@better-auth/sso 1.5.0-beta.1 → 1.5.0-beta.10

package/src/routes/sso.ts

@@ -1,4 +1,3 @@
-import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -12,6 +11,7 @@ import {
 import {
 	APIError,
 	createAuthEndpoint,
+	getSessionFromCtx,
 	sessionMiddleware,
 } from "better-auth/api";
 import { setSessionCookie } from "better-auth/cookies";
@@ -37,6 +37,8 @@ import {
 	DEFAULT_ASSERTION_TTL_MS,
 	DEFAULT_AUTHN_REQUEST_TTL_MS,
 	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
 	USED_ASSERTION_KEY_PREFIX,
 } from "../constants";
 import { assignOrganizationFromProvider } from "../linking";
@@ -46,9 +48,14 @@ import {
 	discoverOIDCConfig,
 	mapDiscoveryErrorToAPIError,
 } from "../oidc";
-import { validateConfigAlgorithms, validateSAMLAlgorithms } from "../saml";
+import {
+	validateConfigAlgorithms,
+	validateSAMLAlgorithms,
+	validateSingleAssertion,
+} from "../saml";
+import { generateRelayState, parseRelayState } from "../saml-state";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
-import { safeJsonParse, validateEmailDomain } from "../utils";
+import { domainMatches, safeJsonParse, validateEmailDomain } from "../utils";
 
 export interface TimestampValidationOptions {
 	clockSkew?: number;
@@ -160,6 +167,8 @@ const spMetadataQuerySchema = z.object({
 	format: z.enum(["xml", "json"]).default("xml"),
 });
 
