better_auth 0.1.1 → 0.2.0

data/lib/better_auth/routes/error.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Routes
+    def self.error
+      Endpoint.new(
+        path: "/error",
+        method: "GET",
+        metadata: {hide: true}
+      ) do |ctx|
+        query = ctx.query || {}
+        raw_code = query["error"] || query[:error] || "UNKNOWN"
+        raw_description = query["error_description"] || query[:error_description]
+        safe_code = valid_error_code?(raw_code) ? raw_code.to_s : "UNKNOWN"
+        query_params = error_query_params(safe_code, raw_description)
+        error_url = ctx.context.options.on_api_error[:error_url]
+
+        if error_url
+          location = append_query(error_url, query_params)
+          next [302, {"location" => location}, [""]]
+        end
+
+        if ctx.context.options.production? && !ctx.context.options.on_api_error[:customize_default_error_page]
+          next [302, {"location" => "/?#{query_params}"}, [""]]
+        end
+
+        [
+          200,
+          {"content-type" => "text/html"},
+          [error_html(safe_code, raw_description)]
+        ]
+      end
+    end
+
+    def self.valid_error_code?(value)
+      /\A['A-Za-z0-9_-]+\z/.match?(value.to_s)
+    end
+
+    def self.error_query_params(code, description)
+      params = {error: code}
+      params[:error_description] = description if description
+      URI.encode_www_form(params)
+    end
+
+    def self.append_query(url, query)
+      separator = url.include?("?") ? "&" : "?"
+      "#{url}#{separator}#{query}"
+    end
+
+    def self.error_html(code, description)
+      safe_code = sanitize_html(code)
+      safe_description = description ? sanitize_html(description) : default_error_description(safe_code)
+
+      <<~HTML
+        <!DOCTYPE html>
+        <html lang="en">
+          <head>
+            <meta charset="UTF-8">
+            <meta name="viewport" content="width=device-width, initial-scale=1.0">
+            <title>Error</title>
+            <style>
+              body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; margin: 0; min-height: 100vh; display: grid; place-items: center; background: #fff; color: #171717; }
+              main { width: min(42rem, calc(100% - 2rem)); border: 2px solid #d4d4d4; padding: 1.5rem; text-align: center; }
+              h1 { margin: 0 0 1rem; font-size: 3rem; line-height: 1; }
+              code { display: inline-block; border: 1px solid #d4d4d4; padding: 0.375rem 0.75rem; margin-bottom: 1rem; word-break: break-all; }
+              p { color: #525252; line-height: 1.5; }
+              a { color: inherit; }
+              @media (prefers-color-scheme: dark) {
+                body { background: #171717; color: #fafafa; }
+                main, code { border-color: #404040; }
+                p { color: #d4d4d4; }
+              }
+            </style>
+          </head>
+          <body>
+            <main>
+              <h1>ERROR</h1>
+              <code>#{safe_code}</code>
+              <p>#{safe_description}</p>
+            </main>
+          </body>
+        </html>
+      HTML
+    end
+
+    def self.default_error_description(code)
+      "We encountered an unexpected error. You can find more information about this error at " \
+        "<a href=\"https://better-auth.com/docs/reference/errors/#{URI.encode_www_form_component(code)}\">Better Auth docs</a>."
