@better-auth/sso 1.7.0-beta.1 → 1.7.0-beta.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/client.d.mts +10 -1
- package/dist/client.mjs +1 -1
- package/dist/{index-CagV4mMx.d.mts → index-A_DJ_AqL.d.mts} +183 -156
- package/dist/index.d.mts +1 -1
- package/dist/index.mjs +2379 -1604
- package/dist/{version-C22JHwcK.mjs → version-C-W6yUfI.mjs} +1 -1
- package/package.json +14 -14
package/dist/client.d.mts
CHANGED
|
@@ -1,10 +1,18 @@
|
|
|
1
|
-
import { t as SSOPlugin } from "./index-
|
|
1
|
+
import { t as SSOPlugin } from "./index-A_DJ_AqL.mjs";
|
|
2
|
+
import { DBFieldAttribute } from "better-auth/db";
|
|
2
3
|
|
|
3
4
|
//#region src/client.d.ts
|
|
4
5
|
interface SSOClientOptions {
|
|
5
6
|
domainVerification?: {
|
|
6
7
|
enabled: boolean;
|
|
7
8
|
} | undefined;
|
|
9
|
+
schema?: {
|
|
10
|
+
ssoProvider?: {
|
|
11
|
+
additionalFields?: {
|
|
12
|
+
[key: string]: DBFieldAttribute;
|
|
13
|
+
};
|
|
14
|
+
};
|
|
15
|
+
} | undefined;
|
|
8
16
|
}
|
|
9
17
|
declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined) => {
|
|
10
18
|
id: "sso-client";
|
|
@@ -15,6 +23,7 @@ declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined)
|
|
|
15
23
|
enabled: true;
|
|
16
24
|
} ? true : false;
|
|
17
25
|
};
|
|
26
|
+
schema: CO["schema"];
|
|
18
27
|
}>;
|
|
19
28
|
pathMethods: {
|
|
20
29
|
"/sso/providers": "GET";
|
package/dist/client.mjs
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
import { APIError } from "better-auth/api";
|
|
2
2
|
import * as z from "zod";
|
|
3
|
-
import {
|
|
3
|
+
import { DBFieldAttribute, FieldAttributeToObject, InferAdditionalFieldsFromPluginOptions, RemoveFieldsWithReturnedFalse } from "better-auth/db";
|
|
4
|
+
import { Awaitable, OAuth2Tokens, User } from "better-auth";
|
|
4
5
|
import * as better_call0 from "better-call";
|
|
5
6
|
|
|
6
7
|
//#region src/saml/algorithms.d.ts
|
|
@@ -79,6 +80,15 @@ interface OIDCConfig {
|
|
|
79
80
|
privateKeyAlgorithm?: string | undefined;
|
|
80
81
|
jwksEndpoint?: string | undefined;
|
|
81
82
|
mapping?: OIDCMapping | undefined;
|
|
83
|
+
/**
|
|
84
|
+
* Accept callbacks from OIDC providers that initiate the OAuth flow
|
|
85
|
+
* without sending a `state` parameter. When enabled, stateless callbacks
|
|
86
|
+
* restart the OAuth flow server-side with a fresh `state` and PKCE
|
|
87
|
+
* verifier. See the SSO docs for details.
|
|
88
|
+
*
|
|
89
|
+
* @default false
|
|
90
|
+
*/
|
|
91
|
+
allowIdpInitiated?: boolean | undefined;
|
|
82
92
|
}
|
|
83
93
|
interface SAMLConfig {
|
|
84
94
|
/**
|
|
@@ -94,17 +104,29 @@ interface SAMLConfig {
|
|
|
94
104
|
*/
|
|
95
105
|
entryPoint: string;
|
|
96
106
|
/**
|
|
97
|
-
* IdP signing certificate. Used to verify SAML response signatures
|
|
98
|
-
*
|
|
99
|
-
*
|
|
100
|
-
*
|
|
107
|
+
* IdP signing certificate(s). Used to verify SAML response signatures when
|
|
108
|
+
* `idpMetadata.metadata` is not provided. Ignored when IdP metadata XML is
|
|
109
|
+
* set (the certificate is extracted from the XML). When both this and
|
|
110
|
+
* `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence. Pass an
|
|
111
|
+
* array of PEM strings for rolling rotation; responses signed by any
|
|
112
|
+
* listed cert are accepted.
