{"id":16707,"library":"better-auth-cas","title":"CAS Plugin for Better Auth","description":"The `better-auth-cas` package, currently at version `0.1.8`, is an early-stage plugin designed to integrate Central Authentication Service (CAS) functionality into the `better-auth` authentication framework. It provides standard CAS sign-in and callback endpoints, handles CAS ticket validation via `serviceValidate`, and includes robust profile mapping capabilities to translate CAS user attributes into `better-auth` user and session data. A key feature is the optional `onProfileResolved` hook, enabling custom persistence logic. It emphasizes solutions for common CAS integration challenges, such as managing CAS's separate SSO session cookies to prevent \"auto-login\" after a local logout and addressing `service` URL allowlist mismatches in CAS deployments. While in a pre-1.0 state, implying potential API changes, its initial release (v0.1.0 on 2026-03-19) indicates active development and a focused approach to providing a ready-to-use CAS solution for `better-auth` applications, shipping with TypeScript types for better developer experience.","status":"active","version":"0.1.8","language":"javascript","source_language":"en","source_url":"https://github.com/Travins/better-auth-cas","tags":["javascript","typescript"],"install":[{"cmd":"npm install better-auth-cas","lang":"bash","label":"npm"},{"cmd":"yarn add better-auth-cas","lang":"bash","label":"yarn"},{"cmd":"pnpm add better-auth-cas","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package is a plugin specifically designed to extend `better-auth` functionality.","package":"better-auth","optional":false}],"imports":[{"note":"The library ships with TypeScript types and is primarily designed for ESM usage. While CJS is technically possible with transpilation, direct `require` is not the idiomatic approach.","wrong":"const createStandardCasPlugin = require('better-auth-cas').createStandardCasPlugin;","symbol":"createStandardCasPlugin","correct":"import { createStandardCasPlugin } from 'better-auth-cas';"},{"note":"The `auth` instance is typically an instance of `betterAuth` initialized in a local application file, not directly imported from `better-auth-cas`.","symbol":"auth","correct":"import { auth } from '@/lib/auth';"},{"note":"These types are used in examples demonstrating integration within a Next.js environment, particularly for logout handlers. They are not direct exports of `better-auth-cas`.","symbol":"NextRequest, NextResponse","correct":"import { NextRequest, NextResponse } from 'next/server';"}],"quickstart":{"code":"import { betterAuth } from 'better-auth';\nimport { createStandardCasPlugin } from 'better-auth-cas';\n\n// In a production environment, casBaseUrl should come from environment variables.\nconst casBaseUrl = process.env.CAS_BASE_URL || 'https://cas.example.com/cas';\nconst callbackPath = process.env.CAS_CALLBACK_PATH || '/api/auth/cas/callback';\nconst providerId = process.env.CAS_PROVIDER_ID || 'cas';\n\nexport const auth = betterAuth({\n  emailAndPassword: {\n    enabled: true,\n  },\n  plugins: [\n    createStandardCasPlugin({\n      casBaseUrl: casBaseUrl,\n      callbackPath: callbackPath,\n      providerId: providerId,\n      // Optional: Set redirectUri if your CAS server requires an exact match for the service URL\n      // redirectUri: process.env.CAS_REDIRECT_URI || 'http://localhost:3000/api/auth/cas/callback',\n      // Optional: Custom profile mapping if CAS attributes differ from defaults\n      // profileMapping: {\n      //   stableId: ['sAMAccountName', 'uid'],\n      //   name: ['displayName'],\n      //   email: ['mail'],\n      //   image: ['thumbnailPhoto']\n      // }\n    }),\n  ],\n});","lang":"typescript","description":"Initializes `better-auth` with the standard CAS plugin, demonstrating how to configure the CAS base URL, callback path, and provider ID. It also highlights optional configuration for `redirectUri` and `profileMapping` using environment variables."},"warnings":[{"fix":"Implement a global logout route that first clears the local Better Auth session and then redirects the user to the CAS `/logout` endpoint with a `service` parameter pointing back to your application's public URL. Refer to the 'Recommended global logout' section in the README.","message":"Users may appear to 'auto-login' immediately after a local logout from your application because CAS maintains its own separate SSO session cookie. Clearing only the local session will not invalidate the CAS session.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Explicitly set the `redirectUri` option in `createStandardCasPlugin` to your application's exact, absolute callback URL. This ensures the `service` parameter in the CAS login request matches the allowlisted value.","message":"Many CAS deployments require the `service` URL (the callback URL provided during login) to be explicitly allowlisted. A mismatch between the URL generated by the plugin and the allowlisted URL will result in CAS rejecting the authentication attempt.","severity":"gotcha","affected_versions":">=0.1.0"},{"fix":"Monitor the project's changelog and release notes closely when updating to new versions. Thoroughly test your integration after any update to ensure continued functionality.","message":"As this package is in a pre-1.0 release (0.1.x), the API and configuration options are subject to change without adhering to strict semantic versioning. While stable for initial use, be prepared for potential API adjustments in minor or patch releases.","severity":"breaking","affected_versions":">=0.1.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure the `redirectUri` option in `createStandardCasPlugin` is set to the exact, absolute URL of your CAS callback endpoint (e.g., `http://localhost:3000/api/auth/cas/callback`) and that this URL is allowlisted on your CAS server.","cause":"The `service` parameter in the CAS login request does not match an allowlisted URL on the CAS server, or the `redirectUri` configured in the plugin is incorrect.","error":"CAS Login Failed: Service URL Mismatch"},{"fix":"Implement a comprehensive logout strategy that clears both the local `better-auth` session and redirects the user to the CAS server's logout endpoint. Refer to the 'Recommended global logout' example in the README.","cause":"The CAS SSO session cookie remains active even after a local `better-auth` session is cleared, leading to immediate re-authentication via CAS if the user attempts to log in again.","error":"User appears logged in after local signOut()"}],"ecosystem":"npm"}