better_auth-hanami 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1c6552c515f275dd9c70eefc5177892d0717aae7bf133ef8042eca0b5033f19
-  data.tar.gz: e70020d52e489d99047e09f254872e84c118c3faaf1d957f107649545eaef92e
+  metadata.gz: e621a185cce9796daa7123db9fda9e9794c1a6ea69320c3d0f22f0e302dfeead
+  data.tar.gz: b016d7df8af71a441b731af82d141cb3b8e63e96c2ebf4297f617b6a32587ed6
 SHA512:
-  metadata.gz: 72cf74b3d30eb60e13b85d8340e24c062fe46bc49f65e8816599b065f85f89265de7a60064e27b3d163d041855f5e68f208750a9693b1e8691e8bfca25204aac
-  data.tar.gz: 2d19ac81d33d23098ff8bb367ea658517c2a76a2f67d2d557b78ddd1410766411d506052626d189d8d80afdc235a7e25bada1587e732e6cb5146d24f5d653e58
+  metadata.gz: 9c47fa9eb76a9196f1a7a1179b2fb58359fb49e2b54789f14d42a9617d6a3e890c1c63522c2d27c805f0eabb27e38bbfc09db86bb1c0869705ac847c16a7899f
+  data.tar.gz: 91165382044cc8d14c8d6fc044930ca9a896cecb3d7f35b2fcd3c9f076a8841eefaff1fd6e6cdc06e0a25c4b1d7c0d3b0c1ed6e0e96ff12eeb453dcfb809ffe8

data/CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-05-05
+
+### Fixed
+
+- Aligned Hanami route mounting, action helpers, install generator, and migration generator behavior with the shared Rack and schema semantics.
+- Hardened the Sequel adapter for upstream-shaped filtering, joins, falsey values, and limit behavior.
+
 ## [0.1.1] - 2026-04-29
 
 ### Fixed

data/README.md

@@ -65,6 +65,7 @@ Hanami.app.register_provider(:better_auth) do
       config.database = ->(options) {
         BetterAuth::Hanami::SequelAdapter.from_container(target, options)
       }
+      config.trusted_origins = [target["settings"].better_auth_url].compact
       config.email_and_password = {enabled: true}
       config.plugins = []
     end
@@ -76,6 +77,37 @@ Hanami.app.register_provider(:better_auth) do
 end
 ```
 
+`trusted_origins` controls Better Auth origin and redirect URL validation. If
+your browser client calls the auth endpoints from another origin, configure Rack
+CORS middleware in your Hanami app as well so preflight requests and
+`Access-Control-*` response headers match your frontend origin and credentials
+policy. For the shared Rack/CORS/CSRF boundary, see
+[`host-app-responsibilities.md`](../../.docs/features/host-app-responsibilities.md).
+
+Do not rely on a Hanami-only empty `trusted_origins` list as a strict
+deny-all-origin policy; set real deployment URLs in app settings. Keep
+`BetterAuth::Hanami::MountedApp` behavior aligned with Hanami's router instead
+of copying Rails mount internals without integration tests. Be cautious with
+relation or inflector overrides generated for an app, because overwriting
+application-specific Hanami relations can be destructive.
+
+## Regenerating Migrations
+
+The migration generator skips an existing `*_create_better_auth_tables.rb` file
+by default so user-edited migrations are not overwritten. To intentionally
+regenerate the base migration for a new app or after changing plugin schemas,
+call the Ruby API with `force: true`:
+
+```ruby
+BetterAuth::Hanami::Generators::MigrationGenerator.new.run(force: true)
+```
+
+The generated rake task keeps the non-overwriting behavior:
+
+```bash
+bundle exec rake better_auth:generate:migration
+```
+
 ## Routes
 
 The generated `config/routes.rb` includes:
@@ -98,6 +130,11 @@ By default this mounts Better Auth at `/api/auth`. Customize the path:
 better_auth at: "/auth"
 ```
 
+`BetterAuth::Hanami::MountedApp` expects `PATH_INFO` in the shape produced by
+Hanami's router; see `spec/better_auth/hanami/routing_spec.rb`. Custom Rack
+stacks with different `SCRIPT_NAME` conventions may need application-level path
+rewriting.
+
 ## Action Helpers
 
