npm - @better-auth/sso - Versions diffs - 1.6.15 → 1.6.17 - Mend

@better-auth/sso 1.6.15 → 1.6.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/{index-DbZYHOJt.d.mts → index-D9brFUE1.d.mts} +2 -2
package/dist/index.d.mts +1 -1
package/dist/index.mjs +249 -220
package/dist/{version-BPpah8cV.mjs → version-BeZU0Td6.mjs} +1 -1
package/package.json +8 -8

package/dist/client.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DbZYHOJt.mjs";
+import { t as SSOPlugin } from "./index-D9brFUE1.mjs";
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BPpah8cV.mjs";
+import { t as PACKAGE_VERSION } from "./version-BeZU0Td6.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-DbZYHOJt.d.mts → index-D9brFUE1.d.mts} RENAMED Viewed

@@ -1359,7 +1359,7 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
   allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
 }, void>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
-  method: ("POST" | "GET")[];
+  method: ("GET" | "POST")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
@@ -1410,7 +1410,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
-  method: ("POST" | "GET")[];
+  method: ("GET" | "POST")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLRequest: z.ZodOptional<z.ZodString>;
     SAMLResponse: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DbZYHOJt.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-D9brFUE1.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs CHANGED Viewed

@@ -1,11 +1,11 @@
-import { t as PACKAGE_VERSION } from "./version-BPpah8cV.mjs";
+import { t as PACKAGE_VERSION } from "./version-BeZU0Td6.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { base64 } from "@better-auth/utils/base64";
 import { isAPIError } from "@better-auth/core/utils/is-api-error";
@@ -24,8 +24,6 @@ import samlifyDefault from "samlify";
 */
 /** Prefix for AuthnRequest IDs used in InResponseTo validation */
 const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Prefix for used Assertion IDs used in replay protection */
-const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
 /** Prefix for SAML session data (NameID + SessionIndex) for SLO */
 const SAML_SESSION_KEY_PREFIX = "saml-session:";
 /** Prefix for reverse lookup of SAML session by Better Auth session ID */
@@ -86,6 +84,16 @@ const domainMatches = (searchDomain, domainList) => {
 	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
 };
 /**
+* Strictly parse a provider-supplied email-verification claim.
+*
+* OIDC userInfo, OIDC id-token, and SAML attribute values are frequently
+* strings, so a loose `Boolean(value)` or truthy fallback treats the string
+* `"false"` as verified. Only a boolean `true` or the exact string `"true"`
+* count as verified; every other value, including `"false"`, `"0"`, `""`,
+* numbers, arrays, and objects, is unverified.
+*/
+const parseProviderEmailVerified = (value) => value === true || value === "true";
+/**
 * Validates email domain against allowed domain(s).
 * Supports comma-separated domains for multi-domain SSO.
 */
@@ -211,171 +219,6 @@ async function assignOrganizationByDomain(ctx, options) {
 	});
 }
 //#endregion
-//#region src/routes/domain-verification.ts
-const DNS_LABEL_MAX_LENGTH = 63;
-const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z.object({ providerId: z.string() });
-function getVerificationIdentifier(options, providerId) {
-	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
-}
-const requestDomainVerification = (options) => {
-	return createAuthEndpoint("/sso/request-domain-verification", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Request a domain verification",
-			description: "Request a domain verification for the given SSO provider",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified" },
-				"201": { description: "Domain submitted for verification" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
-			ctx.setStatus(201);
-			return ctx.json({ domainVerificationToken: activeVerification.value });
-		}
-		const domainVerificationToken = generateRandomString(24);
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier,
-			value: domainVerificationToken,
-			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
-		});
-		ctx.setStatus(201);
-		return ctx.json({ domainVerificationToken });
-	});
-};
-const verifyDomain = (options) => {
-	return createAuthEndpoint("/sso/verify-domain", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Verify the provider domain ownership",
-			description: "Verify the provider domain ownership via DNS records",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified or no pending verification exists" },
-				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
-				"204": { description: "Domain ownership was verified" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
-			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
-			code: "IDENTIFIER_TOO_LONG"
-		});
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
-			message: "No pending domain verification exists",
-			code: "NO_PENDING_VERIFICATION"
-		});
-		let records = [];
-		let dns;
-		try {
-			dns = await import("node:dns/promises");
-		} catch (error) {
-			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
-			throw new APIError("INTERNAL_SERVER_ERROR", {
-				message: "Unable to verify domain ownership due to server error",
-				code: "DOMAIN_VERIFICATION_FAILED"
-			});
-		}
-		const hostname = getHostnameFromDomain(provider.domain);
-		if (!hostname) throw new APIError("BAD_REQUEST", {
