better_auth 0.1.1 → 0.2.0

data/lib/better_auth/plugins/oauth_protocol.rb

@@ -0,0 +1,348 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+require "uri"
+
+module BetterAuth
+  module Plugins
+    module OAuthProtocol
+      AUTH_CODE_GRANT = "authorization_code"
+      REFRESH_GRANT = "refresh_token"
+      CLIENT_CREDENTIALS_GRANT = "client_credentials"
+      DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
+
+      module_function
+
+      def parse_scopes(value)
+        case value
+        when Array
+          value.map(&:to_s).reject(&:empty?)
+        else
+          value.to_s.split(/\s+/).reject(&:empty?)
+        end
+      end
+
+      def scope_string(value)
+        parse_scopes(value).join(" ")
+      end
+
+      def issuer(ctx)
+        ctx.context.options.base_url.to_s.empty? ? origin_for(ctx.context.base_url) : ctx.context.options.base_url
+      end
+
+      def endpoint_base(ctx)
+        ctx.context.base_url
+      end
+
+      def origin_for(url)
+        uri = URI.parse(url.to_s)
+        port = uri.port
+        default_port = (uri.scheme == "http" && port == 80) || (uri.scheme == "https" && port == 443)
+        default_port ? "#{uri.scheme}://#{uri.host}" : "#{uri.scheme}://#{uri.host}:#{port}"
+      end
+
+      def redirect_uri_with_params(uri, params)
+        parsed = URI.parse(uri.to_s)
+        existing = URI.decode_www_form(parsed.query.to_s)
+        params.each { |key, value| existing << [key.to_s, value.to_s] unless value.nil? }
+        parsed.query = URI.encode_www_form(existing)
+        parsed.to_s
+      end
+
+      def validate_redirect_uri!(client, redirect_uri)
+        redirects = client_redirect_uris(client)
+        return if redirects.include?(redirect_uri.to_s)
+
+        raise APIError.new("BAD_REQUEST", message: "invalid redirect_uri")
+      end
+
+      def client_redirect_uris(client)
+        value = client["redirectUris"] || client["redirectUrls"] || client[:redirect_uris] || client[:redirectUrls]
+        return value if value.is_a?(Array)
+
+        value.to_s.split(",").map(&:strip).reject(&:empty?)
+      end
+
+      def client_logout_redirect_uris(client)
+        value = client["postLogoutRedirectUris"] || client[:post_logout_redirect_uris]
+        return value if value.is_a?(Array)
+
+        value.to_s.split(",").map(&:strip).reject(&:empty?)
+      end
+
+      def create_client(ctx, model:, body:, owner_session: nil, default_auth_method: "client_secret_basic", store_client_secret: "plain")
+        body = stringify_keys(body || {})
+        auth_method = body["token_endpoint_auth_method"] || default_auth_method
+        public_client = auth_method == "none"
+        client_id = body["client_id"] || Crypto.random_string(32)
+        client_secret = public_client ? nil : (body["client_secret"] || Crypto.random_string(32))
+        redirects = Array(body["redirect_uris"]).map(&:to_s)
+        raise APIError.new("BAD_REQUEST", message: "redirect_uris is required") if redirects.empty?