|
|
101
113
|
*/
|
|
102
|
-
cert
|
|
114
|
+
cert?: string | string[];
|
|
103
115
|
audience?: string | undefined;
|
|
116
|
+
/**
|
|
117
|
+
* Provider-level post-auth redirect URL for IdP-initiated or fallback SAML
|
|
118
|
+
* flows when no RelayState callback URL is available.
|
|
119
|
+
*/
|
|
120
|
+
callbackUrl?: string | undefined;
|
|
104
121
|
idpMetadata?: {
|
|
105
122
|
metadata?: string;
|
|
106
123
|
entityID?: string;
|
|
107
|
-
|
|
124
|
+
/**
|
|
125
|
+
* IdP signing certificate(s). Pass a single PEM string or an array
|
|
126
|
+
* for rolling rotation. Takes precedence over the top-level `cert`
|
|
127
|
+
* when both are set. Omit when `metadata` XML is supplied.
|
|
128
|
+
*/
|
|
129
|
+
cert?: string | string[];
|
|
108
130
|
privateKey?: string;
|
|
109
131
|
privateKeyPass?: string;
|
|
110
132
|
isAssertionEncrypted?: boolean;
|
|
@@ -156,11 +178,32 @@ type BaseSSOProvider = {
|
|
|
156
178
|
organizationId?: string | undefined;
|
|
157
179
|
domain: string;
|
|
158
180
|
};
|
|
181
|
+
type SSOProviderAdditionalFields<O extends SSOOptions, IsClientSide extends boolean> = O["schema"] extends {
|
|
182
|
+
ssoProvider?: {
|
|
183
|
+
additionalFields: infer Field extends Record<string, DBFieldAttribute>;
|
|
184
|
+
};
|
|
185
|
+
} ? IsClientSide extends true ? FieldAttributeToObject<RemoveFieldsWithReturnedFalse<Field>> : FieldAttributeToObject<Field> : {};
|
|
186
|
+
type SSOProviderAdditionalFieldsInput<O extends SSOOptions, IsClientSide extends boolean = true> = InferAdditionalFieldsFromPluginOptions<"ssoProvider", O, IsClientSide>;
|
|
187
|
+
type InferSSOProvider<O extends SSOOptions, IsClientSide extends boolean = true> = (O["domainVerification"] extends {
|
|
188
|
+
enabled: true;
|
|
189
|
+
} ? {
|
|
190
|
+
domainVerified: boolean;
|
|
191
|
+
} & BaseSSOProvider : BaseSSOProvider) & SSOProviderAdditionalFields<O, IsClientSide>;
|
|
159
192
|
type SSOProvider<O extends SSOOptions> = O["domainVerification"] extends {
|
|
160
193
|
enabled: true;
|
|
161
194
|
} ? {
|
|
162
195
|
domainVerified: boolean;
|
|
163
|
-
} & BaseSSOProvider : BaseSSOProvider
|
|
196
|
+
} & BaseSSOProvider & SSOProviderAdditionalFields<O, false> : BaseSSOProvider & SSOProviderAdditionalFields<O, false>;
|
|
197
|
+
type SSOProviderSchema<O extends SSOOptions> = {
|
|
198
|
+
ssoProvider: {
|
|
199
|
+
modelName: string;
|
|
200
|
+
fields: Record<string, DBFieldAttribute> & (O["schema"] extends {
|
|
201
|
+
ssoProvider?: {
|
|
202
|
+
additionalFields: infer Field extends Record<string, DBFieldAttribute>;
|
|
203
|
+
};
|
|
204
|
+
} ? Field : {});
|
|
205
|
+
};
|
|
206
|
+
};
|
|
164
207
|
interface SSOOptions {
|
|
165
208
|
/**
|
|
166
209
|
* custom function to provision a user when they sign in with an SSO provider.
|
|
@@ -282,6 +325,25 @@ interface SSOOptions {
|
|
|
282
325
|
organizationId?: string | undefined;
|
|
283
326
|
domain?: string | undefined;
|
|
284
327
|
};
|
|
328
|
+
/**
|
|
329
|
+
* The schema for the SSO plugin.
