@better-auth/sso 1.5.0-beta.13 → 1.5.0-beta.15

package/src/providers.test.ts

@@ -459,11 +459,11 @@ describe("SSO provider read endpoints", () => {
 		});
 	});
 
-	describe("GET /sso/providers/:providerId", () => {
+	describe("GET /sso/get-provider", () => {
 		it("should return 401 when not authenticated", async () => {
 			const { auth } = createTestAuth();
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "test" },
+				query: { providerId: "test" },
 				asResponse: true,
 			});
 			expect(response.status).toBe(401);
@@ -478,7 +478,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "nonexistent" },
+				query: { providerId: "nonexistent" },
 				headers,
 				asResponse: true,
 			});
@@ -504,7 +504,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "other-provider" },
+				query: { providerId: "other-provider" },
 				headers: otherHeaders,
 				asResponse: true,
 			});
@@ -524,7 +524,7 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				query: { providerId: "my-saml-provider" },
 				headers,
 			});
 
@@ -559,7 +559,7 @@ describe("SSO provider read endpoints", () => {
 			);
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-oidc-provider" },
+				query: { providerId: "my-oidc-provider" },
 				headers,
 			});
 
@@ -589,7 +589,7 @@ describe("SSO provider read endpoints", () => {
 			createOIDCProviderData(user!.id, "my-oidc-provider", "client123");
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-oidc-provider" },
+				query: { providerId: "my-oidc-provider" },
 				headers,
 			});
 
@@ -629,7 +629,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-provider" },
+				query: { providerId: "my-provider" },
 				headers,
 			});
 
@@ -671,7 +671,7 @@ describe("SSO provider read endpoints", () => {
 
 			// Owner should be able to access it since they created the org (are admin)
 			const ownerResponse = await auth.api.getSSOProvider({
-				params: { providerId: "user-owned-org-provider" },
+				query: { providerId: "user-owned-org-provider" },
 				headers: ownerHeaders,
 			});
 
@@ -685,7 +685,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const nonAdminResponse = await auth.api.getSSOProvider({
-				params: { providerId: "user-owned-org-provider" },
+				query: { providerId: "user-owned-org-provider" },
 				headers: nonAdminHeaders,
 				asResponse: true,
 			});
@@ -709,7 +709,7 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				query: { providerId: "my-saml-provider" },
 				headers,
 			});
 
@@ -745,7 +745,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				query: { providerId: "my-saml-provider" },
 				headers,
 			});
 
@@ -771,7 +771,7 @@ describe("SSO provider read endpoints", () => {
 			createOIDCProviderData(user!.id, "my-oidc-provider", "abc");
 
 			const response = await auth.api.getSSOProvider({
-				params: { providerId: "my-oidc-provider" },
+				query: { providerId: "my-oidc-provider" },
 				headers,
 			});
 
@@ -779,12 +779,11 @@ describe("SSO provider read endpoints", () => {
 		});
 	});
 
-	describe("PATCH /sso/providers/:providerId", () => {
+	describe("POST /sso/update-provider", () => {
 		it("should return 401 when not authenticated", async () => {
 			const { auth } = createTestAuth();
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "test" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "test", domain: "new-domain.com" },
 				asResponse: true,
 			});
 			expect(response.status).toBe(401);
@@ -799,8 +798,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "nonexistent" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "nonexistent", domain: "new-domain.com" },
 				headers,
 				asResponse: true,
 			});
@@ -826,8 +824,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "other-provider" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "other-provider", domain: "new-domain.com" },
 				headers: otherHeaders,
 				asResponse: true,
 			});
@@ -849,8 +846,7 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const updated = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "my-saml-provider", domain: "new-domain.com" },
 				headers,
 			});
 
