npm - @objectstack/plugin-auth - Versions diffs - 11.0.0 → 11.2.0 - Mend

@objectstack/plugin-auth 11.0.0 → 11.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.mjs CHANGED Viewed

@@ -522,7 +522,13 @@ var AUTH_SSO_PROVIDER_SCHEMA = {
     oidcConfig: "oidc_config",
     samlConfig: "saml_config",
     userId: "user_id",
-    organizationId: "organization_id"
+    organizationId: "organization_id",
+    // DNS domain-ownership proof (ADR-0024 ②). @better-auth/sso writes
+    // `domainVerified` on its `ssoProvider` model when domain verification is
+    // enabled; map it so the env can surface a verified/unverified badge. The
+    // one-time `domainVerificationToken` is NOT a provider column — it lives in
+    // the verification table and is returned only from request-domain-verification.
+    domainVerified: "domain_verified"
   }
 };
 var AUTH_SCIM_PROVIDER_SCHEMA = {
@@ -601,9 +607,36 @@ function readDisableSignUpEnv() {
 function readSsoOnlyEnv() {
   return readBooleanEnv("OS_AUTH_SSO_ONLY");
 }
+function ipv4ToInt(ip) {
+  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip.trim());
+  if (!m) return null;
+  const p = [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4])];
+  if (p.some((n) => n > 255)) return null;
+  return (p[0] << 24 >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3] >>> 0;
+}
+function ipMatchesRange(ip, range) {
+  const r = (range || "").trim();
+  if (!r) return false;
+  if (r.includes("/")) {
+    const [base, bitsStr] = r.split("/");
+    const bits = Number(bitsStr);
+    const ipInt = ipv4ToInt(ip);
+    const baseInt = ipv4ToInt(base);
+    if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) {
+      return ip.trim() === base.trim();
+    }
+    const mask = bits === 0 ? 0 : ~0 << 32 - bits >>> 0;
+    return (ipInt & mask) >>> 0 === (baseInt & mask) >>> 0;
+  }
+  return ip.trim() === r;
+}
 var AuthManager = class {
   constructor(config) {
     this.auth = null;
+    // ADR-0069 — cached "does any org require MFA" flag (per-org tightening).
+    // Refreshed lazily with a TTL so isAuthGateActive() stays synchronous + cheap.
+    this._orgMfaCache = { value: false, at: 0 };
+    this._orgMfaRefreshing = false;
     this.config = config;
     installWebContainerRequestStatePolyfill();
     if (config.authInstance) {
@@ -808,6 +841,7 @@ var AuthManager = class {
             if (candidate && (ctx?.path === "/reset-password" || ctx?.path === "/change-password")) {
               const userId = await this.resolvePasswordChangeUserId(ctx).catch(() => void 0);
               if (userId) {
+                ctx.context.__osPwChangeUserId = userId;
                 const pw = ctx?.context?.password;
                 const verify = typeof pw?.verify === "function" ? pw.verify.bind(pw) : void 0;
                 const oldHash = await this.assertPasswordNotReused(userId, candidate, verify);
@@ -947,25 +981,43 @@ var AuthManager = class {
                 succeeded = !(ctx?.context?.returned instanceof Error);
               }
               await this.recordSignInOutcome(email, succeeded);
+              if (succeeded) {
+                const uid = ctx?.context?.returned?.user?.id;
+                if (typeof uid === "string") await this.enforceConcurrentCap(uid);
+              }
             }
             return;
           }
           if (ctx?.path === "/change-password" || ctx?.path === "/reset-password") {
-            const stash = ctx?.context?.__osPwHistory;
-            if (stash?.userId) {
-              let succeeded = true;
-              try {
-                const { isAPIError } = await import("better-auth/api");
-                succeeded = !isAPIError(ctx?.context?.returned);
-              } catch {
-                succeeded = !(ctx?.context?.returned instanceof Error);
-              }
-              if (succeeded) await this.recordPasswordHistory(stash.userId, stash.oldHash);
-              delete ctx.context.__osPwHistory;
+            let succeeded;
+            try {
+              const { isAPIError } = await import("better-auth/api");
+              succeeded = !isAPIError(ctx?.context?.returned);
+            } catch {
+              succeeded = !(ctx?.context?.returned instanceof Error);
             }
+            if (succeeded) {
+              const stampId = ctx?.context?.__osPwChangeUserId;
+              if (stampId) await this.stampPasswordChangedAt(stampId);
+              const stash = ctx?.context?.__osPwHistory;
+              if (stash?.userId) await this.recordPasswordHistory(stash.userId, stash.oldHash);
+            }
+            delete ctx.context.__osPwChangeUserId;
+            delete ctx.context.__osPwHistory;
             return;
           }
           if (ctx?.path !== "/sign-up/email") return;
+          {
+            const newUserId = ctx?.context?.returned?.user?.id;
+            let signupOk;
+            try {
+              const { isAPIError } = await import("better-auth/api");
+              signupOk = !isAPIError(ctx?.context?.returned);
+            } catch {
+              signupOk = !(ctx?.context?.returned instanceof Error);
+            }
+            if (signupOk && typeof newUserId === "string") await this.stampPasswordChangedAt(newUserId);
+          }
           const ep = ctx?.context?.options?.emailAndPassword;
           if (ep && ctx.context.__osDisableSignUpOrig !== void 0) {
             ep.disableSignUp = ctx.context.__osDisableSignUpOrig;
@@ -977,7 +1029,7 @@ var AuthManager = class {
       // Auto-includes origins from OS_CORS_ORIGIN env var so CORS and CSRF stay in sync.
