@better-auth/sso 1.5.0-beta.18 → 1.5.0-beta.19

package/src/routes/domain-verification.ts

@@ -1,297 +0,0 @@
-import type { Verification } from "better-auth";
-import {
-	APIError,
-	createAuthEndpoint,
-	sessionMiddleware,
-} from "better-auth/api";
-import { generateRandomString } from "better-auth/crypto";
-import * as z from "zod/v4";
-import type { SSOOptions, SSOProvider } from "../types";
-
-const DNS_LABEL_MAX_LENGTH = 63;
-const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-
-const domainVerificationBodySchema = z.object({
-	providerId: z.string(),
-});
-
-export function getVerificationIdentifier(
-	options: SSOOptions,
-	providerId: string,
-): string {
-	const tokenPrefix =
-		options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX;
-	return `_${tokenPrefix}-${providerId}`;
-}
-
-export const requestDomainVerification = (options: SSOOptions) => {
-	return createAuthEndpoint(
-		"/sso/request-domain-verification",
-		{
-			method: "POST",
-			body: domainVerificationBodySchema,
-			metadata: {
-				openapi: {
-					summary: "Request a domain verification",
-					description:
-						"Request a domain verification for the given SSO provider",
-					responses: {
-						"404": {
-							description: "Provider not found",
-						},
-						"409": {
-							description: "Domain has already been verified",
-						},
-						"201": {
-							description: "Domain submitted for verification",
-						},
-					},
-				},
-			},
-			use: [sessionMiddleware],
-		},
-		async (ctx) => {
-			const body = ctx.body;
-			const provider = await ctx.context.adapter.findOne<
-				SSOProvider<SSOOptions>
-			>({
-				model: "ssoProvider",
-				where: [{ field: "providerId", value: body.providerId }],
-			});
-
-			if (!provider) {
-				throw new APIError("NOT_FOUND", {
-					message: "Provider not found",
-					code: "PROVIDER_NOT_FOUND",
-				});
-			}
-
-			const userId = ctx.context.session.user.id;
-			let isOrgMember = true;
-			if (provider.organizationId) {
-				const membershipsCount = await ctx.context.adapter.count({
-					model: "member",
-					where: [
-						{ field: "userId", value: userId },
-						{ field: "organizationId", value: provider.organizationId },
-					],
-				});
-
-				isOrgMember = membershipsCount > 0;
-			}
-
-			if (provider.userId !== userId || !isOrgMember) {
-				throw new APIError("FORBIDDEN", {
-					message:
-						"User must be owner of or belong to the SSO provider organization",
-					code: "INSUFICCIENT_ACCESS",
-				});
-			}
-
-			if ("domainVerified" in provider && provider.domainVerified) {
-				throw new APIError("CONFLICT", {
-					message: "Domain has already been verified",
-					code: "DOMAIN_VERIFIED",
-				});
-			}
-
-			const identifier = getVerificationIdentifier(
-				options,
-				provider.providerId,
-			);
-
-			const activeVerification =
-				await ctx.context.adapter.findOne<Verification>({
-					model: "verification",
-					where: [
-						{
-							field: "identifier",
-							value: identifier,
-						},
-						{ field: "expiresAt", value: new Date(), operator: "gt" },
-					],
-				});
-
-			if (activeVerification) {
-				ctx.setStatus(201);
-				return ctx.json({ domainVerificationToken: activeVerification.value });
-			}
-
-			const domainVerificationToken = generateRandomString(24);
-			await ctx.context.adapter.create<Verification>({
-				model: "verification",
-				data: {
-					identifier,
-					createdAt: new Date(),
-					updatedAt: new Date(),
-					value: domainVerificationToken,
-					expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1000), // 1 week
-				},
-			});
-
-			ctx.setStatus(201);
-			return ctx.json({
-				domainVerificationToken,
-			});
-		},
-	);
-};
-
-export const verifyDomain = (options: SSOOptions) => {
-	return createAuthEndpoint(
-		"/sso/verify-domain",
-		{
-			method: "POST",
-			body: domainVerificationBodySchema,
-			metadata: {
-				openapi: {
-					summary: "Verify the provider domain ownership",
