@better-auth/sso 1.6.12 → 1.6.13

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-dnGn0OgM.mjs";
+import { t as PACKAGE_VERSION } from "./version-BcVD6vO4.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-dnGn0OgM.mjs";
+import { t as PACKAGE_VERSION } from "./version-BcVD6vO4.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
@@ -57,7 +57,6 @@ const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
 * Protects against oversized metadata documents.
 */
 const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;
-const SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
 //#endregion
 //#region src/utils.ts
 /**
@@ -104,6 +103,10 @@ function parseCertificate(certPem) {
 		publicKeyAlgorithm: cert.publicKey.asymmetricKeyType?.toUpperCase() || "UNKNOWN"
 	};
 }
+function normalizePem(key) {
+	if (!key) return key;
+	return `${key.split("\n").map((line) => line.trim()).join("\n").trim()}\n`;
+}
 function getHostnameFromDomain(domain) {
 	return getHostname(domain) || null;
 }
@@ -1529,10 +1532,10 @@ function createSP(config, baseURL, providerId, opts) {
 		wantLogoutRequestSigned: opts?.sloOptions?.wantLogoutRequestSigned ?? false,
 		wantLogoutResponseSigned: opts?.sloOptions?.wantLogoutResponseSigned ?? false,
 		metadata: spData?.metadata,
-		privateKey: spData?.privateKey || config.privateKey,
+		privateKey: normalizePem(spData?.privateKey || config.privateKey),
 		privateKeyPass: spData?.privateKeyPass,
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
-		encPrivateKey: spData?.encPrivateKey,
+		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
 		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0,
 		relayState: opts?.relayState
@@ -1542,10 +1545,10 @@ function createIdP(config) {
 	const idpData = config.idpMetadata;
 	if (idpData?.metadata) return saml.IdentityProvider({
 		metadata: idpData.metadata,
-		privateKey: idpData.privateKey,
+		privateKey: normalizePem(idpData.privateKey),
 		privateKeyPass: idpData.privateKeyPass,
 		isAssertionEncrypted: idpData.isAssertionEncrypted,
-		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKey: normalizePem(idpData.encPrivateKey),
 		encPrivateKeyPass: idpData.encPrivateKeyPass
 	});
 	return saml.IdentityProvider({
@@ -1558,7 +1561,7 @@ function createIdP(config) {
 		signingCert: idpData?.cert || config.cert,
 		wantAuthnRequestsSigned: config.authnRequestsSigned || false,
 		isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-		encPrivateKey: idpData?.encPrivateKey,
+		encPrivateKey: normalizePem(idpData?.encPrivateKey),
 		encPrivateKeyPass: idpData?.encPrivateKeyPass
 	});
 }
@@ -1792,12 +1795,16 @@ async function processSAMLResponse(ctx, params, options) {
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
+	const attr = (key) => {
+		const value = attributes[key];
+		return Array.isArray(value) ? value[0] : value;
+	};
 	const userInfo = {
 		...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
-		id: attributes[mapping.id || "nameID"] || extract.nameID,
-		email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
-		name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
+		id: attr(mapping.id || "nameID") || extract.nameID,
+		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
+		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1867,6 +1874,7 @@ async function processSAMLResponse(ctx, params, options) {
 		const samlSessionKey = `${SAML_SESSION_KEY_PREFIX}${providerId}:${extract.nameID}`;
 		const samlSessionData = {
 			sessionId: session.id,
+			sessionToken: session.token,
 			providerId,
 			nameID: extract.nameID,
 			sessionIndex: extract.sessionIndex
@@ -2543,7 +2551,7 @@ const signInSSO = (options) => {
 			const sp = saml.ServiceProvider({
 				metadata,
 				allowCreate: true,
-				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
+				privateKey: normalizePem(parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey),
 				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
 				relayState
 			});
@@ -2558,15 +2566,15 @@ const signInSSO = (options) => {
 				signingCert: idpData?.cert || parsedSamlConfig.cert,
