better_auth 0.1.1 → 0.2.0

data/lib/better_auth/cookies.rb

@@ -0,0 +1,278 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+require "uri"
+
+module BetterAuth
+  module Cookies
+    SECURE_COOKIE_PREFIX = "__Secure-"
+    HOST_COOKIE_PREFIX = "__Host-"
+
+    Cookie = Struct.new(:name, :attributes, keyword_init: true) do
+      alias_method :options, :attributes
+    end
+
+    module_function
+
+    def get_cookies(options)
+      {
+        session_token: create_cookie(options, "session_token", max_age: options.session[:expires_in] || 60 * 60 * 24 * 7),
+        session_data: create_cookie(options, "session_data", max_age: options.session.dig(:cookie_cache, :max_age) || 60 * 5),
+        account_data: create_cookie(options, "account_data", max_age: options.session.dig(:cookie_cache, :max_age) || 60 * 5),
+        dont_remember: create_cookie(options, "dont_remember")
+      }
+    end
+
+    def create_cookie(options, cookie_name, override_attributes = {})
+      advanced = options.advanced || {}
+      secure = if advanced.key?(:use_secure_cookies)
+        advanced[:use_secure_cookies]
+      elsif options.base_url.to_s.start_with?("https://")
+        true
+      else
+        production_environment?
+      end
+      cross_subdomain = advanced.dig(:cross_subdomain_cookies, :enabled)
+      domain = if cross_subdomain
+        advanced.dig(:cross_subdomain_cookies, :domain) || begin
+          uri = URI.parse(options.base_url.to_s)
+          uri.host unless uri.host.to_s.empty?
+        end
+      end
+      raise Error, "base_url is required when cross_subdomain_cookies are enabled" if cross_subdomain && domain.to_s.empty?
+
+      custom = advanced.dig(:cookies, cookie_name.to_sym) || {}
+      prefix = advanced[:cookie_prefix] || "better-auth"
+      name = custom[:name] || "#{prefix}.#{cookie_name}"
+      attributes = {
+        secure: !!secure,
+        same_site: "lax",
+        path: "/",
+        http_only: true
+      }
+      attributes[:domain] = domain if domain
+      attributes = attributes
+        .merge(advanced[:default_cookie_attributes] || {})
+        .merge(override_attributes || {})
+        .merge(custom[:attributes] || {})
+        .compact
+
+      cookie_prefix = secure ? SECURE_COOKIE_PREFIX : ""
+      Cookie.new(name: "#{cookie_prefix}#{name}", attributes: attributes)
+    end
+
+    def parse_cookies(cookie_header)
+      cookie_header.to_s.split(/;\s*/).each_with_object({}) do |pair, result|
+        name, value = pair.split("=", 2)
+        next if name.to_s.empty? || value.nil?
+
+        result[name.strip] = value.strip
+      end
+    end
+
+    def strip_secure_cookie_prefix(name)
+      name.to_s.delete_prefix(SECURE_COOKIE_PREFIX).delete_prefix(HOST_COOKIE_PREFIX)
+    end
+
+    def get_session_cookie(request_or_cookie_header, config = {})
+      cookie_header = header_value(request_or_cookie_header)
+      return nil if cookie_header.to_s.empty?
