@better-auth/sso 1.7.0-beta.0 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,7 @@
1
1
  import { APIError } from "better-auth/api";
2
2
  import * as z from "zod";
3
- import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
3
+ import { DBFieldAttribute, FieldAttributeToObject, InferAdditionalFieldsFromPluginOptions, RemoveFieldsWithReturnedFalse } from "better-auth/db";
4
+ import { Awaitable, OAuth2Tokens, User } from "better-auth";
4
5
  import * as better_call0 from "better-call";
5
6
 
6
7
  //#region src/saml/algorithms.d.ts
@@ -79,19 +80,53 @@ interface OIDCConfig {
79
80
  privateKeyAlgorithm?: string | undefined;
80
81
  jwksEndpoint?: string | undefined;
81
82
  mapping?: OIDCMapping | undefined;
83
+ /**
84
+ * Accept callbacks from OIDC providers that initiate the OAuth flow
85
+ * without sending a `state` parameter. When enabled, stateless callbacks
86
+ * restart the OAuth flow server-side with a fresh `state` and PKCE
87
+ * verifier. See the SSO docs for details.
88
+ *
89
+ * @default false
90
+ */
91
+ allowIdpInitiated?: boolean | undefined;
82
92
  }
83
93
  interface SAMLConfig {
94
+ /**
95
+ * SP Entity ID. Used as the `entityID` in SP metadata when
96
+ * `spMetadata.entityID` is not set. Also used as the expected
97
+ * audience for SAML assertion validation when `audience` is not set.
98
+ */
84
99
  issuer: string;
100
+ /**
101
+ * IdP SSO URL. Used as the redirect destination when
102
+ * `idpMetadata.metadata` is not provided. Ignored when
103
+ * IdP metadata XML is set (the SSO URL is extracted from the XML).
104
+ */
85
105
  entryPoint: string;
86
- cert: string;
87
- callbackUrl: string;
106
+ /**
107
+ * IdP signing certificate(s). Used to verify SAML response signatures when
108
+ * `idpMetadata.metadata` is not provided. Ignored when IdP metadata XML is
109
+ * set (the certificate is extracted from the XML). When both this and
110
+ * `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence. Pass an
111
+ * array of PEM strings for rolling rotation; responses signed by any
112
+ * listed cert are accepted.
113
+ */
114
+ cert?: string | string[];
88
115
  audience?: string | undefined;
116
+ /**
117
+ * Provider-level post-auth redirect URL for IdP-initiated or fallback SAML
118
+ * flows when no RelayState callback URL is available.
119
+ */
120
+ callbackUrl?: string | undefined;
89
121
  idpMetadata?: {
90
122
  metadata?: string;
91
123
  entityID?: string;
92
- entityURL?: string;
93
- redirectURL?: string;
94
- cert?: string;
124
+ /**
125
+ * IdP signing certificate(s). Pass a single PEM string or an array
126
+ * for rolling rotation. Takes precedence over the top-level `cert`
127
+ * when both are set. Omit when `metadata` XML is supplied.
128
+ */
129
+ cert?: string | string[];
95
130
  privateKey?: string;
96
131
  privateKeyPass?: string;
97
132
  isAssertionEncrypted?: boolean;
@@ -106,7 +141,12 @@ interface SAMLConfig {
106
141
  Location: string;
107
142
  }>;
108
143
  } | undefined;
109
- spMetadata: {
144
+ /**
145
+ * SP metadata configuration. All fields are optional; when omitted,
146
+ * SP metadata is auto-generated from `issuer`, `wantAssertionsSigned`,
147
+ * `authnRequestsSigned`, and `identifierFormat`.
148
+ */
149
+ spMetadata?: {
110
150
  metadata?: string | undefined;
111
151
  entityID?: string | undefined;
112
152
  binding?: string | undefined;
@@ -116,14 +156,17 @@ interface SAMLConfig {
116
156
  encPrivateKey?: string | undefined;
117
157
  encPrivateKeyPass?: string | undefined;
118
158
  };
159
+ /**
160
+ * Request signed assertions from the IdP. When true, the SP metadata
161
+ * advertises `WantAssertionsSigned="true"` and samlify will reject
162
+ * unsigned assertions.
