RubyGems - better_auth - Versions diffs - 0.1.1 → 0.3.0 - Mend

better_auth 0.1.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +23 -0
data/README.md +110 -18
data/lib/better_auth/adapters/base.rb +49 -0
data/lib/better_auth/adapters/internal_adapter.rb +589 -0
data/lib/better_auth/adapters/memory.rb +235 -0
data/lib/better_auth/adapters/mongodb.rb +9 -0
data/lib/better_auth/adapters/mssql.rb +42 -0
data/lib/better_auth/adapters/mysql.rb +33 -0
data/lib/better_auth/adapters/postgres.rb +17 -0
data/lib/better_auth/adapters/sql.rb +441 -0
data/lib/better_auth/adapters/sqlite.rb +20 -0
data/lib/better_auth/api.rb +226 -0
data/lib/better_auth/api_error.rb +53 -0
data/lib/better_auth/auth.rb +42 -0
data/lib/better_auth/configuration.rb +399 -0
data/lib/better_auth/context.rb +211 -0
data/lib/better_auth/cookies.rb +278 -0
data/lib/better_auth/core.rb +37 -1
data/lib/better_auth/crypto/jwe.rb +76 -0
data/lib/better_auth/crypto.rb +191 -0
data/lib/better_auth/database_hooks.rb +114 -0
data/lib/better_auth/endpoint.rb +326 -0
data/lib/better_auth/error.rb +52 -0
data/lib/better_auth/middleware/origin_check.rb +128 -0
data/lib/better_auth/password.rb +120 -0
data/lib/better_auth/plugin.rb +142 -0
data/lib/better_auth/plugin_context.rb +16 -0
data/lib/better_auth/plugin_registry.rb +67 -0
data/lib/better_auth/plugins/access.rb +87 -0
data/lib/better_auth/plugins/additional_fields.rb +29 -0
data/lib/better_auth/plugins/admin/schema.rb +28 -0
data/lib/better_auth/plugins/admin.rb +518 -0
data/lib/better_auth/plugins/anonymous.rb +198 -0
data/lib/better_auth/plugins/api_key.rb +16 -0
data/lib/better_auth/plugins/bearer.rb +128 -0
data/lib/better_auth/plugins/captcha.rb +159 -0
data/lib/better_auth/plugins/custom_session.rb +84 -0
data/lib/better_auth/plugins/device_authorization.rb +302 -0
data/lib/better_auth/plugins/email_otp.rb +536 -0
data/lib/better_auth/plugins/expo.rb +88 -0
data/lib/better_auth/plugins/generic_oauth.rb +780 -0
data/lib/better_auth/plugins/have_i_been_pwned.rb +94 -0
data/lib/better_auth/plugins/jwt.rb +482 -0
data/lib/better_auth/plugins/last_login_method.rb +92 -0
data/lib/better_auth/plugins/magic_link.rb +181 -0
data/lib/better_auth/plugins/mcp.rb +342 -0
data/lib/better_auth/plugins/multi_session.rb +173 -0
data/lib/better_auth/plugins/oauth_protocol.rb +694 -0
data/lib/better_auth/plugins/oauth_provider.rb +16 -0
data/lib/better_auth/plugins/oauth_proxy.rb +257 -0
data/lib/better_auth/plugins/oidc_provider.rb +597 -0
data/lib/better_auth/plugins/one_tap.rb +154 -0
data/lib/better_auth/plugins/one_time_token.rb +106 -0
data/lib/better_auth/plugins/open_api.rb +489 -0
data/lib/better_auth/plugins/organization/schema.rb +106 -0
data/lib/better_auth/plugins/organization.rb +995 -0
data/lib/better_auth/plugins/passkey.rb +16 -0
data/lib/better_auth/plugins/phone_number.rb +321 -0
data/lib/better_auth/plugins/scim.rb +16 -0
data/lib/better_auth/plugins/siwe.rb +242 -0
data/lib/better_auth/plugins/sso.rb +16 -0
data/lib/better_auth/plugins/stripe.rb +16 -0
data/lib/better_auth/plugins/two_factor.rb +514 -0
data/lib/better_auth/plugins/username.rb +278 -0
data/lib/better_auth/plugins.rb +46 -0
data/lib/better_auth/rate_limiter.rb +232 -0
data/lib/better_auth/request_ip.rb +70 -0
data/lib/better_auth/router.rb +378 -0
data/lib/better_auth/routes/account.rb +211 -0
data/lib/better_auth/routes/email_verification.rb +111 -0
data/lib/better_auth/routes/error.rb +102 -0
data/lib/better_auth/routes/ok.rb +15 -0
data/lib/better_auth/routes/password.rb +183 -0
data/lib/better_auth/routes/session.rb +160 -0
data/lib/better_auth/routes/sign_in.rb +90 -0
data/lib/better_auth/routes/sign_out.rb +15 -0
data/lib/better_auth/routes/sign_up.rb +196 -0
