better_auth 0.1.1 → 0.3.0

data/lib/better_auth/router.rb

@@ -0,0 +1,378 @@
+# frozen_string_literal: true
+
+require "cgi"
+require "json"
+require "rack/request"
+
+module BetterAuth
+  class Router
+    attr_reader :context, :endpoints, :rate_limiter
+
+    def initialize(context, endpoints, rate_limiter: RateLimiter.new)
+      @context = context
+      @endpoints = endpoints
+      @rate_limiter = rate_limiter
+      @origin_check = Middleware::OriginCheck.new
+    end
+
+    def self.check_endpoint_conflicts(options, logger)
+      registry = Hash.new { |hash, key| hash[key] = [] }
+      options.plugins.each do |plugin|
+        plugin.fetch(:endpoints, {}).each do |key, endpoint|
+          next unless endpoint.respond_to?(:path) && endpoint.path
+
+          registry[endpoint.path] << {
+            plugin_id: plugin[:id].to_s,
+            endpoint_key: key.to_s,
+            methods: endpoint.methods
+          }
+        end
+      end
+
+      conflicts = registry.filter_map do |path, entries|
+        conflict_methods = conflicting_methods(entries)
+        next if conflict_methods.empty?
+
+        {
+          path: path,
+          plugins: entries.map { |entry| entry[:plugin_id] }.uniq,
+          methods: conflict_methods
+        }
+      end
+
+      return if conflicts.empty?
+
+      message = "Endpoint path conflicts detected! Multiple plugins are trying to use the same endpoint paths with conflicting HTTP methods:\n"
+      message += conflicts.map do |conflict|
+        "  - \"#{conflict[:path]}\" [#{conflict[:methods].join(", ")}] used by plugins: #{conflict[:plugins].join(", ")}"
+      end.join("\n")
+      log(logger, :error, message)
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+      context.prepare_for_request!(request) if context.respond_to?(:prepare_for_request!)
+
+      route_path = route_path_for(request.path_info)
+      return not_found unless route_path
+
+      query = parse_query(request)
+      endpoint, params, allowed_methods = find_endpoint(route_path, request.request_method)
+      return run_on_response_chain(not_found) unless endpoint
+      return run_on_response_chain(method_not_allowed(allowed_methods)) unless endpoint.matches_method?(request.request_method)
+      return run_on_response_chain(unsupported_media_type) unless allowed_media_type?(request, endpoint)
+
+      body = parse_body(request)
+      endpoint_context = build_endpoint_context(request, route_path, query, body, params)
+      return run_on_response_chain(forbidden) if server_only?(endpoint)
+
+      response = @origin_check.call(endpoint_context)
+      return run_on_response_chain(response) if response
+
+      response = run_plugin_middlewares(endpoint_context)
+      return run_on_response_chain(response) if response
+
+      return run_on_response_chain(not_found) if disabled_path?(route_path)
+
+      request = run_on_request_chain(request)
+      return run_on_response_chain(request) if rack_response?(request)
+
+      response = rate_limiter.call(request, context, route_path)
+      return run_on_response_chain(response) if response
+
+      endpoint_context = rebuild_endpoint_context(endpoint_context, request, route_path, params)
+      result = API.new(context, endpoints).execute(endpoint, endpoint_context)
+      response = result.response.is_a?(APIError) ? error_response(result.response, headers: result.headers) : result.to_rack_response
+      run_on_response_chain(response)
+    rescue APIError => error
+      error_response(error)
+    rescue JSON::ParserError
+      error_response(APIError.new("BAD_REQUEST", message: "Invalid JSON body"))
+    end
+
+    def self.conflicting_methods(entries)
+      method_map = Hash.new { |hash, key| hash[key] = [] }
+      entries.each do |entry|
+        entry[:methods].each do |method|
+          method_map[method] << entry[:plugin_id]
+        end
+      end
+
+      method_map.keys.select do |method|
+        method_map[method].length > 1 ||
+          (method == "*" && entries.length > 1) ||
+          (method != "*" && method_map.key?("*"))
+      end
+    end
+
+    def self.log(logger, level, message)
+      if logger.respond_to?(:call)
+        logger.call(level, message)
+      elsif logger.respond_to?(level)
+        logger.public_send(level, message)
+      end
+    end
+
+    private_class_method :conflicting_methods, :log
+
+    private
+
+    def route_path_for(path_info)
+      base_path = context.options.base_path
+      decoded = normalize_path(path_info, trim: false)
+
+      path = if base_path.empty?
