
 }, O["domainVerification"] extends {
   enabled: true;
 } ? {
+  redirectURI: string;
+  oidcConfig: OIDCConfig | null;
+  samlConfig: SAMLConfig | null;
+} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig"> & {
   domainVerified: boolean;
   domainVerificationToken: string;
-} & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
+} : {
+  redirectURI: string;
+  oidcConfig: OIDCConfig | null;
+  samlConfig: SAMLConfig | null;
+} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">>;
+declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -873,7 +875,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -896,7 +898,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
     scope: "server";
   };
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -923,7 +925,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
     scope: "server";
   };
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-D6Q3ojGP.mjs";
+import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-ZWFEs7WQ.mjs";
 export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -4,6 +4,7 @@ import * as saml from "samlify";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
@@ -1297,14 +1298,15 @@ const registerSSOProvider = (options) => {
 				}
 			});
 		}
-		return ctx.json({
+		const result = {
 			...provider,
 			oidcConfig: safeJsonParse(provider.oidcConfig),
 			samlConfig: safeJsonParse(provider.samlConfig),
 			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
-		});
+		};
+		return ctx.json(result);
 	});
 };
 const signInSSOBodySchema = z.object({
@@ -1782,7 +1784,7 @@ const callbackSSOSAML = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2016,7 +2018,7 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
+				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2067,7 +2069,7 @@ const acsEndpoint = (options) => {
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
+		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.8-beta.6",
+  "version": "1.4.8",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -52,6 +52,7 @@
     }
   },
   "dependencies": {
+    "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
     "fast-xml-parser": "^5.2.5",
     "jose": "^6.1.0",
@@ -66,10 +67,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.8-beta.6"
+    "better-auth": "1.4.8"
   },
   "peerDependencies": {
-    "better-auth": "1.4.8-beta.6"
+    "better-auth": "1.4.8"
   },
   "scripts": {
     "test": "vitest",

package/src/index.ts

@@ -153,7 +153,7 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 							return;
 						}
 
-						await assignOrganizationByDomain(ctx, {
+						await assignOrganizationByDomain(ctx as any, {
 							user: newSession.user,
 							provisioningOptions: options?.organizationProvisioning,
 							domainVerification: options?.domainVerification,

package/src/linking/org-assignment.ts

@@ -1,7 +1,25 @@
-import type { GenericEndpointContext, OAuth2Tokens, User } from "better-auth";
+import type { OAuth2Tokens, User } from "better-auth";
 import type { SSOOptions, SSOProvider } from "../types";
 import type { NormalizedSSOProfile } from "./types";
 
+interface EndpointContext {
+	context: {
+		options: {
+			plugins?: Array<{ id: string }>;
+		};
+		adapter: {
+			findOne: <T>(options: {
+				model: string;
+				where: Array<{ field: string; value: unknown }>;
+			}) => Promise<T | null>;
+			create: (options: {
+				model: string;
+				data: Record<string, unknown>;
+			}) => Promise<unknown>;
+		};
+	};
+}
+
 export interface OrganizationProvisioningOptions {
 	disabled?: boolean;
 	defaultRole?: "member" | "admin";
@@ -26,7 +44,7 @@ export interface AssignOrganizationFromProviderOptions {
  * Used in SSO flows (OIDC, SAML) where the provider is already linked to an org.
  */
 export async function assignOrganizationFromProvider(
-	ctx: GenericEndpointContext,
+	ctx: EndpointContext,
 	options: AssignOrganizationFromProviderOptions,
 ): Promise<void> {
 	const { user, profile, provider, token, provisioningOptions } = options;
@@ -96,7 +114,7 @@ export interface AssignOrganizationByDomainOptions {
  * (e.g., Google OAuth with @acme.com email gets added to Acme's org).
  */
 export async function assignOrganizationByDomain(
-	ctx: GenericEndpointContext,
+	ctx: EndpointContext,
 	options: AssignOrganizationByDomainOptions,
 ): Promise<void> {
 	const { user, provisioningOptions, domainVerification } = options;

package/src/routes/sso.ts

@@ -1,3 +1,4 @@
+import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -836,14 +837,20 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				});
 			}
 
+			type SSOProviderResponse = {
+				redirectURI: string;
+				oidcConfig: OIDCConfig | null;
+				samlConfig: SAMLConfig | null;
+			} & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">;
+
 			type SSOProviderReturn = O["domainVerification"] extends { enabled: true }
-				? {
+				? SSOProviderResponse & {
 						domainVerified: boolean;
 						domainVerificationToken: string;
-					} & SSOProvider<O>
-				: SSOProvider<O>;
+					}
+				: SSOProviderResponse;
 
-			return ctx.json({
+			const result = {
 				...provider,
 				oidcConfig: safeJsonParse<OIDCConfig>(
 					provider.oidcConfig as unknown as string,
@@ -856,7 +863,9 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 				...(options?.domainVerification?.enabled
 					? { domainVerificationToken }
 					: {}),
-			} as unknown as SSOProviderReturn);
+			};
+
+			return ctx.json(result as SSOProviderReturn);
 		},
 	);
 };
@@ -1807,8 +1816,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2237,8 +2246,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
-						"utf-8",
+					decodedResponse: new TextDecoder().decode(
+						base64.decode(SAMLResponse),
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2334,8 +2343,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			// Assertion Replay Protection
-			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
-				"utf-8",
+			const samlContentAcs = new TextDecoder().decode(
+				base64.decode(SAMLResponse),
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);
 

package/src/types.ts

@@ -231,13 +231,7 @@ export interface SSOOptions {
 	 *
 	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
 	 * providers in the `trustedProviders` list.
-	 *
 	 * @default false
-	 *
-	 * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
-	 * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
-	 * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
-	 * This option may be removed in a future major version.
 	 */
 	trustEmailVerified?: boolean | undefined;
 	/**