+
+      parsed = parse_cookies(cookie_header)
+      cookie_name = config[:cookie_name] || "session_token"
+      cookie_prefix = config[:cookie_prefix] || "better-auth"
+      candidates = [
+        "#{cookie_prefix}.#{cookie_name}",
+        "#{SECURE_COOKIE_PREFIX}#{cookie_prefix}.#{cookie_name}",
+        "#{cookie_prefix}-#{cookie_name}",
+        "#{SECURE_COOKIE_PREFIX}#{cookie_prefix}-#{cookie_name}"
+      ]
+      candidates.lazy.filter_map { |candidate| parsed[candidate] }.first
+    end
+
+    def set_session_cookie(ctx, session, dont_remember_me = false, overrides = {})
+      token_cookie = ctx.context.auth_cookies[:session_token]
+      max_age = dont_remember_me ? nil : ctx.context.session_config[:expires_in]
+      ctx.set_signed_cookie(token_cookie.name, session.fetch(:session).fetch("token"), ctx.context.secret, token_cookie.attributes.merge(max_age: max_age).merge(overrides || {}))
+
+      if dont_remember_me
+        dont_remember_cookie = ctx.context.auth_cookies[:dont_remember]
+        ctx.set_signed_cookie(dont_remember_cookie.name, "true", ctx.context.secret, dont_remember_cookie.attributes)
+      end
+
+      set_cookie_cache(ctx, session, dont_remember_me)
+      ctx.context.set_new_session(session) if ctx.context.respond_to?(:set_new_session)
+    end
+
+    def set_cookie_cache(ctx, session, dont_remember_me)
+      config = ctx.context.session_config[:cookie_cache] || {}
+      return unless config[:enabled]
+
+      cookie = ctx.context.auth_cookies[:session_data]
+      max_age = dont_remember_me ? nil : cookie.attributes[:max_age]
+      data = filtered_cache_data(ctx, session)
+      value = encode_cookie_cache(data, ctx.context.secret, strategy: config[:strategy] || "compact", max_age: max_age || 60 * 5)
+      attributes = cookie.attributes.merge(max_age: max_age)
+      store = SessionStore.new(cookie.name, attributes, ctx)
+
+      if value.length > SessionStore::CHUNK_SIZE
+        store.set_cookies(store.chunk(value, attributes))
+      else
+        store.set_cookies(store.clean) if store.chunks?
+        ctx.set_cookie(cookie.name, value, attributes)
+      end
+    end
+
+    def set_account_cookie(ctx, account_data)
+      return unless ctx.context.options.account[:store_account_cookie]
+
+      cookie = ctx.context.auth_cookies[:account_data]
+      attributes = cookie.attributes.merge(max_age: cookie.attributes[:max_age] || 60 * 5)
+      value = Crypto.symmetric_encode_jwt(stringify_keys(account_data), ctx.context.secret, "better-auth-account", expires_in: attributes[:max_age])
+      store = SessionStore.new(cookie.name, attributes, ctx)
+
+      if value.length > SessionStore::CHUNK_SIZE
+        store.set_cookies(store.chunk(value, attributes))
+      else
+        store.set_cookies(store.clean) if store.chunks?
+        ctx.set_cookie(cookie.name, value, attributes)
+      end
+    end
+
+    def get_account_cookie(ctx)
+      cookie = ctx.context.auth_cookies[:account_data]
+      value = SessionStore.get_chunked_cookie(ctx, cookie.name)
+      return nil unless value
+
+      Crypto.symmetric_decode_jwt(value, ctx.context.secret, "better-auth-account")
+    end
+
+    def get_cookie_cache(request_or_cookie_header, secret:, strategy: "compact", version: nil, cookie_prefix: "better-auth", cookie_name: "session_data", is_secure: nil)
+      cookie_header = header_value(request_or_cookie_header)
+      return nil if cookie_header.to_s.empty?
+
+      parsed = parse_cookies(cookie_header)
+      name = if is_secure.nil?
