@better-auth/sso 1.7.0-beta.0 → 1.7.0-beta.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/client.d.mts +10 -1
- package/dist/client.mjs +1 -1
- package/dist/{index-DVg_iWRX.d.mts → index-A_DJ_AqL.d.mts} +208 -195
- package/dist/index.d.mts +1 -1
- package/dist/index.mjs +2420 -1730
- package/dist/{version-CzfTSPRz.mjs → version-C-W6yUfI.mjs} +1 -1
- package/package.json +14 -14
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { APIError } from "better-auth/api";
|
|
2
2
|
import * as z from "zod";
|
|
3
|
-
import {
|
|
3
|
+
import { DBFieldAttribute, FieldAttributeToObject, InferAdditionalFieldsFromPluginOptions, RemoveFieldsWithReturnedFalse } from "better-auth/db";
|
|
4
|
+
import { Awaitable, OAuth2Tokens, User } from "better-auth";
|
|
4
5
|
import * as better_call0 from "better-call";
|
|
5
6
|
|
|
6
7
|
//#region src/saml/algorithms.d.ts
|
|
@@ -79,19 +80,53 @@ interface OIDCConfig {
|
|
|
79
80
|
privateKeyAlgorithm?: string | undefined;
|
|
80
81
|
jwksEndpoint?: string | undefined;
|
|
81
82
|
mapping?: OIDCMapping | undefined;
|
|
83
|
+
/**
|
|
84
|
+
* Accept callbacks from OIDC providers that initiate the OAuth flow
|
|
85
|
+
* without sending a `state` parameter. When enabled, stateless callbacks
|
|
86
|
+
* restart the OAuth flow server-side with a fresh `state` and PKCE
|
|
87
|
+
* verifier. See the SSO docs for details.
|
|
88
|
+
*
|
|
89
|
+
* @default false
|
|
90
|
+
*/
|
|
91
|
+
allowIdpInitiated?: boolean | undefined;
|
|
82
92
|
}
|
|
83
93
|
interface SAMLConfig {
|
|
94
|
+
/**
|
|
95
|
+
* SP Entity ID. Used as the `entityID` in SP metadata when
|
|
96
|
+
* `spMetadata.entityID` is not set. Also used as the expected
|
|
97
|
+
* audience for SAML assertion validation when `audience` is not set.
|
|
98
|
+
*/
|
|
84
99
|
issuer: string;
|
|
100
|
+
/**
|
|
101
|
+
* IdP SSO URL. Used as the redirect destination when
|
|
102
|
+
* `idpMetadata.metadata` is not provided. Ignored when
|
|
103
|
+
* IdP metadata XML is set (the SSO URL is extracted from the XML).
|
|
104
|
+
*/
|
|
85
105
|
entryPoint: string;
|
|
86
|
-
|
|
87
|
-
|
|
106
|
+
/**
|
|
107
|
+
* IdP signing certificate(s). Used to verify SAML response signatures when
|
|
108
|
+
* `idpMetadata.metadata` is not provided. Ignored when IdP metadata XML is
|
|
109
|
+
* set (the certificate is extracted from the XML). When both this and
|
|
110
|
+
* `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence. Pass an
|
|
111
|
+
* array of PEM strings for rolling rotation; responses signed by any
|
|
112
|
+
* listed cert are accepted.
|
|
113
|
+
*/
|
|
114
|
+
cert?: string | string[];
|
|
88
115
|
audience?: string | undefined;
|
|
116
|
+
/**
|
|
117
|
+
* Provider-level post-auth redirect URL for IdP-initiated or fallback SAML
|
|
118
|
+
* flows when no RelayState callback URL is available.
|
|
119
|
+
*/
|
|
120
|
+
callbackUrl?: string | undefined;
|
|
89
121
|
idpMetadata?: {
|
|
90
122
|
metadata?: string;
|
|
91
123
|
entityID?: string;
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
124
|
+
/**
|
|
125
|
+
* IdP signing certificate(s). Pass a single PEM string or an array
|
|
126
|
+
* for rolling rotation. Takes precedence over the top-level `cert`
|
|
127
|
+
* when both are set. Omit when `metadata` XML is supplied.
|
|
128
|
+
*/
|
|
129
|
+
cert?: string | string[];
|
|
95
130
|
privateKey?: string;
|
|
96
131
|
privateKeyPass?: string;
|
|
97
132
|
isAssertionEncrypted?: boolean;
|
|
@@ -106,7 +141,12 @@ interface SAMLConfig {
|
|
|
106
141
|
Location: string;
|
|
107
142
|
}>;
|
|
108
143
|
} | undefined;
|
|
109
|
-
|
|
144
|
+
/**
|
|
145
|
+
* SP metadata configuration. All fields are optional; when omitted,
|
|
146
|
+
* SP metadata is auto-generated from `issuer`, `wantAssertionsSigned`,
|
|
147
|
+
* `authnRequestsSigned`, and `identifierFormat`.
