@better-auth/sso 1.6.11 → 1.6.13

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-D_ggtAOl.mjs";
+import { t as PACKAGE_VERSION } from "./version-BcVD6vO4.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-D_ggtAOl.mjs";
+import { t as PACKAGE_VERSION } from "./version-BcVD6vO4.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
@@ -8,6 +8,7 @@ import * as z from "zod";
 import { isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { base64 } from "@better-auth/utils/base64";
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
@@ -56,7 +57,6 @@ const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
 * Protects against oversized metadata documents.
 */
 const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
-const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
 //#endregion
 //#region src/utils.ts
 /**
@@ -103,6 +103,10 @@ function parseCertificate(certPem) {
 		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
 	};
 }
+function normalizePem(key) {
+	if (!key) return key;
+	return `${key.split("\n").map((line) => line.trim()).join("\n").trim()}\n`;
+}
 function getHostnameFromDomain(domain) {
 	return getHostname(domain) || null;
 }
@@ -1528,10 +1532,10 @@ function createSP(config, baseURL, providerId, opts) {
 		wantLogoutRequestSigned: opts?.sloOptions?.wantLogoutRequestSigned ?? false,
 		wantLogoutResponseSigned: opts?.sloOptions?.wantLogoutResponseSigned ?? false,
 		metadata: spData?.metadata,
-		privateKey: spData?.privateKey || config.privateKey,
+		privateKey: normalizePem(spData?.privateKey || config.privateKey),
 		privateKeyPass: spData?.privateKeyPass,
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
-		encPrivateKey: spData?.encPrivateKey,
+		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
 		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0,
 		relayState: opts?.relayState
@@ -1541,10 +1545,10 @@ function createIdP(config) {
 	const idpData = config.idpMetadata;
 	if (idpData?.metadata) return saml.IdentityProvider({
 		metadata: idpData.metadata,
-		privateKey: idpData.privateKey,
+		privateKey: normalizePem(idpData.privateKey),
 		privateKeyPass: idpData.privateKeyPass,
 		isAssertionEncrypted: idpData.isAssertionEncrypted,
-		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKey: normalizePem(idpData.encPrivateKey),
 		encPrivateKeyPass: idpData.encPrivateKeyPass
 	});
 	return saml.IdentityProvider({
@@ -1557,7 +1561,7 @@ function createIdP(config) {
 		signingCert: idpData?.cert || config.cert,
 		wantAuthnRequestsSigned: config.authnRequestsSigned || false,
 		isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-		encPrivateKey: idpData?.encPrivateKey,
+		encPrivateKey: normalizePem(idpData?.encPrivateKey),
 		encPrivateKeyPass: idpData?.encPrivateKeyPass
 	});
 }
@@ -1791,12 +1795,16 @@ async function processSAMLResponse(ctx, params, options) {
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
+	const attr = (key) => {
+		const value = attributes[key];
+		return Array.isArray(value) ? value[0] : value;
+	};
 	const userInfo = {
 		...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
-		id: attributes[mapping.id || "nameID"] || extract.nameID,
-		email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
-		name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
+		id: attr(mapping.id || "nameID") || extract.nameID,
+		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
+		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1809,23 +1817,35 @@ async function processSAMLResponse(ctx, params, options) {
 	}
 	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || userInfo.email,
-			id: userInfo.id,
-			emailVerified: Boolean(userInfo.emailVerified)
-		},
-		account: {
-			providerId,
-			accountId: userInfo.id,
-			accessToken: "",
-			refreshToken: ""
-		},
-		callbackURL: callbackUrl,
-		disableSignUp: options?.disableImplicitSignUp,
-		isTrustedProvider
-	});
+	const errorUrl = relayState?.errorURL || samlRedirectUrl;
+	let result;
+	try {
+		result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
+				providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = errorUrl.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${errorUrl}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
 	if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
 	const { session, user } = result.data;
 	if (options?.provisionUser && (result.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
@@ -1854,6 +1874,7 @@ async function processSAMLResponse(ctx, params, options) {
 		const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${providerId}:${extract.nameID}`;
 		const samlSessionData = {
 			sessionId: session.id,
+			sessionToken: session.token,
 			providerId,
 			nameID: extract.nameID,
 			sessionIndex: extract.sessionIndex
@@ -2530,7 +2551,7 @@ const signInSSO = (options) => {
 			const sp = saml.ServiceProvider({
 				metadata,
 				allowCreate: true,
-				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKey: normalizePem(parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey),
 				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 				relayState
 			});
@@ -2545,15 +2566,15 @@ const signInSSO = (options) => {
 				signingCert: idpData?.cert || parsedSamlConfig.cert,
