@better-auth/sso 1.7.0-beta.1 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/client.d.mts CHANGED
@@ -1,10 +1,18 @@
1
- import { t as SSOPlugin } from "./index-CagV4mMx.mjs";
1
+ import { t as SSOPlugin } from "./index-A_DJ_AqL.mjs";
2
+ import { DBFieldAttribute } from "better-auth/db";
2
3
 
3
4
  //#region src/client.d.ts
4
5
  interface SSOClientOptions {
5
6
  domainVerification?: {
6
7
  enabled: boolean;
7
8
  } | undefined;
9
+ schema?: {
10
+ ssoProvider?: {
11
+ additionalFields?: {
12
+ [key: string]: DBFieldAttribute;
13
+ };
14
+ };
15
+ } | undefined;
8
16
  }
9
17
  declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined) => {
10
18
  id: "sso-client";
@@ -15,6 +23,7 @@ declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined)
15
23
  enabled: true;
16
24
  } ? true : false;
17
25
  };
26
+ schema: CO["schema"];
18
27
  }>;
19
28
  pathMethods: {
20
29
  "/sso/providers": "GET";
package/dist/client.mjs CHANGED
@@ -1,4 +1,4 @@
1
- import { t as PACKAGE_VERSION } from "./version-C22JHwcK.mjs";
1
+ import { t as PACKAGE_VERSION } from "./version-C-W6yUfI.mjs";
2
2
  //#region src/client.ts
3
3
  const ssoClient = (options) => {
4
4
  return {
@@ -1,6 +1,7 @@
1
1
  import { APIError } from "better-auth/api";
2
2
  import * as z from "zod";
3
- import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
3
+ import { DBFieldAttribute, FieldAttributeToObject, InferAdditionalFieldsFromPluginOptions, RemoveFieldsWithReturnedFalse } from "better-auth/db";
4
+ import { Awaitable, OAuth2Tokens, User } from "better-auth";
4
5
  import * as better_call0 from "better-call";
5
6
 
6
7
  //#region src/saml/algorithms.d.ts
@@ -79,6 +80,15 @@ interface OIDCConfig {
79
80
  privateKeyAlgorithm?: string | undefined;
80
81
  jwksEndpoint?: string | undefined;
81
82
  mapping?: OIDCMapping | undefined;
83
+ /**
84
+ * Accept callbacks from OIDC providers that initiate the OAuth flow
85
+ * without sending a `state` parameter. When enabled, stateless callbacks
86
+ * restart the OAuth flow server-side with a fresh `state` and PKCE
87
+ * verifier. See the SSO docs for details.
88
+ *
89
+ * @default false
90
+ */
91
+ allowIdpInitiated?: boolean | undefined;
82
92
  }
83
93
  interface SAMLConfig {
84
94
  /**
@@ -94,17 +104,29 @@ interface SAMLConfig {
94
104
  */
95
105
  entryPoint: string;
96
106
  /**
97
- * IdP signing certificate. Used to verify SAML response signatures
98
- * when `idpMetadata.metadata` is not provided. Ignored when IdP
99
- * metadata XML is set (the certificate is extracted from the XML).
100
- * When both this and `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence.
107
+ * IdP signing certificate(s). Used to verify SAML response signatures when
108
+ * `idpMetadata.metadata` is not provided. Ignored when IdP metadata XML is
109
+ * set (the certificate is extracted from the XML). When both this and
110
+ * `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence. Pass an
111
+ * array of PEM strings for rolling rotation; responses signed by any
112
+ * listed cert are accepted.
101
113
  */
102
- cert: string;
114
+ cert?: string | string[];
103
115
  audience?: string | undefined;
116
+ /**
117
+ * Provider-level post-auth redirect URL for IdP-initiated or fallback SAML
118
+ * flows when no RelayState callback URL is available.
