better_auth 0.1.1 → 0.2.0

data/lib/better_auth/routes/social.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require "uri"
+require "securerandom"
+
+module BetterAuth
+  module Routes
+    def self.sign_in_social
+      Endpoint.new(path: "/sign-in/social", method: "POST") do |ctx|
+        body = normalize_hash(ctx.body)
+        provider_id = body["provider"].to_s
+        provider = social_provider(ctx.context, provider_id)
+        raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["PROVIDER_NOT_FOUND"]) unless provider
+
+        id_token = fetch_value(body, "idToken")
+        if id_token
+          data = social_user_from_id_token!(ctx, provider, id_token)
+          session_data = persist_social_user(ctx, provider_id, data[:user], data[:account])
+          Cookies.set_session_cookie(ctx, session_data)
+          next ctx.json({
+            redirect: false,
+            token: session_data[:session]["token"],
+            url: nil,
+            user: Schema.parse_output(ctx.context.options, "user", session_data[:user])
+          })
+        end
+
+        state = Crypto.sign_jwt(
+          {
+            "callbackURL" => body["callbackURL"] || body["callbackUrl"] || body["callback_url"] || "/",
+            "errorCallbackURL" => body["errorCallbackURL"] || body["errorCallbackUrl"] || body["error_callback_url"],
+            "newUserCallbackURL" => body["newUserCallbackURL"] || body["newUserCallbackUrl"] || body["new_user_callback_url"],
+            "requestSignUp" => body["requestSignUp"] || body["request_sign_up"]
+          },
+          ctx.context.secret,
+          expires_in: 600
+        )
+        code_verifier = SecureRandom.hex(16)
+        url = call_provider(provider, :create_authorization_url, {
+          state: state,
+          codeVerifier: code_verifier,
+          code_verifier: code_verifier,
+          redirectURI: "#{ctx.context.base_url}/callback/#{provider_id}",
+          redirect_uri: "#{ctx.context.base_url}/callback/#{provider_id}",
+          scopes: body["scopes"],
+          loginHint: body["loginHint"] || body["login_hint"]
+        })
+        ctx.set_header("location", url.to_s) unless body["disableRedirect"] || body["disable_redirect"]
+        ctx.json({url: url.to_s, redirect: !(body["disableRedirect"] || body["disable_redirect"])})
+      end
+    end
+
+    def self.callback_oauth
+      Endpoint.new(
+        path: "/callback/:providerId",
+        method: ["GET", "POST"],
+        metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}
+      ) do |ctx|
+        source = (ctx.method == "POST") ? ctx.body.merge(ctx.query) : ctx.query
+        data = normalize_hash(source)
+        provider_id = fetch_value(ctx.params, "providerId").to_s
+        provider = social_provider(ctx.context, provider_id)
+        state = data["state"].to_s
+        state_data = Crypto.verify_jwt(state, ctx.context.secret) || {}
+        error_url = state_data["errorCallbackURL"] || "#{ctx.context.base_url}/error"
+
+        raise ctx.redirect(oauth_error_url(error_url, data["error"], data["errorDescription"] || data["error_description"])) if data["error"]
+        raise ctx.redirect(oauth_error_url(error_url, "oauth_provider_not_found")) unless provider
+        raise ctx.redirect(oauth_error_url(error_url, "state_not_found")) if state.empty?
+        raise ctx.redirect(oauth_error_url(error_url, "no_code")) if data["code"].to_s.empty?
+
+        tokens = call_provider(provider, :validate_authorization_code, {
+          code: data["code"],
+          codeVerifier: state_data["codeVerifier"],
+          code_verifier: state_data["codeVerifier"],
+          redirectURI: "#{ctx.context.base_url}/callback/#{provider_id}",
+          redirect_uri: "#{ctx.context.base_url}/callback/#{provider_id}"
+        })
+        raise ctx.redirect(oauth_error_url(error_url, "invalid_code")) unless tokens
+
+        user_info = call_provider(provider, :get_user_info, token_hash(tokens))
+        user = user_info[:user] || user_info["user"] if user_info
+        raise ctx.redirect(oauth_error_url(error_url, "unable_to_get_user_info")) unless user
+        raise ctx.redirect(oauth_error_url(error_url, "email_not_found")) if fetch_value(user, "email").to_s.empty?