 				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-				encPrivateKey: idpData?.encPrivateKey,
+				encPrivateKey: normalizePem(idpData?.encPrivateKey),
 				encPrivateKeyPass: idpData?.encPrivateKeyPass
 			});
 			else idp = saml.IdentityProvider({
 				metadata: idpData.metadata,
-				privateKey: idpData.privateKey,
+				privateKey: normalizePem(idpData.privateKey),
 				privateKeyPass: idpData.privateKeyPass,
 				isAssertionEncrypted: idpData.isAssertionEncrypted,
-				encPrivateKey: idpData.encPrivateKey,
+				encPrivateKey: normalizePem(idpData.encPrivateKey),
 				encPrivateKeyPass: idpData.encPrivateKeyPass
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
@@ -2698,30 +2719,47 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
-	const linked = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || "",
-			id: userInfo.id,
-			image: userInfo.image,
-			emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-		},
-		account: {
-			idToken: tokenResponse.idToken,
-			accessToken: tokenResponse.accessToken,
-			refreshToken: tokenResponse.refreshToken,
-			accountId: userInfo.id,
-			providerId: provider.providerId,
-			accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-			refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-			scope: tokenResponse.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-		overrideUserInfo: config.overrideUserInfo,
-		isTrustedProvider
-	});
-	if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
+	let linked;
+	try {
+		linked = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || "",
+				id: userInfo.id,
+				image: userInfo.image,
+				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+			},
+			account: {
+				idToken: tokenResponse.idToken,
+				accessToken: tokenResponse.accessToken,
+				refreshToken: tokenResponse.refreshToken,
+				accountId: userInfo.id,
+				providerId: provider.providerId,
+				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
+				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
+				scope: tokenResponse.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+			overrideUserInfo: config.overrideUserInfo,
+			isTrustedProvider
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const baseURL = errorURL || callbackURL;
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = baseURL.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
+	if (linked.error) {
+		const baseURL = errorURL || callbackURL;
+		const params = new URLSearchParams({ error: linked.error });
+		const sep = baseURL.includes("?") ? "&" : "?";
+		throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+	}
 	const { session, user } = linked.data;
 	if (options?.provisionUser && (linked.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
 		user,
@@ -2977,7 +3015,7 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 	if (stored) {
 		const data = safeJsonParse(stored.value);
 		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
-			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
+			await ctx.context.internalAdapter.deleteSession(data.sessionToken).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
 			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
 		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
 			providerId,
@@ -2987,10 +3025,9 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
 	}
 	const currentSession = await getSessionFromCtx(ctx);
-	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
+	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.token);
 	deleteSessionCookie(ctx);
-	const requestId = parsed.extract.request?.id || "";
-	const res = sp.createLogoutResponse(idp, null, binding, relayState || "", (template) => template.replace("{InResponseTo}", requestId).replace("{StatusCode}", SAML_STATUS_SUCCESS));
+	const res = sp.createLogoutResponse(idp, parsed, binding, relayState || "");
 	if (binding === "post" && res.entityEndpoint) return createSAMLPostForm(res.entityEndpoint, "SAMLResponse", res.context, relayState);
 	throw ctx.redirect(res.context);
 }
@@ -3043,7 +3080,7 @@ const initiateSLO = (options) => {
 		});
 		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationByIdentifier(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
-		await ctx.context.internalAdapter.deleteSession(session.session.id);
+		await ctx.context.internalAdapter.deleteSession(session.session.token);
 		deleteSessionCookie(ctx);
 		throw ctx.redirect(logoutRequest.context);
 	});

package/dist/{version-D_ggtAOl.mjs → version-BcVD6vO4.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.11";
+const PACKAGE_VERSION = "1.6.13";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.11",
+  "version": "1.6.13",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -56,9 +56,9 @@
     }
   },
   "dependencies": {
-    "fast-xml-parser": "^5.5.7",
+    "fast-xml-parser": "^5.8.0",
     "jose": "^6.1.3",
-    "samlify": "~2.10.2",
+    "samlify": "^2.13.1",
     "tldts": "^6.1.0",
     "zod": "^4.3.6"
   },
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.11",
-    "better-auth": "1.6.11"
+    "@better-auth/core": "1.6.13",
+    "better-auth": "1.6.13"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.11",
-    "better-auth": "^1.6.11"
+    "@better-auth/core": "^1.6.13",
+    "better-auth": "^1.6.13"
   },
   "scripts": {
     "build": "tsdown",