|
|
330
|
+
*/
|
|
331
|
+
schema?: {
|
|
332
|
+
ssoProvider?: {
|
|
333
|
+
modelName?: string | undefined;
|
|
334
|
+
fields?: {
|
|
335
|
+
issuer?: string | undefined;
|
|
336
|
+
oidcConfig?: string | undefined;
|
|
337
|
+
samlConfig?: string | undefined;
|
|
338
|
+
userId?: string | undefined;
|
|
339
|
+
providerId?: string | undefined;
|
|
340
|
+
organizationId?: string | undefined;
|
|
341
|
+
domain?: string | undefined;
|
|
342
|
+
domainVerified?: string | undefined;
|
|
343
|
+
};
|
|
344
|
+
additionalFields?: { [key in string]: DBFieldAttribute };
|
|
345
|
+
};
|
|
346
|
+
} | undefined;
|
|
285
347
|
/**
|
|
286
348
|
* Configure the maximum number of SSO providers a user can register.
|
|
287
349
|
* You can also pass a function that returns a number.
|
|
@@ -576,8 +638,20 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
|
|
|
576
638
|
}>)[];
|
|
577
639
|
}, void>;
|
|
578
640
|
//#endregion
|
|
641
|
+
//#region src/utils.d.ts
|
|
642
|
+
declare function parseCertificate(certPem: string): {
|
|
643
|
+
fingerprintSha256: string;
|
|
644
|
+
notBefore: string;
|
|
645
|
+
notAfter: string;
|
|
646
|
+
publicKeyAlgorithm: string;
|
|
647
|
+
};
|
|
648
|
+
//#endregion
|
|
579
649
|
//#region src/routes/providers.d.ts
|
|
580
|
-
|
|
650
|
+
type ParsedCert = ReturnType<typeof parseCertificate>;
|
|
651
|
+
type SanitizedCert = ParsedCert | {
|
|
652
|
+
error: string;
|
|
653
|
+
};
|
|
654
|
+
declare const listSSOProviders: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers", {
|
|
581
655
|
method: "GET";
|
|
582
656
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
583
657
|
session: {
|
|
@@ -641,19 +715,12 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
|
|
|
641
715
|
identifierFormat: string | undefined;
|
|
642
716
|
signatureAlgorithm: string | undefined;
|
|
643
717
|
digestAlgorithm: string | undefined;
|
|
644
|
-
certificate:
|
|
645
|
-
fingerprintSha256: string;
|
|
646
|
-
notBefore: string;
|
|
647
|
-
notAfter: string;
|
|
648
|
-
publicKeyAlgorithm: string;
|
|
649
|
-
} | {
|
|
650
|
-
error: string;
|
|
651
|
-
};
|
|
718
|
+
certificate: SanitizedCert[] | undefined;
|
|
652
719
|
} | undefined;
|
|
653
720
|
spMetadataUrl: string;
|
|
654
721
|
}[];
|
|
655
722
|
}>;
|
|
656
|
-
declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
|
|
723
|
+
declare const getSSOProvider: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/get-provider", {
|
|
657
724
|
method: "GET";
|
|
658
725
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
659
726
|
session: {
|
|
@@ -725,14 +792,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
|
|
|
725
792
|
identifierFormat: string | undefined;
|
|
726
793
|
signatureAlgorithm: string | undefined;
|
|
727
794
|
digestAlgorithm: string | undefined;
|
|
728
|
-
certificate:
|
|
729
|
-
fingerprintSha256: string;
|
|
730
|
-
notBefore: string;
|
|
731
|
-
notAfter: string;
|
|
732
|
-
publicKeyAlgorithm: string;
|
|
733
|
-
} | {
|
|
734
|
-
error: string;
|
|
735
|
-
};
|
|
795
|
+
certificate: SanitizedCert[] | undefined;
|
|
736
796
|
} | undefined;
|
|
737
797
|
spMetadataUrl: string;
|
|
738
798
|
}>;
|
|
@@ -766,39 +826,41 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
766
826
|
domain: z.ZodOptional<z.ZodString>;
|
|
767
827
|
oidcConfig: z.ZodOptional<z.ZodObject<{
|
|
768
828
|
clientId: z.ZodOptional<z.ZodString>;
|
|
769
|
-
clientSecret: z.ZodOptional<z.ZodString
|
|
770
|
-
authorizationEndpoint: z.ZodOptional<z.ZodString
|
|
771
|
-
tokenEndpoint: z.ZodOptional<z.ZodString
|
|
772
|
-
userInfoEndpoint: z.ZodOptional<z.ZodString
|
|
773
|
-
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
829
|
+
clientSecret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
830
|
+
authorizationEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
831
|
+
tokenEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