@@ -871,8 +867,8 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const updated = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
 				body: {
+					providerId: "my-saml-provider",
 					samlConfig: {
 						audience: "new-audience",
 						wantAssertionsSigned: false,
@@ -904,8 +900,8 @@ describe("SSO provider read endpoints", () => {
 			createOIDCProviderData(user!.id, "my-oidc-provider", "client123");
 
 			const updated = await auth.api.updateSSOProvider({
-				params: { providerId: "my-oidc-provider" },
 				body: {
+					providerId: "my-oidc-provider",
 					oidcConfig: {
 						scopes: ["openid", "email", "profile", "custom"],
 						pkce: false,
@@ -936,8 +932,10 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const updated = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
-				body: { issuer: "https://new-issuer.example.com" },
+				body: {
+					providerId: "my-saml-provider",
+					issuer: "https://new-issuer.example.com",
+				},
 				headers,
 			});
 
@@ -957,8 +955,7 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
-				body: { issuer: "invalid-url" },
+				body: { providerId: "my-saml-provider", issuer: "invalid-url" },
 				headers,
 				asResponse: true,
 			});
@@ -979,8 +976,7 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
-				body: {},
+				body: { providerId: "my-saml-provider" },
 				headers,
 				asResponse: true,
 			});
@@ -1020,8 +1016,7 @@ describe("SSO provider read endpoints", () => {
 			await addMember(adminUser!.id, org!.id, "admin", ownerHeaders);
 
 			const updated = await auth.api.updateSSOProvider({
-				params: { providerId: "org-provider" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "org-provider", domain: "new-domain.com" },
 				headers: adminHeaders,
 			});
 
@@ -1060,8 +1055,7 @@ describe("SSO provider read endpoints", () => {
 			await addMember(memberUser!.id, org!.id, "member", ownerHeaders);
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "org-provider" },
-				body: { domain: "new-domain.com" },
+				body: { providerId: "org-provider", domain: "new-domain.com" },
 				headers: memberHeaders,
 				asResponse: true,
 			});
@@ -1085,8 +1079,8 @@ describe("SSO provider read endpoints", () => {
 			createOIDCProviderData(user!.id, "my-oidc-provider", "client123");
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "my-oidc-provider" },
 				body: {
+					providerId: "my-oidc-provider",
 					samlConfig: {
 						entryPoint: "https://idp.example.com/sso",
 						cert: TEST_CERT,
@@ -1114,8 +1108,8 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const response = await auth.api.updateSSOProvider({
-				params: { providerId: "my-saml-provider" },
 				body: {
+					providerId: "my-saml-provider",
 					oidcConfig: {
 						clientId: "new-client-id",
 						clientSecret: "new-secret",
@@ -1129,11 +1123,11 @@ describe("SSO provider read endpoints", () => {
 		});
 	});
 
-	describe("DELETE /sso/providers/:providerId", () => {
+	describe("POST /sso/delete-provider", () => {
 		it("should return 401 when not authenticated", async () => {
 			const { auth } = createTestAuth();
 			const response = await auth.api.deleteSSOProvider({
-				params: { providerId: "test" },
+				body: { providerId: "test" },
 				asResponse: true,
 			});
 			expect(response.status).toBe(401);
@@ -1148,7 +1142,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.deleteSSOProvider({
-				params: { providerId: "nonexistent" },
+				body: { providerId: "nonexistent" },
 				headers,
 				asResponse: true,
 			});
@@ -1174,7 +1168,7 @@ describe("SSO provider read endpoints", () => {
 			});
 
 			const response = await auth.api.deleteSSOProvider({
-				params: { providerId: "other-provider" },
+				body: { providerId: "other-provider" },
 				headers: otherHeaders,
 				asResponse: true,
 			});
@@ -1194,14 +1188,14 @@ describe("SSO provider read endpoints", () => {
 			await registerSAMLProvider(headers, "my-saml-provider");
 
 			const deleteResponse = await auth.api.deleteSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				body: { providerId: "my-saml-provider" },
 				headers,
 			});
 
 			expect(deleteResponse.success).toBe(true);
 
 			const getResponse = await auth.api.getSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				query: { providerId: "my-saml-provider" },
 				headers,
 				asResponse: true,
 			});
@@ -1241,7 +1235,7 @@ describe("SSO provider read endpoints", () => {
 			await addMember(adminUser!.id, org!.id, "admin", ownerHeaders);
 
 			const deleteResponse = await auth.api.deleteSSOProvider({
-				params: { providerId: "org-provider" },
+				body: { providerId: "org-provider" },
 				headers: adminHeaders,
 			});
 
