better_auth 0.1.1 → 0.3.0

data/lib/better_auth/routes/user.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Routes
+    def self.update_user
+      Endpoint.new(path: "/update-user", method: "POST") do |ctx|
+        session = current_session(ctx)
+        body = normalize_hash(ctx.body)
+        raise APIError.new("BAD_REQUEST", message: "Body must be an object") unless body.is_a?(Hash)
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["EMAIL_CAN_NOT_BE_UPDATED"]) if body.key?("email")
+        update = parse_declared_input(ctx, "user", body, allowed_base: ["name", "image"])
+        raise APIError.new("BAD_REQUEST", message: "No fields to update") if update.empty?
+
+        updated = ctx.context.internal_adapter.update_user(session[:user]["id"], update)
+        Cookies.set_session_cookie(ctx, {session: session[:session], user: updated}, Cookies.dont_remember?(ctx))
+        ctx.json({status: true})
+      end
+    end
+
+    def self.change_password
+      Endpoint.new(path: "/change-password", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_password = body["newPassword"] || body["new_password"]
+        current_password = body["currentPassword"] || body["current_password"]
+        validate_password_length!(new_password, ctx.context.options.email_and_password)
+        account = credential_account(ctx, session[:user]["id"])
+        unless account && account["password"] && verify_password_value(ctx, current_password.to_s, account["password"])
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+        end
+
+        ctx.context.internal_adapter.update_account(account["id"], password: hash_password(ctx, new_password))
+        token = nil
+        if body["revokeOtherSessions"] || body["revoke_other_sessions"]
+          ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
+          new_session = ctx.context.internal_adapter.create_session(session[:user]["id"])
+          Cookies.set_session_cookie(ctx, {session: new_session, user: session[:user]})
+          token = new_session["token"]
+        end
+        ctx.json({token: token, user: Schema.parse_output(ctx.context.options, "user", session[:user])})
+      end
+    end
+
+    def self.set_password
+      Endpoint.new(path: "/set-password", method: "POST") do |ctx|
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_password = body["newPassword"] || body["new_password"]
+        validate_password_length!(new_password, ctx.context.options.email_and_password)
+        account = credential_account(ctx, session[:user]["id"])
+        raise APIError.new("BAD_REQUEST", message: "user already has a password") if account && account["password"]
+
+        ctx.context.internal_adapter.link_account(
+          userId: session[:user]["id"],
+          providerId: "credential",
+          accountId: session[:user]["id"],
+          password: hash_password(ctx, new_password)
+        )
+        ctx.json({status: true})
+      end
+    end
+
+    def self.delete_user
+      Endpoint.new(path: "/delete-user", method: "POST") do |ctx|
+        enabled = ctx.context.options.user.dig(:delete_user, :enabled)
+        raise APIError.new("NOT_FOUND") unless enabled
+
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        sender = ctx.context.options.user.dig(:delete_user, :send_delete_account_verification)
+        if body["password"]
+          account = credential_account(ctx, session[:user]["id"])
+          unless account && account["password"] && verify_password_value(ctx, body["password"], account["password"])
+            raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
+          end
+        end
+
+        if body["token"]
+          delete_user_by_token!(ctx, session, body["token"])
+        elsif sender
+          token = SecureRandom.hex(16)
+          ctx.context.internal_adapter.create_verification_value(
+            identifier: "delete-account-#{token}",
+            value: session[:user]["id"],
+            expiresAt: Time.now + ctx.context.options.user.dig(:delete_user, :delete_token_expires_in).to_i
+          )
+          sender.call({user: session[:user], token: token}, ctx.request)
+          next ctx.json({success: true, message: "Verification email sent"})
+        elsif !body["password"]
+          require_fresh_session!(ctx, session)
+        end
+
+        delete_current_user!(ctx, session)
+        ctx.json({success: true, message: "User deleted"})
+      end
+    end
+
+    def self.delete_user_callback
