better_auth-hanami 0.8.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38b660cd7b5342ffeb1604a0b1c31ec6b0258016e496f6910764d0c166242edb
-  data.tar.gz: b8857da84de1c4d1ca206892aeaf438fd633ee729290074e2e68872930964428
+  metadata.gz: b23720fd336f4026363d337c886f73c6ab60369d3e3f8679d25b989712caf74d
+  data.tar.gz: 809a0912aaafdce964e6622c05f7fdc77892165524901f7e56970a7e34abac99
 SHA512:
-  metadata.gz: 40d10b9a1922dc8b80c90362c124f4513b98e6cb0cd1895eae17cafb07fa30d5ec6473f19b3ce828ecf3db22181472c20edcbf6d98d888889f2c389c789b3cec
-  data.tar.gz: 9c44539d3fbaee60870d67bb2e9fa79ef75b7d3d9cc1cc48cc1979fc256347fe282b29cb24eed9689d1c7850bd728a0b2208fbb7d3d7752d72f21626b9cc8a65
+  metadata.gz: ddad200e1d991c7b81a746828854b65359b01545f0e161a342ce8a1a7cfdf8ae1f82fd7ec1703d58ce728e10ec1b71defbcb2049508627eb0241988a1a256945
+  data.tar.gz: '038a9aaa4497e56a9fcf64ca88d650b3f750a75256c0d3a08b505dfbe58894d7a2d17d54ecd1cbce8a709c7b3d5187daee3b8912b41c59d7b3c1b6d09c790a04'

data/CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.10.0] - 2026-05-21
+
+### Fixed
+
+- Preserved migration foreign keys and improved generated migration output.
+- Hardened Hanami routing, helpers, rate limits, rake tasks, and Sequel adapter behavior.
+
 ## [0.7.0] - 2026-05-05
 
 ### Fixed

data/README.md

@@ -40,11 +40,15 @@ bin/hanami db migrate
 ```
 
 When you add plugins that introduce schema tables or fields, regenerate both
-the migration and the app query objects before migrating a new app:
+the migration and the app query objects. If the base migration already exists
+and Hanami can connect to the current Sequel database, the migration generator
+creates a new incremental update migration for missing plugin tables, additional
+fields, and indexes:
 
 ```bash
 bundle exec rake better_auth:generate:migration
 bundle exec rake better_auth:generate:relations
+bundle exec rake better_auth:doctor
 ```
 
 ## Configuration
@@ -58,14 +62,17 @@ Hanami.app.register_provider(:better_auth) do
   end
 
   start do
+    better_auth_url = target["settings"].better_auth_url.to_s
+    raise "better_auth_url must be configured" if better_auth_url.empty?
+
     BetterAuth::Hanami.configure do |config|
       config.secret = target["settings"].better_auth_secret
-      config.base_url = target["settings"].better_auth_url
+      config.base_url = better_auth_url
       config.base_path = "/api/auth"
       config.database = ->(options) {
         BetterAuth::Hanami::SequelAdapter.from_container(target, options)
       }
-      config.trusted_origins = [target["settings"].better_auth_url].compact
+      config.trusted_origins = [better_auth_url]
       config.email_and_password = {enabled: true}
       config.plugins = []
     end
@@ -84,8 +91,10 @@ CORS middleware in your Hanami app as well so preflight requests and
 policy. For the shared Rack/CORS/CSRF boundary, see
 [`host-app-responsibilities.md`](../../.docs/features/host-app-responsibilities.md).
 
-Do not rely on a Hanami-only empty `trusted_origins` list as a strict
-deny-all-origin policy; set real deployment URLs in app settings. Keep
+Do not rely on a Hanami-only empty `trusted_origins` list or inferred request
+hosts as a strict deny-all-origin policy; set a canonical deployment URL in app
+settings. The generated provider raises when `better_auth_url` is blank so auth
+URLs and origin checks are not derived from an untrusted `Host` header. Keep
 `BetterAuth::Hanami::MountedApp` behavior aligned with Hanami's router instead
 of copying Rails mount internals without integration tests. Be cautious with
 relation or inflector overrides generated for an app, because overwriting
@@ -174,6 +183,10 @@ BetterAuth::Hanami.configure do |config|
 end
 ```
 
+When no Hanami `db.gateway` is available, the adapter still falls back to
+memory storage in development and tests with a warning. In production it raises
+instead, unless you intentionally set `config.allow_memory_fallback = true`.
+
 ## Limitations
 
 - Supports Hanami 2.3+ only. Better Auth core depends on Rack 3, and Hanami 2.3 is the first Hanami line that allows Rack 3.

data/lib/better_auth/hanami/action_helpers.rb

@@ -20,6 +20,7 @@ module BetterAuth
       def require_authentication(request, response)
         return true if authenticated?(request)
 
