npm - @better-auth/sso - Versions diffs - 1.5.5 → 1.5.7-beta.1 - Mend

@better-auth/sso 1.5.5 → 1.5.7-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/{index-DHITQH_m.d.mts → index-N-z2Csye.d.mts} +716 -801
package/dist/index.d.mts +1 -1
package/dist/index.mjs +19 -43
package/dist/index.mjs.map +1 -1
package/package.json +9 -9

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DHITQH_m.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-N-z2Csye.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs CHANGED Viewed

@@ -1,11 +1,10 @@
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
-import saml from "samlify";
+import * as saml from "samlify";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
-import * as z$1 from "zod/v4";
-import z from "zod/v4";
+import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
@@ -13,7 +12,6 @@ import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 //#region src/constants.ts
 /**
 * SAML Constants
@@ -31,21 +29,11 @@ const SAML_SESSION_BY_ID_PREFIX = "saml-session-by-id:";
 /** Prefix for LogoutRequest IDs used in SP-initiated SLO validation */
 const LOGOUT_REQUEST_KEY_PREFIX = "saml-logout-request:";
 /**
-* Default TTL for AuthnRequest records (5 minutes).
-* This should be sufficient for most IdPs while protecting against stale requests.
-*/
-const DEFAULT_AUTHN_REQUEST_TTL_MS = 300 * 1e3;
-/**
 * Default TTL for used assertion records (15 minutes).
 * This should match the maximum expected NotOnOrAfter window plus clock skew.
 */
 const DEFAULT_ASSERTION_TTL_MS = 900 * 1e3;
 /**
-* Default TTL for LogoutRequest records (5 minutes).
-* Should be sufficient for IdP to process and respond.
-*/
-const DEFAULT_LOGOUT_REQUEST_TTL_MS = 300 * 1e3;
-/**
 * Default clock skew tolerance (5 minutes).
 * Allows for minor time differences between IdP and SP servers.
 *
@@ -66,7 +54,6 @@ const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
 */
 const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
 const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
 //#endregion
 //#region src/utils.ts
 /**
@@ -120,7 +107,6 @@ function maskClientId(clientId) {
 	if (clientId.length <= 4) return "****";
 	return `****${clientId.slice(-4)}`;
 }
 //#endregion
 //#region src/linking/org-assignment.ts
 /**
@@ -217,12 +203,11 @@ async function assignOrganizationByDomain(ctx, options) {
 		}
 	});
 }
 //#endregion
 //#region src/routes/domain-verification.ts
 const DNS_LABEL_MAX_LENGTH = 63;
 const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z$1.object({ providerId: z$1.string() });
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
 function getVerificationIdentifier(options, providerId) {
 	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
 }
@@ -383,7 +368,6 @@ const verifyDomain = (options) => {
 		ctx.setStatus(204);
 	});
 };
 //#endregion
 //#region src/saml/parser.ts
 const xmlParser = new XMLParser({
@@ -418,7 +402,6 @@ function countAllNodes(obj, nodeName) {
 	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
 	return count;
 }
 //#endregion
 //#region src/saml/algorithms.ts
 const SignatureAlgorithm = {
@@ -599,7 +582,6 @@ function validateConfigAlgorithms(config, options = {}) {
 		});
 	}
 }
 //#endregion
 //#region src/saml/assertions.ts
 /** @lintignore used in tests */
@@ -642,7 +624,6 @@ function validateSingleAssertion(samlResponse) {
 		code: "SAML_MULTIPLE_ASSERTIONS"
 	});
 }
 //#endregion
 //#region src/routes/schemas.ts
 const oidcMappingSchema = z.object({
@@ -721,7 +702,6 @@ const updateSSOProviderBodySchema = z.object({
 	oidcConfig: oidcConfigSchema.optional(),
 	samlConfig: samlConfigSchema.optional()
 });
 //#endregion
 //#region src/routes/providers.ts
 const ADMIN_ROLES = ["owner", "admin"];
@@ -951,7 +931,7 @@ const updateSSOProvider = (options) => {