+        production_environment? ? "#{SECURE_COOKIE_PREFIX}#{cookie_prefix}.#{cookie_name}" : "#{cookie_prefix}.#{cookie_name}"
+      else
+        secure_prefix = is_secure ? SECURE_COOKIE_PREFIX : ""
+        "#{secure_prefix}#{cookie_prefix}.#{cookie_name}"
+      end
+      raw = parsed[name] || chunked_value(parsed, name)
+      return nil unless raw
+
+      payload = decode_cookie_cache(raw, secret, strategy: strategy)
+      return nil unless payload && payload["session"] && payload["user"]
+
+      expected_version = cookie_cache_version(version, payload["session"], payload["user"])
+      return nil if version && (payload["version"] || "1") != expected_version
+
+      payload
+    end
+
+    def expire_cookie(ctx, cookie)
+      ctx.set_cookie(cookie.name, "", cookie.attributes.merge(max_age: 0))
+    end
+
+    def delete_session_cookie(ctx, skip_dont_remember_me: false)
+      expire_cookie(ctx, ctx.context.auth_cookies[:session_token])
+      expire_cookie(ctx, ctx.context.auth_cookies[:session_data])
+      expire_cookie(ctx, ctx.context.auth_cookies[:account_data]) if ctx.context.options.account[:store_account_cookie]
+
+      store = SessionStore.new(ctx.context.auth_cookies[:session_data].name, ctx.context.auth_cookies[:session_data].attributes, ctx)
+      store.set_cookies(store.clean)
+      expire_cookie(ctx, ctx.context.auth_cookies[:dont_remember]) unless skip_dont_remember_me
+    end
+
+    def dont_remember?(ctx)
+      cookie = ctx.context.auth_cookies[:dont_remember]
+      ctx.get_signed_cookie(cookie.name, ctx.context.secret) == "true"
+    end
+
+    def encode_cookie_cache(data, secret, strategy:, max_age:)
+      case strategy.to_s
+      when "jwt"
+        Crypto.sign_jwt(data, secret, expires_in: max_age)
+      when "jwe"
+        Crypto.symmetric_encode_jwt(data, secret, "better-auth-session", expires_in: max_age)
+      else
+        expires_at = current_millis + (max_age.to_i * 1000)
+        signed = data.merge("expiresAt" => expires_at)
+        signature = Crypto.hmac_signature(JSON.generate(signed), secret, encoding: :base64url)
+        Crypto.base64url_encode(JSON.generate({"session" => data, "expiresAt" => expires_at, "signature" => signature}))
+      end
+    end
+
+    def decode_cookie_cache(value, secret, strategy:)
+      case strategy.to_s
+      when "jwt"
+        Crypto.verify_jwt(value, secret)
+      when "jwe"
+        Crypto.symmetric_decode_jwt(value, secret, "better-auth-session")
+      else
+        payload = JSON.parse(Crypto.base64url_decode(value))
+        return nil if payload["expiresAt"].to_i <= current_millis
+
+        signed = payload.fetch("session").merge("expiresAt" => payload.fetch("expiresAt"))
+        valid = Crypto.verify_hmac_signature(JSON.generate(signed), payload["signature"], secret, encoding: :base64url)
+        valid ? payload["session"] : nil
+      end
+    rescue JSON::ParserError, KeyError, ArgumentError, JWT::DecodeError
+      nil
+    end
+
+    def filtered_cache_data(ctx, session)
+      {
+        "session" => stringify_keys(Schema.parse_output(ctx.context.options, "session", stringify_keys(session.fetch(:session)))),
+        "user" => stringify_keys(Schema.parse_output(ctx.context.options, "user", stringify_keys(session.fetch(:user)))),
+        "updatedAt" => current_millis,
+        "version" => cookie_cache_version(
+          ctx.context.session_config.dig(:cookie_cache, :version),
+          session.fetch(:session),
+          session.fetch(:user)
+        )
+      }
+    end
+
+    def chunked_value(cookies, name)
+      chunks = cookies.each_with_object([]) do |(cookie_name, value), result|
+        next unless cookie_name.start_with?("#{name}.")
+
+        result << [SessionStore.chunk_index(cookie_name), value]
+      end
+      return nil if chunks.empty?