@@ -1280,7 +1274,7 @@ describe("SSO provider read endpoints", () => {
 			await addMember(memberUser!.id, org!.id, "member", ownerHeaders);
 
 			const response = await auth.api.deleteSSOProvider({
-				params: { providerId: "org-provider" },
+				body: { providerId: "org-provider" },
 				headers: memberHeaders,
 				asResponse: true,
 			});
@@ -1316,7 +1310,7 @@ describe("SSO provider read endpoints", () => {
 			const accountCountBefore = data.account.length;
 
 			await auth.api.deleteSSOProvider({
-				params: { providerId: "my-saml-provider" },
+				body: { providerId: "my-saml-provider" },
 				headers,
 			});
 

package/src/routes/domain-verification.ts

@@ -8,10 +8,22 @@ import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod/v4";
 import type { SSOOptions, SSOProvider } from "../types";
 
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
+
 const domainVerificationBodySchema = z.object({
 	providerId: z.string(),
 });
 
+export function getVerificationIdentifier(
+	options: SSOOptions,
+	providerId: string,
+): string {
+	const tokenPrefix =
+		options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX;
+	return `_${tokenPrefix}-${providerId}`;
+}
+
 export const requestDomainVerification = (options: SSOOptions) => {
 	return createAuthEndpoint(
 		"/sso/request-domain-verification",
@@ -83,15 +95,18 @@ export const requestDomainVerification = (options: SSOOptions) => {
 				});
 			}
 
+			const identifier = getVerificationIdentifier(
+				options,
+				provider.providerId,
+			);
+
 			const activeVerification =
 				await ctx.context.adapter.findOne<Verification>({
 					model: "verification",
 					where: [
 						{
 							field: "identifier",
-							value: options.domainVerification?.tokenPrefix
-								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-								: `better-auth-token-${provider.providerId}`,
+							value: identifier,
 						},
 						{ field: "expiresAt", value: new Date(), operator: "gt" },
 					],
@@ -106,9 +121,7 @@ export const requestDomainVerification = (options: SSOOptions) => {
 			await ctx.context.adapter.create<Verification>({
 				model: "verification",
 				data: {
-					identifier: options.domainVerification?.tokenPrefix
-						? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-						: `better-auth-token-${provider.providerId}`,
+					identifier,
 					createdAt: new Date(),
 					updatedAt: new Date(),
 					value: domainVerificationToken,
@@ -199,15 +212,25 @@ export const verifyDomain = (options: SSOOptions) => {
 				});
 			}
 
+			const identifier = getVerificationIdentifier(
+				options,
+				provider.providerId,
+			);
+
+			if (identifier.length > DNS_LABEL_MAX_LENGTH) {
+				throw new APIError("BAD_REQUEST", {
+					message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+					code: "IDENTIFIER_TOO_LONG",
+				});
+			}
+
 			const activeVerification =
 				await ctx.context.adapter.findOne<Verification>({
 					model: "verification",
 					where: [
 						{
 							field: "identifier",
-							value: options.domainVerification?.tokenPrefix
-								? `${options.domainVerification?.tokenPrefix}-${provider.providerId}`
-								: `better-auth-token-${provider.providerId}`,
+							value: identifier,
 						},
 						{ field: "expiresAt", value: new Date(), operator: "gt" },
 					],
@@ -237,9 +260,8 @@ export const verifyDomain = (options: SSOOptions) => {
 			}
 
