better_auth 0.1.1 → 0.2.0

data/lib/better_auth/database_hooks.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class DatabaseHooks
+    attr_reader :adapter, :options
+
+    def initialize(adapter, options)
+      @adapter = adapter
+      @options = options
+    end
+
+    def create(data, model, custom: nil, context: nil)
+      run_before(model, :create, data, context) do |actual_data|
+        created = custom ? custom.call(actual_data) : adapter.create(model: model, data: actual_data, force_allow_id: true)
+        run_after(model, :create, created)
+        created
+      end
+    end
+
+    def update(data, where, model, custom: nil, context: nil)
+      run_before(model, :update, data, context) do |actual_data|
+        updated = custom ? custom.call(actual_data) : adapter.update(model: model, where: where, update: actual_data)
+        run_after(model, :update, updated) if updated
+        updated
+      end
+    end
+
+    def update_many(data, where, model, custom: nil, context: nil)
+      run_before(model, :update, data, context) do |actual_data|
+        updated = custom ? custom.call(actual_data) : adapter.update_many(model: model, where: where, update: actual_data)
+        run_after(model, :update, updated) if updated
+        updated
+      end
+    end
+
+    def delete(where, model, custom: nil, context: nil)
+      entity = adapter.find_one(model: model, where: where)
+      return custom ? custom.call(where) : adapter.delete(model: model, where: where) unless entity
+
+      return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+
+      deleted = custom ? custom.call(where) : adapter.delete(model: model, where: where)
+      after_hooks(model, :delete).each { |hook| hook.call(entity, context) }
+      deleted
+    end
+
+    def delete_many(where, model, custom: nil, context: nil)
+      entities = adapter.find_many(model: model, where: where)
+      entities.each do |entity|
+        return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+      end
+      deleted = custom ? custom.call(where) : adapter.delete_many(model: model, where: where)
+      entities.each { |entity| after_hooks(model, :delete).each { |hook| hook.call(entity, context) } }
+      deleted
+    end
+
+    private
+
+    def run_before(model, action, data, context)
+      actual_data = stringify_keys(data)
+      before_hooks(model, action).each do |hook|
+        result = hook.call(actual_data, context)
+        return nil if result == false
+
+        hook_data = result.is_a?(Hash) ? (result[:data] || result["data"]) : nil
+        actual_data = actual_data.merge(stringify_keys(hook_data)) if hook_data
+      end
+      yield actual_data
+    end
+
+    def run_after(model, action, data)
+      after_hooks(model, action).each { |hook| hook.call(data, nil) }
+    end
+
+    def before_hooks(model, action)
+      hooks_for(model, action, :before)
+    end
+
+    def after_hooks(model, action)
+      hooks_for(model, action, :after)
+    end
+
+    def hooks_for(model, action, phase)
+      all_hooks.filter_map do |hooks|
+        model_hooks = hooks[model.to_sym] || hooks[model.to_s]
+        action_hooks = model_hooks&.fetch(action, nil) || model_hooks&.fetch(action.to_s, nil)
+        action_hooks&.fetch(phase, nil) || action_hooks&.fetch(phase.to_s, nil)
+      end
+    end
+
+    def all_hooks
+      direct = if options.database_hooks.nil?
+        []
+      elsif options.database_hooks.is_a?(Array)
+        options.database_hooks
+      else
+        [options.database_hooks]
+      end
+      plugin_hooks = options.plugins.filter_map do |plugin|
+        init_options = plugin.dig(:options, :database_hooks) || plugin.dig("options", "databaseHooks")
+        plugin[:database_hooks] || plugin["databaseHooks"] || init_options
+      end
+      direct + plugin_hooks
+    end
+
+    def stringify_keys(data)
+      return {} unless data
+
+      data.each_with_object({}) do |(key, value), result|
+        result[Schema.storage_key(key)] = value
+      end
+    end
+  end
+end

data/lib/better_auth/endpoint.rb

@@ -0,0 +1,326 @@
+# frozen_string_literal: true
+
+require "json"
+
+module BetterAuth
+  class Endpoint
+    attr_reader :path,
+      :body_schema,
+      :query_schema,
+      :headers_schema,
+      :metadata,
+      :use,
+      :handler
+
+    def initialize(path: nil, method: nil, body_schema: nil, query_schema: nil, headers_schema: nil, metadata: {}, use: [], &handler)
+      @path = path
+      @methods = Array(method || "*").map { |value| value.to_s.upcase }
+      @body_schema = body_schema
+      @query_schema = query_schema
+      @headers_schema = headers_schema
+      @metadata = metadata || {}
+      @use = Array(use)
+      @handler = handler || ->(_ctx) {}
+    end
+
+    def methods
+      @methods.empty? ? ["*"] : @methods
+    end
+
+    def matches_method?(method)
+      methods.include?("*") || methods.include?(method.to_s.upcase)
+    end
+
+    def call(context)
+      apply_schemas!(context)
+
+      use.each do |middleware|
+        middleware_result = middleware.call(context)
+        return Result.from_value(middleware_result, context) if middleware_result
+      end
+
+      Result.from_value(handler.call(context), context)
+    end
+
+    private
+
+    def apply_schemas!(context)
+      context.body = validate_schema(:body, body_schema, context.body)
+      context.query = validate_schema(:query, query_schema, context.query)
+      context.headers = context.send(:normalize_headers, validate_schema(:headers, headers_schema, context.headers))
+    end
+
+    def validate_schema(_label, schema, value)
+      return value unless schema
+
+      parsed = parse_schema(schema, value)
+      return value if parsed.nil?
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VALIDATION_ERROR"]) if parsed == false
+
+      parsed
+    rescue APIError
+      raise
+    rescue => error
+      raise APIError.new("BAD_REQUEST", message: error.message.empty? ? BASE_ERROR_CODES["VALIDATION_ERROR"] : error.message)
+    end
+
+    def parse_schema(schema, value)
+      if schema.respond_to?(:parse)
+        schema.parse(value)
+      elsif schema.respond_to?(:call)
+        normalize_schema_result(schema.call(value))
+      else
+        value
+      end
+    end
+
+    def normalize_schema_result(result)
+      if result.respond_to?(:success?)
+        return result.to_h if result.success? && result.respond_to?(:to_h)
+        return false unless result.success?
+      end
+
+      result
+    end
+
+    class Result
+      attr_accessor :response, :status, :headers
+
+      def initialize(response:, status: 200, headers: {}, raw_response: nil)
+        @response = response
+        @status = status
+        @headers = normalize_headers(headers)
+        @raw_response = raw_response
+      end
+
+      def self.from_value(value, context)
+        return value if value.is_a?(self)
+
+        if value.is_a?(APIError)
+          return new(response: value, status: value.status_code, headers: value.headers)
+        end
+
+        if rack_response?(value)
+          return new(response: nil, status: value[0], headers: value[1], raw_response: value)
+        end
+
+        headers = context.response_headers.dup
+        if value.is_a?(self)
+          headers = merge_headers(headers, value.headers)
+          return new(response: value.response, status: value.status, headers: headers)
+        end
+
+        new(response: value, status: context.status, headers: headers)
+      end
+
+      def self.rack_response?(value)
+        value.is_a?(Array) && value.length == 3 && value[0].is_a?(Integer) && value[1].is_a?(Hash)
+      end
+
+      def self.merge_headers(base, extra)
+        extra.each_with_object(base.dup) do |(key, value), result|
+          normalized = key.to_s.downcase
+          result[normalized] = if normalized == "set-cookie" && result[normalized]
+            [result[normalized], value].join("\n")
+          else
+            value
+          end
+        end
+      end
+
+      def raw_response?
+        !@raw_response.nil?
+      end
+
+      def to_rack_response
+        return @raw_response if raw_response?
+
+        body = if response.nil?