+      Endpoint.new(path: "/delete-user/callback", method: "GET") do |ctx|
+        enabled = ctx.context.options.user.dig(:delete_user, :enabled)
+        raise APIError.new("NOT_FOUND") unless enabled
+        session = current_session(ctx)
+        token = fetch_value(ctx.query, "token")
+        delete_user_by_token!(ctx, session, token)
+        callback_url = fetch_value(ctx.query, "callbackURL")
+        validate_callback_url!(ctx.context, callback_url)
+        delete_current_user!(ctx, session)
+        raise ctx.redirect(callback_url) if callback_url
+
+        ctx.json({success: true, message: "User deleted"})
+      end
+    end
+
+    def self.change_email
+      Endpoint.new(path: "/change-email", method: "POST") do |ctx|
+        enabled = ctx.context.options.user.dig(:change_email, :enabled)
+        raise APIError.new("BAD_REQUEST", message: "Change email is disabled") unless enabled
+        session = current_session(ctx, sensitive: true)
+        body = normalize_hash(ctx.body)
+        new_email = (body["newEmail"] || body["new_email"]).to_s.downcase
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless EMAIL_PATTERN.match?(new_email)
+        raise APIError.new("BAD_REQUEST", message: "Email is the same") if new_email == session[:user]["email"]
+        raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]) if ctx.context.internal_adapter.find_user_by_email(new_email)
+
+        if !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+          updated = ctx.context.internal_adapter.update_user_by_email(session[:user]["email"], email: new_email)
+          Cookies.set_session_cookie(ctx, {session: session[:session], user: updated})
+          next ctx.json({status: true})
+        end
+
+        sender = ctx.context.options.email_verification[:send_verification_email]
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+
+        token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-verification"})
+        sender.call({user: session[:user].merge("email" => new_email), token: token}, ctx.request)
+        ctx.json({status: true})
+      end
+    end
+
+    def self.delete_user_by_token!(ctx, session, token)
+      verification = ctx.context.internal_adapter.find_verification_value("delete-account-#{token}")
+      unless verification && verification["value"] == session[:user]["id"] && !expired_time?(verification["expiresAt"])
+        raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["INVALID_TOKEN"])
+      end
+      ctx.context.internal_adapter.delete_verification_value(verification["id"])
+    end
+
+    def self.delete_current_user!(ctx, session)
+      config = ctx.context.options.user[:delete_user] || {}
+      call_option(config[:before_delete], session[:user], ctx.request)
+      ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
+      Cookies.delete_session_cookie(ctx)
+      call_option(config[:after_delete], session[:user], ctx.request)
+    end
+
+    def self.require_fresh_session!(ctx, session)
+      fresh_age = ctx.context.session_config[:fresh_age].to_i
+      return if fresh_age <= 0
+
+      updated_at = Session.normalize_time(session[:session]["updatedAt"] || session[:session]["updated_at"] || session[:session]["createdAt"] || session[:session]["created_at"])
+      raise APIError.new("UNAUTHORIZED") unless updated_at && updated_at + fresh_age > Time.now
+    end
+
+    def self.parse_declared_input(ctx, model, data, allowed_base: [])
+      input = normalize_hash(data || {})
+      table = Schema.auth_tables(ctx.context.options)[model.to_s]
+      fields = table ? table.fetch(:fields) : {}
+      additional = ctx.context.options.public_send(model.to_sym)[:additional_fields] || {}
+      fields = fields.merge(additional.each_with_object({}) { |(key, value), result| result[Schema.storage_key(key)] = value }) if model.to_s == "session"
+      declared_fields = fields.keys - core_model_fields(model)
+      allowed = (Array(allowed_base).map { |field| Schema.storage_key(field) } + declared_fields).uniq
+
+      input.each_with_object({}) do |(field, value), result|
+        next unless fields.key?(field)
+        next unless allowed.include?(field)
+
+        attributes = fields.fetch(field)
+        if attributes[:input] == false
+          raise APIError.new("BAD_REQUEST", message: "#{field} is not allowed to be set")
+        end
+
+        result[field] = coerce_input_value(value, attributes)
+      end
+    end
+
+    def self.coerce_input_value(value, attributes)
+      return value if value.nil?