+        apply_better_auth_session_headers(request, response)
         response.status = 401 if response.respond_to?(:status=)
         false
       end
@@ -36,18 +37,28 @@ module BetterAuth
       def resolve_better_auth_session(request)
         auth = BetterAuth::Hanami.auth
         auth.context.prepare_for_request!(request) if auth.context.respond_to?(:prepare_for_request!)
-
-        context = BetterAuth::Endpoint::Context.new(
-          path: request_path(request),
-          method: request_method(request),
-          query: request_params(request),
+        endpoint = auth.api.endpoints.fetch(:get_session)
+        endpoint_context = BetterAuth::Endpoint::Context.new(
+          path: endpoint.path,
+          method: "GET",
+          query: {"disableRefresh" => "true"},
           body: {},
           params: {},
-          headers: {"cookie" => request_cookie(request)},
+          headers: request_headers(request),
           context: auth.context,
           request: request
         )
-        BetterAuth::Session.find_current(context, disable_refresh: true)
+        result = auth.api.execute(endpoint, endpoint_context)
+        request_env(request)["better_auth.session_headers"] = result.headers || {}
+        session = result.response
+        return nil unless session
+        return nil if session.is_a?(BetterAuth::APIError)
+
+        {session: session["session"] || session[:session], user: session["user"] || session[:user]}
+      rescue BetterAuth::APIError
+        nil
+      ensure
+        auth.context.clear_runtime! if defined?(auth) && auth.context.respond_to?(:clear_runtime!)
       end
 
       def request_env(request)
@@ -72,6 +83,52 @@ module BetterAuth
         headers = request.respond_to?(:headers) ? request.headers : {}
         headers["cookie"] || headers["Cookie"]
       end
+
+      def request_authorization(request)
+        return request.get_header("HTTP_AUTHORIZATION") if request.respond_to?(:get_header)
+
+        headers = request.respond_to?(:headers) ? request.headers : {}
+        headers["authorization"] || headers["Authorization"]
+      end
+
+      def request_headers(request)
+        headers = headers_from_env(request_env(request))
+        cookie = request_cookie(request)
+        authorization = request_authorization(request)
+        headers["cookie"] = cookie if cookie
+        headers["authorization"] = authorization if authorization
+        if request.respond_to?(:headers)
+          request.headers.each { |key, value| headers[key.to_s] ||= value }
+        end
+        headers
+      end
+
+      def headers_from_env(env)
+        env.each_with_object({}) do |(key, value), headers|
+          case key
+          when "CONTENT_TYPE"
+            headers["content-type"] = value if value
+          when "CONTENT_LENGTH"
+            headers["content-length"] = value if value
+          else
+            next unless key.start_with?("HTTP_")
+
+            headers[key.delete_prefix("HTTP_").downcase.tr("_", "-")] = value
+          end
+        end
+      end
+
+      def apply_better_auth_session_headers(request, response)
+        headers = request_env(request)["better_auth.session_headers"]
+        return unless headers && headers["set-cookie"]
+
+        if response.respond_to?(:headers) && response.headers.respond_to?(:[]=)
+          existing = response.headers["set-cookie"]
+          response.headers["set-cookie"] = [existing, headers["set-cookie"]].compact.join("\n")
+        elsif response.respond_to?(:[]=)
+          response["set-cookie"] = headers["set-cookie"]
+        end
+      end
     end
   end
 end

data/lib/better_auth/hanami/configuration.rb

@@ -30,13 +30,14 @@ module BetterAuth
         logger
       ].freeze
 
-      attr_accessor(*AUTH_OPTION_NAMES)
+      attr_accessor(*AUTH_OPTION_NAMES, :allow_memory_fallback)
 
       def initialize
         @base_path = BetterAuth::Configuration::DEFAULT_BASE_PATH
         @plugins = []
         @trusted_origins = []
-        @database = ->(options) { SequelAdapter.from_hanami(options) }
+        @allow_memory_fallback = false
+        @database = ->(options) { SequelAdapter.from_hanami(options, allow_memory_fallback: allow_memory_fallback) }
       end
 
       def to_auth_options

data/lib/better_auth/hanami/generators/install_generator.rb

@@ -65,11 +65,16 @@ module BetterAuth
           end
 
           content = File.read(path)
-          return if content.include?("setting :better_auth_secret")
+          required_url_setting = "setting :better_auth_url, constructor: Types::String.constrained(min_size: 1)"
+          content = content.gsub("setting :better_auth_url, constructor: Types::String.optional", required_url_setting)
+          if content.include?("setting :better_auth_secret")
+            File.write(path, content)
+            return
+          end
 