|
|
148
|
+
*/
|
|
149
|
+
spMetadata?: {
|
|
110
150
|
metadata?: string | undefined;
|
|
111
151
|
entityID?: string | undefined;
|
|
112
152
|
binding?: string | undefined;
|
|
@@ -116,14 +156,17 @@ interface SAMLConfig {
|
|
|
116
156
|
encPrivateKey?: string | undefined;
|
|
117
157
|
encPrivateKeyPass?: string | undefined;
|
|
118
158
|
};
|
|
159
|
+
/**
|
|
160
|
+
* Request signed assertions from the IdP. When true, the SP metadata
|
|
161
|
+
* advertises `WantAssertionsSigned="true"` and samlify will reject
|
|
162
|
+
* unsigned assertions.
|
|
163
|
+
*/
|
|
119
164
|
wantAssertionsSigned?: boolean | undefined;
|
|
120
165
|
authnRequestsSigned?: boolean | undefined;
|
|
121
166
|
signatureAlgorithm?: string | undefined;
|
|
122
167
|
digestAlgorithm?: string | undefined;
|
|
123
168
|
identifierFormat?: string | undefined;
|
|
124
169
|
privateKey?: string | undefined;
|
|
125
|
-
decryptionPvk?: string | undefined;
|
|
126
|
-
additionalParams?: Record<string, any> | undefined;
|
|
127
170
|
mapping?: SAMLMapping | undefined;
|
|
128
171
|
}
|
|
129
172
|
type BaseSSOProvider = {
|
|
@@ -135,11 +178,32 @@ type BaseSSOProvider = {
|
|
|
135
178
|
organizationId?: string | undefined;
|
|
136
179
|
domain: string;
|
|
137
180
|
};
|
|
181
|
+
type SSOProviderAdditionalFields<O extends SSOOptions, IsClientSide extends boolean> = O["schema"] extends {
|
|
182
|
+
ssoProvider?: {
|
|
183
|
+
additionalFields: infer Field extends Record<string, DBFieldAttribute>;
|
|
184
|
+
};
|
|
185
|
+
} ? IsClientSide extends true ? FieldAttributeToObject<RemoveFieldsWithReturnedFalse<Field>> : FieldAttributeToObject<Field> : {};
|
|
186
|
+
type SSOProviderAdditionalFieldsInput<O extends SSOOptions, IsClientSide extends boolean = true> = InferAdditionalFieldsFromPluginOptions<"ssoProvider", O, IsClientSide>;
|
|
187
|
+
type InferSSOProvider<O extends SSOOptions, IsClientSide extends boolean = true> = (O["domainVerification"] extends {
|
|
188
|
+
enabled: true;
|
|
189
|
+
} ? {
|
|
190
|
+
domainVerified: boolean;
|
|
191
|
+
} & BaseSSOProvider : BaseSSOProvider) & SSOProviderAdditionalFields<O, IsClientSide>;
|
|
138
192
|
type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
|
|
139
193
|
enabled: true;
|
|
140
194
|
} ? {
|
|
141
195
|
domainVerified: boolean;
|
|
142
|
-
} & BaseSSOProvider : BaseSSOProvider
|
|
196
|
+
} & BaseSSOProvider & SSOProviderAdditionalFields<O, false> : BaseSSOProvider & SSOProviderAdditionalFields<O, false>;
|
|
197
|
+
type SSOProviderSchema<O extends SSOOptions> = {
|
|
198
|
+
ssoProvider: {
|
|
199
|
+
modelName: string;
|
|
200
|
+
fields: Record<string, DBFieldAttribute> & (O["schema"] extends {
|
|
201
|
+
ssoProvider?: {
|
|
202
|
+
additionalFields: infer Field extends Record<string, DBFieldAttribute>;
|
|
203
|
+
};
|
|
204
|
+
} ? Field : {});
|
|
205
|
+
};
|
|
206
|
+
};
|
|
143
207
|
interface SSOOptions {
|
|
144
208
|
/**
|
|
145
209
|
* custom function to provision a user when they sign in with an SSO provider.
|
|
@@ -261,6 +325,25 @@ interface SSOOptions {
|
|
|
261
325
|
organizationId?: string | undefined;
|
|
262
326
|
domain?: string | undefined;
|
|
263
327
|
};
|
|
328
|
+
/**
|
|
329
|
+
* The schema for the SSO plugin.