 				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
 				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-				encPrivateKey: idpData?.encPrivateKey,
+				encPrivateKey: normalizePem(idpData?.encPrivateKey),
 				encPrivateKeyPass: idpData?.encPrivateKeyPass
 			});
 			else idp = saml.IdentityProvider({
 				metadata: idpData.metadata,
-				privateKey: idpData.privateKey,
+				privateKey: normalizePem(idpData.privateKey),
 				privateKeyPass: idpData.privateKeyPass,
 				isAssertionEncrypted: idpData.isAssertionEncrypted,
-				encPrivateKey: idpData.encPrivateKey,
+				encPrivateKey: normalizePem(idpData.encPrivateKey),
 				encPrivateKeyPass: idpData.encPrivateKeyPass
 			});
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
@@ -3007,7 +3015,7 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 	if (stored) {
 		const data = safeJsonParse(stored.value);
 		if (data) if (!sessionIndex || !data.sessionIndex || sessionIndex === data.sessionIndex) {
-			await ctx.context.internalAdapter.deleteSession(data.sessionId).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
+			await ctx.context.internalAdapter.deleteSession(data.sessionToken).catch((e) => ctx.context.logger.warn("Failed to delete session during SLO", { error: e }));
 			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${SAML_SESSION_BY_ID_PREFIX}${data.sessionId}`).catch((e) => ctx.context.logger.warn("Failed to delete SAML session lookup during SLO", e));
 		} else ctx.context.logger.warn("SessionIndex mismatch in LogoutRequest - skipping session deletion", {
 			providerId,
@@ -3017,10 +3025,9 @@ async function handleLogoutRequest(ctx, sp, idp, relayState, providerId) {
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(key).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during SLO", e));
 	}
 	const currentSession = await getSessionFromCtx(ctx);
-	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.id);
+	if (currentSession?.session) await ctx.context.internalAdapter.deleteSession(currentSession.session.token);
 	deleteSessionCookie(ctx);
-	const requestId = parsed.extract.request?.id || "";
-	const res = sp.createLogoutResponse(idp, null, binding, relayState || "", (template) => template.replace("{InResponseTo}", requestId).replace("{StatusCode}", SAML_STATUS_SUCCESS));
+	const res = sp.createLogoutResponse(idp, parsed, binding, relayState || "");
 	if (binding === "post" && res.entityEndpoint) return createSAMLPostForm(res.entityEndpoint, "SAMLResponse", res.context, relayState);
 	throw ctx.redirect(res.context);
 }
@@ -3073,7 +3080,7 @@ const initiateSLO = (options) => {
 		});
 		if (samlSessionKey) await ctx.context.internalAdapter.deleteVerificationByIdentifier(samlSessionKey).catch((e) => ctx.context.logger.warn("Failed to delete SAML session key during logout", e));
 		await ctx.context.internalAdapter.deleteVerificationByIdentifier(sessionLookupKey).catch((e) => ctx.context.logger.warn("Failed to delete session lookup key during logout", e));
-		await ctx.context.internalAdapter.deleteSession(session.session.id);
+		await ctx.context.internalAdapter.deleteSession(session.session.token);
 		deleteSessionCookie(ctx);
 		throw ctx.redirect(logoutRequest.context);
 	});

package/dist/{version-dnGn0OgM.mjs → version-BcVD6vO4.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.12";
+const PACKAGE_VERSION = "1.6.13";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.12",
+  "version": "1.6.13",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -58,7 +58,7 @@
   "dependencies": {
     "fast-xml-parser": "^5.8.0",
     "jose": "^6.1.3",
-    "samlify": "~2.10.2",
+    "samlify": "^2.13.1",
     "tldts": "^6.1.0",
     "zod": "^4.3.6"
   },
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.12",
-    "better-auth": "1.6.12"
+    "@better-auth/core": "1.6.13",
+    "better-auth": "1.6.13"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.12",
-    "better-auth": "^1.6.12"
+    "@better-auth/core": "^1.6.13",
+    "better-auth": "^1.6.13"
   },
   "scripts": {
     "build": "tsdown",