832
|
+
userInfoEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
833
|
+
tokenEndpointAuthentication: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
|
|
774
834
|
client_secret_post: "client_secret_post";
|
|
775
835
|
client_secret_basic: "client_secret_basic";
|
|
776
836
|
private_key_jwt: "private_key_jwt";
|
|
777
|
-
}
|
|
778
|
-
privateKeyId: z.ZodOptional<z.ZodString
|
|
779
|
-
privateKeyAlgorithm: z.ZodOptional<z.ZodString
|
|
780
|
-
jwksEndpoint: z.ZodOptional<z.ZodString
|
|
781
|
-
discoveryEndpoint: z.ZodOptional<z.ZodString
|
|
782
|
-
|
|
783
|
-
|
|
784
|
-
|
|
785
|
-
|
|
786
|
-
|
|
787
|
-
|
|
837
|
+
}>>>;
|
|
838
|
+
privateKeyId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
839
|
+
privateKeyAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
840
|
+
jwksEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
841
|
+
discoveryEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
842
|
+
skipDiscovery: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
843
|
+
scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
|
|
844
|
+
pkce: z.ZodOptional<z.ZodOptional<z.ZodDefault<z.ZodBoolean>>>;
|
|
845
|
+
overrideUserInfo: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
846
|
+
mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
847
|
+
id: z.ZodString;
|
|
848
|
+
email: z.ZodString;
|
|
788
849
|
emailVerified: z.ZodOptional<z.ZodString>;
|
|
789
|
-
name: z.
|
|
850
|
+
name: z.ZodString;
|
|
790
851
|
image: z.ZodOptional<z.ZodString>;
|
|
791
852
|
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
792
|
-
}, z.core.$strip
|
|
853
|
+
}, z.core.$strip>>>;
|
|
793
854
|
}, z.core.$strip>>;
|
|
794
855
|
samlConfig: z.ZodOptional<z.ZodObject<{
|
|
795
856
|
entryPoint: z.ZodOptional<z.ZodString>;
|
|
796
|
-
cert: z.ZodOptional<z.ZodString
|
|
797
|
-
audience: z.ZodOptional<z.ZodString
|
|
798
|
-
|
|
857
|
+
cert: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>>;
|
|
858
|
+
audience: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
859
|
+
callbackUrl: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
860
|
+
idpMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
799
861
|
metadata: z.ZodOptional<z.ZodString>;
|
|
800
862
|
entityID: z.ZodOptional<z.ZodString>;
|
|
801
|
-
cert: z.ZodOptional<z.ZodString
|
|
863
|
+
cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
|
|
802
864
|
privateKey: z.ZodOptional<z.ZodString>;
|
|
803
865
|
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
804
866
|
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -808,8 +870,12 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
808
870
|
Binding: z.ZodString;
|
|
809
871
|
Location: z.ZodString;
|
|
810
872
|
}, z.core.$strip>>>;
|
|
811
|
-
|
|
812
|
-
|
|
873
|
+
singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
874
|
+
Binding: z.ZodString;
|
|
875
|
+
Location: z.ZodString;
|
|
876
|
+
}, z.core.$strip>>>;
|
|
877
|
+
}, z.core.$strip>>>;
|
|
878
|
+
spMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
813
879
|
metadata: z.ZodOptional<z.ZodString>;
|
|
814
880
|
entityID: z.ZodOptional<z.ZodString>;
|
|
815
881
|
binding: z.ZodOptional<z.ZodString>;
|
|
@@ -818,22 +884,22 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
818
884
|
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
819
885
|
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
820
886
|
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
821
|
-
}, z.core.$strip
|
|
822
|
-
wantAssertionsSigned: z.ZodOptional<z.ZodBoolean
|
|
823
|
-
authnRequestsSigned: z.ZodOptional<z.ZodBoolean
|
|
824
|
-
signatureAlgorithm: z.ZodOptional<z.ZodString
|
|
825
|
-
digestAlgorithm: z.ZodOptional<z.ZodString
|
|
826
|
-
identifierFormat: z.ZodOptional<z.ZodString
|
|
827
|
-
privateKey: z.ZodOptional<z.ZodString
|
|
828
|
-
mapping: z.ZodOptional<z.ZodObject<{
|
|
829
|
-
id: z.
