@better-auth/sso 1.5.0-beta.1 → 1.5.0-beta.3

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.5.0-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.5.0-beta.3 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             95.91 kB │ gzip: 18.60 kB
+ℹ dist/index.mjs             99.53 kB │ gzip: 19.50 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/index.d.mts            1.48 kB │ gzip:  0.51 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
-ℹ dist/index-CvpS40sl.d.mts  43.12 kB │ gzip:  8.83 kB
-ℹ 5 files, total: 141.14 kB
-✔ Build complete in 15982ms
+ℹ dist/index.d.mts            1.67 kB │ gzip:  0.57 kB
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
+ℹ dist/index-BLMoKtp1.d.mts  44.35 kB │ gzip:  9.16 kB
+ℹ 5 files, total: 146.19 kB
+✔ Build complete in 17127ms

package/LICENSE.md

@@ -1,17 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2024 - present, Bereket Engida
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software
-and associated documentation files (the "Software"), to deal in the Software without restriction,
-including without limitation the rights to use, copy, modify, merge, publish, distribute,
-sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
-is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-CvpS40sl.mjs";
+import { t as SSOPlugin } from "./index-BLMoKtp1.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-CvpS40sl.d.mts → index-BLMoKtp1.d.mts}

@@ -367,6 +367,18 @@ interface SSOOptions {
      * ```
      */
     algorithms?: AlgorithmValidationOptions;
+    /**
+     * Maximum allowed size for SAML responses in bytes.
+     *
+     * @default 262144 (256KB)
+     */
+    maxResponseSize?: number;
+    /**
+     * Maximum allowed size for IdP metadata XML in bytes.
+     *
+     * @default 102400 (100KB)
+     */
+    maxMetadataSize?: number;
   };
 }
 //#endregion
@@ -956,6 +968,28 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 //#endregion
+//#region src/constants.d.ts
+/**
+ * Default clock skew tolerance (5 minutes).
+ * Allows for minor time differences between IdP and SP servers.
+ *
+ * Accommodates:
+ * - Network latency and processing time
+ * - Clock synchronization differences (NTP drift)
+ * - Distributed systems across timezones
+ */
+declare const DEFAULT_CLOCK_SKEW_MS: number;
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
+//#endregion
 //#region src/oidc/types.d.ts
 /**
  * OIDC Discovery Types
@@ -1215,6 +1249,13 @@ declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, exist
 declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
 //#endregion
 //#region src/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<Auth, Context> {
+    sso: {
+      creator: typeof sso;
+    };
+  }
+}
 type DomainVerificationEndpoints = {
   requestDomainVerification: ReturnType<typeof requestDomainVerification>;
   verifyDomain: ReturnType<typeof verifyDomain>;
@@ -1250,4 +1291,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { KeyEncryptionAlgorithm as A, SAMLConfig as C, DataEncryptionAlgorithm as D, AlgorithmValidationOptions as E, DeprecatedAlgorithmBehavior as O, OIDCConfig as S, SSOProvider as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, SignatureAlgorithm as j, DigestAlgorithm as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SSOOptions as w, validateSAMLTimestamp as x, SAMLConditions as y };
+export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CvpS40sl.mjs";
-export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-BLMoKtp1.mjs";
+export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -4,12 +4,12 @@ import * as saml from "samlify";
 import { generateRandomString } from "better-auth/crypto";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
-import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
+import { base64 } from "@better-auth/utils/base64";
 
 //#region src/linking/org-assignment.ts
 /**
@@ -306,6 +306,16 @@ const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
 * - Distributed systems across timezones
 */
 const DEFAULT_CLOCK_SKEW_MS = 300 * 1e3;
+/**
+* Default maximum size for SAML responses (256 KB).
+* Protects against memory exhaustion from oversized SAML payloads.
+*/
+const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+/**
+* Default maximum size for IdP metadata (100 KB).
+* Protects against oversized metadata documents.
+*/
+const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
 
