27 KiB
@better-auth/sso
1.6.13
Patch Changes
-
#9818
43c08a2Thanks @gustavovalverde! - Fix SAML Single Logout leaving the user signed in. The logout handlers passed the session row id to a delete that matches on the session token, so the session was never removed. The stored SAML session record now carries the session token, and all three logout paths revoke the session by token. -
#9821
4c3bbc4Thanks @gustavovalverde! - Fix a high-severity XML injection in signed SAML assertions (GHSA-34r5-q4jw-r36m) by updatingsamlifyfrom 2.10.2 to 2.13.1. A craftedAttributeValuecould escalate privileges.samlify 2.11 replaced
node-forgewith Node's native crypto, which parses private keys through OpenSSL 3 and rejects PEM blocks that carry leading whitespace. SAML private keys are now normalized before they reach samlify, so a key pasted with indentation (for example from an indented YAML or JSON config) keeps loading.IdP-initiated Single Logout now derives its response from the parsed logout request, which fixes response generation under samlify 2.13. When mapping SAML attributes to user fields, a multi-valued attribute is read by its first value.
-
Updated dependencies [
d3919dc,5f282bd,43c08a2,43c08a2,be32012,87c1a0c,5c3e248,9c8ded6,23d7cbf]:- better-auth@1.6.13
- @better-auth/core@1.6.13
1.6.12
Patch Changes
-
#9702
23dbe1aThanks @bytaesu! - Banned users signing in with an OAuth provider now redirect to theerrorCallbackURLpassed tosignIn.social, with?error=BANNED_USER&error_description=<message>in the query string. Previously the redirect went to the auth server's default error page with?error=banned, which broke multi-domain deployments where the auth host and frontend host differ. Theoauth-proxy, SSO OIDC, and SAML callbacks now also redirect hook rejections to the error URL (previously returned JSON 403), andoauth-proxyURL-encodes theerrorquery value across all its redirects. -
#9662
e637c7dThanks @gustavovalverde! - Raise the XML parser dependency floor used by SSO to a patched release. -
#9722
f47aa4aThanks @bytaesu! - SSO OIDC callback now URL-encodes theerrorquery value when redirecting onhandleOAuthUserInfoerrors (e.g.?error=signup+disabledinstead of?error=signup disabled). Multi-word error values previously produced broken URLs with raw whitespace. -
Updated dependencies [
9bd53e1,23dbe1a,7a12072,09a1d50,a6f144a,f77060a,dcb2e6d,c92cd74,f5fcc9d,9d91eb7,a3b0c63,1b40dac,5626e1b,ad9ad82,62dabf6,276d67f,2d73fff,c5b9f93,ac96316,0a7cb70,015f96b,43cc49c,f5e29ea,1d372bb,3f8f310,83fa369,17cd433,c01b2f1,6b44606,04303a9,7bf5449,2b7937f]:- better-auth@1.6.12
- @better-auth/core@1.6.12
1.6.11
Patch Changes
-
#9220
86765f1Thanks @stewartjarod! - fix(sso): require org admin role to register SSO providersPOST /sso/registerpreviously allowed any organization member to register an SSO provider for the organization whenorganizationIdwas supplied, only checking membership and not role. This brings it in line with the other provider endpoints (get/update/delete), which go throughcheckProviderAccess→isOrgAdminand restrict access toowneroradminroles.Closes #9133.
-
#9574
37f60cbThanks @gustavovalverde! - fix(sso): validate user-supplied OIDC endpoint URLs at provider registration and updateWhen
skipDiscovery: truewas passed toPOST /sso/register, or anyoidcConfigURL was passed toPOST /sso/update-provider, the suppliedauthorizationEndpoint,tokenEndpoint,userInfoEndpoint,jwksEndpoint, anddiscoveryEndpointvalues were persisted on the provider row without origin validation, then fetched server-side at OIDC callback time. An authenticated user could register or update an SSO provider with internal URLs (RFC 1918, link-local, cloud-metadata FQDNs like169.254.169.254, loopback) and use the callback handler to coerce the server into making requests to those hosts.Both endpoints now run user-supplied OIDC URLs through a layered gate:
- URL parsing +
http(s)scheme requirement isPublicRoutableHostfrom@better-auth/core/utils/host(rejects loopback, RFC 1918, link-local, ULA, cloud-metadata FQDNs, multicast, broadcast, and reserved ranges per RFC 6890)trustedOriginsallowlist as the documented escape hatch for customers running internal IdPs on private networks
A request that fails the gate is rejected with
BAD_REQUESTand the newdiscovery_private_hosterror code (ordiscovery_invalid_urlfor malformed URLs / non-http(s)schemes). - URL parsing +
-
Updated dependencies [
0cbddb8,a26333b,99a254a,ee93485,5f09d56,b4bc65a,da7e50b,a1c9f3c,23094a6,142b86c,1f2ff42,b0ef96f,699b09a,e21d744]:- @better-auth/core@1.6.11
- better-auth@1.6.11
1.6.10