+    end
+
+    def self.sanitize_html(value)
+      value.to_s
+        .gsub("<", "&lt;")
+        .gsub(">", "&gt;")
+        .gsub('"', "&quot;")
+        .gsub("'", "&#39;")
+        .gsub(/&(?!(?:amp|lt|gt|quot|#39|#x[0-9a-fA-F]+|#[0-9]+);)/, "&amp;")
+    end
+  end
+end

data/lib/better_auth/routes/ok.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.ok
+      Endpoint.new(
+        path: "/ok",
+        method: "GET",
+        metadata: {hide: true}
+      ) do |ctx|
+        ctx.json({ok: true})
+      end
+    end
+  end
+end

data/lib/better_auth/routes/password.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "uri"
+
+module BetterAuth
+  module Routes
+    PASSWORD_RESET_MESSAGE = "If this email exists in our system, check your email for the reset link"
+
+    def self.request_password_reset
+      Endpoint.new(path: "/request-password-reset", method: "POST") do |ctx|
+        sender = ctx.context.options.email_and_password[:send_reset_password]
+        raise APIError.new("BAD_REQUEST", message: "Reset password isn't enabled") unless sender.respond_to?(:call)
+
+        body = normalize_hash(ctx.body)
+        email = body["email"].to_s.downcase
+        found = ctx.context.internal_adapter.find_user_by_email(email, include_accounts: true)
+        unless found
+          SecureRandom.hex(12)
+          ctx.context.internal_adapter.find_verification_value("dummy-verification-token")
+          next ctx.json({status: true, message: PASSWORD_RESET_MESSAGE})
+        end
+
+        token = SecureRandom.hex(12)
+        expires_in = ctx.context.options.email_and_password[:reset_password_token_expires_in] || 3600
+        ctx.context.internal_adapter.create_verification_value(
+          identifier: "reset-password:#{token}",
+          value: found[:user]["id"],
+          expiresAt: Time.now + expires_in.to_i
+        )
+
+        redirect_to = body["redirectTo"] || body["redirect_to"]
+        callback = redirect_to ? URI.encode_www_form_component(redirect_to) : ""
+        url = "#{ctx.context.base_url}/reset-password/#{token}?callbackURL=#{callback}"
+        sender.call({user: found[:user], url: url, token: token}, ctx.request)
+        ctx.json({status: true, message: PASSWORD_RESET_MESSAGE})
+      end
+    end
+
+    def self.request_password_reset_callback
+      Endpoint.new(path: "/reset-password/:token", method: "GET") do |ctx|
+        token = ctx.params[:token].to_s
+        callback_url = fetch_value(ctx.query, "callbackURL") || "/error"
+        verification = ctx.context.internal_adapter.find_verification_value("reset-password:#{token}")
+
+        unless verification && !expired_time?(verification["expiresAt"])
+          raise ctx.redirect(absolute_callback(ctx.context, callback_url, error: "INVALID_TOKEN"))
+        end
+
+        raise ctx.redirect(absolute_callback(ctx.context, callback_url, token: token))
+      end
+    end
+
+    def self.reset_password
+      Endpoint.new(path: "/reset-password", method: "POST") do |ctx|
+        body = normalize_hash(ctx.body)
+        token = body["token"] || fetch_value(ctx.query, "token")
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_TOKEN"]) if token.to_s.empty?
+
+        password = body["newPassword"] || body["new_password"]
+        validate_password_length!(password, ctx.context.options.email_and_password)
+
+        verification = ctx.context.internal_adapter.find_verification_value("reset-password:#{token}")
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_TOKEN"]) unless verification && !expired_time?(verification["expiresAt"])
+
+        user_id = verification["value"]
+        hashed = hash_password(ctx, password)
+        account = ctx.context.internal_adapter.find_accounts(user_id).find { |entry| entry["providerId"] == "credential" }
+        if account
+          ctx.context.internal_adapter.update_password(user_id, hashed)
+        else
+          ctx.context.internal_adapter.create_account(userId: user_id, providerId: "credential", accountId: user_id, password: hashed)
+        end
+        ctx.context.internal_adapter.delete_verification_value(verification["id"])
+
+        if (callback = ctx.context.options.email_and_password[:on_password_reset])
+          user = ctx.context.internal_adapter.find_user_by_id(user_id)
+          callback.call({user: user}, ctx.request) if user
+        end
+        ctx.context.internal_adapter.delete_sessions(user_id) if ctx.context.options.email_and_password[:revoke_sessions_on_password_reset]
+
+        ctx.json({status: true})
+      end
+    end
+
+    def self.verify_password
+      Endpoint.new(path: "/verify-password", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        password = normalize_hash(ctx.body)["password"].to_s
+        account = credential_account(ctx, session[:user]["id"])
+        valid = account && account["password"] && verify_password_value(ctx, password, account["password"])
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"]) unless valid
+
+        ctx.json({status: true})
+      end
+    end
+
+    def self.validate_password_length!(password, email_config)
+      unless password.is_a?(String) && !password.empty?