163
+ */
119
164
  wantAssertionsSigned?: boolean | undefined;
120
165
  authnRequestsSigned?: boolean | undefined;
121
166
  signatureAlgorithm?: string | undefined;
122
167
  digestAlgorithm?: string | undefined;
123
168
  identifierFormat?: string | undefined;
124
169
  privateKey?: string | undefined;
125
- decryptionPvk?: string | undefined;
126
- additionalParams?: Record<string, any> | undefined;
127
170
  mapping?: SAMLMapping | undefined;
128
171
  }
129
172
  type BaseSSOProvider = {
@@ -135,11 +178,32 @@ type BaseSSOProvider = {
135
178
  organizationId?: string | undefined;
136
179
  domain: string;
137
180
  };
181
+ type SSOProviderAdditionalFields<O extends SSOOptions, IsClientSide extends boolean> = O["schema"] extends {
182
+ ssoProvider?: {
183
+ additionalFields: infer Field extends Record<string, DBFieldAttribute>;
184
+ };
185
+ } ? IsClientSide extends true ? FieldAttributeToObject<RemoveFieldsWithReturnedFalse<Field>> : FieldAttributeToObject<Field> : {};
186
+ type SSOProviderAdditionalFieldsInput<O extends SSOOptions, IsClientSide extends boolean = true> = InferAdditionalFieldsFromPluginOptions<"ssoProvider", O, IsClientSide>;
187
+ type InferSSOProvider<O extends SSOOptions, IsClientSide extends boolean = true> = (O["domainVerification"] extends {
188
+ enabled: true;
189
+ } ? {
190
+ domainVerified: boolean;
191
+ } & BaseSSOProvider : BaseSSOProvider) & SSOProviderAdditionalFields<O, IsClientSide>;
138
192
  type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
139
193
  enabled: true;
140
194
  } ? {
141
195
  domainVerified: boolean;
142
- } & BaseSSOProvider : BaseSSOProvider;
196
+ } & BaseSSOProvider & SSOProviderAdditionalFields<O, false> : BaseSSOProvider & SSOProviderAdditionalFields<O, false>;
197
+ type SSOProviderSchema<O extends SSOOptions> = {
198
+ ssoProvider: {
199
+ modelName: string;
200
+ fields: Record<string, DBFieldAttribute> & (O["schema"] extends {
201
+ ssoProvider?: {
202
+ additionalFields: infer Field extends Record<string, DBFieldAttribute>;
203
+ };
204
+ } ? Field : {});
205
+ };
206
+ };
143
207
  interface SSOOptions {
144
208
  /**
145
209
  * custom function to provision a user when they sign in with an SSO provider.
@@ -261,6 +325,25 @@ interface SSOOptions {
261
325
  organizationId?: string | undefined;
262
326
  domain?: string | undefined;
263
327
  };
328
+ /**
329
+ * The schema for the SSO plugin.
330
+ */
331
+ schema?: {
332
+ ssoProvider?: {
333
+ modelName?: string | undefined;
334
+ fields?: {
335
+ issuer?: string | undefined;
336
+ oidcConfig?: string | undefined;
337
+ samlConfig?: string | undefined;
338
+ userId?: string | undefined;
339
+ providerId?: string | undefined;
340
+ organizationId?: string | undefined;
341
+ domain?: string | undefined;
342
+ domainVerified?: string | undefined;
343
+ };
344
+ additionalFields?: { [key in string]: DBFieldAttribute };
345
+ };
346
+ } | undefined;
264
347
  /**
265
348
  * Configure the maximum number of SSO providers a user can register.
266
349
  * You can also pass a function that returns a number.
@@ -555,8 +638,20 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
555
638
  }>)[];
556
639
  }, void>;
557
640
  //#endregion
641
+ //#region src/utils.d.ts
642
+ declare function parseCertificate(certPem: string): {
643
+ fingerprintSha256: string;
644
+ notBefore: string;
645
+ notAfter: string;
646
+ publicKeyAlgorithm: string;
647
+ };
648
+ //#endregion
558
649
  //#region src/routes/providers.d.ts
559
- declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/providers", {
650
+ type ParsedCert = ReturnType<typeof parseCertificate>;
651
+ type SanitizedCert = ParsedCert | {
652
+ error: string;
653
+ };
654
+ declare const listSSOProviders: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers", {
560
655
  method: "GET";
561
656
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
562
657
  session: {
@@ -614,26 +709,18 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
614
709
  } | undefined;
615
710
  samlConfig: {
616
711
  entryPoint: string;
617
- callbackUrl: string;
618
712
  audience: string | undefined;
619
713
  wantAssertionsSigned: boolean | undefined;
620
714
  authnRequestsSigned: boolean | undefined;
621
715
  identifierFormat: string | undefined;
622
716
  signatureAlgorithm: string | undefined;
623
717
  digestAlgorithm: string | undefined;
624
- certificate: {
625
- fingerprintSha256: string;
626
- notBefore: string;
627
- notAfter: string;
628
- publicKeyAlgorithm: string;
629
- } | {
630
- error: string;
631
- };
718
+ certificate: SanitizedCert[] | undefined;
632
719
  } | undefined;
633
720
  spMetadataUrl: string;
634
721
  }[];
635
722
  }>;
636
- declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
723
+ declare const getSSOProvider: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/get-provider", {
637
724
  method: "GET";
638
725
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
639
726
  session: {
@@ -699,21 +786,13 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
699
786
  } | undefined;
700
787
  samlConfig: {
701
788
  entryPoint: string;
702
- callbackUrl: string;
703
789
  audience: string | undefined;
704
790
  wantAssertionsSigned: boolean | undefined;
705
791
  authnRequestsSigned: boolean | undefined;
706
792
  identifierFormat: string | undefined;
707
793
  signatureAlgorithm: string | undefined;
708
794
  digestAlgorithm: string | undefined;
709
- certificate: {
710
- fingerprintSha256: string;
711
- notBefore: string;
712
- notAfter: string;
713
- publicKeyAlgorithm: string;
714
- } | {
715
- error: string;
716
- };
795
+ certificate: SanitizedCert[] | undefined;
717
796
  } | undefined;
718
797
  spMetadataUrl: string;
719
798
  }>;
@@ -747,40 +826,41 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
747
826
  domain: z.ZodOptional<z.ZodString>;
748
827
  oidcConfig: z.ZodOptional<z.ZodObject<{
749
828
  clientId: z.ZodOptional<z.ZodString>;
750
- clientSecret: z.ZodOptional<z.ZodString>;
751
- authorizationEndpoint: z.ZodOptional<z.ZodString>;
752
- tokenEndpoint: z.ZodOptional<z.ZodString>;
753
- userInfoEndpoint: z.ZodOptional<z.ZodString>;
754
- tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
829
+ clientSecret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
830
+ authorizationEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
831
+ tokenEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
832
+ userInfoEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
833
+ tokenEndpointAuthentication: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
755
834
  client_secret_post: "client_secret_post";
756
835
  client_secret_basic: "client_secret_basic";
757
836
  private_key_jwt: "private_key_jwt";
758
- }>>;
759
- privateKeyId: z.ZodOptional<z.ZodString>;
760
- privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
761
- jwksEndpoint: z.ZodOptional<z.ZodString>;
762
- discoveryEndpoint: z.ZodOptional<z.ZodString>;
763
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
764
- pkce: z.ZodOptional<z.ZodBoolean>;
765
- overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
766
- mapping: z.ZodOptional<z.ZodObject<{
767
- id: z.ZodOptional<z.ZodString>;
768
- email: z.ZodOptional<z.ZodString>;
837
+ }>>>;
838
+ privateKeyId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
839
+ privateKeyAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
840
+ jwksEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
841
+ discoveryEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
842
+ skipDiscovery: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
843
+ scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
844
+ pkce: z.ZodOptional<z.ZodOptional<z.ZodDefault<z.ZodBoolean>>>;
845
+ overrideUserInfo: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
846
+ mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
847
+ id: z.ZodString;
848
+ email: z.ZodString;
769
849
  emailVerified: z.ZodOptional<z.ZodString>;
770
- name: z.ZodOptional<z.ZodString>;
850
+ name: z.ZodString;
771
851
  image: z.ZodOptional<z.ZodString>;
772
852
  extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
773
- }, z.core.$strip>>;
853
+ }, z.core.$strip>>>;
774
854
  }, z.core.$strip>>;
775
855
  samlConfig: z.ZodOptional<z.ZodObject<{
776
856
  entryPoint: z.ZodOptional<z.ZodString>;
777
- cert: z.ZodOptional<z.ZodString>;
778
- callbackUrl: z.ZodOptional<z.ZodString>;
779
- audience: z.ZodOptional<z.ZodString>;
780
- idpMetadata: z.ZodOptional<z.ZodObject<{
857
+ cert: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>>;
858
+ audience: z.ZodOptional<z.ZodOptional<z.ZodString>>;
859
+ callbackUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
860
+ idpMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
781
861
  metadata: z.ZodOptional<z.ZodString>;
782
862
  entityID: z.ZodOptional<z.ZodString>;
783
- cert: z.ZodOptional<z.ZodString>;
863
+ cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
784
864
  privateKey: z.ZodOptional<z.ZodString>;
785
865
  privateKeyPass: z.ZodOptional<z.ZodString>;
786
866
  isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
@@ -790,8 +870,12 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
790
870
  Binding: z.ZodString;
791
871
  Location: z.ZodString;
792
872
  }, z.core.$strip>>>;
793
- }, z.core.$strip>>;
794
- spMetadata: z.ZodOptional<z.ZodObject<{
873
+ singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
874
+ Binding: z.ZodString;
875
+ Location: z.ZodString;
876
+ }, z.core.$strip>>>;
877
+ }, z.core.$strip>>>;
878
+ spMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
795
879
  metadata: z.ZodOptional<z.ZodString>;
796
880
  entityID: z.ZodOptional<z.ZodString>;
797
881
  binding: z.ZodOptional<z.ZodString>;
@@ -800,24 +884,22 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
800
884
  isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
801
885
  encPrivateKey: z.ZodOptional<z.ZodString>;
802
886
  encPrivateKeyPass: z.ZodOptional<z.ZodString>;
803
- }, z.core.$strip>>;
804
- wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
805
- authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
806
- signatureAlgorithm: z.ZodOptional<z.ZodString>;
807
- digestAlgorithm: z.ZodOptional<z.ZodString>;
808
- identifierFormat: z.ZodOptional<z.ZodString>;
809
- privateKey: z.ZodOptional<z.ZodString>;
810
- decryptionPvk: z.ZodOptional<z.ZodString>;
811
- additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
812
- mapping: z.ZodOptional<z.ZodObject<{
813
- id: z.ZodOptional<z.ZodString>;
814
- email: z.ZodOptional<z.ZodString>;
887
+ }, z.core.$strip>>>;
888
+ wantAssertionsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
889
+ authnRequestsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
890
+ signatureAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
891
+ digestAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
892
+ identifierFormat: z.ZodOptional<z.ZodOptional<z.ZodString>>;
893
+ privateKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
894
+ mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
895
+ id: z.ZodString;
896
+ email: z.ZodString;
815
897
  emailVerified: z.ZodOptional<z.ZodString>;
816
- name: z.ZodOptional<z.ZodString>;
898
+ name: z.ZodString;
817
899
  firstName: z.ZodOptional<z.ZodString>;
818
900
  lastName: z.ZodOptional<z.ZodString>;
819
901
  extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
820
- }, z.core.$strip>>;
902
+ }, z.core.$strip>>>;
821
903
  }, z.core.$strip>>;
822
904
  providerId: z.ZodString;
823
905
  }, z.core.$strip>;
@@ -859,21 +941,13 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
859
941
  } | undefined;
860
942
  samlConfig: {
861
943
  entryPoint: string;
862
- callbackUrl: string;
863
944
  audience: string | undefined;
864
945
  wantAssertionsSigned: boolean | undefined;
865
946
  authnRequestsSigned: boolean | undefined;
866
947
  identifierFormat: string | undefined;
867
948
  signatureAlgorithm: string | undefined;
868
949
  digestAlgorithm: string | undefined;
869
- certificate: {
870
- fingerprintSha256: string;
871
- notBefore: string;
872
- notAfter: string;
873
- publicKeyAlgorithm: string;
874
- } | {
875
- error: string;
876
- };
950
+ certificate: SanitizedCert[] | undefined;
877
951
  } | undefined;
878
952
  spMetadataUrl: string;
879
953
  }>;
@@ -932,10 +1006,6 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
932
1006
  method: "GET";
933
1007
  query: z.ZodObject<{
934
1008