+
+      chunks.sort_by(&:first).map(&:last).join
+    end
+
+    def header_value(request_or_cookie_header)
+      return request_or_cookie_header.headers["cookie"] if request_or_cookie_header.respond_to?(:headers)
+      return request_or_cookie_header.get_header("HTTP_COOKIE") if request_or_cookie_header.respond_to?(:get_header)
+
+      request_or_cookie_header.to_s
+    end
+
+    def cookie_cache_version(config, session, user)
+      return "1" unless config
+      return config.to_s unless config.respond_to?(:call)
+
+      config.call(session, user).to_s
+    end
+
+    def current_millis
+      (Time.now.to_f * 1000).to_i
+    end
+
+    def stringify_keys(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+      return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+      value
+    end
+
+    def production_environment?
+      ENV["RACK_ENV"] == "production" || ENV["RAILS_ENV"] == "production" || ENV["APP_ENV"] == "production"
+    end
+  end
+end

data/lib/better_auth/core.rb

@@ -1,7 +1,43 @@
 # frozen_string_literal: true
 
+require_relative "request_ip"
+
 module BetterAuth
   module Core
-    # Core authentication logic goes here
+    def self.base_endpoints
+      {
+        ok: Routes.ok,
+        error: Routes.error,
+        sign_up_email: Routes.sign_up_email,
+        sign_in_email: Routes.sign_in_email,
+        sign_in_social: Routes.sign_in_social,
+        callback_oauth: Routes.callback_oauth,
+        sign_out: Routes.sign_out,
+        get_session: Routes.get_session,
+        list_sessions: Routes.list_sessions,
+        update_session: Routes.update_session,
+        revoke_session: Routes.revoke_session,
+        revoke_sessions: Routes.revoke_sessions,
+        revoke_other_sessions: Routes.revoke_other_sessions,
+        request_password_reset: Routes.request_password_reset,
+        request_password_reset_callback: Routes.request_password_reset_callback,
+        reset_password: Routes.reset_password,
+        verify_password: Routes.verify_password,
+        send_verification_email: Routes.send_verification_email,
+        verify_email: Routes.verify_email,
+        update_user: Routes.update_user,
+        change_email: Routes.change_email,
+        change_password: Routes.change_password,
+        set_password: Routes.set_password,
+        delete_user: Routes.delete_user,
+        delete_user_callback: Routes.delete_user_callback,
+        list_accounts: Routes.list_accounts,
+        link_social: Routes.link_social,
+        unlink_account: Routes.unlink_account,
+        get_access_token: Routes.get_access_token,
+        refresh_token: Routes.refresh_token,
+        account_info: Routes.account_info
+      }
+    end
   end
 end

data/lib/better_auth/crypto/jwe.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+require "base64"
+require "json"
+require "openssl"
+require "securerandom"
+
+previous_verbose = $VERBOSE
+$VERBOSE = nil
+require "jwe"
+$VERBOSE = previous_verbose
+
+module BetterAuth
+  module Crypto
+    module JWE
+      ALG = "dir"
+      ENC = "A256CBC-HS512"
+      INFO = "BetterAuth.js Generated Encryption Key"
+      CLOCK_TOLERANCE = 15
+
+      module_function
+
+      def encode(payload, secret, salt, expires_in: 3600)
+        claims = Crypto.stringify_keys(payload).merge(
+          "iat" => Time.now.to_i,
+          "exp" => Time.now.to_i + expires_in.to_i,
+          "jti" => SecureRandom.uuid
+        )
+        key = encryption_key(secret, salt)
+        ::JWE.encrypt(JSON.generate(claims), key, alg: ALG, enc: ENC, kid: thumbprint(key))
+      end
+
+      def decode(token, secret, salt)
+        return nil if token.to_s.empty?
