@better-auth/sso 1.5.0-beta.1 → 1.5.0-beta.10

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.5.0-beta.1",
+  "version": "1.5.0-beta.10",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -52,29 +52,32 @@
     }
   },
   "dependencies": {
-    "@better-auth/utils": "0.3.0",
+    "@better-auth/utils": "0.3.1",
     "@better-fetch/fetch": "1.1.21",
-    "fast-xml-parser": "^5.2.5",
+    "fast-xml-parser": "^5.3.3",
     "jose": "^6.1.0",
-    "samlify": "^2.10.1",
-    "zod": "^4.1.12"
+    "samlify": "^2.10.2",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
-    "@types/express": "^5.0.5",
-    "better-call": "1.1.7",
-    "body-parser": "^2.2.1",
-    "express": "^5.1.0",
-    "oauth2-mock-server": "^8.2.0",
-    "tsdown": "^0.17.2",
-    "better-auth": "1.5.0-beta.1"
+    "@types/express": "^5.0.6",
+    "better-call": "1.2.0",
+    "body-parser": "^2.2.2",
+    "express": "^5.2.1",
+    "oauth2-mock-server": "^8.2.1",
+    "tsdown": "^0.20.1",
+    "@better-auth/core": "1.5.0-beta.10",
+    "better-auth": "1.5.0-beta.10"
   },
   "peerDependencies": {
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/utils": "0.3.1",
+    "@better-auth/core": "1.5.0-beta.10",
+    "better-auth": "1.5.0-beta.10"
   },
   "scripts": {
     "test": "vitest",
-    "coverage": "vitest run --coverage",
+    "coverage": "vitest run --coverage --coverage.provider=istanbul",
     "lint:package": "publint run --strict",
     "lint:types": "attw --profile esm-only --pack .",
     "build": "tsdown",

package/src/client.ts

@@ -1,4 +1,4 @@
-import type { BetterAuthClientPlugin } from "better-auth";
+import type { BetterAuthClientPlugin } from "better-auth/client";
 import type { SSOPlugin } from "./index";
 
 interface SSOClientOptions {
@@ -21,5 +21,9 @@ export const ssoClient = <CO extends SSOClientOptions>(
 					: false;
 			};
 		}>,
+		pathMethods: {
+			"/sso/providers": "GET",
+			"/sso/providers/:providerId": "GET",
+		},
 	} satisfies BetterAuthClientPlugin;
 };

package/src/constants.ts

@@ -40,3 +40,19 @@ export const DEFAULT_ASSERTION_TTL_MS = 15 * 60 * 1000;
  * - Distributed systems across timezones
  */
 export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;
+
+// ============================================================================
+// Size Limits (DoS Protection)
+// ============================================================================
+
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+export const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+export const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;

package/src/index.ts

@@ -7,6 +7,12 @@ import {
 	requestDomainVerification,
 	verifyDomain,
 } from "./routes/domain-verification";
+import {
+	deleteSSOProvider,
+	getSSOProvider,
+	listSSOProviders,
+	updateSSOProvider,
+} from "./routes/providers";
 import {
 	acsEndpoint,
 	callbackSSO,
@@ -16,6 +22,12 @@ import {
 	spMetadata,
 } from "./routes/sso";
 
+export {
+	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
+} from "./constants";
+
 export {
 	type SAMLConditions,
 	type TimestampValidationOptions,
@@ -35,6 +47,14 @@ import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
 export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
 
+declare module "@better-auth/core" {
+	interface BetterAuthPluginRegistry<AuthOptions, Options> {
+		sso: {
+			creator: typeof sso;
+		};
+	}
+}
+
 export {
 	computeDiscoveryUrl,
 	type DiscoverOIDCConfigParams,
@@ -78,6 +98,10 @@ type SSOEndpoints<O extends SSOOptions> = {
 	callbackSSO: ReturnType<typeof callbackSSO>;
 	callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
 	acsEndpoint: ReturnType<typeof acsEndpoint>;
+	listSSOProviders: ReturnType<typeof listSSOProviders>;
+	getSSOProvider: ReturnType<typeof getSSOProvider>;
+	updateSSOProvider: ReturnType<typeof updateSSOProvider>;
+	deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
 };
 
 export type SSOPlugin<O extends SSOOptions> = {
@@ -88,6 +112,16 @@ export type SSOPlugin<O extends SSOOptions> = {
 			: {});
 };
 