 		}
 		if (body.samlConfig) {
 			if (body.samlConfig.idpMetadata?.metadata) {
-				const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
 				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
 			}
 			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
@@ -1014,7 +994,6 @@ const deleteSSOProvider = () => {
 		return ctx.json({ success: true });
 	});
 };
 //#endregion
 //#region src/oidc/types.ts
 /**
@@ -1041,7 +1020,6 @@ const REQUIRED_DISCOVERY_FIELDS = [
 	"token_endpoint",
 	"jwks_uri"
 ];
 //#endregion
 //#region src/oidc/discovery.ts
 /**
@@ -1308,7 +1286,6 @@ async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
 		jwksEndpoint: hydrated.jwksEndpoint
 	};
 }
 //#endregion
 //#region src/oidc/errors.ts
 /**
@@ -1379,7 +1356,6 @@ function mapDiscoveryErrorToAPIError(error) {
 			});
 	}
 }
 //#endregion
 //#region src/saml/error-codes.ts
 const SAML_ERROR_CODES = defineErrorCodes({
@@ -1390,7 +1366,6 @@ const SAML_ERROR_CODES = defineErrorCodes({
 	IDP_SLO_NOT_SUPPORTED: "IdP does not support Single Logout Service",
 	SAML_PROVIDER_NOT_FOUND: "SAML provider not found"
 });
 //#endregion
 //#region src/saml-state.ts
 async function generateRelayState(c, link, additionalData) {
@@ -1422,7 +1397,10 @@ async function parseRelayState(c) {
 	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
 	let parsedData;
 	try {
-		parsedData = await parseGenericState(c, state, { cookieName: "relay_state" });
+		parsedData = await parseGenericState(c, state, {
+			cookieName: "relay_state",
+			skipStateCookieCheck: true
+		});
 	} catch (error) {
 		c.context.logger.error("Failed to parse relay state", error);
 		throw new APIError("BAD_REQUEST", {
@@ -1433,7 +1411,6 @@ async function parseRelayState(c) {
 	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
 	return parsedData;
 }
 //#endregion
 //#region src/routes/helpers.ts
 async function findSAMLProvider(providerId, options, adapter) {
@@ -1513,7 +1490,6 @@ function createSAMLPostForm(action, samlParam, samlValue, relayState) {
 	const html = `<!DOCTYPE html><html><body onload="document.forms[0].submit();"><form method="POST" action="${safeAction}"><input type="hidden" name="${safeSamlParam}" value="${safeSamlValue}" />${safeRelayState ? `<input type="hidden" name="RelayState" value="${safeRelayState}" />` : ""}<noscript><input type="submit" value="Continue" /></noscript></form></body></html>`;
 	return new Response(html, { headers: { "Content-Type": "text/html" } });
 }
 //#endregion
 //#region src/routes/sso.ts
 /**
@@ -1535,7 +1511,7 @@ function getOIDCRedirectURI(baseURL, providerId, options) {
 * @throws {APIError} If timestamps are invalid, expired, or not yet valid
 */
 function validateSAMLTimestamp(conditions, options = {}) {
-	const clockSkew = options.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+	const clockSkew = options.clockSkew ?? 3e5;
 	if (!(conditions?.notBefore || conditions?.notOnOrAfter)) {
 		if (options.requireTimestamps) throw new APIError("BAD_REQUEST", {
 			message: "SAML assertion missing required timestamp conditions",
@@ -1897,7 +1873,7 @@ const registerSSOProvider = (options) => {
 		const body = ctx.body;
 		if (z.string().url().safeParse(body.issuer).error) throw new APIError("BAD_REQUEST", { message: "Invalid issuer. Must be a valid URL" });
 		if (body.samlConfig?.idpMetadata?.metadata) {
-			const maxMetadataSize = options?.saml?.maxMetadataSize ?? DEFAULT_MAX_SAML_METADATA_SIZE;
+			const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
 			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
 		}
 		if (ctx.body.organizationId) {
@@ -2249,7 +2225,7 @@ const signInSSO = (options) => {
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
 			const { state: relayState } = await generateRelayState(ctx, void 0, false);