|
|
830
|
-
email: z.
|
|
887
|
+
}, z.core.$strip>>>;
|
|
888
|
+
wantAssertionsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
889
|
+
authnRequestsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
|
|
890
|
+
signatureAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
891
|
+
digestAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
892
|
+
identifierFormat: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
893
|
+
privateKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
|
|
894
|
+
mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
|
|
895
|
+
id: z.ZodString;
|
|
896
|
+
email: z.ZodString;
|
|
831
897
|
emailVerified: z.ZodOptional<z.ZodString>;
|
|
832
|
-
name: z.
|
|
898
|
+
name: z.ZodString;
|
|
833
899
|
firstName: z.ZodOptional<z.ZodString>;
|
|
834
900
|
lastName: z.ZodOptional<z.ZodString>;
|
|
835
901
|
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
836
|
-
}, z.core.$strip
|
|
902
|
+
}, z.core.$strip>>>;
|
|
837
903
|
}, z.core.$strip>>;
|
|
838
904
|
providerId: z.ZodString;
|
|
839
905
|
}, z.core.$strip>;
|
|
@@ -881,14 +947,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
881
947
|
identifierFormat: string | undefined;
|
|
882
948
|
signatureAlgorithm: string | undefined;
|
|
883
949
|
digestAlgorithm: string | undefined;
|
|
884
|
-
certificate:
|
|
885
|
-
fingerprintSha256: string;
|
|
886
|
-
notBefore: string;
|
|
887
|
-
notAfter: string;
|
|
888
|
-
publicKeyAlgorithm: string;
|
|
889
|
-
} | {
|
|
890
|
-
error: string;
|
|
891
|
-
};
|
|
950
|
+
certificate: SanitizedCert[] | undefined;
|
|
892
951
|
} | undefined;
|
|
893
952
|
spMetadataUrl: string;
|
|
894
953
|
}>;
|
|
@@ -964,82 +1023,7 @@ declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<
|
|
|
964
1023
|
declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
|
|
965
1024
|
method: "POST";
|
|
966
1025
|
body: z.ZodObject<{
|
|
967
|
-
|
|
968
|
-
issuer: z.ZodString;
|
|
969
|
-
domain: z.ZodString;
|
|
970
|
-
oidcConfig: z.ZodOptional<z.ZodObject<{
|
|
971
|
-
clientId: z.ZodString;
|
|
972
|
-
clientSecret: z.ZodOptional<z.ZodString>;
|
|
973
|
-
authorizationEndpoint: z.ZodOptional<z.ZodString>;
|
|
974
|
-
tokenEndpoint: z.ZodOptional<z.ZodString>;
|
|
975
|
-
userInfoEndpoint: z.ZodOptional<z.ZodString>;
|
|
976
|
-
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
977
|
-
client_secret_post: "client_secret_post";
|
|
978
|
-
client_secret_basic: "client_secret_basic";
|
|
979
|
-
private_key_jwt: "private_key_jwt";
|
|
980
|
-
}>>;
|
|
981
|
-
privateKeyId: z.ZodOptional<z.ZodString>;
|
|
982
|
-
privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
|
|
983
|
-
jwksEndpoint: z.ZodOptional<z.ZodString>;
|
|
984
|
-
discoveryEndpoint: z.ZodOptional<z.ZodString>;
|
|
985
|
-
skipDiscovery: z.ZodOptional<z.ZodBoolean>;
|
|
986
|
-
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
987
|
-
pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
988
|
-
mapping: z.ZodOptional<z.ZodObject<{
|
|
989
|
-
id: z.ZodString;
|
|
990
|
-
email: z.ZodString;
|
|
991
|
-
emailVerified: z.ZodOptional<z.ZodString>;
|
|
992
|
-
name: z.ZodString;
|
|
993
|
-
image: z.ZodOptional<z.ZodString>;
|
|
994
|
-
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
995
|
-
}, z.core.$strip>>;
|
|
996
|
-
}, z.core.$strip>>;
|
|
997
|
-
samlConfig: z.ZodOptional<z.ZodObject<{
|
|
998
|
-
entryPoint: z.ZodString;
|
|
999
|
-
cert: z.ZodString;
|
|
1000
|
-
audience: z.ZodOptional<z.ZodString>;
|
|
1001
|
-
idpMetadata: z.ZodOptional<z.ZodObject<{
|
|
1002
|
-
metadata: z.ZodOptional<z.ZodString>;
|
|
1003
|
-
entityID: z.ZodOptional<z.ZodString>;