+
+        session_data = persist_social_user(ctx, provider_id, user, token_hash(tokens).merge("accountId" => fetch_value(user, "id").to_s))
+        Cookies.set_session_cookie(ctx, session_data)
+        callback_url = state_data["callbackURL"] || "/"
+        raise ctx.redirect(callback_url)
+      end
+    end
+
+    def self.link_social
+      Endpoint.new(path: "/link-social", method: "POST") do |ctx|
+        session = current_session(ctx)
+        body = normalize_hash(ctx.body)
+        provider_id = body["provider"].to_s
+        provider = social_provider(ctx.context, provider_id)
+        raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["PROVIDER_NOT_FOUND"]) unless provider
+
+        id_token = fetch_value(body, "idToken")
+        if id_token
+          data = social_user_from_id_token!(ctx, provider, id_token)
+          email = fetch_value(data[:user], "email").to_s.downcase
+          unless email == session[:user]["email"].to_s.downcase || ctx.context.options.account.dig(:account_linking, :allow_different_emails)
+            raise APIError.new("UNAUTHORIZED", message: "Account not linked - different emails not allowed")
+          end
+
+          account_id = fetch_value(data[:user], "id").to_s
+          existing = ctx.context.internal_adapter.find_accounts(session[:user]["id"]).find do |account|
+            account["providerId"] == provider_id && account["accountId"] == account_id
+          end
+          unless existing
+            ctx.context.internal_adapter.create_account(data[:account].merge("userId" => session[:user]["id"]))
+          end
+          next ctx.json({url: "", status: true, redirect: false})
+        end
+
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_TOKEN"])
+      end
+    end
+
+    def self.social_user_from_id_token!(ctx, provider, id_token)
+      token = fetch_value(id_token, "token").to_s
+      valid = call_provider(provider, :verify_id_token, token, fetch_value(id_token, "nonce"))
+      raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["INVALID_TOKEN"]) unless valid
+
+      user_info = call_provider(provider, :get_user_info, {
+        idToken: token,
+        id_token: token,
+        accessToken: fetch_value(id_token, "accessToken"),
+        access_token: fetch_value(id_token, "accessToken"),
+        refreshToken: fetch_value(id_token, "refreshToken"),
+        refresh_token: fetch_value(id_token, "refreshToken")
+      })
+      user = user_info[:user] || user_info["user"] if user_info
+      raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["FAILED_TO_GET_USER_INFO"]) unless user
+      raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["USER_EMAIL_NOT_FOUND"]) if fetch_value(user, "email").to_s.empty?
+
+      {
+        user: user,
+        account: {
+          "providerId" => fetch_value(provider, "id").to_s,
+          "accountId" => fetch_value(user, "id").to_s,
+          "accessToken" => fetch_value(id_token, "accessToken"),
+          "refreshToken" => fetch_value(id_token, "refreshToken"),
+          "idToken" => token
+        }
+      }
+    end
+
+    def self.persist_social_user(ctx, provider_id, user_info, account_info)
+      email = fetch_value(user_info, "email").to_s.downcase
+      account_id = (account_info["accountId"] || account_info[:accountId] || account_info[:account_id] || fetch_value(user_info, "id")).to_s
+      existing = ctx.context.internal_adapter.find_oauth_user(email, account_id, provider_id)
+
+      if existing && existing[:linked_account]
+        user = existing[:user]
+      elsif existing
+        user = existing[:user]
+        ctx.context.internal_adapter.create_account(account_info.merge("providerId" => provider_id, "accountId" => account_id, "userId" => user["id"]))
+      else
+        created = ctx.context.internal_adapter.create_oauth_user(
+          {
+            email: email,
+            name: fetch_value(user_info, "name").to_s,
+            image: fetch_value(user_info, "image"),
+            emailVerified: !!fetch_value(user_info, "emailVerified")
+          },
+          account_info.merge("providerId" => provider_id, "accountId" => account_id)
+        )
+        user = created[:user]
+      end
+
+      session = ctx.context.internal_adapter.create_session(user["id"], false, session_overrides(ctx), true, ctx)
+      {session: session, user: user}
+    end
+
+    def self.oauth_error_url(base_url, error, description = nil)
+      uri = URI.parse(base_url.to_s)
+      query = URI.decode_www_form(uri.query.to_s)
+      query << ["error", error.to_s]
+      query << ["error_description", description.to_s] if description
+      uri.query = URI.encode_www_form(query)
+      uri.to_s
+    end
+  end
+end

data/lib/better_auth/routes/user.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.update_user
+      Endpoint.new(path: "/update-user", method: "POST") do |ctx|
+        session = current_session(ctx)
+        body = normalize_hash(ctx.body)
+        raise APIError.new("BAD_REQUEST", message: "Body must be an object") unless body.is_a?(Hash)
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["EMAIL_CAN_NOT_BE_UPDATED"]) if body.key?("email")
+        update = parse_declared_input(ctx, "user", body, allowed_base: ["name", "image"])
+        raise APIError.new("BAD_REQUEST", message: "No fields to update") if update.empty?
+
+        updated = ctx.context.internal_adapter.update_user(session[:user]["id"], update)
+        Cookies.set_session_cookie(ctx, {session: session[:session], user: updated}, Cookies.dont_remember?(ctx))
+        ctx.json({status: true})
+      end
+    end
+
+    def self.change_password
+      Endpoint.new(path: "/change-password", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_password = body["newPassword"] || body["new_password"]
+        current_password = body["currentPassword"] || body["current_password"]
+        validate_password_length!(new_password, ctx.context.options.email_and_password)
+        account = credential_account(ctx, session[:user]["id"])
+        unless account && account["password"] && verify_password_value(ctx, current_password.to_s, account["password"])
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+        end
+
+        ctx.context.internal_adapter.update_account(account["id"], password: hash_password(ctx, new_password))
+        token = nil
+        if body["revokeOtherSessions"] || body["revoke_other_sessions"]
+          ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
+          new_session = ctx.context.internal_adapter.create_session(session[:user]["id"])
+          Cookies.set_session_cookie(ctx, {session: new_session, user: session[:user]})
+          token = new_session["token"]
+        end
+        ctx.json({token: token, user: Schema.parse_output(ctx.context.options, "user", session[:user])})
+      end
+    end
+
+    def self.set_password
+      Endpoint.new(path: "/set-password", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_password = body["newPassword"] || body["new_password"]
+        validate_password_length!(new_password, ctx.context.options.email_and_password)
+        account = credential_account(ctx, session[:user]["id"])
+        raise APIError.new("BAD_REQUEST", message: "user already has a password") if account && account["password"]
+
+        ctx.context.internal_adapter.link_account(
+          userId: session[:user]["id"],
+          providerId: "credential",
+          accountId: session[:user]["id"],
+          password: hash_password(ctx, new_password)
+        )
+        ctx.json({status: true})
+      end
+    end
+
+    def self.delete_user
+      Endpoint.new(path: "/delete-user", method: "POST") do |ctx|
+        enabled = ctx.context.options.user.dig(:delete_user, :enabled)
+        raise APIError.new("NOT_FOUND") unless enabled
+
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        if body["password"]