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+      end
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["PASSWORD_TOO_SHORT"]) if password.length < email_config[:min_password_length].to_i
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["PASSWORD_TOO_LONG"]) if password.length > email_config[:max_password_length].to_i
+    end
+
+    def self.hash_password(ctx, password)
+      hasher = ctx.context.options.email_and_password.dig(:password, :hash)
+      if hasher.respond_to?(:call)
+        return hasher_arity_accepts_context?(hasher) ? hasher.call(password, ctx) : hasher.call(password)
+      end
+
+      Password.hash(
+        password,
+        algorithm: ctx.context.options.password_hasher
+      )
+    end
+
+    def self.hasher_arity_accepts_context?(hasher)
+      arity = hasher.arity
+      arity != 1 && arity != -1
+    end
+
+    def self.verify_password_value(ctx, password, digest)
+      Password.verify(
+        password: password,
+        hash: digest,
+        verifier: ctx.context.options.email_and_password.dig(:password, :verify),
+        algorithm: ctx.context.options.password_hasher
+      )
+    end
+
+    def self.credential_account(ctx, user_id)
+      ctx.context.internal_adapter.find_accounts(user_id).find { |entry| entry["providerId"] == "credential" }
+    end
+
+    def self.expired_time?(value)
+      value && value < Time.now
+    end
+
+    def self.fetch_value(hash, key)
+      snake_key = key.to_s
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+      hash[key] ||
+        hash[key.to_s] ||
+        hash[key.to_sym] ||
+        hash[Schema.storage_key(key)] ||
+        hash[Schema.storage_key(key).to_sym] ||
+        hash[snake_key] ||
+        hash[snake_key.to_sym]
+    end
+
+    def self.absolute_callback(context, callback_url, params)
+      uri = URI.parse(callback_url.to_s)
+      origin = Configuration.origin_for(URI.parse(context.base_url))
+      url = uri.relative? ? URI.join("#{origin}/", callback_url.to_s.delete_prefix("/")) : uri
+      query = URI.decode_www_form(url.query.to_s)
+      params.each { |key, value| query << [key.to_s, value] }
+      url.query = URI.encode_www_form(query)
+      url.to_s
+    end
+  end
+end

data/lib/better_auth/routes/session.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.get_session
+      Endpoint.new(path: "/get-session", method: "GET") do |ctx|
+        session = current_session(ctx, allow_nil: true)
+        next ctx.json(nil) unless session
+
+        ctx.json(parsed_session_response(ctx, session))
+      rescue APIError
+        raise
+      rescue => error
+        log(ctx.context, :error, "FAILED_TO_GET_SESSION #{error.message}")
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: BASE_ERROR_CODES["FAILED_TO_GET_SESSION"])
+      end
+    end
+
+    def self.list_sessions
+      Endpoint.new(path: "/list-sessions", method: "GET") do |ctx|
+        session = current_session(ctx)
+        sessions = ctx.context.internal_adapter.list_sessions(session[:user]["id"])
+        active = sessions
+          .map { |entry| stringify_keys(entry) }
+          .select { |entry| !Session.expired?(entry) }
+          .map { |entry| Schema.parse_output(ctx.context.options, "session", entry) }
+        ctx.json(active)
+      end
+    end
+
+    def self.update_session
+      Endpoint.new(path: "/update-session", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = Routes.parse_declared_input(ctx, "session", ctx.body, allowed_base: [])
+        raise APIError.new("BAD_REQUEST", message: "No fields to update") if body.empty?
