better_auth-hanami 0.6.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5298b67e2375f8b2000c168f3e7620c0564ed05f2af098b0c54047abd718f95
-  data.tar.gz: bad1e66f1db21001b3f803328c1987adc33c2d2e5f92cfdd1eba19726bde04a7
+  metadata.gz: 38b660cd7b5342ffeb1604a0b1c31ec6b0258016e496f6910764d0c166242edb
+  data.tar.gz: b8857da84de1c4d1ca206892aeaf438fd633ee729290074e2e68872930964428
 SHA512:
-  metadata.gz: c4ff56fada7c5b08ece3c16c07fc9796972e34f136f7c7985f2a588f02d76612cbb46bb9069cc9bacd3365dd25248ee5b6dc41766e86cd18302f70941f5614ee
-  data.tar.gz: dd5b9d85f2fd4505bd1141fbfb49d8dafd099323437fe5399cd3a65cec674660593e476d0b0ee3158cbf1c850cfedd0c9f2ab2128868cbd7a0b0f6088b9b4ba0
+  metadata.gz: 40d10b9a1922dc8b80c90362c124f4513b98e6cb0cd1895eae17cafb07fa30d5ec6473f19b3ce828ecf3db22181472c20edcbf6d98d888889f2c389c789b3cec
+  data.tar.gz: 9c44539d3fbaee60870d67bb2e9fa79ef75b7d3d9cc1cc48cc1979fc256347fe282b29cb24eed9689d1c7850bd728a0b2208fbb7d3d7752d72f21626b9cc8a65

data/CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-05-05
+
+### Fixed
+
+- Aligned Hanami route mounting, action helpers, install generator, and migration generator behavior with the shared Rack and schema semantics.
+- Hardened the Sequel adapter for upstream-shaped filtering, joins, falsey values, and limit behavior.
+
 ## [0.1.1] - 2026-04-29
 
 ### Fixed

data/README.md

@@ -65,6 +65,7 @@ Hanami.app.register_provider(:better_auth) do
       config.database = ->(options) {
         BetterAuth::Hanami::SequelAdapter.from_container(target, options)
       }
+      config.trusted_origins = [target["settings"].better_auth_url].compact
       config.email_and_password = {enabled: true}
       config.plugins = []
     end
@@ -76,6 +77,37 @@ Hanami.app.register_provider(:better_auth) do
 end
 ```
 
+`trusted_origins` controls Better Auth origin and redirect URL validation. If
+your browser client calls the auth endpoints from another origin, configure Rack
+CORS middleware in your Hanami app as well so preflight requests and
+`Access-Control-*` response headers match your frontend origin and credentials
+policy. For the shared Rack/CORS/CSRF boundary, see
+[`host-app-responsibilities.md`](../../.docs/features/host-app-responsibilities.md).
+
+Do not rely on a Hanami-only empty `trusted_origins` list as a strict
+deny-all-origin policy; set real deployment URLs in app settings. Keep
+`BetterAuth::Hanami::MountedApp` behavior aligned with Hanami's router instead
+of copying Rails mount internals without integration tests. Be cautious with
+relation or inflector overrides generated for an app, because overwriting
+application-specific Hanami relations can be destructive.
+
+## Regenerating Migrations
+
+The migration generator skips an existing `*_create_better_auth_tables.rb` file
+by default so user-edited migrations are not overwritten. To intentionally
+regenerate the base migration for a new app or after changing plugin schemas,
+call the Ruby API with `force: true`:
+
+```ruby
+BetterAuth::Hanami::Generators::MigrationGenerator.new.run(force: true)
+```
+
+The generated rake task keeps the non-overwriting behavior:
+
+```bash
+bundle exec rake better_auth:generate:migration
+```
+
 ## Routes
 
 The generated `config/routes.rb` includes:
@@ -98,6 +130,11 @@ By default this mounts Better Auth at `/api/auth`. Customize the path:
 better_auth at: "/auth"
 ```
 
+`BetterAuth::Hanami::MountedApp` expects `PATH_INFO` in the shape produced by
+Hanami's router; see `spec/better_auth/hanami/routing_spec.rb`. Custom Rack
+stacks with different `SCRIPT_NAME` conventions may need application-level path
+rewriting.
+
 ## Action Helpers
 