+
+        header = protected_header(token)
+        return nil unless valid_header?(header)
+        return nil unless header["kid"].nil? || header["kid"] == thumbprint(encryption_key(secret, salt))
+
+        payload = JSON.parse(::JWE.decrypt(token.to_s, encryption_key(secret, salt)))
+        return nil if expired?(payload)
+
+        payload
+      rescue JSON::ParserError, ArgumentError, ::JWE::DecodeError, ::JWE::InvalidData, ::JWE::BadCEK
+        nil
+      end
+
+      def encryption_key(secret, salt)
+        OpenSSL::KDF.hkdf(secret.to_s, salt: salt.to_s, info: INFO, length: 64, hash: "SHA256")
+      end
+
+      def thumbprint(key)
+        jwk = {
+          "k" => Base64.urlsafe_encode64(key, padding: false),
+          "kty" => "oct"
+        }
+        Crypto.base64url_encode(OpenSSL::Digest.digest("SHA256", JSON.generate(jwk)))
+      end
+
+      def protected_header(token)
+        first_segment = token.to_s.split(".", 2).first
+        JSON.parse(Crypto.base64url_decode(first_segment))
+      rescue JSON::ParserError, ArgumentError
+        {}
+      end
+
+      def valid_header?(header)
+        header["alg"] == ALG && header["enc"] == ENC
+      end
+
+      def expired?(payload)
+        payload["exp"] && payload["exp"].to_i < Time.now.to_i - CLOCK_TOLERANCE
+      end
+    end
+  end
+end

data/lib/better_auth/crypto.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require "base64"
+require "json"
+require "jwt"
+require "openssl"
+require "securerandom"
+require_relative "crypto/jwe"
+
+module BetterAuth
+  module Crypto
+    URL_SAFE_ALPHABET = [*"a".."z", *"A".."Z", *"0".."9", "-", "_"].freeze
+    MASK_64 = (1 << 64) - 1
+    KECCAK_ROUND_CONSTANTS = [
+      0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
+      0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
+      0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
+      0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
+      0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
+      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008
+    ].freeze
+    KECCAK_ROTATION_OFFSETS = [
+      [0, 36, 3, 41, 18],
+      [1, 44, 10, 45, 2],
+      [62, 6, 43, 15, 61],
+      [28, 55, 25, 21, 56],
+      [27, 20, 39, 8, 14]
+    ].freeze
+
+    module_function
+
+    def random_string(length = 32)
+      Array.new(length) { URL_SAFE_ALPHABET[SecureRandom.random_number(URL_SAFE_ALPHABET.length)] }.join
+    end
+
+    def uuid
+      SecureRandom.uuid
+    end
+
+    def sha256(value, encoding: :hex)
+      digest = OpenSSL::Digest.digest("SHA256", value.to_s)
+      (encoding == :base64url) ? base64url_encode(digest) : digest.unpack1("H*")
+    end
+
+    def keccak256(value, encoding: :hex)
+      digest = keccak256_bytes(value.to_s.b)
+      (encoding == :bytes) ? digest : digest.unpack1("H*")
+    end
+
+    def to_checksum_address(address)
+      normalized = address.to_s.downcase.delete_prefix("0x")
+      hash = keccak256(normalized)
+
+      "0x" + normalized.chars.each_with_index.map do |char, index|
+        (hash[index].to_i(16) >= 8) ? char.upcase : char
+      end.join
+    end
+
+    def hmac_signature(value, secret, encoding: :base64)
+      digest = OpenSSL::HMAC.digest("SHA256", secret.to_s, value.to_s)
+      (encoding == :base64url) ? base64url_encode(digest) : Base64.strict_encode64(digest)
+    end
+
+    def verify_hmac_signature(value, signature, secret, encoding: :base64)
+      expected = hmac_signature(value, secret, encoding: encoding)
+      constant_time_compare(expected, signature.to_s)
+    end
+
+    def constant_time_compare(left, right)
+      return false unless left.bytesize == right.bytesize
+
+      OpenSSL.fixed_length_secure_compare(left, right)