|
|
1004
|
-
cert: z.ZodOptional<z.ZodString>;
|
|
1005
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
1006
|
-
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1007
|
-
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
1008
|
-
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
1009
|
-
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1010
|
-
singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
1011
|
-
Binding: z.ZodString;
|
|
1012
|
-
Location: z.ZodString;
|
|
1013
|
-
}, z.core.$strip>>>;
|
|
1014
|
-
}, z.core.$strip>>;
|
|
1015
|
-
spMetadata: z.ZodOptional<z.ZodObject<{
|
|
1016
|
-
metadata: z.ZodOptional<z.ZodString>;
|
|
1017
|
-
entityID: z.ZodOptional<z.ZodString>;
|
|
1018
|
-
binding: z.ZodOptional<z.ZodString>;
|
|
1019
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
1020
|
-
privateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1021
|
-
isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
|
|
1022
|
-
encPrivateKey: z.ZodOptional<z.ZodString>;
|
|
1023
|
-
encPrivateKeyPass: z.ZodOptional<z.ZodString>;
|
|
1024
|
-
}, z.core.$strip>>;
|
|
1025
|
-
wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
|
|
1026
|
-
authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
|
|
1027
|
-
signatureAlgorithm: z.ZodOptional<z.ZodString>;
|
|
1028
|
-
digestAlgorithm: z.ZodOptional<z.ZodString>;
|
|
1029
|
-
identifierFormat: z.ZodOptional<z.ZodString>;
|
|
1030
|
-
privateKey: z.ZodOptional<z.ZodString>;
|
|
1031
|
-
mapping: z.ZodOptional<z.ZodObject<{
|
|
1032
|
-
id: z.ZodString;
|
|
1033
|
-
email: z.ZodString;
|
|
1034
|
-
emailVerified: z.ZodOptional<z.ZodString>;
|
|
1035
|
-
name: z.ZodString;
|
|
1036
|
-
firstName: z.ZodOptional<z.ZodString>;
|
|
1037
|
-
lastName: z.ZodOptional<z.ZodString>;
|
|
1038
|
-
extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
|
|
1039
|
-
}, z.core.$strip>>;
|
|
1040
|
-
}, z.core.$strip>>;
|
|
1041
|
-
organizationId: z.ZodOptional<z.ZodString>;
|
|
1042
|
-
overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
|
|
1026
|
+
[x: string]: z.ZodOptional<z.ZodAny>;
|
|
1043
1027
|
}, z.core.$strip>;
|
|
1044
1028
|
use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
|
|
1045
1029
|
session: {
|
|
@@ -1065,6 +1049,9 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
|
|
|
1065
1049
|
};
|
|
1066
1050
|
}>)[];
|
|
1067
1051
|
metadata: {
|
|
1052
|
+
$Infer: {
|
|
1053
|
+
body: Record<string, any> & SSOProviderAdditionalFieldsInput<O>;
|
|
1054
|
+
};
|
|
1068
1055
|
openapi: {
|
|
1069
1056
|
operationId: string;
|
|
1070
1057
|
summary: string;
|
|
@@ -1231,14 +1218,14 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
|
|
|
1231
1218
|
redirectURI: string;
|
|
1232
1219
|
oidcConfig: OIDCConfig | null;
|
|
1233
1220
|
samlConfig: SAMLConfig | null;
|
|
1234
|
-
} & Omit<
|
|
1221
|
+
} & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig"> & {
|
|
1235
1222
|
domainVerified: boolean;
|
|
1236
1223
|
domainVerificationToken: string;
|
|
1237
1224
|
} : {
|
|
1238
1225
|
redirectURI: string;
|
|
1239
1226
|
oidcConfig: OIDCConfig | null;
|
|
1240
1227
|
samlConfig: SAMLConfig | null;
|
|
1241
|
-
} & Omit<
|
|
1228
|
+
} & Omit<InferSSOProvider<O>, "oidcConfig" | "samlConfig">>;
|
|
1242
1229
|
declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
|
|
1243
1230
|
method: "POST";
|
|
1244
1231
|
body: z.ZodObject<{
|
|
@@ -1251,6 +1238,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1251
1238
|
newUserCallbackURL: z.ZodOptional<z.ZodString>;
|
|
1252
1239
|
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
1253
1240
|
loginHint: z.ZodOptional<z.ZodString>;