+
+        updated = ctx.context.internal_adapter.update_session(session[:session]["token"], body)
+        merged = session[:session].merge(updated || body)
+        Cookies.set_session_cookie(ctx, {session: merged, user: session[:user]}, Cookies.dont_remember?(ctx))
+        ctx.json({status: true})
+      end
+    end
+
+    def self.revoke_session
+      Endpoint.new(path: "/revoke-session", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        token = body["token"].to_s
+        found = ctx.context.internal_adapter.find_session(token)
+
+        if found && stringify_keys(found[:session] || found["session"])["userId"] == session[:user]["id"]
+          ctx.context.internal_adapter.delete_session(token)
+        end
+
+        ctx.json({status: true})
+      end
+    end
+
+    def self.revoke_sessions
+      Endpoint.new(path: "/revoke-sessions", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
+        Cookies.delete_session_cookie(ctx)
+        ctx.json({status: true})
+      end
+    end
+
+    def self.revoke_other_sessions
+      Endpoint.new(path: "/revoke-other-sessions", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        current_token = session[:session]["token"]
+        sessions = ctx.context.internal_adapter.list_sessions(session[:user]["id"])
+        sessions.each do |entry|
+          data = stringify_keys(entry)
+          next if Session.expired?(data) || data["token"] == current_token
+
+          ctx.context.internal_adapter.delete_session(data["token"])
+        end
+        ctx.json({status: true})
+      end
+    end
+
+    def self.current_session(ctx, allow_nil: false, sensitive: false)
+      data = Session.find_current(
+        ctx,
+        disable_cookie_cache: truthy_query?(ctx.query, "disableCookieCache"),
+        disable_refresh: truthy_query?(ctx.query, "disableRefresh"),
+        sensitive: sensitive
+      )
+      return nil if allow_nil && data.nil?
+
+      raise APIError.new("UNAUTHORIZED") unless data
+
+      {
+        session: stringify_keys(data[:session] || data["session"]),
+        user: stringify_keys(data[:user] || data["user"])
+      }
+    end
+
+    def self.parsed_session_response(ctx, session)
+      {
+        session: Schema.parse_output(ctx.context.options, "session", session[:session]),
+        user: Schema.parse_output(ctx.context.options, "user", session[:user])
+      }
+    end
+
+    def self.truthy_query?(query, key)
+      snake_key = key.to_s
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+      value = query[key] ||
+        query[key.to_sym] ||
+        query[Schema.storage_key(key)] ||
+        query[Schema.storage_key(key).to_sym] ||
+        query[snake_key] ||
+        query[snake_key.to_sym]
+      value == true || value.to_s == "true"
+    end
+
+    def self.stringify_keys(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+      return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+      value
+    end
+
+    def self.log(context, level, message)
+      logger = context.logger
+      if logger.respond_to?(:call)
+        logger.call(level, message)
+      elsif logger.respond_to?(level)
+        logger.public_send(level, message)
+      end
+    end
+  end
+end

data/lib/better_auth/routes/sign_in.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Routes
+    def self.sign_in_email
+      Endpoint.new(
+        path: "/sign-in/email",
+        method: "POST",
+        metadata: {
+          allowed_media_types: [
+            "application/x-www-form-urlencoded",
+            "application/json"
+          ]
+        }
+      ) do |ctx|
+        options = ctx.context.options
+        email_config = options.email_and_password
+        if email_config[:enabled] == false
+          raise APIError.new("BAD_REQUEST", message: "Email and password is not enabled")
+        end
+
+        body = normalize_hash(ctx.body)
+        email = body["email"].to_s
+        password = body["password"].to_s
+        callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
+        remember_me = body.key?("rememberMe") ? body["rememberMe"] : body["remember_me"]
+
+        unless EMAIL_PATTERN.match?(email)
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"])
+        end
+