+        decoded
+      elsif decoded == base_path
+        "/"
+      elsif decoded.start_with?("#{base_path}/")
+        decoded.delete_prefix(base_path)
+      else
+        return nil
+      end
+
+      if context.options.advanced[:skip_trailing_slashes]
+        trim_trailing_slashes(path)
+      else
+        path
+      end
+    end
+
+    def normalize_path(path, trim: true)
+      decoded = path.to_s
+      2.times do
+        next_decoded = CGI.unescape(decoded)
+        break if next_decoded == decoded
+
+        decoded = next_decoded
+      end
+      decoded = decoded.gsub(/[[:cntrl:]]/, "")
+      decoded = decoded.squeeze("/")
+      decoded = trim_trailing_slashes(decoded) if trim
+      decoded.empty? ? "/" : decoded
+    rescue ArgumentError
+      path.to_s
+    end
+
+    def trim_trailing_slashes(path)
+      path = path.sub(%r{/+\z}, "")
+      path.empty? ? "/" : path
+    end
+
+    def parse_body(request)
+      return {} unless request.body
+
+      request.body.rewind
+      raw = request.body.read.to_s
+      request.body.rewind
+      return {} if raw.empty?
+
+      if json_media_type?(request.media_type)
+        JSON.parse(raw)
+      else
+        request.POST
+      end
+    end
+
+    def json_media_type?(media_type)
+      media_type == "application/json" || media_type.to_s.end_with?("+json")
+    end
+
+    def allowed_media_type?(request, endpoint)
+      return true unless request_body_method?(request.request_method)
+      return true if request.media_type.nil? || request.media_type.empty?
+      return true if request.body.nil? || request.content_length.to_i.zero?
+
+      allowed_media_types(endpoint).include?(request.media_type)
+    end
+
+    def request_body_method?(method)
+      %w[POST PUT PATCH DELETE].include?(method.to_s.upcase)
+    end
+
+    def allowed_media_types(endpoint)
+      endpoint.metadata[:allowed_media_types] ||
+        endpoint.metadata["allowedMediaTypes"] ||
+        endpoint.metadata[:allowedMediaTypes] ||
+        ["application/json"]
+    end
+
+    def parse_query(request)
+      request.GET
+    end
+
+    def build_endpoint_context(request, path, query, body, params)
+      Endpoint::Context.new(
+        path: path,
+        method: request.request_method,
+        query: query,
+        body: body,
+        params: params,
+        headers: headers_from(request.env),
+        context: context,
+        request: request
+      )
+    end
+
+    def rebuild_endpoint_context(previous_context, request, route_path, params)
+      fresh_context = build_endpoint_context(request, route_path, parse_query(request), parse_body(request), params)
+      fresh_context.headers = merge_hashes(previous_context.headers, fresh_context.headers)
+      fresh_context.query = merge_hashes(previous_context.query, fresh_context.query)
+      fresh_context.body = merge_hashes(previous_context.body, fresh_context.body)
+      fresh_context
+    end
+
+    def merge_hashes(base, override)
+      return override unless base.is_a?(Hash) && override.is_a?(Hash)
+
+      base.merge(override) do |_key, old_value, new_value|
+        if old_value.is_a?(Hash) && new_value.is_a?(Hash)
+          merge_hashes(old_value, new_value)
+        else
+          new_value
+        end
+      end
+    end
+
+    def headers_from(env)
+      env.each_with_object({}) do |(key, value), headers|
+        case key
+        when "CONTENT_TYPE"
+          headers["content-type"] = value if value
+        when "CONTENT_LENGTH"
+          headers["content-length"] = value if value
+        else
+          next unless key.start_with?("HTTP_")
+
+          header = key.delete_prefix("HTTP_").downcase.tr("_", "-")
+          headers[header] = value
+        end
+      end
+    end
+
+    def find_endpoint(route_path, method)
+      path_matches = endpoints.values.filter_map do |endpoint|
+        params = match_path(endpoint.path, route_path)
+        [endpoint, params] if params
+      end
+
+      return [nil, {}, []] if path_matches.empty?