 			try {
-				const dnsRecords = await dns.resolveTxt(
-					new URL(provider.domain).hostname,
-				);
+				const hostname = new URL(provider.domain).hostname;
+				const dnsRecords = await dns.resolveTxt(`${identifier}.${hostname}`);
 				records = dnsRecords.flat();
 			} catch (error) {
 				ctx.context.logger.warn(

package/src/routes/helpers.ts

@@ -0,0 +1,126 @@
+import type { DBAdapter } from "@better-auth/core/db/adapter";
+import * as saml from "samlify";
+import type { SAMLConfig, SSOOptions, SSOProvider } from "../types";
+import { safeJsonParse } from "../utils";
+
+export async function findSAMLProvider(
+	providerId: string,
+	options: SSOOptions | undefined,
+	adapter: DBAdapter,
+): Promise<SSOProvider<SSOOptions> | null> {
+	if (options?.defaultSSO?.length) {
+		const match = options.defaultSSO.find((p) => p.providerId === providerId);
+		if (match) {
+			return {
+				...match,
+				userId: "default",
+				issuer: match.samlConfig?.issuer || "",
+				...(options.domainVerification?.enabled
+					? { domainVerified: true }
+					: {}),
+			} as SSOProvider<SSOOptions>;
+		}
+	}
+
+	const res = await adapter.findOne<SSOProvider<SSOOptions>>({
+		model: "ssoProvider",
+		where: [{ field: "providerId", value: providerId }],
+	});
+
+	if (!res) return null;
+
+	return {
+		...res,
+		samlConfig: res.samlConfig
+			? safeJsonParse<SAMLConfig>(res.samlConfig as unknown as string) ||
+				undefined
+			: undefined,
+	};
+}
+
+export function createSP(
+	config: SAMLConfig,
+	baseURL: string,
+	providerId: string,
+	sloOptions?: {
+		wantLogoutRequestSigned?: boolean;
+		wantLogoutResponseSigned?: boolean;
+	},
+) {
+	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
+	return saml.ServiceProvider({
+		entityID: config.spMetadata?.entityID || config.issuer,
+		assertionConsumerService: [
+			{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location:
+					config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`,
+			},
+		],
+		singleLogoutService: [
+			{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+				Location: sloLocation,
+			},
+			{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Location: sloLocation,
+			},
+		],
+		wantMessageSigned: config.wantAssertionsSigned || false,
+		wantLogoutRequestSigned: sloOptions?.wantLogoutRequestSigned ?? false,
+		wantLogoutResponseSigned: sloOptions?.wantLogoutResponseSigned ?? false,
+		metadata: config.spMetadata?.metadata,
+		privateKey: config.spMetadata?.privateKey || config.privateKey,
+		privateKeyPass: config.spMetadata?.privateKeyPass,
+	});
+}
+
+export function createIdP(config: SAMLConfig) {
+	const idpData = config.idpMetadata;
+	if (idpData?.metadata) {
+		return saml.IdentityProvider({
+			metadata: idpData.metadata,
+			privateKey: idpData.privateKey,
+			privateKeyPass: idpData.privateKeyPass,
+			encPrivateKey: idpData.encPrivateKey,
+			encPrivateKeyPass: idpData.encPrivateKeyPass,
+		});
+	}
+	return saml.IdentityProvider({
+		entityID: idpData?.entityID || config.issuer,
+		singleSignOnService: idpData?.singleSignOnService || [
+			{
+				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
+				Location: config.entryPoint,
+			},
+		],
+		singleLogoutService: idpData?.singleLogoutService,
+		signingCert: idpData?.cert || config.cert,
+	});
+}
+
+function escapeHtml(str: string | undefined | null): string {
+	if (!str) return "";
+	return String(str)
+		.replace(/&/g, "&amp;")
+		.replace(/</g, "&lt;")
+		.replace(/>/g, "&gt;")
+		.replace(/"/g, "&quot;")
+		.replace(/'/g, "&#39;");
+}
+
+export function createSAMLPostForm(
+	action: string,
+	samlParam: string,
+	samlValue: string,
+	relayState?: string,
+): Response {
+	const safeAction = escapeHtml(action);
+	const safeSamlParam = escapeHtml(samlParam);
+	const safeSamlValue = escapeHtml(samlValue);
+	const safeRelayState = relayState ? escapeHtml(relayState) : undefined;
+
+	const html = `<!DOCTYPE html><html><body onload="document.forms[0].submit();"><form method="POST" action="${safeAction}"><input type="hidden" name="${safeSamlParam}" value="${safeSamlValue}" />${safeRelayState ? `<input type="hidden" name="RelayState" value="${safeRelayState}" />` : ""}<noscript><input type="submit" value="Continue" /></noscript></form></body></html>`;
+	return new Response(html, { headers: { "Content-Type": "text/html" } });
+}