 //#endregion
 //#region src/oidc/types.ts
@@ -653,6 +663,41 @@ function mapDiscoveryErrorToAPIError(error) {
 	}
 }
 
+//#endregion
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
+
 //#endregion
 //#region src/saml/algorithms.ts
 const SignatureAlgorithm = {
@@ -726,25 +771,6 @@ function normalizeSignatureAlgorithm(alg) {
 function normalizeDigestAlgorithm(alg) {
 	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
 }
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
 function extractEncryptionAlgorithms(xml) {
 	try {
 		const parsed = xmlParser.parse(xml);
@@ -853,6 +879,49 @@ function validateConfigAlgorithms(config, options = {}) {
 	}
 }
 
+//#endregion
+//#region src/saml/assertions.ts
+/** @lintignore used in tests */
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
+		});
+	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+
 //#endregion
 //#region src/utils.ts
 /**
@@ -1239,6 +1308,10 @@ const registerSSOProvider = (options) => {
 		})).length >= limit) throw new APIError("FORBIDDEN", { message: "You have reached the maximum number of SSO providers" });
 		const body = ctx.body;
 		if (z.string().url().safeParse(body.issuer).error) throw new APIError("BAD_REQUEST", { message: "Invalid issuer. Must be a valid URL" });
+		if (body.samlConfig?.idpMetadata?.metadata) {
+			const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+		}
 		if (ctx.body.organizationId) {
 			if (!await ctx.context.adapter.findOne({
 				model: "member",
@@ -1273,7 +1346,7 @@ const registerSSOProvider = (options) => {
 					userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 					tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication
 				},
-				isTrustedOrigin: ctx.context.isTrustedOrigin
+				isTrustedOrigin: (url) => ctx.context.isTrustedOrigin(url)
 			});
 		} catch (error) {
 			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
@@ -1773,6 +1846,8 @@ const callbackSSOSAML = (options) => {
 	}, async (ctx) => {
 		const { SAMLResponse, RelayState } = ctx.body;
 		const { providerId } = ctx.params;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId);
@@ -1838,6 +1913,7 @@ const callbackSSOSAML = (options) => {
 			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
 			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
 		});
+		validateSingleAssertion(SAMLResponse);
 		let parsedResponse;
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
@@ -1848,7 +1924,7 @@ const callbackSSOSAML = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2024,6 +2100,8 @@ const acsEndpoint = (options) => {
 	}, async (ctx) => {
 		const { SAMLResponse, RelayState = "" } = ctx.body;
 		const { providerId } = ctx.params;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let provider = null;
 		if (options?.defaultSSO?.length) {
 			const matchingDefault = providerId ? options.defaultSSO.find((defaultProvider) => defaultProvider.providerId === providerId) : options.defaultSSO[0];
@@ -2072,6 +2150,16 @@ const acsEndpoint = (options) => {
 			}],
 			signingCert: idpData?.cert || parsedSamlConfig.cert
 		}) : saml.IdentityProvider({ metadata: idpData.metadata });
+		try {
+			validateSingleAssertion(SAMLResponse);
+		} catch (error) {
+			if (error instanceof APIError) {
+				const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+				const errorCode = error.body?.code === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : "no_assertion";
+				throw ctx.redirect(`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`);
+			}
+			throw error;
+		}
 		let parsedResponse;
 		try {
 			parsedResponse = await sp.parseLoginResponse(idp, "post", { body: {
@@ -2082,7 +2170,7 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			ctx.context.logger.error("SAML response validation failed", {
 				error,
-				decodedResponse: new TextDecoder().decode(base64.decode(SAMLResponse))
+				decodedResponse: Buffer.from(SAMLResponse, "base64").toString("utf-8")
 			});
 			throw new APIError("BAD_REQUEST", {
 				message: "Invalid SAML response",
@@ -2133,7 +2221,7 @@ const acsEndpoint = (options) => {
 				throw ctx.redirect(`${redirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
 			}
 		}
-		const assertionIdAcs = extractAssertionId(new TextDecoder().decode(base64.decode(SAMLResponse)));
+		const assertionIdAcs = extractAssertionId(Buffer.from(SAMLResponse, "base64").toString("utf-8"));
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
@@ -2332,4 +2420,4 @@ function sso(options) {
 }
 