+
+        scopes = parse_scopes(body["scope"] || body["scopes"])
+        data = {
+          "clientId" => client_id,
+          "clientSecret" => client_secret ? store_client_secret_value(ctx, client_secret, store_client_secret) : nil,
+          "type" => public_client ? "public" : "web",
+          "name" => body["client_name"] || body["name"] || "OAuth Client",
+          "icon" => body["logo_uri"],
+          "uri" => body["client_uri"],
+          "redirectUris" => redirects,
+          "redirectUrls" => redirects.join(","),
+          "postLogoutRedirectUris" => Array(body["post_logout_redirect_uris"]).map(&:to_s),
+          "tokenEndpointAuthMethod" => auth_method,
+          "grantTypes" => Array(body["grant_types"] || [AUTH_CODE_GRANT]),
+          "responseTypes" => Array(body["response_types"] || ["code"]),
+          "scopes" => scopes,
+          "skipConsent" => body["skip_consent"] || body["skipConsent"] || false,
+          "metadata" => body["metadata"] || {},
+          "disabled" => false
+        }
+        data["userId"] = owner_session[:user]["id"] if owner_session
+        created = ctx.context.adapter.create(model: model, data: data)
+        client_response(created).merge(
+          client_secret: client_secret,
+          client_id_issued_at: Time.now.to_i,
+          client_secret_expires_at: 0
+        ).compact
+      end
+
+      def client_response(client, include_secret: true)
+        data = stringify_keys(client || {})
+        response = {
+          client_id: data["clientId"],
+          client_name: data["name"],
+          client_uri: data["uri"],
+          logo_uri: data["icon"],
+          redirect_uris: client_redirect_uris(data),
+          post_logout_redirect_uris: client_logout_redirect_uris(data),
+          token_endpoint_auth_method: data["tokenEndpointAuthMethod"] || "client_secret_basic",
+          grant_types: data["grantTypes"] || [],
+          response_types: data["responseTypes"] || [],
+          skip_consent: !!data["skipConsent"],
+          scope: scope_string(data["scopes"]),
+          metadata: data["metadata"]
+        }
+        response[:client_secret] = data["clientSecret"] if include_secret && data["clientSecret"]
+        response
+      end
+
+      def find_client(ctx, model, client_id)
+        ctx.context.adapter.find_one(model: model, where: [{field: "clientId", value: client_id.to_s}])
+      end
+
+      def authenticate_client!(ctx, model, store_client_secret: "plain")
+        body = stringify_keys(ctx.body || {})
+        client_id = body["client_id"]
+        client_secret = body["client_secret"]
+
+        authorization = ctx.headers["authorization"]
+        if authorization.to_s.start_with?("Basic ") && client_id.to_s.empty?
+          decoded = Base64.decode64(authorization.delete_prefix("Basic "))
+          client_id, client_secret = decoded.split(":", 2)
+        end
+
+        client = find_client(ctx, model, client_id)
+        raise APIError.new("UNAUTHORIZED", message: "invalid_client") unless client
+
+        method = stringify_keys(client)["tokenEndpointAuthMethod"] || "client_secret_basic"
+        if method != "none" && !verify_client_secret(ctx, stringify_keys(client)["clientSecret"], client_secret, store_client_secret)
+          raise APIError.new("UNAUTHORIZED", message: "invalid_client")
+        end
+
+        client
+      rescue ArgumentError
+        raise APIError.new("UNAUTHORIZED", message: "invalid_client")
+      end
+
+      def store_code(store, code:, client_id:, redirect_uri:, session:, scopes:, code_challenge: nil, code_challenge_method: nil)
+        store[:codes][code] = {
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          session: session,
+          scopes: parse_scopes(scopes),
+          code_challenge: code_challenge,
+          code_challenge_method: code_challenge_method,
+          expires_at: Time.now + 600
+        }
+      end
+
+      def consume_code!(store, code, client_id:, redirect_uri:, code_verifier: nil)
+        data = store[:codes].delete(code.to_s)
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") unless data
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") if data[:expires_at] <= Time.now
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") unless data[:client_id] == client_id.to_s
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") unless data[:redirect_uri] == redirect_uri.to_s
+        verify_pkce!(data, code_verifier) if data[:code_challenge]
+
+        data
+      end
+
+      def verify_pkce!(code_data, verifier)
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") if verifier.to_s.empty?
