Files
better-auth/packages/sso/CHANGELOG.md
2026-05-31 12:41:17 +01:00

27 KiB

@better-auth/sso

1.6.13

Patch Changes

  • #9818 43c08a2 Thanks @gustavovalverde! - Fix SAML Single Logout leaving the user signed in. The logout handlers passed the session row id to a delete that matches on the session token, so the session was never removed. The stored SAML session record now carries the session token, and all three logout paths revoke the session by token.

  • #9821 4c3bbc4 Thanks @gustavovalverde! - Fix a high-severity XML injection in signed SAML assertions (GHSA-34r5-q4jw-r36m) by updating samlify from 2.10.2 to 2.13.1. A crafted AttributeValue could escalate privileges.

    samlify 2.11 replaced node-forge with Node's native crypto, which parses private keys through OpenSSL 3 and rejects PEM blocks that carry leading whitespace. SAML private keys are now normalized before they reach samlify, so a key pasted with indentation (for example from an indented YAML or JSON config) keeps loading.

    IdP-initiated Single Logout now derives its response from the parsed logout request, which fixes response generation under samlify 2.13. When mapping SAML attributes to user fields, a multi-valued attribute is read by its first value.

  • Updated dependencies [d3919dc, 5f282bd, 43c08a2, 43c08a2, be32012, 87c1a0c, 5c3e248, 9c8ded6, 23d7cbf]:

    • better-auth@1.6.13
    • @better-auth/core@1.6.13

1.6.12

Patch Changes

1.6.11

Patch Changes

  • #9220 86765f1 Thanks @stewartjarod! - fix(sso): require org admin role to register SSO providers

    POST /sso/register previously allowed any organization member to register an SSO provider for the organization when organizationId was supplied, only checking membership and not role. This brings it in line with the other provider endpoints (get/update/delete), which go through checkProviderAccessisOrgAdmin and restrict access to owner or admin roles.

    Closes #9133.

  • #9574 37f60cb Thanks @gustavovalverde! - fix(sso): validate user-supplied OIDC endpoint URLs at provider registration and update

    When skipDiscovery: true was passed to POST /sso/register, or any oidcConfig URL was passed to POST /sso/update-provider, the supplied authorizationEndpoint, tokenEndpoint, userInfoEndpoint, jwksEndpoint, and discoveryEndpoint values were persisted on the provider row without origin validation, then fetched server-side at OIDC callback time. An authenticated user could register or update an SSO provider with internal URLs (RFC 1918, link-local, cloud-metadata FQDNs like 169.254.169.254, loopback) and use the callback handler to coerce the server into making requests to those hosts.

    Both endpoints now run user-supplied OIDC URLs through a layered gate:

    1. URL parsing + http(s) scheme requirement
    2. isPublicRoutableHost from @better-auth/core/utils/host (rejects loopback, RFC 1918, link-local, ULA, cloud-metadata FQDNs, multicast, broadcast, and reserved ranges per RFC 6890)
    3. trustedOrigins allowlist as the documented escape hatch for customers running internal IdPs on private networks

    A request that fails the gate is rejected with BAD_REQUEST and the new discovery_private_host error code (or discovery_invalid_url for malformed URLs / non-http(s) schemes).

  • Updated dependencies [0cbddb8, a26333b, 99a254a, ee93485, 5f09d56, b4bc65a, da7e50b, a1c9f3c, 23094a6, 142b86c, 1f2ff42, b0ef96f, 699b09a, e21d744]:

    • @better-auth/core@1.6.11
    • better-auth@1.6.11

1.6.10

Patch Changes

1.6.9

Patch Changes

  • Updated dependencies [815ecf6]:
    • @better-auth/core@1.6.9
    • better-auth@1.6.9

1.6.8

Patch Changes

  • Updated dependencies [856ab24, 9aa8e63]:
    • better-auth@1.6.8
    • @better-auth/core@1.6.8

1.6.7

Patch Changes

1.6.6

Patch Changes

1.6.5

Patch Changes

  • Updated dependencies [938dd80, 0538627]:
    • better-auth@1.6.5
    • @better-auth/core@1.6.5

1.6.4

Patch Changes

1.6.3

Patch Changes

  • #9097 52c4751 Thanks @gustavovalverde! - fix(sso): unify SAML response processing and fix provider/config bugs

    Bug fixes:

    • Fix SP metadata endpoint using internal row ID instead of providerId in ACS URL
    • Fix acsEndpoint skipping DB provider lookup when defaultSSO is configured
    • Fix acsEndpoint missing encryption fields (isAssertionEncrypted, encPrivateKey), which caused silent decryption failures
    • Fix defaultSSO config parsing in callback path (safeJsonParse on already-parsed objects)
    • Fix createSP missing callbackUrl fallback to auto-generated ACS URL
    • Complete createSP/createIdP helpers with all encryption and signing fields

    Behavioral changes:

    • ACS error redirect query parameters now use uppercase error codes (e.g. error=SAML_MULTIPLE_ASSERTIONS instead of error=multiple_assertions). If your application parses these error codes from the redirect URL, update the expected values.
    • SAML provider registration now rejects configs with no usable IdP entry point (no valid entryPoint URL, no idpMetadata.metadata, and no idpMetadata.singleSignOnService). Previously these would register successfully but fail at sign-in.
    • entryPoint validation tightened from startsWith("http") to new URL() parsing, rejecting malformed URLs like http:evil or http//missing-colon.

    Refactoring (no API changes):

    • Extract shared processSAMLResponse pipeline to eliminate ~500 lines of duplicated logic between callbackSSOSAML and acsEndpoint
    • Move validateSAMLTimestamp to saml/timestamp.ts (re-exported from original location for compatibility)
  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

1.6.2

Patch Changes

  • #8968 5e5d3f6 Thanks @cyphercodes! - fix(sso): strip whitespace from SAMLResponse before base64 decoding

    Some SAML IDPs send SAMLResponse with line-wrapped base64 (per RFC 2045), which caused decoding failures. Whitespace is now stripped at the request boundary before any processing.

  • Updated dependencies [9deb793, 2cbcb9b, b20fa42, 608d8c3, 8409843, e78a7b1]:

    • better-auth@1.6.2
    • @better-auth/core@1.6.2

1.6.1

Patch Changes

1.6.0

Minor Changes

Patch Changes

1.6.0-beta.0

Minor Changes

Patch Changes