better_auth 0.1.1 → 0.3.0

data/lib/better_auth/plugins/anonymous.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module BetterAuth
+  module Plugins
+    ANONYMOUS_ERROR_CODES = {
+      "INVALID_EMAIL_FORMAT" => "Email was not generated in a valid format",
+      "FAILED_TO_CREATE_USER" => "Failed to create user",
+      "COULD_NOT_CREATE_SESSION" => "Could not create session",
+      "ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY" => "Anonymous users cannot sign in again anonymously",
+      "FAILED_TO_DELETE_ANONYMOUS_USER" => "Failed to delete anonymous user",
+      "USER_IS_NOT_ANONYMOUS" => "User is not anonymous",
+      "DELETE_ANONYMOUS_USER_DISABLED" => "Deleting anonymous users is disabled"
+    }.freeze
+
+    module_function
+
+    def anonymous(options = {})
+      config = normalize_hash(options)
+
+      Plugin.new(
+        id: "anonymous",
+        endpoints: {
+          sign_in_anonymous: sign_in_anonymous_endpoint(config),
+          delete_anonymous_user: delete_anonymous_user_endpoint(config)
+        },
+        hooks: {
+          after: [
+            {
+              matcher: ->(ctx) { anonymous_link_path?(ctx.path) },
+              handler: ->(ctx) { link_anonymous_user(ctx, config) }
+            }
+          ]
+        },
+        schema: anonymous_schema(config),
+        error_codes: ANONYMOUS_ERROR_CODES,
+        options: config
+      )
+    end
+
+    def sign_in_anonymous_endpoint(config)
+      Endpoint.new(path: "/sign-in/anonymous", method: "POST") do |ctx|
+        existing_session = Session.find_current(ctx, disable_refresh: true)
+        if existing_session&.dig(:user, "isAnonymous")
+          raise APIError.new("BAD_REQUEST", message: ANONYMOUS_ERROR_CODES["ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY"])
+        end
+
+        email = anonymous_email(config)
+        name = anonymous_name(ctx, config)
+        user = ctx.context.internal_adapter.create_user(
+          email: email,
+          emailVerified: false,
+          isAnonymous: true,
+          name: name,
+          createdAt: Time.now,
+          updatedAt: Time.now
+        )
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: ANONYMOUS_ERROR_CODES["FAILED_TO_CREATE_USER"]) unless user
+
+        session = ctx.context.internal_adapter.create_session(user["id"])
+        raise APIError.new("BAD_REQUEST", message: ANONYMOUS_ERROR_CODES["COULD_NOT_CREATE_SESSION"]) unless session
+
+        Cookies.set_session_cookie(ctx, {session: session, user: user})
+        ctx.json({token: session["token"], user: Schema.parse_output(ctx.context.options, "user", user)})
+      end
+    end
+
+    def delete_anonymous_user_endpoint(config)
+      Endpoint.new(path: "/delete-anonymous-user", method: "POST") do |ctx|
+        session = Routes.current_session(ctx, sensitive: true)
+
+        if config[:disable_delete_anonymous_user]
+          raise APIError.new("BAD_REQUEST", message: ANONYMOUS_ERROR_CODES["DELETE_ANONYMOUS_USER_DISABLED"])
+        end
+
+        unless session[:user]["isAnonymous"]
+          raise APIError.new("FORBIDDEN", message: ANONYMOUS_ERROR_CODES["USER_IS_NOT_ANONYMOUS"])
+        end
+
+        begin
+          ctx.context.internal_adapter.delete_user(session[:user]["id"])
+        rescue
+          raise APIError.new("INTERNAL_SERVER_ERROR", message: ANONYMOUS_ERROR_CODES["FAILED_TO_DELETE_ANONYMOUS_USER"])
+        end
+
+        Cookies.delete_session_cookie(ctx)
+        ctx.json({success: true})
+      end
+    end
+
+    def anonymous_schema(config)
+      field_name = anonymous_schema_field_name(config) || "is_anonymous"
+      {
+        user: {
+          fields: {
+            isAnonymous: {
+              type: "boolean",
+              required: false,
+              input: false,
+              default_value: false,
+              field_name: field_name
+            }
+          }
+        }
+      }
+    end
+
+    def anonymous_email(config)
+      generator = config[:generate_random_email]
+      email = generator.call if generator.respond_to?(:call)
+      if email && email != ""
+        unless email.is_a?(String) && !email.empty? && Routes::EMAIL_PATTERN.match?(email)
+          raise APIError.new("BAD_REQUEST", message: ANONYMOUS_ERROR_CODES["INVALID_EMAIL_FORMAT"])
+        end
+        return email
+      end
+
+      id = SecureRandom.hex(16)
+      domain = config[:email_domain_name]
+      domain ? "temp-#{id}@#{domain}" : "temp@#{id}.com"
+    end
+
+    def anonymous_name(ctx, config)
+      generator = config[:generate_name]
+      name = generator.call(ctx) if generator.respond_to?(:call)
+      return name if present_string?(name)
+
+      "Anonymous"
+    end
+
+    def link_anonymous_user(ctx, config)
+      set_cookie = ctx.response_headers["set-cookie"].to_s
+      return if set_cookie.empty?