+/**
+ * SAML endpoint paths that should skip origin check validation.
+ * These endpoints receive POST requests from external Identity Providers,
+ * which won't have a matching Origin header.
+ */
+const SAML_SKIP_ORIGIN_CHECK_PATHS = [
+	"/sso/saml2/callback", // SP-initiated SSO callback (prefix matches /callback/:providerId)
+	"/sso/saml2/sp/acs", // IdP-initiated SSO ACS (prefix matches /sp/acs/:providerId)
+];
+
 export function sso<
 	O extends SSOOptions & {
 		domainVerification?: { enabled: true };
@@ -97,7 +131,7 @@ export function sso<
 ): {
 	id: "sso";
 	endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-	schema: any;
+	schema: NonNullable<BetterAuthPlugin["schema"]>;
 	options: O;
 };
 export function sso<O extends SSOOptions>(
@@ -107,7 +141,9 @@ export function sso<O extends SSOOptions>(
 	endpoints: SSOEndpoints<O>;
 };
 
-export function sso<O extends SSOOptions>(options?: O | undefined): any {
+export function sso<O extends SSOOptions>(
+	options?: O | undefined,
+): BetterAuthPlugin {
 	const optionsWithStore = options as O;
 
 	let endpoints = {
@@ -117,6 +153,10 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 		callbackSSO: callbackSSO(optionsWithStore),
 		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
 		acsEndpoint: acsEndpoint(optionsWithStore),
+		listSSOProviders: listSSOProviders(),
+		getSSOProvider: getSSOProvider(),
+		updateSSOProvider: updateSSOProvider(optionsWithStore),
+		deleteSSOProvider: deleteSSOProvider(),
 	};
 
 	if (options?.domainVerification?.enabled) {
@@ -133,6 +173,18 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 
 	return {
 		id: "sso",
+		init(ctx) {
+			const existing = ctx.skipOriginCheck;
+			if (existing === true) {
+				return {};
+			}
+			const existingPaths = Array.isArray(existing) ? existing : [];
+			return {
+				context: {
+					skipOriginCheck: [...existingPaths, ...SAML_SKIP_ORIGIN_CHECK_PATHS],
+				},
+			};
+		},
 		endpoints,
 		hooks: {
 			after: [
@@ -146,10 +198,7 @@ export function sso<O extends SSOOptions>(options?: O | undefined): any {
 							return;
 						}
 
-						const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-							(plugin: { id: string }) => plugin.id === "organization",
-						);
-						if (!isOrgPluginEnabled) {
+						if (!ctx.context.hasPlugin("organization")) {
 							return;
 						}
 

package/src/linking/org-assignment.test.ts

@@ -56,7 +56,7 @@ describe("assignOrganizationByDomain", () => {
 
 		const createContext = async () => {
 			const context = await auth.$context;
-			return { context } as Partial<GenericEndpointContext>;
+			return { context } as unknown as Partial<GenericEndpointContext>;
 		};
 
 		return { auth, data, createContext };

package/src/linking/org-assignment.ts

@@ -1,5 +1,6 @@
 import type { GenericEndpointContext, OAuth2Tokens, User } from "better-auth";
 import type { SSOOptions, SSOProvider } from "../types";
+import { domainMatches } from "../utils";
 import type { NormalizedSSOProfile } from "./types";
 
 export interface OrganizationProvisioningOptions {
@@ -39,11 +40,7 @@ export async function assignOrganizationFromProvider(
 		return;
 	}
 
-	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-		(plugin) => plugin.id === "organization",
-	);
-
-	if (!isOrgPluginEnabled) {
+	if (!ctx.context.hasPlugin("organization")) {
 		return;
 	}
 
@@ -105,11 +102,7 @@ export async function assignOrganizationByDomain(
 		return;
 	}
 
-	const isOrgPluginEnabled = ctx.context.options.plugins?.find(
-		(plugin) => plugin.id === "organization",
-	);
-
-	if (!isOrgPluginEnabled) {
+	if (!ctx.context.hasPlugin("organization")) {
 		return;
 	}
 
@@ -118,6 +111,8 @@ export async function assignOrganizationByDomain(
 		return;
 	}
 
+	// Support comma-separated domains for multi-domain SSO
+	// First try exact match (fast path)
 	const whereClause: { field: string; value: string | boolean }[] = [
 		{ field: "domain", value: domain },
 	];
@@ -126,13 +121,25 @@ export async function assignOrganizationByDomain(
 		whereClause.push({ field: "domainVerified", value: true });
 	}
 
-	const ssoProvider = await ctx.context.adapter.findOne<
-		SSOProvider<SSOOptions>
-	>({
+	let ssoProvider = await ctx.context.adapter.findOne<SSOProvider<SSOOptions>>({
 		model: "ssoProvider",
 		where: whereClause,
 	});
 