data/lib/better_auth/routes/social.rb +367 -0
data/lib/better_auth/routes/user.rb +205 -0
data/lib/better_auth/schema/sql.rb +202 -0
data/lib/better_auth/schema.rb +291 -0
data/lib/better_auth/session.rb +122 -0
data/lib/better_auth/session_store.rb +91 -0
data/lib/better_auth/social_providers/apple.rb +91 -0
data/lib/better_auth/social_providers/atlassian.rb +32 -0
data/lib/better_auth/social_providers/base.rb +325 -0
data/lib/better_auth/social_providers/cognito.rb +32 -0
data/lib/better_auth/social_providers/discord.rb +81 -0
data/lib/better_auth/social_providers/dropbox.rb +33 -0
data/lib/better_auth/social_providers/facebook.rb +35 -0
data/lib/better_auth/social_providers/figma.rb +31 -0
data/lib/better_auth/social_providers/github.rb +74 -0
data/lib/better_auth/social_providers/gitlab.rb +67 -0
data/lib/better_auth/social_providers/google.rb +90 -0
data/lib/better_auth/social_providers/huggingface.rb +31 -0
data/lib/better_auth/social_providers/kakao.rb +32 -0
data/lib/better_auth/social_providers/kick.rb +32 -0
data/lib/better_auth/social_providers/line.rb +33 -0
data/lib/better_auth/social_providers/linear.rb +44 -0
data/lib/better_auth/social_providers/linkedin.rb +30 -0
data/lib/better_auth/social_providers/microsoft_entra_id.rb +137 -0
data/lib/better_auth/social_providers/naver.rb +31 -0
data/lib/better_auth/social_providers/notion.rb +33 -0
data/lib/better_auth/social_providers/paybin.rb +31 -0
data/lib/better_auth/social_providers/paypal.rb +36 -0
data/lib/better_auth/social_providers/polar.rb +31 -0
data/lib/better_auth/social_providers/railway.rb +49 -0
data/lib/better_auth/social_providers/reddit.rb +32 -0
data/lib/better_auth/social_providers/roblox.rb +31 -0
data/lib/better_auth/social_providers/salesforce.rb +38 -0
data/lib/better_auth/social_providers/slack.rb +30 -0
data/lib/better_auth/social_providers/spotify.rb +31 -0
data/lib/better_auth/social_providers/tiktok.rb +35 -0
data/lib/better_auth/social_providers/twitch.rb +39 -0
data/lib/better_auth/social_providers/twitter.rb +32 -0
data/lib/better_auth/social_providers/vercel.rb +47 -0
data/lib/better_auth/social_providers/vk.rb +34 -0
data/lib/better_auth/social_providers/wechat.rb +104 -0
data/lib/better_auth/social_providers/zoom.rb +31 -0
data/lib/better_auth/social_providers.rb +38 -0
data/lib/better_auth/version.rb +1 -1
data/lib/better_auth.rb +86 -2
metadata +233 -21
data/.ruby-version +0 -1
data/.standard.yml +0 -12
data/.vscode/settings.json +0 -22
data/AGENTS.md +0 -50
data/CLAUDE.md +0 -1
data/CODE_OF_CONDUCT.md +0 -173
data/CONTRIBUTING.md +0 -187
data/Gemfile +0 -12
data/Makefile +0 -207
data/Rakefile +0 -25
data/SECURITY.md +0 -28
data/docker-compose.yml +0 -63

data/lib/better_auth/plugins/username.rb ADDED Viewed

@@ -0,0 +1,278 @@
+# frozen_string_literal: true
+require "uri"
+module BetterAuth
+  module Plugins
+    USERNAME_ERROR_CODES = {
+      "INVALID_USERNAME_OR_PASSWORD" => "Invalid username or password",
+      "EMAIL_NOT_VERIFIED" => "Email not verified",
+      "UNEXPECTED_ERROR" => "Unexpected error",
+      "USERNAME_IS_ALREADY_TAKEN" => "Username is already taken. Please try another.",
+      "USERNAME_TOO_SHORT" => "Username is too short",
+      "USERNAME_TOO_LONG" => "Username is too long",
+      "INVALID_USERNAME" => "Username is invalid",
+      "INVALID_DISPLAY_USERNAME" => "Display username is invalid"
+    }.freeze
+    module_function
+    def username(options = {})
+      config = normalize_hash(options)
+      Plugin.new(
+        id: "username",
+        init: ->(_context) { {options: {database_hooks: username_database_hooks(config)}} },
+        endpoints: {
+          sign_in_username: sign_in_username_endpoint(config),
