@better-auth/sso 1.5.0-beta.1 → 1.5.0-beta.10

package/src/types.ts

@@ -73,6 +73,7 @@ export interface SAMLConfig {
 		encPrivateKeyPass?: string | undefined;
 	};
 	wantAssertionsSigned?: boolean | undefined;
+	authnRequestsSigned?: boolean | undefined;
 	signatureAlgorithm?: string | undefined;
 	digestAlgorithm?: string | undefined;
 	identifierFormat?: string | undefined;
@@ -341,5 +342,24 @@ export interface SSOOptions {
 		 * ```
 		 */
 		algorithms?: AlgorithmValidationOptions;
+		/**
+		 * Maximum allowed size for SAML responses in bytes.
+		 *
+		 * @default 262144 (256KB)
+		 */
+		maxResponseSize?: number;
+		/**
+		 * Maximum allowed size for IdP metadata XML in bytes.
+		 *
+		 * @default 102400 (100KB)
+		 */
+		maxMetadataSize?: number;
 	};
 }
+
+export interface Member {
+	id: string;
+	userId: string;
+	organizationId: string;
+	role: string;
+}

package/src/utils.test.ts

@@ -0,0 +1,103 @@
+import { describe, expect, it } from "vitest";
+import { validateEmailDomain } from "./utils";
+
+describe("validateEmailDomain", () => {
+	// Tests for issue #7324: Enterprise multi-domain SSO support
+	// https://github.com/better-auth/better-auth/issues/7324
+
+	describe("single domain", () => {
+		it("should validate email matches domain exactly", () => {
+			expect(validateEmailDomain("user@company.com", "company.com")).toBe(true);
+		});
+
+		it("should validate email matches subdomain", () => {
+			expect(validateEmailDomain("user@hr.company.com", "company.com")).toBe(
+				true,
+			);
+			expect(
+				validateEmailDomain("user@dept.hr.company.com", "company.com"),
+			).toBe(true);
+		});
+
+		it("should reject email from different domain", () => {
+			expect(validateEmailDomain("user@other.com", "company.com")).toBe(false);
+		});
+
+		it("should reject email where domain is a suffix but not subdomain", () => {
+			// "notcompany.com" should not match "company.com"
+			expect(validateEmailDomain("user@notcompany.com", "company.com")).toBe(
+				false,
+			);
+		});
+
+		it("should be case-insensitive", () => {
+			expect(validateEmailDomain("USER@COMPANY.COM", "company.com")).toBe(true);
+			expect(validateEmailDomain("user@company.com", "COMPANY.COM")).toBe(true);
+		});
+	});
+
+	describe("multiple domains (enterprise multi-domain SSO)", () => {
+		// Issue #7324: Single IdP (e.g., Okta) serving multiple email domains
+		it("should validate email against any domain in comma-separated list", () => {
+			const domains = "company.com,subsidiary.com,acquired-company.com";
+			expect(validateEmailDomain("user@company.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@subsidiary.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@acquired-company.com", domains)).toBe(
+				true,
+			);
+		});
+
+		it("should validate subdomains for any domain in the list", () => {
+			const domains = "company.com,subsidiary.com";
+			expect(validateEmailDomain("user@hr.company.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@dept.subsidiary.com", domains)).toBe(
+				true,
+			);
+		});
+
+		it("should reject email not matching any domain", () => {
+			const domains = "company.com,subsidiary.com,acquired-company.com";
+			expect(validateEmailDomain("user@other.com", domains)).toBe(false);
+			expect(validateEmailDomain("user@notcompany.com", domains)).toBe(false);
+		});
+
+		it("should handle whitespace in domain list", () => {
+			const domains = "company.com, subsidiary.com , acquired-company.com";
+			expect(validateEmailDomain("user@company.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@subsidiary.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@acquired-company.com", domains)).toBe(
+				true,
+			);
+		});
+
+		it("should handle empty domains in list gracefully", () => {
+			const domains = "company.com,,subsidiary.com";
+			expect(validateEmailDomain("user@company.com", domains)).toBe(true);
+			expect(validateEmailDomain("user@subsidiary.com", domains)).toBe(true);
+		});
+
+		it("should be case-insensitive for multiple domains", () => {
+			const domains = "Company.COM,SUBSIDIARY.com";
+			expect(validateEmailDomain("user@company.com", domains)).toBe(true);
+			expect(validateEmailDomain("USER@SUBSIDIARY.COM", domains)).toBe(true);
+		});
+	});
+
+	describe("edge cases", () => {
+		it("should return false for empty email", () => {
+			expect(validateEmailDomain("", "company.com")).toBe(false);
+		});
+
+		it("should return false for empty domain", () => {
+			expect(validateEmailDomain("user@company.com", "")).toBe(false);
+		});
+
+		it("should return false for email without @", () => {
+			expect(validateEmailDomain("usercompany.com", "company.com")).toBe(false);
+		});
+
+		it("should return false for domain list with only whitespace/commas", () => {
+			expect(validateEmailDomain("user@company.com", ", ,")).toBe(false);
+		});
+	});
+});

package/src/utils.ts

@@ -1,3 +1,5 @@
+import { X509Certificate } from "node:crypto";
+
 /**
  * Safely parses a value that might be a JSON string or already a parsed object.
  * This handles cases where ORMs like Drizzle might return already parsed objects
@@ -29,13 +31,51 @@ export function safeJsonParse<T>(
 	return null;
 }
 
+/**
+ * Checks if a domain matches any domain in a comma-separated list.
+ */
+export const domainMatches = (searchDomain: string, domainList: string) => {
+	const search = searchDomain.toLowerCase();
+	const domains = domainList
+		.split(",")
+		.map((d) => d.trim().toLowerCase())
+		.filter(Boolean);
+	return domains.some((d) => search === d || search.endsWith(`.${d}`));
+};
+
+/**
+ * Validates email domain against allowed domain(s).
+ * Supports comma-separated domains for multi-domain SSO.
+ */
 export const validateEmailDomain = (email: string, domain: string) => {
 	const emailDomain = email.split("@")[1]?.toLowerCase();
-	const providerDomain = domain.toLowerCase();
-	if (!emailDomain || !providerDomain) {
+	if (!emailDomain || !domain) {
 		return false;
 	}
-	return (
-		emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`)
-	);
+	return domainMatches(emailDomain, domain);
 };
+
+export function parseCertificate(certPem: string) {
+	// SAML metadata X509Certificate elements contain raw base64 without PEM headers,
+	// but users may also provide full PEM-formatted certificates. Normalize to PEM.
+	const normalized = certPem.includes("-----BEGIN")
+		? certPem
+		: `-----BEGIN CERTIFICATE-----\n${certPem}\n-----END CERTIFICATE-----`;
+
+	const cert = new X509Certificate(normalized);
+
+	return {
+		fingerprintSha256: cert.fingerprint256,
+		notBefore: cert.validFrom,
+		notAfter: cert.validTo,
+		publicKeyAlgorithm:
+			cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN",
+	};
+}
+
+export function maskClientId(clientId: string): string {
+	if (clientId.length <= 4) {
+		return "****";
+	}
+	return `****${clientId.slice(-4)}`;
+}

package/tsconfig.json

@@ -6,6 +6,9 @@
   "references": [
     {
       "path": "../better-auth/tsconfig.json"
+    },
+    {
+      "path": "../core/tsconfig.json"
     }
   ]
 }

package/tsdown.config.ts

@@ -5,4 +5,5 @@ export default defineConfig({
 	format: ["esm"],
 	entry: ["./src/index.ts", "./src/client.ts"],
 	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
+	sourcemap: true,
 });