+        found = ctx.context.internal_adapter.find_user_by_email(email, include_accounts: true)
+        unless found
+          hash_password(ctx, password)
+          raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["INVALID_EMAIL_OR_PASSWORD"])
+        end
+
+        user = found[:user] || found["user"]
+        accounts = found[:accounts] || found["accounts"] || []
+        credential_account = accounts.find { |account| account["providerId"] == "credential" || account[:providerId] == "credential" }
+        current_password = credential_account && (credential_account["password"] || credential_account[:password])
+        unless current_password && verify_password_value(ctx, password, current_password)
+          hash_password(ctx, password) unless current_password
+          raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["INVALID_EMAIL_OR_PASSWORD"])
+        end
+
+        if email_config[:require_email_verification] && !user["emailVerified"]
+          send_sign_in_verification_email(ctx, user, callback_url)
+          raise APIError.new("FORBIDDEN", message: BASE_ERROR_CODES["EMAIL_NOT_VERIFIED"])
+        end
+
+        dont_remember_me = remember_me == false || remember_me.to_s == "false"
+        session = ctx.context.internal_adapter.create_session(
+          user["id"],
+          dont_remember_me,
+          session_overrides(ctx),
+          true,
+          ctx
+        )
+        raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["FAILED_TO_CREATE_SESSION"]) unless session
+
+        Cookies.set_session_cookie(ctx, {session: session, user: user}, dont_remember_me)
+        ctx.set_header("location", callback_url) if callback_url
+        ctx.json({
+          redirect: !!callback_url,
+          token: session["token"],
+          url: callback_url,
+          user: Schema.parse_output(options, "user", user)
+        })
+      end
+    end
+
+    def self.send_sign_in_verification_email(ctx, user, callback_url)
+      verification = ctx.context.options.email_verification
+      sender = verification[:send_verification_email]
+      return unless verification[:send_on_sign_in] && sender.respond_to?(:call)
+
+      token = Crypto.sign_jwt(
+        {"email" => user["email"].to_s.downcase},
+        ctx.context.secret,
+        expires_in: verification[:expires_in] || 3600
+      )
+      callback = URI.encode_www_form_component(callback_url || "/")
+      url = "#{ctx.context.base_url}/verify-email?token=#{URI.encode_www_form_component(token)}&callbackURL=#{callback}"
+      sender.call({user: user, url: url, token: token}, ctx.request)
+    end
+  end
+end

data/lib/better_auth/routes/sign_out.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.sign_out
+      Endpoint.new(path: "/sign-out", method: "POST") do |ctx|
+        token_cookie = ctx.context.auth_cookies[:session_token]
+        token = ctx.get_signed_cookie(token_cookie.name, ctx.context.secret)
+        ctx.context.internal_adapter.delete_session(token) if token
+        Cookies.delete_session_cookie(ctx)
+        ctx.json({success: true})
+      end
+    end
+  end
+end

data/lib/better_auth/routes/sign_up.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Routes
+    EMAIL_PATTERN = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/
+
+    def self.sign_up_email
+      Endpoint.new(
+        path: "/sign-up/email",
+        method: "POST",
+        metadata: {
+          allowed_media_types: [
+            "application/x-www-form-urlencoded",
+            "application/json"
+          ]
+        }
+      ) do |ctx|
+        options = ctx.context.options
+        email_config = options.email_and_password
+        if email_config[:enabled] == false || email_config[:disable_sign_up]
+          raise APIError.new("BAD_REQUEST", message: "Email and password sign up is not enabled")
+        end
+
+        body = normalize_hash(ctx.body)
+        name = body["name"].to_s
+        email = body["email"].to_s
+        password = body["password"]
+        image = body["image"]
+        callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
+        remember_me = body.key?("rememberMe") ? body["rememberMe"] : body["remember_me"]
+
+        validate_sign_up_input!(email, password, email_config)
+
+        ctx.context.adapter.transaction do