|
|
330
|
+
*/
|
|
331
|
+
schema?: {
|
|
332
|
+
ssoProvider?: {
|
|
333
|
+
modelName?: string | undefined;
|
|
334
|
+
fields?: {
|
|
335
|
+
issuer?: string | undefined;
|
|
336
|
+
oidcConfig?: string | undefined;
|
|
337
|
+
samlConfig?: string | undefined;
|
|
338
|
+
userId?: string | undefined;
|
|
339
|
+
providerId?: string | undefined;
|
|
340
|
+
organizationId?: string | undefined;
|
|
341
|
+
domain?: string | undefined;
|
|
342
|
+
domainVerified?: string | undefined;
|
|
343
|
+
};
|
|
344
|
+
additionalFields?: { [key in string]: DBFieldAttribute };
|
|
345
|
+
};
|
|
346
|
+
} | undefined;
|
|
264
347
|
/**
|
|
265
348
|
* Configure the maximum number of SSO providers a user can register.
|
|
266
349
|
* You can also pass a function that returns a number.
|
|
@@ -555,8 +638,20 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
|
|
|
555
638
|
}>)[];
|
|
556
639
|
}, void>;
|
|
557
640
|
//#endregion
|
|
641
|
+
//#region src/utils.d.ts
|
|
642
|
+
declare function parseCertificate(certPem: string): {
|
|
643
|
+
fingerprintSha256: string;
|
|
644
|
+
notBefore: string;
|
|
645
|
+
notAfter: string;
|
|
646
|
+
publicKeyAlgorithm: string;
|
|
647
|
+
};
|
|
648
|
+
//#endregion
|
|
558
649
|
//#region src/routes/providers.d.ts
|
|
559
|
-
|
|
650
|
+
type ParsedCert = ReturnType<typeof parseCertificate>;
|
|
651
|
+
type SanitizedCert = ParsedCert | {
|
|
652
|
+
error: string;
|
|
653
|
+
};
|
|
654
|
+
declare const listSSOProviders: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers", {
|
|
560
655
|
method: "GET";
|
|
561
656
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
562
657
|
session: {
|
|
@@ -614,26 +709,18 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
|
|
|
614
709
|
} | undefined;
|
|
615
710
|
samlConfig: {
|
|
616
711
|
entryPoint: string;
|
|
617
|
-
callbackUrl: string;
|
|
618
712
|
audience: string | undefined;
|
|
619
713
|
wantAssertionsSigned: boolean | undefined;
|
|
620
714
|
authnRequestsSigned: boolean | undefined;
|
|
621
715
|
identifierFormat: string | undefined;
|
|
622
716
|
signatureAlgorithm: string | undefined;
|
|
623
717
|
digestAlgorithm: string | undefined;
|
|
624
|
-
certificate:
|
|
625
|
-
fingerprintSha256: string;
|
|
626
|
-
notBefore: string;
|
|
627
|
-
notAfter: string;
|
|
628
|
-
publicKeyAlgorithm: string;
|
|
629
|
-
} | {
|
|
630
|
-
error: string;
|
|
631
|
-
};
|
|
718
|
+
certificate: SanitizedCert[] | undefined;
|
|
632
719
|
} | undefined;
|
|
633
720
|
spMetadataUrl: string;
|
|
634
721
|
}[];
|
|
635
722
|
}>;
|
|
636
|
-
declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
|
|
723
|
+
declare const getSSOProvider: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/get-provider", {
|
|
637
724
|
method: "GET";
|
|
638
725
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
639
726
|
session: {
|
|
@@ -699,21 +786,13 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
|
|
|
699
786
|
} | undefined;
|
|
700
787
|
samlConfig: {
|
|
701
788
|
entryPoint: string;
|
|
702
|
-
callbackUrl: string;
|
|
703
789
|
audience: string | undefined;
|
|
704
790
|
wantAssertionsSigned: boolean | undefined;
|
|
705
791
|
authnRequestsSigned: boolean | undefined;
|
|
706
792
|
identifierFormat: string | undefined;
|
|
707
793
|
signatureAlgorithm: string | undefined;
|
|
708
794
|
digestAlgorithm: string | undefined;
|
|
709
|
-
certificate:
|
|
710
|
-
fingerprintSha256: string;
|
|
711
|
-
notBefore: string;
|
|
712
|
-
notAfter: string;
|
|
713
|
-
publicKeyAlgorithm: string;
|
|
714
|
-
} | {
|
|
715
|
-
error: string;
|
|
716
|
-
};
|
|
795
|
+
certificate: SanitizedCert[] | undefined;
|
|
717
796
|
} | undefined;
|
|
718
797
|
spMetadataUrl: string;
|
|
719
798
|
}>;
|
|
@@ -747,40 +826,41 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
747
826
|
domain: z.ZodOptional<z.ZodString>;
|
|
748
827
|
oidcConfig: z.ZodOptional<z.ZodObject<{
|
|
749
828
|
clientId: z.ZodOptional<z.ZodString>;
|
|
750
|
-
clientSecret: z.ZodOptional<z.ZodString
|
|
751
|
-
authorizationEndpoint: z.ZodOptional<z.ZodString
|
|
752
|
-
tokenEndpoint: z.ZodOptional<z.ZodString
|
|
753
|
-
userInfoEndpoint: z.ZodOptional<z.ZodString
|
|
754
|
-
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
829
|
+
clientSecret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
830
|
+
authorizationEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
831
|
+
tokenEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
832
|
+
userInfoEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
833
|
+
