better_auth 0.1.1 → 0.3.0

data/lib/better_auth/social_providers/google.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def google(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
+      {
+        id: "google",
+        name: "Google",
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          verifier = data[:code_verifier] || data[:codeVerifier]
+          raise Error, "codeVerifier is required for Google" if verifier.to_s.empty?
+
+          Base.authorization_url(options[:authorization_endpoint] || "https://accounts.google.com/o/oauth2/v2/auth", {
+            client_id: primary_client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            response_type: "code",
+            scope: Base.selected_scopes(scopes, normalized, data),
+            state: data[:state],
+            code_challenge: verifier && Base.pkce_challenge(verifier),
+            code_challenge_method: verifier && "S256",
+            login_hint: data[:loginHint] || data[:login_hint],
+            prompt: options[:prompt],
+            access_type: options[:access_type] || options[:accessType] || "offline",
+            display: data[:display] || options[:display],
+            hd: options[:hd],
+            include_granted_scopes: "true"
+          })
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form("https://oauth2.googleapis.com/token", {
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            code_verifier: data[:code_verifier] || data[:codeVerifier],
+            grant_type: "authorization_code",
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          audiences = Array(client_id)
+          return false if audiences.empty?
+
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "https://www.googleapis.com/oauth2/v3/certs",
+            algorithms: ["RS256"],
+            issuers: ["https://accounts.google.com", "accounts.google.com"],
+            audience: audiences,
+            nonce: nonce
+          )
+          !!profile&.fetch("sub", nil)
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+          next nil unless Base.id_token(tokens)
+
+          profile = Base.decode_jwt_payload(Base.id_token(tokens))
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["sub"],
+              email: profile["email"],
+              name: profile["name"],
+              image: profile["picture"],
+              emailVerified: !!profile["email_verified"]
+            },
+            profile,
+            normalized
+          )
+          {
+            user: user,
+            data: profile
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("https://oauth2.googleapis.com/token", refresh_token, client_id: primary_client_id, client_secret: client_secret)
+        end
+      }
+    end
+  end
+end

data/lib/better_auth/social_providers/huggingface.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def huggingface(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      Base.oauth_provider(
+        id: "huggingface",
+        name: "Hugging Face",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://huggingface.co/oauth/authorize",
+        token_endpoint: "https://huggingface.co/oauth/token",
+        user_info_endpoint: "https://huggingface.co/oauth/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["preferred_username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/kakao.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def kakao(client_id:, client_secret:, scopes: ["account_email", "profile_image", "profile_nickname"], **options)
+      Base.oauth_provider(
+        id: "kakao",
+        name: "Kakao",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://kauth.kakao.com/oauth/authorize",
+        token_endpoint: "https://kauth.kakao.com/oauth/token",
+        user_info_endpoint: "https://kapi.kakao.com/v2/user/me",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          account = profile["kakao_account"] || {}
+          kakao_profile = account["profile"] || {}
+          {
+            id: profile["id"].to_s,
+            name: kakao_profile["nickname"] || account["name"] || "",
+            email: account["email"],
+            image: kakao_profile["profile_image_url"] || kakao_profile["thumbnail_image_url"],
+            emailVerified: !!account["is_email_valid"] && !!account["is_email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/kick.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def kick(client_id:, client_secret:, scopes: ["user:read"], **options)
+      Base.oauth_provider(
+        id: "kick",
+        name: "Kick",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://id.kick.com/oauth/authorize",
+        token_endpoint: "https://id.kick.com/oauth/token",
+        user_info_endpoint: "https://api.kick.com/public/v1/users",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          user = Array(profile["data"]).first || profile
+          {
+            id: user["user_id"],
+            name: user["name"],
+            email: user["email"],
+            image: user["profile_picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/line.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def line(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      provider = Base.oauth_provider(
+        id: "line",
+        name: "LINE",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://access.line.me/oauth2/v2.1/authorize",
