RubyGems - better_auth - Versions diffs - 0.1.1 → 0.3.0 - Mend

better_auth 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +23 -0
data/README.md +110 -18
data/lib/better_auth/adapters/base.rb +49 -0
data/lib/better_auth/adapters/internal_adapter.rb +589 -0
data/lib/better_auth/adapters/memory.rb +235 -0
data/lib/better_auth/adapters/mongodb.rb +9 -0
data/lib/better_auth/adapters/mssql.rb +42 -0
data/lib/better_auth/adapters/mysql.rb +33 -0
data/lib/better_auth/adapters/postgres.rb +17 -0
data/lib/better_auth/adapters/sql.rb +441 -0
data/lib/better_auth/adapters/sqlite.rb +20 -0
data/lib/better_auth/api.rb +226 -0
data/lib/better_auth/api_error.rb +53 -0
data/lib/better_auth/auth.rb +42 -0
data/lib/better_auth/configuration.rb +399 -0
data/lib/better_auth/context.rb +211 -0
data/lib/better_auth/cookies.rb +278 -0
data/lib/better_auth/core.rb +37 -1
data/lib/better_auth/crypto/jwe.rb +76 -0
data/lib/better_auth/crypto.rb +191 -0
data/lib/better_auth/database_hooks.rb +114 -0
data/lib/better_auth/endpoint.rb +326 -0
data/lib/better_auth/error.rb +52 -0
data/lib/better_auth/middleware/origin_check.rb +128 -0
data/lib/better_auth/password.rb +120 -0
data/lib/better_auth/plugin.rb +142 -0
data/lib/better_auth/plugin_context.rb +16 -0
data/lib/better_auth/plugin_registry.rb +67 -0
data/lib/better_auth/plugins/access.rb +87 -0
data/lib/better_auth/plugins/additional_fields.rb +29 -0
data/lib/better_auth/plugins/admin/schema.rb +28 -0
data/lib/better_auth/plugins/admin.rb +518 -0
data/lib/better_auth/plugins/anonymous.rb +198 -0
data/lib/better_auth/plugins/api_key.rb +16 -0
data/lib/better_auth/plugins/bearer.rb +128 -0
data/lib/better_auth/plugins/captcha.rb +159 -0
data/lib/better_auth/plugins/custom_session.rb +84 -0
data/lib/better_auth/plugins/device_authorization.rb +302 -0
data/lib/better_auth/plugins/email_otp.rb +536 -0
data/lib/better_auth/plugins/expo.rb +88 -0
data/lib/better_auth/plugins/generic_oauth.rb +780 -0
data/lib/better_auth/plugins/have_i_been_pwned.rb +94 -0
data/lib/better_auth/plugins/jwt.rb +482 -0
data/lib/better_auth/plugins/last_login_method.rb +92 -0
data/lib/better_auth/plugins/magic_link.rb +181 -0
data/lib/better_auth/plugins/mcp.rb +342 -0
data/lib/better_auth/plugins/multi_session.rb +173 -0
data/lib/better_auth/plugins/oauth_protocol.rb +694 -0
data/lib/better_auth/plugins/oauth_provider.rb +16 -0
data/lib/better_auth/plugins/oauth_proxy.rb +257 -0
data/lib/better_auth/plugins/oidc_provider.rb +597 -0
data/lib/better_auth/plugins/one_tap.rb +154 -0
data/lib/better_auth/plugins/one_time_token.rb +106 -0
data/lib/better_auth/plugins/open_api.rb +489 -0
data/lib/better_auth/plugins/organization/schema.rb +106 -0
data/lib/better_auth/plugins/organization.rb +995 -0
data/lib/better_auth/plugins/passkey.rb +16 -0
data/lib/better_auth/plugins/phone_number.rb +321 -0
data/lib/better_auth/plugins/scim.rb +16 -0
data/lib/better_auth/plugins/siwe.rb +242 -0
data/lib/better_auth/plugins/sso.rb +16 -0
data/lib/better_auth/plugins/stripe.rb +16 -0
data/lib/better_auth/plugins/two_factor.rb +514 -0
data/lib/better_auth/plugins/username.rb +278 -0
data/lib/better_auth/plugins.rb +46 -0
data/lib/better_auth/rate_limiter.rb +232 -0
data/lib/better_auth/request_ip.rb +70 -0
data/lib/better_auth/router.rb +378 -0
data/lib/better_auth/routes/account.rb +211 -0
data/lib/better_auth/routes/email_verification.rb +111 -0
data/lib/better_auth/routes/error.rb +102 -0
data/lib/better_auth/routes/ok.rb +15 -0
data/lib/better_auth/routes/password.rb +183 -0
data/lib/better_auth/routes/session.rb +160 -0
data/lib/better_auth/routes/sign_in.rb +90 -0
data/lib/better_auth/routes/sign_out.rb +15 -0
data/lib/better_auth/routes/sign_up.rb +196 -0
data/lib/better_auth/routes/social.rb +367 -0
data/lib/better_auth/routes/user.rb +205 -0