|
|
1241
|
+
additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
|
|
1254
1242
|
requestSignUp: z.ZodOptional<z.ZodBoolean>;
|
|
1255
1243
|
providerType: z.ZodOptional<z.ZodEnum<{
|
|
1256
1244
|
saml: "saml";
|
|
@@ -1272,7 +1260,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1272
1260
|
type: string;
|
|
1273
1261
|
description: string;
|
|
1274
1262
|
};
|
|
1275
|
-
|
|
1263
|
+
organizationSlug: {
|
|
1276
1264
|
type: string;
|
|
1277
1265
|
description: string;
|
|
1278
1266
|
};
|
|
@@ -1280,6 +1268,10 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1280
1268
|
type: string;
|
|
1281
1269
|
description: string;
|
|
1282
1270
|
};
|
|
1271
|
+
domain: {
|
|
1272
|
+
type: string;
|
|
1273
|
+
description: string;
|
|
1274
|
+
};
|
|
1283
1275
|
callbackURL: {
|
|
1284
1276
|
type: string;
|
|
1285
1277
|
description: string;
|
|
@@ -1292,10 +1284,33 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
|
|
|
1292
1284
|
type: string;
|
|
1293
1285
|
description: string;
|
|
1294
1286
|
};
|
|
1287
|
+
scopes: {
|
|
1288
|
+
type: string;
|
|
1289
|
+
items: {
|
|
1290
|
+
type: string;
|
|
1291
|
+
};
|
|
1292
|
+
description: string;
|
|
1293
|
+
};
|
|
1295
1294
|
loginHint: {
|
|
1296
1295
|
type: string;
|
|
1297
1296
|
description: string;
|
|
1298
1297
|
};
|
|
1298
|
+
additionalParams: {
|
|
1299
|
+
type: string;
|
|
1300
|
+
additionalProperties: {
|
|
1301
|
+
type: string;
|
|
1302
|
+
};
|
|
1303
|
+
description: string;
|
|
1304
|
+
};
|
|
1305
|
+
requestSignUp: {
|
|
1306
|
+
type: string;
|
|
1307
|
+
description: string;
|
|
1308
|
+
};
|
|
1309
|
+
providerType: {
|
|
1310
|
+
type: string;
|
|
1311
|
+
enum: string[];
|
|
1312
|
+
description: string;
|
|
1313
|
+
};
|
|
1299
1314
|
};
|
|
1300
1315
|
required: string[];
|
|
1301
1316
|
};
|
|
@@ -1337,7 +1352,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
|
|
|
1337
1352
|
method: "GET";
|
|
1338
1353
|
query: z.ZodObject<{
|
|
1339
1354
|
code: z.ZodOptional<z.ZodString>;
|
|
1340
|
-
state: z.ZodString
|
|
1355
|
+
state: z.ZodOptional<z.ZodString>;
|
|
1341
1356
|
error: z.ZodOptional<z.ZodString>;
|
|
1342
1357
|
error_description: z.ZodOptional<z.ZodString>;
|
|
1343
1358
|
}, z.core.$strip>;
|
|
@@ -1378,14 +1393,14 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
|
|
|
1378
1393
|
method: "GET";
|
|
1379
1394
|
query: z.ZodObject<{
|
|
1380
1395
|
code: z.ZodOptional<z.ZodString>;
|
|
1381
|
-
state: z.ZodString
|
|
1396
|
+
state: z.ZodOptional<z.ZodString>;
|
|
1382
1397
|
error: z.ZodOptional<z.ZodString>;
|
|
1383
1398
|
error_description: z.ZodOptional<z.ZodString>;
|
|
1384
1399
|
}, z.core.$strip>;
|
|
1385
1400
|
allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
|
|
1386
1401
|
}, void>;
|
|
1387
1402
|
declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
|
|
1388
|
-
method: ("
|
|
1403
|
+
method: ("GET" | "POST")[];
|
|
1389
1404
|
body: z.ZodOptional<z.ZodObject<{
|
|
1390
1405
|
SAMLResponse: z.ZodString;
|
|
1391
1406
|
RelayState: z.ZodOptional<z.ZodString>;
|
|
@@ -1415,7 +1430,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
|
|
|
1415
1430
|
};
|
|
1416
1431
|
}, never>;
|
|
1417
1432
|
declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
|
|
1418
|
-
method: ("
|
|
1433
|
+
method: ("GET" | "POST")[];
|
|
1419
1434
|
body: z.ZodOptional<z.ZodObject<{
|
|
1420
1435
|
SAMLRequest: z.ZodOptional<z.ZodString>;
|
|
1421
1436
|
SAMLResponse: z.ZodOptional<z.ZodString>;
|
|
@@ -1585,7 +1600,7 @@ interface OIDCDiscoveryDocument {
|
|
|
1585
1600
|
/**
|
|
1586
1601
|
* Error codes for OIDC discovery operations.