-			message: "Invalid domain",
-			code: "INVALID_DOMAIN"
-		});
-		try {
-			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
-		} catch (error) {
-			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
-		}
-		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
-			message: "Unable to verify domain ownership. Try again later",
-			code: "DOMAIN_VERIFICATION_FAILED"
-		});
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: provider.providerId
-			}],
-			update: { domainVerified: true }
-		});
-		ctx.setStatus(204);
-	});
-};
-//#endregion
 //#region src/oidc/types.ts
 /**
 * Custom error class for OIDC discovery failures.
@@ -527,6 +370,75 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
 }
 /**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateSkipDiscoveryEndpoint} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
+	try {
+		dns = await import("node:dns/promises");
+	} catch {
+		return;
+	}
+	let resolved;
+	try {
+		resolved = await dns.lookup(host, { all: true });
+	} catch {
+		return;
+	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
+}
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). Runs the synchronous host classification plus the
+* best-effort DNS resolution check. `authorizationEndpoint` is intentionally
+* excluded — it is a browser redirect target, not a server-side fetch, so these
+* checks don't apply to it.
+*/
+async function assertOIDCEndpointsResolvePublic(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+		await assertEndpointResolvesPublic(name, url, isTrustedOrigin);
+	}
+}
+/**
 * Fetch the OIDC discovery document from the IdP.
 *
 * @param url - The discovery endpoint URL
@@ -538,7 +450,8 @@ async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT)
 	try {
 		const response = await betterFetch(url, {
 			method: "GET",
-			timeout
+			timeout,
+			redirect: "error"
 		});
 		if (response.error) {
 			const { status } = response.error;
@@ -706,20 +619,24 @@ function needsRuntimeDiscovery(config) {
 * Throws if discovery fails.
 */
 async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
+	}
+	await assertOIDCEndpointsResolvePublic(resolved, isTrustedOrigin);
+	return resolved;
 }
 //#endregion
 //#region src/oidc/errors.ts
@@ -1431,6 +1348,119 @@ const deleteSSOProvider = () => {
 	});
 };
 //#endregion
+//#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
+const requestDomainVerification = (options) => {
+	return createAuthEndpoint("/sso/request-domain-verification", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Request a domain verification",
+			description: "Request a domain verification for the given SSO provider",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified" },
+				"201": { description: "Domain submitted for verification" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
+			ctx.setStatus(201);
+			return ctx.json({ domainVerificationToken: activeVerification.value });
+		}
+		const domainVerificationToken = generateRandomString(24);
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier,
+			value: domainVerificationToken,
+			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+		});
+		ctx.setStatus(201);
+		return ctx.json({ domainVerificationToken });
+	});
+};
+const verifyDomain = (options) => {
+	return createAuthEndpoint("/sso/verify-domain", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Verify the provider domain ownership",
+			description: "Verify the provider domain ownership via DNS records",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified or no pending verification exists" },
+				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
+				"204": { description: "Domain ownership was verified" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
+			message: "No pending domain verification exists",
+			code: "NO_PENDING_VERIFICATION"
+		});
+		let records = [];
+		let dns;
+		try {
+			dns = await import("node:dns/promises");
+		} catch (error) {
+			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "Unable to verify domain ownership due to server error",
+				code: "DOMAIN_VERIFICATION_FAILED"
+			});
+		}
+		const hostname = getHostnameFromDomain(provider.domain);
+		if (!hostname) throw new APIError("BAD_REQUEST", {
+			message: "Invalid domain",
+			code: "INVALID_DOMAIN"
+		});
+		try {
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
+		} catch (error) {
+			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
+		}
+		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
+			message: "Unable to verify domain ownership. Try again later",
+			code: "DOMAIN_VERIFICATION_FAILED"
+		});
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: provider.providerId
+			}],
+			update: { domainVerified: true }
+		});
+		ctx.setStatus(204);
+	});
+};
+//#endregion
 //#region src/saml/error-codes.ts
 const SAML_ERROR_CODES = defineErrorCodes({
 	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
@@ -1727,11 +1757,10 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.saml?.enableInResponseToValidation !== false) {
 		const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
 		if (inResponseTo) {
+			const consumed = await ctx.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			let storedRequest = null;
-			const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-			if (verification) try {
-				storedRequest = JSON.parse(verification.value);
-				if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+			if (consumed) try {
+				storedRequest = JSON.parse(consumed.value);
 			} catch {