+          is_username_available: is_username_available_endpoint(config)
+        },
+        schema: username_schema(config),
+        hooks: {
+          before: [
+            {
+              matcher: ->(ctx) { username_mutation_path?(ctx.path) },
+              handler: ->(ctx) { validate_username_mutation!(ctx, config) }
+            },
+            {
+              matcher: ->(ctx) { username_mutation_path?(ctx.path) },
+              handler: ->(ctx) { mirror_username_fields!(ctx) }
+            }
+          ]
+        },
+        error_codes: USERNAME_ERROR_CODES,
+        options: config
+      )
+    end
+    def sign_in_username_endpoint(config)
+      Endpoint.new(
+        path: "/sign-in/username",
+        method: "POST",
+        metadata: {
+          allowed_media_types: [
+            "application/x-www-form-urlencoded",
+            "application/json"
+          ]
+        }
+      ) do |ctx|
+        body = normalize_hash(ctx.body)
+        raw_username = body[:username].to_s
+        password = body[:password].to_s
+        callback_url = body[:callback_url] || body[:callbackURL]
+        remember_me = body.key?(:remember_me) ? body[:remember_me] : body[:rememberMe]
+        if raw_username.empty? || password.empty?
+          raise APIError.new("UNAUTHORIZED", message: USERNAME_ERROR_CODES["INVALID_USERNAME_OR_PASSWORD"])
+        end
+        username = username_for_validation(raw_username, config)
+        validate_username!(username, config, status: "UNPROCESSABLE_ENTITY")
+        user = ctx.context.adapter.find_one(
+          model: "user",
+          where: [{field: "username", value: normalize_username(username, config)}]
+        )
+        unless user
+          Routes.hash_password(ctx, password)
+          raise APIError.new("UNAUTHORIZED", message: USERNAME_ERROR_CODES["INVALID_USERNAME_OR_PASSWORD"])
+        end
+        account = ctx.context.adapter.find_one(
+          model: "account",
+          where: [
+            {field: "userId", value: user["id"]},
+            {field: "providerId", value: "credential"}
+          ]
+        )
+        current_password = account && account["password"]
+        email_config = ctx.context.options.email_and_password
+        unless current_password && Routes.verify_password_value(ctx, password, current_password)
+          Routes.hash_password(ctx, password) unless current_password
+          raise APIError.new("UNAUTHORIZED", message: USERNAME_ERROR_CODES["INVALID_USERNAME_OR_PASSWORD"])
+        end
+        if email_config[:require_email_verification] && !user["emailVerified"]
+          Routes.send_sign_in_verification_email(ctx, user, callback_url)
+          raise APIError.new("FORBIDDEN", message: USERNAME_ERROR_CODES["EMAIL_NOT_VERIFIED"])
+        end
+        dont_remember_me = remember_me == false || remember_me.to_s == "false"
+        session = ctx.context.internal_adapter.create_session(
+          user["id"],
+          dont_remember_me,
+          Routes.session_overrides(ctx),
+          true
+        )
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: BASE_ERROR_CODES["FAILED_TO_CREATE_SESSION"]) unless session
+        Cookies.set_session_cookie(ctx, {session: session, user: user}, dont_remember_me)
+        ctx.json({
+          token: session["token"],
+          user: Schema.parse_output(ctx.context.options, "user", user)
+        })
+      end
+    end
+    def is_username_available_endpoint(config)
+      Endpoint.new(path: "/is-username-available", method: "POST") do |ctx|
+        body = normalize_hash(ctx.body)
+        username = body[:username].to_s
+        raise APIError.new("UNPROCESSABLE_ENTITY", message: USERNAME_ERROR_CODES["INVALID_USERNAME"]) if username.empty?