-					description: "Verify the provider domain ownership via DNS records",
-					responses: {
-						"404": {
-							description: "Provider not found",
-						},
-						"409": {
-							description:
-								"Domain has already been verified or no pending verification exists",
-						},
-						"502": {
-							description:
-								"Unable to verify domain ownership due to upstream validator error",
-						},
-						"204": {
-							description: "Domain ownership was verified",
-						},
-					},
-				},
-			},
-			use: [sessionMiddleware],
-		},
-		async (ctx) => {
-			const body = ctx.body;
-			const provider = await ctx.context.adapter.findOne<
-				SSOProvider<SSOOptions>
-			>({
-				model: "ssoProvider",
-				where: [{ field: "providerId", value: body.providerId }],
-			});
-
-			if (!provider) {
-				throw new APIError("NOT_FOUND", {
-					message: "Provider not found",
-					code: "PROVIDER_NOT_FOUND",
-				});
-			}
-
-			const userId = ctx.context.session.user.id;
-			let isOrgMember = true;
-			if (provider.organizationId) {
-				const membershipsCount = await ctx.context.adapter.count({
-					model: "member",
-					where: [
-						{ field: "userId", value: userId },
-						{ field: "organizationId", value: provider.organizationId },
-					],
-				});
-
-				isOrgMember = membershipsCount > 0;
-			}
-
-			if (provider.userId !== userId || !isOrgMember) {
-				throw new APIError("FORBIDDEN", {
-					message:
-						"User must be owner of or belong to the SSO provider organization",
-					code: "INSUFICCIENT_ACCESS",
-				});
-			}
-
-			if ("domainVerified" in provider && provider.domainVerified) {
-				throw new APIError("CONFLICT", {
-					message: "Domain has already been verified",
-					code: "DOMAIN_VERIFIED",
-				});
-			}
-
-			const identifier = getVerificationIdentifier(
-				options,
-				provider.providerId,
-			);
-
-			if (identifier.length > DNS_LABEL_MAX_LENGTH) {
-				throw new APIError("BAD_REQUEST", {
-					message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
-					code: "IDENTIFIER_TOO_LONG",
-				});
-			}
-
-			const activeVerification =
-				await ctx.context.adapter.findOne<Verification>({
-					model: "verification",
-					where: [
-						{
-							field: "identifier",
-							value: identifier,
-						},
-						{ field: "expiresAt", value: new Date(), operator: "gt" },
-					],
-				});
-
-			if (!activeVerification) {
-				throw new APIError("NOT_FOUND", {
-					message: "No pending domain verification exists",
-					code: "NO_PENDING_VERIFICATION",
-				});
-			}
-
-			let records: string[] = [];
-			let dns: typeof import("node:dns/promises");
-
-			try {
-				dns = await import("node:dns/promises");
-			} catch (error) {
-				ctx.context.logger.error(
-					"The core node:dns module is required for the domain verification feature",
-					error,
-				);
-				throw new APIError("INTERNAL_SERVER_ERROR", {
-					message: "Unable to verify domain ownership due to server error",
-					code: "DOMAIN_VERIFICATION_FAILED",
-				});
-			}
-
-			try {
-				const hostname = new URL(provider.domain).hostname;
-				const dnsRecords = await dns.resolveTxt(`${identifier}.${hostname}`);
-				records = dnsRecords.flat();
-			} catch (error) {
-				ctx.context.logger.warn(
-					"DNS resolution failure while validating domain ownership",
-					error,
-				);
-			}
-
-			const record = records.find((record) =>
-				record.includes(
-					`${activeVerification.identifier}=${activeVerification.value}`,
-				),
-			);
-			if (!record) {
-				throw new APIError("BAD_GATEWAY", {
-					message: "Unable to verify domain ownership. Try again later",
-					code: "DOMAIN_VERIFICATION_FAILED",
-				});
-			}
-
-			await ctx.context.adapter.update<SSOProvider<SSOOptions>>({
-				model: "ssoProvider",
-				where: [{ field: "providerId", value: provider.providerId }],
-				update: {
-					domainVerified: true,
-				},
-			});
-
-			ctx.setStatus(204);
-			return;
-		},
-	);
-};

package/src/routes/helpers.ts