tokenEndpointAuthentication: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
|
|
755
834
|
client_secret_post: "client_secret_post";
|
|
756
835
|
client_secret_basic: "client_secret_basic";
|
|
757
836
|
private_key_jwt: "private_key_jwt";
|
|
758
|
-
}
|
|
759
|
-
privateKeyId: z.ZodOptional<z.ZodString
|
|
760
|
-
privateKeyAlgorithm: z.ZodOptional<z.ZodString
|
|
761
|
-
jwksEndpoint: z.ZodOptional<z.ZodString
|
|
762
|
-
discoveryEndpoint: z.ZodOptional<z.ZodString
|
|
763
|
-
|
|
764
|
-
|
|
765
|
-
|
|
766
|
-
|
|
767
|
-
|
|
768
|
-
|
|
837
|
+
}>>>;
|
|
838
|
+
privateKeyId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
839
|
+
privateKeyAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
840
|
+
jwksEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
841
|
+
discoveryEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
842
|
+
skipDiscovery: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
843
|
+
scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
|
|
844
|
+
pkce: z.ZodOptional<z.ZodOptional<z.ZodDefault<z.ZodBoolean>>>;
|
|
845
|
+
overrideUserInfo: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
846
|
+
mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
847
|
+
id: z.ZodString;
|
|
848
|
+
email: z.ZodString;
|
|
769
849
|
emailVerified: z.ZodOptional<z.ZodString>;
|
|
770
|
-
name: z.
|
|
850
|
+
name: z.ZodString;
|
|
771
851
|
image: z.ZodOptional<z.ZodString>;
|
|
772
852
|
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
773
|
-
}, z.core.$strip
|
|
853
|
+
}, z.core.$strip>>>;
|
|
774
854
|
}, z.core.$strip>>;
|
|
775
855
|
samlConfig: z.ZodOptional<z.ZodObject<{
|
|
776
856
|
entryPoint: z.ZodOptional<z.ZodString>;
|
|
777
|
-
cert: z.ZodOptional<z.ZodString
|
|
778
|
-
|
|
779
|
-
|
|
780
|
-
idpMetadata: z.ZodOptional<z.ZodObject<{
|
|
857
|
+
cert: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>>;
|
|
858
|
+
audience: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
859
|
+
callbackUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
860
|
+
idpMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
781
861
|
metadata: z.ZodOptional<z.ZodString>;
|
|
782
862
|
entityID: z.ZodOptional<z.ZodString>;
|
|
783
|
-
cert: z.ZodOptional<z.ZodString
|
|
863
|
+
cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
|
|
784
864
|
privateKey: z.ZodOptional<z.ZodString>;
|
|
785
865
|
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
786
866
|
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -790,8 +870,12 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
790
870
|
Binding: z.ZodString;
|
|
791
871
|
Location: z.ZodString;
|
|
792
872
|
}, z.core.$strip>>>;
|
|
793
|
-
|
|
794
|
-
|
|
873
|
+
singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
874
|
+
Binding: z.ZodString;
|
|
875
|
+
Location: z.ZodString;
|
|
876
|
+
}, z.core.$strip>>>;
|
|
877
|
+
}, z.core.$strip>>>;
|
|
878
|
+
spMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
795
879
|
metadata: z.ZodOptional<z.ZodString>;
|
|
796
880
|
entityID: z.ZodOptional<z.ZodString>;
|
|
797
881
|
binding: z.ZodOptional<z.ZodString>;
|
|
@@ -800,24 +884,22 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
800
884
|
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
801
885
|
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
802
886
|
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
803
|
-
}, z.core.$strip
|
|
804
|
-
wantAssertionsSigned: z.ZodOptional<z.ZodBoolean
|
|
805
|
-
authnRequestsSigned: z.ZodOptional<z.ZodBoolean
|
|
806
|
-
signatureAlgorithm: z.ZodOptional<z.ZodString
|
|
807
|
-
digestAlgorithm: z.ZodOptional<z.ZodString
|
|
808
|
-
identifierFormat: z.ZodOptional<z.ZodString
|
|
809
|
-
privateKey: z.ZodOptional<z.ZodString
|
|
810
|
-
|
|
811
|
-
|
|
812
|
-
|
|
813
|
-
id: z.ZodOptional<z.ZodString>;
|
|
814
|
-
email: z.ZodOptional<z.ZodString>;
|
|
887
|
+
}, z.core.$strip>>>;
|
|
888
|
+
wantAssertionsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
889
|
+
authnRequestsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
890
|
+
signatureAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
891
|
+
digestAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
892
|
+
identifierFormat: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
893
|
+
privateKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
894
|
+
mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
895
|
+
id: z.ZodString;
|
|
896
|
+
email: z.ZodString;
|
|
815
897
|
emailVerified: z.ZodOptional<z.ZodString>;
|
|
816
|
-
name: z.