+        validate_username!(username, config, status: "UNPROCESSABLE_ENTITY")
+        user = ctx.context.adapter.find_one(
+          model: "user",
+          where: [{field: "username", value: normalize_username(username, config)}]
+        )
+        ctx.json({available: user.nil?})
+      end
+    end
+    def username_schema(config)
+      {
+        user: {
+          fields: {
+            username: {
+              type: "string",
+              required: false,
+              sortable: true,
+              unique: true,
+              returned: true,
+              field_name: "username"
+            },
+            displayUsername: {
+              type: "string",
+              required: false,
+              field_name: "display_username"
+            }
+          }
+        }
+      }
+    end
+    def username_database_hooks(config)
+      before_hook = lambda do |user, _context|
+        data = user.dup
+        if data["username"].is_a?(String) && !data["username"].empty?
+          data["username"] = normalize_username(data["username"], config)
+        end
+        if data["displayUsername"].is_a?(String) && !data["displayUsername"].empty?
+          data["displayUsername"] = normalize_display_username(data["displayUsername"], config)
+        end
+        {data: data}
+      end
+      {
+        user: {
+          create: {before: before_hook},
+          update: {before: before_hook}
+        }
+      }
+    end
+    def validate_username_mutation!(ctx, config)
+      body = normalize_hash(ctx.body)
+      raw_username = body.key?(:username) ? body[:username] : nil
+      username = if raw_username.is_a?(String) && validation_order(config, :username) == "post-normalization"
+        normalize_username(raw_username, config)
+      else
+        raw_username
+      end
+      if username.is_a?(String)
+        validate_username!(username, config, status: "BAD_REQUEST")
+        existing = ctx.context.adapter.find_one(model: "user", where: [{field: "username", value: normalize_username(username, config)}])
+        current = (ctx.path == "/update-user") ? Routes.current_session(ctx, allow_nil: true) : nil
+        same_user = existing && current && existing["id"] == current[:session]["userId"]
+        if existing && ctx.path == "/sign-up/email"
+          raise APIError.new("UNPROCESSABLE_ENTITY", message: USERNAME_ERROR_CODES["USERNAME_IS_ALREADY_TAKEN"])
+        end
+        if existing && ctx.path == "/update-user" && !same_user
+          raise APIError.new("BAD_REQUEST", message: USERNAME_ERROR_CODES["USERNAME_IS_ALREADY_TAKEN"])
+        end
+      end
+      raw_display_username = body.key?(:display_username) ? body[:display_username] : nil
+      display_username = if raw_display_username.is_a?(String) && validation_order(config, :display_username) == "post-normalization"
+        normalize_display_username(raw_display_username, config)
+      else
+        raw_display_username
+      end
+      if display_username.is_a?(String)
+        validator = config[:display_username_validator]
+        unless !validator.respond_to?(:call) || validator.call(display_username)
+          raise APIError.new("BAD_REQUEST", message: USERNAME_ERROR_CODES["INVALID_DISPLAY_USERNAME"])
+        end
+      end
+      nil
+    end
+    def mirror_username_fields!(ctx)
+      body = normalize_hash(ctx.body)
+      body[:display_username] = body[:username] if present?(body[:username]) && !present?(body[:display_username])
+      body[:username] = body[:display_username] if present?(body[:display_username]) && !present?(body[:username])
+      ctx.body = body
+      nil
+    end
+    def validate_username!(username, config, status:)
+      if username.length < min_username_length(config)
+        raise APIError.new(status, message: USERNAME_ERROR_CODES["USERNAME_TOO_SHORT"])
+      end