+      return Time.parse(value) if attributes[:type] == "date" && value.is_a?(String)
+
+      value
+    end
+
+    def self.core_model_fields(model)
+      case model.to_s
+      when "user"
+        %w[id name email emailVerified image createdAt updatedAt]
+      when "session"
+        %w[id expiresAt token ipAddress userAgent userId createdAt updatedAt]
+      else
+        %w[id createdAt updatedAt]
+      end
+    end
+  end
+end

data/lib/better_auth/schema/sql.rb

@@ -0,0 +1,202 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Schema
+    module SQL
+      module_function
+
+      def create_statements(options, dialect:)
+        dialect = dialect.to_sym
+        tables = Schema.auth_tables(options)
+        statements = tables.map { |logical_name, table| create_table_statement(logical_name, table, dialect, tables) }
+        statements.concat(tables.flat_map { |_logical_name, table| index_statements(table, dialect) })
+      end
+
+      def create_table_statement(logical_name, table, dialect, tables = nil)
+        table_name = table.fetch(:model_name)
+        columns = table.fetch(:fields).map do |logical_field, attributes|
+          column_definition(table_name, logical_field, attributes, dialect)
+        end
+        constraints = table.fetch(:fields).flat_map do |logical_field, attributes|
+          field_constraints(table_name, logical_field, attributes, dialect, tables)
+        end
+        body = (columns + constraints).join(",\n  ")
+
+        case dialect
+        when :postgres, :sqlite
+          %(CREATE TABLE IF NOT EXISTS #{quote(table_name, dialect)} (\n  #{body}\n);)
+        when :mysql
+          %(CREATE TABLE IF NOT EXISTS #{quote(table_name, dialect)} (\n  #{body}\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;)
+        when :mssql
+          %(IF OBJECT_ID(N'#{quote(table_name, dialect)}', N'U') IS NULL\nCREATE TABLE #{quote(table_name, dialect)} (\n  #{body}\n);)
+        else
+          raise ArgumentError, "Unsupported SQL dialect: #{dialect}"
+        end
+      end
+
+      def column_definition(table_name, logical_field, attributes, dialect)
+        column = quote(attributes[:field_name] || physical_name(logical_field), dialect)
+        parts = [column, sql_type(logical_field, attributes, dialect)]
+        parts << "PRIMARY KEY" if logical_field == "id"
+        if attributes[:required]
+          parts << "NOT NULL"
+        elsif dialect == :mssql
+          parts << "NULL"
+        end
+        default = default_sql(attributes, dialect)
+        parts << "DEFAULT #{default}" if default
+        parts.join(" ")
+      end
+
+      def field_constraints(table_name, logical_field, attributes, dialect, tables = nil)
+        constraints = []
+        column = attributes[:field_name] || physical_name(logical_field)
+
+        if attributes[:unique] && logical_field != "id"
+          constraints << unique_constraint(table_name, column, dialect)
+        end
+
+        reference = attributes[:references]
+        if reference
+          constraints << foreign_key_constraint(table_name, column, reference, dialect, tables)
+        end
+
+        constraints
+      end
+
+      def index_statements(table, dialect)
+        table_name = table.fetch(:model_name)
+        table.fetch(:fields).filter_map do |logical_field, attributes|
+          next unless attributes[:index]
+
+          column = attributes[:field_name] || Schema.physical_name(logical_field)
+          name = "index_#{table_name}_on_#{column}"
+          case dialect
+          when :postgres, :sqlite
+            %(CREATE INDEX IF NOT EXISTS #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          when :mysql
+            %(CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          when :mssql
+            %(IF NOT EXISTS (SELECT name FROM sys.indexes WHERE name = '#{name.gsub("'", "''")}' AND object_id = OBJECT_ID(N'#{quote(table_name, dialect)}')) CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+          end
+        end
+      end
+