       ...(() => {
         const origins = [...this.config.trustedOrigins || []];
-        const corsOrigin = readEnvWithDeprecation("OS_CORS_ORIGIN", "CORS_ORIGIN");
+        const corsOrigin = readEnvWithDeprecation("OS_CORS_ORIGIN", "CORS_ORIGIN", { silent: true });
         if (corsOrigin && corsOrigin !== "*") {
           corsOrigin.split(",").map((s) => s.trim()).filter(Boolean).forEach((o) => {
             if (!origins.includes(o)) origins.push(o);
@@ -1077,12 +1129,10 @@ var AuthManager = class {
   async buildPluginList() {
     const pluginConfig = this.config.plugins ?? {};
     const plugins = [];
-    const oidcEnv = globalThis?.process?.env?.OS_OIDC_PROVIDER_ENABLED;
-    const oidcFromEnv = oidcEnv != null ? String(oidcEnv).toLowerCase() === "true" : void 0;
-    const ssoEnv = globalThis?.process?.env?.OS_SSO_ENABLED;
-    const ssoFromEnv = ssoEnv != null ? String(ssoEnv).toLowerCase() === "true" : void 0;
-    const scimEnv = globalThis?.process?.env?.OS_SCIM_ENABLED;
-    const scimFromEnv = scimEnv != null ? String(scimEnv).toLowerCase() === "true" : void 0;
+    const oidcFromEnv = readBooleanEnv("OS_OIDC_PROVIDER_ENABLED");
+    const ssoFromEnv = readBooleanEnv("OS_SSO_ENABLED");
+    const scimFromEnv = readBooleanEnv("OS_SCIM_ENABLED");
+    const ssoDomainVerifyFromEnv = readBooleanEnv("OS_SSO_DOMAIN_VERIFICATION");
     const scimEffective = scimFromEnv ?? pluginConfig.scim ?? false;
     const twoFactorFromEnv = readBooleanEnv("OS_AUTH_TWO_FACTOR");
     const hibpFromEnv = readBooleanEnv("OS_AUTH_PASSWORD_REJECT_BREACHED");
@@ -1096,6 +1146,7 @@ var AuthManager = class {
       deviceAuthorization: pluginConfig.deviceAuthorization ?? false,
       admin: pluginConfig.admin ?? scimEffective,
       sso: ssoFromEnv ?? pluginConfig.sso ?? false,
+      ssoDomainVerification: ssoDomainVerifyFromEnv ?? pluginConfig.ssoDomainVerification ?? false,
       scim: scimEffective
     };
     const { bearer } = await import("better-auth/plugins/bearer");
@@ -1179,9 +1230,8 @@ var AuthManager = class {
           // The plugin itself is always installed (so list/update/invite endpoints
           // keep responding); only the `create` operation is denied when the
           // deployment is provisioned in single-org mode. Resolution order:
-          // 1. explicit `OS_MULTI_ORG_ENABLED` (wins for backwards compat),
-          // 2. else `OS_MULTI_TENANT` (multi-tenant deployments are always
-          //    multi-org), default `'false'` → single-org / per-env runtime.
+          // `OS_MULTI_ORG_ENABLED` (default `'false'` → single-org /
+          // per-env runtime).
           beforeCreateOrganization: async () => {
             if (!resolveMultiOrgEnabled()) {
               const { APIError } = await import("better-auth/api");
@@ -1362,7 +1412,8 @@ var AuthManager = class {
     if (enabled.sso) {
       const { sso } = await import("@better-auth/sso");
       plugins.push(sso({
-        organizationProvisioning: { defaultRole: "member" }
+        organizationProvisioning: { defaultRole: "member" },
+        ...enabled.ssoDomainVerification ? { domainVerification: { enabled: true } } : {}
       }));
     }
     if (enabled.scim) {
@@ -1434,7 +1485,16 @@ var AuthManager = class {
           ...orgRoles,
           ...platformAdmin ? [BUILTIN_ROLE_PLATFORM_ADMIN] : []
         ]));
-        return { user: { ...user, roles, isPlatformAdmin: platformAdmin }, session };
+        await this.enforceSessionControls(session?.id, session?.createdAt);
+        const authGate = await this.computeAuthGate(
+          user.id,
+          session?.activeOrganizationId,
+          user?.twoFactorEnabled === true
+        );
+        return {
+          user: { ...user, roles, isPlatformAdmin: platformAdmin, ...authGate ? { authGate } : {} },
+          session
+        };
       }));
     }
     return plugins;
@@ -1464,7 +1524,7 @@ var AuthManager = class {
    * Generate a secure secret if not provided
    */
   generateSecret() {
-    const envSecret = readEnvWithDeprecation("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"]);
+    const envSecret = readEnvWithDeprecation("OS_AUTH_SECRET", ["AUTH_SECRET", "BETTER_AUTH_SECRET"], { silent: true });
     if (envSecret) return envSecret;
     if (process.env.NODE_ENV === "production") {
       throw new Error(
@@ -1739,12 +1799,28 @@ var AuthManager = class {
    * in `buildPlugins()` (`ssoFromEnv ?? pluginConfig.sso ?? false`) so the
    * advertised capability can never disagree with the actual `/sign-in/sso`
    * route. `OS_SSO_ENABLED` (when set) wins over the config-file setting.