           insertion = [
             "    setting :better_auth_secret, constructor: Types::String.constrained(min_size: 32)",
-            "    setting :better_auth_url, constructor: Types::String.optional"
+            "    #{required_url_setting}"
           ].join("\n")
           content = content.sub(/(class[ \t]+Settings[ \t]*<[ \t]*Hanami::Settings[ \t]*\n)/, "\\1#{insertion}\n")
           File.write(path, content)
@@ -96,14 +101,17 @@ module BetterAuth
               end
 
               start do
+                better_auth_url = target["settings"].better_auth_url.to_s
+                raise "better_auth_url must be configured" if better_auth_url.empty?
+
                 BetterAuth::Hanami.configure do |config|
                   config.secret = target["settings"].better_auth_secret
-                  config.base_url = target["settings"].better_auth_url
+                  config.base_url = better_auth_url
                   config.base_path = "/api/auth"
                   config.database = ->(options) {
                     BetterAuth::Hanami::SequelAdapter.from_container(target, options)
                   }
-                  config.trusted_origins = [target["settings"].better_auth_url].compact
+                  config.trusted_origins = [better_auth_url]
                   config.email_and_password = {enabled: true}
                   config.plugins = []
                 end

data/lib/better_auth/hanami/generators/migration_generator.rb

@@ -15,7 +15,7 @@ module BetterAuth
 
         def run(force: nil)
           force = @force if force.nil?
-          return existing_migration_path if existing_migration_path && !force
+          return incremental_migration_path_if_needed if existing_migration_path && !force
 
           path = existing_migration_path || migration_path
           FileUtils.mkdir_p(File.dirname(path))
@@ -35,8 +35,20 @@ module BetterAuth
           @migration_path ||= File.join(destination_root, "config/db/migrate", "#{timestamp}_create_better_auth_tables.rb")
         end
 
+        def incremental_migration_path_if_needed
+          plan = BetterAuth::Hanami::Migration.plan_pending(generator_config)
+          return existing_migration_path if plan.empty?
+
+          path = File.join(destination_root, "config/db/migrate", "#{timestamp}_update_better_auth_tables.rb")
+          FileUtils.mkdir_p(File.dirname(path))
+          File.write(path, BetterAuth::Hanami::Migration.render_pending(plan))
+          path
+        rescue BetterAuth::SQLMigration::UnsupportedAdapterError
+          existing_migration_path
+        end
+
         def timestamp
-          Time.now.utc.strftime("%Y%m%d%H%M%S")
+          @timestamp ||= Time.now.utc.strftime("%Y%m%d%H%M%S")
         end
 
         def generator_config

data/lib/better_auth/hanami/migration.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "better_auth/sql_migration"
+
 module BetterAuth
   module Hanami
     module Migration
@@ -21,6 +23,88 @@ module BetterAuth
         lines.join("\n")
       end
 
+      def render_pending(plan)
+        created_tables = plan.to_create.map(&:table_name).to_set
+        lines = [
+          "# frozen_string_literal: true",
+          "",
+          "require \"date\"",
+          "require \"rom-sql\"",
+          "",
+          "ROM::SQL.migration do",
+          "  change do"
+        ]
+        plan.to_create.each { |change| lines.concat(create_table_lines(change.table, plan.tables)) }
+        plan.to_add.each { |change| lines.concat(alter_table_lines(change, plan.tables)) }
+        plan.to_index.reject { |change| created_tables.include?(change.table_name) }.each do |change|
+          lines.concat(alter_table_index_lines(change))
+        end
+        lines.concat(["  end", "end", ""])
+        lines.join("\n")
+      end
+
+      def plan_pending(options)
+        config = BetterAuth::SQLMigration.configuration_for(options)
+        if config.database == :memory
+          raise BetterAuth::SQLMigration::UnsupportedAdapterError, "Better Auth Hanami incremental migrations require a Sequel connection"
+        end
+        if default_hanami_database?(config.database) && !(defined?(::Hanami) && ::Hanami.respond_to?(:app))
+          raise BetterAuth::SQLMigration::UnsupportedAdapterError, "Better Auth Hanami incremental migrations require a Sequel connection"
+        end
+        auth = BetterAuth.auth(config.to_h)
+        adapter = auth.context.adapter
+        connection = adapter.connection if adapter.respond_to?(:connection)
+        raise BetterAuth::SQLMigration::UnsupportedAdapterError, "Better Auth Hanami incremental migrations require a Sequel connection" unless connection
+
+        BetterAuth::SQLMigration.plan_from_existing(
+          config,
+          existing: current_schema(connection),
+          dialect: sequel_dialect(connection)
+        )
+      end
+
+      def sequel_dialect(connection)
+        type = connection.respond_to?(:database_type) ? connection.database_type.to_s : ""
+        case type
+        when /postgres/
+          :postgres
+        when /mysql/
+          :mysql
+        when /sqlite/
+          :sqlite
+        when /mssql|sqlserver|sql_server/
+          :mssql
+        else
+          :postgres
+        end
+      end
+
+      def current_schema(connection)
+        connection.tables.each_with_object({}) do |table_name, schema|
+          columns = connection.schema(table_name).each_with_object({}) do |entry, result|
+            column, metadata = entry
+            result[column.to_s] = (metadata[:db_type] || metadata[:type]).to_s
+          end
+          indexes = {names: Set.new, columns: Set.new, unique_columns: Set.new}
+          connection.indexes(table_name).each do |name, metadata|
+            indexes[:names] << name.to_s
+            Array(metadata[:columns]).each do |column|
+              column = column.to_s
+              indexes[:columns] << column
+              indexes[:unique_columns] << column if metadata[:unique]
+            end
+          end
+          schema[table_name.to_s] = {name: table_name.to_s, columns: columns, indexes: indexes}
+        end
+      end
+
+      def default_hanami_database?(database)
+        return false unless database.respond_to?(:source_location)
+
+        path, = database.source_location
+        path.to_s.end_with?("better_auth/hanami/configuration.rb")
+      end
+
       def create_table_lines(table, options)
         table_name = table.fetch(:model_name)
         lines = ["", "    create_table :#{table_name} do"]
@@ -37,16 +121,9 @@ module BetterAuth
       end
 
       def column_line(logical_field, attributes, options)
-        column = attributes[:field_name] || physical_name(logical_field)
-        reference = attributes[:references]
-        if reference
-          target = foreign_key_target(reference.fetch(:model), options)
-          parts = ["foreign_key :#{column}, :#{target}", "type: #{hanami_type(attributes)}"]
-          parts << "null: false" if attributes[:required]
-          parts << "on_delete: :#{reference[:on_delete]}" if reference[:on_delete]
-          return "      #{parts.join(", ")}"
-        end
+        return foreign_key_line("foreign_key", logical_field, attributes, options) if attributes[:references]
 
+        column = attributes[:field_name] || physical_name(logical_field)
         parts = ["column :#{column}", hanami_type(attributes)]
         parts << "null: false" if attributes[:required]
         default = default_value(attributes)
@@ -62,6 +139,36 @@ module BetterAuth
         "      index :#{column}#{unique}"
       end
 
+      def alter_table_lines(change, tables)
+        lines = ["", "    alter_table :#{change.table_name} do"]
+        change.fields.each do |logical_field, attributes|
+          lines << add_column_line(logical_field, attributes, tables)
+        end
+        lines << "    end"
+        lines
+      end
+
+      def add_column_line(logical_field, attributes, tables)
+        return foreign_key_line("add_foreign_key", logical_field, attributes, tables) if attributes[:references]
+
+        column = attributes[:field_name] || physical_name(logical_field)
+        parts = ["add_column :#{column}", hanami_type(attributes)]
+        parts << "null: false" if attributes[:required]
+        default = default_value(attributes)
+        parts << "default: #{default}" unless default.nil?
+        "      #{parts.join(", ")}"
+      end
+
+      def alter_table_index_lines(change)
+        unique = change.unique ? ", unique: true" : ""
+        [
+          "",
+          "    alter_table :#{change.table_name} do",
+          "      add_index :#{change.field_name}#{unique}",
+          "    end"
+        ]
+      end
+
       def hanami_type(attributes)
         case attributes[:type]
         when "boolean" then "TrueClass"
@@ -84,9 +191,42 @@ module BetterAuth
         end
       end
 
-      def foreign_key_target(model, options)
-        tables = BetterAuth::Schema.auth_tables(options)
-        tables.fetch(model.to_s, nil)&.fetch(:model_name) || model
+      def foreign_key_line(command, logical_field, attributes, options_or_tables)
+        column = attributes[:field_name] || physical_name(logical_field)
+        reference = attributes.fetch(:references)
+        target, target_key = foreign_key_target(reference, options_or_tables)
+        parts = ["#{command} :#{column}, :#{target}", "type: #{hanami_type(attributes)}"]
+        parts << "null: false" if attributes[:required]
+        parts << "key: :#{target_key}" unless target_key == "id"
+        parts << "on_delete: :#{reference[:on_delete]}" if reference[:on_delete]
+        "      #{parts.join(", ")}"
+      end
+
+      def foreign_key_target(reference, options_or_tables)
+        tables = auth_tables_for(options_or_tables)
+        model = reference.fetch(:model).to_s
+        table = tables.fetch(model, nil) || tables.each_value.find { |candidate| candidate.fetch(:model_name).to_s == model }
+        target = table&.fetch(:model_name) || model
+        [target, foreign_key_target_field(reference, table)]
+      end
+
+      def foreign_key_target_field(reference, table)
+        field = reference.fetch(:field).to_s
+        return physical_name(field) unless table
+
+        attributes = table.fetch(:fields).fetch(field, nil)
+        return attributes[:field_name] || physical_name(field) if attributes
+        return field if table.fetch(:fields).each_value.any? { |data| data[:field_name].to_s == field }
+
+        physical_name(field)
+      end
+
+      def auth_tables_for(options_or_tables)
+        if options_or_tables.is_a?(Hash) && options_or_tables.values.all? { |value| value.is_a?(Hash) && value.key?(:fields) && value.key?(:model_name) }
+          options_or_tables
+        else
+          BetterAuth::Schema.auth_tables(options_or_tables)
+        end
       end
 
       def physical_name(value)

data/lib/better_auth/hanami/routing.rb

@@ -11,7 +11,7 @@ module BetterAuth
 
       def better_auth(auth: nil, at: BetterAuth::Configuration::DEFAULT_BASE_PATH)
         mount_path = normalize_better_auth_mount_path(at)
-        auth ||= BetterAuth::Hanami.auth(base_path: mount_path)
+        auth ||= auth_for_better_auth_mount(mount_path)
         app = BetterAuth::Hanami::MountedApp.new(auth, mount_path: mount_path)
 
         HTTP_METHODS.each do |method_name|
@@ -29,6 +29,13 @@ module BetterAuth
         normalized = normalized.delete_suffix("/") unless normalized == "/"
         normalized.empty? ? "/" : normalized
       end
+
+      def auth_for_better_auth_mount(mount_path)
+        configured_path = normalize_better_auth_mount_path(BetterAuth::Hanami.configuration.base_path)
+        return BetterAuth::Hanami.auth if mount_path == configured_path
+
+        BetterAuth::Hanami.auth(base_path: mount_path)
+      end
     end
   end
 end

data/lib/better_auth/hanami/sequel_adapter.rb

@@ -10,24 +10,26 @@ module BetterAuth
     class SequelAdapter < BetterAuth::Adapters::Base
       include BetterAuth::Adapters::JoinSupport
 
+      WHERE_OPERATORS = %w[eq ne gt gte lt lte in not_in contains starts_with ends_with].freeze
+
       attr_reader :connection
 
-      def self.from_hanami(options, container: nil)
+      def self.from_hanami(options, container: nil, allow_memory_fallback: false)
         if container.nil? && defined?(::Hanami) && ::Hanami.respond_to?(:app)
           container = ::Hanami.app
         end
-        return memory_fallback(options) unless container
+        return memory_fallback(options, allow_memory_fallback: allow_memory_fallback) unless container
 
-        from_container(container, options)
+        from_container(container, options, allow_memory_fallback: allow_memory_fallback)
       end
 
-      def self.from_container(container, options)
+      def self.from_container(container, options, allow_memory_fallback: false)
         gateway = if container.respond_to?(:key?) && container.key?("db.gateway")
           container["db.gateway"]
         elsif container.respond_to?(:[]) && safe_fetch(container, "db.gateway")
           container["db.gateway"]
         end
-        return memory_fallback(options) unless gateway
+        return memory_fallback(options, allow_memory_fallback: allow_memory_fallback) unless gateway
 
         connection = gateway.respond_to?(:connection) ? gateway.connection : gateway
         new(options, connection: connection)
@@ -39,7 +41,11 @@ module BetterAuth
         nil
       end
 
-      def self.memory_fallback(options)
+      def self.memory_fallback(options, allow_memory_fallback: false)
+        if options.respond_to?(:production?) && options.production? && !allow_memory_fallback
+          raise Error, "Hanami db.gateway is required in production. Set config.allow_memory_fallback = true to use volatile memory storage intentionally."
+        end
+
         Kernel.warn(
           "[better_auth-hanami] SequelAdapter: using BetterAuth::Adapters::Memory " \
           "(no Hanami container or db.gateway). Persisted auth data will not survive process restart."
@@ -56,7 +62,8 @@ module BetterAuth
         model = model.to_s
         input = transform_input(model, data, "create", force_allow_id)
         table_dataset(model).insert(physical_attributes(model, input))
-        find_one(model: model, where: [{field: "id", value: input.fetch("id")}])
+        lookup = create_lookup(model, input)
+        lookup ? find_one(model: model, where: [lookup]) : input
       end
 
       def find_one(model:, where: [], select: nil, join: nil)
@@ -67,32 +74,41 @@ module BetterAuth
         model = model.to_s
         dataset = table_dataset(model)
         dataset = apply_where(model, dataset, where || [])
-        dataset = apply_select(model, dataset, select) if select
+        join_config = normalized_join(model, join)
+        requested_select = select ? Array(select).map { |field| storage_key(field) } : nil
+        effective_select = select_fields_for_join(requested_select, join_config)
+        dataset = apply_select(model, dataset, effective_select) if effective_select
         dataset = apply_order(model, dataset, sort_by) if sort_by
-        dataset = dataset.limit(Integer(limit)) if limit
-        dataset = dataset.offset(Integer(offset)) if offset
+        dataset = dataset.limit(coerce_pagination(limit, "limit")) if limit
+        dataset = dataset.offset(coerce_pagination(offset, "offset")) if offset
 
         records = dataset.all.map { |row| normalize_record(model, row) }
-        attach_joins(model, records, join)
+        records = attach_joins(model, records, join_config)
+        trim_unrequested_select_fields(records, requested_select, join_config) if requested_select
+        records
       end
 
       def update(model:, where:, update:)
         model = model.to_s
-        existing = find_one(model: model, where: where, select: ["id"])
+        existing = find_one(model: model, where: where)
         return nil unless existing
 
         update_many(model: model, where: where, update: update)
-        find_one(model: model, where: [{field: "id", value: existing.fetch("id")}])
+        lookup = record_lookup(model, existing)
+        lookup ? find_one(model: model, where: [lookup]) : find_one(model: model, where: where)
       end
 
       def update_many(model:, where:, update:, returning: false)
         model = model.to_s
-        existing = returning ? find_many(model: model, where: where, select: ["id"]) : []
+        existing = returning ? find_many(model: model, where: where) : []
         attributes = physical_attributes(model, transform_input(model, update, "update", true))
         apply_where(model, table_dataset(model), where || []).update(attributes)
         return unless returning
 
-        existing.map { |record| find_one(model: model, where: [{field: "id", value: record.fetch("id")}]) }
+        existing.map do |record|
+          lookup = record_lookup(model, record)
+          lookup ? find_one(model: model, where: [lookup]) : record
+        end
       end
 
       def delete(model:, where:)
@@ -136,22 +152,34 @@ module BetterAuth
         column = storage_field(model, field)
         identifier = Sequel[column.to_sym]
         operator = (fetch_key(clause, :operator) || "eq").to_s
+        raise APIError.new("BAD_REQUEST", message: "Invalid operator #{operator}") unless WHERE_OPERATORS.include?(operator)
+
+        mode = (fetch_key(clause, :mode) || "sensitive").to_s
         attributes = schema_for(model).fetch(:fields).fetch(field)
         raw_value = fetch_key(clause, :value)
         value = coerce_where_value(raw_value, attributes)
+        insensitive = insensitive_string_mode?(mode, attributes)
+        comparable = insensitive ? Sequel.function(:lower, identifier) : identifier
+        compare_value = insensitive ? downcase_where_value(value) : value
 
         case operator
-        when "in" then {column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) }}
-        when "not_in" then Sequel.~(column.to_sym => Array(raw_value).map { |entry| coerce_where_value(entry, attributes) })
-        when "ne" then Sequel.~(column.to_sym => value)
-        when "gt" then identifier > value
-        when "gte" then identifier >= value
-        when "lt" then identifier < value
-        when "lte" then identifier <= value
-        when "contains" then Sequel.like(identifier, "%#{escape_like(value)}%", escape: "\\")
-        when "starts_with" then Sequel.like(identifier, "#{escape_like(value)}%", escape: "\\")
-        when "ends_with" then Sequel.like(identifier, "%#{escape_like(value)}", escape: "\\")
-        else {column.to_sym => value}
+        when "in"
+          values = Array(raw_value).map { |entry| coerce_where_value(entry, attributes) }
+          values = downcase_where_value(values) if insensitive
+          insensitive ? Sequel.expr(comparable => values) : {column.to_sym => values}
+        when "not_in"
+          values = Array(raw_value).map { |entry| coerce_where_value(entry, attributes) }
+          values = downcase_where_value(values) if insensitive
+          Sequel.~(insensitive ? Sequel.expr(comparable => values) : {column.to_sym => values})
+        when "ne" then insensitive ? Sequel.~(Sequel.expr(comparable => compare_value)) : Sequel.~(column.to_sym => value)
+        when "gt" then comparable > compare_value
+        when "gte" then comparable >= compare_value
+        when "lt" then comparable < compare_value
+        when "lte" then comparable <= compare_value
+        when "contains" then Sequel.like(comparable, "%#{escape_like(compare_value)}%", escape: "\\")
+        when "starts_with" then Sequel.like(comparable, "#{escape_like(compare_value)}%", escape: "\\")
+        when "ends_with" then Sequel.like(comparable, "%#{escape_like(compare_value)}", escape: "\\")
+        else insensitive ? Sequel.expr(comparable => compare_value) : {column.to_sym => value}
         end
       end
 
@@ -165,27 +193,50 @@ module BetterAuth
         dataset.order(direction)
       end
 
-      def attach_joins(model, records, join)
-        return records unless join
+      def attach_joins(_model, records, join_config)
+        return records if join_config.empty? || records.empty?
 
-        join_config = normalized_join(model, join)
         records.each do |record|
           join_config.each do |join_model, config|
-            record[join_model] = joined_records(record, join_model, config)
+            record[join_model] = one_to_one_join?(config) ? nil : []
           end
         end
+        join_config.each do |join_model, config|
+          attach_join(model_records: records, join_model: join_model, config: config)
+        end
         records
       end
 
+      def attach_join(model_records:, join_model:, config:)
+        values = model_records.map { |record| record[config.fetch(:from)] }.compact.uniq
+        return if values.empty?
+
+        joined = if one_to_one_join?(config)
+          find_many(model: join_model, where: [{field: config.fetch(:to), operator: "in", value: values}])
+        else
+          values.flat_map do |value|
+            find_many(model: join_model, where: [{field: config.fetch(:to), value: value}], limit: join_limit(config))
+          end
+        end
+        grouped = joined.group_by { |record| record[config.fetch(:to)] }
+        model_records.each do |record|
+          records = grouped.fetch(record[config.fetch(:from)], [])
+          record[join_model] = if one_to_one_join?(config)
+            records.first
+          else
+            records.first(join_limit(config))
+          end
+        end
+      end
+
       def joined_records(record, join_model, config)
         local_value = record[config.fetch(:from)]
         where = [{field: config.fetch(:to), value: local_value}]
-
         if one_to_one_join?(config)
           find_one(model: join_model, where: where)
         else
           records = find_many(model: join_model, where: where)
-          config[:limit] ? records.first(Integer(config[:limit])) : records
+          records.first(join_limit(config))
         end
       end
 
@@ -213,9 +264,9 @@ module BetterAuth
         reference = attributes.fetch(:references)
         if forward_join
           unique = attributes[:unique] == true
-          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique}
+          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique, limit: unique ? 1 : default_find_many_limit}
         else
-          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true}
+          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true, limit: 1}
         end
       end
 
@@ -233,7 +284,7 @@ module BetterAuth
             raise APIError.new("BAD_REQUEST", message: "#{field} is not allowed to be set")
           end
 
-          if !value_provided && action == "create" && attributes.key?(:default_value)
+          if action == "create" && attributes.key?(:default_value) && (!value_provided || (attributes[:required] && value.nil?))
             value = resolve_default(attributes[:default_value])
             value_provided = true
           elsif !value_provided && action == "update" && attributes[:on_update]
@@ -246,10 +297,30 @@ module BetterAuth
           output[field] = coerce_value(value, attributes) if value_provided
         end
 
-        output["id"] = generated_id if action == "create" && !output.key?("id")
+        output["id"] = generated_id if action == "create" && !output.key?("id") && fields.key?("id")
         output
       end
 
+      def create_lookup(model, input)
+        fields = schema_for(model).fetch(:fields)
+        return {field: "id", value: input.fetch("id")} if fields.key?("id") && input.key?("id")
+
+        unique_field = fields.find { |field, attributes| attributes[:unique] && input.key?(field) }
+        return {field: unique_field.first, value: input.fetch(unique_field.first)} if unique_field
+
+        nil
+      end
+
+      def record_lookup(model, record)
+        fields = schema_for(model).fetch(:fields)
+        return {field: "id", value: record.fetch("id")} if fields.key?("id") && record.key?("id")
+
+        unique_field = fields.find { |field, attributes| attributes[:unique] && record.key?(field) }
+        return {field: unique_field.first, value: record.fetch(unique_field.first)} if unique_field
+
+        nil
+      end
+
       def physical_attributes(model, logical)
         logical.each_with_object({}) do |(field, value), attributes|
           attributes[storage_field(model, field).to_sym] = value
@@ -271,10 +342,16 @@ module BetterAuth
 
       def schema_for(model)
         BetterAuth::Schema.auth_tables(options).fetch(model.to_s)
+      rescue KeyError
+        raise APIError.new("BAD_REQUEST", message: "Invalid model #{model}")
       end
 
       def storage_field(model, field)
-        schema_for(model).fetch(:fields).fetch(field.to_s).fetch(:field_name, physical_name(field))
+        fields = schema_for(model).fetch(:fields)
+        attributes = fields[field.to_s]
+        raise APIError.new("BAD_REQUEST", message: "Invalid field #{field} for model #{model}") unless attributes
+
+        attributes.fetch(:field_name, physical_name(field))
       end
 
       def generated_id
@@ -291,7 +368,7 @@ module BetterAuth
 
       def coerce_value(value, attributes)
         return value if value.nil?
-        return Time.parse(value) if attributes[:type] == "date" && value.is_a?(String)
+        return parse_time_value(value) if attributes[:type] == "date" && value.is_a?(String)
         return JSON.generate(value) if json_like?(attributes) && !value.is_a?(String)
 
         value
@@ -316,7 +393,7 @@ module BetterAuth
         when "number"
           return coerce_number(value)
         when "date"
-          return Time.parse(value) if value.is_a?(String)
+          return parse_time_value(value) if value.is_a?(String)
         end
 
         coerce_value(value, attributes)
@@ -348,6 +425,57 @@ module BetterAuth
         value
       end
 
+      def coerce_pagination(value, label)
+        Integer(value).tap do |integer|
+          raise ArgumentError if integer.negative?
+        end
+      rescue ArgumentError, TypeError
+        raise APIError.new("BAD_REQUEST", message: "Invalid #{label}")
+      end
+
+      def select_fields_for_join(select, join_config)
+        return select unless select && !join_config.empty?
+
+        join_config.each_value.with_object(select.dup) do |config, fields|
+          from = storage_key(config.fetch(:from))
+          fields << from unless fields.include?(from)
+        end
+      end
+
+      def trim_unrequested_select_fields(records, requested_select, join_config)
+        hidden = join_config.each_value.map { |config| storage_key(config.fetch(:from)) } - requested_select
+        records.each { |record| hidden.each { |field| record.delete(field) } }
+      end
+
+      def insensitive_string_mode?(mode, attributes)
+        mode == "insensitive" && attributes[:type].to_s == "string"
+      end
+
+      def downcase_where_value(value)
+        return value.map { |entry| downcase_where_value(entry) } if value.is_a?(Array)
+        return value.downcase if value.is_a?(String)
+
+        value
+      end
+
+      def default_find_many_limit
+        database_options = options.advanced[:database] || {}
+        coerce_pagination(
+          database_options[:default_find_many_limit] || database_options[:defaultFindManyLimit] || 100,
+          "limit"
+        )
+      end
+
+      def join_limit(config)
+        coerce_pagination(config[:limit] || default_find_many_limit, "limit")
+      end
+
+      def parse_time_value(value)
+        Time.parse(value)
+      rescue ArgumentError
+        raise APIError.new("BAD_REQUEST", message: "Invalid date")
+      end
+
       def escape_like(value)
         value.to_s.gsub(/[\\%_]/) { |match| "\\#{match}" }
       end

data/lib/better_auth/hanami/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module Hanami
-    VERSION = "0.8.0"
+    VERSION = "0.10.0"
   end
 end

data/lib/better_auth/hanami.rb

@@ -20,16 +20,24 @@ module BetterAuth
       end
 
       def configure
-        yield configuration
-        @auth = nil
+        auth_mutex.synchronize do
+          yield configuration
+          @auth = nil
+        end
       end
 
       def auth(overrides = nil)
         options = configuration.to_auth_options
-        return @auth ||= BetterAuth.auth(options) if overrides.nil? || overrides.empty?
+        return auth_mutex.synchronize { @auth ||= BetterAuth.auth(options) } if overrides.nil? || overrides.empty?
 
         BetterAuth.auth(options.merge(overrides))
       end
+
+      private
+
+      def auth_mutex
+        @auth_mutex ||= Mutex.new
+      end
     end
   end
 end

data/lib/tasks/better_auth.rake

@@ -19,4 +19,11 @@ namespace :better_auth do
       BetterAuth::Hanami::Generators::RelationGenerator.new.run
     end
   end
+
+  desc "Check Better Auth configuration and schema health"
+  task :doctor do
+    config = BetterAuth::Configuration.new(BetterAuth::Hanami.configuration.to_auth_options)
+    exit_code = BetterAuth::Doctor.print(BetterAuth::Doctor.check(config), stdout: $stdout, stderr: $stderr)
+    abort if exit_code != 0
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-hanami
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Sebastian Sala
@@ -206,14 +206,14 @@ files:
 - lib/better_auth/hanami/version.rb
 - lib/better_auth_hanami.rb
 - lib/tasks/better_auth.rake
-homepage: https://github.com/sebasxsala/better-auth
+homepage: https://github.com/sebasxsala/better-auth-rb
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/sebasxsala/better-auth
-  source_code_uri: https://github.com/sebasxsala/better-auth
-  changelog_uri: https://github.com/sebasxsala/better-auth/blob/main/packages/better_auth-hanami/CHANGELOG.md
-  bug_tracker_uri: https://github.com/sebasxsala/better-auth/issues
+  homepage_uri: https://github.com/sebasxsala/better-auth-rb
+  source_code_uri: https://github.com/sebasxsala/better-auth-rb
+  changelog_uri: https://github.com/sebasxsala/better-auth-rb/blob/main/packages/better_auth-hanami/CHANGELOG.md
+  bug_tracker_uri: https://github.com/sebasxsala/better-auth-rb/issues
 rdoc_options: []
 require_paths:
 - lib