+	// If not found, search all providers for comma-separated domain match
+	if (!ssoProvider) {
+		const allProviders = await ctx.context.adapter.findMany<
+			SSOProvider<SSOOptions>
+		>({
+			model: "ssoProvider",
+			where: domainVerification?.enabled
+				? [{ field: "domainVerified", value: true }]
+				: [],
+		});
+		ssoProvider =
+			allProviders.find((p) => domainMatches(domain, p.domain)) ?? null;
+	}
+
 	if (!ssoProvider || !ssoProvider.organizationId) {
 		return;
 	}

package/src/oidc.test.ts

@@ -7,7 +7,7 @@ import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import { sso } from ".";
 import { ssoClient } from "./client";
 
-let server = new OAuth2Server();
+const server = new OAuth2Server();
 
 describe("SSO", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
@@ -253,6 +253,118 @@ describe("SSO", async () => {
 		const { callbackURL } = await simulateOAuthFlow(res.url, headers);
 		expect(callbackURL).toContain("/dashboard");
 	});
+
+	it("should normalize email to lowercase in OIDC authentication", async () => {
+		const { headers } = await signInWithTestUser();
+
+		// Register a new provider for this test
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "email-case-oidc-provider",
+				issuer: server.issuer.url!,
+				domain: "email-case-test.com",
+				oidcConfig: {
+					clientId: "email-case-test-client",
+					clientSecret: "test-client-secret",
+					discoveryEndpoint: `${server.issuer.url!}/.well-known/openid-configuration`,
+					pkce: false,
+				},
+			},
+			headers,
+		});
+
+		// Store original listeners and set up mixed-case email
+		const originalUserinfoListeners =
+			server.service.listeners("beforeUserinfo");
+		const originalTokenListeners =
+			server.service.listeners("beforeTokenSigning");
+
+		server.service.removeAllListeners("beforeUserinfo");
+		server.service.removeAllListeners("beforeTokenSigning");
+
+		const mixedCaseEmail = "OIDCUser@Example.COM";
+
+		server.service.on("beforeUserinfo", (userInfoResponse) => {
+			userInfoResponse.body = {
+				email: mixedCaseEmail,
+				name: "OIDC Test User",
+				sub: "oidc-email-case-test-user",
+				picture: "https://test.com/picture.png",
+				email_verified: true,
+			};
+			userInfoResponse.statusCode = 200;
+		});
+
+		server.service.on("beforeTokenSigning", (token) => {
+			token.payload.email = mixedCaseEmail;
+			token.payload.email_verified = true;
+			token.payload.name = "OIDC Test User";
+			token.payload.sub = "oidc-email-case-test-user";
+		});
+
+		try {
+			// First sign in - should create user with lowercase email
+			const signInHeaders1 = new Headers();
+			const res1 = await authClient.signIn.sso({
+				email: `user@email-case-test.com`,
+				callbackURL: "/dashboard",
+				fetchOptions: {
+					throw: true,
+					onSuccess: cookieSetter(signInHeaders1),
+				},
+			});
+
+			const { callbackURL: callbackURL1, headers: sessionHeaders1 } =
+				await simulateOAuthFlow(res1.url, signInHeaders1);
+			expect(callbackURL1).toContain("/dashboard");
+
+			// Get session and verify email is lowercase
+			const session1 = await authClient.getSession({
+				fetchOptions: {
+					headers: sessionHeaders1,
+				},
+			});
+
+			expect(session1.data?.user.email).toBe("oidcuser@example.com");
+			const firstUserId = session1.data?.user.id;
+			expect(firstUserId).toBeDefined();
+
+			// Second sign in with same mixed-case email - should find existing user
+			const signInHeaders2 = new Headers();
+			const res2 = await authClient.signIn.sso({
+				email: `user@email-case-test.com`,
+				callbackURL: "/dashboard",
+				fetchOptions: {
+					throw: true,
+					onSuccess: cookieSetter(signInHeaders2),
+				},
+			});
+
+			const { callbackURL: callbackURL2, headers: sessionHeaders2 } =
+				await simulateOAuthFlow(res2.url, signInHeaders2);
+			expect(callbackURL2).toContain("/dashboard");
+
+			// Verify same user is returned
+			const session2 = await authClient.getSession({
+				fetchOptions: {
+					headers: sessionHeaders2,
+				},
+			});
+
+			expect(session2.data?.user.id).toBe(firstUserId);
+			expect(session2.data?.user.email).toBe("oidcuser@example.com");
+		} finally {
+			// Restore original listeners
+			server.service.removeAllListeners("beforeUserinfo");
+			server.service.removeAllListeners("beforeTokenSigning");
+			for (const listener of originalUserinfoListeners) {
+				server.service.on("beforeUserinfo", listener);
+			}
+			for (const listener of originalTokenListeners) {
+				server.service.on("beforeTokenSigning", listener);
+			}
+		}
+	});
 });
 
 describe("SSO disable implicit sign in", async () => {