+      if username.length > max_username_length(config)
+        raise APIError.new(status, message: USERNAME_ERROR_CODES["USERNAME_TOO_LONG"])
+      end
+      validator = config[:username_validator]
+      valid = validator.respond_to?(:call) ? validator.call(username) : default_username_valid?(username)
+      raise APIError.new(status, message: USERNAME_ERROR_CODES["INVALID_USERNAME"]) unless valid
+    end
+    def username_for_validation(username, config)
+      (validation_order(config, :username) == "pre-normalization") ? normalize_username(username, config) : username
+    end
+    def normalize_username(username, config)
+      normalizer = config[:username_normalization]
+      return username if normalizer == false
+      return normalizer.call(username) if normalizer.respond_to?(:call)
+      username.downcase
+    end
+    def normalize_display_username(display_username, config)
+      normalizer = config[:display_username_normalization]
+      normalizer.respond_to?(:call) ? normalizer.call(display_username) : display_username
+    end
+    def validation_order(config, field)
+      order = config[:validation_order] || {}
+      order[field] || "pre-normalization"
+    end
+    def username_mutation_path?(path)
+      path == "/sign-up/email" || path == "/update-user"
+    end
+    def min_username_length(config)
+      (config[:min_username_length] || 3).to_i
+    end
+    def max_username_length(config)
+      (config[:max_username_length] || 30).to_i
+    end
+    def default_username_valid?(username)
+      username.match?(/\A[a-zA-Z0-9_.]+\z/)
+    end
+    def present?(value)
+      !value.nil? && value != false && !value.to_s.empty?
+    end
+  end
+end

data/lib/better_auth/plugins.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+module BetterAuth
+  module Plugins
+    module_function
+    def normalize_hash(value)
+      return {} unless value.is_a?(Hash)
+      value.each_with_object({}) do |(key, object), result|
+        result[normalize_key(key)] = object.is_a?(Hash) ? normalize_hash(object) : object
+      end
+    end
+    def normalize_key(key)
+      key.to_s
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+        .to_sym
+    end
+    def storage_fields(fields)
+      normalize_hash(fields).each_with_object({}) do |(key, value), result|
+        result[Schema.storage_key(key)] = normalize_field(value)
+      end
+    end
+    def normalize_field(value)
+      data = normalize_hash(value || {})
+      data[:default_value] = data.delete(:defaultValue) if data.key?(:defaultValue)
+      data[:field_name] = data.delete(:fieldName) if data.key?(:fieldName)
+      data
+    end
+    def fetch_value(data, key)
+      return nil unless data.respond_to?(:[])
+      data[key] || data[key.to_s] || data[Schema.storage_key(key)] || data[Schema.storage_key(key).to_sym] || data[normalize_key(key)]
+    end
+    def cookie_header_from_set_cookie(set_cookie)
+      set_cookie.to_s.lines.map { |line| line.split(";").first }.join("; ")
+    end
+  end
+end

data/lib/better_auth/rate_limiter.rb ADDED Viewed

@@ -0,0 +1,232 @@
+# frozen_string_literal: true
+require "json"
+module BetterAuth
+  class RateLimiter
+    class MemoryStore
+      def initialize
+        @entries = {}
+        @mutex = Mutex.new
+      end
+      def get(key)
+        @mutex.synchronize do
+          entry = @entries[key]
+          return nil unless entry
+          if Time.now.to_f >= entry[:expires_at]
+            @entries.delete(key)
+            return nil
+          end
+          entry[:data]
+        end
+      end
+      def set(key, value, ttl:, update: false)
+        @mutex.synchronize do
+          @entries[key] = {
+            data: value,
+            expires_at: Time.now.to_f + ttl.to_f
+          }
+        end
+      end
+    end
+    def initialize
+      @memory_store = MemoryStore.new
+    end