|
|
898
|
+
name: z.ZodString;
|
|
817
899
|
firstName: z.ZodOptional<z.ZodString>;
|
|
818
900
|
lastName: z.ZodOptional<z.ZodString>;
|
|
819
901
|
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
820
|
-
}, z.core.$strip
|
|
902
|
+
}, z.core.$strip>>>;
|
|
821
903
|
}, z.core.$strip>>;
|
|
822
904
|
providerId: z.ZodString;
|
|
823
905
|
}, z.core.$strip>;
|
|
@@ -859,21 +941,13 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
859
941
|
} | undefined;
|
|
860
942
|
samlConfig: {
|
|
861
943
|
entryPoint: string;
|
|
862
|
-
callbackUrl: string;
|
|
863
944
|
audience: string | undefined;
|
|
864
945
|
wantAssertionsSigned: boolean | undefined;
|
|
865
946
|
authnRequestsSigned: boolean | undefined;
|
|
866
947
|
identifierFormat: string | undefined;
|
|
867
948
|
signatureAlgorithm: string | undefined;
|
|
868
949
|
digestAlgorithm: string | undefined;
|
|
869
|
-
certificate:
|
|
870
|
-
fingerprintSha256: string;
|
|
871
|
-
notBefore: string;
|
|
872
|
-
notAfter: string;
|
|
873
|
-
publicKeyAlgorithm: string;
|
|
874
|
-
} | {
|
|
875
|
-
error: string;
|
|
876
|
-
};
|
|
950
|
+
certificate: SanitizedCert[] | undefined;
|
|
877
951
|
} | undefined;
|
|
878
952
|
spMetadataUrl: string;
|
|
879
953
|
}>;
|
|
@@ -932,10 +1006,6 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
|
|
|
932
1006
|
method: "GET";
|
|
933
1007
|
query: z.ZodObject<{
|
|
934
1008
|
providerId: z.ZodString;
|
|
935
|
-
format: z.ZodDefault<z.ZodEnum<{
|
|
936
|
-
json: "json";
|
|
937
|
-
xml: "xml";
|
|
938
|
-
}>>;
|
|
939
1009
|
}, z.core.$strip>;
|
|
940
1010
|
metadata: {
|
|
941
1011
|
openapi: {
|
|
@@ -953,85 +1023,7 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
|
|
|
953
1023
|
declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
|
|
954
1024
|
method: "POST";
|
|
955
1025
|
body: z.ZodObject<{
|
|
956
|
-
|
|
957
|
-
issuer: z.ZodString;
|
|
958
|
-
domain: z.ZodString;
|
|
959
|
-
oidcConfig: z.ZodOptional<z.ZodObject<{
|
|
960
|
-
clientId: z.ZodString;
|
|
961
|
-
clientSecret: z.ZodOptional<z.ZodString>;
|
|
962
|
-
authorizationEndpoint: z.ZodOptional<z.ZodString>;
|
|
963
|
-
tokenEndpoint: z.ZodOptional<z.ZodString>;
|
|
964
|
-
userInfoEndpoint: z.ZodOptional<z.ZodString>;
|
|
965
|
-
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
966
|
-
client_secret_post: "client_secret_post";
|
|
967
|
-
client_secret_basic: "client_secret_basic";
|
|
968
|
-
private_key_jwt: "private_key_jwt";
|
|
969
|
-
}>>;
|
|
970
|
-
privateKeyId: z.ZodOptional<z.ZodString>;
|
|
971
|
-
privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
|
|
972
|
-
jwksEndpoint: z.ZodOptional<z.ZodString>;
|
|
973
|
-
discoveryEndpoint: z.ZodOptional<z.ZodString>;
|
|
974
|
-
skipDiscovery: z.ZodOptional<z.ZodBoolean>;
|
|
975
|
-
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
976
|
-
pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
977
|
-
mapping: z.ZodOptional<z.ZodObject<{
|
|
978
|
-
id: z.ZodString;
|
|
979
|
-
email: z.ZodString;
|
|
980
|
-
emailVerified: z.ZodOptional<z.ZodString>;
|
|
981
|
-
name: z.ZodString;
|
|
982
|
-
image: z.ZodOptional<z.ZodString>;
|
|
983
|
-
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
984
|
-
}, z.core.$strip>>;
|
|
985
|
-
}, z.core.$strip>>;
|
|
986
|
-
samlConfig: z.ZodOptional<z.ZodObject<{
|
|
987
|
-
entryPoint: z.ZodString;
|
|
988
|
-
cert: z.ZodString;
|
|
989
|
-
callbackUrl: z.ZodString;
|
|
990
|
-
audience: z.ZodOptional<z.ZodString>;
|
|
991
|
-
idpMetadata: z.ZodOptional<z.ZodObject<{
|
|
992
|
-
metadata: z.ZodOptional<z.ZodString>;
|
|
993
|
-
entityID: z.ZodOptional<z.ZodString>;
|
|
994
|
-
cert: z.ZodOptional<z.ZodString>;
|
|
995
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
996
|
-
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
997
|
-
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
998
|
-
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
999
|
-
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1000