119
+ */
120
+ callbackUrl?: string | undefined;
104
121
  idpMetadata?: {
105
122
  metadata?: string;
106
123
  entityID?: string;
107
- cert?: string;
124
+ /**
125
+ * IdP signing certificate(s). Pass a single PEM string or an array
126
+ * for rolling rotation. Takes precedence over the top-level `cert`
127
+ * when both are set. Omit when `metadata` XML is supplied.
128
+ */
129
+ cert?: string | string[];
108
130
  privateKey?: string;
109
131
  privateKeyPass?: string;
110
132
  isAssertionEncrypted?: boolean;
@@ -156,11 +178,32 @@ type BaseSSOProvider = {
156
178
  organizationId?: string | undefined;
157
179
  domain: string;
158
180
  };
181
+ type SSOProviderAdditionalFields<O extends SSOOptions, IsClientSide extends boolean> = O["schema"] extends {
182
+ ssoProvider?: {
183
+ additionalFields: infer Field extends Record<string, DBFieldAttribute>;
184
+ };
185
+ } ? IsClientSide extends true ? FieldAttributeToObject<RemoveFieldsWithReturnedFalse<Field>> : FieldAttributeToObject<Field> : {};
186
+ type SSOProviderAdditionalFieldsInput<O extends SSOOptions, IsClientSide extends boolean = true> = InferAdditionalFieldsFromPluginOptions<"ssoProvider", O, IsClientSide>;
187
+ type InferSSOProvider<O extends SSOOptions, IsClientSide extends boolean = true> = (O["domainVerification"] extends {
188
+ enabled: true;
189
+ } ? {
190
+ domainVerified: boolean;
191
+ } & BaseSSOProvider : BaseSSOProvider) & SSOProviderAdditionalFields<O, IsClientSide>;
159
192
  type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
160
193
  enabled: true;
161
194
  } ? {
162
195
  domainVerified: boolean;
163
- } & BaseSSOProvider : BaseSSOProvider;
196
+ } & BaseSSOProvider & SSOProviderAdditionalFields<O, false> : BaseSSOProvider & SSOProviderAdditionalFields<O, false>;
197
+ type SSOProviderSchema<O extends SSOOptions> = {
198
+ ssoProvider: {
199
+ modelName: string;
200
+ fields: Record<string, DBFieldAttribute> & (O["schema"] extends {
201
+ ssoProvider?: {
202
+ additionalFields: infer Field extends Record<string, DBFieldAttribute>;
203
+ };
204
+ } ? Field : {});
205
+ };
206
+ };
164
207
  interface SSOOptions {
165
208
  /**
166
209
  * custom function to provision a user when they sign in with an SSO provider.
@@ -282,6 +325,25 @@ interface SSOOptions {
282
325
  organizationId?: string | undefined;
283
326
  domain?: string | undefined;
284
327
  };
328
+ /**
329
+ * The schema for the SSO plugin.
330
+ */
331
+ schema?: {
332
+ ssoProvider?: {
333
+ modelName?: string | undefined;
334
+ fields?: {
335
+ issuer?: string | undefined;
336
+ oidcConfig?: string | undefined;
337
+ samlConfig?: string | undefined;
338
+ userId?: string | undefined;
339
+ providerId?: string | undefined;
340
+ organizationId?: string | undefined;
341
+ domain?: string | undefined;
342
+ domainVerified?: string | undefined;
343
+ };
344
+ additionalFields?: { [key in string]: DBFieldAttribute };
345
+ };
346
+ } | undefined;
285
347
  /**
286
348
  * Configure the maximum number of SSO providers a user can register.
287
349
  * You can also pass a function that returns a number.