+
+        challenge = if code_data[:code_challenge_method].to_s == "S256"
+          Base64.urlsafe_encode64(OpenSSL::Digest.digest("SHA256", verifier.to_s), padding: false)
+        else
+          verifier.to_s
+        end
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") unless challenge == code_data[:code_challenge]
+      end
+
+      def issue_tokens(ctx, store, model:, client:, session:, scopes:, include_refresh: false, issuer: nil, jwt_audience: nil, access_token_expires_in: 3600, id_token_signer: nil)
+        data = stringify_keys(session || {})
+        user = stringify_keys(data["user"] || data[:user] || {})
+        session_data = stringify_keys(data["session"] || data[:session] || {})
+        client_data = stringify_keys(client)
+        access_token = "ba_at_#{Crypto.random_string(32)}"
+        refresh_token = include_refresh ? "ba_rt_#{Crypto.random_string(32)}" : nil
+        scope = scope_string(scopes)
+        expires_at = Time.now + access_token_expires_in.to_i
+        record = {
+          "accessToken" => access_token,
+          "token" => access_token,
+          "refreshToken" => refresh_token,
+          "accessTokenExpiresAt" => expires_at,
+          "expiresAt" => expires_at,
+          "clientId" => client_data["clientId"],
+          "userId" => user["id"],
+          "sessionId" => session_data["id"],
+          "scope" => scope,
+          "scopes" => parse_scopes(scope),
+          "revoked" => nil
+        }
+        ctx.context.adapter.create(model: model, data: record)
+        stored_record = record.merge("user" => user, "session" => session_data, "client" => client_data)
+        store[:tokens][access_token] = stored_record
+        store[:refresh_tokens][refresh_token] = stored_record if refresh_token
+
+        response = {
+          access_token: access_token,
+          token_type: "Bearer",
+          expires_in: access_token_expires_in.to_i,
+          scope: scope
+        }
+        response[:refresh_token] = refresh_token if refresh_token
+        response[:id_token] = id_token(user, client_data["clientId"], issuer || issuer(ctx), jwt_audience || client_data["clientId"], ctx: ctx, signer: id_token_signer) if parse_scopes(scope).include?("openid")
+        response
+      end
+
+      def refresh_tokens(ctx, store, model:, client:, refresh_token:, scopes: nil, issuer: nil, access_token_expires_in: 3600, id_token_signer: nil)
+        data = store[:refresh_tokens].delete(refresh_token.to_s)
+        raise APIError.new("BAD_REQUEST", message: "invalid_grant") unless data
+        requested = scopes ? parse_scopes(scopes) : data["scopes"]
+        unless requested.all? { |scope| data["scopes"].include?(scope) }
+          raise APIError.new("BAD_REQUEST", message: "invalid_scope")
+        end
+
+        issue_tokens(
+          ctx,
+          store,
+          model: model,
+          client: client,
+          session: {"user" => data["user"], "session" => data["session"]},
+          scopes: requested,
+          include_refresh: true,
+          issuer: issuer,
+          access_token_expires_in: access_token_expires_in,
+          id_token_signer: id_token_signer
+        )
+      end
+
+      def token_record(store, token)
+        data = store[:tokens][token.to_s]
+        return nil unless data
+        return nil if data["revoked"]
+        return nil if data["expiresAt"] && data["expiresAt"] <= Time.now
+
+        data
+      end
+
+      def userinfo(store, authorization, additional_claim: nil)
+        token = authorization.to_s.delete_prefix("Bearer ").strip
+        record = token_record(store, token)
+        raise APIError.new("UNAUTHORIZED", message: "invalid_token") unless record
+        user = stringify_keys(record["user"])
+        scopes = parse_scopes(record["scope"] || record["scopes"])
+        response = {sub: user["id"]}
+        response[:name] = user["name"] if scopes.include?("profile")
+        if scopes.include?("email")
+          response[:email] = user["email"]
+          response[:email_verified] = !!user["emailVerified"]
+        end
+        if additional_claim.respond_to?(:call)
+          extra = additional_claim.call(user, scopes, stringify_keys(record["client"] || {}))
+          response.merge!(extra) if extra.is_a?(Hash)
+        end
+        response
+      end
+
+      def id_token(user, client_id, issuer_value, audience, ctx: nil, signer: nil)
+        payload = {
+          sub: user["id"],