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation) {
-				const ttl = options?.saml?.requestTTL ?? DEFAULT_AUTHN_REQUEST_TTL_MS;
+				const ttl = options?.saml?.requestTTL ?? 3e5;
 				const record = {
 					id: loginRequest.id,
 					providerId: provider.providerId,
@@ -2347,6 +2323,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		tokenEndpoint: config.tokenEndpoint,
 		authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
 	}).catch((e) => {
+		ctx.context.logger.error("Error validating authorization code", e);
 		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
 		return null;
 	});
@@ -2558,7 +2535,7 @@ const callbackSSOSAML = (options) => {
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
 		const { SAMLResponse } = ctx.body;
-		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? 262144;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let relayState = null;
 		if (ctx.body.RelayState) try {
@@ -2698,7 +2675,7 @@ const callbackSSOSAML = (options) => {
 		if (assertionId) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
-			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const clockSkew = options?.saml?.clockSkew ?? 3e5;
 			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
 			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
 			let isReplay = false;
@@ -2838,7 +2815,7 @@ const acsEndpoint = (options) => {
 		const { providerId } = ctx.params;
 		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
 		const appOrigin = new URL(ctx.context.baseURL).origin;
-		const maxResponseSize = options?.saml?.maxResponseSize ?? DEFAULT_MAX_SAML_RESPONSE_SIZE;
+		const maxResponseSize = options?.saml?.maxResponseSize ?? 262144;
 		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
 		let relayState = null;
 		if (ctx.body.RelayState) try {
@@ -2969,7 +2946,7 @@ const acsEndpoint = (options) => {
 		if (assertionIdAcs) {
 			const issuer = idp.entityMeta.getEntityID();
 			const conditions = extract.conditions;
-			const clockSkew = options?.saml?.clockSkew ?? DEFAULT_CLOCK_SKEW_MS;
+			const clockSkew = options?.saml?.clockSkew ?? 3e5;
 			const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
 			const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionIdAcs}`);
 			let isReplay = false;
@@ -3137,7 +3114,7 @@ async function handleLogoutResponse(ctx, sp, idp, relayState, providerId) {
 	}
 	const extract = parsed?.extract;
 	const statusCode = extract?.statusCode || extract?.status || parsed?.samlContent?.status?.statusCode;
-	if (statusCode && statusCode !== SAML_STATUS_SUCCESS) {
+	if (statusCode && statusCode !== "urn:oasis:names:tc:SAML:2.0:status:Success") {
 		ctx.context.logger.warn("LogoutResponse indicates failure", { statusCode });
 		throw APIError.from("BAD_REQUEST", SAML_ERROR_CODES.LOGOUT_FAILED_AT_IDP);
 	}
@@ -3230,7 +3207,7 @@ const initiateSLO = (options) => {
 			sessionIndex,
 			relayState: callbackURL
 		});
-		const ttl = options?.saml?.logoutRequestTTL ?? DEFAULT_LOGOUT_REQUEST_TTL_MS;
+		const ttl = options?.saml?.logoutRequestTTL ?? 3e5;
 		await ctx.context.internalAdapter.createVerificationValue({
 			identifier: `${LOGOUT_REQUEST_KEY_PREFIX}${logoutRequest.id}`,
 			value: providerId,
@@ -3243,7 +3220,6 @@ const initiateSLO = (options) => {
 		throw ctx.redirect(logoutRequest.context);
 	});
 };
 //#endregion
 //#region src/index.ts
 saml.setSchemaValidator({ async validate(xml) {
@@ -3379,7 +3355,7 @@ function sso(options) {
 		options
 	};
 }
 //#endregion
 export { DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DigestAlgorithm, DiscoveryError, KeyEncryptionAlgorithm, REQUIRED_DISCOVERY_FIELDS, SignatureAlgorithm, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
 //# sourceMappingURL=index.mjs.map