@better-auth/sso 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-CagV4mMx.mjs";
+import { t as SSOPlugin } from "./index-DCkGGu_2.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CLqkeI3u.mjs";
+import { t as PACKAGE_VERSION } from "./version-DzWb5tB_.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-CagV4mMx.d.mts → index-DCkGGu_2.d.mts}

@@ -79,6 +79,15 @@ interface OIDCConfig {
   privateKeyAlgorithm?: string | undefined;
   jwksEndpoint?: string | undefined;
   mapping?: OIDCMapping | undefined;
+  /**
+   * Accept callbacks from OIDC providers that initiate the OAuth flow
+   * without sending a `state` parameter. When enabled, stateless callbacks
+   * restart the OAuth flow server-side with a fresh `state` and PKCE
+   * verifier. See the SSO docs for details.
+   *
+   * @default false
+   */
+  allowIdpInitiated?: boolean | undefined;
 }
 interface SAMLConfig {
   /**
@@ -94,17 +103,24 @@ interface SAMLConfig {
    */
   entryPoint: string;
   /**
-   * IdP signing certificate. Used to verify SAML response signatures
-   * when `idpMetadata.metadata` is not provided. Ignored when IdP
-   * metadata XML is set (the certificate is extracted from the XML).
-   * When both this and `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence.
+   * IdP signing certificate(s). Used to verify SAML response signatures when
+   * `idpMetadata.metadata` is not provided. Ignored when IdP metadata XML is
+   * set (the certificate is extracted from the XML). When both this and
+   * `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence. Pass an
+   * array of PEM strings for rolling rotation; responses signed by any
+   * listed cert are accepted.
    */
-  cert: string;
+  cert?: string | string[];
   audience?: string | undefined;
   idpMetadata?: {
     metadata?: string;
     entityID?: string;
-    cert?: string;
+    /**
+     * IdP signing certificate(s). Pass a single PEM string or an array
+     * for rolling rotation. Takes precedence over the top-level `cert`
+     * when both are set. Omit when `metadata` XML is supplied.
+     */
+    cert?: string | string[];
     privateKey?: string;
     privateKeyPass?: string;
     isAssertionEncrypted?: boolean;
@@ -576,7 +592,19 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
   }>)[];
 }, void>;
 //#endregion
+//#region src/utils.d.ts
+declare function parseCertificate(certPem: string): {
+  fingerprintSha256: string;
+  notBefore: string;
+  notAfter: string;
+  publicKeyAlgorithm: string;
+};
+//#endregion
 //#region src/routes/providers.d.ts
+type ParsedCert = ReturnType<typeof parseCertificate>;
+type SanitizedCert = ParsedCert | {
+  error: string;
+};
 declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/providers", {
   method: "GET";
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -641,14 +669,7 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
       identifierFormat: string | undefined;
       signatureAlgorithm: string | undefined;
       digestAlgorithm: string | undefined;
-      certificate: {
-        fingerprintSha256: string;
-        notBefore: string;
-        notAfter: string;
-        publicKeyAlgorithm: string;
-      } | {
-        error: string;
-      };
+      certificate: SanitizedCert[] | undefined;
     } | undefined;
     spMetadataUrl: string;
   }[];
@@ -725,14 +746,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
     identifierFormat: string | undefined;
     signatureAlgorithm: string | undefined;
     digestAlgorithm: string | undefined;
-    certificate: {
-      fingerprintSha256: string;
-      notBefore: string;
-      notAfter: string;
-      publicKeyAlgorithm: string;
-    } | {
-      error: string;
-    };
+    certificate: SanitizedCert[] | undefined;
   } | undefined;
   spMetadataUrl: string;
 }>;
@@ -766,39 +780,40 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     domain: z.ZodOptional<z.ZodString>;
     oidcConfig: z.ZodOptional<z.ZodObject<{
       clientId: z.ZodOptional<z.ZodString>;
-      clientSecret: z.ZodOptional<z.ZodString>;
-      authorizationEndpoint: z.ZodOptional<z.ZodString>;
-      tokenEndpoint: z.ZodOptional<z.ZodString>;
-      userInfoEndpoint: z.ZodOptional<z.ZodString>;
-      tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
+      clientSecret: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      authorizationEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      tokenEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      userInfoEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      tokenEndpointAuthentication: z.ZodOptional<z.ZodOptional<z.ZodEnum<{
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
         private_key_jwt: "private_key_jwt";
-      }>>;
-      privateKeyId: z.ZodOptional<z.ZodString>;
-      privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
-      jwksEndpoint: z.ZodOptional<z.ZodString>;
-      discoveryEndpoint: z.ZodOptional<z.ZodString>;
-      scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
-      pkce: z.ZodOptional<z.ZodBoolean>;