+   * Public so `AuthPlugin` can gate the Setup-nav "SSO Providers" entry on it
+   * (captures both self-host `OS_SSO_ENABLED` and the cloud per-env
+   * `planAllowsSso` config, since that arrives via `plugins.sso`).
    */
   isSsoWired() {
-    const ssoEnv = globalThis?.process?.env?.OS_SSO_ENABLED;
-    const ssoFromEnv = ssoEnv != null ? String(ssoEnv).toLowerCase() === "true" : void 0;
+    const ssoFromEnv = readBooleanEnv("OS_SSO_ENABLED");
     return ssoFromEnv ?? this.config.plugins?.sso ?? false;
   }
+  /**
+   * Whether opt-in DNS domain-verification (ADR-0024 ②) is wired — i.e. the
+   * `/sso/request-domain-verification` + `/sso/verify-domain` endpoints are
+   * mounted (and the hard "domain must be verified to log in" gate is active).
+   * Resolved with the EXACT logic `buildPluginList` uses for the `sso()`
+   * `domainVerification.enabled` option, so the bridge can return a clear
+   * "not enabled for this environment" instead of a bare 404 when off.
+   * Implies `isSsoWired()` (the sso plugin must be loaded to honor it).
+   */
+  isSsoDomainVerificationEnabled() {
+    if (!this.isSsoWired()) return false;
+    const fromEnv = readBooleanEnv("OS_SSO_DOMAIN_VERIFICATION");
+    return fromEnv ?? this.config.plugins?.ssoDomainVerification ?? false;
+  }
   /**
    * Whether enterprise SSO is actually *usable*, not merely wired: the plugin
    * is on AND at least one `sys_sso_provider` row exists. Per-email domain→IdP
@@ -2004,6 +2080,119 @@ var AuthManager = class {
       });
     }
   }
+  /**
+   * ADR-0069 — is any authentication-policy gate enabled? Cheap, synchronous;
+   * lets the transport seams skip session lookups entirely when off (the
+   * default), keeping the gate zero-overhead until an admin opts in.
+   */
+  isAuthGateActive() {
+    this.refreshOrgMfaCacheIfStale();
+    return Math.floor(Number(this.config.passwordExpiryDays) || 0) > 0 || this.config.mfaRequired === true || this._orgMfaCache.value;
+  }
+  /**
+   * ADR-0069 — refresh the "any org requires MFA" cache in the background when
+   * stale (60s TTL). Fire-and-forget: a brand-new per-org requirement activates
+   * the gate on the next request, never blocking this one. No-op when global MFA
+   * is already on (the gate is active regardless).
+   */
+  refreshOrgMfaCacheIfStale() {
+    if (this.config.mfaRequired === true) return;
+    if (this._orgMfaRefreshing) return;
+    if (Date.now() - this._orgMfaCache.at < 6e4) return;
+    const engine = this.getDataEngine();
+    if (!engine) return;
+    this._orgMfaRefreshing = true;
+    void (async () => {
+      try {
+        const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+        const n = await engine.count("sys_organization", {
+          where: { require_mfa: true },
+          context: SYSTEM_CTX
+        });
+        this._orgMfaCache = { value: typeof n === "number" && n > 0, at: Date.now() };
+      } catch {
+      } finally {
+        this._orgMfaRefreshing = false;
+      }
+    })();
+  }
+  /**
+   * ADR-0069 — compute the auth-policy gate posture for a session. Returns an
+   * `{ code, message }` when the user is currently blocked (e.g. password
+   * expired), else undefined. No-op (and no DB read) when no gate feature is
+   * enabled. Fails OPEN on any lookup error — a transient hiccup must never lock
+   * a compliant user out.
+   */
+  async computeAuthGate(userId, _activeOrgId, _twoFactorEnabledHint) {
+    const expiryDays = Math.floor(Number(this.config.passwordExpiryDays) || 0);
+    const mfaGlobal = this.config.mfaRequired === true;
+    const orgMaybeRequires = !mfaGlobal && !!_activeOrgId && this._orgMfaCache.value;
+    if (expiryDays <= 0 && !mfaGlobal && !orgMaybeRequires) return void 0;
+    const engine = this.getDataEngine();
+    if (!engine || !userId) return void 0;
+    try {
+      const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+      const u = await engine.findOne("sys_user", {
+        where: { id: userId },
+        fields: ["password_changed_at", "two_factor_enabled", "mfa_required_at"],
+        context: SYSTEM_CTX
+      });
+      let mfaRequired = mfaGlobal;
+      if (!mfaRequired && orgMaybeRequires) {
+        const org = await engine.findOne("sys_organization", {
+          where: { id: _activeOrgId },
+          fields: ["require_mfa"],
+          context: SYSTEM_CTX
+        });
+        mfaRequired = org?.require_mfa === true || org?.require_mfa === 1;
+      }
+      if (expiryDays > 0) {
+        const changed = u?.password_changed_at;
+        if (changed && Date.now() - new Date(changed).getTime() > expiryDays * 864e5) {
+          return {
+            code: "PASSWORD_EXPIRED",
+            message: "Your password has expired. Please change it to continue."