+      def sql_type(logical_field, attributes, dialect)
+        case attributes[:type]
+        when "boolean"
+          case dialect
+          when :mysql
+            "tinyint(1)"
+          when :sqlite
+            "integer"
+          when :mssql
+            "smallint"
+          else
+            "boolean"
+          end
+        when "date"
+          case dialect
+          when :mysql
+            "datetime(6)"
+          when :sqlite
+            "date"
+          when :mssql
+            "datetime2(3)"
+          else
+            "timestamptz"
+          end
+        when "number"
+          attributes[:bigint] ? "bigint" : "integer"
+        when "json", "string[]", "number[]"
+          case dialect
+          when :postgres
+            "jsonb"
+          when :mysql
+            "json"
+          when :mssql
+            "varchar(8000)"
+          else
+            "text"
+          end
+        else
+          if dialect == :mysql
+            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references]
+            indexed ? "varchar(191)" : "text"
+          elsif dialect == :mssql
+            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references] || attributes[:sortable]
+            indexed ? "varchar(255)" : "varchar(8000)"
+          else
+            "text"
+          end
+        end
+      end
+
+      def default_sql(attributes, dialect)
+        default = attributes[:default_value]
+        return unless default == false || default == true || default.is_a?(Numeric) || default.is_a?(String) || default.respond_to?(:call)
+
+        if attributes[:type] == "date" && default.respond_to?(:call)
+          return (dialect == :mysql) ? "CURRENT_TIMESTAMP(6)" : "CURRENT_TIMESTAMP"
+        end
+
+        case default
+        when true
+          (dialect == :mysql || dialect == :sqlite || dialect == :mssql) ? "1" : "true"
+        when false
+          (dialect == :mysql || dialect == :sqlite || dialect == :mssql) ? "0" : "false"
+        when Numeric
+          default.to_s
+        when String
+          "'#{default.gsub("'", "''")}'"
+        end
+      end
+
+      def unique_constraint(table_name, column, dialect)
+        case dialect
+        when :postgres, :sqlite
+          %(UNIQUE (#{quote(column, dialect)}))
+        when :mysql
+          %(UNIQUE KEY #{quote("uniq_#{table_name}_#{column}", dialect)} (#{quote(column, dialect)}))
+        when :mssql
+          %(CONSTRAINT #{quote("uniq_#{table_name}_#{column}", dialect)} UNIQUE (#{quote(column, dialect)}))
+        end
+      end
+
+      def foreign_key_constraint(table_name, column, reference, dialect, tables = nil)
+        target_model = tables&.fetch(reference.fetch(:model).to_s, nil)&.fetch(:model_name) || reference.fetch(:model)
+        target_field = reference.fetch(:field)
+        on_delete = reference[:on_delete] ? " ON DELETE #{reference[:on_delete].to_s.upcase}" : ""
+
+        case dialect
+        when :postgres, :sqlite
+          %(FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        when :mysql
+          %(CONSTRAINT #{quote("fk_#{table_name}_#{column}", dialect)} FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        when :mssql
+          %(CONSTRAINT #{quote("fk_#{table_name}_#{column}", dialect)} FOREIGN KEY (#{quote(column, dialect)}) REFERENCES #{quote(target_model, dialect)} (#{quote(target_field, dialect)})#{on_delete})
+        end
+      end
+
+      def quote(identifier, dialect)
+        case dialect
+        when :postgres, :sqlite
+          %("#{identifier.to_s.gsub("\"", "\"\"")}")
+        when :mysql
+          "`#{identifier.to_s.gsub("`", "``")}`"
+        when :mssql
+          "[#{identifier.to_s.gsub("]", "]]")}]"
+        else
+          raise ArgumentError, "Unsupported SQL dialect: #{dialect}"
+        end
+      end
+
+      def physical_name(value)
+        value.to_s
+          .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+          .tr("-", "_")
+          .downcase
+      end
+    end
+  end
+end