@better-auth/sso 1.6.0 → 1.6.2

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Cf5gNNxE.mjs";
+import { t as PACKAGE_VERSION } from "./version-BVfKiZvw.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-Cf5gNNxE.mjs";
+import { t as PACKAGE_VERSION } from "./version-BVfKiZvw.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
@@ -606,7 +606,7 @@ function countAssertions(xml) {
 function validateSingleAssertion(samlResponse) {
 	let xml;
 	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse));
+		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
 		if (!xml.includes("<")) throw new Error("Not XML");
 	} catch {
 		throw new APIError("BAD_REQUEST", {
@@ -2181,7 +2181,8 @@ const signInSSO = (options) => {
 		if (provider.samlConfig) {
 			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) ctx.context.logger.warn("authnRequestsSigned is enabled but no privateKey provided - AuthnRequests will not be signed", { providerId: provider.providerId });
+			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
+			const { state: relayState } = await generateRelayState(ctx, void 0, false);
 			let metadata = parsedSamlConfig.spMetadata.metadata;
 			if (!metadata) metadata = saml.SPMetadata({
 				entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
@@ -2197,7 +2198,8 @@ const signInSSO = (options) => {
 				metadata,
 				allowCreate: true,
 				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass
+				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
+				relayState
 			});
 			const idpData = parsedSamlConfig.idpMetadata;
 			let idp;
@@ -2223,7 +2225,6 @@ const signInSSO = (options) => {
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
-			const { state: relayState } = await generateRelayState(ctx, void 0, false);
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation !== false) {
 				const ttl = options?.saml?.requestTTL ?? 3e5;
 				const record = {
@@ -2239,7 +2240,7 @@ const signInSSO = (options) => {
 				});
 			}
 			return ctx.json({
-				url: `${loginRequest.context}&RelayState=${encodeURIComponent(relayState)}`,
+				url: loginRequest.context,
 				redirect: true
 			});
 		}
@@ -2534,9 +2535,9 @@ const callbackSSOSAML = (options) => {
 			throw ctx.redirect(safeRedirectUrl);
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
-		const { SAMLResponse } = ctx.body;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? 262144;
-		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		if (new TextEncoder().encode(ctx.body.SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		const SAMLResponse = ctx.body.SAMLResponse.replace(/\s+/g, "");
 		let relayState = null;
 		if (ctx.body.RelayState) try {
 			relayState = await parseRelayState(ctx);
@@ -2811,12 +2812,12 @@ const acsEndpoint = (options) => {
 			}
 		}
 	}, async (ctx) => {
-		const { SAMLResponse } = ctx.body;
 		const { providerId } = ctx.params;
 		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
 		const appOrigin = new URL(ctx.context.baseURL).origin;
 		const maxResponseSize = options?.saml?.maxResponseSize ?? 262144;
-		if (new TextEncoder().encode(SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		if (new TextEncoder().encode(ctx.body.SAMLResponse).length > maxResponseSize) throw new APIError("BAD_REQUEST", { message: `SAML response exceeds maximum allowed size (${maxResponseSize} bytes)` });
+		const SAMLResponse = ctx.body.SAMLResponse.replace(/\s+/g, "");
 		let relayState = null;
 		if (ctx.body.RelayState) try {
 			relayState = await parseRelayState(ctx);

package/dist/{version-Cf5gNNxE.mjs → version-BVfKiZvw.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.0";
+const PACKAGE_VERSION = "1.6.2";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.0",
+  "version": "1.6.2",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.0",
-    "better-auth": "1.6.0"
+    "@better-auth/core": "1.6.2",
+    "better-auth": "1.6.2"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.0",
-    "better-auth": "^1.6.0"
+    "@better-auth/core": "^1.6.2",
+    "better-auth": "^1.6.2"
   },
   "scripts": {
     "build": "tsdown",