 Include helpers in your base action:

data/lib/better_auth/hanami/action_helpers.rb

@@ -34,6 +34,9 @@ module BetterAuth
       end
 
       def resolve_better_auth_session(request)
+        auth = BetterAuth::Hanami.auth
+        auth.context.prepare_for_request!(request) if auth.context.respond_to?(:prepare_for_request!)
+
         context = BetterAuth::Endpoint::Context.new(
           path: request_path(request),
           method: request_method(request),
@@ -41,7 +44,7 @@ module BetterAuth
           body: {},
           params: {},
           headers: {"cookie" => request_cookie(request)},
-          context: BetterAuth::Hanami.auth.context,
+          context: auth.context,
           request: request
         )
         BetterAuth::Session.find_current(context, disable_refresh: true)

data/lib/better_auth/hanami/generators/install_generator.rb

@@ -43,10 +43,14 @@ module BetterAuth
 
         def update_routes
           path = File.join(destination_root, "config/routes.rb")
-          return unless File.exist?(path)
+          unless File.exist?(path)
+            Kernel.warn("[better_auth-hanami] InstallGenerator: #{path} not found; skipping routes wiring. Add Hanami routes manually.")
+            return
+          end
 
           content = File.read(path)
           content = content.gsub(%(require "better_auth/hanami/routing"), %(require "better_auth/hanami"))
+          content = dedupe_better_auth_requires(content)
           content = %(require "better_auth/hanami"\n) + content unless content.include?(%("better_auth/hanami"))
           content = content.sub("class Routes < Hanami::Routes\n", "class Routes < Hanami::Routes\n    include BetterAuth::Hanami::Routing\n") unless content.include?("include BetterAuth::Hanami::Routing")
           content = content.sub(/(include BetterAuth::Hanami::Routing\n)(?!\s*better_auth)/, "\\1    better_auth\n") unless content.match?(/^\s*better_auth\b/)
@@ -55,7 +59,10 @@ module BetterAuth
 
         def update_settings
           path = File.join(destination_root, "config/settings.rb")
-          return unless File.exist?(path)
+          unless File.exist?(path)
+            Kernel.warn("[better_auth-hanami] InstallGenerator: #{path} not found; skipping settings wiring. Add better_auth_secret and better_auth_url manually.")
+            return
+          end
 
           content = File.read(path)
           return if content.include?("setting :better_auth_secret")
@@ -64,10 +71,21 @@ module BetterAuth
             "    setting :better_auth_secret, constructor: Types::String.constrained(min_size: 32)",
             "    setting :better_auth_url, constructor: Types::String.optional"
           ].join("\n")
-          content = content.sub("class Settings < Hanami::Settings\n", "class Settings < Hanami::Settings\n#{insertion}\n")
+          content = content.sub(/(class[ \t]+Settings[ \t]*<[ \t]*Hanami::Settings[ \t]*\n)/, "\\1#{insertion}\n")
           File.write(path, content)
         end
 
+        def dedupe_better_auth_requires(content)
+          previous = nil
+          content.lines.each_with_object([]) do |line, output|
+            stripped = line.strip
+            next if stripped == previous && stripped == %(require "better_auth/hanami")
+
+            output << line
+            previous = stripped
+          end.join
+        end
+
         def provider_template
           <<~RUBY
             # frozen_string_literal: true

data/lib/better_auth/hanami/generators/migration_generator.rb

@@ -7,25 +7,28 @@ module BetterAuth
   module Hanami
     module Generators
       class MigrationGenerator
-        def initialize(destination_root: Dir.pwd, configuration: nil)
+        def initialize(destination_root: Dir.pwd, configuration: nil, force: false)
           @destination_root = destination_root
           @configuration = configuration
+          @force = force
         end
 
-        def run
-          return migration_path if existing_migration?
+        def run(force: nil)
+          force = @force if force.nil?
+          return existing_migration_path if existing_migration_path && !force
 