+
+      endpoint, params = path_matches.reverse.find { |candidate, _candidate_params| candidate.matches_method?(method) } || path_matches.first
+      allowed_methods = path_matches.flat_map { |candidate, _candidate_params| candidate.methods }.uniq
+      [endpoint, params, allowed_methods]
+    end
+
+    def match_path(pattern, path)
+      return {} if pattern == path
+      return nil unless pattern
+
+      pattern_parts = pattern.split("/", -1)
+      path_parts = path.split("/", -1)
+      return nil unless pattern_parts.length == path_parts.length
+
+      params = {}
+      pattern_parts.zip(path_parts).each do |pattern_part, path_part|
+        if pattern_part.start_with?(":")
+          params[pattern_part.delete_prefix(":").to_sym] = path_part
+        elsif pattern_part != path_part
+          return nil
+        end
+      end
+      params
+    end
+
+    def run_plugin_middlewares(endpoint_context)
+      plugin_middlewares.each do |middleware|
+        next unless path_matches?(middleware[:path], endpoint_context.path)
+
+        result = middleware[:middleware].call(endpoint_context)
+        return Endpoint::Result.from_value(result, endpoint_context).to_rack_response if result
+      end
+      nil
+    end
+
+    def plugin_middlewares
+      context.options.plugins.flat_map do |plugin|
+        Array(plugin[:middlewares]).map do |middleware|
+          {
+            path: middleware[:path],
+            middleware: middleware[:middleware]
+          }
+        end
+      end
+    end
+
+    def disabled_path?(route_path)
+      context.options.disabled_paths.any? do |disabled|
+        normalize_path(disabled) == normalize_path(route_path)
+      end
+    end
+
+    def run_on_request_chain(request)
+      current_request = request
+      context.options.plugins.each do |plugin|
+        handler = plugin[:on_request]
+        next unless handler
+
+        result = handler.call(current_request, context)
+        next unless result
+
+        return result[:response] if result[:response]
+        current_request = result[:request] if result[:request]
+      end
+      current_request
+    end
+
+    def run_on_response_chain(response)
+      current_response = response
+      context.options.plugins.each do |plugin|
+        handler = plugin[:on_response]
+        next unless handler
+
+        result = handler.call(current_response, context)
+        current_response = result[:response] if result && result[:response]
+      end
+      current_response
+    end
+
+    def path_matches?(pattern, path)
+      return true if pattern == "/**"
+      return path == pattern unless pattern&.end_with?("/**")
+
+      path.start_with?(pattern.delete_suffix("/**"))
+    end
+
+    def not_found
+      [404, {"content-type" => "application/json"}, [JSON.generate({error: "Not Found"})]]
+    end
+
+    def method_not_allowed(methods)
+      [405, {"content-type" => "application/json", "allow" => methods.reject { |method| method == "*" }.join(", ")}, [JSON.generate({error: "Method Not Allowed"})]]
+    end
+
+    def unsupported_media_type
+      [415, {"content-type" => "application/json"}, [JSON.generate({error: "Unsupported Media Type"})]]
+    end
+
+    def forbidden
+      [403, {"content-type" => "application/json"}, [JSON.generate({error: "Forbidden"})]]
+    end
+
+    def server_only?(endpoint)
+      endpoint.metadata[:server_only] || endpoint.metadata[:SERVER_ONLY] || endpoint.metadata["SERVER_ONLY"]
+    end
+
+    def error_response(error, headers: {})
+      Endpoint::Result.new(
+        response: error.to_h,
+        status: error.status_code,
+        headers: Endpoint::Result.merge_headers(headers, error.headers)
+      ).to_rack_response
+    end
+
+    def rack_response?(value)
+      Endpoint::Result.rack_response?(value)
+    end
+  end
+end

data/lib/better_auth/routes/account.rb

@@ -0,0 +1,211 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.list_accounts
+      Endpoint.new(path: "/list-accounts", method: "GET") do |ctx|
+        session = current_session(ctx)
+        accounts = ctx.context.internal_adapter.find_accounts(session[:user]["id"]).map do |account|
+          parsed = Schema.parse_output(ctx.context.options, "account", account)
+          scope = parsed.delete("scope")
+          parsed.merge("scopes" => scope.to_s.empty? ? [] : scope.to_s.split(","))
+        end
+        ctx.json(accounts)
+      end
+    end
+
+    def self.unlink_account
+      Endpoint.new(path: "/unlink-account", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        accounts = ctx.context.internal_adapter.find_accounts(session[:user]["id"])
+        if accounts.length == 1 && !ctx.context.options.account.dig(:account_linking, :allow_unlinking_all)
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["FAILED_TO_UNLINK_LAST_ACCOUNT"])
+        end
+
+        provider_id = body["providerId"] || body["provider_id"]
+        account_id = body["accountId"] || body["account_id"]
+        account = accounts.find do |entry|
+          entry["providerId"] == provider_id && (account_id.to_s.empty? || entry["accountId"] == account_id)
+        end
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["ACCOUNT_NOT_FOUND"]) unless account
+
+        ctx.context.internal_adapter.delete_account(account["id"])
+        ctx.json({status: true})
+      end
+    end
+
+    def self.get_access_token
+      Endpoint.new(path: "/get-access-token", method: "POST") do |ctx|
+        session = current_session(ctx, allow_nil: true)
+        body = normalize_hash(ctx.body)
+        user_id = session&.dig(:user, "id") || body["userId"] || body["user_id"]
+        raise APIError.new("UNAUTHORIZED") if user_id.to_s.empty?
+
+        provider_id = body["providerId"] || body["provider_id"]
+        provider = social_provider(ctx.context, provider_id)
+        raise APIError.new("BAD_REQUEST", message: "Provider #{provider_id} is not supported.") unless provider
+
+        account_id = body["accountId"] || body["account_id"]
+        account = account_cookie(ctx, provider_id, account_id, user_id) || find_provider_account(ctx, user_id, provider_id, account_id)
+        raise APIError.new("BAD_REQUEST", message: "Account not found") unless account
+
+        if account["refreshToken"] && access_token_expired?(account) && provider_callable(provider, :refresh_access_token)
+          tokens = call_provider(provider, :refresh_access_token, oauth_token_value(ctx, account["refreshToken"]))
+          updated = update_account_tokens(ctx, account, tokens)
+          account = account.merge(token_hash(tokens))
+          Cookies.set_account_cookie(ctx, updated || account.merge(token_hash_for_storage(ctx, tokens)))
+        end
+
+        ctx.json({
+          accessToken: oauth_token_value(ctx, account["accessToken"]),
+          accessTokenExpiresAt: account["accessTokenExpiresAt"],
+          scopes: account["scopes"] || (account["scope"].to_s.empty? ? [] : account["scope"].to_s.split(",")),
+          idToken: account["idToken"]
+        })
+      end
+    end
+
+    def self.refresh_token
+      Endpoint.new(path: "/refresh-token", method: "POST") do |ctx|
+        session = current_session(ctx, allow_nil: true)
+        body = normalize_hash(ctx.body)
+        user_id = session&.dig(:user, "id") || body["userId"] || body["user_id"]
+        raise APIError.new("BAD_REQUEST", message: "Either userId or session is required") if user_id.to_s.empty?
