@better-auth/sso 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-5EiO_U3Z.mjs";
+import { t as PACKAGE_VERSION } from "./version-DzWb5tB_.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/index.mjs

@@ -1,18 +1,18 @@
-import { t as PACKAGE_VERSION } from "./version-5EiO_U3Z.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { t as PACKAGE_VERSION } from "./version-DzWb5tB_.mjs";
+import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
 import { base64 } from "@better-auth/utils/base64";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
 import { isAPIError } from "@better-auth/core/utils/is-api-error";
 import { HIDE_METADATA, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, createAuthorizationURL, createPrivateKeyJwtClientAssertionGetter, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
-import { additionalAuthorizationParamsSchema, handleOAuthUserInfo } from "better-auth/oauth2";
+import { additionalAuthorizationParamsSchema, signInWithOAuthIdentity } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
 import * as samlifyNamespace from "samlify";
 import samlifyDefault from "samlify";
@@ -527,6 +527,75 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
 }
 /**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateSkipDiscoveryEndpoint} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
+	try {
+		dns = await import("node:dns/promises");
+	} catch {
+		return;
+	}
+	let resolved;
+	try {
+		resolved = await dns.lookup(host, { all: true });
+	} catch {
+		return;
+	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
+}
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). Runs the synchronous host classification plus the
+* best-effort DNS resolution check. `authorizationEndpoint` is intentionally
+* excluded — it is a browser redirect target, not a server-side fetch, so these
+* checks don't apply to it.
+*/
+async function assertOIDCEndpointsResolvePublic(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+		await assertEndpointResolvesPublic(name, url, isTrustedOrigin);
+	}
+}
+/**
 * Fetch the OIDC discovery document from the IdP.
 *
 * @param url - The discovery endpoint URL
@@ -538,7 +607,8 @@ async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT)
 	try {
 		const response = await betterFetch(url, {
 			method: "GET",
-			timeout
+			timeout,
+			redirect: "error"
 		});
 		if (response.error) {
 			const { status } = response.error;
@@ -708,20 +778,24 @@ function needsRuntimeDiscovery(config) {
 * Throws if discovery fails.
 */
 async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
+	}
+	await assertOIDCEndpointsResolvePublic(resolved, isTrustedOrigin);
+	return resolved;
 }
 //#endregion
 //#region src/oidc/errors.ts
@@ -1125,11 +1199,10 @@ async function validateInResponseTo(c, ctx) {
 	const inResponseTo = ctx.extract.response?.inResponseTo;
 	const allowIdpInitiated = ctx.options.allowIdpInitiated ?? false;
 	if (inResponseTo) {
+		const consumed = await c.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 		let storedRequest = null;
-		const verification = await c.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-		if (verification) try {
-			storedRequest = JSON.parse(verification.value);
-			if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+		if (consumed) try {
+			storedRequest = JSON.parse(consumed.value);
 		} catch {
 			storedRequest = null;
 		}
@@ -1146,10 +1219,8 @@ async function validateInResponseTo(c, ctx) {
 				expectedProvider: storedRequest.providerId,
 				actualProvider: ctx.providerId
 			});
-			await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Provider mismatch"));
 		}
-		await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 	} else if (!allowIdpInitiated) {
 		c.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: ctx.providerId });
 		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "unsolicited_response", "IdP-initiated SSO not allowed"));
@@ -1590,14 +1661,12 @@ const deleteSSOProvider = () => {
 };
 //#endregion
 //#region src/saml-state.ts
-async function generateRelayState(c, link, additionalData) {
+async function generateRelayState(c, link) {
 	const callbackURL = c.body.callbackURL;
 	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
-	const codeVerifier = generateRandomString(128);
 	const stateData = {
-		...additionalData ? additionalData : {},
 		callbackURL,
-		codeVerifier,
+		codeVerifier: generateRandomString(128),
 		errorURL: c.body.errorCallbackURL,
 		newUserURL: c.body.newUserCallbackURL,
 		link,
@@ -1699,7 +1768,8 @@ function createSP(config, baseURL, providerId, opts) {
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
 		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
-		relayState: opts?.relayState
+		relayState: opts?.relayState,
+		clockDrifts: opts?.clockSkew && opts?.clockSkew !== 0 ? [-opts.clockSkew, opts.clockSkew] : void 0
 	});
 }
 function createIdP(config) {
@@ -1855,7 +1925,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 	const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
+	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId, { clockSkew: options?.saml?.clockSkew });
 	const idp = createIdP(parsedSamlConfig);
 	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
@@ -1957,27 +2027,32 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const postAuthRedirect = relayState?.callbackURL || ctx.context.baseURL;
 	const errorUrl = relayState?.errorURL || samlRedirectUrl;
 	let result;
 	try {
-		result = await handleOAuthUserInfo(ctx, {
+		result = await signInWithOAuthIdentity(ctx, {
 			userInfo: {
 				email: userInfo.email,
 				name: userInfo.name || userInfo.email,
 				id: userInfo.id,
 				emailVerified: Boolean(userInfo.emailVerified)
 			},
-			account: {
-				providerId,
-				accountId: userInfo.id,
-				accessToken: "",
-				refreshToken: ""
-			},
+			providerId,
+			accountId: userInfo.id,
+			tokens: {},
 			callbackURL: postAuthRedirect,
 			disableSignUp: options?.disableImplicitSignUp,
-			isTrustedProvider
+			source: {
+				method: "sso-saml",
+				sso: {
+					providerId,
+					profile: attributes
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2274,6 +2349,14 @@ const registerSSOProvider = (options) => {