-          FileUtils.mkdir_p(File.dirname(migration_path))
-          File.write(migration_path, BetterAuth::Hanami::Migration.render(generator_config))
-          migration_path
+          path = existing_migration_path || migration_path
+          FileUtils.mkdir_p(File.dirname(path))
+          File.write(path, BetterAuth::Hanami::Migration.render(generator_config))
+          path
         end
 
         private
 
         attr_reader :destination_root, :configuration
 
-        def existing_migration?
-          Dir[File.join(destination_root, "config/db/migrate/*_create_better_auth_tables.rb")].any?
+        def existing_migration_path
+          @existing_migration_path ||= Dir[File.join(destination_root, "config/db/migrate/*_create_better_auth_tables.rb")].min
         end
 
         def migration_path

data/lib/better_auth/hanami/mounted_app.rb

@@ -2,6 +2,11 @@
 
 module BetterAuth
   module Hanami
+    # Rewrites PATH_INFO so the core router sees paths under +mount_path+.
+    # Hanami's +Slice::Router+ passes PATH_INFO as exercised in routing specs;
+    # custom Rack mounts that differ from that contract may need app-level
+    # rewriting adjustments. Compare the Rails adapter when debugging path
+    # behavior involving SCRIPT_NAME.
     class MountedApp
       def initialize(auth, mount_path:)
         @auth = auth

data/lib/better_auth/hanami/sequel_adapter.rb

@@ -1,19 +1,22 @@
 # frozen_string_literal: true
 
 require "securerandom"
+require "json"
 require "time"
 require "sequel"
 
 module BetterAuth
   module Hanami
     class SequelAdapter < BetterAuth::Adapters::Base
+      include BetterAuth::Adapters::JoinSupport
+
       attr_reader :connection
 
       def self.from_hanami(options, container: nil)
         if container.nil? && defined?(::Hanami) && ::Hanami.respond_to?(:app)
           container = ::Hanami.app
         end
-        return BetterAuth::Adapters::Memory.new(options) unless container
+        return memory_fallback(options) unless container
 
         from_container(container, options)
       end
@@ -24,7 +27,7 @@ module BetterAuth
         elsif container.respond_to?(:[]) && safe_fetch(container, "db.gateway")
           container["db.gateway"]
         end
-        return BetterAuth::Adapters::Memory.new(options) unless gateway
+        return memory_fallback(options) unless gateway
 
         connection = gateway.respond_to?(:connection) ? gateway.connection : gateway
         new(options, connection: connection)
@@ -36,6 +39,14 @@ module BetterAuth
         nil
       end
 
+      def self.memory_fallback(options)
+        Kernel.warn(
+          "[better_auth-hanami] SequelAdapter: using BetterAuth::Adapters::Memory " \
+          "(no Hanami container or db.gateway). Persisted auth data will not survive process restart."
+        )
+        BetterAuth::Adapters::Memory.new(options)
+      end
+
       def initialize(options, connection:)
         super(options)
         @connection = connection
@@ -125,19 +136,21 @@ module BetterAuth
         column = storage_field(model, field)
         identifier = Sequel[column.to_sym]
         operator = (fetch_key(clause, :operator) || "eq").to_s
-        value = fetch_key(clause, :value)
+        attributes = schema_for(model).fetch(:fields).fetch(field)
+        raw_value = fetch_key(clause, :value)
+        value = coerce_where_value(raw_value, attributes)
 
         case operator
-        when "in" then {column.to_sym => Array(value)}
-        when "not_in" then Sequel.~(column.to_sym => Array(value))
+        when "in" then {column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) }}
+        when "not_in" then Sequel.~(column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) })
         when "ne" then Sequel.~(column.to_sym => value)
         when "gt" then identifier > value
         when "gte" then identifier >= value
         when "lt" then identifier < value
         when "lte" then identifier <= value
-        when "contains" then Sequel.like(identifier, "%#{value}%")
-        when "starts_with" then Sequel.like(identifier, "#{value}%")
-        when "ends_with" then Sequel.like(identifier, "%#{value}")
+        when "contains" then Sequel.like(identifier, "%#{escape_like(value)}%", escape: "\\")
+        when "starts_with" then Sequel.like(identifier, "#{escape_like(value)}%", escape: "\\")
+        when "ends_with" then Sequel.like(identifier, "%#{escape_like(value)}", escape: "\\")
         else {column.to_sym => value}
         end
       end
@@ -155,20 +168,57 @@ module BetterAuth
       def attach_joins(model, records, join)
         return records unless join
 