+          account = credential_account(ctx, session[:user]["id"])
+          unless account && account["password"] && verify_password_value(ctx, body["password"], account["password"])
+            raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+          end
+        end
+
+        if body["token"]
+          delete_user_by_token!(ctx, session, body["token"])
+        elsif (sender = ctx.context.options.user.dig(:delete_user, :send_delete_account_verification))
+          token = SecureRandom.hex(16)
+          ctx.context.internal_adapter.create_verification_value(
+            identifier: "delete-account-#{token}",
+            value: session[:user]["id"],
+            expiresAt: Time.now + ctx.context.options.user.dig(:delete_user, :delete_token_expires_in).to_i
+          )
+          sender.call({user: session[:user], token: token}, ctx.request)
+          next ctx.json({success: true, message: "Verification email sent"})
+        end
+
+        delete_current_user!(ctx, session)
+        ctx.json({success: true, message: "User deleted"})
+      end
+    end
+
+    def self.delete_user_callback
+      Endpoint.new(path: "/delete-user/callback", method: "GET") do |ctx|
+        enabled = ctx.context.options.user.dig(:delete_user, :enabled)
+        raise APIError.new("NOT_FOUND") unless enabled
+        session = current_session(ctx)
+        token = fetch_value(ctx.query, "token")
+        delete_user_by_token!(ctx, session, token)
+        delete_current_user!(ctx, session)
+        callback_url = fetch_value(ctx.query, "callbackURL")
+        raise ctx.redirect(callback_url) if callback_url
+
+        ctx.json({success: true, message: "User deleted"})
+      end
+    end
+
+    def self.change_email
+      Endpoint.new(path: "/change-email", method: "POST") do |ctx|
+        enabled = ctx.context.options.user.dig(:change_email, :enabled)
+        raise APIError.new("BAD_REQUEST", message: "Change email is disabled") unless enabled
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_email = (body["newEmail"] || body["new_email"]).to_s.downcase
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless EMAIL_PATTERN.match?(new_email)
+        raise APIError.new("BAD_REQUEST", message: "Email is the same") if new_email == session[:user]["email"]
+        raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]) if ctx.context.internal_adapter.find_user_by_email(new_email)
+
+        if !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+          updated = ctx.context.internal_adapter.update_user_by_email(session[:user]["email"], email: new_email)
+          Cookies.set_session_cookie(ctx, {session: session[:session], user: updated})
+          next ctx.json({status: true})
+        end
+
+        sender = ctx.context.options.email_verification[:send_verification_email]
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+
+        token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-verification"})
+        sender.call({user: session[:user].merge("email" => new_email), token: token}, ctx.request)
+        ctx.json({status: true})
+      end
+    end
+
+    def self.delete_user_by_token!(ctx, session, token)
+      verification = ctx.context.internal_adapter.find_verification_value("delete-account-#{token}")
+      unless verification && verification["value"] == session[:user]["id"] && !expired_time?(verification["expiresAt"])
+        raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["INVALID_TOKEN"])
+      end
+      ctx.context.internal_adapter.delete_verification_value(verification["id"])
+    end
+
+    def self.delete_current_user!(ctx, session)
+      config = ctx.context.options.user[:delete_user] || {}
+      call_option(config[:before_delete], session[:user], ctx.request)
+      ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
+      Cookies.delete_session_cookie(ctx)
+      call_option(config[:after_delete], session[:user], ctx.request)
+    end
+
+    def self.parse_declared_input(ctx, model, data, allowed_base: [])
+      input = normalize_hash(data || {})
+      table = Schema.auth_tables(ctx.context.options)[model.to_s]
+      fields = table ? table.fetch(:fields) : {}
+      additional = ctx.context.options.public_send(model.to_sym)[:additional_fields] || {}
+      fields = fields.merge(additional.each_with_object({}) { |(key, value), result| result[Schema.storage_key(key)] = value }) if model.to_s == "session"
+      declared_fields = fields.keys - core_model_fields(model)
+      allowed = (Array(allowed_base).map { |field| Schema.storage_key(field) } + declared_fields).uniq
+
+      input.each_with_object({}) do |(field, value), result|
+        next unless fields.key?(field)
+        next unless allowed.include?(field)
+
+        attributes = fields.fetch(field)
+        if attributes[:input] == false
+          raise APIError.new("BAD_REQUEST", message: "#{field} is not allowed to be set")
+        end
+
+        result[field] = coerce_input_value(value, attributes)
+      end
+    end
+
+    def self.coerce_input_value(value, attributes)
+      return value if value.nil?