package/src/routes/providers.ts

@@ -233,7 +233,7 @@ export const listSSOProviders = () => {
 	);
 };
 
-const getSSOProviderParamsSchema = z.object({
+const getSSOProviderQuerySchema = z.object({
 	providerId: z.string(),
 });
 
@@ -280,11 +280,11 @@ async function checkProviderAccess(
 
 export const getSSOProvider = () => {
 	return createAuthEndpoint(
-		"/sso/providers/:providerId",
+		"/sso/get-provider",
 		{
 			method: "GET",
 			use: [sessionMiddleware],
-			params: getSSOProviderParamsSchema,
+			query: getSSOProviderQuerySchema,
 			metadata: {
 				openapi: {
 					operationId: "getSSOProvider",
@@ -305,7 +305,7 @@ export const getSSOProvider = () => {
 			},
 		},
 		async (ctx) => {
-			const { providerId } = ctx.params;
+			const { providerId } = ctx.query;
 
 			const provider = await checkProviderAccess(ctx, providerId);
 
@@ -387,12 +387,13 @@ function mergeOIDCConfig(
 
 export const updateSSOProvider = (options: SSOOptions) => {
 	return createAuthEndpoint(
-		"/sso/providers/:providerId",
+		"/sso/update-provider",
 		{
-			method: "PATCH",
+			method: "POST",
 			use: [sessionMiddleware],
-			params: getSSOProviderParamsSchema,
-			body: updateSSOProviderBodySchema,
+			body: updateSSOProviderBodySchema.extend({
+				providerId: z.string(),
+			}),
 			metadata: {
 				openapi: {
 					operationId: "updateSSOProvider",
@@ -414,8 +415,7 @@ export const updateSSOProvider = (options: SSOOptions) => {
 			},
 		},
 		async (ctx) => {
-			const { providerId } = ctx.params;
-			const body = ctx.body;
+			const { providerId, ...body } = ctx.body;
 
 			const { issuer, domain, samlConfig, oidcConfig } = body;
 			if (!issuer && !domain && !samlConfig && !oidcConfig) {
@@ -525,11 +525,13 @@ export const updateSSOProvider = (options: SSOOptions) => {
 
 export const deleteSSOProvider = () => {
 	return createAuthEndpoint(
-		"/sso/providers/:providerId",
+		"/sso/delete-provider",
 		{
-			method: "DELETE",
+			method: "POST",
 			use: [sessionMiddleware],
-			params: getSSOProviderParamsSchema,
+			body: z.object({
+				providerId: z.string(),
+			}),
 			metadata: {
 				openapi: {
 					operationId: "deleteSSOProvider",
@@ -550,7 +552,7 @@ export const deleteSSOProvider = () => {
 			},
 		},
 		async (ctx) => {
-			const { providerId } = ctx.params;
+			const { providerId } = ctx.body;
 
 			await checkProviderAccess(ctx, providerId);