better_auth 0.1.1 → 0.3.0

data/lib/better_auth/api_error.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class APIError < Error
+    STATUS_CODES = {
+      "BAD_REQUEST" => 400,
+      "UNAUTHORIZED" => 401,
+      "UNAUTHORIZED_INVALID_OR_EXPIRED_NONCE" => 401,
+      "FORBIDDEN" => 403,
+      "CONFLICT" => 409,
+      "NOT_FOUND" => 404,
+      "METHOD_NOT_ALLOWED" => 405,
+      "UNPROCESSABLE_ENTITY" => 422,
+      "TOO_MANY_REQUESTS" => 429,
+      "BAD_GATEWAY" => 502,
+      "NOT_IMPLEMENTED" => 501,
+      "FOUND" => 302,
+      "INTERNAL_SERVER_ERROR" => 500
+    }.freeze
+
+    attr_reader :status, :status_code, :headers, :code, :body
+
+    def initialize(status, message: nil, headers: {}, code: nil, body: nil)
+      @status = status.to_s.upcase
+      @status_code = STATUS_CODES.fetch(@status, 500)
+      @headers = normalize_headers(headers)
+      @code = code || @status
+      @body = body
+      super(message || default_message)
+    end
+
+    def to_h
+      return body if body
+
+      {
+        code: code,
+        message: message
+      }
+    end
+
+    private
+
+    def default_message
+      status.split("_").map(&:capitalize).join(" ")
+    end
+
+    def normalize_headers(headers)
+      headers.each_with_object({}) do |(key, value), result|
+        result[key.to_s.downcase] = value
+      end
+    end
+  end
+end

data/lib/better_auth/auth.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class Auth
+    attr_reader :handler, :api, :options, :context, :error_codes
+
+    def initialize(options = {})
+      @options = Configuration.new(options)
+      @context = Context.new(@options)
+      @context.set_adapter(build_adapter)
+      @context.set_internal_adapter(Adapters::InternalAdapter.new(@context.adapter, @options))
+      @plugin_registry = PluginRegistry.new(@context)
+      @plugin_registry.run_init!
+      @error_codes = build_error_codes
+      @endpoints = build_endpoints
+      Router.check_endpoint_conflicts(@options, @options.logger)
+      @api = API.new(@context, @endpoints)
+      @handler = Router.new(@context, @endpoints)
+    end
+
+    def call(env)
+      handler.call(env)
+    end
+
+    private
+
+    def build_error_codes
+      @plugin_registry.error_codes(BASE_ERROR_CODES)
+    end
+
+    def build_adapter
+      return Adapters::Memory.new(options) if options.database.nil? || options.database == :memory
+      return options.database.call(options) if options.database.respond_to?(:call)
+
+      options.database
+    end
+
+    def build_endpoints
+      Core.base_endpoints.merge(@plugin_registry.endpoints)
+    end
+  end
+end

data/lib/better_auth/configuration.rb

@@ -0,0 +1,399 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "uri"
+
+module BetterAuth
+  class Configuration
+    DEFAULT_BASE_PATH = "/api/auth"
+    DEFAULT_SECRET = "better-auth-secret-12345678901234567890"
+    DEFAULT_SESSION = {
+      update_age: 24 * 60 * 60,
+      expires_in: 60 * 60 * 24 * 7,
+      fresh_age: 60 * 60 * 24
+    }.freeze
+    DEFAULT_EMAIL_AND_PASSWORD = {
+      min_password_length: 8,
+      max_password_length: 128
+    }.freeze
+    DEFAULT_PASSWORD_HASHER = :scrypt
+    SUPPORTED_PASSWORD_HASHERS = [:scrypt, :bcrypt].freeze
+    DEFAULT_STATELESS_SESSION = {
+      cookie_cache: {
+        enabled: true,
+        strategy: "jwe",
+        refresh_cache: true
+      }
+    }.freeze
+    DEFAULT_STATELESS_ACCOUNT = {
+      store_state_strategy: "cookie",
+      store_account_cookie: true
+    }.freeze
+
+    attr_reader :app_name,
+      :base_url,
+      :base_path,
+      :context_base_url,
+      :secret,
+      :database,
+      :plugins,
+      :trusted_origins,
+      :rate_limit,
+      :session,
+      :account,
+      :user,
+      :verification,
+      :advanced,
+      :email_and_password,