@@ -576,8 +638,20 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
576
638
  }>)[];
577
639
  }, void>;
578
640
  //#endregion
641
+ //#region src/utils.d.ts
642
+ declare function parseCertificate(certPem: string): {
643
+ fingerprintSha256: string;
644
+ notBefore: string;
645
+ notAfter: string;
646
+ publicKeyAlgorithm: string;
647
+ };
648
+ //#endregion
579
649
  //#region src/routes/providers.d.ts
580
- declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/providers", {
650
+ type ParsedCert = ReturnType<typeof parseCertificate>;
651
+ type SanitizedCert = ParsedCert | {
652
+ error: string;
653
+ };
654
+ declare const listSSOProviders: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers", {
581
655
  method: "GET";
582
656
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
583
657
  session: {
@@ -641,19 +715,12 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
641
715
  identifierFormat: string | undefined;
642
716
  signatureAlgorithm: string | undefined;
643
717
  digestAlgorithm: string | undefined;
644
- certificate: {
645
- fingerprintSha256: string;
646
- notBefore: string;
647
- notAfter: string;
648
- publicKeyAlgorithm: string;
649
- } | {
650
- error: string;
651
- };
718
+ certificate: SanitizedCert[] | undefined;
652
719
  } | undefined;
653
720
  spMetadataUrl: string;
654
721
  }[];
655
722
  }>;
656
- declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
723
+ declare const getSSOProvider: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/get-provider", {
657
724
  method: "GET";
658
725
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
659
726
  session: {
@@ -725,14 +792,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
725
792
  identifierFormat: string | undefined;
726
793
  signatureAlgorithm: string | undefined;
727
794
  digestAlgorithm: string | undefined;
728
- certificate: {
729
- fingerprintSha256: string;
730
- notBefore: string;
731
- notAfter: string;
732
- publicKeyAlgorithm: string;
733
- } | {
734
- error: string;
735
- };
795
+ certificate: SanitizedCert[] | undefined;
736
796
  } | undefined;
737
797
  spMetadataUrl: string;
738
798
  }>;
@@ -766,39 +826,41 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
766
826
  domain: z.ZodOptional<z.ZodString>;
767
827
  oidcConfig: z.ZodOptional<z.ZodObject<{
768
828
  clientId: z.ZodOptional<z.ZodString>;
769
- clientSecret: z.ZodOptional<z.ZodString>;
770
- authorizationEndpoint: z.ZodOptional<z.ZodString>;
771
- tokenEndpoint: z.ZodOptional<z.ZodString>;
772
- userInfoEndpoint: z.ZodOptional<z.ZodString>;
773
- tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
829
+ clientSecret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
830
+ authorizationEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
831
+ tokenEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
832
+ userInfoEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
833
+ tokenEndpointAuthentication: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
774
834
  client_secret_post: "client_secret_post";
775
835
  client_secret_basic: "client_secret_basic";
776
836
  private_key_jwt: "private_key_jwt";
777
- }>>;
778
- privateKeyId: z.ZodOptional<z.ZodString>;
779
- privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
780
- jwksEndpoint: z.ZodOptional<z.ZodString>;
781
- discoveryEndpoint: z.ZodOptional<z.ZodString>;
782
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
783
- pkce: z.ZodOptional<z.ZodBoolean>;
784
- overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
785
- mapping: z.ZodOptional<z.ZodObject<{
786
- id: z.ZodOptional<z.ZodString>;
787
- email: z.ZodOptional<z.ZodString>;
837
+ }>>>;
838
+ privateKeyId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
839
+ privateKeyAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
840
+ jwksEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
841
+ discoveryEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
842
+ skipDiscovery: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
843
+ scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
844
+ pkce: z.ZodOptional<z.ZodOptional<z.ZodDefault<z.ZodBoolean>>>;
845