  providerId: z.ZodString;
935
- format: z.ZodDefault<z.ZodEnum<{
936
- json: "json";
937
- xml: "xml";
938
- }>>;
939
1009
  }, z.core.$strip>;
940
1010
  metadata: {
941
1011
  openapi: {
@@ -953,85 +1023,7 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
953
1023
  declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
954
1024
  method: "POST";
955
1025
  body: z.ZodObject<{
956
- providerId: z.ZodString;
957
- issuer: z.ZodString;
958
- domain: z.ZodString;
959
- oidcConfig: z.ZodOptional<z.ZodObject<{
960
- clientId: z.ZodString;
961
- clientSecret: z.ZodOptional<z.ZodString>;
962
- authorizationEndpoint: z.ZodOptional<z.ZodString>;
963
- tokenEndpoint: z.ZodOptional<z.ZodString>;
964
- userInfoEndpoint: z.ZodOptional<z.ZodString>;
965
- tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
966
- client_secret_post: "client_secret_post";
967
- client_secret_basic: "client_secret_basic";
968
- private_key_jwt: "private_key_jwt";
969
- }>>;
970
- privateKeyId: z.ZodOptional<z.ZodString>;
971
- privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
972
- jwksEndpoint: z.ZodOptional<z.ZodString>;
973
- discoveryEndpoint: z.ZodOptional<z.ZodString>;
974
- skipDiscovery: z.ZodOptional<z.ZodBoolean>;
975
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
976
- pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
977
- mapping: z.ZodOptional<z.ZodObject<{
978
- id: z.ZodString;
979
- email: z.ZodString;
980
- emailVerified: z.ZodOptional<z.ZodString>;
981
- name: z.ZodString;
982
- image: z.ZodOptional<z.ZodString>;
983
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
984
- }, z.core.$strip>>;
985
- }, z.core.$strip>>;
986
- samlConfig: z.ZodOptional<z.ZodObject<{
987
- entryPoint: z.ZodString;
988
- cert: z.ZodString;
989
- callbackUrl: z.ZodString;
990
- audience: z.ZodOptional<z.ZodString>;
991
- idpMetadata: z.ZodOptional<z.ZodObject<{
992
- metadata: z.ZodOptional<z.ZodString>;
993
- entityID: z.ZodOptional<z.ZodString>;
994
- cert: z.ZodOptional<z.ZodString>;
995
- privateKey: z.ZodOptional<z.ZodString>;
996
- privateKeyPass: z.ZodOptional<z.ZodString>;
997
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
998
- encPrivateKey: z.ZodOptional<z.ZodString>;
999
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
1000
- singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
1001
- Binding: z.ZodString;
1002
- Location: z.ZodString;
1003
- }, z.core.$strip>>>;
1004
- }, z.core.$strip>>;
1005
- spMetadata: z.ZodObject<{
1006
- metadata: z.ZodOptional<z.ZodString>;
1007
- entityID: z.ZodOptional<z.ZodString>;
1008
- binding: z.ZodOptional<z.ZodString>;
1009
- privateKey: z.ZodOptional<z.ZodString>;
1010
- privateKeyPass: z.ZodOptional<z.ZodString>;
1011
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
1012
- encPrivateKey: z.ZodOptional<z.ZodString>;
1013
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
1014
- }, z.core.$strip>;
1015
- wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
1016
- authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
1017
- signatureAlgorithm: z.ZodOptional<z.ZodString>;
1018
- digestAlgorithm: z.ZodOptional<z.ZodString>;
1019
- identifierFormat: z.ZodOptional<z.ZodString>;
1020
- privateKey: z.ZodOptional<z.ZodString>;
1021
- decryptionPvk: z.ZodOptional<z.ZodString>;
1022
- additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
1023
- mapping: z.ZodOptional<z.ZodObject<{
1024
- id: z.ZodString;
1025
- email: z.ZodString;
1026
- emailVerified: z.ZodOptional<z.ZodString>;
1027
- name: z.ZodString;
1028
- firstName: z.ZodOptional<z.ZodString>;
1029
- lastName: z.ZodOptional<z.ZodString>;
1030
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
1031
- }, z.core.$strip>>;
1032
- }, z.core.$strip>>;
1033
- organizationId: z.ZodOptional<z.ZodString>;
1034
- overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
1026
+ [x: string]: z.ZodOptional<z.ZodAny>;
1035
1027
  }, z.core.$strip>;
1036
1028
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
1037
1029
  session: {
@@ -1057,6 +1049,9 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
1057
1049
  };
1058
1050
  }>)[];
1059
1051
  metadata: {
1052
+ $Infer: {
1053
+ body: Record<string, any> & SSOProviderAdditionalFieldsInput<O>;
1054
+ };
1060
1055
  openapi: {
1061
1056
  operationId: string;
1062
1057
  summary: string;
@@ -1223,14 +1218,14 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
1223
1218
  redirectURI: string;
1224
1219
  oidcConfig: OIDCConfig | null;
1225
1220
  samlConfig: SAMLConfig | null;
1226
- } & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig"> & {
1221
+ } & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig"> & {
1227
1222
  domainVerified: boolean;