+      :password_hasher,
+      :email_verification,
+      :social_providers,
+      :experimental,
+      :secondary_storage,
+      :database_hooks,
+      :hooks,
+      :on_api_error,
+      :disabled_paths,
+      :trusted_origins_callback,
+      :logger
+
+    def initialize(options = {})
+      options = symbolize_keys(options)
+      @explicit_options = deep_dup(options)
+
+      @logger = options[:logger]
+      @app_name = options[:app_name] || "Better Auth"
+      @base_path = normalize_base_path(options.fetch(:base_path, DEFAULT_BASE_PATH))
+      @database = options[:database]
+      @secondary_storage = options[:secondary_storage]
+      @plugins = normalize_plugins(options[:plugins])
+      @advanced = deep_merge({}, symbolize_keys(options[:advanced] || {}))
+      @disabled_paths = Array(options[:disabled_paths]).compact.map(&:to_s)
+      @database_hooks = options[:database_hooks]
+      @hooks = options[:hooks]
+      @on_api_error = symbolize_keys(options[:on_api_error] || options[:on_apierror] || {})
+      @social_providers = symbolize_keys(options[:social_providers] || {})
+      @trusted_origins_callback = options[:trusted_origins] if options[:trusted_origins].respond_to?(:call)
+      @secret = resolve_secret(options)
+      @base_url, @context_base_url = normalize_base_url(options[:base_url])
+      @session = normalize_session(options[:session])
+      @account = normalize_account(options[:account])
+      @user = symbolize_keys(options[:user] || {})
+      @verification = symbolize_keys(options[:verification] || {})
+      @email_and_password = normalize_email_and_password(options[:email_and_password])
+      @password_hasher = normalize_password_hasher(options[:password_hasher])
+      @email_verification = symbolize_keys(options[:email_verification] || {})
+      @experimental = normalize_experimental(options[:experimental])
+      @rate_limit = normalize_rate_limit(options[:rate_limit])
+      @trusted_origins = normalize_trusted_origins(options[:trusted_origins])
+
+      validate_secret
+    end
+
+    def trusted_origin?(url, allow_relative_paths: false)
+      trusted_origins.any? do |origin|
+        self.class.matches_origin_pattern?(url, origin, allow_relative_paths: allow_relative_paths)
+      end
+    end
+
+    def production?
+      production_environment?
+    end
+
+    def to_h
+      {
+        app_name: app_name,
+        base_url: base_url,
+        base_path: base_path,
+        secret: secret,
+        database: database,
+        plugins: plugins,
+        trusted_origins: trusted_origins,
+        rate_limit: rate_limit,
+        session: session,
+        account: account,
+        user: user,
+        verification: verification,
+        advanced: advanced,
+        email_and_password: email_and_password,
+        password_hasher: password_hasher,
+        email_verification: email_verification,
+        social_providers: social_providers,
+        experimental: experimental,
+        secondary_storage: secondary_storage,
+        database_hooks: database_hooks,
+        hooks: hooks,
+        on_api_error: on_api_error,
+        disabled_paths: disabled_paths
+      }
+    end
+
+    def merge_defaults!(defaults)
+      normalized = symbolize_keys(defaults || {})
+      normalized.each do |key, value|
+        next unless respond_to?(key)
+        next if key == :database_hooks
+
+        instance_variable_set("@#{key}", merge_default_value([key], public_send(key), value))
+      end
+    end
+
+    def self.matches_origin_pattern?(url, pattern, allow_relative_paths: false)
+      return relative_path_allowed?(url) if url.start_with?("/") && allow_relative_paths
+      return false if url.start_with?("/")
+
+      uri = parse_uri(url)
+      return false unless uri
+
+      if pattern.include?("*") || pattern.include?("?")