|
-
singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
1001
|
-
Binding: z.ZodString;
|
|
1002
|
-
Location: z.ZodString;
|
|
1003
|
-
}, z.core.$strip>>>;
|
|
1004
|
-
}, z.core.$strip>>;
|
|
1005
|
-
spMetadata: z.ZodObject<{
|
|
1006
|
-
metadata: z.ZodOptional<z.ZodString>;
|
|
1007
|
-
entityID: z.ZodOptional<z.ZodString>;
|
|
1008
|
-
binding: z.ZodOptional<z.ZodString>;
|
|
1009
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
1010
|
-
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1011
|
-
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
1012
|
-
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
1013
|
-
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1014
|
-
}, z.core.$strip>;
|
|
1015
|
-
wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
|
|
1016
|
-
authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
|
|
1017
|
-
signatureAlgorithm: z.ZodOptional<z.ZodString>;
|
|
1018
|
-
digestAlgorithm: z.ZodOptional<z.ZodString>;
|
|
1019
|
-
identifierFormat: z.ZodOptional<z.ZodString>;
|
|
1020
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
1021
|
-
decryptionPvk: z.ZodOptional<z.ZodString>;
|
|
1022
|
-
additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
1023
|
-
mapping: z.ZodOptional<z.ZodObject<{
|
|
1024
|
-
id: z.ZodString;
|
|
1025
|
-
email: z.ZodString;
|
|
1026
|
-
emailVerified: z.ZodOptional<z.ZodString>;
|
|
1027
|
-
name: z.ZodString;
|
|
1028
|
-
firstName: z.ZodOptional<z.ZodString>;
|
|
1029
|
-
lastName: z.ZodOptional<z.ZodString>;
|
|
1030
|
-
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
1031
|
-
}, z.core.$strip>>;
|
|
1032
|
-
}, z.core.$strip>>;
|
|
1033
|
-
organizationId: z.ZodOptional<z.ZodString>;
|
|
1034
|
-
overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
1026
|
+
[x: string]: z.ZodOptional<z.ZodAny>;
|
|
1035
1027
|
}, z.core.$strip>;
|
|
1036
1028
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
1037
1029
|
session: {
|
|
@@ -1057,6 +1049,9 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
|
|
|
1057
1049
|
};
|
|
1058
1050
|
}>)[];
|
|
1059
1051
|
metadata: {
|
|
1052
|
+
$Infer: {
|
|
1053
|
+
body: Record<string, any> & SSOProviderAdditionalFieldsInput<O>;
|
|
1054
|
+
};
|
|
1060
1055
|
openapi: {
|
|
1061
1056
|
operationId: string;
|
|
1062
1057
|
summary: string;
|
|
@@ -1223,14 +1218,14 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
|
|
|
1223
1218
|
redirectURI: string;
|
|
1224
1219
|
oidcConfig: OIDCConfig | null;
|
|
1225
1220
|
samlConfig: SAMLConfig | null;
|
|
1226
|
-
} & Omit<
|
|
1221
|
+
} & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig"> & {
|
|
1227
1222
|
domainVerified: boolean;
|
|
1228
1223
|
domainVerificationToken: string;
|
|
1229
1224
|
} : {
|
|
1230
1225
|
redirectURI: string;
|
|
1231
1226
|
oidcConfig: OIDCConfig | null;
|
|
1232
1227
|
samlConfig: SAMLConfig | null;
|
|
1233
|
-
} & Omit<
|
|
1228
|
+
} & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig">>;
|
|
1234
1229
|
declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
|
|
1235
1230
|
method: "POST";
|
|
1236
1231
|
body: z.ZodObject<{
|
|
@@ -1243,6 +1238,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1243
1238
|
newUserCallbackURL: z.ZodOptional<z.ZodString>;
|
|
1244
1239
|
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
1245
1240
|
loginHint: z.ZodOptional<z.ZodString>;
|
|
1241
|
+
additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
1246
1242
|
requestSignUp: z.ZodOptional<z.ZodBoolean>;
|
|
1247
1243
|
providerType: z.ZodOptional<z.ZodEnum<{
|
|
1248
1244
|
saml: "saml";
|
|
@@ -1264,7 +1260,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1264
1260
|
type: string;
|
|
1265
1261
|
description: string;
|
|
1266
1262
|
};
|
|
1267
|
-
|
|
1263
|
+
organizationSlug: {
|
|
1268
1264
|
type: string;
|
|
1269
1265
|
description: string;
|
|
1270
1266
|
};
|
|
@@ -1272,6 +1268,10 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1272
