@better-auth/sso 1.5.0-beta.13 → 1.5.0-beta.16

package/src/types.ts

@@ -60,6 +60,10 @@ export interface SAMLConfig {
 					Binding: string;
 					Location: string;
 				}>;
+				singleLogoutService?: Array<{
+					Binding: string;
+					Location: string;
+				}>;
 		  }
 		| undefined;
 	spMetadata: {
@@ -83,6 +87,25 @@ export interface SAMLConfig {
 	mapping?: SAMLMapping | undefined;
 }
 
+/** Session data stored during SAML login for Single Logout */
+export interface SAMLSessionRecord {
+	sessionId: string;
+	providerId: string;
+	nameID: string;
+	sessionIndex?: string;
+}
+
+/** Parsed SAML assertion extract from samlify */
+export interface SAMLAssertionExtract {
+	nameID?: string;
+	sessionIndex?: string;
+	inResponseTo?: string;
+	conditions?: {
+		notBefore?: string;
+		notOnOrAfter?: string;
+	};
+}
+
 type BaseSSOProvider = {
 	issuer: string;
 	oidcConfig?: OIDCConfig | undefined;
@@ -253,12 +276,20 @@ export interface SSOOptions {
 		 */
 		enabled?: boolean;
 		/**
-		 * Prefix used to generate the domain verification token
+		 * Prefix used to generate the domain verification token.
+		 * An underscore is automatically prepended to follow DNS
+		 * infrastructure subdomain conventions (RFC 8552), so do
+		 * not include a leading underscore.
 		 *
-		 * @default "better-auth-token-"
+		 * @default "better-auth-token"
 		 */
 		tokenPrefix?: string;
 	};
+	/**
+	 * A shared redirect URI used by all OIDC providers instead of
+	 * per-provider callback URLs. Can be a path or a full URL.
+	 */
+	redirectURI?: string;
 	/**
 	 * SAML security options for AuthnRequest/InResponseTo validation.
 	 * This prevents unsolicited responses, replay attacks, and cross-provider injection.
@@ -354,6 +385,26 @@ export interface SSOOptions {
 		 * @default 102400 (100KB)
 		 */
 		maxMetadataSize?: number;
+		/**
+		 * Enable SAML Single Logout
+		 * @default false
+		 */
+		enableSingleLogout?: boolean;
+		/**
+		 * TTL for LogoutRequest records in milliseconds
+		 * @default 300000 (5 minutes)
+		 */
+		logoutRequestTTL?: number;
+		/**
+		 * Require signed LogoutRequests from IdP
+		 * @default false
+		 */
+		wantLogoutRequestSigned?: boolean;
+		/**
+		 * Require signed LogoutResponses from IdP
+		 * @default false
+		 */
+		wantLogoutResponseSigned?: boolean;
 	};
 }
 

package/src/utils.test.ts

@@ -1,6 +1,9 @@
 import { describe, expect, it } from "vitest";
 import { validateEmailDomain } from "./utils";
 
+/**
+ * @see https://github.com/better-auth/better-auth/issues/7324
+ */
 describe("validateEmailDomain", () => {
 	// Tests for issue #7324: Enterprise multi-domain SSO support
 	// https://github.com/better-auth/better-auth/issues/7324

package/vitest.config.ts

@@ -1,3 +1,8 @@
 import { defineProject } from "vitest/config";
 
-export default defineProject({});
+export default defineProject({
+	test: {
+		clearMocks: true,
+		restoreMocks: true,
+	},
+});