+          };
+        }
+      }
+      if (mfaRequired && !(u?.two_factor_enabled === true || u?.two_factor_enabled === 1)) {
+        const graceDays = Math.max(0, Math.floor(Number(this.config.mfaGracePeriodDays ?? 7)));
+        let requiredAt = u?.mfa_required_at;
+        if (!requiredAt) {
+          requiredAt = /* @__PURE__ */ new Date();
+          engine.update("sys_user", { id: userId, mfa_required_at: requiredAt }, { context: SYSTEM_CTX }).catch(() => void 0);
+        }
+        const elapsedMs = Date.now() - new Date(requiredAt).getTime();
+        if (elapsedMs > graceDays * 864e5) {
+          return {
+            code: "MFA_REQUIRED",
+            message: "Multi-factor authentication is required. Please set up an authenticator app to continue."
+          };
+        }
+      }
+    } catch {
+      return void 0;
+    }
+    return void 0;
+  }
+  /**
+   * ADR-0069 D1 — stamp `sys_user.password_changed_at = now` after a password is
+   * set (sign-up / change / reset). Best-effort; never throws. Written as a Date
+   * (never epoch-ms) per ADR-0074.
+   */
+  async stampPasswordChangedAt(userId) {
+    const engine = this.getDataEngine();
+    if (!engine || !userId) return;
+    try {
+      const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+      await engine.update(
+        "sys_user",
+        { id: userId, password_changed_at: /* @__PURE__ */ new Date() },
+        { context: SYSTEM_CTX }
+      );
+    } catch {
+    }
+  }
   /**
    * ADR-0069 D1 — parse the bounded `previous_password_hashes` JSON column into
    * a string[] of hashes, tolerating null / malformed values.
@@ -2220,6 +2409,96 @@ var AuthManager = class {
     );
     return true;
   }
+  /**
+   * ADR-0069 D4 — idle / absolute session enforcement, run per request from
+   * `customSession`. No-op when both are off. Revokes (expires in place +
+   * stamps revoked_at/revoke_reason) when a limit is exceeded so better-auth
+   * returns no session on the NEXT request; otherwise touches `last_activity_at`
+   * (throttled to once a minute). Best-effort — never throws.
+   */
+  async enforceSessionControls(sessionId, createdAtHint) {
+    const idleMin = Math.floor(Number(this.config.sessionIdleTimeoutMinutes) || 0);
+    const absHrs = Math.floor(Number(this.config.sessionAbsoluteMaxHours) || 0);
+    if (idleMin <= 0 && absHrs <= 0) return;
+    const engine = this.getDataEngine();
+    if (!engine || !sessionId) return;
+    try {
+      const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+      const srow = await engine.findOne("sys_session", {
+        where: { id: sessionId },
+        fields: ["id", "created_at", "last_activity_at", "revoked_at"],
+        context: SYSTEM_CTX
+      });
+      if (!srow?.id || srow.revoked_at) return;
+      const now = Date.now();
+      let reason;
+      if (absHrs > 0) {
+        const created = srow.created_at ?? createdAtHint;
+        if (created && now - new Date(created).getTime() > absHrs * 36e5) reason = "absolute_max";
+      }
+      if (!reason && idleMin > 0) {
+        const last = srow.last_activity_at ?? srow.created_at ?? createdAtHint;
+        if (last && now - new Date(last).getTime() > idleMin * 6e4) reason = "idle_timeout";
+      }
+      if (reason) {
+        await engine.update(
+          "sys_session",
+          { id: sessionId, expires_at: new Date(now - 1e3), revoked_at: new Date(now), revoke_reason: reason },
+          { context: SYSTEM_CTX }
+        ).catch(() => void 0);
+        return;
+      }
+      if (idleMin > 0) {
+        const la = srow.last_activity_at ? new Date(srow.last_activity_at).getTime() : 0;
+        if (now - la > 6e4) {
+          await engine.update("sys_session", { id: sessionId, last_activity_at: new Date(now) }, { context: SYSTEM_CTX }).catch(() => void 0);
+        }
+      }
+    } catch {
+    }
+  }
+  /**
+   * ADR-0069 D4 — concurrent-session cap, run from the sign-in after-hook.
+   * Keeps the newest `maxConcurrentSessions` live sessions for the user and
+   * revokes the rest (oldest first). No-op when off. Best-effort.