+          iss: issuer_value,
+          aud: audience || client_id,
+          email: user["email"],
+          email_verified: !!user["emailVerified"],
+          name: user["name"]
+        }
+        return signer.call(ctx, payload) if signer.respond_to?(:call)
+
+        Crypto.sign_jwt(
+          payload,
+          client_id.to_s.empty? ? "better-auth" : client_id.to_s,
+          expires_in: 3600
+        )
+      end
+
+      def store_client_secret_value(ctx, secret, mode)
+        mode = normalize_secret_storage_mode(mode)
+        return Crypto.sha256(secret, encoding: :base64url) if mode == "hashed"
+        return Crypto.symmetric_encrypt(key: ctx.context.secret, data: secret) if mode == "encrypted"
+
+        if mode.is_a?(Hash)
+          return mode[:hash].call(secret) if mode[:hash].respond_to?(:call)
+          return mode[:encrypt].call(secret) if mode[:encrypt].respond_to?(:call)
+        end
+
+        secret
+      end
+
+      def verify_client_secret(ctx, stored_secret, provided_secret, mode)
+        mode = normalize_secret_storage_mode(mode)
+        return Crypto.constant_time_compare(Crypto.sha256(provided_secret, encoding: :base64url), stored_secret.to_s) if mode == "hashed"
+        return Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored_secret) == provided_secret.to_s if mode == "encrypted"
+
+        if mode.is_a?(Hash)
+          return mode[:hash].call(provided_secret).to_s == stored_secret.to_s if mode[:hash].respond_to?(:call)
+          return mode[:decrypt].call(stored_secret).to_s == provided_secret.to_s if mode[:decrypt].respond_to?(:call)
+        end
+
+        Crypto.constant_time_compare(stored_secret.to_s, provided_secret.to_s)
+      end
+
+      def normalize_secret_storage_mode(mode)
+        return stringify_keys(mode).transform_keys(&:to_sym) if mode.is_a?(Hash)
+
+        mode.to_s
+      end
+
+      def stores
+        {
+          codes: {},
+          tokens: {},
+          refresh_tokens: {},
+          consents: {}
+        }
+      end
+
+      def stringify_keys(value)
+        return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+        return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+        value
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/oauth_provider.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def oauth_provider(*args)
+      Kernel.require "better_auth/oauth_provider"
+      BetterAuth::Plugins.oauth_provider(*args)
+    rescue LoadError => error
+      raise if error.path && error.path != "better_auth/oauth_provider"
+
+      raise LoadError, "BetterAuth::Plugins.oauth_provider requires the better_auth-oauth-provider gem. Add `gem \"better_auth-oauth-provider\"` and `require \"better_auth/oauth_provider\"`."
+    end
+  end
+end

data/lib/better_auth/plugins/oauth_proxy.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+require "json"
+require "rack/utils"
+require "uri"
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def oauth_proxy(options = {})
+      config = {max_age: 60}.merge(normalize_hash(options))
+
+      Plugin.new(
+        id: "oauth-proxy",
+        endpoints: {
+          o_auth_proxy: oauth_proxy_endpoint(config)
+        },
+        hooks: {
+          before: [
+            {
+              matcher: ->(ctx) { oauth_proxy_sign_in_path?(ctx.path) },
+              handler: ->(ctx) { oauth_proxy_before_sign_in(ctx, config) }
+            },
+            {
+              matcher: ->(ctx) { oauth_proxy_callback_path?(ctx.path) },
+              handler: ->(ctx) { oauth_proxy_restore_state_package(ctx, config) }
+            }
+          ],
+          after: [
+            {
+              matcher: ->(ctx) { oauth_proxy_sign_in_path?(ctx.path) },
+              handler: ->(ctx) { oauth_proxy_after_sign_in(ctx, config) }
+            },
+            {
+              matcher: ->(ctx) { oauth_proxy_callback_path?(ctx.path) },
+              handler: ->(ctx) { oauth_proxy_after_callback(ctx, config) }
+            }
+          ]
+        },
+        options: config
+      )
+    end
+
+    def oauth_proxy_endpoint(config)
+      Endpoint.new(path: "/oauth-proxy-callback", method: "GET") do |ctx|
+        query = normalize_hash(ctx.query)
+        callback_url = query[:callback_url] || "/"
+        oauth_proxy_validate_callback!(ctx, callback_url)
+
+        decrypted = Crypto.symmetric_decrypt(key: ctx.context.secret, data: query[:cookies].to_s)