-      overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
-      mapping: z.ZodOptional<z.ZodObject<{
-        id: z.ZodOptional<z.ZodString>;
-        email: z.ZodOptional<z.ZodString>;
+      }>>>;
+      privateKeyId: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      privateKeyAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      jwksEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      discoveryEndpoint: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      skipDiscovery: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+      scopes: z.ZodOptional<z.ZodOptional<z.ZodArray<z.ZodString>>>;
+      pkce: z.ZodOptional<z.ZodOptional<z.ZodDefault<z.ZodBoolean>>>;
+      overrideUserInfo: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+      mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodString;
         emailVerified: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
+        name: z.ZodString;
         image: z.ZodOptional<z.ZodString>;
         extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
-      }, z.core.$strip>>;
+      }, z.core.$strip>>>;
     }, z.core.$strip>>;
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodOptional<z.ZodString>;
-      cert: z.ZodOptional<z.ZodString>;
-      audience: z.ZodOptional<z.ZodString>;
-      idpMetadata: z.ZodOptional<z.ZodObject<{
+      cert: z.ZodOptional<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>>;
+      audience: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      idpMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
         entityID: z.ZodOptional<z.ZodString>;
-        cert: z.ZodOptional<z.ZodString>;
+        cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
         privateKey: z.ZodOptional<z.ZodString>;
         privateKeyPass: z.ZodOptional<z.ZodString>;
         isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
@@ -808,8 +823,12 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
           Binding: z.ZodString;
           Location: z.ZodString;
         }, z.core.$strip>>>;
-      }, z.core.$strip>>;
-      spMetadata: z.ZodOptional<z.ZodObject<{
+        singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
+          Binding: z.ZodString;
+          Location: z.ZodString;
+        }, z.core.$strip>>>;
+      }, z.core.$strip>>>;
+      spMetadata: z.ZodOptional<z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
         entityID: z.ZodOptional<z.ZodString>;
         binding: z.ZodOptional<z.ZodString>;
@@ -818,22 +837,22 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
         isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
         encPrivateKey: z.ZodOptional<z.ZodString>;
         encPrivateKeyPass: z.ZodOptional<z.ZodString>;
-      }, z.core.$strip>>;
-      wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
-      authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
-      signatureAlgorithm: z.ZodOptional<z.ZodString>;
-      digestAlgorithm: z.ZodOptional<z.ZodString>;
-      identifierFormat: z.ZodOptional<z.ZodString>;
-      privateKey: z.ZodOptional<z.ZodString>;
-      mapping: z.ZodOptional<z.ZodObject<{
-        id: z.ZodOptional<z.ZodString>;
-        email: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>>>;
+      wantAssertionsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+      authnRequestsSigned: z.ZodOptional<z.ZodOptional<z.ZodBoolean>>;
+      signatureAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      digestAlgorithm: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      identifierFormat: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      privateKey: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      mapping: z.ZodOptional<z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        email: z.ZodString;
         emailVerified: z.ZodOptional<z.ZodString>;
-        name: z.ZodOptional<z.ZodString>;
+        name: z.ZodString;
         firstName: z.ZodOptional<z.ZodString>;
         lastName: z.ZodOptional<z.ZodString>;
         extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
-      }, z.core.$strip>>;
+      }, z.core.$strip>>>;
     }, z.core.$strip>>;
     providerId: z.ZodString;
   }, z.core.$strip>;
@@ -881,14 +900,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     identifierFormat: string | undefined;
     signatureAlgorithm: string | undefined;
     digestAlgorithm: string | undefined;
-    certificate: {
-      fingerprintSha256: string;
-      notBefore: string;
-      notAfter: string;
-      publicKeyAlgorithm: string;
-    } | {
-      error: string;
-    };
+    certificate: SanitizedCert[] | undefined;
   } | undefined;
   spMetadataUrl: string;
 }>;
@@ -985,6 +997,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
       skipDiscovery: z.ZodOptional<z.ZodBoolean>;
       scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
       pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
+      overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