+   */
+  async enforceConcurrentCap(userId) {
+    const cap = Math.floor(Number(this.config.maxConcurrentSessions) || 0);
+    if (cap <= 0 || !userId) return;
+    const engine = this.getDataEngine();
+    if (!engine) return;
+    try {
+      const SYSTEM_CTX = { isSystem: true, roles: [], permissions: [] };
+      const rows = await engine.find("sys_session", {
+        where: { user_id: userId },
+        fields: ["id", "created_at", "expires_at", "revoked_at"],
+        limit: 200,
+        context: SYSTEM_CTX
+      });
+      const now = Date.now();
+      const live = (Array.isArray(rows) ? rows : []).filter((sn) => !sn.revoked_at && (!sn.expires_at || new Date(sn.expires_at).getTime() > now)).sort((a, b) => new Date(b.created_at ?? 0).getTime() - new Date(a.created_at ?? 0).getTime());
+      for (const sn of live.slice(cap)) {
+        await engine.update(
+          "sys_session",
+          { id: sn.id, expires_at: new Date(now - 1e3), revoked_at: new Date(now), revoke_reason: "concurrent_cap" },
+          { context: SYSTEM_CTX }
+        ).catch(() => void 0);
+      }
+    } catch {
+    }
+  }
+  /**
+   * ADR-0069 D5 — is `ip` within the configured allow-list? True (allow) when no
+   * ranges are configured, OR when the IP can't be determined (fail-open so a
+   * misconfigured proxy never locks everyone out — an admin enabling this must
+   * ensure forwarded headers are trusted). Supports IPv4 CIDR + exact IPv4/IPv6.
+   */
+  isClientIpAllowed(ip) {
+    const ranges = this.config.allowedIpRanges;
+    if (!ranges || ranges.length === 0) return true;
+    if (!ip) return true;
+    return ranges.some((r) => ipMatchesRange(ip, r));
+  }
   /**
    * Returns the data engine wired into this auth manager. Used by route
    * handlers (e.g. bootstrap-status) that need to query identity tables
@@ -2261,6 +2540,283 @@ function mapSetPasswordError(error) {
   return { status, body: { success: false, error: { code, message } } };
 }
+// src/register-sso-provider.ts
+async function resolveActiveOrganizationId(handle, registerUrl, headers) {
+  try {
+    const sessionUrl = registerUrl.replace(/\/sso\/register$/, "/get-session");
+    if (sessionUrl === registerUrl) return void 0;
+    const h = new Headers({ accept: "application/json" });
+    const cookie = headers.get("cookie");
+    if (cookie) h.set("cookie", cookie);
+    const authz = headers.get("authorization");
+    if (authz) h.set("authorization", authz);
+    const resp = await handle(new Request(sessionUrl, { method: "GET", headers: h }));
+    if (!resp.ok) return void 0;
+    const data = await resp.json().catch(() => null);
+    const org = data?.session?.activeOrganizationId ?? data?.activeOrganizationId;
+    return typeof org === "string" && org.length > 0 ? org : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function runRegisterSsoProviderFromForm(handle, request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+  const str = (v) => typeof v === "string" ? v.trim() : "";
+  const providerId = str(body?.providerId);
+  const issuer = str(body?.issuer);
+  const domain = str(body?.domain);
+  const clientId = str(body?.clientId);
+  const clientSecret = str(body?.clientSecret);
+  const discoveryEndpoint = str(body?.discoveryEndpoint);
+  const scopesRaw = str(body?.scopes);
+  const missing = [
+    ["providerId", providerId],
+    ["issuer", issuer],
+    ["domain", domain],
+    ["clientId", clientId],
+    ["clientSecret", clientSecret]
+  ].filter(([, v]) => !v).map(([k]) => k);
+  if (missing.length) {
+    return {
+      status: 400,
+      body: { success: false, error: { code: "invalid_request", message: `Missing required field(s): ${missing.join(", ")}` } }
+    };
+  }
+  const oidcConfig = { clientId, clientSecret };
+  if (discoveryEndpoint) oidcConfig.discoveryEndpoint = discoveryEndpoint;
+  oidcConfig.scopes = scopesRaw ? scopesRaw.split(/[\s,]+/).filter(Boolean) : ["openid", "email", "profile"];
+  oidcConfig.mapping = {
+    id: str(body?.mapId) || "sub",
+    email: str(body?.mapEmail) || "email",
+    name: str(body?.mapName) || "name"
+  };
+  let innerUrl;
+  let origin;
+  try {
+    const url = new URL(request.url);
+    origin = url.origin;
+    innerUrl = `${origin}${url.pathname.replace(/\/admin\/sso\/register$/, "/sso/register")}`;
+  } catch {
+    return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Bad request URL" } } };
+  }
+  const headers = new Headers({ "content-type": "application/json" });
+  const cookie = request.headers.get("cookie");
+  if (cookie) headers.set("cookie", cookie);
+  const authz = request.headers.get("authorization");
+  if (authz) headers.set("authorization", authz);
+  headers.set("origin", request.headers.get("origin") || origin);
