@better-auth/sso 1.5.4 → 1.5.6

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DHITQH_m.mjs";
+import { t as SSOPlugin } from "./index-DoxMd-mL.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-DHITQH_m.d.mts → index-DoxMd-mL.d.mts}

@@ -1,6 +1,5 @@
 import { APIError } from "better-auth/api";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
@@ -418,9 +417,9 @@ interface SSOOptions {
 //#region src/routes/domain-verification.d.ts
 declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -466,9 +465,9 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }>;
 declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
-  body: z$1.ZodObject<{
-    providerId: z$1.ZodString;
-  }, z$1.core.$strip>;
+  body: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -1773,4 +1772,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
 };
 //#endregion
 export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
-//# sourceMappingURL=index-DHITQH_m.d.mts.map
+//# sourceMappingURL=index-DoxMd-mL.d.mts.map

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DHITQH_m.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DoxMd-mL.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -1,10 +1,10 @@
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
-import saml from "samlify";
+import * as saml from "samlify";
 import { X509Certificate } from "node:crypto";
+import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
@@ -112,6 +112,9 @@ function parseCertificate(certPem) {
 		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
 	};
 }
+function getHostnameFromDomain(domain) {
+	return getHostname(domain) || null;
+}
 function maskClientId(clientId) {
 	if (clientId.length <= 4) return "****";
 	return `****${clientId.slice(-4)}`;
@@ -218,7 +221,7 @@ async function assignOrganizationByDomain(ctx, options) {
 //#region src/routes/domain-verification.ts
 const DNS_LABEL_MAX_LENGTH = 63;
 const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
 function getVerificationIdentifier(options, providerId) {
 	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
 }
@@ -354,8 +357,12 @@ const verifyDomain = (options) => {
 				code: "DOMAIN_VERIFICATION_FAILED"
 			});
 		}
+		const hostname = getHostnameFromDomain(provider.domain);
+		if (!hostname) throw new APIError("BAD_REQUEST", {
+			message: "Invalid domain",
+			code: "INVALID_DOMAIN"
+		});
 		try {
-			const hostname = new URL(provider.domain).hostname;
 			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
 		} catch (error) {
 			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);