 Include helpers in your base action:

data/lib/better_auth/hanami/action_helpers.rb

@@ -34,6 +34,9 @@ module BetterAuth
       end
 
       def resolve_better_auth_session(request)
+        auth = BetterAuth::Hanami.auth
+        auth.context.prepare_for_request!(request) if auth.context.respond_to?(:prepare_for_request!)
+
         context = BetterAuth::Endpoint::Context.new(
           path: request_path(request),
           method: request_method(request),
@@ -41,7 +44,7 @@ module BetterAuth
           body: {},
           params: {},
           headers: {"cookie" => request_cookie(request)},
-          context: BetterAuth::Hanami.auth.context,
+          context: auth.context,
           request: request
         )
         BetterAuth::Session.find_current(context, disable_refresh: true)

data/lib/better_auth/hanami/generators/install_generator.rb

@@ -43,10 +43,14 @@ module BetterAuth
 
         def update_routes
           path = File.join(destination_root, "config/routes.rb")
-          return unless File.exist?(path)
+          unless File.exist?(path)
+            Kernel.warn("[better_auth-hanami] InstallGenerator: #{path} not found; skipping routes wiring. Add Hanami routes manually.")
+            return
+          end
 
           content = File.read(path)
           content = content.gsub(%(require "better_auth/hanami/routing"), %(require "better_auth/hanami"))
+          content = dedupe_better_auth_requires(content)
           content = %(require "better_auth/hanami"\n) + content unless content.include?(%("better_auth/hanami"))
           content = content.sub("class Routes < Hanami::Routes\n", "class Routes < Hanami::Routes\n    include BetterAuth::Hanami::Routing\n") unless content.include?("include BetterAuth::Hanami::Routing")
           content = content.sub(/(include BetterAuth::Hanami::Routing\n)(?!\s*better_auth)/, "\\1    better_auth\n") unless content.match?(/^\s*better_auth\b/)
@@ -55,7 +59,10 @@ module BetterAuth
 
         def update_settings
           path = File.join(destination_root, "config/settings.rb")
-          return unless File.exist?(path)
+          unless File.exist?(path)
+            Kernel.warn("[better_auth-hanami] InstallGenerator: #{path} not found; skipping settings wiring. Add better_auth_secret and better_auth_url manually.")
+            return
+          end
 
           content = File.read(path)
           return if content.include?("setting :better_auth_secret")
@@ -64,10 +71,21 @@ module BetterAuth
             "    setting :better_auth_secret, constructor: Types::String.constrained(min_size: 32)",
             "    setting :better_auth_url, constructor: Types::String.optional"
           ].join("\n")
-          content = content.sub("class Settings < Hanami::Settings\n", "class Settings < Hanami::Settings\n#{insertion}\n")
+          content = content.sub(/(class[ \t]+Settings[ \t]*<[ \t]*Hanami::Settings[ \t]*\n)/, "\\1#{insertion}\n")
           File.write(path, content)
         end
 
+        def dedupe_better_auth_requires(content)
+          previous = nil
+          content.lines.each_with_object([]) do |line, output|
+            stripped = line.strip
+            next if stripped == previous && stripped == %(require "better_auth/hanami")
+
+            output << line
+            previous = stripped
+          end.join
+        end
+
         def provider_template
           <<~RUBY
             # frozen_string_literal: true

data/lib/better_auth/hanami/generators/migration_generator.rb

@@ -7,25 +7,28 @@ module BetterAuth
   module Hanami
     module Generators
       class MigrationGenerator
-        def initialize(destination_root: Dir.pwd, configuration: nil)
+        def initialize(destination_root: Dir.pwd, configuration: nil, force: false)
           @destination_root = destination_root
           @configuration = configuration
+          @force = force
         end
 
-        def run
-          return migration_path if existing_migration?
+        def run(force: nil)
+          force = @force if force.nil?
+          return existing_migration_path if existing_migration_path && !force
 