+
+        provider_id = body["providerId"] || body["provider_id"]
+        provider = social_provider(ctx.context, provider_id)
+        raise APIError.new("BAD_REQUEST", message: "Provider #{provider_id} not found.") unless provider
+        raise APIError.new("BAD_REQUEST", message: "Provider #{provider_id} does not support token refreshing.") unless provider_callable(provider, :refresh_access_token)
+
+        account_id = body["accountId"] || body["account_id"]
+        account = account_cookie(ctx, provider_id, account_id, user_id) || find_provider_account(ctx, user_id, provider_id, account_id)
+        raise APIError.new("BAD_REQUEST", message: "Account not found") unless account
+        refresh_token = oauth_token_value(ctx, account["refreshToken"])
+        raise APIError.new("BAD_REQUEST", message: "Refresh token not found") if refresh_token.to_s.empty?
+
+        tokens = call_provider(provider, :refresh_access_token, refresh_token)
+        updated = update_account_tokens(ctx, account, tokens)
+        values = token_hash(tokens)
+        Cookies.set_account_cookie(ctx, updated || account.merge(token_hash_for_storage(ctx, tokens)))
+        ctx.json({
+          accessToken: values["accessToken"],
+          refreshToken: values["refreshToken"],
+          accessTokenExpiresAt: values["accessTokenExpiresAt"],
+          refreshTokenExpiresAt: values["refreshTokenExpiresAt"],
+          scope: Array(values["scopes"]).join(","),
+          idToken: values["idToken"] || account["idToken"],
+          providerId: account["providerId"],
+          accountId: account["accountId"]
+        })
+      end
+    end
+
+    def self.account_info
+      Endpoint.new(path: "/account-info", method: "GET") do |ctx|
+        session = current_session(ctx)
+        account_id = fetch_value(ctx.query, "accountId")
+        account = if account_id
+          ctx.context.internal_adapter.find_accounts(session[:user]["id"]).find do |entry|
+            entry["id"] == account_id || entry["accountId"] == account_id
+          end
+        end
+        raise APIError.new("BAD_REQUEST", message: "Account not found") unless account && account["userId"] == session[:user]["id"]
+
+        provider = social_provider(ctx.context, account["providerId"])
+        raise APIError.new("INTERNAL_SERVER_ERROR", message: "Provider account provider is #{account["providerId"]} but it is not configured") unless provider
+        raise APIError.new("BAD_REQUEST", message: "Access token not found") if account["accessToken"].to_s.empty?
+
+        info = call_provider(provider, :get_user_info, {
+          accessToken: oauth_token_value(ctx, account["accessToken"]),
+          access_token: oauth_token_value(ctx, account["accessToken"]),
+          idToken: account["idToken"],
+          scopes: account["scope"].to_s.split(",")
+        })
+        ctx.json(info)
+      end
+    end
+
+    def self.social_provider(context, provider_id)
+      provider = context.social_providers[provider_id.to_sym] || context.social_providers[provider_id.to_s]
+      return provider.merge(id: provider_id.to_s) if provider.is_a?(Hash) && !provider.key?(:id) && !provider.key?("id")
+
+      provider
+    end
+
+    def self.find_provider_account(ctx, user_id, provider_id, account_id = nil)
+      ctx.context.internal_adapter.find_accounts(user_id).find do |account|
+        account["providerId"] == provider_id && (account_id.to_s.empty? || account["id"] == account_id || account["accountId"] == account_id)
+      end
+    end
+
+    def self.account_cookie(ctx, provider_id, account_id = nil, user_id = nil)
+      return nil unless ctx.context.options.account[:store_account_cookie]
+
+      account = Cookies.get_account_cookie(ctx)
+      return nil unless account && account["providerId"] == provider_id
+      return nil unless account_id.to_s.empty? || account["id"] == account_id || account["accountId"] == account_id
+      return nil unless user_id.to_s.empty? || account["userId"].to_s.empty? || account["userId"] == user_id
+
+      account
+    end
+
+    def self.access_token_expired?(account)
+      value = parse_time(account["accessTokenExpiresAt"])
+      value && value < Time.now + 5
+    end
+
+    def self.parse_time(value)
+      return value if value.is_a?(Time)
+      return nil if value.nil? || value.to_s.empty?