+      return Time.parse(value) if attributes[:type] == "date" && value.is_a?(String)
+
+      value
+    end
+
+    def self.core_model_fields(model)
+      case model.to_s
+      when "user"
+        %w[id name email emailVerified image createdAt updatedAt]
+      when "session"
+        %w[id expiresAt token ipAddress userAgent userId createdAt updatedAt]
+      else
+        %w[id createdAt updatedAt]
+      end
+    end
+  end
+end

data/lib/better_auth/schema/sql.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Schema
+    module SQL
+      module_function
+
+      def create_statements(options, dialect:)
+        dialect = dialect.to_sym
+        tables = Schema.auth_tables(options)
+        statements = tables.map { |logical_name, table| create_table_statement(logical_name, table, dialect, tables) }
+        statements.concat(tables.flat_map { |_logical_name, table| index_statements(table, dialect) })
+      end
+
+      def create_table_statement(logical_name, table, dialect, tables = nil)
+        table_name = table.fetch(:model_name)
+        columns = table.fetch(:fields).map do |logical_field, attributes|
+          column_definition(table_name, logical_field, attributes, dialect)
+        end
+        constraints = table.fetch(:fields).flat_map do |logical_field, attributes|
+          field_constraints(table_name, logical_field, attributes, dialect, tables)
+        end
+        body = (columns + constraints).join(",\n  ")
+
+        case dialect
+        when :postgres, :sqlite
+          %(CREATE TABLE IF NOT EXISTS #{quote(table_name, dialect)} (\n  #{body}\n);)
+        when :mysql
+          %(CREATE TABLE IF NOT EXISTS #{quote(table_name, dialect)} (\n  #{body}\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;)
+        when :mssql
+          %(IF OBJECT_ID(N'#{quote(table_name, dialect)}', N'U') IS NULL\nCREATE TABLE #{quote(table_name, dialect)} (\n  #{body}\n);)
+        else
+          raise ArgumentError, "Unsupported SQL dialect: #{dialect}"
+        end
+      end
+
+      def column_definition(table_name, logical_field, attributes, dialect)
+        column = quote(attributes[:field_name] || physical_name(logical_field), dialect)
+        parts = [column, sql_type(logical_field, attributes, dialect)]
+        parts << "PRIMARY KEY" if logical_field == "id"
+        if attributes[:required]
+          parts << "NOT NULL"
+        elsif dialect == :mssql
+          parts << "NULL"
+        end
+        default = default_sql(attributes, dialect)
+        parts << "DEFAULT #{default}" if default
+        parts.join(" ")
+      end
+
+      def field_constraints(table_name, logical_field, attributes, dialect, tables = nil)
+        constraints = []
+        column = attributes[:field_name] || physical_name(logical_field)
+
+        if attributes[:unique] && logical_field != "id"
+          constraints << unique_constraint(table_name, column, dialect)
+        end
+
+        reference = attributes[:references]
+        if reference
+          constraints << foreign_key_constraint(table_name, column, reference, dialect, tables)
+        end
+
+        constraints
+      end
+
+      def index_statements(table, dialect)
+        table_name = table.fetch(:model_name)
+        table.fetch(:fields).filter_map do |logical_field, attributes|
+          next unless attributes[:index]
+
+          column = attributes[:field_name] || Schema.physical_name(logical_field)
+          name = "index_#{table_name}_on_#{column}"
+          case dialect
+          when :postgres, :sqlite
+            %(CREATE INDEX IF NOT EXISTS #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          when :mysql
+            %(CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          when :mssql