+        return wildcard_match?(pattern, origin_for(uri) || url) if pattern.include?("://")
+
+        return wildcard_match?(pattern, uri.host.to_s)
+      end
+
+      protocol = uri.scheme&.then { |scheme| "#{scheme}:" }
+      if protocol == "http:" || protocol == "https:" || protocol.nil?
+        pattern == origin_for(uri)
+      else
+        url.start_with?(pattern)
+      end
+    end
+
+    def self.relative_path_allowed?(url)
+      %r{\A/(?!/|\\|%2f|%5c)[\w\-.+/@]*(?:\?[\w\-.+/=&%@]*)?\z}i.match?(url)
+    end
+
+    def self.parse_uri(url)
+      URI.parse(url)
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def self.origin_for(uri)
+      return nil unless uri.scheme && uri.host
+
+      port = uri.port
+      default_port = (uri.scheme == "http" && port == 80) || (uri.scheme == "https" && port == 443)
+      host = uri.host
+      host = "[#{host}]" if host.include?(":") && !host.start_with?("[")
+      origin = "#{uri.scheme}://#{host}"
+      default_port ? origin : "#{origin}:#{port}"
+    end
+
+    def self.wildcard_match?(pattern, value)
+      regex = Regexp.escape(pattern).gsub("\\*", ".*").gsub("\\?", ".")
+      /\A#{regex}\z/.match?(value)
+    end
+
+    private
+
+    def normalize_base_url(value)
+      configured = value || env_base_url
+      return ["", ""] unless configured && !configured.empty?
+
+      with_path = append_base_path(configured.to_s)
+      uri = URI.parse(with_path)
+      validate_http_url!(uri, configured)
+      [self.class.origin_for(uri), with_path.sub(%r{/+\z}, "")]
+    rescue URI::InvalidURIError
+      raise Error, "Invalid base URL: #{configured}. Please provide a valid base URL."
+    end
+
+    def normalize_base_path(value)
+      return "" if value.nil? || value == "" || value == "/"
+
+      path = value.to_s
+      path.start_with?("/") ? path.sub(%r{/+\z}, "") : "/#{path.sub(%r{/+\z}, "")}"
+    end
+
+    def append_base_path(url)
+      uri = URI.parse(url)
+      validate_http_url!(uri, url)
+      path = uri.path.to_s.sub(%r{/+\z}, "")
+      has_path = !path.empty? && path != "/"
+      trimmed = url.to_s.sub(%r{/+\z}, "")
+      return trimmed if has_path || base_path.empty?
+
+      "#{trimmed}#{base_path}"
+    end
+
+    def validate_http_url!(uri, original)
+      return if uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+
+      raise Error, "Invalid base URL: #{original}. URL must include 'http://' or 'https://'"
+    end
+
+    def env_base_url
+      base_url = ENV["BASE_URL"]
+      [
+        ENV["BETTER_AUTH_URL"],
+        ENV["NEXT_PUBLIC_BETTER_AUTH_URL"],
+        ENV["PUBLIC_BETTER_AUTH_URL"],
+        ENV["NUXT_PUBLIC_BETTER_AUTH_URL"],
+        ENV["NUXT_PUBLIC_AUTH_URL"],
+        (base_url unless base_url == "/")
+      ].find { |value| value && !value.empty? }
+    end
+
+    def resolve_secret(options)
+      options[:secret] || ENV["BETTER_AUTH_SECRET"] || ENV["AUTH_SECRET"] || (test_environment? ? DEFAULT_SECRET : nil)
+    end
+
+    def validate_secret
+      if secret.nil? || secret.empty?
+        raise Error, "BETTER_AUTH_SECRET is missing. Set it in your environment or pass `secret` to BetterAuth.auth(secret: ...)."
+      end
+
+      return if test_environment? && secret == DEFAULT_SECRET
+
+      warn("[better-auth] Warning: your BETTER_AUTH_SECRET should be at least 32 characters long for adequate security.") if secret.length < 32
+      warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.") if entropy(secret) < 120
+    end
+
+    def entropy(value)
+      unique = value.chars.uniq.length
+      return 0 if unique.zero?
+
+      Math.log2(unique**value.length)
+    end
+
+    def normalize_session(value)
+      configured = symbolize_keys(value || {})
+      cookie_cache = symbolize_keys(configured.delete(:cookie_cache) || {})
+      session = deep_merge(DEFAULT_SESSION, configured)
+
+      if database.nil?
+        session = deep_merge(session, DEFAULT_STATELESS_SESSION)
+      else
+        session[:cookie_cache] = cookie_cache unless cookie_cache.empty?
+      end
+
+      session[:cookie_cache] = deep_merge(session[:cookie_cache] || {}, cookie_cache) unless cookie_cache.empty?
+      if (database || secondary_storage) && session.dig(:cookie_cache, :refresh_cache)
+        warn("[better-auth] `session.cookieCache.refreshCache` is enabled while `database` or `secondaryStorage` is configured. `refreshCache` is meant for stateless setups. Disabling `refreshCache`.")
+        session[:cookie_cache] = session[:cookie_cache].merge(refresh_cache: false)
+      end
+      session
+    end
+
+    def normalize_account(value)
+      configured = symbolize_keys(value || {})
+      database.nil? ? deep_merge(DEFAULT_STATELESS_ACCOUNT, configured) : configured
+    end
+
+    def normalize_email_and_password(value)
+      deep_merge(DEFAULT_EMAIL_AND_PASSWORD, symbolize_keys(value || {}))
+    end
+
+    def normalize_password_hasher(value)
+      hasher = (value || DEFAULT_PASSWORD_HASHER).to_sym
+      return hasher if SUPPORTED_PASSWORD_HASHERS.include?(hasher)
+
+      raise Error, "Unsupported password hasher: #{value}. Supported hashers are :scrypt and :bcrypt."
+    end
+
+    def normalize_experimental(value)
+      configured = symbolize_keys(value || {})
+      {
+        joins: !!configured[:joins]
+      }
+    end
+
+    def normalize_rate_limit(value)
+      configured = symbolize_keys(value || {})
+      {
+        enabled: configured.key?(:enabled) ? configured[:enabled] : production_environment?,
+        window: configured[:window] || 10,
+        max: configured[:max] || 100,
+        storage: configured[:storage] || (secondary_storage ? "secondary-storage" : "memory")
+      }.merge(configured)
+    end
+
+    def normalize_plugins(value)
+      Array(value).compact.reject { |plugin| plugin == false }.map { |plugin| Plugin.coerce(plugin) }
+    end
+
+    def normalize_trusted_origins(value)
+      origins = []
+      origins << base_url unless base_url.nil? || base_url.empty?
+      origins.concat(Array(value).compact) unless value.respond_to?(:call)
+      origins.concat(env_trusted_origins)
+      origins.map(&:to_s).reject(&:empty?).uniq
+    end
+
+    def env_trusted_origins
+      ENV.fetch("BETTER_AUTH_TRUSTED_ORIGINS", "").split(",").map(&:strip).reject(&:empty?)
