@hammadj/better-auth-sso 1.5.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/.turbo/turbo-build.log +116 -0
  2. package/LICENSE.md +20 -0
  3. package/dist/client.d.mts +10 -0
  4. package/dist/client.mjs +15 -0
  5. package/dist/client.mjs.map +1 -0
  6. package/dist/index.d.mts +738 -0
  7. package/dist/index.mjs +2953 -0
  8. package/dist/index.mjs.map +1 -0
  9. package/package.json +87 -0
  10. package/src/client.ts +29 -0
  11. package/src/constants.ts +58 -0
  12. package/src/domain-verification.test.ts +551 -0
  13. package/src/index.ts +265 -0
  14. package/src/linking/index.ts +2 -0
  15. package/src/linking/org-assignment.test.ts +325 -0
  16. package/src/linking/org-assignment.ts +176 -0
  17. package/src/linking/types.ts +10 -0
  18. package/src/oidc/discovery.test.ts +1157 -0
  19. package/src/oidc/discovery.ts +494 -0
  20. package/src/oidc/errors.ts +92 -0
  21. package/src/oidc/index.ts +31 -0
  22. package/src/oidc/types.ts +219 -0
  23. package/src/oidc.test.ts +688 -0
  24. package/src/providers.test.ts +1326 -0
  25. package/src/routes/domain-verification.ts +275 -0
  26. package/src/routes/providers.ts +565 -0
  27. package/src/routes/schemas.ts +96 -0
  28. package/src/routes/sso.ts +2750 -0
  29. package/src/saml/algorithms.test.ts +449 -0
  30. package/src/saml/algorithms.ts +338 -0
  31. package/src/saml/assertions.test.ts +239 -0
  32. package/src/saml/assertions.ts +62 -0
  33. package/src/saml/index.ts +13 -0
  34. package/src/saml/parser.ts +56 -0
  35. package/src/saml-state.ts +78 -0
  36. package/src/saml.test.ts +4319 -0
  37. package/src/types.ts +365 -0
  38. package/src/utils.test.ts +103 -0
  39. package/src/utils.ts +81 -0
  40. package/tsconfig.json +14 -0
  41. package/tsdown.config.ts +9 -0
  42. package/vitest.config.ts +3 -0
package/package.json ADDED
@@ -0,0 +1,87 @@
1
+ {
2
+ "name": "@hammadj/better-auth-sso",
3
+ "author": "Bereket Engida",
4
+ "version": "1.5.0-beta.9",
5
+ "type": "module",
6
+ "main": "dist/index.mjs",
7
+ "types": "dist/index.d.mts",
8
+ "homepage": "https://www.better-auth.com/docs/plugins/sso",
9
+ "repository": {
10
+ "type": "git",
11
+ "url": "git+https://github.com/META-DREAMER/better-auth.git",
12
+ "directory": "packages/sso"
13
+ },
14
+ "license": "MIT",
15
+ "keywords": [
16
+ "sso",
17
+ "auth",
18
+ "sso",
19
+ "saml",
20
+ "oauth",
21
+ "oidc",
22
+ "openid",
23
+ "openid connect",
24
+ "openid connect",
25
+ "single sign on"
26
+ ],
27
+ "publishConfig": {
28
+ "access": "public"
29
+ },
30
+ "module": "dist/index.mjs",
31
+ "description": "SSO plugin for Better Auth",
32
+ "exports": {
33
+ ".": {
34
+ "dev-source": "./src/index.ts",
35
+ "types": "./dist/index.d.mts",
36
+ "default": "./dist/index.mjs"
37
+ },
38
+ "./client": {
39
+ "dev-source": "./src/client.ts",
40
+ "types": "./dist/client.d.mts",
41
+ "default": "./dist/client.mjs"
42
+ }
43
+ },
44
+ "typesVersions": {
45
+ "*": {
46
+ "*": [
47
+ "./dist/index.d.mts"
48
+ ],
49
+ "client": [
50
+ "./dist/client.d.mts"
51
+ ]
52
+ }
53
+ },
54
+ "dependencies": {
55
+ "@better-auth/utils": "0.3.1",
56
+ "@better-fetch/fetch": "1.1.21",
57
+ "fast-xml-parser": "^5.3.3",
58
+ "jose": "^6.1.0",
59
+ "samlify": "^2.10.2",
60
+ "zod": "^4.3.6"
61
+ },
62
+ "devDependencies": {
63
+ "@types/body-parser": "^1.19.6",
64
+ "@types/express": "^5.0.6",
65
+ "better-call": "1.2.0",
66
+ "body-parser": "^2.2.2",
67
+ "express": "^5.2.1",
68
+ "oauth2-mock-server": "^8.2.1",
69
+ "tsdown": "^0.20.1",
70
+ "@hammadj/better-auth-core": "1.5.0-beta.9",
71
+ "@hammadj/better-auth": "1.5.0-beta.9"