 //#endregion
-export { DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.5.0-beta.1",
+  "version": "1.5.0-beta.3",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -62,15 +62,18 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.1.7",
+    "better-call": "1.1.8",
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "peerDependencies": {
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/utils": "0.3.0",
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "scripts": {
     "test": "vitest",

package/src/constants.ts

@@ -40,3 +40,19 @@ export const DEFAULT_ASSERTION_TTL_MS = 15 * 60 * 1000;
  * - Distributed systems across timezones
  */
 export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;
+
+// ============================================================================
+// Size Limits (DoS Protection)
+// ============================================================================
+
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+export const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
+
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+export const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;

package/src/index.ts

@@ -16,6 +16,12 @@ import {
 	spMetadata,
 } from "./routes/sso";
 
+export {
+	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
+} from "./constants";
+
 export {
 	type SAMLConditions,
 	type TimestampValidationOptions,
@@ -35,6 +41,15 @@ import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "./types";
 
 export type { SAMLConfig, OIDCConfig, SSOOptions, SSOProvider };
 
+declare module "@better-auth/core" {
+	// biome-ignore lint/correctness/noUnusedVariables: Auth and Context need to be same as declared in the module
+	interface BetterAuthPluginRegistry<Auth, Context> {
+		sso: {
+			creator: typeof sso;
+		};
+	}
+}
+
 export {
 	computeDiscoveryUrl,
 	type DiscoverOIDCConfigParams,

package/src/routes/sso.ts

@@ -1,4 +1,3 @@
-import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import type { User, Verification } from "better-auth";
 import {
@@ -37,6 +36,8 @@ import {
 	DEFAULT_ASSERTION_TTL_MS,
 	DEFAULT_AUTHN_REQUEST_TTL_MS,
 	DEFAULT_CLOCK_SKEW_MS,
+	DEFAULT_MAX_SAML_METADATA_SIZE,
+	DEFAULT_MAX_SAML_RESPONSE_SIZE,
 	USED_ASSERTION_KEY_PREFIX,
 } from "../constants";
 import { assignOrganizationFromProvider } from "../linking";
@@ -46,7 +47,11 @@ import {
 	discoverOIDCConfig,
 	mapDiscoveryErrorToAPIError,
 } from "../oidc";
-import { validateConfigAlgorithms, validateSAMLAlgorithms } from "../saml";
+import {
+	validateConfigAlgorithms,
+	validateSAMLAlgorithms,
+	validateSingleAssertion,
+} from "../saml";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
 import { safeJsonParse, validateEmailDomain } from "../utils";
 
@@ -666,6 +671,20 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 					message: "Invalid issuer. Must be a valid URL",
 				});
 			}
+
+			if (body.samlConfig?.idpMetadata?.metadata) {
+				const maxMetadataSize =
+					options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				if (
+					new TextEncoder().encode(body.samlConfig.idpMetadata.metadata)
+						.length > maxMetadataSize
+				) {
+					throw new APIError("BAD_REQUEST", {
+						message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)`,
+					});
+				}
+			}
+
 			if (ctx.body.organizationId) {
 				const organization = await ctx.context.adapter.findOne({
 					model: "member",
@@ -720,7 +739,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 							tokenEndpointAuthentication:
 								body.oidcConfig.tokenEndpointAuthentication,
 						},
-						isTrustedOrigin: ctx.context.isTrustedOrigin,
+						isTrustedOrigin: (url: string) => ctx.context.isTrustedOrigin(url),
 					});
 				} catch (error) {
 					if (error instanceof DiscoveryError) {
@@ -1698,6 +1717,15 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 		async (ctx) => {
 			const { SAMLResponse, RelayState } = ctx.body;
 			const { providerId } = ctx.params;
+
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
+
 			let provider: SSOProvider<SSOOptions> | null = null;
 			if (options?.defaultSSO?.length) {
 				const matchingDefault = options.defaultSSO.find(
@@ -1811,6 +1839,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					: undefined,
 			});
 