+          existing = ctx.context.internal_adapter.find_user_by_email(email)
+          if existing
+            raise APIError.new(
+              "UNPROCESSABLE_ENTITY",
+              message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]
+            )
+          end
+
+          hashed_password = hash_password(ctx, password)
+          created_user = create_sign_up_user(ctx, body, email, name, image)
+          raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["FAILED_TO_CREATE_USER"]) unless created_user
+
+          ctx.context.internal_adapter.link_account(
+            userId: created_user["id"],
+            providerId: "credential",
+            accountId: created_user["id"],
+            password: hashed_password
+          )
+
+          send_sign_up_verification_email(ctx, created_user, callback_url)
+
+          if email_config[:auto_sign_in] == false || email_config[:require_email_verification]
+            next ctx.json({token: nil, user: Schema.parse_output(options, "user", created_user)})
+          end
+
+          dont_remember_me = remember_me == false || remember_me.to_s == "false"
+          session = ctx.context.internal_adapter.create_session(
+            created_user["id"],
+            dont_remember_me,
+            session_overrides(ctx),
+            true,
+            ctx
+          )
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["FAILED_TO_CREATE_SESSION"]) unless session
+
+          Cookies.set_session_cookie(ctx, {session: session, user: created_user}, dont_remember_me)
+          ctx.json({token: session["token"], user: Schema.parse_output(options, "user", created_user)})
+        end
+      end
+    end
+
+    def self.validate_sign_up_input!(email, password, email_config)
+      unless EMAIL_PATTERN.match?(email)
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"])
+      end
+
+      unless password.is_a?(String) && !password.empty?
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+      end
+
+      if password.length < email_config[:min_password_length].to_i
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["PASSWORD_TOO_SHORT"])
+      end
+
+      if password.length > email_config[:max_password_length].to_i
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["PASSWORD_TOO_LONG"])
+      end
+    end
+
+    def self.create_sign_up_user(ctx, body, email, name, image)
+      reserved = %w[email password name image callbackURL callbackUrl callback_url rememberMe remember_me]
+      additional = parse_declared_input(ctx, "user", body.except(*reserved), allowed_base: [])
+      ctx.context.internal_adapter.create_user(
+        additional.merge(
+          "email" => email.downcase,
+          "name" => name,
+          "image" => image,
+          "emailVerified" => false
+        )
+      )
+    rescue APIError
+      raise
+    rescue
+      raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["FAILED_TO_CREATE_USER"])
+    end
+
+    def self.send_sign_up_verification_email(ctx, user, callback_url)
+      verification = ctx.context.options.email_verification
+      password_config = ctx.context.options.email_and_password
+      send_on_sign_up = verification.key?(:send_on_sign_up) ? verification[:send_on_sign_up] : password_config[:require_email_verification]
+      return unless send_on_sign_up
+
+      sender = verification[:send_verification_email]
+      return unless sender.respond_to?(:call)
+
+      token = Crypto.sign_jwt(
+        {"email" => user["email"].to_s.downcase},
+        ctx.context.secret,
+        expires_in: verification[:expires_in] || 3600
+      )
+      callback = URI.encode_www_form_component(callback_url || "/")
+      url = "#{ctx.context.base_url}/verify-email?token=#{URI.encode_www_form_component(token)}&callbackURL=#{callback}"
+      sender.call({user: user, url: url, token: token}, ctx.request)
+    end
+
+    def self.session_overrides(ctx)
+      {
+        ipAddress: RequestIP.client_ip(ctx, ctx.context.options).to_s,
+        userAgent: ctx.headers["user-agent"].to_s
+      }
+    end
+
+    def self.normalize_hash(value)
+      value.each_with_object({}) do |(key, object_value), result|
+        result[Schema.storage_key(key)] = object_value
+      end
+    end
+  end
+end