+type RelayState = Awaited<ReturnType<typeof parseRelayState>>;
+
 export const spMetadata = () => {
 	return createAuthEndpoint(
 		"/sso/saml2/sp/metadata",
@@ -220,6 +229,7 @@ export const spMetadata = () => {
 							},
 						],
 						wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
+						authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 						nameIDFormat: parsedSamlConfig.identifierFormat
 							? [parsedSamlConfig.identifierFormat]
 							: undefined,
@@ -242,7 +252,8 @@ const ssoProviderBodySchema = z.object({
 		description: "The issuer of the provider",
 	}),
 	domain: z.string({}).meta({
-		description: "The domain of the provider. This is used for email matching",
+		description:
+			"The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')",
 	}),
 	oidcConfig: z
 		.object({
@@ -380,6 +391,7 @@ const ssoProviderBodySchema = z.object({
 				encPrivateKeyPass: z.string().optional(),
 			}),
 			wantAssertionsSigned: z.boolean().optional(),
+			authnRequestsSigned: z.boolean().optional(),
 			signatureAlgorithm: z.string().optional(),
 			digestAlgorithm: z.string().optional(),
 			identifierFormat: z.string().optional(),
@@ -666,6 +678,20 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 					message: "Invalid issuer. Must be a valid URL",
 				});
 			}
+
+			if (body.samlConfig?.idpMetadata?.metadata) {
+				const maxMetadataSize =
+					options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (
+					new TextEncoder().encode(body.samlConfig.idpMetadata.metadata)
+						.length > maxMetadataSize
+				) {
+					throw new APIError("BAD_REQUEST", {
+						message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)`,
+					});
+				}
+			}
+
 			if (ctx.body.organizationId) {
 				const organization = await ctx.context.adapter.findOne({
 					model: "member",
@@ -720,7 +746,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 							tokenEndpointAuthentication:
 								body.oidcConfig.tokenEndpointAuthentication,
 						},
-						isTrustedOrigin: ctx.context.isTrustedOrigin,
+						isTrustedOrigin: (url: string) => ctx.context.isTrustedOrigin(url),
 					});
 				} catch (error) {
 					if (error instanceof DiscoveryError) {
@@ -811,6 +837,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 								idpMetadata: body.samlConfig.idpMetadata,
 								spMetadata: body.samlConfig.spMetadata,
 								wantAssertionsSigned: body.samlConfig.wantAssertionsSigned,
+								authnRequestsSigned: body.samlConfig.authnRequestsSigned,
 								signatureAlgorithm: body.samlConfig.signatureAlgorithm,
 								digestAlgorithm: body.samlConfig.digestAlgorithm,
 								identifierFormat: body.samlConfig.identifierFormat,
@@ -1102,38 +1129,58 @@ export const signInSSO = (options?: SSOOptions) => {
 			}
 			// Try to find provider in database
 			if (!provider) {
-				provider = await ctx.context.adapter
-					.findOne<SSOProvider<SSOOptions>>({
-						model: "ssoProvider",
-						where: [
-							{
-								field: providerId
-									? "providerId"
-									: orgId
-										? "organizationId"
-										: "domain",
-								value: providerId || orgId || domain!,
-							},
-						],
-					})
-					.then((res) => {
-						if (!res) {
-							return null;
-						}
-						return {
-							...res,
-							oidcConfig: res.oidcConfig
-								? safeJsonParse<OIDCConfig>(
-										res.oidcConfig as unknown as string,
-									) || undefined
-								: undefined,
-							samlConfig: res.samlConfig
-								? safeJsonParse<SAMLConfig>(
-										res.samlConfig as unknown as string,
-									) || undefined
-								: undefined,
-						};
-					});
+				const parseProvider = (res: SSOProvider<SSOOptions> | null) => {
+					if (!res) return null;
+					return {
+						...res,
+						oidcConfig: res.oidcConfig
+							? safeJsonParse<OIDCConfig>(
+									res.oidcConfig as unknown as string,
+								) || undefined
+							: undefined,
+						samlConfig: res.samlConfig
+							? safeJsonParse<SAMLConfig>(
+									res.samlConfig as unknown as string,
+								) || undefined
+							: undefined,
+					};
+				};
+
+				if (providerId || orgId) {
+					// Exact match for providerId or orgId
+					provider = parseProvider(
+						await ctx.context.adapter.findOne<SSOProvider<SSOOptions>>({
+							model: "ssoProvider",
+							where: [
+								{
+									field: providerId ? "providerId" : "organizationId",
+									value: providerId || orgId!,
+								},
+							],
+						}),
+					);
+				} else if (domain) {
+					// For domain lookup, support comma-separated domains
+					// First try exact match (fast path)
+					provider = parseProvider(
+						await ctx.context.adapter.findOne<SSOProvider<SSOOptions>>({
+							model: "ssoProvider",
+							where: [{ field: "domain", value: domain }],
+						}),
+					);
+					// If not found, search all providers for comma-separated domain match
+					if (!provider) {
+						const allProviders = await ctx.context.adapter.findMany<
+							SSOProvider<SSOOptions>
+						>({
+							model: "ssoProvider",
+						});
+						const matchingProvider = allProviders.find((p) =>
+							domainMatches(domain, p.domain),
+						);
+						provider = parseProvider(matchingProvider ?? null);
+					}
+				}
 			}
 
 			if (!provider) {
@@ -1222,6 +1269,17 @@ export const signInSSO = (options?: SSOOptions) => {
 					});
 				}
 
+				if (
+					parsedSamlConfig.authnRequestsSigned &&
+					!parsedSamlConfig.spMetadata?.privateKey &&
+					!parsedSamlConfig.privateKey
+				) {
+					ctx.context.logger.warn(
+						"authnRequestsSigned is enabled but no privateKey provided - AuthnRequests will not be signed",
+						{ providerId: provider.providerId },
+					);
+				}
+
 				let metadata = parsedSamlConfig.spMetadata.metadata;
 