+            %(IF NOT EXISTS (SELECT name FROM sys.indexes WHERE name = '#{name.gsub("'", "''")}' AND object_id = OBJECT_ID(N'#{quote(table_name, dialect)}')) CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          end
+        end
+      end
+
+      def sql_type(logical_field, attributes, dialect)
+        case attributes[:type]
+        when "boolean"
+          case dialect
+          when :mysql
+            "tinyint(1)"
+          when :sqlite
+            "integer"
+          when :mssql
+            "smallint"
+          else
+            "boolean"
+          end
+        when "date"
+          case dialect
+          when :mysql
+            "datetime(6)"
+          when :sqlite
+            "date"
+          when :mssql
+            "datetime2(3)"
+          else
+            "timestamptz"
+          end
+        when "number"
+          attributes[:bigint] ? "bigint" : "integer"
+        else
+          if dialect == :mysql
+            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references]
+            indexed ? "varchar(191)" : "text"
+          elsif dialect == :mssql
+            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references] || attributes[:sortable]
+            indexed ? "varchar(255)" : "varchar(8000)"
+          else
+            "text"
+          end
+        end
+      end
+
+      def default_sql(attributes, dialect)
+        default = attributes[:default_value]
+        return unless default == false || default == true || default.is_a?(Numeric) || default.is_a?(String) || default.respond_to?(:call)
+
+        if attributes[:type] == "date" && default.respond_to?(:call)
+          return (dialect == :mysql) ? "CURRENT_TIMESTAMP(6)" : "CURRENT_TIMESTAMP"
+        end
+
+        case default
+        when true
+          (dialect == :mysql || dialect == :sqlite || dialect == :mssql) ? "1" : "true"
+        when false
+          (dialect == :mysql || dialect == :sqlite || dialect == :mssql) ? "0" : "false"
+        when Numeric
+          default.to_s
+        when String
+          "'#{default.gsub("'", "''")}'"
+        end
+      end
+
+      def unique_constraint(table_name, column, dialect)
+        case dialect
+        when :postgres, :sqlite
+          %(UNIQUE (#{quote(column, dialect)}))
+        when :mysql
+          %(UNIQUE KEY #{quote("uniq_#{table_name}_#{column}", dialect)} (#{quote(column, dialect)}))
+        when :mssql
+          %(CONSTRAINT #{quote("uniq_#{table_name}_#{column}", dialect)} UNIQUE (#{quote(column, dialect)}))
+        end
+      end
+
+      def foreign_key_constraint(table_name, column, reference, dialect, tables = nil)
+        target_model = tables&.fetch(reference.fetch(:model).to_s, nil)&.fetch(:model_name) || reference.fetch(:model)
+        target_field = reference.fetch(:field)
+        on_delete = reference[:on_delete] ? " ON DELETE #{reference[:on_delete].to_s.upcase}" : ""
+
+        case dialect
+        when :postgres, :sqlite
+          %(FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        when :mysql
+          %(CONSTRAINT #{quote("fk_#{table_name}_#{column}", dialect)} FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        when :mssql
+          %(CONSTRAINT #{quote("fk_#{table_name}_#{column}", dialect)} FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        end
+      end
+
+      def quote(identifier, dialect)
+        case dialect
+        when :postgres, :sqlite
+          %("#{identifier.to_s.gsub("\"", "\"\"")}")
+        when :mysql
+          "`#{identifier.to_s.gsub("`", "``")}`"
+        when :mssql
+          "[#{identifier.to_s.gsub("]", "]]")}]"
+        else
+          raise ArgumentError, "Unsupported SQL dialect: #{dialect}"
+        end
+      end
+
+      def physical_name(value)
+        value.to_s
+          .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+          .tr("-", "_")
+          .downcase
+      end
+    end
+  end
+end