npm - @better-auth/sso - Versions diffs - 1.6.14 → 1.6.16 - Mend

@better-auth/sso 1.6.14 → 1.6.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/client.mjs +1 -1
package/dist/index.mjs +114 -29
package/dist/{version-ekzjMTDh.mjs → version-KncHedVM.mjs} +1 -1
package/package.json +8 -8

package/dist/client.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-ekzjMTDh.mjs";
+import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs CHANGED Viewed

@@ -1,11 +1,11 @@
-import { t as PACKAGE_VERSION } from "./version-ekzjMTDh.mjs";
+import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { base64 } from "@better-auth/utils/base64";
 import { isAPIError } from "@better-auth/core/utils/is-api-error";
@@ -527,6 +527,75 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
 }
 /**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateSkipDiscoveryEndpoint} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
+	try {
+		dns = await import("node:dns/promises");
+	} catch {
+		return;
+	}
+	let resolved;
+	try {
+		resolved = await dns.lookup(host, { all: true });
+	} catch {
+		return;
+	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
+}
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). Runs the synchronous host classification plus the
+* best-effort DNS resolution check. `authorizationEndpoint` is intentionally
+* excluded — it is a browser redirect target, not a server-side fetch, so these
+* checks don't apply to it.
+*/
+async function assertOIDCEndpointsResolvePublic(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+		await assertEndpointResolvesPublic(name, url, isTrustedOrigin);
+	}
+}
+/**
 * Fetch the OIDC discovery document from the IdP.
 *
 * @param url - The discovery endpoint URL
@@ -538,7 +607,8 @@ async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT)
 	try {
 		const response = await betterFetch(url, {
 			method: "GET",
-			timeout
+			timeout,
+			redirect: "error"
 		});
 		if (response.error) {
 			const { status } = response.error;
@@ -706,20 +776,24 @@ function needsRuntimeDiscovery(config) {
 * Throws if discovery fails.
 */
 async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
+	}
+	await assertOIDCEndpointsResolvePublic(resolved, isTrustedOrigin);
+	return resolved;
 }
 //#endregion
 //#region src/oidc/errors.ts
@@ -1538,7 +1612,8 @@ function createSP(config, baseURL, providerId, opts) {
 		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
 		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0,
-		relayState: opts?.relayState
+		relayState: opts?.relayState,
+		clockDrifts: opts?.clockSkew && opts?.clockSkew !== 0 ? [-opts.clockSkew, opts.clockSkew] : void 0
 	});
 }
 function createIdP(config) {
@@ -1694,7 +1769,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 	const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
+	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId, { clockSkew: options?.saml?.clockSkew });
 	const idp = createIdP(parsedSamlConfig);
 	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
@@ -1726,11 +1801,10 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.saml?.enableInResponseToValidation !== false) {
 		const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
 		if (inResponseTo) {
+			const consumed = await ctx.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			let storedRequest = null;
-			const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-			if (verification) try {
-				storedRequest = JSON.parse(verification.value);
-				if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+			if (consumed) try {
+				storedRequest = JSON.parse(consumed.value);
 			} catch {
 				storedRequest = null;
 			}
@@ -1747,10 +1821,8 @@ async function processSAMLResponse(ctx, params, options) {
 					expectedProvider: storedRequest.providerId,
 					actualProvider: providerId
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 				throw ctx.redirect(`${samlRedirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 			}
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 		} else if (!allowIdpInitiated) {
 			ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
 			throw ctx.redirect(`${samlRedirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
@@ -1815,7 +1887,7 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 	const errorUrl = relayState?.errorURL || samlRedirectUrl;
 	let result;
@@ -1835,7 +1907,8 @@ async function processSAMLResponse(ctx, params, options) {
 			},
 			callbackURL: callbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2226,6 +2299,14 @@ const registerSSOProvider = (options) => {
 			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
 			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
+		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
 			where: [{
@@ -2686,7 +2767,10 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	let userInfo = null;
 	const mapping = config.mapping || {};
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, {
+			headers: { Authorization: `Bearer ${tokenResponse.accessToken}` },
+			redirect: "error"
+		});
 		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 		const rawUserInfo = userInfoResponse.data;
 		userInfo = {
@@ -2742,7 +2826,8 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {

package/dist/{version-ekzjMTDh.mjs → version-KncHedVM.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.14";
+const PACKAGE_VERSION = "1.6.16";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.14",
+  "version": "1.6.16",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -65,20 +65,20 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.6",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "body-parser": "^2.2.2",
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.14",
-    "better-auth": "1.6.14"
+    "@better-auth/core": "1.6.16",
+    "better-auth": "1.6.16"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.14",
-    "better-auth": "^1.6.14"
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.6.16",
+    "better-auth": "^1.6.16"
   },
   "scripts": {
     "build": "tsdown",