+  const organizationId = await resolveActiveOrganizationId(handle, innerUrl, headers);
+  const innerReq = new Request(innerUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ providerId, issuer, domain, oidcConfig, ...organizationId ? { organizationId } : {} })
+  });
+  const resp = await handle(innerReq);
+  let parsed = {};
+  try {
+    const t = await resp.text();
+    parsed = t ? JSON.parse(t) : {};
+  } catch {
+    parsed = {};
+  }
+  if (!resp.ok) {
+    return {
+      status: resp.status,
+      body: { success: false, error: { code: "sso_register_failed", message: parsed?.message || "SSO provider registration failed" } }
+    };
+  }
+  return { status: 200, body: { success: true, data: { providerId: parsed?.providerId ?? providerId } } };
+}
+async function runRegisterSamlProviderFromForm(handle, request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+  const str = (v) => typeof v === "string" ? v.trim() : "";
+  const providerId = str(body?.providerId);
+  const issuer = str(body?.issuer);
+  const domain = str(body?.domain);
+  const entryPoint = str(body?.entryPoint);
+  const cert = str(body?.cert);
+  const identifierFormat = str(body?.identifierFormat);
+  const missing = [
+    ["providerId", providerId],
+    ["issuer", issuer],
+    ["domain", domain],
+    ["entryPoint", entryPoint],
+    ["cert", cert]
+  ].filter(([, v]) => !v).map(([k]) => k);
+  if (missing.length) {
+    return { status: 400, body: { success: false, error: { code: "invalid_request", message: `Missing required field(s): ${missing.join(", ")}` } } };
+  }
+  let origin;
+  let prefix;
+  let innerUrl;
+  try {
+    const url = new URL(request.url);
+    origin = url.origin;
+    prefix = url.pathname.replace(/\/admin\/sso\/register-saml$/, "");
+    innerUrl = `${origin}${prefix}/sso/register`;
+  } catch {
+    return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Bad request URL" } } };
+  }
+  const acsUrl = `${origin}${prefix}/sso/saml2/sp/acs/${encodeURIComponent(providerId)}`;
+  const spMetadataUrl = `${origin}${prefix}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(providerId)}`;
+  const samlConfig = {
+    entryPoint,
+    cert,
+    callbackUrl: acsUrl,
+    // better-auth requires an SP descriptor (its inner fields are optional). Use
+    // the SP metadata URL as our EntityID — the value the IdP keys this SP on.
+    spMetadata: { entityID: spMetadataUrl }
+  };
+  if (identifierFormat) samlConfig.identifierFormat = identifierFormat;
+  const headers = new Headers({ "content-type": "application/json" });
+  const cookie = request.headers.get("cookie");
+  if (cookie) headers.set("cookie", cookie);
+  const authz = request.headers.get("authorization");
+  if (authz) headers.set("authorization", authz);
+  headers.set("origin", request.headers.get("origin") || origin);
+  const organizationId = await resolveActiveOrganizationId(handle, innerUrl, headers);
+  const innerReq = new Request(innerUrl, {
+    method: "POST",
+    headers,
+    body: JSON.stringify({ providerId, issuer, domain, samlConfig, ...organizationId ? { organizationId } : {} })
+  });
+  const resp = await handle(innerReq);
+  let parsed = {};
+  try {
+    const t = await resp.text();
+    parsed = t ? JSON.parse(t) : {};
+  } catch {
+    parsed = {};
+  }
+  if (!resp.ok) {
+    return { status: resp.status, body: { success: false, error: { code: "saml_register_failed", message: parsed?.message || "SAML provider registration failed" } } };
+  }
+  return { status: 200, body: { success: true, data: { providerId: parsed?.providerId ?? providerId }, acsUrl, spMetadataUrl } };
+}
+var SSO_DOMAIN_TOKEN_PREFIX = "better-auth-token";
+function bareHostname(domain) {
+  let d = domain.trim();
+  if (!d) return d;
+  const schemeIdx = d.indexOf("://");
+  if (schemeIdx !== -1) {
+    try {
+      return new URL(d).hostname;
+    } catch {
+      d = d.slice(schemeIdx + 3);
+    }
+  }
+  for (const sep of ["/", ":", "?", "#"]) {
+    const i = d.indexOf(sep);
+    if (i !== -1) d = d.slice(0, i);
+  }
+  return d;
+}
+function rewriteSsoAdminUrl(request, fromSuffix, toPath) {
+  try {
+    const url = new URL(request.url);
+    return { origin: url.origin, innerUrl: `${url.origin}${url.pathname.replace(fromSuffix, toPath)}` };
+  } catch {
+    return null;
+  }
+}
+function forwardAuthHeaders(request, origin) {
+  const headers = new Headers({ "content-type": "application/json" });
+  const cookie = request.headers.get("cookie");
+  if (cookie) headers.set("cookie", cookie);
+  const authz = request.headers.get("authorization");
+  if (authz) headers.set("authorization", authz);
+  headers.set("origin", request.headers.get("origin") || origin);
+  return headers;
+}