72
+ },
73
+ "peerDependencies": {
74
+ "@better-auth/utils": "0.3.1",
75
+ "@hammadj/better-auth-core": "1.5.0-beta.9",
76
+ "@hammadj/better-auth": "1.5.0-beta.9"
77
+ },
78
+ "scripts": {
79
+ "test": "vitest",
80
+ "coverage": "vitest run --coverage --coverage.provider=istanbul",
81
+ "lint:package": "publint run --strict",
82
+ "lint:types": "attw --profile esm-only --pack .",
83
+ "build": "tsdown",
84
+ "dev": "tsdown --watch",
85
+ "typecheck": "tsc --project tsconfig.json"
86
+ }
87
+ }
package/src/client.ts ADDED
@@ -0,0 +1,29 @@
1
+ import type { BetterAuthClientPlugin } from "better-auth/client";
2
+ import type { SSOPlugin } from "./index";
3
+
4
+ interface SSOClientOptions {
5
+ domainVerification?:
6
+ | {
7
+ enabled: boolean;
8
+ }
9
+ | undefined;
10
+ }
11
+
12
+ export const ssoClient = <CO extends SSOClientOptions>(
13
+ options?: CO | undefined,
14
+ ) => {
15
+ return {
16
+ id: "sso-client",
17
+ $InferServerPlugin: {} as SSOPlugin<{
18
+ domainVerification: {
19
+ enabled: CO["domainVerification"] extends { enabled: true }
20
+ ? true
21
+ : false;
22
+ };
23
+ }>,
24
+ pathMethods: {
25
+ "/sso/providers": "GET",
26
+ "/sso/providers/:providerId": "GET",
27
+ },
28
+ } satisfies BetterAuthClientPlugin;
29
+ };
package/src/constants.ts ADDED
@@ -0,0 +1,58 @@
1
+ /**
2
+ * SAML Constants
3
+ *
4
+ * Centralized constants for SAML SSO functionality.
5
+ */
6
+
7
+ // ============================================================================
8
+ // Key Prefixes (for verification table storage)
9
+ // ============================================================================
10
+
11
+ /** Prefix for AuthnRequest IDs used in InResponseTo validation */
12
+ export const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
13
+
14
+ /** Prefix for used Assertion IDs used in replay protection */
15
+ export const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
16
+
17
+ // ============================================================================
18
+ // Time-To-Live (TTL) Defaults
19
+ // ============================================================================
20
+
21
+ /**
22
+ * Default TTL for AuthnRequest records (5 minutes).
23
+ * This should be sufficient for most IdPs while protecting against stale requests.
24
+ */
25
+ export const DEFAULT_AUTHN_REQUEST_TTL_MS = 5 * 60 * 1000;
26
+
27
+ /**
28
+ * Default TTL for used assertion records (15 minutes).
29
+ * This should match the maximum expected NotOnOrAfter window plus clock skew.
30
+ */
31
+ export const DEFAULT_ASSERTION_TTL_MS = 15 * 60 * 1000;
32
+
33
+ /**
34
+ * Default clock skew tolerance (5 minutes).
35
+ * Allows for minor time differences between IdP and SP servers.
36
+ *
37
+ * Accommodates:
38
+ * - Network latency and processing time
39
+ * - Clock synchronization differences (NTP drift)
40
+ * - Distributed systems across timezones
41
+ */
42
+ export const DEFAULT_CLOCK_SKEW_MS = 5 * 60 * 1000;
43
+
44
+ // ============================================================================
45
+ // Size Limits (DoS Protection)
46
+ // ============================================================================
47
+
48
+ /**
49
+ * Default maximum size for SAML responses (256 KB).
50
+ * Protects against memory exhaustion from oversized SAML payloads.
51
+ */
52
+ export const DEFAULT_MAX_SAML_RESPONSE_SIZE = 256 * 1024;
53
+
54
+ /**
55
+ * Default maximum size for IdP metadata (100 KB).
56
+ * Protects against oversized metadata documents.
57
+ */
58
+ export const DEFAULT_MAX_SAML_METADATA_SIZE = 100 * 1024;