|
|
1587
1602
|
*/
|
|
1588
|
-
type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /**
|
|
1603
|
+
type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** OIDC endpoint URL (discovery or per-endpoint: authorization, token, userinfo, jwks) is invalid, malformed, or uses a non-`http(s)` scheme */ | "discovery_invalid_url" /** OIDC endpoint URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** OIDC endpoint URL (discovery or per-endpoint) points to a host that is not publicly routable (loopback, RFC 1918, link-local, cloud metadata FQDN, etc.) */ | "discovery_private_host" /** Server-side OIDC endpoint fetch received an HTTP redirect response */ | "oidc_endpoint_redirect" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
|
|
1589
1604
|
/**
|
|
1590
1605
|
* Custom error class for OIDC discovery failures.
|
|
1591
1606
|
* Can be caught and mapped to APIError at the edge.
|
|
@@ -1700,7 +1715,7 @@ declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDC
|
|
|
1700
1715
|
* @returns The parsed discovery document
|
|
1701
1716
|
* @throws DiscoveryError on network errors, timeouts, or invalid responses
|
|
1702
1717
|
*/
|
|
1703
|
-
declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
|
|
1718
|
+
declare function fetchDiscoveryDocument(url: string, timeout?: number, isTrustedOrigin?: (url: string) => boolean): Promise<OIDCDiscoveryDocument>;
|
|
1704
1719
|
/**
|
|
1705
1720
|
* Validate a discovery document.
|
|
1706
1721
|
*
|
|
@@ -1791,6 +1806,11 @@ type SSOPlugin<O extends SSOOptions> = {
|
|
|
1791
1806
|
enabled: true;
|
|
1792
1807
|
};
|
|
1793
1808
|
} ? DomainVerificationEndpoints : {});
|
|
1809
|
+
schema: SSOProviderSchema<O>;
|
|
1810
|
+
$Infer: {
|
|
1811
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1812
|
+
};
|
|
1813
|
+
options: NoInfer<O>;
|
|
1794
1814
|
};
|
|
1795
1815
|
declare function sso<O extends SSOOptions & {
|
|
1796
1816
|
domainVerification?: {
|
|
@@ -1800,13 +1820,20 @@ declare function sso<O extends SSOOptions & {
|
|
|
1800
1820
|
id: "sso";
|
|
1801
1821
|
version: string;
|
|
1802
1822
|
endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
|
|
1803
|
-
schema:
|
|
1823
|
+
schema: SSOProviderSchema<O>;
|
|
1824
|
+
$Infer: {
|
|
1825
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1826
|
+
};
|
|
1804
1827
|
options: NoInfer<O>;
|
|
1805
1828
|
};
|
|
1806
1829
|
declare function sso<O extends SSOOptions>(options?: O | undefined): {
|
|
1807
1830
|
id: "sso";
|
|
1808
1831
|
version: string;
|
|
1809
1832
|
endpoints: SSOEndpoints<O>;
|
|
1833
|
+
schema: SSOProviderSchema<O>;
|
|
1834
|
+
$Infer: {
|
|
1835
|
+
SSOProvider: InferSSOProvider<O>;
|
|
1836
|
+
};
|
|
1810
1837
|
options: NoInfer<O>;
|
|
1811
1838
|
};
|
|
1812
1839
|
//#endregion
|
package/dist/index.d.mts
CHANGED
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-
|
|
1
|
+
import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-A_DJ_AqL.mjs";
|
|
2
2
|
export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
|