+        join_config = normalized_join(model, join)
         records.each do |record|
-          join.each_key do |join_model|
-            join_model = join_model.to_s
-            case [model.to_s, join_model]
-            when ["session", "user"], ["account", "user"]
-              record[join_model] = find_one(model: join_model, where: [{field: "id", value: record["userId"]}])
-            when ["user", "account"]
-              record[join_model] = find_many(model: "account", where: [{field: "userId", value: record["id"]}])
-            end
+          join_config.each do |join_model, config|
+            record[join_model] = joined_records(record, join_model, config)
           end
         end
         records
       end
 
+      def joined_records(record, join_model, config)
+        local_value = record[config.fetch(:from)]
+        where = [{field: config.fetch(:to), value: local_value}]
+
+        if one_to_one_join?(config)
+          find_one(model: join_model, where: where)
+        else
+          records = find_many(model: join_model, where: where)
+          config[:limit] ? records.first(Integer(config[:limit])) : records
+        end
+      end
+
+      def one_to_one_join?(config)
+        config[:relation] == "one-to-one" || config[:unique] == true
+      end
+
+      def inferred_join_config(model, join_model)
+        foreign_keys = schema_for(join_model).fetch(:fields).select do |_field, attributes|
+          reference_model_matches?(attributes, model)
+        end
+        forward_join = true
+
+        if foreign_keys.empty?
+          foreign_keys = schema_for(model).fetch(:fields).select do |_field, attributes|
+            reference_model_matches?(attributes, join_model)
+          end
+          forward_join = false
+        end
+
+        raise Error, "No foreign key found for model #{join_model} and base model #{model} while performing join operation." if foreign_keys.empty?
+        raise Error, "Multiple foreign keys found for model #{join_model} and base model #{model} while performing join operation. Only one foreign key is supported." if foreign_keys.length > 1
+
+        foreign_key, attributes = foreign_keys.first
+        reference = attributes.fetch(:references)
+        if forward_join
+          unique = attributes[:unique] == true
+          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique}
+        else
+          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true}
+        end
+      end
+
       def transform_input(model, data, action, force_allow_id)
         fields = schema_for(model).fetch(:fields)
         input = stringify_keys(data)
@@ -242,6 +292,7 @@ module BetterAuth
       def coerce_value(value, attributes)
         return value if value.nil?
         return Time.parse(value) if attributes[:type] == "date" && value.is_a?(String)
+        return JSON.generate(value) if json_like?(attributes) && !value.is_a?(String)
 
         value
       end
@@ -250,10 +301,37 @@ module BetterAuth
         return value if value.nil?
         return coerce_boolean(value) if attributes[:type] == "boolean"
         return Time.parse(value.to_s) if attributes[:type] == "date" && !value.is_a?(Time)
+        return parse_json_value(value) if json_like?(attributes) && value.is_a?(String)
 
         value
       end
 
+      def coerce_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return coerce_value(false, attributes) if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return coerce_value(true, attributes) if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        end
+
+        coerce_value(value, attributes)
+      end
+
+      def json_like?(attributes)
+        %w[json string[] number[]].include?(attributes[:type])
+      end
+
+      def parse_json_value(value)
+        JSON.parse(value)
+      rescue JSON::ParserError
+        value
+      end
+
       def coerce_boolean(value)
         return value if value == true || value == false
         return false if value == 0 || value.to_s == "0" || value.to_s.downcase == "f" || value.to_s.downcase == "false"
@@ -262,6 +340,18 @@ module BetterAuth
         value
       end
 
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
+      def escape_like(value)
+        value.to_s.gsub(/[\\%_]/) { |match| "\\#{match}" }
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[storage_key(key)] = value

data/lib/better_auth/hanami/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module Hanami
-    VERSION = "0.5.0"
+    VERSION = "0.7.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-hanami
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Sebastian Sala