+      return unless set_cookie_value(set_cookie, ctx.context.auth_cookies[:session_token].name)
+
+      anonymous_session = Session.find_current(ctx, disable_refresh: true)
+      return unless anonymous_session&.dig(:user, "isAnonymous")
+
+      new_session = ctx.context.new_session
+      return unless new_session && new_session[:user] && new_session[:session]
+
+      on_link_account = config[:on_link_account]
+      if on_link_account.respond_to?(:call)
+        on_link_account.call(
+          anonymous_user: anonymous_session,
+          new_user: new_session,
+          ctx: ctx
+        )
+      end
+
+      new_user = new_session[:user]
+      return if config[:disable_delete_anonymous_user]
+      return if new_user["id"] == anonymous_session[:user]["id"]
+      return if new_user["isAnonymous"]
+
+      ctx.context.internal_adapter.delete_user(anonymous_session[:user]["id"])
+      nil
+    end
+
+    def set_cookie_value(set_cookie, name)
+      set_cookie.to_s.lines.each do |line|
+        cookie_pair = line.split(";", 2).first.to_s.strip
+        cookie_name, value = cookie_pair.split("=", 2)
+        return value if cookie_name == name && !value.nil?
+      end
+
+      nil
+    end
+
+    def anonymous_link_path?(path)
+      path.to_s.start_with?(
+        "/sign-in",
+        "/sign-up",
+        "/callback",
+        "/oauth2/callback",
+        "/magic-link/verify",
+        "/email-otp/verify-email",
+        "/one-tap/callback",
+        "/passkey/verify-authentication",
+        "/phone-number/verify"
+      )
+    end
+
+    def anonymous_schema_field_name(config)
+      fields = config.dig(:schema, :user, :fields) || {}
+      mapping = fields[:is_anonymous] || fields[:isAnonymous] || fields["isAnonymous"]
+      return mapping if mapping.is_a?(String)
+      return mapping[:field_name] || mapping[:fieldName] if mapping.is_a?(Hash)
+
+      nil
+    end
+
+    def present_string?(value)
+      value.is_a?(String) && !value.empty?
+    end
+  end
+end

data/lib/better_auth/plugins/api_key.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def api_key(*args)
+      Kernel.require "better_auth/api_key"
+      BetterAuth::Plugins.api_key(*args)
+    rescue LoadError => error
+      raise if error.path && error.path != "better_auth/api_key"
+
+      raise LoadError, "BetterAuth::Plugins.api_key requires the better_auth-api-key gem. Add `gem \"better_auth-api-key\"` and `require \"better_auth/api_key\"`."