+
+      Time.parse(value.to_s)
+    rescue ArgumentError
+      nil
+    end
+
+    def self.update_account_tokens(ctx, account, tokens)
+      return nil if account["id"].to_s.empty?
+
+      ctx.context.internal_adapter.update_account(account["id"], token_hash_for_storage(ctx, tokens))
+    end
+
+    def self.token_hash(tokens)
+      data = normalize_hash(tokens || {})
+      data["scope"] = Array(data.delete("scopes")).join(",") if data.key?("scopes")
+      data
+    end
+
+    def self.token_hash_for_storage(ctx, tokens)
+      data = token_hash(tokens)
+      data["accessToken"] = oauth_token_for_storage(ctx, data["accessToken"]) if data.key?("accessToken")
+      data["refreshToken"] = oauth_token_for_storage(ctx, data["refreshToken"]) if data.key?("refreshToken")
+      data
+    end
+
+    def self.oauth_token_for_storage(ctx, token)
+      return token if token.to_s.empty?
+      return token unless ctx.context.options.account[:encrypt_oauth_tokens]
+
+      Crypto.symmetric_encrypt(key: ctx.context.secret, data: token)
+    end
+
+    def self.oauth_token_value(ctx, token)
+      return token if token.to_s.empty?
+      return token unless ctx.context.options.account[:encrypt_oauth_tokens]
+
+      Crypto.symmetric_decrypt(key: ctx.context.secret, data: token) || token
+    end
+
+    def self.provider_callable(provider, key)
+      provider.respond_to?(key) || (provider.is_a?(Hash) && (provider[key] || provider[key.to_s]))
+    end
+
+    def self.call_provider(provider, key, *arguments)
+      return provider.public_send(key, *arguments) if provider.respond_to?(key)
+
+      callable = provider[key] || provider[key.to_s]
+      callable.respond_to?(:call) ? callable.call(*arguments) : callable
+    end
+  end
+end

data/lib/better_auth/routes/email_verification.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Routes
+    def self.send_verification_email
+      Endpoint.new(path: "/send-verification-email", method: "POST") do |ctx|
+        sender = ctx.context.options.email_verification[:send_verification_email]
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+
+        body = normalize_hash(ctx.body)
+        email = body["email"].to_s.downcase
+        session = current_session(ctx, allow_nil: true)
+
+        if session
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["EMAIL_MISMATCH"]) if session[:user]["email"] != email
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["EMAIL_ALREADY_VERIFIED"]) if session[:user]["emailVerified"]
+
+          send_verification_email_payload(ctx, session[:user], body["callbackURL"] || body["callbackUrl"] || body["callback_url"])
+          next ctx.json({status: true})
+        end
+
+        found = ctx.context.internal_adapter.find_user_by_email(email)
+        if found && !found[:user]["emailVerified"]
+          send_verification_email_payload(ctx, found[:user], body["callbackURL"] || body["callbackUrl"] || body["callback_url"])
+        else
+          create_email_verification_token(ctx, email)
+        end
+        ctx.json({status: true})
+      end
+    end
+
+    def self.verify_email
+      Endpoint.new(path: "/verify-email", method: "GET") do |ctx|
+        token = fetch_value(ctx.query, "token").to_s
+        callback_url = fetch_value(ctx.query, "callbackURL")
+        validate_callback_url!(ctx.context, callback_url)
+        payload = verify_email_token(ctx, token, callback_url)
+        email = payload["email"].to_s.downcase
+        update_to = payload["updateTo"] || payload["update_to"]