+async function runRequestDomainVerification(handle, request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+  const str = (v) => typeof v === "string" ? v.trim() : "";
+  const providerId = str(body?.providerId);
+  const domain = bareHostname(str(body?.domain));
+  if (!providerId) {
+    return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Missing required field: providerId" } } };
+  }
+  const rw = rewriteSsoAdminUrl(request, /\/admin\/sso\/request-domain-verification$/, "/sso/request-domain-verification");
+  if (!rw) return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Bad request URL" } } };
+  const headers = forwardAuthHeaders(request, rw.origin);
+  const resp = await handle(new Request(rw.innerUrl, { method: "POST", headers, body: JSON.stringify({ providerId }) }));
+  let parsed = {};
+  try {
+    const t = await resp.text();
+    parsed = t ? JSON.parse(t) : {};
+  } catch {
+    parsed = {};
+  }
+  if (!resp.ok) {
+    if (resp.status === 404 && !parsed?.code) {
+      return { status: 400, body: { success: false, error: { code: "domain_verification_disabled", message: "Domain verification is not enabled for this environment (set OS_SSO_DOMAIN_VERIFICATION)." } } };
+    }
+    return { status: resp.status, body: { success: false, error: { code: parsed?.code || "request_domain_verification_failed", message: parsed?.message || "Failed to request domain verification" } } };
+  }
+  const token = str(parsed?.domainVerificationToken);
+  const label = `_${SSO_DOMAIN_TOKEN_PREFIX}-${providerId}`;
+  const dnsRecordName = domain ? `${label}.${domain}` : label;
+  const dnsRecordValue = `${label}=${token}`;
+  return {
+    status: 200,
+    body: {
+      success: true,
+      data: { providerId, domain, token, dnsRecordType: "TXT", dnsRecordName, dnsRecordValue }
+    }
+  };
+}
+async function runVerifyDomain(handle, request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    body = {};
+  }
+  const str = (v) => typeof v === "string" ? v.trim() : "";
+  const providerId = str(body?.providerId);
+  if (!providerId) {
+    return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Missing required field: providerId" } } };
+  }
+  const rw = rewriteSsoAdminUrl(request, /\/admin\/sso\/verify-domain$/, "/sso/verify-domain");
+  if (!rw) return { status: 400, body: { success: false, error: { code: "invalid_request", message: "Bad request URL" } } };
+  const headers = forwardAuthHeaders(request, rw.origin);
+  const resp = await handle(new Request(rw.innerUrl, { method: "POST", headers, body: JSON.stringify({ providerId }) }));
+  let parsed = {};
+  try {
+    const t = await resp.text();
+    parsed = t ? JSON.parse(t) : {};
+  } catch {
+    parsed = {};
+  }
+  if (resp.ok) {
+    return { status: 200, body: { success: true, data: { providerId, verified: true, message: "Domain ownership verified \u2014 this provider can now sign users in." } } };
+  }
+  let message = parsed?.message || "Domain verification failed";
+  if (resp.status === 404 && !parsed?.code) {
+    message = "Domain verification is not enabled for this environment (set OS_SSO_DOMAIN_VERIFICATION).";
+  } else if (parsed?.code === "NO_PENDING_VERIFICATION") {
+    message = "No pending verification \u2014 click \u201CRequest Domain Verification\u201D first to get the DNS record.";
+  } else if (parsed?.code === "DOMAIN_VERIFICATION_FAILED") {
+    message = "DNS TXT record not found yet. Add the record shown when you requested verification, allow time for DNS to propagate, then retry.";
+  }
+  return { status: resp.status, body: { success: false, error: { code: parsed?.code || "verify_domain_failed", message } } };
+}
 // src/manifest.ts
 import {
   SysAccount,
@@ -2399,7 +2955,33 @@ var AuthPlugin = class {
       // source of truth.
       dashboards: [SystemOverviewDashboard],
       // ADR-0021 — datasets backing the System Overview dashboard's widgets.
-      datasets: SystemOverviewDatasets
+      datasets: SystemOverviewDatasets,
+      // ADR-0024 / cloud#551 — surface "SSO Providers" (sys_sso_provider) in the
+      // Setup app's Access Control group, but ONLY when the external-IdP RP is
+      // wired (self-host `OS_SSO_ENABLED`, or the cloud per-env `planAllowsSso`
+      // arriving via `plugins.sso`). Without the gate the entry would render an
+      // empty list + a "Register" button whose endpoint 404s when SSO is off.
+      // Owning-plugin-contributes pattern (ADR-0029 K2), mirroring plugin-security.
+      ...this.authManager.isSsoWired() ? {
+        navigationContributions: [
+          {
+            app: "setup",
+            group: "group_access_control",
+            // After Roles/Permission-Sets (100) and Sharing (200), near API Keys (300).
