better_auth 0.1.1 → 0.3.0

data/lib/better_auth/schema.rb

@@ -0,0 +1,291 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Schema
+    module_function
+
+    def auth_tables(options)
+      plugin_schema = plugin_tables(options)
+
+      tables = {
+        "user" => user_table(options, plugin_schema.delete("user")),
+        "session" => session_table(options, plugin_schema.delete("session")),
+        "account" => account_table(options, plugin_schema.delete("account")),
+        "verification" => verification_table(options, plugin_schema.delete("verification"))
+      }
+
+      tables.delete("session") if secondary_storage?(options) && !session_option(options, :store_session_in_database)
+      tables.delete("verification") if secondary_storage?(options) && !verification_option(options, :store_in_database)
+      tables.merge!(plugin_schema)
+      tables["rateLimit"] = rate_limit_table(options) if rate_limit_option(options, :storage) == "database"
+      tables.sort_by { |_name, table| table[:order] || Float::INFINITY }.to_h
+    end
+
+    def storage_model_name(options, model)
+      table = auth_tables(options).fetch(model.to_s)
+      table[:model_name]
+    end
+
+    def storage_field_name(options, model, field)
+      table = auth_tables(options).fetch(model.to_s)
+      data = table[:fields].fetch(field.to_s)
+      data[:field_name] || field.to_s
+    end
+
+    def parse_output(options, model, data)
+      return nil unless data
+
+      table = auth_tables(options).fetch(model.to_s)
+      table[:fields].each_with_object({}) do |(field, attributes), result|
+        next if attributes[:returned] == false && field != "id"
+        next unless data.key?(field)
+
+        result[field] = data[field]
+      end.tap do |result|
+        data.each { |key, value| result[key] = value unless result.key?(key) || table[:fields].key?(key) }
+      end
+    rescue KeyError
+      data
+    end
+
+    private_class_method def self.user_table(options, plugin_table)
+      table(
+        model_name: model_option(options, :user, :model_name) || "users",
+        order: 1,
+        fields: id_field.merge(
+          "name" => field("string", required: true, sortable: true, field_name: mapped_field(options, :user, "name")),
+          "email" => field("string", required: true, unique: true, sortable: true, field_name: mapped_field(options, :user, "email")),
+          "emailVerified" => field("boolean", required: true, input: false, default_value: false, field_name: mapped_field(options, :user, "emailVerified")),
+          "image" => field("string", required: false, field_name: mapped_field(options, :user, "image"))
+        ).merge(timestamp_fields),
+        extra_fields: [plugin_table&.fetch(:fields, nil), additional_fields(options, :user)]
+      )
+    end
+
+    private_class_method def self.session_table(options, plugin_table)
+      table(
+        model_name: model_option(options, :session, :model_name) || "sessions",
+        order: 2,
+        fields: base_fields.merge(
+          "expiresAt" => field("date", required: true, field_name: mapped_field(options, :session, "expiresAt")),
+          "token" => field("string", required: true, unique: true, field_name: mapped_field(options, :session, "token")),
+          "ipAddress" => field("string", required: false, field_name: mapped_field(options, :session, "ipAddress")),
+          "userAgent" => field("string", required: false, field_name: mapped_field(options, :session, "userAgent")),
+          "userId" => field("string", required: true, index: true, field_name: mapped_field(options, :session, "userId"), references: {model: model_option(options, :user, :model_name) || "users", field: "id", on_delete: "cascade"})
+        ),
+        extra_fields: [plugin_table&.fetch(:fields, nil), additional_fields(options, :session)]
+      )
+    end
+
+    private_class_method def self.account_table(options, plugin_table)
+      table(
+        model_name: model_option(options, :account, :model_name) || "accounts",
+        order: 3,
+        fields: base_fields.merge(
+          "accountId" => field("string", required: true, field_name: mapped_field(options, :account, "accountId")),
+          "providerId" => field("string", required: true, field_name: mapped_field(options, :account, "providerId")),
+          "userId" => field("string", required: true, index: true, field_name: mapped_field(options, :account, "userId"), references: {model: model_option(options, :user, :model_name) || "users", field: "id", on_delete: "cascade"}),
+          "accessToken" => field("string", required: false, returned: false, field_name: mapped_field(options, :account, "accessToken")),
+          "refreshToken" => field("string", required: false, returned: false, field_name: mapped_field(options, :account, "refreshToken")),
+          "idToken" => field("string", required: false, returned: false, field_name: mapped_field(options, :account, "idToken")),
+          "accessTokenExpiresAt" => field("date", required: false, returned: false, field_name: mapped_field(options, :account, "accessTokenExpiresAt")),
+          "refreshTokenExpiresAt" => field("date", required: false, returned: false, field_name: mapped_field(options, :account, "refreshTokenExpiresAt")),
+          "scope" => field("string", required: false, field_name: mapped_field(options, :account, "scope")),
+          "password" => field("string", required: false, returned: false, field_name: mapped_field(options, :account, "password"))
+        ),
+        extra_fields: [plugin_table&.fetch(:fields, nil), additional_fields(options, :account)]
+      )
+    end
+
+    private_class_method def self.verification_table(options, plugin_table)
+      table(
+        model_name: model_option(options, :verification, :model_name) || "verifications",
+        order: 4,
+        fields: base_fields.merge(
+          "identifier" => field("string", required: true, index: true, field_name: mapped_field(options, :verification, "identifier")),
+          "value" => field("string", required: true, field_name: mapped_field(options, :verification, "value")),
+          "expiresAt" => field("date", required: true, field_name: mapped_field(options, :verification, "expiresAt"))
+        ),
+        extra_fields: [plugin_table&.fetch(:fields, nil), additional_fields(options, :verification)]
+      )
+    end
+
+    private_class_method def self.rate_limit_table(options)
+      {
+        model_name: rate_limit_option(options, :model_name) || "rate_limits",
+        fields: {
+          "key" => field("string", required: true, unique: true, field_name: rate_limit_field(options, "key")),
+          "count" => field("number", required: true, field_name: rate_limit_field(options, "count")),
+          "lastRequest" => field("number", required: true, bigint: true, default_value: -> { current_millis }, field_name: rate_limit_field(options, "lastRequest"))
+        }
+      }
+    end
+
+    private_class_method def self.base_fields
+      id_field.merge(timestamp_fields)
+    end
+
+    private_class_method def self.id_field
+      {
+        "id" => field("string", required: true)
+      }
+    end
+
+    private_class_method def self.timestamp_fields
+      {
+        "createdAt" => field("date", required: true, default_value: -> { Time.now }, field_name: physical_name("createdAt")),
+        "updatedAt" => field("date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }, field_name: physical_name("updatedAt"))
+      }
+    end
+
+    private_class_method def self.table(model_name:, fields:, extra_fields:, order:)
+      {
+        model_name: model_name,
+        fields: merge_fields(fields, *extra_fields),
+        order: order
+      }
+    end
+
+    private_class_method def self.merge_fields(base, *extras)
+      extras.compact.each_with_object(base.dup) do |extra, fields|
+        normalize_fields(extra).each { |key, value| fields[key] = value }
+      end
+    end
+
+    private_class_method def self.field(type, **attributes)
+      {type: type}.merge(attributes).compact
+    end
+
+    private_class_method def self.plugin_tables(options)
+      plugins_for(options).each_with_object({}) do |plugin, tables|
+        schema = fetch_hash(plugin, :schema) || {}
+        schema.each do |raw_key, raw_table|
+          key = storage_key(raw_key)
+          table_data = symbolize_hash(raw_table || {})
+          existing = tables[key] || {model_name: table_data[:model_name] || physical_name(key), fields: {}}
+          existing[:model_name] = table_data[:model_name] || existing[:model_name] || physical_name(key)
+          existing[:fields] = existing[:fields].merge(normalize_fields(table_data[:fields] || {}))
+          tables[key] = existing
+        end
+      end
+    end
+
+    private_class_method def self.normalize_fields(fields)
+      fields.each_with_object({}) do |(raw_key, raw_value), result|
+        key = storage_key(raw_key)
+        result[key] = normalize_field(raw_value, key)
+      end
+    end
+
+    private_class_method def self.normalize_field(value, key)
+      data = symbolize_hash(value || {})
+      data[:field_name] ||= physical_name(key)
+      data[:references] = normalize_reference(data[:references]) if data[:references]
+      data
+    end
+
+    private_class_method def self.normalize_reference(value)
+      reference = symbolize_hash(value || {})
+      reference[:on_delete] ||= "cascade"
+      reference
+    end
+
+    private_class_method def self.mapped_field(options, model, field)
+      fields = fetch_hash(model_options(options, model), :fields) || {}
+      fetch_mapped_value(fields, field) || physical_name(field)
+    end
+
+    private_class_method def self.rate_limit_field(options, field)
+      fields = fetch_hash(rate_limit_options(options), :fields) || {}
+      fetch_mapped_value(fields, field) || physical_name(field)
+    end
+
+    private_class_method def self.fetch_mapped_value(hash, field)
+      hash[storage_key(field).to_sym] || hash[storage_key(field)] || hash[underscore(field).to_sym] || hash[underscore(field)]
+    end
+
+    private_class_method def self.additional_fields(options, model)
+      fetch_hash(model_options(options, model), :additional_fields) || {}
+    end
+
+    private_class_method def self.model_option(options, model, key)
+      fetch_hash(model_options(options, model), key)
+    end
+
+    private_class_method def self.session_option(options, key)
+      fetch_hash(session_options(options), key)
+    end
+
+    private_class_method def self.rate_limit_option(options, key)
+      fetch_hash(rate_limit_options(options), key)
+    end
+
+    private_class_method def self.verification_option(options, key)
+      fetch_hash(verification_options(options), key)
+    end
+
+    private_class_method def self.model_options(options, model)
+      options.respond_to?(model) ? options.public_send(model) : fetch_hash(options, model)
+    end
+
+    private_class_method def self.session_options(options)
+      options.respond_to?(:session) ? options.session : fetch_hash(options, :session)
+    end
+
+    private_class_method def self.rate_limit_options(options)
+      options.respond_to?(:rate_limit) ? options.rate_limit : fetch_hash(options, :rate_limit)
+    end
+
+    private_class_method def self.verification_options(options)
+      options.respond_to?(:verification) ? options.verification : fetch_hash(options, :verification)
+    end
+
+    private_class_method def self.secondary_storage?(options)
+      options.respond_to?(:secondary_storage) ? !!options.secondary_storage : !!fetch_hash(options, :secondary_storage)
+    end
+
+    private_class_method def self.plugins_for(options)
+      options.respond_to?(:plugins) ? options.plugins : Array(fetch_hash(options, :plugins))
+    end
+
+    private_class_method def self.fetch_hash(hash, key)
+      return nil unless hash.respond_to?(:[])
+
+      hash[key] || hash[key.to_s] || hash[underscore(key.to_s).to_sym] || hash[underscore(key.to_s)]
+    end
+
+    private_class_method def self.symbolize_hash(value)
+      return {} unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        result[underscore(key.to_s).to_sym] = object.is_a?(Hash) ? symbolize_hash(object) : object
+      end
+    end
+
+    private_class_method def self.storage_key(value)
+      camelize_lower(value.to_s)
+    end
+
+    private_class_method def self.physical_name(value)
+      underscore(value.to_s)
+    end
+
+    private_class_method def self.camelize_lower(value)
+      parts = underscore(value).split("_")
+      ([parts.first] + parts.drop(1).map(&:capitalize)).join
+    end
+
+    private_class_method def self.underscore(value)
+      value
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+    end
+
+    private_class_method def self.current_millis
+      (Time.now.to_f * 1000).to_i
+    end
+
+    public_class_method :storage_key
+  end
+end

data/lib/better_auth/session.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require "time"
+
+module BetterAuth
+  module Session
+    module_function
+
+    def find_current(ctx, disable_cookie_cache: false, disable_refresh: false, sensitive: false)
+      if ctx.context.current_session
+        return ctx.context.current_session
+      end
+
+      token_cookie = ctx.context.auth_cookies[:session_token]
+      token = ctx.get_signed_cookie(token_cookie.name, ctx.context.secret)
+      return nil unless token
+
+      cached = cached_session(ctx, token, disable_cookie_cache: disable_cookie_cache, sensitive: sensitive)
+      if cached
+        ctx.context.set_current_session(cached) if ctx.context.respond_to?(:set_current_session)
+        return cached
+      end
+
+      found = ctx.context.internal_adapter.find_session(token)
+      return missing_session(ctx) unless found
+
+      session = stringify_keys(found[:session] || found["session"])
+      user = stringify_keys(found[:user] || found["user"])
+      return missing_session(ctx) if expired?(session)
+
+      result = {session: session, user: user}
+      result = refresh_session(ctx, result) if should_refresh?(ctx, session, disable_refresh)
+      Cookies.set_cookie_cache(ctx, result, false)
+      ctx.context.set_current_session(result) if ctx.context.respond_to?(:set_current_session)
+      result
+    end
+
+    def cached_session(ctx, token, disable_cookie_cache:, sensitive:)
+      config = ctx.context.session_config[:cookie_cache] || {}
+      return nil if disable_cookie_cache || sensitive || !config[:enabled]
+
+      payload = Cookies.get_cookie_cache(
+        ctx,
+        secret: ctx.context.secret,
+        strategy: config[:strategy] || "compact",
+        version: config[:version],
+        cookie_prefix: ctx.context.options.advanced[:cookie_prefix] || "better-auth",
+        is_secure: ctx.context.auth_cookies[:session_data].name.start_with?(Cookies::SECURE_COOKIE_PREFIX)
+      )
+      return nil unless payload
+      return nil if payload["session"]["token"] && payload["session"]["token"] != token
+
+      result = {session: payload["session"], user: payload["user"]}
+      Cookies.set_cookie_cache(ctx, result, false) if should_refresh_cookie_cache?(config, payload)
+      result
+    end
+
+    def missing_session(ctx)
+      Cookies.delete_session_cookie(ctx)
+      nil
+    end
+
+    def expired?(session)
+      expires_at = normalize_time(session["expiresAt"])
+      expires_at && expires_at <= Time.now
+    end
+
+    def should_refresh?(ctx, session, disable_refresh)
+      return false if disable_refresh
+
+      update_age = ctx.context.session_config[:update_age].to_i
+      return true if update_age.zero?