data/lib/better_auth/schema/sql.rb +202 -0
data/lib/better_auth/schema.rb +291 -0
data/lib/better_auth/session.rb +122 -0
data/lib/better_auth/session_store.rb +91 -0
data/lib/better_auth/social_providers/apple.rb +91 -0
data/lib/better_auth/social_providers/atlassian.rb +32 -0
data/lib/better_auth/social_providers/base.rb +325 -0
data/lib/better_auth/social_providers/cognito.rb +32 -0
data/lib/better_auth/social_providers/discord.rb +81 -0
data/lib/better_auth/social_providers/dropbox.rb +33 -0
data/lib/better_auth/social_providers/facebook.rb +35 -0
data/lib/better_auth/social_providers/figma.rb +31 -0
data/lib/better_auth/social_providers/github.rb +74 -0
data/lib/better_auth/social_providers/gitlab.rb +67 -0
data/lib/better_auth/social_providers/google.rb +90 -0
data/lib/better_auth/social_providers/huggingface.rb +31 -0
data/lib/better_auth/social_providers/kakao.rb +32 -0
data/lib/better_auth/social_providers/kick.rb +32 -0
data/lib/better_auth/social_providers/line.rb +33 -0
data/lib/better_auth/social_providers/linear.rb +44 -0
data/lib/better_auth/social_providers/linkedin.rb +30 -0
data/lib/better_auth/social_providers/microsoft_entra_id.rb +137 -0
data/lib/better_auth/social_providers/naver.rb +31 -0
data/lib/better_auth/social_providers/notion.rb +33 -0
data/lib/better_auth/social_providers/paybin.rb +31 -0
data/lib/better_auth/social_providers/paypal.rb +36 -0
data/lib/better_auth/social_providers/polar.rb +31 -0
data/lib/better_auth/social_providers/railway.rb +49 -0
data/lib/better_auth/social_providers/reddit.rb +32 -0
data/lib/better_auth/social_providers/roblox.rb +31 -0
data/lib/better_auth/social_providers/salesforce.rb +38 -0
data/lib/better_auth/social_providers/slack.rb +30 -0
data/lib/better_auth/social_providers/spotify.rb +31 -0
data/lib/better_auth/social_providers/tiktok.rb +35 -0
data/lib/better_auth/social_providers/twitch.rb +39 -0
data/lib/better_auth/social_providers/twitter.rb +32 -0
data/lib/better_auth/social_providers/vercel.rb +47 -0
data/lib/better_auth/social_providers/vk.rb +34 -0
data/lib/better_auth/social_providers/wechat.rb +104 -0
data/lib/better_auth/social_providers/zoom.rb +31 -0
data/lib/better_auth/social_providers.rb +38 -0
data/lib/better_auth/version.rb +1 -1
data/lib/better_auth.rb +86 -2
metadata +233 -21
data/.ruby-version +0 -1
data/.standard.yml +0 -12
data/.vscode/settings.json +0 -22
data/AGENTS.md +0 -50
data/CLAUDE.md +0 -1
data/CODE_OF_CONDUCT.md +0 -173
data/CONTRIBUTING.md +0 -187
data/Gemfile +0 -12
data/Makefile +0 -207
data/Rakefile +0 -25
data/SECURITY.md +0 -28
data/docker-compose.yml +0 -63

data/lib/better_auth/plugins/one_tap.rb ADDED Viewed

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+require "net/http"
+require "uri"
+module BetterAuth
+  module Plugins
+    module_function
+    def one_tap(options = {})
+      config = normalize_hash(options)
+      Plugin.new(
+        id: "one-tap",
+        endpoints: {
+          one_tap_callback: one_tap_callback_endpoint(config)
+        },
+        options: config
+      )
+    end
+    def one_tap_callback_endpoint(config)
+      Endpoint.new(
+        path: "/one-tap/callback",
+        method: "POST",
+        body_schema: ->(body) {
+          data = normalize_hash(body)
+          data[:id_token].to_s.empty? ? false : data
+        },
+        metadata: {
+          openapi: {
+            summary: "One tap callback",
+            description: "Use this endpoint to authenticate with Google One Tap"
+          }
+        }
+      ) do |ctx|
+        body = normalize_hash(ctx.body)
+        id_token = body[:id_token].to_s
+        payload = one_tap_verify_id_token(ctx, config, id_token)
+        email = fetch_value(payload, "email").to_s.downcase
+        if email.empty?
+          next ctx.json({error: "Email not available in token"})
+        end
+        user = ctx.context.internal_adapter.find_user_by_email(email)
+        if user
+          one_tap_link_account_unless_present!(ctx, config, user, payload, id_token)
+          session_data = one_tap_create_session(ctx, user[:user])
+        else
+          raise APIError.new("BAD_GATEWAY", message: "User not found") if config[:disable_signup]
+          created = ctx.context.internal_adapter.create_oauth_user(
+            {
+              email: email,
+              emailVerified: one_tap_boolean_value(fetch_value(payload, "email_verified")),
+              name: fetch_value(payload, "name").to_s,
+              image: fetch_value(payload, "picture")
+            },
+            {
+              providerId: "google",
+              accountId: fetch_value(payload, "sub").to_s,
+              idToken: id_token
+            }
+          )
+          raise APIError.new("INTERNAL_SERVER_ERROR", message: "Could not create user") unless created
+          session_data = one_tap_create_session(ctx, created[:user])
+        end
+        Cookies.set_session_cookie(ctx, session_data)
+        ctx.json({
+          token: session_data[:session]["token"],
+          user: Schema.parse_output(ctx.context.options, "user", session_data[:user])
+        })
+      end
+    end
+    def one_tap_verify_id_token(ctx, config, id_token)
+      verifier = config[:verify_id_token]
+      audience = config[:client_id] || ctx.context.options.social_providers.dig(:google, :client_id)
+      payload = if verifier.respond_to?(:call)
+        verifier.call(id_token, ctx, audience: audience)
+      else
+        one_tap_verify_google_id_token(id_token, audience)
+      end
+      one_tap_stringify_payload(payload)
+    rescue
+      raise APIError.new("BAD_REQUEST", message: "invalid id token")
+    end
+    def one_tap_verify_google_id_token(id_token, audience)
+      jwks = one_tap_google_jwks
+      options = {
+        algorithms: ["RS256"],
+        iss: ["https://accounts.google.com", "accounts.google.com"],
+        verify_iss: true
+      }
+      if audience
+        options[:aud] = audience
+        options[:verify_aud] = true
+      end
+      payload, = JWT.decode(id_token, nil, true, options.merge(jwks: jwks))
+      payload
+    end
+    def one_tap_google_jwks
+      uri = URI("https://www.googleapis.com/oauth2/v3/certs")
+      response = Net::HTTP.get_response(uri)
+      raise "Unable to fetch Google JWKS" unless response.is_a?(Net::HTTPSuccess)
+      JWT::JWK::Set.new(JSON.parse(response.body))
+    end
+    def one_tap_link_account_unless_present!(ctx, _config, user, payload, id_token)
+      sub = fetch_value(payload, "sub").to_s
+      account = ctx.context.internal_adapter.find_account(sub)
+      return if account
+      account_linking = ctx.context.options.account[:account_linking] || {}
+      trusted = Array(account_linking[:trusted_providers]).map(&:to_s).include?("google")
+      enabled = account_linking.fetch(:enabled, true)
+      should_link_account = enabled != false && (trusted || one_tap_boolean_value(fetch_value(payload, "email_verified")))
+      unless should_link_account
+        raise APIError.new("UNAUTHORIZED", message: "Google sub doesn't match")
+      end
+      ctx.context.internal_adapter.link_account(
+        userId: user[:user]["id"],
+        providerId: "google",
+        accountId: sub,
+        scope: "openid,profile,email",
+        idToken: id_token
+      )
+    end
+    def one_tap_create_session(ctx, user)
+      session = ctx.context.internal_adapter.create_session(user["id"])
+      {session: session, user: user}
+    end
+    def one_tap_stringify_payload(payload)
+      raise "Invalid payload" unless payload.is_a?(Hash)
+      payload.each_with_object({}) do |(key, value), result|
+        result[key.to_s] = value
+      end
+    end
+    def one_tap_boolean_value(value)