+    end
+  end
+end

data/lib/better_auth/plugins/bearer.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Plugins
+    BEARER_SCHEME = "bearer "
+
+    module_function
+
+    def bearer(options = {})
+      config = normalize_hash(options)
+
+      Plugin.new(
+        id: "bearer",
+        hooks: {
+          before: [
+            {
+              matcher: ->(ctx) { authorization_header(ctx) },
+              handler: ->(ctx) { apply_bearer_token(ctx, config) }
+            }
+          ],
+          after: [
+            {
+              matcher: ->(_ctx) { true },
+              handler: ->(ctx) { expose_auth_token(ctx) }
+            }
+          ]
+        },
+        options: config
+      )
+    end
+
+    def authorization_header(ctx)
+      ctx.headers["authorization"] || ctx.headers["Authorization"]
+    end
+
+    def apply_bearer_token(ctx, config)
+      auth_header = authorization_header(ctx).to_s
+      return unless auth_header[0, BEARER_SCHEME.length].to_s.downcase == BEARER_SCHEME
+
+      token = auth_header[BEARER_SCHEME.length..].to_s.strip
+      return if token.empty?
+
+      signed_token = if token.include?(".")
+        normalize_signed_bearer_token(token)
+      else
+        sign_bearer_token(ctx, token, config)
+      end
+      return unless signed_token && valid_signed_token?(ctx, signed_token)
+
+      cookie_name = ctx.context.auth_cookies[:session_token].name
+      cookie = [ctx.headers["cookie"], "#{cookie_name}=#{signed_token}"].compact.reject(&:empty?).join("; ")
+      {context: {headers: ctx.headers.merge("cookie" => cookie)}}
+    end
+
+    def sign_bearer_token(ctx, token, config)
+      return if config[:require_signature]
+
+      signature = Crypto.hmac_signature(token, ctx.context.secret, encoding: :base64url)
+      "#{token}.#{signature}"
+    end
+
+    def valid_signed_token?(ctx, signed_token)
+      payload, signature = signed_token.rpartition(".").values_at(0, 2)
+      return false if payload.empty? || signature.empty?
+
+      Crypto.verify_hmac_signature(payload, signature, ctx.context.secret, encoding: :base64url)
+    rescue
+      false
+    end
+
+    def normalize_signed_bearer_token(token)
+      token.include?("%") ? safe_decode_bearer_token(token) : safe_decode_bearer_token(safe_encode_bearer_token(token))
+    end
+
+    def safe_encode_bearer_token(token)
+      URI.encode_www_form_component(token.to_s).gsub("+", "%20")
+    rescue
+      token.to_s
+    end
+
+    def safe_decode_bearer_token(token)
+      token.to_s.gsub(/%[0-9a-fA-F]{2}/) { |encoded| encoded[1, 2].to_i(16).chr }
+    rescue
+      token.to_s
+    end
+
+    def bearer_session_cookie(line)
+      first, *attributes = line.to_s.split(";").map(&:strip)
+      name, value = first.split("=", 2)
+      return unless name && value
+
+      {
+        name: name,
+        value: value,
+        attributes: attributes.each_with_object({}) do |attribute, result|
+          key, attribute_value = attribute.split("=", 2)
+          result[key.to_s.downcase] = attribute_value || true unless key.to_s.empty?
+        end
+      }
+    end
+
+    def expired_bearer_cookie?(cookie)
+      max_age = cookie[:attributes]["max-age"]
+      max_age.to_s.strip.match?(/\A[+-]?\d+\z/) && max_age.to_i == 0
+    end
+
+    def expose_auth_token(ctx)
+      set_cookie = ctx.response_headers["set-cookie"].to_s
+      token_name = ctx.context.auth_cookies[:session_token].name
+      token = set_cookie.lines.filter_map do |line|
+        cookie = bearer_session_cookie(line)
+        next unless cookie && cookie[:name] == token_name
+        next if cookie[:value].empty? || expired_bearer_cookie?(cookie)
+
+        cookie[:value]
+      end.first
+      return unless token
+
+      exposed = ctx.response_headers["access-control-expose-headers"].to_s.split(",").map(&:strip).reject(&:empty?)