+    def call(request, context, path)
+      config = context.rate_limit_config || {}
+      return unless config[:enabled]
+      ip = client_ip(request, context.options)
+      return unless ip
+      rule = rate_limit_rule(request, context, config, path)
+      return if rule == false
+      window = rule[:window] || 10
+      max = rule[:max] || 100
+      key = rate_limit_key(ip, path)
+      now = Time.now.to_f
+      storage = storage_for(context, config)
+      data = read_storage(storage, key)
+      unless data
+        write_storage(storage, key, rate_limit_data(key, 1, now), ttl: window, update: false)
+        return
+      end
+      last_request = data.fetch(:last_request).to_f
+      count = data.fetch(:count).to_i
+      if should_rate_limit?(max.to_i, window.to_f, count, last_request, now)
+        return rate_limit_response(retry_after(last_request, window.to_f, now))
+      end
+      next_data = if now - last_request > window.to_f
+        rate_limit_data(key, 1, now)
+      else
+        rate_limit_data(key, count + 1, now)
+      end
+      write_storage(storage, key, next_data, ttl: window, update: true)
+      nil
+    end
+    private
+    def rate_limit_response(retry_after)
+      [
+        429,
+        {"content-type" => "application/json", "x-retry-after" => retry_after.to_s},
+        [JSON.generate({message: "Too many requests. Please try again later."})]
+      ]
+    end
+    def should_rate_limit?(max, window, count, last_request, now)
+      now - last_request < window && count >= max
+    end
+    def retry_after(last_request, window, now)
+      [(last_request + window - now).ceil, 0].max
+    end
+    def rate_limit_data(key, count, last_request)
+      {
+        key: key,
+        count: count,
+        last_request: last_request
+      }
+    end
+    def rate_limit_rule(request, context, config, path)
+      rule = {
+        window: config[:window] || 10,
+        max: config[:max] || 100
+      }
+      rule = default_special_rule(path) || rule
+      rule = matching_plugin_rule(context, path) || rule
+      custom_rule = matching_custom_rule(config, path)
+      return resolve_custom_rule(custom_rule, request, rule) unless custom_rule.nil?
+      rule
+    end
+    def default_special_rule(path)
+      return unless path.start_with?("/sign-in", "/sign-up", "/change-password", "/change-email")
+      {window: 10, max: 3}
+    end
+    def matching_custom_rule(config, path)
+      custom_rules = config[:custom_rules] || {}
+      custom_rules.find do |pattern, _rule|
+        path_matches?(pattern.to_s, path)
+      end&.last
+    end
+    def resolve_custom_rule(rule, request, current)
+      return false if rule == false
+      return rule.call(request, current) if rule.respond_to?(:call)
+      rule || current
+    end
+    def storage_for(context, config)
+      return [:custom, config[:custom_storage]] if config[:custom_storage]
+      if config[:storage] == "secondary-storage" && context.options.secondary_storage
+        return [:secondary, context.options.secondary_storage]
+      end
+      [:memory, @memory_store]
+    end
+    def read_storage((type, storage), key)
+      data = storage.get(key)
+      data = JSON.parse(data) if type == :secondary && data.is_a?(String)
+      normalize_rate_limit_data(symbolize_keys(data))
+    rescue JSON::ParserError
+      nil
+    end
+    def write_storage((type, storage), key, data, ttl:, update:)
+      value = (type == :secondary) ? JSON.generate(secondary_storage_data(data)) : data
+      return call_secondary_storage_set(storage, key, value, ttl: ttl, update: update) if type == :secondary
+      call_storage_set(storage, key, value, ttl: ttl, update: update)
+    end
+    def secondary_storage_data(data)
+      {
+        key: data[:key],
+        count: data[:count],
+        lastRequest: (data[:last_request].to_f * 1000).to_i