+            priority: 250,
+            items: [
+              {
+                id: "nav_sso_providers",
+                type: "object",
+                label: "SSO Providers",
+                objectName: "sys_sso_provider",
+                icon: "log-in",
+                requiredPermissions: ["manage_platform_settings"]
+              }
+            ]
+          }
+        ]
+      } : {}
     });
     ctx.logger.info("Auth Plugin initialized successfully");
   }
@@ -2624,6 +3206,24 @@ var AuthPlugin = class {
           const n = Math.floor(Number(values.password_history_count));
           if (Number.isFinite(n) && n >= 0) patch.passwordHistoryCount = Math.min(24, n);
         }
+        if (isExplicit("password_expiry_days")) {
+          const n = Math.floor(Number(values.password_expiry_days));
+          if (Number.isFinite(n) && n >= 0) patch.passwordExpiryDays = Math.min(3650, n);
+        }
+        if (isExplicit("mfa_required")) {
+          const on = asBoolean(values.mfa_required, false);
+          patch.mfaRequired = on;
+          if (on) {
+            patch.plugins = {
+              ...patch.plugins ?? {},
+              twoFactor: true
+            };
+          }
+        }
+        if (isExplicit("mfa_grace_period_days")) {
+          const n = Math.floor(Number(values.mfa_grace_period_days));
+          if (Number.isFinite(n) && n >= 0) patch.mfaGracePeriodDays = Math.min(90, n);
+        }
         const session = {};
         if (isExplicit("session_expiry_days")) {
           const d = asPositiveInt(values.session_expiry_days);
@@ -2636,6 +3236,26 @@ var AuthPlugin = class {
         if (Object.keys(session).length > 0) {
           patch.session = session;
         }
+        const asNonNeg = (v) => {
+          const n = Math.floor(Number(v));
+          return Number.isFinite(n) && n >= 0 ? n : void 0;
+        };
+        if (isExplicit("session_idle_timeout_minutes")) {
+          const n = asNonNeg(values.session_idle_timeout_minutes);
+          if (n !== void 0) patch.sessionIdleTimeoutMinutes = n;
+        }
+        if (isExplicit("session_absolute_max_hours")) {
+          const n = asNonNeg(values.session_absolute_max_hours);
+          if (n !== void 0) patch.sessionAbsoluteMaxHours = n;
+        }
+        if (isExplicit("max_concurrent_sessions_per_user")) {
+          const n = asNonNeg(values.max_concurrent_sessions_per_user);
+          if (n !== void 0) patch.maxConcurrentSessions = n;
+        }
+        if (isExplicit("allowed_ip_ranges")) {
+          const raw = asTrimmedString(values.allowed_ip_ranges) ?? "";
+          patch.allowedIpRanges = raw.split(/[\n,]+/).map((r) => r.trim()).filter(Boolean);
+        }
         const asNonNegativeInt = (value) => {
           const n = Math.floor(Number(value));
           return Number.isFinite(n) && n >= 0 ? n : void 0;
@@ -2784,6 +3404,21 @@ var AuthPlugin = class {
       );
     }
     const rawApp = httpServer.getRawApp();
+    if (typeof rawApp.use === "function") rawApp.use(`${basePath}/*`, async (c, next) => {
+      const mgr = this.authManager;
+      if (!mgr || typeof mgr.isClientIpAllowed !== "function") return next();
+      const path = c.req.path || "";
+      if (path.endsWith("/config") || path.endsWith("/bootstrap-status")) return next();
+      const fwd = c.req.header("x-forwarded-for");
+      const ip = typeof fwd === "string" && fwd.split(",")[0].trim() || c.req.header("cf-connecting-ip") || c.req.header("x-real-ip") || void 0;
+      if (!mgr.isClientIpAllowed(ip)) {
+        return c.json(
+          { success: false, error: { code: "IP_NOT_ALLOWED", message: "Sign-in is not allowed from your network." } },
+          403
+        );
+      }
+      return next();
+    });
     rawApp.get(`${basePath}/config`, async (c) => {
       try {
         const config = this.authManager.getPublicConfig();
@@ -2875,6 +3510,19 @@ var AuthPlugin = class {
         return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
       }
     });
+    rawApp.post(`${basePath}/admin/sso/register`, async (c) => {
+      try {
+        const { status, body } = await runRegisterSsoProviderFromForm(
+          (req) => this.authManager.handleRequest(req),
+          c.req.raw
+        );
+        return c.json(body, status);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] sso/register bridge failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
     rawApp.post(`${basePath}/admin/unlock-user`, async (c) => {
       try {
         let body = {};
@@ -2908,6 +3556,45 @@ var AuthPlugin = class {
         return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
       }
     });
+    rawApp.post(`${basePath}/admin/sso/register-saml`, async (c) => {
+      try {
+        const { status, body } = await runRegisterSamlProviderFromForm(
+          (req) => this.authManager.handleRequest(req),
+          c.req.raw
+        );
+        return c.json(body, status);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] sso/register-saml bridge failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
+    rawApp.post(`${basePath}/admin/sso/request-domain-verification`, async (c) => {
+      try {
+        const { status, body } = await runRequestDomainVerification(
+          (req) => this.authManager.handleRequest(req),
+          c.req.raw
+        );
+        return c.json(body, status);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] sso/request-domain-verification bridge failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
+    rawApp.post(`${basePath}/admin/sso/verify-domain`, async (c) => {
+      try {
+        const { status, body } = await runVerifyDomain(
+          (req) => this.authManager.handleRequest(req),
+          c.req.raw
+        );
+        return c.json(body, status);
+      } catch (error) {
+        const err = error instanceof Error ? error : new Error(String(error));
+        ctx.logger.error("[AuthPlugin] sso/verify-domain bridge failed", err);
+        return c.json({ success: false, error: { code: "internal", message: err.message } }, 500);
+      }
+    });
     rawApp.post(`${basePath}/sys-oauth-application/register`, async (c) => {
       try {
         let body = {};
@@ -3073,8 +3760,13 @@ export {
   buildTwoFactorPluginSchema,
   createObjectQLAdapter,
   createObjectQLAdapterFactory,
+  ipMatchesRange,
   resolveProtocolName,
+  runRegisterSamlProviderFromForm,
+  runRegisterSsoProviderFromForm,
+  runRequestDomainVerification,
   runSetInitialPassword,
+  runVerifyDomain,
   withSystemReadContext
 };
 //# sourceMappingURL=index.mjs.map