+        token_endpoint: "https://api.line.me/oauth2/v2.1/token",
+        user_info_endpoint: "https://api.line.me/oauth2/v2.1/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"] || profile["userId"],
+            name: profile["name"] || profile["displayName"] || "",
+            email: profile["email"],
+            image: profile["picture"] || profile["pictureUrl"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !Base.decode_jwt_payload(token).empty? }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/linear.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def linear(client_id:, client_secret:, scopes: ["read"], **options)
+      provider = Base.oauth_provider(
+        id: "linear",
+        name: "Linear",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://linear.app/oauth/authorize",
+        token_endpoint: "https://api.linear.app/oauth/token",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          viewer = profile.dig("data", "viewer") || {}
+          {
+            id: viewer["id"],
+            name: viewer["name"],
+            email: viewer["email"],
+            image: viewer["avatarUrl"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:get_user_info] = lambda do |tokens|
+        custom = Base.option(provider[:options], :get_user_info)
+        profile = custom ? custom.call(tokens) : Base.post_json(
+          "https://api.linear.app/graphql",
+          {query: "{ viewer { id name email avatarUrl active createdAt updatedAt } }"},
+          "Authorization" => "Bearer #{Base.access_token(tokens)}"
+        )
+        return profile if Base.provider_user_info?(profile)
+
+        mapped = provider[:options][:map_profile_to_user]&.call(profile) || {}
+        viewer = profile.dig("data", "viewer") || {}
+        {user: {id: viewer["id"], name: viewer["name"], email: viewer["email"], image: viewer["avatarUrl"], emailVerified: false}.merge(mapped), data: profile}
+      end
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/linkedin.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def linkedin(client_id:, client_secret:, scopes: ["profile", "email", "openid"], **options)
+      Base.oauth_provider(
+        id: "linkedin",
+        name: "Linkedin",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.linkedin.com/oauth/v2/authorization",
+        token_endpoint: "https://www.linkedin.com/oauth/v2/accessToken",
+        user_info_endpoint: "https://api.linkedin.com/v2/userinfo",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/microsoft_entra_id.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def microsoft_entra_id(client_id:, client_secret:, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft-entra-id",
+        provider_name: "Microsoft Entra ID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft(client_id:, client_secret: nil, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft",
+        provider_name: "Microsoft EntraID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft_provider(provider_id:, provider_name:, client_id:, client_secret:, tenant_id:, scopes:, **options)
+      authority = options[:authority] || "https://login.microsoftonline.com"
+      base = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/oauth2/v2.0"
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
+      {
+        id: provider_id,
+        name: provider_name,
+        client_id: client_id,
+        client_secret: client_secret,
+        create_authorization_url: lambda do |data|
+          verifier = data[:code_verifier] || data[:codeVerifier]
+          Base.authorization_url(options[:authorization_endpoint] || "#{base}/authorize", {
+            client_id: primary_client_id,
+            redirect_uri: data[:redirect_uri] || data[:redirectURI],
+            response_type: "code",
+            scope: Base.selected_scopes(scopes, normalized, data),
+            state: data[:state],
+            code_challenge: verifier && Base.pkce_challenge(verifier),
+            code_challenge_method: verifier && "S256",
+            login_hint: data[:loginHint] || data[:login_hint],
+            prompt: options[:prompt]
+          })
+        end,
+        validate_authorization_code: lambda do |data|
+          Base.post_form("#{base}/token", {
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            code: data[:code],
+            code_verifier: data[:code_verifier] || data[:codeVerifier],
+            grant_type: "authorization_code",
+            redirect_uri: data[:redirect_uri] || data[:redirectURI]
+          })
+        end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          issuers = nil
+          unless %w[common organizations consumers].include?(tenant_id.to_s)
+            issuers = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/v2.0"
+          end
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/discovery/v2.0/keys",
+            algorithms: ["RS256"],
+            issuers: issuers,
+            audience: Array(client_id),
+            nonce: nonce
+          )
+
+          !!(profile&.fetch("sub", nil) || profile&.fetch("oid", nil))
+        end,
+        get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
+          profile = Base.id_token(tokens) ? Base.decode_jwt_payload(Base.id_token(tokens)) : {}
+          profile = Base.get_json("https://graph.microsoft.com/v1.0/me", "Authorization" => "Bearer #{Base.access_token(tokens)}") if profile.empty?
