feat(sso): update SAML registration dialog and settings for improved metadata handling

- Added support for IdP metadata XML in the SAML registration dialog, allowing users to paste full metadata for configuration.
- Updated the callback URL and audience handling to dynamically incorporate the base URL.
- Refactored the SSO settings to enable SAML provider registration and improved the display of callback URLs based on provider details.
- Enhanced trusted origins configuration in the authentication logic to include additional domains for development and production environments.
This commit is contained in:
Mauricio Siu
2026-02-01 19:50:33 -06:00
parent 11082f25d7
commit aa558b3a8c
4 changed files with 84 additions and 65 deletions


@@ -25,7 +25,7 @@ export const { handler, api } = betterAuth({
schema: schema,
}),
disabledPaths: [
"/sso/register",
// "/sso/register",
"/organization/create",
"/organization/update",
"/organization/delete",
@@ -44,30 +44,35 @@ export const { handler, api } = betterAuth({
logger: {
disabled: process.env.NODE_ENV === "production",
},
...(!IS_CLOUD && {
async trustedOrigins() {
const settings = await getWebServerSettings();
if (!settings) {
return [];
}
// ...(!IS_CLOUD && {
async trustedOrigins() {
const settings = await getWebServerSettings();
if (!settings) {
return [];
}
const providers = await getSSOProviders();
const domains = providers.map((provider) => provider.issuer);
return [
...(settings?.serverIp ? [`http://${settings?.serverIp}:3000`] : []),
...(settings?.host ? [`https://${settings?.host}`] : []),
...domains.map((domain) => domain),
...(process.env.NODE_ENV === "development"
? [
"http://localhost:3000",
"https://absolutely-handy-falcon.ngrok-free.app",
"https://dev-pee8hhc3qbjlqedb.us.auth0.com",
"https://trial-2804699.okta.com",
]
: []),
];
},
}),
const providers = await getSSOProviders();
const issuerOrigins = providers.map((provider) => provider.issuer);
return [
...(settings?.serverIp ? [`http://${settings?.serverIp}:3000`] : []),
...(settings?.host ? [`https://${settings?.host}`] : []),
...issuerOrigins,
...(process.env.NODE_ENV === "development"
? [
"http://localhost:3000",
"https://absolutely-handy-falcon.ngrok-free.app",
"https://dev-pee8hhc3qbjlqedb.us.auth0.com",
"https://trial-2804699.okta.com",
"https://login.microsoftonline.com",
"https://graph.microsoft.com",
]
: []),
];
},
// Untrusted OIDC discovery URL: The main discovery endpoint "https://login.microsoftonline.com/9f26c287-38e9-4731-9d1d-506365a6cc8e/.well-known/openid-configuration" is not trusted by your trusted origins configuration.
// }),
emailVerification: {
sendOnSignUp: true,
autoSignInAfterVerification: true,
@@ -120,7 +125,7 @@ export const { handler, api } = betterAuth({
});
}
} else {
const isSSORequest = context?.path.includes("/sso/callback");
const isSSORequest = context?.path.includes("/sso");
if (isSSORequest) {
return;
}
@@ -136,7 +141,7 @@ export const { handler, api } = betterAuth({
}
},
after: async (user, context) => {
const isSSORequest = context?.path.includes("/sso/callback");
const isSSORequest = context?.path.includes("/sso");
const isAdminPresent = await db.query.member.findFirst({
where: eq(schema.member.role, "owner"),
});
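Review bot: `context?.path.includes("/sso")` in the `else` branch of the `before` hook, and again in the `after` hook, is a substring test, so the early return now covers every path containing `/sso` — including `/sso/register`, which this same commit re-enables by commenting it out of `disabledPaths` — and whatever check follows in the `before` branch is skipped for provider registration. If the intent is only to exempt the IdP round-trip, use an explicit list of callback routes matched with `startsWith`, e.g. `const SSO_CALLBACK_PATHS = ["/sso/callback"]; const isSSORequest = SSO_CALLBACK_PATHS.some((p) => context?.path.startsWith(p));`, and add the SAML callback route once its exact path is confirmed against the router rather than matching the whole `/sso` prefix. Both hooks start outside the hunks shown, so I can only infer from the `after` hook's `isAdminPresent` query that the guard relates to owner/first-admin setup — worth confirming that registration is meant to bypass it. Separately, the `...(!IS_CLOUD && {` wrapper is now a dead comment (so `trustedOrigins`, including DB-sourced `provider.issuer` values, applies in cloud mode too) and the explanatory comment about the Microsoft discovery URL sits next to it; either restore the guard or drop the commented-out lines rather than shipping both.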