+          [""]
+        elsif response.is_a?(String)
+          [response]
+        else
+          [JSON.generate(response)]
+        end
+        response_headers = {"content-type" => "application/json"}.merge(headers)
+        [status, response_headers, body]
+      end
+
+      private
+
+      def normalize_headers(headers)
+        headers.each_with_object({}) do |(key, value), result|
+          result[key.to_s.downcase] = value
+        end
+      end
+    end
+
+    class Context
+      attr_accessor :path,
+        :method,
+        :query,
+        :body,
+        :params,
+        :headers,
+        :context,
+        :request,
+        :status,
+        :returned,
+        :response_headers
+
+      def initialize(path:, method:, query:, body:, params:, headers:, context:, request: nil)
+        @path = path
+        @method = method.to_s.upcase
+        @query = query || {}
+        @body = body || {}
+        @params = params || {}
+        @headers = normalize_headers(headers || {})
+        @context = context
+        @request = request
+        @status = 200
+        @response_headers = {}
+        @returned = nil
+      end
+
+      def set_status(value)
+        @status = value
+      end
+
+      def set_header(key, value)
+        normalized = safe_header_name(key)
+        safe_value = safe_header_value(value)
+        response_headers[normalized] = if normalized == "set-cookie" && response_headers[normalized]
+          [response_headers[normalized], safe_value].join("\n")
+        else
+          safe_value
+        end
+      end
+
+      def set_cookie(name, value, options = {})
+        attributes = cookie_attributes(options)
+        cookie = (["#{name}=#{value}"] + attributes).join("; ")
+        set_header("set-cookie", cookie)
+      end
+
+      def get_cookie(name)
+        cookies[name.to_s]
+      end
+
+      def cookies
+        BetterAuth::Cookies.parse_cookies(headers["cookie"])
+      end
+
+      def set_signed_cookie(name, value, secret, options = {})
+        signature = BetterAuth::Crypto.hmac_signature(value, secret, encoding: :base64url)
+        set_cookie(name, "#{value}.#{signature}", options)
+      end
+
+      def get_signed_cookie(name, secret)
+        value = get_cookie(name)
+        return nil unless value
+
+        payload, signature = value.rpartition(".").values_at(0, 2)
+        return nil if payload.empty? || signature.empty?
+
+        BetterAuth::Crypto.verify_hmac_signature(payload, signature, secret, encoding: :base64url) ? payload : nil
+      end
+
+      def json(value, status: nil, headers: {})
+        set_status(status) if status
+        headers.each { |key, header_value| set_header(key, header_value) }
+        Result.new(response: value, status: self.status, headers: response_headers)
+      end
+
+      def error(status, message: nil, headers: {})
+        APIError.new(status, message: message, headers: headers)
+      end
+
+      def redirect(location, status: 302)
+        code = (status == 302) ? "FOUND" : status
+        APIError.new(code, message: "Redirect", headers: {"location" => location})
+      end
+
+      def merge_context!(data)
+        data.each do |key, value|
+          case key.to_sym
+          when :query
+            @query = deep_merge(query, value)
+          when :body
+            @body = deep_merge(body, value)
+          when :params
+            @params = deep_merge(params, value)
+          when :headers
+            @headers = normalize_headers(deep_merge(headers, value))
+          else
+            public_send("#{key}=", value) if respond_to?("#{key}=")
+          end
+        end
+      end
+
+      private
+
+      def normalize_headers(value)
+        value.each_with_object({}) do |(key, header_value), result|
+          result[key.to_s.downcase.tr("_", "-")] = header_value
+        end
+      end
+
+      def deep_merge(base, override)
+        return override unless base.is_a?(Hash) && override.is_a?(Hash)
+
+        base.merge(override) do |_key, old_value, new_value|
+          if old_value.is_a?(Hash) && new_value.is_a?(Hash)
+            deep_merge(old_value, new_value)
+          else
+            new_value
+          end
+        end
+      end
+
+      def safe_header_name(value)
+        name = value.to_s.downcase
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: "Invalid header name") if name.match?(/[\r\n]/)