 				if (!metadata) {
@@ -1241,6 +1299,8 @@ export const signInSSO = (options?: SSOOptions) => {
 								],
 								wantMessageSigned:
 									parsedSamlConfig.wantAssertionsSigned || false,
+								authnRequestsSigned:
+									parsedSamlConfig.authnRequestsSigned || false,
 								nameIDFormat: parsedSamlConfig.identifierFormat
 									? [parsedSamlConfig.identifierFormat]
 									: undefined,
@@ -1251,6 +1311,10 @@ export const signInSSO = (options?: SSOOptions) => {
 				const sp = saml.ServiceProvider({
 					metadata: metadata,
 					allowCreate: true,
+					privateKey:
+						parsedSamlConfig.spMetadata?.privateKey ||
+						parsedSamlConfig.privateKey,
+					privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 				});
 
 				const idp = saml.IdentityProvider({
@@ -1274,6 +1338,12 @@ export const signInSSO = (options?: SSOOptions) => {
 					});
 				}
 
+				const { state: relayState } = await generateRelayState(
+					ctx,
+					undefined,
+					false,
+				);
+
 				const shouldSaveRequest =
 					loginRequest.id && options?.saml?.enableInResponseToValidation;
 				if (shouldSaveRequest) {
@@ -1292,9 +1362,7 @@ export const signInSSO = (options?: SSOOptions) => {
 				}
 
 				return ctx.json({
-					url: `${loginRequest.context}&RelayState=${encodeURIComponent(
-						body.callbackURL,
-					)}`,
+					url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
 					redirect: true,
 				});
 			}
@@ -1664,12 +1732,71 @@ const callbackSSOSAMLBodySchema = z.object({
 	RelayState: z.string().optional(),
 });
 
+/**
+ * Validates and returns a safe redirect URL.
+ * - Prevents open redirect attacks by validating against trusted origins
+ * - Prevents redirect loops by checking if URL points to callback route
+ * - Falls back to appOrigin if URL is invalid or unsafe
+ */
+const getSafeRedirectUrl = (
+	url: string | undefined,
+	callbackPath: string,
+	appOrigin: string,
+	isTrustedOrigin: (
+		url: string,
+		settings?: { allowRelativePaths: boolean },
+	) => boolean,
+): string => {
+	if (!url) {
+		return appOrigin;
+	}
+
+	if (url.startsWith("/") && !url.startsWith("//")) {
+		try {
+			const absoluteUrl = new URL(url, appOrigin);
+			if (absoluteUrl.origin !== appOrigin) {
+				return appOrigin;
+			}
+			const callbackPathname = new URL(callbackPath).pathname;
+			if (absoluteUrl.pathname === callbackPathname) {
+				return appOrigin;
+			}
+		} catch {
+			return appOrigin;
+		}
+		return url;
+	}
+
+	if (!isTrustedOrigin(url, { allowRelativePaths: false })) {
+		return appOrigin;
+	}
+
+	try {
+		const callbackPathname = new URL(callbackPath).pathname;
+		const urlPathname = new URL(url).pathname;
+		if (urlPathname === callbackPathname) {
+			return appOrigin;
+		}
+	} catch {
+		if (url === callbackPath || url.startsWith(`${callbackPath}?`)) {
+			return appOrigin;
+		}
+	}
+
+	return url;
+};
+
 export const callbackSSOSAML = (options?: SSOOptions) => {
 	return createAuthEndpoint(
 		"/sso/saml2/callback/:providerId",
 		{
-			method: "POST",
-			body: callbackSSOSAMLBodySchema,
+			method: ["GET", "POST"],
+			body: callbackSSOSAMLBodySchema.optional(),
+			query: z
+				.object({
+					RelayState: z.string().optional(),
+				})
+				.optional(),
 			metadata: {
 				...HIDE_METADATA,
 				allowedMediaTypes: [
@@ -1680,7 +1807,7 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					operationId: "handleSAMLCallback",
 					summary: "Callback URL for SAML provider",
 					description:
-						"This endpoint is used as the callback URL for SAML providers.",
+						"This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
 					responses: {
 						"302": {
 							description: "Redirects to the callback URL",
@@ -1696,8 +1823,58 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			},
 		},
 		async (ctx) => {
-			const { SAMLResponse, RelayState } = ctx.body;
 			const { providerId } = ctx.params;
+			const appOrigin = new URL(ctx.context.baseURL).origin;
+			const errorURL =
+				ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+			const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
+
+			// Determine if this is a GET request by checking both method AND body presence
+			// When called via auth.api.*, ctx.method may not be reliable, so we also check for body
+			const isGetRequest = ctx.method === "GET" && !ctx.body?.SAMLResponse;
+
+			if (isGetRequest) {
+				const session = await getSessionFromCtx(ctx);
+
+				if (!session?.session) {
+					throw ctx.redirect(`${errorURL}?error=invalid_request`);
+				}
+
+				const relayState = ctx.query?.RelayState as string | undefined;
+				const safeRedirectUrl = getSafeRedirectUrl(
+					relayState,
+					currentCallbackPath,
+					appOrigin,
+					(url, settings) => ctx.context.isTrustedOrigin(url, settings),
+				);
+
+				throw ctx.redirect(safeRedirectUrl);
+			}
+
+			if (!ctx.body?.SAMLResponse) {
+				throw new APIError("BAD_REQUEST", {
+					message: "SAMLResponse is required for POST requests",
+				});
+			}
+
+			const { SAMLResponse } = ctx.body;
+
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
+
+			let relayState: RelayState | null = null;
+			if (ctx.body.RelayState) {
+				try {
+					relayState = await parseRelayState(ctx);
+				} catch {
+					relayState = null;
+				}
+			}
 			let provider: SSOProvider<SSOOptions> | null = null;
 			if (options?.defaultSSO?.length) {
 				const matchingDefault = options.defaultSSO.find(
@@ -1811,12 +1988,14 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					: undefined,
 			});
 
+			validateSingleAssertion(SAMLResponse);
+
 			let parsedResponse: FlowResult;
 			try {
 				parsedResponse = await sp.parseLoginResponse(idp, "post", {
 					body: {
 						SAMLResponse,
-						RelayState: RelayState || undefined,
+						RelayState: ctx.body.RelayState || undefined,
 					},
 				});
 
@@ -1826,8 +2005,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -1879,7 +2058,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							{ inResponseTo, providerId: provider.providerId },
 						);
 						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+							relayState?.callbackURL ||
+							parsedSamlConfig.callbackUrl ||
+							ctx.context.baseURL;
 						throw ctx.redirect(
 							`${redirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`,
 						);
@@ -1899,7 +2080,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 							`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`,
 						);
 						const redirectUrl =
-							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+							relayState?.callbackURL ||
+							parsedSamlConfig.callbackUrl ||
+							ctx.context.baseURL;
 						throw ctx.redirect(
 							`${redirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`,
 						);
@@ -1914,7 +2097,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						{ providerId: provider.providerId },
 					);
 					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						relayState?.callbackURL ||
+						parsedSamlConfig.callbackUrl ||
+						ctx.context.baseURL;
 					throw ctx.redirect(
 						`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`,
 					);
@@ -1967,7 +2152,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 						},
 					);
 					const redirectUrl =
-						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						relayState?.callbackURL ||
+						parsedSamlConfig.callbackUrl ||
+						ctx.context.baseURL;
 					throw ctx.redirect(
 						`${redirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`,
 					);
@@ -2002,7 +2189,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					]),
 				),
 				id: attributes[mapping.id || "nameID"] || extract.nameID,
-				email: attributes[mapping.email || "email"] || extract.nameID,
+				email: (
+					attributes[mapping.email || "email"] || extract.nameID
+				).toLowerCase(),
 				name:
 					[
 						attributes[mapping.firstName || "givenName"],
@@ -2041,7 +2230,9 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					validateEmailDomain(userInfo.email as string, provider.domain));
 
 			const callbackUrl =
-				RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				relayState?.callbackURL ||
+				parsedSamlConfig.callbackUrl ||
+				ctx.context.baseURL;
 
 			const result = await handleOAuthUserInfo(ctx, {
 				userInfo: {
@@ -2092,15 +2283,18 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			});
 
 			await setSessionCookie(ctx, { session, user });
-			throw ctx.redirect(callbackUrl);
+
+			const safeRedirectUrl = getSafeRedirectUrl(
+				relayState?.callbackURL || parsedSamlConfig.callbackUrl,
+				currentCallbackPath,
+				appOrigin,
+				(url, settings) => ctx.context.isTrustedOrigin(url, settings),
+			);
+			throw ctx.redirect(safeRedirectUrl);
 		},
 	);
 };
 
-const acsEndpointParamsSchema = z.object({
-	providerId: z.string().optional(),
-});
-
 const acsEndpointBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional(),
@@ -2111,7 +2305,6 @@ export const acsEndpoint = (options?: SSOOptions) => {
 		"/sso/saml2/sp/acs/:providerId",
 		{
 			method: "POST",
-			params: acsEndpointParamsSchema,
 			body: acsEndpointBodySchema,
 			metadata: {
 				...HIDE_METADATA,
@@ -2137,6 +2330,14 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			const { SAMLResponse, RelayState = "" } = ctx.body;
 			const { providerId } = ctx.params;
 
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
+
 			// If defaultSSO is configured, use it as the provider
 			let provider: SSOProvider<SSOOptions> | null = null;
 
@@ -2167,7 +2368,7 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						where: [
 							{
 								field: "providerId",
-								value: providerId ?? "sso",
+								value: providerId,
 							},
 						],
 					})
@@ -2240,6 +2441,23 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						metadata: idpData.metadata,
 					});
 
+			try {
+				validateSingleAssertion(SAMLResponse);
+			} catch (error) {
+				if (error instanceof APIError) {
+					const redirectUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const errorCode =
+						error.body?.code === "SAML_MULTIPLE_ASSERTIONS"
+							? "multiple_assertions"
+							: "no_assertion";
+					throw ctx.redirect(
+						`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`,
+					);
+				}
+				throw error;
+			}
+
 			// Parse and validate SAML response
 			let parsedResponse: FlowResult;
 			try {
@@ -2256,8 +2474,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2353,8 +2571,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			// Assertion Replay Protection
-			const samlContentAcs = new TextDecoder().decode(
-				base64.decode(SAMLResponse),
+			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
+				"utf-8",
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);
 
@@ -2433,7 +2651,9 @@ export const acsEndpoint = (options?: SSOOptions) => {
 					]),
 				),
 				id: attributes[mapping.id || "nameID"] || extract.nameID,
-				email: attributes[mapping.email || "email"] || extract.nameID,
+				email: (
+					attributes[mapping.email || "email"] || extract.nameID
+				).toLowerCase(),
 				name:
 					[
 						attributes[mapping.firstName || "givenName"],

package/src/saml/algorithms.ts

@@ -1,5 +1,5 @@
 import { APIError } from "better-auth/api";
-import { XMLParser } from "fast-xml-parser";
+import { findNode, xmlParser } from "./parser";
 
 export const SignatureAlgorithm = {
 	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
@@ -102,36 +102,6 @@ export interface AlgorithmValidationOptions {
 	allowedDataEncryptionAlgorithms?: string[];
 }
 
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-});
-
-function findNode(obj: unknown, nodeName: string): unknown {
-	if (!obj || typeof obj !== "object") return null;
-
-	const record = obj as Record<string, unknown>;
-
-	if (nodeName in record) {
-		return record[nodeName];
-	}
-
-	for (const value of Object.values(record)) {
-		if (Array.isArray(value)) {
-			for (const item of value) {
-				const found = findNode(item, nodeName);
-				if (found) return found;
-			}
-		} else if (typeof value === "object" && value !== null) {
-			const found = findNode(value, nodeName);
-			if (found) return found;
-		}
-	}
-
-	return null;
-}
-
 function extractEncryptionAlgorithms(xml: string): {
 	keyEncryption: string | null;
 	dataEncryption: string | null;