       mapping: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
         email: z.ZodString;
@@ -996,12 +1009,12 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     }, z.core.$strip>>;
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodString;
-      cert: z.ZodString;
+      cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
       audience: z.ZodOptional<z.ZodString>;
       idpMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
         entityID: z.ZodOptional<z.ZodString>;
-        cert: z.ZodOptional<z.ZodString>;
+        cert: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
         privateKey: z.ZodOptional<z.ZodString>;
         privateKeyPass: z.ZodOptional<z.ZodString>;
         isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
@@ -1011,6 +1024,10 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
           Binding: z.ZodString;
           Location: z.ZodString;
         }, z.core.$strip>>>;
+        singleLogoutService: z.ZodOptional<z.ZodArray<z.ZodObject<{
+          Binding: z.ZodString;
+          Location: z.ZodString;
+        }, z.core.$strip>>>;
       }, z.core.$strip>>;
       spMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
@@ -1251,6 +1268,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
     newUserCallbackURL: z.ZodOptional<z.ZodString>;
     scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
     loginHint: z.ZodOptional<z.ZodString>;
+    additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
     requestSignUp: z.ZodOptional<z.ZodBoolean>;
     providerType: z.ZodOptional<z.ZodEnum<{
       saml: "saml";
@@ -1272,7 +1290,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
                   type: string;
                   description: string;
                 };
-                issuer: {
+                organizationSlug: {
                   type: string;
                   description: string;
                 };
@@ -1280,6 +1298,10 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
                   type: string;
                   description: string;
                 };
+                domain: {
+                  type: string;
+                  description: string;
+                };
                 callbackURL: {
                   type: string;
                   description: string;
@@ -1292,10 +1314,33 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
                   type: string;
                   description: string;
                 };
+                scopes: {
+                  type: string;
+                  items: {
+                    type: string;
+                  };
+                  description: string;
+                };
                 loginHint: {
                   type: string;
                   description: string;
                 };
+                additionalParams: {
+                  type: string;
+                  additionalProperties: {
+                    type: string;
+                  };
+                  description: string;
+                };
+                requestSignUp: {
+                  type: string;
+                  description: string;
+                };
+                providerType: {
+                  type: string;
+                  enum: string[];
+                  description: string;
+                };
               };
               required: string[];
             };
@@ -1337,7 +1382,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
-    state: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
     error: z.ZodOptional<z.ZodString>;
     error_description: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
@@ -1378,7 +1423,7 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
-    state: z.ZodString;
+    state: z.ZodOptional<z.ZodString>;
     error: z.ZodOptional<z.ZodString>;
     error_description: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
@@ -1585,7 +1630,7 @@ interface OIDCDiscoveryDocument {
 /**
  * Error codes for OIDC discovery operations.
  */
-type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** Discovery URL is invalid or malformed */ | "discovery_invalid_url" /** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
+type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** OIDC endpoint URL (discovery or per-endpoint: authorization, token, userinfo, jwks) is invalid, malformed, or uses a non-`http(s)` scheme */ | "discovery_invalid_url" /** OIDC endpoint URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** OIDC endpoint URL (discovery or per-endpoint) points to a host that is not publicly routable (loopback, RFC 1918, link-local, cloud metadata FQDN, etc.) */ | "discovery_private_host" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
 /**
  * Custom error class for OIDC discovery failures.
  * Can be caught and mapped to APIError at the edge.

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CagV4mMx.mjs";
+import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DCkGGu_2.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };