@better-auth/sso 1.5.0 → 1.5.1-beta.2

package/dist/client.d.mts

@@ -1,5 +1,4 @@
-import "./index-BQp9TZiG.mjs";
-import { SSOPlugin } from "./index.mjs";
+import { t as SSOPlugin } from "./index-DoxMd-mL.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-BQp9TZiG.d.mts → index-DoxMd-mL.d.mts}

@@ -1,7 +1,6 @@
 import { APIError } from "better-auth/api";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
-import { Awaitable, OAuth2Tokens, User } from "better-auth";
+import * as z from "zod";
+import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
 //#region src/saml/algorithms.d.ts
@@ -418,9 +417,9 @@ interface SSOOptions {
 //#region src/routes/domain-verification.d.ts
 declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -466,9 +465,9 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }>;
 declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -1721,5 +1720,56 @@ declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, exist
  */
 declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
 //#endregion
-export { spMetadata as A, SSOOptions as B, callbackSSO as C, registerSSOProvider as D, initiateSLO as E, updateSSOProvider as F, DigestAlgorithm as G, AlgorithmValidationOptions as H, requestDomainVerification as I, KeyEncryptionAlgorithm as K, verifyDomain as L, deleteSSOProvider as M, getSSOProvider as N, signInSSO as O, listSSOProviders as P, OIDCConfig as R, acsEndpoint as S, callbackSSOShared as T, DataEncryptionAlgorithm as U, SSOProvider as V, DeprecatedAlgorithmBehavior as W, DEFAULT_CLOCK_SKEW_MS as _, normalizeDiscoveryUrls as a, SAMLConditions as b, validateDiscoveryDocument as c, DiscoveryError as d, DiscoveryErrorCode as f, RequiredDiscoveryField as g, REQUIRED_DISCOVERY_FIELDS as h, needsRuntimeDiscovery as i, validateSAMLTimestamp as j, sloEndpoint as k, validateDiscoveryUrl as l, OIDCDiscoveryDocument as m, discoverOIDCConfig as n, normalizeUrl as o, HydratedOIDCConfig as p, SignatureAlgorithm as q, fetchDiscoveryDocument as r, selectTokenEndpointAuthMethod as s, computeDiscoveryUrl as t, DiscoverOIDCConfigParams as u, DEFAULT_MAX_SAML_METADATA_SIZE as v, callbackSSOSAML as w, TimestampValidationOptions as x, DEFAULT_MAX_SAML_RESPONSE_SIZE as y, SAMLConfig as z };
-//# sourceMappingURL=index-BQp9TZiG.d.mts.map
+//#region src/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    sso: {
+      creator: typeof sso;
+    };
+  }
+}
+type DomainVerificationEndpoints = {
+  requestDomainVerification: ReturnType<typeof requestDomainVerification>;
+  verifyDomain: ReturnType<typeof verifyDomain>;
+};
+type SSOEndpoints<O extends SSOOptions> = {
+  spMetadata: ReturnType<typeof spMetadata>;
+  registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
+  signInSSO: ReturnType<typeof signInSSO>;
+  callbackSSO: ReturnType<typeof callbackSSO>;
+  callbackSSOShared: ReturnType<typeof callbackSSOShared>;
+  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
+  acsEndpoint: ReturnType<typeof acsEndpoint>;
+  sloEndpoint: ReturnType<typeof sloEndpoint>;
+  initiateSLO: ReturnType<typeof initiateSLO>;
+  listSSOProviders: ReturnType<typeof listSSOProviders>;
+  getSSOProvider: ReturnType<typeof getSSOProvider>;
+  updateSSOProvider: ReturnType<typeof updateSSOProvider>;
+  deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
+};
+type SSOPlugin<O extends SSOOptions> = {
+  id: "sso";
+  endpoints: SSOEndpoints<O> & (O extends {
+    domainVerification: {
+      enabled: true;
+    };
+  } ? DomainVerificationEndpoints : {});
+};
+declare function sso<O extends SSOOptions & {
+  domainVerification?: {
+    enabled: true;
+  };
+}>(options?: O | undefined): {
+  id: "sso";
+  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
+  schema: NonNullable<BetterAuthPlugin["schema"]>;
+  options: O;
+};
+declare function sso<O extends SSOOptions>(options?: O | undefined): {
+  id: "sso";
+  endpoints: SSOEndpoints<O>;
+  options: O;
+};
+//#endregion
+export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
+//# sourceMappingURL=index-DoxMd-mL.d.mts.map

