@better-auth/sso 1.5.1-beta.1 → 1.5.1-beta.2

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DHITQH_m.mjs";
+import { t as SSOPlugin } from "./index-DoxMd-mL.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-DHITQH_m.d.mts → index-DoxMd-mL.d.mts}

@@ -1,6 +1,5 @@
 import { APIError } from "better-auth/api";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
@@ -418,9 +417,9 @@ interface SSOOptions {
 //#region src/routes/domain-verification.d.ts
 declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -466,9 +465,9 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }>;
 declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -1773,4 +1772,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
 };
 //#endregion
 export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
-//# sourceMappingURL=index-DHITQH_m.d.mts.map
+//# sourceMappingURL=index-DoxMd-mL.d.mts.map

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DHITQH_m.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DoxMd-mL.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -3,8 +3,7 @@ import { XMLParser, XMLValidator } from "fast-xml-parser";
 import saml from "samlify";
 import { X509Certificate } from "node:crypto";
 import { generateRandomString } from "better-auth/crypto";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
@@ -218,7 +217,7 @@ async function assignOrganizationByDomain(ctx, options) {
 //#region src/routes/domain-verification.ts
 const DNS_LABEL_MAX_LENGTH = 63;
 const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
 function getVerificationIdentifier(options, providerId) {
 	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
 }
@@ -2374,7 +2373,20 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	});
 	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 	let userInfo = null;
-	if (tokenResponse.idToken) {
+	const mapping = config.mapping || {};
+	if (config.userInfoEndpoint) {
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
+		const rawUserInfo = userInfoResponse.data;
+		userInfo = {
+			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
+			id: rawUserInfo[mapping.id || "sub"],
+			email: rawUserInfo[mapping.email || "email"],
+			emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+			name: rawUserInfo[mapping.name || "name"],
+			image: rawUserInfo[mapping.image || "picture"]
+		};
+	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
 		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
 		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
@@ -2385,7 +2397,6 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			return null;
 		});
 		if (!verified) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_not_verified`);
-		const mapping = config.mapping || {};
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 			id: idToken[mapping.id || "sub"],
@@ -2394,13 +2405,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			name: idToken[mapping.name || "name"],
 			image: idToken[mapping.image || "picture"]
 		};
-	}
-	if (!userInfo) {
-		if (!config.userInfoEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-		userInfo = userInfoResponse.data;
-	}
+	} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 	const linked = await handleOAuthUserInfo(ctx, {