1228
1223
  domainVerificationToken: string;
1229
1224
  } : {
1230
1225
  redirectURI: string;
1231
1226
  oidcConfig: OIDCConfig | null;
1232
1227
  samlConfig: SAMLConfig | null;
1233
- } & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">>;
1228
+ } & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig">>;
1234
1229
  declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
1235
1230
  method: "POST";
1236
1231
  body: z.ZodObject<{
@@ -1243,6 +1238,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1243
1238
  newUserCallbackURL: z.ZodOptional<z.ZodString>;
1244
1239
  scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
1245
1240
  loginHint: z.ZodOptional<z.ZodString>;
1241
+ additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
1246
1242
  requestSignUp: z.ZodOptional<z.ZodBoolean>;
1247
1243
  providerType: z.ZodOptional<z.ZodEnum<{
1248
1244
  saml: "saml";
@@ -1264,7 +1260,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1264
1260
  type: string;
1265
1261
  description: string;
1266
1262
  };
1267
- issuer: {
1263
+ organizationSlug: {
1268
1264
  type: string;
1269
1265
  description: string;
1270
1266
  };
@@ -1272,6 +1268,10 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1272
1268
  type: string;
1273
1269
  description: string;
1274
1270
  };
1271
+ domain: {
1272
+ type: string;
1273
+ description: string;
1274
+ };
1275
1275
  callbackURL: {
1276
1276
  type: string;
1277
1277
  description: string;
@@ -1284,10 +1284,33 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1284
1284
  type: string;
1285
1285
  description: string;
1286
1286
  };
1287
+ scopes: {
1288
+ type: string;
1289
+ items: {
1290
+ type: string;
1291
+ };
1292
+ description: string;
1293
+ };
1287
1294
  loginHint: {
1288
1295
  type: string;
1289
1296
  description: string;
1290
1297
  };
1298
+ additionalParams: {
1299
+ type: string;
1300
+ additionalProperties: {
1301
+ type: string;
1302
+ };
1303
+ description: string;
1304
+ };
1305
+ requestSignUp: {
1306
+ type: string;
1307
+ description: string;
1308
+ };
1309
+ providerType: {
1310
+ type: string;
1311
+ enum: string[];
1312
+ description: string;
1313
+ };
1291
1314
  };
1292
1315
  required: string[];
1293
1316
  };
@@ -1329,7 +1352,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
1329
1352
  method: "GET";
1330
1353
  query: z.ZodObject<{
1331
1354
  code: z.ZodOptional<z.ZodString>;
1332
- state: z.ZodString;
1355
+ state: z.ZodOptional<z.ZodString>;
1333
1356
  error: z.ZodOptional<z.ZodString>;
1334
1357
  error_description: z.ZodOptional<z.ZodString>;
1335
1358
  }, z.core.$strip>;
@@ -1370,14 +1393,14 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
1370
1393
  method: "GET";
1371
1394
  query: z.ZodObject<{
1372
1395
  code: z.ZodOptional<z.ZodString>;
1373
- state: z.ZodString;
1396
+ state: z.ZodOptional<z.ZodString>;
1374
1397
  error: z.ZodOptional<z.ZodString>;
1375
1398
  error_description: z.ZodOptional<z.ZodString>;
1376
1399
  }, z.core.$strip>;
1377
1400
  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
1378
1401
  }, void>;
1379
- declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
1380
- method: ("POST" | "GET")[];
1402
+ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
1403
+ method: ("GET" | "POST")[];
1381
1404
  body: z.ZodOptional<z.ZodObject<{
1382
1405
  SAMLResponse: z.ZodString;
1383
1406
  RelayState: z.ZodOptional<z.ZodString>;
@@ -1398,28 +1421,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
1398
1421
  "400": {
1399
1422
  description: string;
1400
1423
  };
1401
- "401": {
1402
- description: string;
1403
- };
1404
- };
1405
- };
1406
- scope: "server";
1407
- };
1408
- }, never>;
1409
- declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
1410
- method: "POST";
1411
- body: z.ZodObject<{
1412
- SAMLResponse: z.ZodString;
1413
- RelayState: z.ZodOptional<z.ZodString>;
1414
- }, z.core.$strip>;
1415
- metadata: {
1416
- allowedMediaTypes: string[];
1417
- openapi: {
1418
- operationId: string;
1419
- summary: string;
1420
- description: string;
1421
- responses: {
1422
- "302": {
1424
+ "404": {
1423
1425
  description: string;
1424
1426
  };
1425
1427
  };
@@ -1428,7 +1430,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
1428
1430
  };
1429
1431
  }, never>;
1430
1432
  declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
1431
- method: ("POST" | "GET")[];
1433
+ method: ("GET" | "POST")[];
1432
1434
  body: z.ZodOptional<z.ZodObject<{
1433
1435
  SAMLRequest: z.ZodOptional<z.ZodString>;
1434
1436
  SAMLResponse: z.ZodOptional<z.ZodString>;
@@ -1598,7 +1600,7 @@ interface OIDCDiscoveryDocument {
1598
1600
  /**
1599
1601
  * Error codes for OIDC discovery operations.
