@better-auth/sso 1.6.15 → 1.6.16

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BPpah8cV.mjs";
+import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,11 +1,11 @@
-import { t as PACKAGE_VERSION } from "./version-BPpah8cV.mjs";
+import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { base64 } from "@better-auth/utils/base64";
 import { isAPIError } from "@better-auth/core/utils/is-api-error";
@@ -527,6 +527,75 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
 }
 /**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateSkipDiscoveryEndpoint} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
+	try {
+		dns = await import("node:dns/promises");
+	} catch {
+		return;
+	}
+	let resolved;
+	try {
+		resolved = await dns.lookup(host, { all: true });
+	} catch {
+		return;
+	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
+}
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). Runs the synchronous host classification plus the
+* best-effort DNS resolution check. `authorizationEndpoint` is intentionally
+* excluded — it is a browser redirect target, not a server-side fetch, so these
+* checks don't apply to it.
+*/
+async function assertOIDCEndpointsResolvePublic(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+		await assertEndpointResolvesPublic(name, url, isTrustedOrigin);
+	}
+}
+/**
 * Fetch the OIDC discovery document from the IdP.
 *
 * @param url - The discovery endpoint URL
@@ -538,7 +607,8 @@ async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT)
 	try {
 		const response = await betterFetch(url, {
 			method: "GET",
-			timeout
+			timeout,
+			redirect: "error"
 		});
 		if (response.error) {
 			const { status } = response.error;
@@ -706,20 +776,24 @@ function needsRuntimeDiscovery(config) {
 * Throws if discovery fails.
 */
 async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
+	}
+	await assertOIDCEndpointsResolvePublic(resolved, isTrustedOrigin);
+	return resolved;
 }
 //#endregion
 //#region src/oidc/errors.ts
@@ -1727,11 +1801,10 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.saml?.enableInResponseToValidation !== false) {
 		const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
 		if (inResponseTo) {
+			const consumed = await ctx.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			let storedRequest = null;
-			const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-			if (verification) try {
-				storedRequest = JSON.parse(verification.value);
-				if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+			if (consumed) try {
+				storedRequest = JSON.parse(consumed.value);
 			} catch {
 				storedRequest = null;
 			}
@@ -1748,10 +1821,8 @@ async function processSAMLResponse(ctx, params, options) {
 					expectedProvider: storedRequest.providerId,
 					actualProvider: providerId
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 				throw ctx.redirect(`${samlRedirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 			}
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 		} else if (!allowIdpInitiated) {
 			ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
 			throw ctx.redirect(`${samlRedirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
@@ -1816,7 +1887,7 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 	const errorUrl = relayState?.errorURL || samlRedirectUrl;
 	let result;
@@ -1836,7 +1907,8 @@ async function processSAMLResponse(ctx, params, options) {
 			},
 			callbackURL: callbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2227,6 +2299,14 @@ const registerSSOProvider = (options) => {
 			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
 			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
+		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
 			where: [{
@@ -2687,7 +2767,10 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	let userInfo = null;
 	const mapping = config.mapping || {};
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, {
+			headers: { Authorization: `Bearer ${tokenResponse.accessToken}` },
+			redirect: "error"
+		});
 		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 		const rawUserInfo = userInfoResponse.data;
 		userInfo = {
@@ -2743,7 +2826,8 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {

package/dist/{version-BPpah8cV.mjs → version-KncHedVM.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.15";
+const PACKAGE_VERSION = "1.6.16";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.15",
+  "version": "1.6.16",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -65,20 +65,20 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.6",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "body-parser": "^2.2.2",
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.15",
-    "better-auth": "1.6.15"
+    "@better-auth/core": "1.6.16",
+    "better-auth": "1.6.16"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.15",
-    "better-auth": "^1.6.15"
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.6.16",
+    "better-auth": "^1.6.16"
   },
   "scripts": {
     "build": "tsdown",