-          FileUtils.mkdir_p(File.dirname(migration_path))
-          File.write(migration_path, BetterAuth::Hanami::Migration.render(generator_config))
-          migration_path
+          path = existing_migration_path || migration_path
+          FileUtils.mkdir_p(File.dirname(path))
+          File.write(path, BetterAuth::Hanami::Migration.render(generator_config))
+          path
         end
 
         private
 
         attr_reader :destination_root, :configuration
 
-        def existing_migration?
-          Dir[File.join(destination_root, "config/db/migrate/*_create_better_auth_tables.rb")].any?
+        def existing_migration_path
+          @existing_migration_path ||= Dir[File.join(destination_root, "config/db/migrate/*_create_better_auth_tables.rb")].min
         end
 
         def migration_path

data/lib/better_auth/hanami/mounted_app.rb

@@ -2,6 +2,11 @@
 
 module BetterAuth
   module Hanami
+    # Rewrites PATH_INFO so the core router sees paths under +mount_path+.
+    # Hanami's +Slice::Router+ passes PATH_INFO as exercised in routing specs;
+    # custom Rack mounts that differ from that contract may need app-level
+    # rewriting adjustments. Compare the Rails adapter when debugging path
+    # behavior involving SCRIPT_NAME.
     class MountedApp
       def initialize(auth, mount_path:)
         @auth = auth

data/lib/better_auth/hanami/sequel_adapter.rb

@@ -1,19 +1,22 @@
 # frozen_string_literal: true
 
 require "securerandom"
+require "json"
 require "time"
 require "sequel"
 
 module BetterAuth
   module Hanami
     class SequelAdapter < BetterAuth::Adapters::Base
+      include BetterAuth::Adapters::JoinSupport
+
       attr_reader :connection
 
       def self.from_hanami(options, container: nil)
         if container.nil? && defined?(::Hanami) && ::Hanami.respond_to?(:app)
           container = ::Hanami.app
         end
-        return BetterAuth::Adapters::Memory.new(options) unless container
+        return memory_fallback(options) unless container
 
         from_container(container, options)
       end
@@ -24,7 +27,7 @@ module BetterAuth
         elsif container.respond_to?(:[]) && safe_fetch(container, "db.gateway")
           container["db.gateway"]
         end
-        return BetterAuth::Adapters::Memory.new(options) unless gateway
+        return memory_fallback(options) unless gateway
 
         connection = gateway.respond_to?(:connection) ? gateway.connection : gateway
         new(options, connection: connection)
@@ -36,6 +39,14 @@ module BetterAuth
         nil
       end
 
+      def self.memory_fallback(options)
+        Kernel.warn(
+          "[better_auth-hanami] SequelAdapter: using BetterAuth::Adapters::Memory " \
+          "(no Hanami container or db.gateway). Persisted auth data will not survive process restart."
+        )
+        BetterAuth::Adapters::Memory.new(options)
+      end
+
       def initialize(options, connection:)
         super(options)
         @connection = connection
@@ -125,19 +136,21 @@ module BetterAuth
         column = storage_field(model, field)
         identifier = Sequel[column.to_sym]
         operator = (fetch_key(clause, :operator) || "eq").to_s
-        value = fetch_key(clause, :value)
+        attributes = schema_for(model).fetch(:fields).fetch(field)
+        raw_value = fetch_key(clause, :value)
+        value = coerce_where_value(raw_value, attributes)
 
         case operator
-        when "in" then {column.to_sym => Array(value)}
-        when "not_in" then Sequel.~(column.to_sym => Array(value))
+        when "in" then {column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) }}
+        when "not_in" then Sequel.~(column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) })
         when "ne" then Sequel.~(column.to_sym => value)
         when "gt" then identifier > value
         when "gte" then identifier >= value
         when "lt" then identifier < value
         when "lte" then identifier <= value
-        when "contains" then Sequel.like(identifier, "%#{value}%")
-        when "starts_with" then Sequel.like(identifier, "#{value}%")
-        when "ends_with" then Sequel.like(identifier, "%#{value}")
+        when "contains" then Sequel.like(identifier, "%#{escape_like(value)}%", escape: "\\")
+        when "starts_with" then Sequel.like(identifier, "#{escape_like(value)}%", escape: "\\")
+        when "ends_with" then Sequel.like(identifier, "%#{escape_like(value)}", escape: "\\")
         else {column.to_sym => value}
         end
       end
@@ -155,20 +168,57 @@ module BetterAuth
       def attach_joins(model, records, join)
         return records unless join
 
+        join_config = normalized_join(model, join)
         records.each do |record|
-          join.each_key do |join_model|
-            join_model = join_model.to_s
-            case [model.to_s, join_model]
-            when ["session", "user"], ["account", "user"]
-              record[join_model] = find_one(model: join_model, where: [{field: "id", value: record["userId"]}])
-            when ["user", "account"]
-              record[join_model] = find_many(model: "account", where: [{field: "userId", value: record["id"]}])
-            end
+          join_config.each do |join_model, config|
+            record[join_model] = joined_records(record, join_model, config)
           end
         end
         records
       end
 
+      def joined_records(record, join_model, config)
+        local_value = record[config.fetch(:from)]
+        where = [{field: config.fetch(:to), value: local_value}]
+
+        if one_to_one_join?(config)
+          find_one(model: join_model, where: where)
+        else
+          records = find_many(model: join_model, where: where)
+          config[:limit] ? records.first(Integer(config[:limit])) : records
+        end
+      end
+
+      def one_to_one_join?(config)
+        config[:relation] == "one-to-one" || config[:unique] == true
+      end
+
+      def inferred_join_config(model, join_model)
+        foreign_keys = schema_for(join_model).fetch(:fields).select do |_field, attributes|
+          reference_model_matches?(attributes, model)
+        end
+        forward_join = true
+
+        if foreign_keys.empty?
+          foreign_keys = schema_for(model).fetch(:fields).select do |_field, attributes|
+            reference_model_matches?(attributes, join_model)
+          end
+          forward_join = false
+        end
+
+        raise Error, "No foreign key found for model #{join_model} and base model #{model} while performing join operation." if foreign_keys.empty?
+        raise Error, "Multiple foreign keys found for model #{join_model} and base model #{model} while performing join operation. Only one foreign key is supported." if foreign_keys.length > 1
+
+        foreign_key, attributes = foreign_keys.first
+        reference = attributes.fetch(:references)
+        if forward_join
+          unique = attributes[:unique] == true
+          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique}
+        else
+          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true}
+        end
+      end
+
       def transform_input(model, data, action, force_allow_id)
         fields = schema_for(model).fetch(:fields)
         input = stringify_keys(data)
@@ -242,6 +292,7 @@ module BetterAuth
       def coerce_value(value, attributes)
         return value if value.nil?
         return Time.parse(value) if attributes[:type] == "date" && value.is_a?(String)
+        return JSON.generate(value) if json_like?(attributes) && !value.is_a?(String)
 
         value
       end
@@ -250,10 +301,37 @@ module BetterAuth
         return value if value.nil?
         return coerce_boolean(value) if attributes[:type] == "boolean"
         return Time.parse(value.to_s) if attributes[:type] == "date" && !value.is_a?(Time)
+        return parse_json_value(value) if json_like?(attributes) && value.is_a?(String)
 
         value
       end
 
+      def coerce_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return coerce_value(false, attributes) if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return coerce_value(true, attributes) if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        end
+
+        coerce_value(value, attributes)
+      end
+
+      def json_like?(attributes)
+        %w[json string[] number[]].include?(attributes[:type])
+      end
+
+      def parse_json_value(value)
+        JSON.parse(value)
+      rescue JSON::ParserError
+        value
+      end
+
       def coerce_boolean(value)
         return value if value == true || value == false
         return false if value == 0 || value.to_s == "0" || value.to_s.downcase == "f" || value.to_s.downcase == "false"
@@ -262,6 +340,18 @@ module BetterAuth
         value
       end
 
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
+      def escape_like(value)
+        value.to_s.gsub(/[\\%_]/) { |match| "\\#{match}" }
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[storage_key(key)] = value

data/lib/better_auth/hanami/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module Hanami
-    VERSION = "0.6.2"
+    VERSION = "0.8.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-hanami
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.8.0
 platform: ruby
 authors:
 - Sebastian Sala
@@ -181,8 +181,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-description: Hanami integration for Better Auth Ruby. Provides route mounting, ROM/Sequel
-  persistence, migrations, helpers, and generators.
+description: Hanami integration for Better Auth Ruby. Better Auth Ruby is an independent
+  modern authentication framework for Ruby inspired by Better Auth. Provides route
+  mounting, ROM/Sequel persistence, migrations, helpers, and generators.
 email:
 - sebastian.sala.tech@gmail.com
 executables: []