+
+        name
+      end
+
+      def safe_header_value(value)
+        header_value = value.to_s
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: "Invalid header value") if header_value.match?(/[\r\n]/)
+
+        header_value
+      end
+
+      def cookie_attributes(options)
+        options.compact.filter_map do |key, option_value|
+          next if option_value == false
+
+          name = cookie_attribute_name(key)
+          if option_value == true
+            name
+          else
+            "#{name}=#{cookie_attribute_value(key, option_value)}"
+          end
+        end
+      end
+
+      def cookie_attribute_name(key)
+        case key.to_sym
+        when :max_age then "Max-Age"
+        when :http_only, :httponly then "HttpOnly"
+        when :same_site, :samesite then "SameSite"
+        else
+          key.to_s.split("_").map(&:capitalize).join("-")
+        end
+      end
+
+      def cookie_attribute_value(key, value)
+        if [:same_site, :samesite].include?(key.to_sym)
+          return value.to_s.capitalize
+        end
+
+        value
+      end
+    end
+  end
+end

data/lib/better_auth/error.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class Error < StandardError
+  end
+
+  BASE_ERROR_CODES = {
+    "USER_NOT_FOUND" => "User not found",
+    "FAILED_TO_CREATE_USER" => "Failed to create user",
+    "FAILED_TO_CREATE_SESSION" => "Failed to create session",
+    "FAILED_TO_UPDATE_USER" => "Failed to update user",
+    "FAILED_TO_GET_SESSION" => "Failed to get session",
+    "INVALID_PASSWORD" => "Invalid password",
+    "INVALID_EMAIL" => "Invalid email",
+    "INVALID_EMAIL_OR_PASSWORD" => "Invalid email or password",
+    "SOCIAL_ACCOUNT_ALREADY_LINKED" => "Social account already linked",
+    "PROVIDER_NOT_FOUND" => "Provider not found",
+    "INVALID_TOKEN" => "Invalid token",
+    "ID_TOKEN_NOT_SUPPORTED" => "id_token not supported",
+    "FAILED_TO_GET_USER_INFO" => "Failed to get user info",
+    "USER_EMAIL_NOT_FOUND" => "User email not found",
+    "EMAIL_NOT_VERIFIED" => "Email not verified",
+    "PASSWORD_TOO_SHORT" => "Password too short",
+    "PASSWORD_TOO_LONG" => "Password too long",
+    "USER_ALREADY_EXISTS" => "User already exists.",
+    "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL" => "User already exists. Use another email.",
+    "EMAIL_CAN_NOT_BE_UPDATED" => "Email can not be updated",
+    "CREDENTIAL_ACCOUNT_NOT_FOUND" => "Credential account not found",
+    "SESSION_EXPIRED" => "Session expired. Re-authenticate to perform this action.",
+    "FAILED_TO_UNLINK_LAST_ACCOUNT" => "You can't unlink your last account",
+    "ACCOUNT_NOT_FOUND" => "Account not found",
+    "USER_ALREADY_HAS_PASSWORD" => "User already has a password. Provide that to delete the account.",
+    "CROSS_SITE_NAVIGATION_LOGIN_BLOCKED" => "Cross-site navigation login blocked. This request appears to be a CSRF attack.",
+    "VERIFICATION_EMAIL_NOT_ENABLED" => "Verification email isn't enabled",
+    "EMAIL_ALREADY_VERIFIED" => "Email is already verified",
+    "EMAIL_MISMATCH" => "Email mismatch",
+    "SESSION_NOT_FRESH" => "Session is not fresh",
+    "LINKED_ACCOUNT_ALREADY_EXISTS" => "Linked account already exists",
+    "INVALID_ORIGIN" => "Invalid origin",
+    "INVALID_CALLBACK_URL" => "Invalid callbackURL",
+    "INVALID_REDIRECT_URL" => "Invalid redirectURL",
+    "INVALID_ERROR_CALLBACK_URL" => "Invalid errorCallbackURL",
+    "INVALID_NEW_USER_CALLBACK_URL" => "Invalid newUserCallbackURL",
+    "MISSING_OR_NULL_ORIGIN" => "Missing or null Origin",
+    "CALLBACK_URL_REQUIRED" => "callbackURL is required",
+    "FAILED_TO_CREATE_VERIFICATION" => "Unable to create verification",
+    "FIELD_NOT_ALLOWED" => "Field not allowed to be set",
+    "ASYNC_VALIDATION_NOT_SUPPORTED" => "Async validation is not supported",
+    "VALIDATION_ERROR" => "Validation Error",
+    "MISSING_FIELD" => "Field is required"
+  }.freeze
+end

data/lib/better_auth/middleware/origin_check.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Middleware
+    class OriginCheck
+      DEPRECATION_WARNING = "[Deprecation] disableOriginCheck: true currently also disables CSRF checks. In a future version, disableOriginCheck will ONLY disable URL validation. To keep CSRF disabled, add disableCSRFCheck: true to your config."