+
+      updated_at = normalize_time(session["updatedAt"])
+      updated_at && updated_at + update_age <= Time.now
+    end
+
+    def refresh_session(ctx, result)
+      now = Time.now
+      expires_at = now + ctx.context.session_config[:expires_in].to_i
+      updated = ctx.context.internal_adapter.update_session(
+        result[:session]["token"],
+        "expiresAt" => expires_at,
+        "updatedAt" => now
+      )
+      session = stringify_keys(updated || result[:session]).merge("expiresAt" => expires_at, "updatedAt" => now)
+      refreshed = {session: session, user: result[:user]}
+      Cookies.set_session_cookie(ctx, refreshed, Cookies.dont_remember?(ctx))
+      refreshed
+    end
+
+    def should_refresh_cookie_cache?(config, payload)
+      refresh_cache = config[:refresh_cache]
+      return false if refresh_cache == false || refresh_cache.nil?
+
+      max_age = (config[:max_age] || 60 * 5).to_i
+      update_age = if refresh_cache.is_a?(Hash)
+        (refresh_cache[:update_age] || refresh_cache["updateAge"] || refresh_cache["update_age"]).to_i
+      else
+        (max_age * 0.8).to_i
+      end
+      updated_at = payload["updatedAt"].to_i
+      updated_at.positive? && updated_at + (update_age * 1000) <= (Time.now.to_f * 1000).to_i
+    end
+
+    def normalize_time(value)
+      return value if value.is_a?(Time)
+      return Time.at(value / 1000.0) if value.is_a?(Integer) && value > 10_000_000_000
+      return Time.at(value) if value.is_a?(Integer)
+      return nil if value.nil?
+
+      Time.parse(value.to_s)
+    end
+
+    def stringify_keys(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[key.to_s] = stringify_keys(object_value) } if value.is_a?(Hash)
+      return value.map { |entry| stringify_keys(entry) } if value.is_a?(Array)
+
+      value
+    end
+  end
+end

data/lib/better_auth/session_store.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class SessionStore
+    ALLOWED_COOKIE_SIZE = 4096
+    ESTIMATED_EMPTY_COOKIE_SIZE = 200
+    CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE
+
+    CookieValue = Struct.new(:name, :value, :attributes, keyword_init: true)
+
+    attr_reader :cookie_name, :cookie_options, :context, :chunks
+
+    def initialize(cookie_name, cookie_options, context)
+      @cookie_name = cookie_name
+      @cookie_options = cookie_options || {}
+      @context = context
+      @chunks = read_existing_chunks
+    end
+
+    def value
+      self.class.join_chunks(chunks)
+    end
+
+    def chunks?
+      !chunks.empty?
+    end
+
+    def chunk(value, options = {})
+      cleaned = clean
+      new_chunks = build_chunks(value.to_s, cookie_options.merge(options || {}))
+      cleaned + new_chunks
+    end
+
+    def clean
+      existing = chunks.keys.map do |name|
+        CookieValue.new(name: name, value: "", attributes: cookie_options.merge(max_age: 0))
+      end
+      chunks.clear
+      existing
+    end
+
+    def set_cookies(cookies)
+      cookies.each do |cookie|
+        context.set_cookie(cookie.name, cookie.value, cookie.attributes)
+      end
+    end
+
+    def self.get_chunked_cookie(context, cookie_name)
+      direct = context.get_cookie(cookie_name)
+      return direct if direct && !direct.empty?