 				storedRequest = null;
 			}
@@ -1748,10 +1777,8 @@ async function processSAMLResponse(ctx, params, options) {
 					expectedProvider: storedRequest.providerId,
 					actualProvider: providerId
 				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 				throw ctx.redirect(`${samlRedirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
 			}
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 		} else if (!allowIdpInitiated) {
 			ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
 			throw ctx.redirect(`${samlRedirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
@@ -1764,26 +1791,8 @@ async function processSAMLResponse(ctx, params, options) {
 		const conditions = extract.conditions;
 		const clockSkew = options?.saml?.clockSkew ?? 3e5;
 		const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
-		const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
-		let isReplay = false;
-		if (existingAssertion) try {
-			if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
-		} catch (error) {
-			ctx.context.logger.warn("Failed to parse stored assertion record", {
-				assertionId,
-				error
-			});
-		}
-		if (isReplay) {
-			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
-				assertionId,
-				issuer,
-				providerId
-			});
-			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
-		}
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
+		if (!await ctx.context.internalAdapter.reserveVerificationValue({
+			identifier: `saml-used-assertion:${assertionId}`,
 			value: JSON.stringify({
 				assertionId,
 				issuer,
@@ -1792,7 +1801,14 @@ async function processSAMLResponse(ctx, params, options) {
 				expiresAt
 			}),
 			expiresAt: new Date(expiresAt)
-		});
+		})) {
+			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+				assertionId,
+				issuer,
+				providerId
+			});
+			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+		}
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
@@ -1805,7 +1821,7 @@ async function processSAMLResponse(ctx, params, options) {
 		id: attr(mapping.id || "nameID") || extract.nameID,
 		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
 		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? parseProviderEmailVerified(attr(mapping.emailVerified)) : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1816,7 +1832,7 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
 	const errorUrl = relayState?.errorURL || samlRedirectUrl;
 	let result;
@@ -1826,7 +1842,7 @@ async function processSAMLResponse(ctx, params, options) {
 				email: userInfo.email,
 				name: userInfo.name || userInfo.email,
 				id: userInfo.id,
-				emailVerified: Boolean(userInfo.emailVerified)
+				emailVerified: userInfo.emailVerified
 			},
 			account: {
 				providerId,
@@ -1836,7 +1852,8 @@ async function processSAMLResponse(ctx, params, options) {
 			},
 			callbackURL: callbackUrl,
 			disableSignUp: options?.disableImplicitSignUp,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -1861,7 +1878,7 @@ async function processSAMLResponse(ctx, params, options) {
 			providerId,
 			accountId: userInfo.id,
 			email: userInfo.email,
-			emailVerified: Boolean(userInfo.emailVerified),
+			emailVerified: userInfo.emailVerified,
 			rawAttributes: attributes
 		},
 		provider,
@@ -2227,6 +2244,14 @@ const registerSSOProvider = (options) => {
 			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
 			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
+		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
 			where: [{
@@ -2687,14 +2712,17 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	let userInfo = null;
 	const mapping = config.mapping || {};
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, {
+			headers: { Authorization: `Bearer ${tokenResponse.accessToken}` },
+			redirect: "error"
+		});
 		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 		const rawUserInfo = userInfoResponse.data;
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
 			id: rawUserInfo[mapping.id || "sub"],
 			email: rawUserInfo[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(rawUserInfo[mapping.emailVerified || "email_verified"]) : false,
 			name: rawUserInfo[mapping.name || "name"],
 			image: rawUserInfo[mapping.image || "picture"]
 		};
@@ -2713,7 +2741,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 			id: idToken[mapping.id || "sub"],
 			email: idToken[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(idToken[mapping.emailVerified || "email_verified"]) : false,
 			name: idToken[mapping.name || "name"],
 			image: idToken[mapping.image || "picture"]
 		};
@@ -2743,7 +2771,8 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {

package/dist/{version-BPpah8cV.mjs → version-BeZU0Td6.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.15";
+const PACKAGE_VERSION = "1.6.17";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.15",
+  "version": "1.6.17",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -65,20 +65,20 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.6",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "body-parser": "^2.2.2",
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.15",
-    "better-auth": "1.6.15"
+    "better-auth": "1.6.17",
+    "@better-auth/core": "1.6.17"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.15",
-    "better-auth": "^1.6.15"
+    "@better-fetch/fetch": "1.3.0",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.6.17",
+    "better-auth": "^1.6.17"
   },
   "scripts": {
     "build": "tsdown",