1600
1602
  */
1601
- type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** Discovery URL is invalid or malformed */ | "discovery_invalid_url" /** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
1603
+ type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** OIDC endpoint URL (discovery or per-endpoint: authorization, token, userinfo, jwks) is invalid, malformed, or uses a non-`http(s)` scheme */ | "discovery_invalid_url" /** OIDC endpoint URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** OIDC endpoint URL (discovery or per-endpoint) points to a host that is not publicly routable (loopback, RFC 1918, link-local, cloud metadata FQDN, etc.) */ | "discovery_private_host" /** Server-side OIDC endpoint fetch received an HTTP redirect response */ | "oidc_endpoint_redirect" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
1602
1604
  /**
1603
1605
  * Custom error class for OIDC discovery failures.
1604
1606
  * Can be caught and mapped to APIError at the edge.
@@ -1713,7 +1715,7 @@ declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDC
1713
1715
  * @returns The parsed discovery document
1714
1716
  * @throws DiscoveryError on network errors, timeouts, or invalid responses
1715
1717
  */
1716
- declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
1718
+ declare function fetchDiscoveryDocument(url: string, timeout?: number, isTrustedOrigin?: (url: string) => boolean): Promise<OIDCDiscoveryDocument>;
1717
1719
  /**
1718
1720
  * Validate a discovery document.
1719
1721
  *
@@ -1788,7 +1790,6 @@ type SSOEndpoints<O extends SSOOptions> = {
1788
1790
  signInSSO: ReturnType<typeof signInSSO>;
1789
1791
  callbackSSO: ReturnType<typeof callbackSSO>;
1790
1792
  callbackSSOShared: ReturnType<typeof callbackSSOShared>;
1791
- callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
1792
1793
  acsEndpoint: ReturnType<typeof acsEndpoint>;
1793
1794
  sloEndpoint: ReturnType<typeof sloEndpoint>;
1794
1795
  initiateSLO: ReturnType<typeof initiateSLO>;
@@ -1805,6 +1806,11 @@ type SSOPlugin<O extends SSOOptions> = {
1805
1806
  enabled: true;
1806
1807
  };
1807
1808
  } ? DomainVerificationEndpoints : {});
1809
+ schema: SSOProviderSchema<O>;
1810
+ $Infer: {
1811
+ SSOProvider: InferSSOProvider<O>;
1812
+ };
1813
+ options: NoInfer<O>;
1808
1814
  };
1809
1815
  declare function sso<O extends SSOOptions & {
1810
1816
  domainVerification?: {
@@ -1814,13 +1820,20 @@ declare function sso<O extends SSOOptions & {
1814
1820
  id: "sso";
1815
1821
  version: string;
1816
1822
  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
1817
- schema: NonNullable<BetterAuthPlugin["schema"]>;
1823
+ schema: SSOProviderSchema<O>;
1824
+ $Infer: {
1825
+ SSOProvider: InferSSOProvider<O>;
1826
+ };
1818
1827
  options: NoInfer<O>;
1819
1828
  };
1820
1829
  declare function sso<O extends SSOOptions>(options?: O | undefined): {
1821
1830
  id: "sso";
1822
1831
  version: string;
1823
1832
  endpoints: SSOEndpoints<O>;
1833
+ schema: SSOProviderSchema<O>;
1834
+ $Infer: {
1835
+ SSOProvider: InferSSOProvider<O>;
1836
+ };
1824
1837
  options: NoInfer<O>;
1825
1838
  };
1826
1839
  //#endregion