+
+      chunks = context.cookies.each_with_object({}) do |(name, value), result|
+        result[name] = value if name.start_with?("#{cookie_name}.")
+      end
+      return nil if chunks.empty?
+
+      join_chunks(chunks)
+    end
+
+    def self.join_chunks(chunks)
+      chunks.keys.sort_by { |name| chunk_index(name) }.map { |name| chunks[name] }.join
+    end
+
+    def self.chunk_index(cookie_name)
+      Integer(cookie_name.split(".").last)
+    rescue ArgumentError, TypeError
+      0
+    end
+
+    private
+
+    def read_existing_chunks
+      context.cookies.each_with_object({}) do |(name, value), result|
+        result[name] = value if name == cookie_name || name.start_with?("#{cookie_name}.")
+      end
+    end
+
+    def build_chunks(value, attributes)
+      if value.length <= CHUNK_SIZE
+        chunks[cookie_name] = value
+        return [CookieValue.new(name: cookie_name, value: value, attributes: attributes)]
+      end
+
+      value.chars.each_slice(CHUNK_SIZE).map(&:join).each_with_index.map do |part, index|
+        name = "#{cookie_name}.#{index}"
+        chunks[name] = part
+        CookieValue.new(name: name, value: part, attributes: attributes)
+      end
+    end
+  end
+end

data/lib/better_auth/social_providers/apple.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def apple(client_id:, client_secret:, scopes: ["email", "name"], **options)
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
+      {
+        id: "apple",
+        name: "Apple",
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          Base.authorization_url(options[:authorization_endpoint] || "https://appleid.apple.com/auth/authorize", {
+            client_id: primary_client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            response_type: "code id_token",
+            response_mode: options[:response_mode] || options[:responseMode] || "form_post",
+            scope: Base.selected_scopes(scopes, normalized, data),
+            state: data[:state]
+          })
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form("https://appleid.apple.com/auth/token", {
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            code_verifier: data[:code_verifier] || data[:codeVerifier],
+            grant_type: "authorization_code",
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          audiences = Array(normalized[:audience] || normalized[:app_bundle_identifier] || normalized[:appBundleIdentifier] || client_id)
+          return false if audiences.empty?
+
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "https://appleid.apple.com/auth/keys",
+            algorithms: ["RS256"],
+            issuers: "https://appleid.apple.com",
+            audience: audiences,
+            nonce: nonce
+          )
+          !!profile&.fetch("sub", nil)
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
+          profile = Base.decode_jwt_payload(Base.id_token(tokens))
+          apple_user = tokens[:user] || tokens["user"] || {}
+          name = apple_user.dig(:name, :firstName) ||
+            apple_user.dig(:name, :first_name) ||
+            apple_user.dig("name", "firstName") ||
+            apple_user.dig("name", "first_name")
+          last_name = apple_user.dig(:name, :lastName) ||
+            apple_user.dig(:name, :last_name) ||
+            apple_user.dig("name", "lastName") ||
+            apple_user.dig("name", "last_name")
+          full_name = [name, last_name].compact.join(" ").strip
+          full_name = profile["name"] || "" if full_name.empty?
+
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["sub"],
+              email: profile["email"],
+              name: full_name,
+              image: profile["picture"],
+              emailVerified: profile["email_verified"] == true || profile["email_verified"] == "true"
+            },
+            profile.merge("name" => full_name),
+            normalized
+          )
+          {
+            user: user,
+            data: profile.merge("name" => full_name)
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("https://appleid.apple.com/auth/token", refresh_token, client_id: primary_client_id, client_secret: client_secret)
+        end
+      }
+    end
+  end
+end

data/lib/better_auth/social_providers/atlassian.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def atlassian(client_id:, client_secret:, scopes: ["read:jira-user", "offline_access"], **options)
+      Base.oauth_provider(
+        id: "atlassian",
+        name: "Atlassian",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://auth.atlassian.com/authorize",
+        token_endpoint: "https://auth.atlassian.com/oauth/token",
+        user_info_endpoint: "https://api.atlassian.com/me",
+        scopes: scopes,
+        pkce: true,
+        auth_params: {audience: "api.atlassian.com"},
+        profile_map: ->(profile) {
+          {
+            id: profile["account_id"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end