package/dist/index.d.mts

@@ -1,56 +1,2 @@
-import { A as spMetadata, B as SSOOptions, C as callbackSSO, D as registerSSOProvider, E as initiateSLO, F as updateSSOProvider, G as DigestAlgorithm, H as AlgorithmValidationOptions, I as requestDomainVerification, K as KeyEncryptionAlgorithm, L as verifyDomain, M as deleteSSOProvider, N as getSSOProvider, O as signInSSO, P as listSSOProviders, R as OIDCConfig, S as acsEndpoint, T as callbackSSOShared, U as DataEncryptionAlgorithm, V as SSOProvider, W as DeprecatedAlgorithmBehavior, _ as DEFAULT_CLOCK_SKEW_MS, a as normalizeDiscoveryUrls, b as SAMLConditions, c as validateDiscoveryDocument, d as DiscoveryError, f as DiscoveryErrorCode, g as RequiredDiscoveryField, h as REQUIRED_DISCOVERY_FIELDS, i as needsRuntimeDiscovery, j as validateSAMLTimestamp, k as sloEndpoint, l as validateDiscoveryUrl, m as OIDCDiscoveryDocument, n as discoverOIDCConfig, o as normalizeUrl, p as HydratedOIDCConfig, q as SignatureAlgorithm, r as fetchDiscoveryDocument, s as selectTokenEndpointAuthMethod, t as computeDiscoveryUrl, u as DiscoverOIDCConfigParams, v as DEFAULT_MAX_SAML_METADATA_SIZE, w as callbackSSOSAML, x as TimestampValidationOptions, y as DEFAULT_MAX_SAML_RESPONSE_SIZE, z as SAMLConfig } from "./index-BQp9TZiG.mjs";
-import { BetterAuthPlugin } from "better-auth";
-
-//#region src/index.d.ts
-declare module "@better-auth/core" {
-  interface BetterAuthPluginRegistry<AuthOptions, Options> {
-    sso: {
-      creator: typeof sso;
-    };
-  }
-}
-type DomainVerificationEndpoints = {
-  requestDomainVerification: ReturnType<typeof requestDomainVerification>;
-  verifyDomain: ReturnType<typeof verifyDomain>;
-};
-type SSOEndpoints<O extends SSOOptions> = {
-  spMetadata: ReturnType<typeof spMetadata>;
-  registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
-  signInSSO: ReturnType<typeof signInSSO>;
-  callbackSSO: ReturnType<typeof callbackSSO>;
-  callbackSSOShared: ReturnType<typeof callbackSSOShared>;
-  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
-  acsEndpoint: ReturnType<typeof acsEndpoint>;
-  sloEndpoint: ReturnType<typeof sloEndpoint>;
-  initiateSLO: ReturnType<typeof initiateSLO>;
-  listSSOProviders: ReturnType<typeof listSSOProviders>;
-  getSSOProvider: ReturnType<typeof getSSOProvider>;
-  updateSSOProvider: ReturnType<typeof updateSSOProvider>;
-  deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
-};
-type SSOPlugin<O extends SSOOptions> = {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & (O extends {
-    domainVerification: {
-      enabled: true;
-    };
-  } ? DomainVerificationEndpoints : {});
-};
-declare function sso<O extends SSOOptions & {
-  domainVerification?: {
-    enabled: true;
-  };
-}>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-  schema: NonNullable<BetterAuthPlugin["schema"]>;
-  options: O;
-};
-declare function sso<O extends SSOOptions>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O>;
-  options: O;
-};
-//#endregion
-export { type AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, type DeprecatedAlgorithmBehavior, DigestAlgorithm, type DiscoverOIDCConfigParams, DiscoveryError, type DiscoveryErrorCode, type HydratedOIDCConfig, KeyEncryptionAlgorithm, type OIDCConfig, type OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, type RequiredDiscoveryField, type SAMLConditions, type SAMLConfig, type SSOOptions, SSOPlugin, type SSOProvider, SignatureAlgorithm, type TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
-//# sourceMappingURL=index.d.mts.map
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DoxMd-mL.mjs";
+export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -3,8 +3,7 @@ import { XMLParser, XMLValidator } from "fast-xml-parser";
 import saml from "samlify";
 import { X509Certificate } from "node:crypto";
 import { generateRandomString } from "better-auth/crypto";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
@@ -218,7 +217,7 @@ async function assignOrganizationByDomain(ctx, options) {
 //#region src/routes/domain-verification.ts
 const DNS_LABEL_MAX_LENGTH = 63;
 const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
 function getVerificationIdentifier(options, providerId) {
 	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
 }