+          unless normalized[:disable_profile_photo]
+            photo_size = normalized[:profile_photo_size] || 48
+            photo = Base.get_bytes(
+              "https://graph.microsoft.com/v1.0/me/photos/#{photo_size}x#{photo_size}/$value",
+              "Authorization" => "Bearer #{Base.access_token(tokens)}"
+            )
+            profile["picture"] = "data:image/jpeg;base64, #{Base64.strict_encode64(photo)}" if photo
+          end
+          email = profile["email"] || profile["mail"] || profile["userPrincipalName"] || profile["preferred_username"]
+
+          user = Base.apply_profile_mapping(
+            {
+              id: profile["sub"] || profile["id"] || profile["oid"],
+              email: email,
+              name: profile["name"] || profile["displayName"],
+              image: profile["picture"],
+              emailVerified: microsoft_email_verified?(profile, email)
+            },
+            profile,
+            normalized
+          )
+          {
+            user: user,
+            data: profile
+          }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token(
+            "#{base}/token",
+            refresh_token,
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            extra_params: {scope: Base.selected_scopes(scopes, normalized, {}).join(" ")}
+          )
+        end
+      }
+    end
+
+    def microsoft_email_verified?(profile, email)
+      return !!profile["email_verified"] if profile.key?("email_verified")
+
+      Array(profile["verified_primary_email"]).include?(email) ||
+        Array(profile["verified_secondary_email"]).include?(email)
+    end
+  end
+end

data/lib/better_auth/social_providers/naver.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def naver(client_id:, client_secret:, scopes: ["profile", "email"], **options)
+      Base.oauth_provider(
+        id: "naver",
+        name: "Naver",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://nid.naver.com/oauth2.0/authorize",
+        token_endpoint: "https://nid.naver.com/oauth2.0/token",
+        user_info_endpoint: "https://openapi.naver.com/v1/nid/me",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          data = profile["response"] || {}
+          {
+            id: data["id"],
+            name: data["name"] || data["nickname"] || "",
+            email: data["email"],
+            image: data["profile_image"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/notion.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def notion(client_id:, client_secret:, scopes: [], **options)
+      Base.oauth_provider(
+        id: "notion",
+        name: "Notion",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://api.notion.com/v1/oauth/authorize",
+        token_endpoint: "https://api.notion.com/v1/oauth/token",
+        user_info_endpoint: "https://api.notion.com/v1/users/me",
+        scopes: scopes,
+        auth_params: {owner: "user"},
+        user_info_headers: {"Notion-Version" => "2022-06-28"},
+        profile_map: ->(profile) {
+          user = profile.dig("bot", "owner", "user") || profile
+          {
+            id: user["id"],
+            name: user["name"] || "",
+            email: user.dig("person", "email"),
+            image: user["avatar_url"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/paybin.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def paybin(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      issuer = (options[:issuer] || "https://idp.paybin.io").to_s.sub(%r{/+\z}, "")
+      Base.oauth_provider(
+        id: "paybin",
+        name: "Paybin",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{issuer}/oauth2/authorize",
+        token_endpoint: "#{issuer}/oauth2/token",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["preferred_username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/paypal.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def paypal(client_id:, client_secret:, scopes: [], **options)
+      sandbox = (options[:environment] || "sandbox").to_s == "sandbox"
+      auth_host = sandbox ? "https://www.sandbox.paypal.com" : "https://www.paypal.com"
+      api_host = sandbox ? "https://api-m.sandbox.paypal.com" : "https://api-m.paypal.com"
+      provider = Base.oauth_provider(
+        id: "paypal",
+        name: "PayPal",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{auth_host}/signin/authorize",
+        token_endpoint: "#{api_host}/v1/oauth2/token",
+        user_info_endpoint: "#{api_host}/v1/identity/oauth2/userinfo?schema=paypalv1.1",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["user_id"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !!Base.decode_jwt_payload(token)["sub"] }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/polar.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def polar(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      Base.oauth_provider(
+        id: "polar",
+        name: "Polar",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://polar.sh/oauth2/authorize",
+        token_endpoint: "https://api.polar.sh/v1/oauth2/token",
+        user_info_endpoint: "https://api.polar.sh/v1/oauth2/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["public_name"] || profile["username"] || "",
+            email: profile["email"],
+            image: profile["avatar_url"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/railway.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def railway(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      primary_client_id = Base.primary_client_id(client_id)
+      credentials = Base64.strict_encode64("#{primary_client_id}:#{client_secret}")
+      token_endpoint = options[:token_endpoint] || options[:tokenEndpoint] || "https://backboard.railway.com/oauth/token"
+      provider = Base.oauth_provider(
+        id: "railway",
+        name: "Railway",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://backboard.railway.com/oauth/auth",
+        token_endpoint: "https://backboard.railway.com/oauth/token",
+        user_info_endpoint: "https://backboard.railway.com/oauth/me",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:validate_authorization_code] = lambda do |data|
+        Base.post_form_json(token_endpoint, {
+          code: data[:code],
+          code_verifier: data[:code_verifier] || data[:codeVerifier],
+          grant_type: "authorization_code",
+          redirect_uri: options[:redirect_uri] || options[:redirectURI] || data[:redirect_uri] || data[:redirectURI]
+        }, {"Authorization" => "Basic #{credentials}"})
+      end
+      provider[:refresh_access_token] = options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+        Base.normalize_tokens(Base.post_form_json(token_endpoint, {
+          grant_type: "refresh_token",
+          refresh_token: refresh_token
+        }, {"Authorization" => "Basic #{credentials}"}))
+      end
+      provider
+    end
+  end
+end