 			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
 			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
+		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
 			where: [{
@@ -2589,9 +2672,16 @@ const signInSSO = (options) => {
 				throw error;
 			}
 			if (!config.authorizationEndpoint) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
-			const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+			const requestedScopes = ctx.body.scopes || config.scopes || [
+				"openid",
+				"email",
+				"profile",
+				"offline_access"
+			];
+			if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+			const state = await generateState(ctx, { requestedScopes });
 			const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
-			const authorizationURL = await createAuthorizationURL({
+			const { url: authorizationURL } = await createAuthorizationURL({
 				id: provider.issuer,
 				options: {
 					clientId: config.clientId,
@@ -2600,12 +2690,7 @@ const signInSSO = (options) => {
 				redirectURI,
 				state: state.state,
 				codeVerifier: config.pkce ? state.codeVerifier : void 0,
-				scopes: ctx.body.scopes || config.scopes || [
-					"openid",
-					"email",
-					"profile",
-					"offline_access"
-				],
+				scopes: requestedScopes,
 				loginHint: ctx.body.loginHint || email,
 				authorizationEndpoint: config.authorizationEndpoint,
 				additionalParams: ctx.body.additionalParams
@@ -2620,7 +2705,7 @@ const signInSSO = (options) => {
 			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
-			const { state: relayState } = await generateRelayState(ctx, void 0, false);
+			const { state: relayState } = await generateRelayState(ctx, void 0);
 			const sp = createSP(parsedSamlConfig, ctx.context.baseURL, provider.providerId, { relayState });
 			const idp = createIdP(parsedSamlConfig);
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
@@ -2668,7 +2753,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 		throw ctx.redirect(`${errorURL}?error=invalid_state`);
 	}
-	const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
+	const { callbackURL, errorURL, newUserURL, requestSignUp, requestedScopes } = stateData;
 	if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
 	const provider = await resolveOIDCProvider(ctx, options, providerId);
 	if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
@@ -2731,10 +2816,15 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 	let userInfo = null;
 	const mapping = config.mapping || {};
+	let rawProfile;
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
+		const userInfoResponse = await betterFetch(config.userInfoEndpoint, {
+			headers: { Authorization: `Bearer ${tokenResponse.accessToken}` },
+			redirect: "error"
+		});
 		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
 		const rawUserInfo = userInfoResponse.data;
+		rawProfile = rawUserInfo;
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
 			id: rawUserInfo[mapping.id || "sub"],
@@ -2745,6 +2835,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		};
 	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
+		rawProfile = idToken;
 		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
 		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
 			audience: config.clientId,
@@ -2767,7 +2858,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 	let linked;
 	try {
-		linked = await handleOAuthUserInfo(ctx, {
+		linked = await signInWithOAuthIdentity(ctx, {
 			userInfo: {
 				email: userInfo.email,
 				name: userInfo.name || "",
@@ -2775,20 +2866,22 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 				image: userInfo.image,
 				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
 			},
-			account: {
-				idToken: tokenResponse.idToken,
-				accessToken: tokenResponse.accessToken,
-				refreshToken: tokenResponse.refreshToken,
-				accountId: userInfo.id,
-				providerId: provider.providerId,
-				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-				scope: tokenResponse.scopes?.join(",")
-			},
+			providerId: provider.providerId,
+			accountId: userInfo.id,
+			tokens: tokenResponse,
+			requestedScopes,
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
+			source: {
+				method: "sso-oidc",
+				sso: {
+					providerId: provider.providerId,
+					profile: rawProfile
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2906,9 +2999,15 @@ async function bounceIfIdpInitiated(ctx, options, providerId) {
 		});
 		return;
 	}
-	const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+	if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+	const state = await generateState(ctx, { requestedScopes: config.scopes || [
+		"openid",
+		"email",
+		"profile",
+		"offline_access"
+	] });
 	const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
-	const authorizationURL = await createAuthorizationURL({
+	const { url: authorizationURL } = await createAuthorizationURL({
 		id: provider.issuer,
 		options: {
 			clientId: config.clientId,
@@ -2957,7 +3056,7 @@ const callbackSSOShared = (options) => {
 			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 			throw ctx.redirect(`${errorURL}?error=invalid_state`);
 		}
-		const providerId = stateData.ssoProviderId;
+		const providerId = stateData.serverContext?.ssoProviderId;
 		if (!providerId) {
 			const errorURL = stateData.errorURL || stateData.callbackURL;
 			throw ctx.redirect(`${errorURL}?error=invalid_state&error_description=missing_provider_id`);

package/dist/{version-5EiO_U3Z.mjs → version-DzWb5tB_.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.4";
+const PACKAGE_VERSION = "1.7.0-beta.5";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.5",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -65,20 +65,20 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.6",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "body-parser": "^2.2.2",
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.4",
-    "better-auth": "1.7.0-beta.4"
+    "@better-auth/core": "1.7.0-beta.5",
+    "better-auth": "1.7.0-beta.5"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.4",
-    "better-auth": "^1.7.0-beta.4"
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.7.0-beta.5",
+    "better-auth": "^1.7.0-beta.5"
   },
   "scripts": {
     "build": "tsdown",