+ overrideUserInfo: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
846
+ mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
847
+ id: z.ZodString;
848
+ email: z.ZodString;
788
849
  emailVerified: z.ZodOptional<z.ZodString>;
789
- name: z.ZodOptional<z.ZodString>;
850
+ name: z.ZodString;
790
851
  image: z.ZodOptional<z.ZodString>;
791
852
  extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
792
- }, z.core.$strip>>;
853
+ }, z.core.$strip>>>;
793
854
  }, z.core.$strip>>;
794
855
  samlConfig: z.ZodOptional<z.ZodObject<{
795
856
  entryPoint: z.ZodOptional<z.ZodString>;
796
- cert: z.ZodOptional<z.ZodString>;
797
- audience: z.ZodOptional<z.ZodString>;
798
- idpMetadata: z.ZodOptional<z.ZodObject<{
857
+ cert: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>>;
858
+ audience: z.ZodOptional<z.ZodOptional<z.ZodString>>;
859
+ callbackUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
860
+ idpMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
799
861
  metadata: z.ZodOptional<z.ZodString>;
800
862
  entityID: z.ZodOptional<z.ZodString>;
801
- cert: z.ZodOptional<z.ZodString>;
863
+ cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
802
864
  privateKey: z.ZodOptional<z.ZodString>;
803
865
  privateKeyPass: z.ZodOptional<z.ZodString>;
804
866
  isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
@@ -808,8 +870,12 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
808
870
  Binding: z.ZodString;
809
871
  Location: z.ZodString;
810
872
  }, z.core.$strip>>>;
811
- }, z.core.$strip>>;
812
- spMetadata: z.ZodOptional<z.ZodObject<{
873
+ singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
874
+ Binding: z.ZodString;
875
+ Location: z.ZodString;
876
+ }, z.core.$strip>>>;
877
+ }, z.core.$strip>>>;
878
+ spMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
813
879
  metadata: z.ZodOptional<z.ZodString>;
814
880
  entityID: z.ZodOptional<z.ZodString>;
815
881
  binding: z.ZodOptional<z.ZodString>;
@@ -818,22 +884,22 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
818
884
  isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
819
885
  encPrivateKey: z.ZodOptional<z.ZodString>;
820
886
  encPrivateKeyPass: z.ZodOptional<z.ZodString>;
821
- }, z.core.$strip>>;
822
- wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
823
- authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
824
- signatureAlgorithm: z.ZodOptional<z.ZodString>;
825
- digestAlgorithm: z.ZodOptional<z.ZodString>;
826
- identifierFormat: z.ZodOptional<z.ZodString>;
827
- privateKey: z.ZodOptional<z.ZodString>;
828
- mapping: z.ZodOptional<z.ZodObject<{
829
- id: z.ZodOptional<z.ZodString>;
830
- email: z.ZodOptional<z.ZodString>;
887
+ }, z.core.$strip>>>;
888
+ wantAssertionsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
889
+ authnRequestsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
890
+ signatureAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
891
+ digestAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
892
+ identifierFormat: z.ZodOptional<z.ZodOptional<z.ZodString>>;
893
+ privateKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
894
+ mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
895
+ id: z.ZodString;
896
+ email: z.ZodString;
831
897
  emailVerified: z.ZodOptional<z.ZodString>;
832
- name: z.ZodOptional<z.ZodString>;
898
+ name: z.ZodString;
833
899
  firstName: z.ZodOptional<z.ZodString>;
834
900
  lastName: z.ZodOptional<z.ZodString>;
835
901
  extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
836
- }, z.core.$strip>>;
902
+ }, z.core.$strip>>>;
837
903
  }, z.core.$strip>>;
838
904
  providerId: z.ZodString;
839
905
  }, z.core.$strip>;
@@ -881,14 +947,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
881
947
  identifierFormat: string | undefined;
882
948
  signatureAlgorithm: string | undefined;
883
949
  digestAlgorithm: string | undefined;
884
- certificate: {
885
- fingerprintSha256: string;
886
- notBefore: string;
887
- notAfter: string;
888
- publicKeyAlgorithm: string;
889
- } | {
890
- error: string;
891
- };
950
+ certificate: SanitizedCert[] | undefined;
892
951
  } | undefined;
893
952
  spMetadataUrl: string;
894
953
  }>;
@@ -964,82 +1023,7 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
964
1023
  declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
965
1024
  method: "POST";
966
1025
  body: z.ZodObject<{
967
- providerId: z.ZodString;
968
- issuer: z.ZodString;
969
- domain: z.ZodString;
970
- oidcConfig: z.ZodOptional<z.ZodObject<{
971
- clientId: z.ZodString;
972
- clientSecret: z.ZodOptional<z.ZodString>;
973
- authorizationEndpoint: z.ZodOptional<z.ZodString>;
974
- tokenEndpoint: z.ZodOptional<z.ZodString>;
975
- userInfoEndpoint: z.ZodOptional<z.ZodString>;
976
- tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
977
- client_secret_post: "client_secret_post";
978
- client_secret_basic: "client_secret_basic";
979
- private_key_jwt: "private_key_jwt";
980
- }>>;
981
- privateKeyId: z.ZodOptional<z.ZodString>;
982
- privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
983
- jwksEndpoint: z.ZodOptional<z.ZodString>;
984
- discoveryEndpoint: z.ZodOptional<z.ZodString>;
985
- skipDiscovery: z.ZodOptional<z.ZodBoolean>;
986
- scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
987
- pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
988
- mapping: z.ZodOptional<z.ZodObject<{
989
- id: z.ZodString;
990
- email: z.ZodString;
991
- emailVerified: z.ZodOptional<z.ZodString>;
992
- name: z.ZodString;
993
- image: z.ZodOptional<z.ZodString>;
994
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
995
- }, z.core.$strip>>;
996
- }, z.core.$strip>>;
997
- samlConfig: z.ZodOptional<z.ZodObject<{
998
- entryPoint: z.ZodString;
999
- cert: z.ZodString;
1000
- audience: z.ZodOptional<z.ZodString>;
1001
- idpMetadata: z.ZodOptional<z.ZodObject<{
1002
- metadata: z.ZodOptional<z.ZodString>;
1003
- entityID: z.ZodOptional<z.ZodString>;
1004
- cert: z.ZodOptional<z.ZodString>;
1005
- privateKey: z.ZodOptional<z.ZodString>;
1006
- privateKeyPass: z.ZodOptional<z.ZodString>;
1007
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
1008
- encPrivateKey: z.ZodOptional<z.ZodString>;
1009
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
1010
- singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
1011
- Binding: z.ZodString;
1012
- Location: z.ZodString;
1013
- }, z.core.$strip>>>;
1014
- }, z.core.$strip>>;
1015
- spMetadata: z.ZodOptional<z.ZodObject<{
1016
- metadata: z.ZodOptional<z.ZodString>;
1017
- entityID: z.ZodOptional<z.ZodString>;
1018
- binding: z.ZodOptional<z.ZodString>;
1019
- privateKey: z.ZodOptional<z.ZodString>;
1020
- privateKeyPass: z.ZodOptional<z.ZodString>;
1021
- isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
1022
- encPrivateKey: z.ZodOptional<z.ZodString>;
1023
- encPrivateKeyPass: z.ZodOptional<z.ZodString>;
1024
- }, z.core.$strip>>;
1025
- wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
1026
- authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
1027
- signatureAlgorithm: z.ZodOptional<z.ZodString>;
1028
- digestAlgorithm: z.ZodOptional<z.ZodString>;
1029
- identifierFormat: z.ZodOptional<z.ZodString>;
1030
- privateKey: z.ZodOptional<z.ZodString>;
1031
- mapping: z.ZodOptional<z.ZodObject<{
1032
- id: z.ZodString;
1033
- email: z.ZodString;
1034
- emailVerified: z.ZodOptional<z.ZodString>;
1035
- name: z.ZodString;
1036
- firstName: z.ZodOptional<z.ZodString>;
1037
- lastName: z.ZodOptional<z.ZodString>;
1038
- extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
1039
- }, z.core.$strip>>;
1040
- }, z.core.$strip>>;
1041
- organizationId: z.ZodOptional<z.ZodString>;
1042
- overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
1026
+ [x: string]: z.ZodOptional<z.ZodAny>;
1043
1027
  }, z.core.$strip>;
1044
1028
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
1045
1029
  session: {
@@ -1065,6 +1049,9 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
1065
1049
  };
1066
1050
  }>)[];
1067
1051
  metadata: {
1052
+ $Infer: {
1053
+ body: Record<string, any> & SSOProviderAdditionalFieldsInput<O>;
1054
+ };
1068
1055
  openapi: {
1069
1056
  operationId: string;
1070
1057
  summary: string;
@@ -1231,14 +1218,14 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
1231
1218
  redirectURI: string;
1232
1219
  oidcConfig: OIDCConfig | null;
1233
1220
  samlConfig: SAMLConfig | null;
1234
- } & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig"> & {
1221
+ } & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig"> & {
1235
1222
  domainVerified: boolean;
1236
1223
  domainVerificationToken: string;
1237
1224
  } : {
1238
1225
  redirectURI: string;
1239
1226
  oidcConfig: OIDCConfig | null;
1240
1227
  samlConfig: SAMLConfig | null;
1241
- } & Omit<SSOProvider<O>, "oidcConfig" | "samlConfig">>;
1228
+ } & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig">>;
1242
1229
  declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
1243
1230
  method: "POST";
1244
1231
  body: z.ZodObject<{
@@ -1251,6 +1238,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1251
1238
  newUserCallbackURL: z.ZodOptional<z.ZodString>;
1252
1239
  scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
1253
1240
  loginHint: z.ZodOptional<z.ZodString>;
1241
+ additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
1254
1242
  requestSignUp: z.ZodOptional<z.ZodBoolean>;
1255
1243
  providerType: z.ZodOptional<z.ZodEnum<{
1256
1244
  saml: "saml";
@@ -1272,7 +1260,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1272
1260
  type: string;
1273
1261
  description: string;
1274
1262
  };
1275
- issuer: {
1263
+ organizationSlug: {
1276
1264
  type: string;
1277
1265
  description: string;
1278
1266
  };
@@ -1280,6 +1268,10 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1280
1268
  type: string;
1281
1269
  description: string;
1282
1270
  };
1271
+ domain: {
1272
+ type: string;
1273
+ description: string;
1274
+ };
1283
1275
  callbackURL: {
1284
1276
  type: string;
1285
1277
  description: string;
@@ -1292,10 +1284,33 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
1292
1284
  type: string;
1293
1285
  description: string;
1294
1286
  };
1287
+ scopes: {
1288
+ type: string;
1289
+ items: {
1290
+ type: string;
1291
+ };
1292
+ description: string;
1293
+ };
1295
1294
  loginHint: {
1296
1295
  type: string;
1297
1296
  description: string;
1298
1297
  };
1298
+ additionalParams: {
1299
+ type: string;
1300
+ additionalProperties: {
1301
+ type: string;
1302
+ };
1303
+ description: string;
1304
+ };
1305
+ requestSignUp: {
1306
+ type: string;
1307
+ description: string;
1308
+ };
1309
+ providerType: {
1310
+ type: string;
1311
+ enum: string[];
1312
+ description: string;
1313
+ };
1299
1314
  };
1300
1315
  required: string[];
1301
1316
  };
@@ -1337,7 +1352,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
1337
1352
  method: "GET";
1338
1353
  query: z.ZodObject<{
1339
1354
  code: z.ZodOptional<z.ZodString>;
1340
- state: z.ZodString;
1355
+ state: z.ZodOptional<z.ZodString>;
1341
1356
  error: z.ZodOptional<z.ZodString>;
1342
1357
  error_description: z.ZodOptional<z.ZodString>;
1343
1358
  }, z.core.$strip>;
@@ -1378,14 +1393,14 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
1378
1393
  method: "GET";
1379
1394
  query: z.ZodObject<{
1380
1395
  code: z.ZodOptional<z.ZodString>;
1381
- state: z.ZodString;
1396
+ state: z.ZodOptional<z.ZodString>;
1382
1397
  error: z.ZodOptional<z.ZodString>;
1383
1398
  error_description: z.ZodOptional<z.ZodString>;
1384
1399
  }, z.core.$strip>;
1385
1400
  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
1386
1401
  }, void>;
1387
1402
  declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
1388
- method: ("POST" | "GET")[];
1403
+ method: ("GET" | "POST")[];
1389
1404
  body: z.ZodOptional<z.ZodObject<{
1390
1405
  SAMLResponse: z.ZodString;
1391
1406
  RelayState: z.ZodOptional<z.ZodString>;
@@ -1415,7 +1430,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
1415
1430
  };
1416
1431
  }, never>;
1417
1432
  declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
1418
- method: ("POST" | "GET")[];
1433
+ method: ("GET" | "POST")[];
1419
1434
  body: z.ZodOptional<z.ZodObject<{
1420
1435
  SAMLRequest: z.ZodOptional<z.ZodString>;
1421
1436
  SAMLResponse: z.ZodOptional<z.ZodString>;
@@ -1585,7 +1600,7 @@ interface OIDCDiscoveryDocument {
1585
1600
  /**
1586
1601
  * Error codes for OIDC discovery operations.
1587
1602
  */
1588
- type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** Discovery URL is invalid or malformed */ | "discovery_invalid_url" /** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
1603
+ type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** OIDC endpoint URL (discovery or per-endpoint: authorization, token, userinfo, jwks) is invalid, malformed, or uses a non-`http(s)` scheme */ | "discovery_invalid_url" /** OIDC endpoint URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** OIDC endpoint URL (discovery or per-endpoint) points to a host that is not publicly routable (loopback, RFC 1918, link-local, cloud metadata FQDN, etc.) */ | "discovery_private_host" /** Server-side OIDC endpoint fetch received an HTTP redirect response */ | "oidc_endpoint_redirect" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
1589
1604
  /**
1590
1605
  * Custom error class for OIDC discovery failures.
1591
1606
  * Can be caught and mapped to APIError at the edge.
@@ -1700,7 +1715,7 @@ declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDC
1700
1715
  * @returns The parsed discovery document
1701
1716
  * @throws DiscoveryError on network errors, timeouts, or invalid responses
1702
1717
  */
1703
- declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
1718
+ declare function fetchDiscoveryDocument(url: string, timeout?: number, isTrustedOrigin?: (url: string) => boolean): Promise<OIDCDiscoveryDocument>;
1704
1719
  /**
1705
1720
  * Validate a discovery document.
1706
1721
  *
@@ -1791,6 +1806,11 @@ type SSOPlugin<O extends SSOOptions> = {
1791
1806
  enabled: true;
1792
1807
  };
1793
1808
  } ? DomainVerificationEndpoints : {});
1809
+ schema: SSOProviderSchema<O>;
1810
+ $Infer: {
1811
+ SSOProvider: InferSSOProvider<O>;
1812
+ };
1813
+ options: NoInfer<O>;
1794
1814
  };
1795
1815
  declare function sso<O extends SSOOptions & {
1796
1816
  domainVerification?: {
@@ -1800,13 +1820,20 @@ declare function sso<O extends SSOOptions & {
1800
1820
  id: "sso";
1801
1821
  version: string;
1802
1822
  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
1803
- schema: NonNullable<BetterAuthPlugin["schema"]>;
1823
+ schema: SSOProviderSchema<O>;
1824
+ $Infer: {
1825
+ SSOProvider: InferSSOProvider<O>;
1826
+ };
1804
1827
  options: NoInfer<O>;
1805
1828
  };
1806
1829
  declare function sso<O extends SSOOptions>(options?: O | undefined): {
1807
1830
  id: "sso";
1808
1831
  version: string;
1809
1832
  endpoints: SSOEndpoints<O>;
1833
+ schema: SSOProviderSchema<O>;
1834
+ $Infer: {
1835
+ SSOProvider: InferSSOProvider<O>;
1836
+ };
1810
1837
  options: NoInfer<O>;
1811
1838
  };
1812
1839
  //#endregion
package/dist/index.d.mts CHANGED
@@ -1,2 +1,2 @@
1
- import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CagV4mMx.mjs";
1
+ import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-A_DJ_AqL.mjs";
2
2
  export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };