better_auth-sinatra 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 286615dfbfdc63c86fc4ac0c65b8bd5a96781472f8d6893403fcea0f4f242218
-  data.tar.gz: e9d71a166e6fbac411dc0c4b7ac3878a9ea33485530ac2650480a41f613b25ba
+  metadata.gz: 14d141007853cbd143bb23e5ac0557790a28bfb65e386b340e545d9cd0cb55c0
+  data.tar.gz: 6b21abf9d5f9b8e8633c83f9255e7861818e310bf0c614b1368e4530460eeaaa
 SHA512:
-  metadata.gz: 91cb983141d5d37966e9f17df4c96765d0e3f92335b2c902b83d7dcadcadd52f15c3e28ab2a74364c1b89fb1fff11dceccde12f0c0fd65cba172d9d76ef67da1
-  data.tar.gz: 5a17343aeaa31e4c54eaf3f2ada457a778a876c215ba9df52cc96a60c22a320c09ab703c4f469dcbaa12c4c47eb3a6396783b07b42d6577b66cfa04a241a18f6
+  metadata.gz: a1766d030b0eb07b9e0ad84896b8b0d8efe4d3f2f01d9eb46a95e5fdb9a2f2e629904d924108a970d4fb70308e68e5cd6480832789e2edc5bd4a5d1a5167899f
+  data.tar.gz: 48323869049ff91d30ad0f0b465e89c8802d88b5f3d92df37f1d08c9f401e9fcfb5ffdc38fcf2d9a828296739a913dba3171e71bd00667a852111b1a98a9707d

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## Unreleased
+
+## 0.7.0 - 2026-05-05
+
+- Fixed auth dispatch when Rack splits mounted paths across `SCRIPT_NAME` and `PATH_INFO`.
+- Rejected `better_auth at: "/"` to avoid capturing every Sinatra route.
+- Stopped swallowing real migration bookkeeping query errors while preserving empty-state behavior for missing schema tables.
+- Split simple single-line multi-statement SQL migration files.
+- Passed versioned `secrets` through Sinatra configuration to core auth.
+- Warned when `better_auth` is configured more than once on the same Sinatra app class.
+- Returned JSON-shaped 401 responses from `require_authentication` when JSON is preferred.
+- Removed duplicate Rake task wiring and clarified `better_auth:routes` output.
+- Documented mount path, Rack nesting, SQL migration, and helper auth caveats.
+
 ## 0.1.1 - 2026-04-29
 
 - Fixed mounted base-path propagation when creating the Sinatra auth instance.

data/README.md

@@ -39,9 +39,26 @@ class App < Sinatra::Base
 end
 ```
 
-The extension mounts the core Rack app at `/api/auth` by default. The core app
-still owns routes such as `/ok`, `/sign-up/email`, `/sign-in/email`, and plugin
-endpoints.
+The extension mounts the core Rack app at `/api/auth` by default. The mount path
+cannot be `/`, because that would capture every Sinatra route before the app can
+handle it. The core app still owns routes such as `/ok`, `/sign-up/email`,
+`/sign-in/email`, and plugin endpoints.
+
+`better_auth at:` sets the path prefix that Better Auth uses as its core
+`base_path`. The adapter supports two common Rack mount patterns:
+
+- Natural Sinatra nesting: mount the Sinatra app under a parent `Rack::URLMap`,
+  for example at `/api`, and configure `better_auth at: "/auth"`. Auth routes
+  are available at `/api/auth/*`.
+- Shared auth mount: mount the Sinatra app itself at the same path as auth, for
+  example `/api/auth`, and configure `better_auth at: "/api/auth"`. The adapter
+  reconstructs the logical path from Rack `SCRIPT_NAME` and `PATH_INFO`.
+
+When using reverse proxies, `Rack::URLMap`, or another parent app, make sure the
+`PATH_INFO` visible to Sinatra still aligns with the configured auth prefix.
+`SCRIPT_NAME` handling depends on the Rack server and mount stack, so verify
+redirect URLs and cookie paths in integration tests when mounting below a
+sub-path.
 
 ## Helpers
 
@@ -51,6 +68,14 @@ endpoints.
 - `require_authentication`
 
 `require_authentication` halts with `401` when no Better Auth user is present.
+Requests that prefer JSON receive the same JSON error shape used by the core
+router.
+
+Sinatra helpers resolve sessions through the core `get-session` API path, so
+Better Auth plugin hooks that affect session lookup, such as the bearer plugin,
+run for `current_user` and `require_authentication`. Helper session lookup may
+emit Better Auth `Set-Cookie` headers when stale cookies need to be cleared or
+session cookies need to be refreshed.
 
 ## Rake Tasks
 
@@ -78,6 +103,11 @@ Sinatra does not include a Rails-style database layer or migration command.
 This adapter uses Better Auth core SQL adapters for migrations. Set
 `BETTER_AUTH_DIALECT=postgres`, `mysql`, or `sqlite` when generating SQL.
 
+Generated SQL should keep one statement per line ending with `;`. The migration
+runner handles simple single-line multi-statement files, but hand-edited SQL
+with semicolons inside string literals can confuse the splitter. DDL rollback
+behavior depends on the database, so back up production data before migrating.
+
 ActiveRecord-backed Sinatra migrations are not supported yet. Apps that already
 use `sinatra-activerecord` can still configure Better Auth manually, but the v1
 Rake tasks do not emit ActiveRecord migrations.

data/lib/better_auth/sinatra/configuration.rb

@@ -8,6 +8,7 @@ module BetterAuth
         base_url
         base_path
         secret
+        secrets
         database
         plugins
         trusted_origins

data/lib/better_auth/sinatra/extension.rb

@@ -11,6 +11,13 @@ module BetterAuth
       module ClassMethods
         def better_auth(at: BetterAuth::Configuration::DEFAULT_BASE_PATH, auth: nil, **overrides)
           mount_path = normalize_better_auth_mount_path(at)
+          if mount_path == "/"
+            raise ArgumentError,
+              "better_auth mount path cannot be '/' (it would capture every request). " \
+              "Use a prefix such as #{BetterAuth::Configuration::DEFAULT_BASE_PATH.inspect}."
+          end
+          warn "[better_auth-sinatra] better_auth is already configured for this app; the new configuration will be appended." if respond_to?(:better_auth_auth)
+
           config = BetterAuth::Sinatra.configuration.copy
           yield config if block_given?
           config.base_path = mount_path

data/lib/better_auth/sinatra/helpers.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "json"
+
 module BetterAuth
   module Sinatra
     module Helpers
@@ -20,11 +22,29 @@ module BetterAuth
       def require_authentication
         return true if authenticated?
 
+        if prefers_json_response?
+          error = BetterAuth::APIError.new("UNAUTHORIZED")
+          halt 401, {"content-type" => "application/json"}, JSON.generate(error.to_h)
+        end
+
         halt 401, ""
       end
 
       private
 
+      def prefers_json_response?
+        accept = request.env["HTTP_ACCEPT"].to_s
+        return false if accept.empty? || accept == "*/*"
+
+        preferred = request.preferred_type(["application/json", "text/html"]) if request.respond_to?(:preferred_type)
+        return preferred.to_s == "application/json" if preferred
+
+        accept.split(",").any? do |entry|
+          media_type = entry.split(";", 2).first.to_s.strip
+          media_type == "application/json" || media_type.end_with?("+json")
+        end
+      end
+
       def better_auth_session_data
         return request.env["better_auth.session"] if request.env.key?("better_auth.session")
 
@@ -33,18 +53,35 @@ module BetterAuth
 
       def resolve_better_auth_session
         auth = better_auth_auth
-        auth.context.prepare_for_request!(request) if auth.context.respond_to?(:prepare_for_request!)
-        context = BetterAuth::Endpoint::Context.new(
-          path: request.path_info,
-          method: request.request_method,
-          query: request.GET,
-          body: {},
-          params: params,
-          headers: {"cookie" => request.env["HTTP_COOKIE"]},
-          context: auth.context,
-          request: request
+        result = auth.api.get_session(
+          headers: better_auth_request_headers,
+          return_headers: true
         )
-        BetterAuth::Session.find_current(context, disable_refresh: true)
+        apply_better_auth_response_headers(result[:headers] || result["headers"] || {})
+        result[:response] || result["response"]
+      end
+
+      def better_auth_request_headers
+        request.env.each_with_object({}) do |(key, value), headers|
+          case key
+          when "CONTENT_TYPE"
+            headers["content-type"] = value if value
+          when "CONTENT_LENGTH"
+            headers["content-length"] = value if value
+          else
+            next unless key.start_with?("HTTP_")
+
+            headers[key.delete_prefix("HTTP_").downcase.tr("_", "-")] = value
+          end
+        end
+      end
+
+      def apply_better_auth_response_headers(headers)
+        set_cookie = headers["set-cookie"] || headers["Set-Cookie"] || headers[:set_cookie]
+        return if set_cookie.to_s.empty?
+
+        existing = response.headers["set-cookie"].to_s
+        response.headers["set-cookie"] = [existing, set_cookie.to_s].reject(&:empty?).join("\n")
       end
 
       def better_auth_auth

data/lib/better_auth/sinatra/migration.rb

@@ -6,6 +6,13 @@ module BetterAuth
   module Sinatra
     module Migration
       DEFAULT_MIGRATIONS_PATH = "db/better_auth/migrate"
+      MISSING_MIGRATIONS_TABLE_MESSAGES = [
+        /no such table/i,
+        /relation .* does not exist/i,
+        /table .* doesn't exist/i,
+        /undefined table/i,
+        /invalid object name/i
+      ].freeze
 
       class UnsupportedAdapterError < StandardError; end
 
@@ -83,7 +90,11 @@ module BetterAuth
       def applied_migrations(connection, dialect)
         rows = execute_sql(connection, "SELECT #{quote("version", dialect)} FROM #{quote("better_auth_schema_migrations", dialect)};")
         Array(rows).map { |row| row["version"] || row[:version] }
-      rescue
+      rescue UnsupportedAdapterError
+        raise
+      rescue => error
+        raise error unless missing_schema_migrations_table?(error)
+
         []
       end
 
@@ -109,7 +120,112 @@ module BetterAuth
       end
 
       def statements(sql)
-        sql.split(/;\s*$/).map(&:strip).reject(&:empty?)
+        normalized = sql.to_s.gsub("\r\n", "\n").strip
+        return [] if normalized.empty?
+
+        split_sql_statements(normalized)
+      end
+
+      def split_sql_statements(sql)
+        output = []
+        buffer = +""
+        index = 0
+        quote = nil
+        line_comment = false
+        block_comment = false
+        dollar_tag = nil
+
+        while index < sql.length
+          state = {
+            quote: quote,
+            line_comment: line_comment,
+            block_comment: block_comment,
+            dollar_tag: dollar_tag
+          }
+          index, quote, line_comment, block_comment, dollar_tag = scan_sql_character(sql, buffer, index, state, output)
+        end
+
+        tail = buffer.strip
+        output << tail unless tail.empty?
+        output
+      end
+
+      def scan_sql_character(sql, buffer, index, state, output)
+        char = sql[index]
+        next_char = sql[index + 1]
+        quote = state[:quote]
+        line_comment = state[:line_comment]
+        block_comment = state[:block_comment]
+        dollar_tag = state[:dollar_tag]
+
+        return scan_line_comment(buffer, index, char) + [quote, false, block_comment, dollar_tag] if line_comment && char == "\n"
+        return scan_line_comment(buffer, index, char) + [quote, true, block_comment, dollar_tag] if line_comment
+        return scan_block_comment(buffer, index, char, next_char, quote, line_comment, dollar_tag) if block_comment
+        return scan_dollar_quote(sql, buffer, index, char, quote, line_comment, block_comment, dollar_tag) if dollar_tag
+        return scan_quoted_string(sql, buffer, index, char, quote, line_comment, block_comment, dollar_tag) if quote
+        return [index + 2, quote, true, block_comment, dollar_tag].tap { buffer << char << next_char } if char == "-" && next_char == "-"
+        return [index + 2, quote, line_comment, true, dollar_tag].tap { buffer << char << next_char } if char == "/" && next_char == "*"
+
+        tag = dollar_quote_tag_at(sql, index)
+        return [index + tag.length, quote, line_comment, block_comment, tag].tap { buffer << tag } if tag
+        return [index + 1, char, line_comment, block_comment, dollar_tag].tap { buffer << char } if char == "'" || char == "\""
+
+        if char == ";"
+          statement = buffer.strip
+          output << statement unless statement.empty?
+          buffer.clear
+          return [index + 1, quote, line_comment, block_comment, dollar_tag]
+        end
+
+        buffer << char
+        [index + 1, quote, line_comment, block_comment, dollar_tag]
+      end
+
+      def scan_line_comment(buffer, index, char)
+        buffer << char
+        [index + 1]
+      end
+
+      def scan_block_comment(buffer, index, char, next_char, quote, line_comment, dollar_tag)
+        buffer << char
+        if char == "*" && next_char == "/"
+          buffer << next_char
+          [index + 2, quote, line_comment, false, dollar_tag]
+        else
+          [index + 1, quote, line_comment, true, dollar_tag]
+        end
+      end
+
+      def scan_dollar_quote(sql, buffer, index, char, quote, line_comment, block_comment, dollar_tag)
+        if sql[index, dollar_tag.length] == dollar_tag
+          buffer << dollar_tag
+          [index + dollar_tag.length, quote, line_comment, block_comment, nil]
+        else
+          buffer << char
+          [index + 1, quote, line_comment, block_comment, dollar_tag]
+        end
+      end
+
+      def scan_quoted_string(sql, buffer, index, char, quote, line_comment, block_comment, dollar_tag)
+        buffer << char
+        if char == quote && sql[index + 1] == quote
+          buffer << sql[index + 1]
+          [index + 2, quote, line_comment, block_comment, dollar_tag]
+        elsif char == quote
+          [index + 1, nil, line_comment, block_comment, dollar_tag]
+        else
+          [index + 1, quote, line_comment, block_comment, dollar_tag]
+        end
+      end
+
+      def dollar_quote_tag_at(sql, index)
+        match = sql[index..]&.match(/\A\$[A-Za-z_][A-Za-z0-9_]*\$|\A\$\$/)
+        match&.[](0)
+      end
+
+      def missing_schema_migrations_table?(error)
+        message = error.message.to_s
+        MISSING_MIGRATIONS_TABLE_MESSAGES.any? { |pattern| message.match?(pattern) }
       end
 
       def quote(identifier, dialect)

data/lib/better_auth/sinatra/mounted_app.rb

@@ -10,9 +10,12 @@ module BetterAuth
       end
 
       def call(env)
-        return auth.call(env) if mounted_path?(env["PATH_INFO"])
+        return @app.call(env) unless mount_matches?(env)
 
-        @app.call(env)
+        rewritten_path = mounted_path_info(env)
+        next_env = env.merge("PATH_INFO" => rewritten_path)
+        next_env["SCRIPT_NAME"] = "" if shared_mount_rewrite?(env, rewritten_path)
+        auth.call(next_env)
       end
 
       private
@@ -23,11 +26,39 @@ module BetterAuth
         @auth
       end
 
-      def mounted_path?(path)
-        normalized = normalize_path(path)
-        return true if @mount_path == "/"
+      def mount_matches?(env)
+        return false if @mount_path == "/"
 
-        normalized == @mount_path || normalized.start_with?("#{@mount_path}/")
+        path_info = normalize_path(env["PATH_INFO"])
+        return true if path_info == @mount_path || path_info.start_with?("#{@mount_path}/")
+
+        full = full_request_path(env)
+        full == @mount_path || full.start_with?("#{@mount_path}/")
+      end
+
+      def full_request_path(env)
+        script = env.fetch("SCRIPT_NAME", "").to_s
+        path = env.fetch("PATH_INFO", "").to_s
+        normalize_path("#{script}#{path}")
+      end
+
+      def mounted_path_info(env)
+        path_info = normalize_path(env["PATH_INFO"])
+        return path_info if path_info == @mount_path || path_info.start_with?("#{@mount_path}/")
+
+        script_name = normalize_path(env["SCRIPT_NAME"])
+        prefix = (script_name == "/") ? @mount_path : script_name
+        return path_info if path_info == prefix || path_info.start_with?("#{prefix}/")
+
+        normalize_path("#{prefix}/#{path_info.delete_prefix("/")}")
+      end
+
+      def shared_mount_rewrite?(env, rewritten_path)
+        script_name = normalize_path(env["SCRIPT_NAME"])
+        original_path = normalize_path(env["PATH_INFO"])
+        script_name != "/" &&
+          !original_path.start_with?("#{@mount_path}/") &&
+          rewritten_path.start_with?("#{@mount_path}/")
       end
 
       def normalize_path(path)

data/lib/better_auth/sinatra/tasks.rb

@@ -30,11 +30,6 @@ namespace :better_auth do
     end
   end
 
-  desc "Create the Better Auth SQL migration"
-  task "generate:migration" do
-    Rake::Task["better_auth:generate:migration"].invoke
-  end
-
   desc "Run pending Better Auth SQL migrations"
   task :migrate do
     BetterAuth::Sinatra.load_app_config
@@ -44,6 +39,8 @@ namespace :better_auth do
   desc "Print Better Auth Sinatra mount information"
   task :routes do
     BetterAuth::Sinatra.load_app_config
-    puts "#{BetterAuth::Sinatra.configuration.base_path}/* -> BetterAuth.auth"
+    mount_path = BetterAuth::Sinatra.configuration.base_path
+    puts "#{mount_path}/* -> BetterAuth.auth"
+    puts "Core routes are handled by Better Auth; use the OpenAPI plugin or HTTP API docs for endpoint details."
   end
 end

data/lib/better_auth/sinatra/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module Sinatra
-    VERSION = "0.6.1"
+    VERSION = "0.7.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-sinatra
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.7.0
 platform: ruby
 authors:
 - Sebastian Sala