+    end
+
+    def symmetric_encrypt(key:, data:)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.encrypt
+      cipher.key = OpenSSL::Digest.digest("SHA256", key.to_s)
+      iv = SecureRandom.random_bytes(12)
+      cipher.iv = iv
+      ciphertext = cipher.update(data.to_s) + cipher.final
+      payload = {
+        "iv" => base64url_encode(iv),
+        "data" => base64url_encode(ciphertext),
+        "tag" => base64url_encode(cipher.auth_tag)
+      }
+      base64url_encode(JSON.generate(payload))
+    end
+
+    def symmetric_decrypt(key:, data:)
+      payload = JSON.parse(base64url_decode(data.to_s))
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.decrypt
+      cipher.key = OpenSSL::Digest.digest("SHA256", key.to_s)
+      cipher.iv = base64url_decode(payload.fetch("iv"))
+      cipher.auth_tag = base64url_decode(payload.fetch("tag"))
+      cipher.update(base64url_decode(payload.fetch("data"))) + cipher.final
+    rescue JSON::ParserError, KeyError, OpenSSL::Cipher::CipherError, ArgumentError
+      nil
+    end
+
+    def sign_jwt(payload, secret, expires_in: 3600)
+      claims = stringify_keys(payload).merge(
+        "iat" => Time.now.to_i,
+        "exp" => Time.now.to_i + expires_in.to_i
+      )
+      JWT.encode(claims, secret.to_s, "HS256")
+    end
+
+    def verify_jwt(token, secret)
+      decoded, = JWT.decode(token.to_s, secret.to_s, true, algorithm: "HS256")
+      decoded
+    rescue JWT::DecodeError
+      nil
+    end
+
+    def symmetric_encode_jwt(payload, secret, salt, expires_in: 3600)
+      JWE.encode(payload, secret, salt, expires_in: expires_in)
+    end
+
+    def symmetric_decode_jwt(token, secret, salt)
+      JWE.decode(token, secret, salt)
+    end
+
+    def base64url_encode(value)
+      Base64.urlsafe_encode64(value.to_s, padding: false)
+    end
+
+    def base64url_decode(value)
+      Base64.urlsafe_decode64(value.to_s)
+    end
+
+    def stringify_keys(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+      return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+      value
+    end
+
+    def keccak256_bytes(input)
+      rate = 136
+      state = Array.new(25, 0)
+      padded = input.bytes
+      padded << 0x01
+      padded << 0 while (padded.length % rate) != rate - 1
+      padded << 0x80
+
+      padded.each_slice(rate) do |block|
+        block.each_with_index do |byte, index|
+          state[index / 8] ^= byte << (8 * (index % 8))
+        end
+        keccak_permute!(state)
+      end
+
+      state.pack("Q<*").byteslice(0, 32)
+    end
+
+    def keccak_permute!(state)
+      KECCAK_ROUND_CONSTANTS.each do |round_constant|
+        columns = Array.new(5) { |x| state[x] ^ state[x + 5] ^ state[x + 10] ^ state[x + 15] ^ state[x + 20] }
+        deltas = Array.new(5) { |x| columns[(x - 1) % 5] ^ rotate_left_64(columns[(x + 1) % 5], 1) }
+        5.times do |x|
+          5.times { |y| state[x + (5 * y)] = (state[x + (5 * y)] ^ deltas[x]) & MASK_64 }
+        end
+
+        rotated = Array.new(25, 0)
+        5.times do |x|
+          5.times do |y|
+            rotated[y + (5 * ((2 * x + 3 * y) % 5))] =
+              rotate_left_64(state[x + (5 * y)], KECCAK_ROTATION_OFFSETS[x][y])
+          end
+        end
+
+        5.times do |y|
+          5.times do |x|
+            state[x + (5 * y)] =
+              (rotated[x + (5 * y)] ^ ((~rotated[((x + 1) % 5) + (5 * y)]) & rotated[((x + 2) % 5) + (5 * y)])) & MASK_64
+          end
+        end
+        state[0] = (state[0] ^ round_constant) & MASK_64
+      end
+    end
+
+    def rotate_left_64(value, shift)
+      shift %= 64
+      return value & MASK_64 if shift.zero?
+
+      ((value << shift) | (value >> (64 - shift))) & MASK_64
+    end
+  end
+end