+			validateSingleAssertion(SAMLResponse);
+
 			let parsedResponse: FlowResult;
 			try {
 				parsedResponse = await sp.parseLoginResponse(idp, "post", {
@@ -1826,8 +1856,8 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2137,6 +2167,14 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			const { SAMLResponse, RelayState = "" } = ctx.body;
 			const { providerId } = ctx.params;
 
+			const maxResponseSize =
+				options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+			if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) {
+				throw new APIError("BAD_REQUEST", {
+					message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)`,
+				});
+			}
+
 			// If defaultSSO is configured, use it as the provider
 			let provider: SSOProvider<SSOOptions> | null = null;
 
@@ -2240,6 +2278,23 @@ export const acsEndpoint = (options?: SSOOptions) => {
 						metadata: idpData.metadata,
 					});
 
+			try {
+				validateSingleAssertion(SAMLResponse);
+			} catch (error) {
+				if (error instanceof APIError) {
+					const redirectUrl =
+						RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					const errorCode =
+						error.body?.code === "SAML_MULTIPLE_ASSERTIONS"
+							? "multiple_assertions"
+							: "no_assertion";
+					throw ctx.redirect(
+						`${redirectUrl}?error=${errorCode}&error_description=${encodeURIComponent(error.message)}`,
+					);
+				}
+				throw error;
+			}
+
 			// Parse and validate SAML response
 			let parsedResponse: FlowResult;
 			try {
@@ -2256,8 +2311,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			} catch (error) {
 				ctx.context.logger.error("SAML response validation failed", {
 					error,
-					decodedResponse: new TextDecoder().decode(
-						base64.decode(SAMLResponse),
+					decodedResponse: Buffer.from(SAMLResponse, "base64").toString(
+						"utf-8",
 					),
 				});
 				throw new APIError("BAD_REQUEST", {
@@ -2353,8 +2408,8 @@ export const acsEndpoint = (options?: SSOOptions) => {
 			}
 
 			// Assertion Replay Protection
-			const samlContentAcs = new TextDecoder().decode(
-				base64.decode(SAMLResponse),
+			const samlContentAcs = Buffer.from(SAMLResponse, "base64").toString(
+				"utf-8",
 			);
 			const assertionIdAcs = extractAssertionId(samlContentAcs);
 

package/src/saml/algorithms.ts

@@ -1,5 +1,5 @@
 import { APIError } from "better-auth/api";
-import { XMLParser } from "fast-xml-parser";
+import { findNode, xmlParser } from "./parser";
 
 export const SignatureAlgorithm = {
 	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
@@ -102,36 +102,6 @@ export interface AlgorithmValidationOptions {
 	allowedDataEncryptionAlgorithms?: string[];
 }
 
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-});
-
-function findNode(obj: unknown, nodeName: string): unknown {
-	if (!obj || typeof obj !== "object") return null;
-
-	const record = obj as Record<string, unknown>;
-
-	if (nodeName in record) {
-		return record[nodeName];
-	}
-
-	for (const value of Object.values(record)) {
-		if (Array.isArray(value)) {
-			for (const item of value) {
-				const found = findNode(item, nodeName);
-				if (found) return found;
-			}
-		} else if (typeof value === "object" && value !== null) {
-			const found = findNode(value, nodeName);
-			if (found) return found;
-		}
-	}
-
-	return null;
-}
-
 function extractEncryptionAlgorithms(xml: string): {
 	keyEncryption: string | null;
 	dataEncryption: string | null;