+      value == true || value.to_s.downcase == "true"
+    end
+  end
+end

data/lib/better_auth/plugins/one_time_token.rb ADDED Viewed

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+module BetterAuth
+  module Plugins
+    module_function
+    def one_time_token(options = {})
+      config = {
+        expires_in: 3,
+        store_token: "plain"
+      }.merge(normalize_hash(options))
+      Plugin.new(
+        id: "one-time-token",
+        endpoints: {
+          generate_one_time_token: generate_one_time_token_endpoint(config),
+          verify_one_time_token: verify_one_time_token_endpoint(config)
+        },
+        hooks: {
+          after: [
+            {
+              matcher: ->(_ctx) { true },
+              handler: ->(ctx) { one_time_token_after_response(ctx, config) }
+            }
+          ]
+        },
+        options: config
+      )
+    end
+    def generate_one_time_token_endpoint(config)
+      Endpoint.new(path: "/one-time-token/generate", method: "GET") do |ctx|
+        if config[:disable_client_request] && ctx.request
+          raise APIError.new("BAD_REQUEST", message: "Client requests are disabled")
+        end
+        session = Routes.current_session(ctx)
+        token = one_time_token_create(ctx, config, session)
+        ctx.json({token: token})
+      end
+    end
+    def verify_one_time_token_endpoint(config)
+      Endpoint.new(path: "/one-time-token/verify", method: "POST") do |ctx|
+        body = normalize_hash(ctx.body)
+        token = body[:token].to_s
+        stored_token = one_time_token_stored_value(config, token)
+        verification = ctx.context.internal_adapter.find_verification_value("one-time-token:#{stored_token}")
+        raise APIError.new("BAD_REQUEST", message: "Invalid token") unless verification
+        ctx.context.internal_adapter.delete_verification_value(verification["id"])
+        raise APIError.new("BAD_REQUEST", message: "Token expired") if Routes.expired_time?(verification["expiresAt"])
+        session = ctx.context.internal_adapter.find_session(verification["value"])
+        raise APIError.new("BAD_REQUEST", message: "Session not found") unless session
+        raise APIError.new("BAD_REQUEST", message: "Session expired") if Routes.expired_time?(session[:session]["expiresAt"])
+        Cookies.set_session_cookie(ctx, session) unless config[:disable_set_session_cookie]
+        ctx.json(session)
+      end
+    end
+    def one_time_token_after_response(ctx, config)
+      return unless config[:set_ott_header_on_new_session]
+      session = ctx.context.new_session
+      return unless session && session[:session] && session[:user]
+      token = one_time_token_create(ctx, config, session)
+      existing = ctx.response_headers["access-control-expose-headers"].to_s
+      exposed = existing.split(",").map(&:strip).reject(&:empty?)
+      exposed << "set-ott"
+      ctx.set_header("set-ott", token)
+      ctx.set_header("access-control-expose-headers", exposed.uniq.join(", "))
+      nil
+    end
+    def one_time_token_create(ctx, config, session)
+      generator = config[:generate_token]
+      token = if generator.respond_to?(:call)
+        generator.call(session, ctx)
+      else
+        Crypto.random_string(32)
+      end.to_s
+      stored_token = one_time_token_stored_value(config, token)
+      ctx.context.internal_adapter.create_verification_value(
+        identifier: "one-time-token:#{stored_token}",
+        value: session[:session]["token"],
+        expiresAt: Time.now + config[:expires_in].to_i * 60
+      )
+      token
+    end
+    def one_time_token_stored_value(config, token)
+      storage = config[:store_token]
+      return Crypto.sha256(token, encoding: :base64url) if storage.to_s == "hashed"
+      if storage.is_a?(Hash) && storage[:type].to_s.tr("_", "-") == "custom-hasher"
+        hasher = storage[:hash]
+        return hasher.call(token) if hasher.respond_to?(:call)
+      end
+      token
+    end
+  end
+end