+        user_data = ctx.context.internal_adapter.find_user_by_email(email)
+        return redirect_or_error(ctx, callback_url, "user_not_found") unless user_data
+
+        user = user_data[:user]
+        if update_to
+          updated = ctx.context.internal_adapter.update_user_by_email(email, email: update_to, emailVerified: false)
+          updated_user = updated || user.merge("email" => update_to, "emailVerified" => false)
+          send_verification_email_payload(ctx, updated_user, callback_url) if ctx.context.options.email_verification[:send_verification_email].respond_to?(:call)
+          set_verified_session_cookie(ctx, updated_user)
+          next redirect_or_json(ctx, callback_url, {status: true, user: Schema.parse_output(ctx.context.options, "user", updated)})
+        end
+
+        if user["emailVerified"]
+          next redirect_or_json(ctx, callback_url, {status: true, user: nil})
+        end
+
+        call_option(ctx.context.options.email_verification[:before_email_verification], user, ctx.request)
+        call_option(ctx.context.options.email_verification[:on_email_verification], user, ctx.request)
+        updated = ctx.context.internal_adapter.update_user_by_email(email, emailVerified: true)
+        call_option(ctx.context.options.email_verification[:after_email_verification], updated, ctx.request)
+        set_verified_session_cookie(ctx, updated) if ctx.context.options.email_verification[:auto_sign_in_after_verification]
+        redirect_or_json(ctx, callback_url, {status: true, user: nil})
+      end
+    end
+
+    def self.send_verification_email_payload(ctx, user, callback_url)
+      token = create_email_verification_token(ctx, user["email"])
+      callback = URI.encode_www_form_component(callback_url || "/")
+      url = "#{ctx.context.base_url}/verify-email?token=#{URI.encode_www_form_component(token)}&callbackURL=#{callback}"
+      ctx.context.options.email_verification[:send_verification_email].call({user: user, url: url, token: token}, ctx.request)
+    end
+
+    def self.create_email_verification_token(ctx, email, update_to: nil, extra: {})
+      payload = {"email" => email.to_s.downcase}.merge(extra)
+      payload["updateTo"] = update_to if update_to
+      Crypto.sign_jwt(payload, ctx.context.secret, expires_in: ctx.context.options.email_verification[:expires_in] || 3600)
+    end
+
+    def self.verify_email_token(ctx, token, callback_url)
+      payload = Crypto.verify_jwt(token, ctx.context.secret)
+      return payload if payload
+
+      redirect_or_error(ctx, callback_url, "invalid_token")
+    end
+
+    def self.redirect_or_error(ctx, callback_url, error)
+      if callback_url
+        separator = callback_url.include?("?") ? "&" : "?"
+        raise ctx.redirect("#{callback_url}#{separator}error=#{error}")
+      end
+      raise APIError.new("UNAUTHORIZED", message: error)
+    end
+
+    def self.redirect_or_json(ctx, callback_url, data)
+      raise ctx.redirect(callback_url) if callback_url
+
+      ctx.json(data)
+    end
+
+    def self.set_verified_session_cookie(ctx, user)
+      session = current_session(ctx, allow_nil: true)
+      session_data = session ? session[:session] : ctx.context.internal_adapter.create_session(user["id"])
+      Cookies.set_session_cookie(ctx, {session: session_data, user: user})
+    end
+
+    def self.call_option(callback, user, request)
+      callback.call(user, request) if callback.respond_to?(:call)
+    end
+  end
+end