1268
|
type: string;
|
|
1273
1269
|
description: string;
|
|
1274
1270
|
};
|
|
1271
|
+
domain: {
|
|
1272
|
+
type: string;
|
|
1273
|
+
description: string;
|
|
1274
|
+
};
|
|
1275
1275
|
callbackURL: {
|
|
1276
1276
|
type: string;
|
|
1277
1277
|
description: string;
|
|
@@ -1284,10 +1284,33 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1284
1284
|
type: string;
|
|
1285
1285
|
description: string;
|
|
1286
1286
|
};
|
|
1287
|
+
scopes: {
|
|
1288
|
+
type: string;
|
|
1289
|
+
items: {
|
|
1290
|
+
type: string;
|
|
1291
|
+
};
|
|
1292
|
+
description: string;
|
|
1293
|
+
};
|
|
1287
1294
|
loginHint: {
|
|
1288
1295
|
type: string;
|
|
1289
1296
|
description: string;
|
|
1290
1297
|
};
|
|
1298
|
+
additionalParams: {
|
|
1299
|
+
type: string;
|
|
1300
|
+
additionalProperties: {
|
|
1301
|
+
type: string;
|
|
1302
|
+
};
|
|
1303
|
+
description: string;
|
|
1304
|
+
};
|
|
1305
|
+
requestSignUp: {
|
|
1306
|
+
type: string;
|
|
1307
|
+
description: string;
|
|
1308
|
+
};
|
|
1309
|
+
providerType: {
|
|
1310
|
+
type: string;
|
|
1311
|
+
enum: string[];
|
|
1312
|
+
description: string;
|
|
1313
|
+
};
|
|
1291
1314
|
};
|
|
1292
1315
|
required: string[];
|
|
1293
1316
|
};
|
|
@@ -1329,7 +1352,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
|
|
|
1329
1352
|
method: "GET";
|
|
1330
1353
|
query: z.ZodObject<{
|
|
1331
1354
|
code: z.ZodOptional<z.ZodString>;
|
|
1332
|
-
state: z.ZodString
|
|
1355
|
+
state: z.ZodOptional<z.ZodString>;
|
|
1333
1356
|
error: z.ZodOptional<z.ZodString>;
|
|
1334
1357
|
error_description: z.ZodOptional<z.ZodString>;
|
|
1335
1358
|
}, z.core.$strip>;
|
|
@@ -1370,14 +1393,14 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
|
|
|
1370
1393
|
method: "GET";
|
|
1371
1394
|
query: z.ZodObject<{
|
|
1372
1395
|
code: z.ZodOptional<z.ZodString>;
|
|
1373
|
-
state: z.ZodString
|
|
1396
|
+
state: z.ZodOptional<z.ZodString>;
|
|
1374
1397
|
error: z.ZodOptional<z.ZodString>;
|
|
1375
1398
|
error_description: z.ZodOptional<z.ZodString>;
|
|
1376
1399
|
}, z.core.$strip>;
|
|
1377
1400
|
allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
|
|
1378
1401
|
}, void>;
|
|
1379
|
-
declare const
|
|
1380
|
-
method: ("
|
|
1402
|
+
declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
|
|
1403
|
+
method: ("GET" | "POST")[];
|
|
1381
1404
|
body: z.ZodOptional<z.ZodObject<{
|
|
1382
1405
|
SAMLResponse: z.ZodString;
|
|
1383
1406
|
RelayState: z.ZodOptional<z.ZodString>;
|
|
@@ -1398,28 +1421,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
|
|
|
1398
1421
|
"400": {
|
|
1399
1422
|
description: string;
|
|
1400
1423
|
};
|
|
1401
|
-
"
|
|
1402
|
-
description: string;
|
|
1403
|
-
};
|
|
1404
|
-
};
|
|
1405
|
-
};
|
|
1406
|
-
scope: "server";
|
|
1407
|
-
};
|
|
1408
|
-
}, never>;
|
|
1409
|
-
declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
|
|
1410
|
-
method: "POST";
|
|
1411
|
-
body: z.ZodObject<{
|
|
1412
|
-
SAMLResponse: z.ZodString;
|
|
1413
|
-
RelayState: z.ZodOptional<z.ZodString>;
|
|
1414
|
-
}, z.core.$strip>;
|
|
1415
|
-
metadata: {
|
|
1416
|
-
allowedMediaTypes: string[];
|
|
1417
|
-
openapi: {
|
|
1418
|
-
operationId: string;
|
|
1419
|
-
summary: string;
|
|
1420
|
-
description: string;
|
|
1421
|
-
responses: {
|
|
1422
|
-
"302": {
|
|
1424
|
+
"404": {
|
|
1423
1425
|
description: string;
|
|
1424
1426
|
};
|
|
1425
1427
|
};
|
|
@@ -1428,7 +1430,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
|
|
|
1428
1430
|
};
|
|
1429
1431
|
}, never>;
|
|
1430
1432
|
declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
|
|
1431
|
-
method: ("
|
|
1433
|
+
method: ("GET" | "POST")[];
|
|
1432
1434
|
body: z.ZodOptional<z.ZodObject<{
|
|
1433
1435
|
SAMLRequest: z.ZodOptional<z.ZodString>;
|
|
1434
1436
|
SAMLResponse: z.ZodOptional<z.ZodString>;
|
|
@@ -1598,7 +1600,7 @@ interface OIDCDiscoveryDocument {
|
|
|
1598
1600
|
/**
|
|
1599
1601
|
* Error codes for OIDC discovery operations.