Patch Changes
-
#9398
006e809Thanks @Craga89! - fix(sso): use findSAMLProvider in spMetadata so defaultSSO providers resolve/sso/saml2/sp/metadatawas the only SAML endpoint that calledadapter.findOnedirectly, so providers configured viadefaultSSO(which are not persisted to the database) caused it to throwNOT_FOUND. The endpoint now uses the sharedfindSAMLProviderhelper, matchingsignInSSO, the SAML callback handler, andsignOut. -
Updated dependencies [
1e0f26d,8c1e917,b2d655c,09f1327,906b7b3,e9c978e,e71aad3,80a655d,15ff28a,88a7c67,9a7b51d,1b25902,cf59136,a597ee0,fc02ced,9f1ef1f,36ef808,c1336c5,3a9a2c3,fde0432,2220a6d]:- better-auth@1.6.10
- @better-auth/core@1.6.10
1.6.9
Patch Changes
- Updated dependencies [
815ecf6]:- @better-auth/core@1.6.9
- better-auth@1.6.9
1.6.8
Patch Changes
1.6.7
Patch Changes
- Updated dependencies [
307196a,4a180f0,4f373ee,e1b1cfc,d053a45]:- better-auth@1.6.7
- @better-auth/core@1.6.7
1.6.6
Patch Changes
-
#9262
fe5f36cThanks @jonathansamines! - Fix ESM/CJS compat issue when loading samlify -
Updated dependencies [
b5742f9,4debfb6,9ea7eb1,a844c7d,ab4c10f,a61083e,e64ff72]:- @better-auth/core@1.6.6
- better-auth@1.6.6
1.6.5
Patch Changes
1.6.4
Patch Changes
1.6.3
Patch Changes
-
#9097
52c4751Thanks @gustavovalverde! - fix(sso): unify SAML response processing and fix provider/config bugsBug fixes:
- Fix SP metadata endpoint using internal row ID instead of
providerIdin ACS URL - Fix
acsEndpointskipping DB provider lookup whendefaultSSOis configured - Fix
acsEndpointmissing encryption fields (isAssertionEncrypted,encPrivateKey), which caused silent decryption failures - Fix
defaultSSOconfig parsing in callback path (safeJsonParseon already-parsed objects) - Fix
createSPmissingcallbackUrlfallback to auto-generated ACS URL - Complete
createSP/createIdPhelpers with all encryption and signing fields
Behavioral changes:
- ACS error redirect query parameters now use uppercase error codes (e.g.
error=SAML_MULTIPLE_ASSERTIONSinstead oferror=multiple_assertions). If your application parses these error codes from the redirect URL, update the expected values. - SAML provider registration now rejects configs with no usable IdP entry point (no valid
entryPointURL, noidpMetadata.metadata, and noidpMetadata.singleSignOnService). Previously these would register successfully but fail at sign-in. entryPointvalidation tightened fromstartsWith("http")tonew URL()parsing, rejecting malformed URLs likehttp:evilorhttp//missing-colon.
Refactoring (no API changes):
- Extract shared
processSAMLResponsepipeline to eliminate ~500 lines of duplicated logic betweencallbackSSOSAMLandacsEndpoint - Move
validateSAMLTimestamptosaml/timestamp.ts(re-exported from original location for compatibility)
- Fix SP metadata endpoint using internal row ID instead of
-
Updated dependencies [
5142e9c,484ce6a,f875897,6ce30cf,f6428d0,9a6d475,513dabb,c5066fe,5f84335]:- better-auth@1.6.3
- @better-auth/core@1.6.3
1.6.2
Patch Changes
-
#8968
5e5d3f6Thanks @cyphercodes! - fix(sso): strip whitespace from SAMLResponse before base64 decodingSome SAML IDPs send SAMLResponse with line-wrapped base64 (per RFC 2045), which caused decoding failures. Whitespace is now stripped at the request boundary before any processing.
-
Updated dependencies [
9deb793,2cbcb9b,b20fa42,608d8c3,8409843,e78a7b1]:- better-auth@1.6.2
- @better-auth/core@1.6.2
1.6.1
Patch Changes
1.6.0
Minor Changes
-
#8836
5dd9e44Thanks @gustavovalverde! - Enable InResponseTo validation by default for SAML flows -
#8836
5dd9e44Thanks @gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins
Patch Changes
-
#8838
ee8b40dThanks @gustavovalverde! - pinsamlifyto~2.10.2to avoid breaking changes in v2.11.0 and patch transitivenode-forgevulnerability (4 HIGH CVEs: signature forgery, cert chain bypass, DoS) -
#8836
5dd9e44Thanks @gustavovalverde! - Fix provisionUser inconsistency between OIDC and SAML and add provisionUserOnEveryLogin option -
Updated dependencies [
dd537cb,bd9bd58,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,469eee6,560230f]:- better-auth@1.6.0
- @better-auth/core@1.6.0
1.6.0-beta.0
Minor Changes
-
28b1291Thanks @gustavovalverde! - Enable InResponseTo validation by default for SAML flows -
28b1291Thanks @gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins
Patch Changes
-
28b1291Thanks @gustavovalverde! - Fix provisionUser inconsistency between OIDC and SAML and add provisionUserOnEveryLogin option -
Updated dependencies [
28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291,28b1291]:- better-auth@1.6.0-beta.0
- @better-auth/core@1.6.0-beta.0