+      exposed << "set-auth-token"
+      ctx.set_header("set-auth-token", token)
+      ctx.set_header("access-control-expose-headers", exposed.uniq.join(", "))
+      nil
+    end
+  end
+end

data/lib/better_auth/plugins/captcha.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module BetterAuth
+  module Plugins
+    CAPTCHA_EXTERNAL_ERROR_CODES = {
+      "VERIFICATION_FAILED" => "Captcha verification failed",
+      "MISSING_RESPONSE" => "Missing CAPTCHA response",
+      "UNKNOWN_ERROR" => "Something went wrong"
+    }.freeze
+
+    CAPTCHA_INTERNAL_ERROR_CODES = {
+      "MISSING_SECRET_KEY" => "Missing secret key",
+      "SERVICE_UNAVAILABLE" => "CAPTCHA service unavailable"
+    }.freeze
+
+    CAPTCHA_DEFAULT_ENDPOINTS = [
+      "/sign-up/email",
+      "/sign-in/email",
+      "/request-password-reset"
+    ].freeze
+
+    CAPTCHA_SITE_VERIFY_URLS = {
+      "cloudflare-turnstile" => "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+      "google-recaptcha" => "https://www.google.com/recaptcha/api/siteverify",
+      "hcaptcha" => "https://api.hcaptcha.com/siteverify",
+      "captchafox" => "https://api.captchafox.com/siteverify"
+    }.freeze
+
+    module_function
+
+    def captcha(options = {})
+      config = normalize_hash(options)
+      Plugin.new(
+        id: "captcha",
+        on_request: lambda do |request, context|
+          captcha_on_request(request, context, config)
+        end,
+        error_codes: CAPTCHA_EXTERNAL_ERROR_CODES,
+        options: config
+      )
+    end
+
+    def captcha_on_request(request, context, config)
+      endpoints = Array(config[:endpoints]).empty? ? CAPTCHA_DEFAULT_ENDPOINTS : Array(config[:endpoints])
+      return nil unless endpoints.any? { |endpoint| request.path_info.include?(endpoint.to_s) || request.url.include?(endpoint.to_s) }
+
+      raise CAPTCHA_INTERNAL_ERROR_CODES["MISSING_SECRET_KEY"] if config[:secret_key].to_s.empty?
+
+      response_token = request.get_header("HTTP_X_CAPTCHA_RESPONSE")
+      if response_token.to_s.empty?
+        return {response: captcha_response(400, "MISSING_RESPONSE", CAPTCHA_EXTERNAL_ERROR_CODES["MISSING_RESPONSE"])}
+      end
+
+      result = captcha_verify(config, response_token, captcha_remote_ip(request, context))
+      return nil if captcha_success?(config, result)
+
+      {response: captcha_response(403, "VERIFICATION_FAILED", CAPTCHA_EXTERNAL_ERROR_CODES["VERIFICATION_FAILED"])}
+    rescue => error
+      captcha_log(context, error.message)
+      {response: captcha_response(500, "UNKNOWN_ERROR", CAPTCHA_EXTERNAL_ERROR_CODES["UNKNOWN_ERROR"])}
+    end
+
+    def captcha_verify(config, response_token, remote_ip)
+      provider = config[:provider].to_s
+      url = config[:site_verify_url_override] || CAPTCHA_SITE_VERIFY_URLS.fetch(provider)
+      params = {
+        site_verify_url: url,
+        secret_key: config[:secret_key],
+        captcha_response: response_token,
+        remote_ip: remote_ip,
+        site_key: config[:site_key],
+        min_score: config[:min_score],
+        provider: provider
+      }
+      return captcha_normalize_verifier_response(config[:verifier].call(captcha_verifier_params(params))) if config[:verifier].respond_to?(:call)
+
+      captcha_http_verify(params)
+    end
+
+    def captcha_verifier_params(params)
+      provider = params.fetch(:provider)
+      payload = captcha_payload(provider, params)
+      content_type = (provider == "cloudflare-turnstile") ? "application/json" : "application/x-www-form-urlencoded"
+      {
+        url: params.fetch(:site_verify_url),
+        content_type: content_type,
+        payload: payload,
+        provider: provider
+      }
+    end
+
+    def captcha_http_verify(params)
+      verifier = captcha_verifier_params(params)
+      uri = URI.parse(verifier[:url])
+      request = Net::HTTP::Post.new(uri)
+      request["Content-Type"] = verifier[:content_type]
+      request.body = if verifier[:content_type] == "application/json"
+        JSON.generate(verifier[:payload])
+      else
+        URI.encode_www_form(verifier[:payload])
+      end