+        raise ctx.redirect(oauth_proxy_error_url(ctx, "OAuthProxy - Invalid cookies or secret")) unless decrypted
+
+        payload = JSON.parse(decrypted)
+        cookies = payload["cookies"]
+        timestamp = payload["timestamp"]
+        unless cookies.is_a?(String) && timestamp.is_a?(Numeric)
+          raise ctx.redirect(oauth_proxy_error_url(ctx, "OAuthProxy - Invalid payload structure"))
+        end
+
+        age = ((Time.now.to_f * 1000) - timestamp.to_f) / 1000
+        if age > config[:max_age].to_i || age < -10
+          raise ctx.redirect(oauth_proxy_error_url(ctx, "OAuthProxy - Payload expired or invalid"))
+        end
+
+        oauth_proxy_parse_set_cookie(cookies).each do |cookie|
+          ctx.set_cookie(cookie[:name], cookie[:value], cookie[:options])
+        end
+        raise ctx.redirect(callback_url)
+      rescue JSON::ParserError
+        raise ctx.redirect(oauth_proxy_error_url(ctx, "OAuthProxy - Invalid payload format"))
+      end
+    end
+
+    def oauth_proxy_before_sign_in(ctx, config)
+      return if oauth_proxy_skip?(ctx, config)
+      return unless ctx.body.is_a?(Hash)
+
+      original_callback = ctx.body["callbackURL"] || ctx.body["callbackUrl"] || ctx.body["callback_url"] || ctx.body[:callbackURL] || ctx.body[:callback_url] || ctx.context.base_url
+      current = oauth_proxy_current_uri(ctx, config)
+      callback = "#{oauth_proxy_strip_trailing(current.origin)}#{ctx.context.options.base_path}/oauth-proxy-callback?callbackURL=#{URI.encode_www_form_component(original_callback)}"
+      ctx.body = ctx.body.merge("callbackURL" => callback, :callback_url => callback)
+      nil
+    end
+
+    def oauth_proxy_restore_state_package(ctx, _config)
+      state = fetch_value(ctx.query, "state") || fetch_value(ctx.body, "state")
+      return if state.to_s.empty?
+
+      decrypted = Crypto.symmetric_decrypt(key: ctx.context.secret, data: state.to_s)
+      return unless decrypted
+
+      package = JSON.parse(decrypted)
+      return unless package["isOAuthProxy"] && package["state"] && package["stateCookie"]
+
+      cookie = ctx.context.create_auth_cookie("oauth_state")
+      current_cookie = ctx.headers["cookie"].to_s
+      restored_cookie = "#{cookie.name}=#{package["stateCookie"]}"
+      ctx.headers["cookie"] = current_cookie.empty? ? restored_cookie : "#{current_cookie}; #{restored_cookie}"
+      ctx.query = ctx.query.merge(:state => package["state"], "state" => package["state"])
+      ctx.body = ctx.body.merge(:state => package["state"], "state" => package["state"]) if ctx.body.is_a?(Hash)
+      nil
+    rescue JSON::ParserError
+      nil
+    end
+
+    def oauth_proxy_after_sign_in(ctx, config)
+      return if oauth_proxy_skip?(ctx, config)
+      return unless ctx.context.options.account[:store_state_strategy].to_s == "cookie"
+      return unless ctx.returned.is_a?(Hash)
+
+      provider_url = fetch_value(ctx.returned, "url").to_s
+      return if provider_url.empty?
+
+      uri = URI.parse(provider_url)
+      params = Rack::Utils.parse_query(uri.query)
+      original_state = params["state"]
+      return if original_state.to_s.empty?
+
+      state_cookie = oauth_proxy_state_cookie_value(ctx)
+      return if state_cookie.to_s.empty?
+
+      encrypted_package = Crypto.symmetric_encrypt(
+        key: ctx.context.secret,
+        data: JSON.generate({
+          state: original_state,
+          stateCookie: state_cookie,
+          isOAuthProxy: true
+        })
+      )
+      params["state"] = encrypted_package
+      uri.query = URI.encode_www_form(params)
+
+      response = ctx.returned.dup
+      if response.key?(:url)
+        response[:url] = uri.to_s
+      else
+        response["url"] = uri.to_s
+      end
+      ctx.returned = response
+      ctx.json(response)
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def oauth_proxy_after_callback(ctx, config)
+      location = ctx.response_headers["location"]
+      return unless location.to_s.include?("/oauth-proxy-callback?callbackURL")
+      return unless location.to_s.start_with?("http")
+
+      location_uri = URI.parse(location)
+      production = oauth_proxy_production_uri(ctx, config)
+      if location_uri.origin == production.origin
+        original = Rack::Utils.parse_query(location_uri.query).fetch("callbackURL", nil)
+        oauth_proxy_set_location(ctx, original) if original
+        return nil
+      end
+
+      set_cookie = ctx.response_headers["set-cookie"]
+      return if set_cookie.to_s.empty?