|
|
1600
1602
|
*/
|
|
1601
|
-
type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /**
|
|
1603
|
+
type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** OIDC endpoint URL (discovery or per-endpoint: authorization, token, userinfo, jwks) is invalid, malformed, or uses a non-`http(s)` scheme */ | "discovery_invalid_url" /** OIDC endpoint URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** OIDC endpoint URL (discovery or per-endpoint) points to a host that is not publicly routable (loopback, RFC 1918, link-local, cloud metadata FQDN, etc.) */ | "discovery_private_host" /** Server-side OIDC endpoint fetch received an HTTP redirect response */ | "oidc_endpoint_redirect" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
|
|
1602
1604
|
/**
|
|
1603
1605
|
* Custom error class for OIDC discovery failures.
|
|
1604
1606
|
* Can be caught and mapped to APIError at the edge.
|
|
@@ -1713,7 +1715,7 @@ declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDC
|
|
|
1713
1715
|
* @returns The parsed discovery document
|
|
1714
1716
|
* @throws DiscoveryError on network errors, timeouts, or invalid responses
|
|
1715
1717
|
*/
|
|
1716
|
-
declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
|
|
1718
|
+
declare function fetchDiscoveryDocument(url: string, timeout?: number, isTrustedOrigin?: (url: string) => boolean): Promise<OIDCDiscoveryDocument>;
|
|
1717
1719
|
/**
|
|
1718
1720
|
* Validate a discovery document.
|
|
1719
1721
|
*
|
|
@@ -1788,7 +1790,6 @@ type SSOEndpoints<O extends SSOOptions> = {
|
|
|
1788
1790
|
signInSSO: ReturnType<typeof signInSSO>;
|
|
1789
1791
|
callbackSSO: ReturnType<typeof callbackSSO>;
|
|
1790
1792
|
callbackSSOShared: ReturnType<typeof callbackSSOShared>;
|
|
1791
|
-
callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
|
|
1792
1793
|
acsEndpoint: ReturnType<typeof acsEndpoint>;
|
|
1793
1794
|
sloEndpoint: ReturnType<typeof sloEndpoint>;
|
|
1794
1795
|
initiateSLO: ReturnType<typeof initiateSLO>;
|
|
@@ -1805,6 +1806,11 @@ type SSOPlugin<O extends SSOOptions> = {
|
|
|
1805
1806
|
enabled: true;
|
|
1806
1807
|
};
|
|
1807
1808
|
} ? DomainVerificationEndpoints : {});
|
|
1809
|
+
schema: SSOProviderSchema<O>;
|
|
1810
|
+
$Infer: {
|
|
1811
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1812
|
+
};
|
|
1813
|
+
options: NoInfer<O>;
|
|
1808
1814
|
};
|
|
1809
1815
|
declare function sso<O extends SSOOptions & {
|
|
1810
1816
|
domainVerification?: {
|
|
@@ -1814,13 +1820,20 @@ declare function sso<O extends SSOOptions & {
|
|
|
1814
1820
|
id: "sso";
|
|
1815
1821
|
version: string;
|
|
1816
1822
|
endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
|
|
1817
|
-
schema:
|
|
1823
|
+
schema: SSOProviderSchema<O>;
|
|
1824
|
+
$Infer: {
|
|
1825
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1826
|
+
};
|
|
1818
1827
|
options: NoInfer<O>;
|
|
1819
1828
|
};
|
|
1820
1829
|
declare function sso<O extends SSOOptions>(options?: O | undefined): {
|
|
1821
1830
|
id: "sso";
|
|
1822
1831
|
version: string;
|
|
1823
1832
|
endpoints: SSOEndpoints<O>;
|
|
1833
|
+
schema: SSOProviderSchema<O>;
|
|
1834
|
+
$Infer: {
|
|
1835
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1836
|
+
};
|
|
1824
1837
|
options: NoInfer<O>;
|
|
1825
1838
|
};
|
|
1826
1839
|
//#endregion
|