+      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      raise CAPTCHA_INTERNAL_ERROR_CODES["SERVICE_UNAVAILABLE"] unless response.is_a?(Net::HTTPSuccess)
+
+      JSON.parse(response.body.to_s)
+    rescue JSON::ParserError
+      raise CAPTCHA_INTERNAL_ERROR_CODES["SERVICE_UNAVAILABLE"]
+    end
+
+    def captcha_payload(provider, params)
+      payload = {
+        "secret" => params[:secret_key],
+        "response" => params[:captcha_response]
+      }
+      payload["sitekey"] = params[:site_key] if params[:site_key] && ["hcaptcha", "captchafox"].include?(provider)
+      if params[:remote_ip]
+        payload[(provider == "captchafox") ? "remoteIp" : "remoteip"] = params[:remote_ip]
+      end
+      payload
+    end
+
+    def captcha_success?(config, result)
+      return false unless result && result["success"]
+
+      if config[:provider].to_s == "google-recaptcha" && result.key?("score")
+        return result["score"].to_f >= (config[:min_score] || 0.5).to_f
+      end
+
+      true
+    end
+
+    def captcha_normalize_verifier_response(value)
+      return value.transform_keys(&:to_s) if value.is_a?(Hash)
+
+      {}
+    end
+
+    def captcha_response(status, code, message)
+      [status, {"content-type" => "application/json"}, [JSON.generate({code: code, message: message})]]
+    end
+
+    def captcha_remote_ip(request, context)
+      RequestIP.client_ip(request, context.options)
+    end
+
+    def captcha_log(context, message)
+      logger = context.logger
+      if logger.respond_to?(:call)
+        logger.call(:error, message)
+      elsif logger.respond_to?(:error)
+        logger.error(message)
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/custom_session.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def custom_session(resolver, options = nil, plugin_options = nil, **keywords)
+      config = normalize_hash(plugin_options || {})
+      config = config.merge(normalize_hash(options)) if options && !options.key?(:plugins)
+      config = config.merge(normalize_hash(keywords))
+
+      Plugin.new(
+        id: "custom-session",
+        endpoints: {
+          get_session: Endpoint.new(
+            path: "/get-session",
+            method: "GET",
+            query_schema: ->(query) { query || {} },
+            metadata: {
+              CUSTOM_SESSION: true,
+              openapi: {
+                description: "Get custom session data",
+                responses: {
+                  "200" => {
+                    description: "Success",
+                    content: {
+                      "application/json" => {
+                        schema: {
+                          type: "object",
+                          nullable: true
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          ) do |ctx|
+            session = Session.find_current(
+              ctx,
+              disable_cookie_cache: truthy_value?(fetch_value(ctx.query, "disableCookieCache")),
+              disable_refresh: truthy_value?(fetch_value(ctx.query, "disableRefresh"))
+            )
+            next ctx.json(nil) unless session
+
+            Cookies.set_session_cookie(ctx, session, false) if ctx.response_headers["set-cookie"].to_s.empty?
+            ctx.json(resolver.call(Routes.parsed_session_response(ctx, session), ctx))
+          end
+        },
+        hooks: {
+          after: [
+            {
+              matcher: ->(ctx) { ctx.path == "/multi-session/list-device-sessions" && config[:should_mutate_list_device_sessions_endpoint] },
+              handler: lambda do |ctx|
+                list = Array(ctx.returned)
+                ctx.json(list.map { |entry| resolver.call(symbolize_session(entry), ctx) })
+              end
+            }
+          ]
+        },
+        options: config
+      )
+    end
+
+    def truthy_value?(value)
+      value == true || value.to_s == "true"
+    end
+
+    def symbolize_session(entry)
+      data = stringify_keys(entry)
+      {
+        session: data["session"],
+        user: data["user"]
+      }
+    end
+
+    def stringify_keys(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+      return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+      value
+    end
+  end
+end