+
+      encrypted = Crypto.symmetric_encrypt(
+        key: ctx.context.secret,
+        data: JSON.generate({
+          cookies: set_cookie,
+          timestamp: (Time.now.to_f * 1000).to_i
+        })
+      )
+      separator = location.include?("?") ? "&" : "?"
+      oauth_proxy_set_location(ctx, "#{location}#{separator}cookies=#{URI.encode_www_form_component(encrypted)}")
+      nil
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def oauth_proxy_state_cookie_value(ctx)
+      cookie = ctx.context.create_auth_cookie("oauth_state")
+      parsed = oauth_proxy_parse_set_cookie(ctx.response_headers["set-cookie"])
+      exact = parsed.find { |entry| entry[:name] == cookie.name || entry[:name] == Cookies.strip_secure_cookie_prefix(cookie.name) }
+      exact && exact[:value]
+    end
+
+    def oauth_proxy_sign_in_path?(path)
+      path.to_s.start_with?("/sign-in/social", "/sign-in/oauth2")
+    end
+
+    def oauth_proxy_callback_path?(path)
+      path.to_s.start_with?("/callback", "/oauth2/callback")
+    end
+
+    def oauth_proxy_skip?(ctx, config)
+      current = oauth_proxy_current_uri(ctx, config)
+      production = oauth_proxy_production_uri(ctx, config)
+      current.origin == production.origin
+    rescue URI::InvalidURIError
+      false
+    end
+
+    def oauth_proxy_current_uri(ctx, config)
+      URI.parse((config[:current_url] || ctx.context.options.base_url || ctx.context.base_url).to_s)
+    end
+
+    def oauth_proxy_production_uri(ctx, config)
+      URI.parse((config[:production_url] || ctx.context.options.base_url || ctx.context.base_url).to_s)
+    end
+
+    def oauth_proxy_strip_trailing(value)
+      value.to_s.sub(%r{/+\z}, "")
+    end
+
+    def oauth_proxy_validate_callback!(ctx, callback_url)
+      return if callback_url.to_s.empty?
+      return if ctx.context.trusted_origin?(callback_url.to_s, allow_relative_paths: true)
+
+      raise APIError.new("FORBIDDEN", message: "Invalid callbackURL")
+    end
+
+    def oauth_proxy_error_url(ctx, message)
+      base = ctx.context.options.on_api_error[:error_url] || "#{oauth_proxy_strip_trailing(ctx.context.base_url)}/error"
+      uri = URI.parse(base)
+      params = URI.decode_www_form(uri.query.to_s)
+      params << ["error", message]
+      uri.query = URI.encode_www_form(params)
+      uri.to_s
+    end
+
+    def oauth_proxy_set_location(ctx, location)
+      ctx.set_header("location", location)
+      return unless ctx.returned.is_a?(APIError)
+
+      headers = ctx.returned.headers.merge("location" => location)
+      ctx.returned.instance_variable_set(:@headers, headers)
+    end
+
+    def oauth_proxy_parse_set_cookie(header)
+      header.to_s.split(/\n|,(?=\s*[^;,]+=)/).filter_map do |line|
+        parts = line.strip.split(/;\s*/)
+        name, value = parts.shift.to_s.split("=", 2)
+        next if name.to_s.empty?
+
+        options = {}
+        parts.each do |part|
+          key, option_value = part.split("=", 2)
+          case key.to_s.downcase
+          when "path" then options[:path] = option_value
+          when "expires" then options[:expires] = option_value
+          when "samesite" then options[:same_site] = option_value
+          when "httponly" then options[:http_only] = true
+          when "secure" then options[:secure] = true
+          when "max-age" then options[:max_age] = option_value
+          end
+        end
+        {name: Cookies.strip_secure_cookie_prefix(name), value: URI.decode_www_form_component(value.to_s), options: options}
+      end
+    end
+  end
+end