@@ -2374,7 +2373,20 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	});
 	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 	let userInfo = null;
-	if (tokenResponse.idToken) {
+	const mapping = config.mapping || {};
+	if (config.userInfoEndpoint) {
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+		const rawUserInfo = userInfoResponse.data;
+		userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
+			id: rawUserInfo[mapping.id || "sub"],
+			email: rawUserInfo[mapping.email || "email"],
+			emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+			name: rawUserInfo[mapping.name || "name"],
+			image: rawUserInfo[mapping.image || "picture"]
+		};
+	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
 		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
 		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
@@ -2385,7 +2397,6 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			return null;
 		});
 		if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
-		const mapping = config.mapping || {};
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 			id: idToken[mapping.id || "sub"],
@@ -2394,13 +2405,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			name: idToken[mapping.name || "name"],
 			image: idToken[mapping.image || "picture"]
 		};
-	}
-	if (!userInfo) {
-		if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-		userInfo = userInfoResponse.data;
-	}
+	} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 	const linked = await handleOAuthUserInfo(ctx, {
@@ -3161,7 +3166,7 @@ async function handleLogoutResponse(ctx, sp, idp, relayState, providerId) {
 	if (inResponseTo) {
 		const key = `${LOGOUT_REQUEST_KEY_PREFIX}${inResponseTo}`;
 		if (!await ctx.context.internalAdapter.findVerificationValue(key)) ctx.context.logger.warn("LogoutResponse references unknown or expired request", { inResponseTo });
-		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete logout request verification value", e));
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(key).catch((e) => ctx.context.logger.warn("Failed to delete logout request verification value", e));
 	}
 	deleteSessionCookie(ctx);
 	const appOrigin = new URL(ctx.context.baseURL).origin;
@@ -3189,13 +3194,13 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 		const data = safeJsonParse(stored.value);
 		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
 			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
-			await ctx.context.internalAdapter.deleteVerificationValue(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
+			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
 		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
 			providerId,
 			requestedSessionIndex: sessionIndex,
 			storedSessionIndex: data.sessionIndex
 		});
-		await ctx.context.internalAdapter.deleteVerificationValue(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
 	}
 	const currentSession = await getSessionFromCtx(ctx);
 	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
@@ -3252,8 +3257,8 @@ const initiateSLO = (options) => {
 			value: providerId,
 			expiresAt: new Date(Date.now() + ttl)
 		});
-		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationValue(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
-		await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
+		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationByIdentifier(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
+		await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
 		await ctx.context.internalAdapter.deleteSession(session.session.id);
 		deleteSessionCookie(ctx);
 		throw ctx.redirect(logoutRequest.context);
@@ -3323,8 +3328,8 @@ function sso(options) {
 					const sessionLookupKey = `${SAML_SESSION_BY_ID_PREFIX}${session.session.id}`;
 					const sessionLookup = await ctx.context.internalAdapter.findVerificationValue(sessionLookupKey);
 					if (sessionLookup?.value) {
-						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookup.value).catch(() => {});
-						await ctx.context.internalAdapter.deleteVerificationValue(sessionLookupKey).catch(() => {});
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookup.value).catch(() => {});
+						await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookupKey).catch(() => {});
 					}
 				})
 			}],