@@ -1,126 +0,0 @@
-import type { DBAdapter } from "@better-auth/core/db/adapter";
-import saml from "samlify";
-import type { SAMLConfig, SSOOptions, SSOProvider } from "../types";
-import { safeJsonParse } from "../utils";
-
-export async function findSAMLProvider(
-	providerId: string,
-	options: SSOOptions | undefined,
-	adapter: DBAdapter,
-): Promise<SSOProvider<SSOOptions> | null> {
-	if (options?.defaultSSO?.length) {
-		const match = options.defaultSSO.find((p) => p.providerId === providerId);
-		if (match) {
-			return {
-				...match,
-				userId: "default",
-				issuer: match.samlConfig?.issuer || "",
-				...(options.domainVerification?.enabled
-					? { domainVerified: true }
-					: {}),
-			} as SSOProvider<SSOOptions>;
-		}
-	}
-
-	const res = await adapter.findOne<SSOProvider<SSOOptions>>({
-		model: "ssoProvider",
-		where: [{ field: "providerId", value: providerId }],
-	});
-
-	if (!res) return null;
-
-	return {
-		...res,
-		samlConfig: res.samlConfig
-			? safeJsonParse<SAMLConfig>(res.samlConfig as unknown as string) ||
-				undefined
-			: undefined,
-	};
-}
-
-export function createSP(
-	config: SAMLConfig,
-	baseURL: string,
-	providerId: string,
-	sloOptions?: {
-		wantLogoutRequestSigned?: boolean;
-		wantLogoutResponseSigned?: boolean;
-	},
-) {
-	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
-	return saml.ServiceProvider({
-		entityID: config.spMetadata?.entityID || config.issuer,
-		assertionConsumerService: [
-			{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-				Location:
-					config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`,
-			},
-		],
-		singleLogoutService: [
-			{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-				Location: sloLocation,
-			},
-			{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-				Location: sloLocation,
-			},
-		],
-		wantMessageSigned: config.wantAssertionsSigned || false,
-		wantLogoutRequestSigned: sloOptions?.wantLogoutRequestSigned ?? false,
-		wantLogoutResponseSigned: sloOptions?.wantLogoutResponseSigned ?? false,
-		metadata: config.spMetadata?.metadata,
-		privateKey: config.spMetadata?.privateKey || config.privateKey,
-		privateKeyPass: config.spMetadata?.privateKeyPass,
-	});
-}
-
-export function createIdP(config: SAMLConfig) {
-	const idpData = config.idpMetadata;
-	if (idpData?.metadata) {
-		return saml.IdentityProvider({
-			metadata: idpData.metadata,
-			privateKey: idpData.privateKey,
-			privateKeyPass: idpData.privateKeyPass,
-			encPrivateKey: idpData.encPrivateKey,
-			encPrivateKeyPass: idpData.encPrivateKeyPass,
-		});
-	}
-	return saml.IdentityProvider({
-		entityID: idpData?.entityID || config.issuer,
-		singleSignOnService: idpData?.singleSignOnService || [
-			{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-				Location: config.entryPoint,
-			},
-		],
-		singleLogoutService: idpData?.singleLogoutService,
-		signingCert: idpData?.cert || config.cert,
-	});
-}
-
-function escapeHtml(str: string | undefined | null): string {
-	if (!str) return "";
-	return String(str)
-		.replace(/&/g, "&amp;")
-		.replace(/</g, "&lt;")
-		.replace(/>/g, "&gt;")
-		.replace(/"/g, "&quot;")
-		.replace(/'/g, "&#39;");
-}
-
-export function createSAMLPostForm(
-	action: string,
-	samlParam: string,
-	samlValue: string,
-	relayState?: string,
-): Response {
-	const safeAction = escapeHtml(action);
-	const safeSamlParam = escapeHtml(samlParam);
-	const safeSamlValue = escapeHtml(samlValue);
-	const safeRelayState = relayState ? escapeHtml(relayState) : undefined;
-
-	const html = `<!DOCTYPE html><html><body onload="document.forms[0].submit();"><form method="POST" action="${safeAction}"><input type="hidden" name="${safeSamlParam}" value="${safeSamlValue}" />${safeRelayState ? `<input type="hidden" name="RelayState" value="${safeRelayState}" />` : ""}<noscript><input type="submit" value="Continue" /></noscript></form></body></html>`;
-	return new Response(html, { headers: { "Content-Type": "text/html" } });
-}