+
+      def initialize
+        @warned_backward_compat = false
+      end
+
+      def call(endpoint_context)
+        return if %w[GET OPTIONS HEAD].include?(endpoint_context.method)
+
+        validate_origin(endpoint_context)
+        validate_fetch_metadata(endpoint_context)
+        return if skip_origin_check?(endpoint_context)
+
+        validate_callback_urls(endpoint_context)
+        nil
+      rescue APIError => error
+        Endpoint::Result.new(response: error.to_h, status: error.status_code, headers: error.headers).to_rack_response
+      end
+
+      private
+
+      def validate_origin(endpoint_context, force: false)
+        return if skip_csrf_check?(endpoint_context)
+        return if skip_csrf_for_backward_compat?(endpoint_context)
+        return if skip_origin_path?(endpoint_context)
+
+        headers = endpoint_context.headers
+        should_validate = force || headers.key?("cookie")
+        return unless should_validate
+
+        origin = headers["origin"] || headers["referer"] || ""
+        if origin.empty? || origin == "null"
+          raise APIError.new("FORBIDDEN", message: BASE_ERROR_CODES["MISSING_OR_NULL_ORIGIN"])
+        end
+
+        unless endpoint_context.context.trusted_origin?(origin)
+          log(endpoint_context.context, :error, "Invalid origin: #{origin}")
+          raise APIError.new("FORBIDDEN", message: "Invalid origin")
+        end
+      end
+
+      def validate_fetch_metadata(endpoint_context)
+        return if skip_csrf_check?(endpoint_context)
+        return if skip_csrf_for_backward_compat?(endpoint_context)
+
+        headers = endpoint_context.headers
+        return if headers.key?("cookie")
+
+        site = headers["sec-fetch-site"]
+        mode = headers["sec-fetch-mode"]
+        dest = headers["sec-fetch-dest"]
+        has_metadata = [site, mode, dest].any? { |value| value && !value.to_s.strip.empty? }
+        return unless has_metadata
+
+        if site == "cross-site" && mode == "navigate"
+          log(endpoint_context.context, :error, "Blocked cross-site navigation login attempt (CSRF protection)")
+          raise APIError.new("FORBIDDEN", message: BASE_ERROR_CODES["CROSS_SITE_NAVIGATION_LOGIN_BLOCKED"])
+        end
+
+        validate_origin(endpoint_context, force: true)
+      end
+
+      def validate_callback_urls(endpoint_context)
+        {
+          "callbackURL" => "callbackURL",
+          "redirectTo" => "redirectURL",
+          "errorCallbackURL" => "errorCallbackURL",
+          "newUserCallbackURL" => "newUserCallbackURL"
+        }.each do |key, label|
+          value = fetch_data(endpoint_context.body, key) || fetch_data(endpoint_context.query, key)
+          next if value.nil? || value == ""
+
+          unless endpoint_context.context.trusted_origin?(value, allow_relative_paths: label != "origin")
+            log(endpoint_context.context, :error, "Invalid #{label}: #{value}")
+            raise APIError.new("FORBIDDEN", message: "Invalid #{label}")
+          end
+        end
+      end
+
+      def skip_csrf_check?(endpoint_context)
+        endpoint_context.context.options.advanced[:disable_csrf_check] == true
+      end
+
+      def skip_origin_check?(endpoint_context)
+        !!endpoint_context.context.options.advanced[:disable_origin_check]
+      end
+
+      def skip_csrf_for_backward_compat?(endpoint_context)
+        advanced = endpoint_context.context.options.advanced
+        return false unless advanced[:disable_origin_check] == true
+        return false if advanced.key?(:disable_csrf_check)
+
+        unless @warned_backward_compat
+          log(endpoint_context.context, :warn, DEPRECATION_WARNING)
+          @warned_backward_compat = true
+        end
+        true
+      end
+
+      def skip_origin_path?(endpoint_context)
+        skip = endpoint_context.context.options.advanced[:disable_origin_check]
+        return false unless skip.is_a?(Array)
+
+        skip.any? { |path| endpoint_context.path.start_with?(path.to_s) }
+      end
+
+      def fetch_data(data, key)
+        return unless data.is_a?(Hash)
+
+        data[key] || data[key.to_sym]
+      end
+
+      def log(context, level, message)
+        logger = context.logger
+        if logger.respond_to?(:call)
+          logger.call(level, message)
+        elsif logger.respond_to?(level)
+          logger.public_send(level, message)
+        end
+      end
+    end
+  end
+end