+      }
+    end
+    def call_secondary_storage_set(storage, key, value, ttl:, update:)
+      storage.set(key, value, ttl)
+    rescue ArgumentError
+      call_storage_set(storage, key, value, ttl: ttl, update: update)
+    end
+    def call_storage_set(storage, key, value, ttl:, update:)
+      storage.set(key, value, ttl: ttl, update: update)
+    rescue ArgumentError
+      begin
+        storage.set(key, value, ttl, update)
+      rescue ArgumentError
+        begin
+          storage.set(key, value, ttl)
+        rescue ArgumentError
+          storage.set(key, value)
+        end
+      end
+    end
+    def symbolize_keys(value)
+      return value unless value.is_a?(Hash)
+      value.each_with_object({}) do |(key, object_value), result|
+        result[key.to_s.gsub(/([a-z\d])([A-Z])/, "\\1_\\2").tr("-", "_").downcase.to_sym] = object_value
+      end
+    end
+    def normalize_rate_limit_data(data)
+      return data unless data.is_a?(Hash)
+      last_request = data[:last_request]
+      return data unless last_request.is_a?(Numeric) && last_request > 10_000_000_000
+      data.merge(last_request: last_request / 1000.0)
+    end
+    def rate_limit_key(ip, path)
+      "#{ip}|#{path}"
+    end
+    def client_ip(request, options)
+      RequestIP.client_ip(request, options)
+    end
+    def matching_plugin_rule(context, path)
+      context.options.plugins
+        .flat_map { |plugin| Array(plugin[:rate_limit]) }
+        .find do |rule|
+          matcher = rule[:path_matcher]
+          matcher&.call(path)
+        end
+    end
+    def path_matches?(pattern, path)
+      return path == pattern unless pattern.include?("*")
+      regex = Regexp.escape(pattern).gsub("\\*", ".*")
+      /\A#{regex}\z/.match?(path)
+    end
+  end
+end

data/lib/better_auth/request_ip.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+require "ipaddr"
+module BetterAuth
+  module RequestIP
+    LOCALHOST_IP = "127.0.0.1"
+    module_function
+    def client_ip(request, options)
+      ip_options = options.advanced[:ip_address] || {}
+      return nil if ip_options[:disable_ip_tracking]
+      Array(ip_options[:ip_address_headers] || ["x-forwarded-for"]).each do |header|
+        value = header_value(request, header)
+        next unless value.is_a?(String)
+        ip = value.split(",").first.to_s.strip
+        return normalize_ip(ip, ipv6_subnet: ip_options[:ipv6_subnet]) if valid_ip?(ip)
+      end
+      ip = fallback_ip(request)
+      return normalize_ip(ip, ipv6_subnet: ip_options[:ipv6_subnet]) if valid_ip?(ip)
+      LOCALHOST_IP if test_or_development?
+    end
+    def header_value(request, header)
+      return request.get_header(rack_header_name(header)) if request.respond_to?(:get_header)
+      return request.headers[header.to_s.downcase] if request.respond_to?(:headers)
+      return request[header.to_s.downcase] || request[header.to_s] || request[header.to_sym] if request.is_a?(Hash)
+      nil
+    end
+    def fallback_ip(request)
+      return request.ip.to_s if request.respond_to?(:ip)
+      nil
+    end
+    def rack_header_name(header)
+      "HTTP_#{header.to_s.upcase.tr("-", "_")}"
+    end
+    def valid_ip?(ip)
+      return false if ip.to_s.empty? || ip.to_s.match?(/\s/)
+      IPAddr.new(ip)
+      true
+    rescue ArgumentError
+      false
+    end
+    def normalize_ip(ip, ipv6_subnet: nil)
+      address = IPAddr.new(ip)
+      return address.native.to_s if address.respond_to?(:ipv4_mapped?) && address.ipv4_mapped?
+      return address.to_s if address.ipv4?
+      address.mask((ipv6_subnet || 64).to_i).to_s
+    end
+    def test_or_development?
+      ["test", "development"].include?(ENV["RACK_ENV"]) ||
+        ["test", "development"].include?(ENV["RAILS_ENV"]) ||
+        ["test", "development"].include?(ENV["APP_ENV"])
+    end
+  end
+end