+    end
+
+    def symbolize_keys(value)
+      return value unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object_value), result|
+        normalized_key = normalize_key(key)
+        result[normalized_key] = object_value.is_a?(Hash) ? symbolize_keys(object_value) : object_value
+      end
+    end
+
+    def normalize_key(key)
+      key.to_s
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+        .to_sym
+    end
+
+    def deep_merge(base, override)
+      base.merge(override) do |_key, old_value, new_value|
+        if old_value.is_a?(Hash) && new_value.is_a?(Hash)
+          deep_merge(old_value, new_value)
+        else
+          new_value
+        end
+      end
+    end
+
+    def merge_default_value(path, current, default)
+      if current.is_a?(Hash) && default.is_a?(Hash)
+        default.each_with_object(current.dup) do |(key, value), result|
+          result[key] = merge_default_value(path + [key], result[key], value)
+        end
+      else
+        return current if explicit_path?(path)
+
+        default
+      end
+    end
+
+    def explicit_path?(path)
+      path.reduce(@explicit_options) do |value, key|
+        return false unless value.is_a?(Hash) && value.key?(key)
+
+        value[key]
+      end
+      true
+    end
+
+    def deep_dup(value)
+      return value.transform_values { |entry| deep_dup(entry) } if value.is_a?(Hash)
+      return value.map { |entry| deep_dup(entry) } if value.is_a?(Array)
+
+      value
+    end
+
+    def warn(message)
+      if logger.respond_to?(:call)
+        logger.call(:warn, message)
+      elsif logger.respond_to?(:warn)
+        logger.warn(message)
+      end
+    end
+
+    def test_environment?
+      ENV["RACK_ENV"] == "test" || ENV["RAILS_ENV"] == "test" || ENV["APP_ENV"] == "test"
+    end
+
+    def production_environment?
+      ENV["RACK_ENV"] == "production" || ENV["RAILS_ENV"] == "production" || ENV["APP_ENV"] == "production"
+    end
+  end
+end

data/lib/better_auth/context.rb

@@ -0,0 +1,211 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  class Context
+    attr_reader :app_name,
+      :base_url,
+      :version,
+      :options,
+      :social_providers,
+      :cookies,
+      :auth_cookies,
+      :adapter,
+      :internal_adapter,
+      :logger,
+      :session_config,
+      :rate_limit_config,
+      :trusted_origins,
+      :secret,
+      :current_session,
+      :new_session
+
+    def initialize(configuration)
+      @app_name = configuration.app_name
+      @base_url = configuration.context_base_url
+      @version = BetterAuth::VERSION
+      @options = configuration
+      @social_providers = configuration.social_providers
+      @auth_cookies = Cookies.get_cookies(configuration)
+      @cookies = @auth_cookies
+      @adapter = configuration.database
+      @internal_adapter = nil
+      @logger = configuration.logger
+      @session_config = configuration.session
+      @rate_limit_config = configuration.rate_limit
+      @trusted_origins = configuration.trusted_origins
+      @secret = configuration.secret
+      @current_session = nil
+      @new_session = nil
+    end
+
+    def trusted_origin?(url, allow_relative_paths: false)
+      trusted_origins.any? do |origin|
+        Configuration.matches_origin_pattern?(url, origin, allow_relative_paths: allow_relative_paths)
+      end
+    end
+
+    def set_new_session(session)
+      @new_session = session
+    end
+
+    def set_current_session(session)
+      @current_session = session
+    end
+
+    def run_in_background(task)
+      handler = options.advanced.dig(:background_tasks, :handler)
+      if handler.respond_to?(:call)
+        handler.call(task)
+      elsif task.respond_to?(:call)
+        task.call
+      end
+    end
+
+    def create_auth_cookie(cookie_name, override_attributes = {})
+      Cookies.create_cookie(options, cookie_name.to_s, override_attributes)
+    end
+
+    def set_adapter(adapter)
+      @adapter = adapter
+    end
+
+    def set_internal_adapter(adapter)
+      @internal_adapter = adapter
+    end
+
+    def apply_plugin_context!(attributes)
+      normalize_context(attributes).each do |key, value|
+        instance_variable_set("@#{key}", value) if plugin_context_attribute?(key)
+      end
+    end
+
+    def refresh_from_options!
+      @social_providers = options.social_providers
+      @session_config = options.session
+      @rate_limit_config = options.rate_limit
+      @trusted_origins = options.trusted_origins
+      @secret = options.secret
+    end
+
+    def method_missing(name, *arguments, &block)
+      variable_name = :"@#{name}"
+      return instance_variable_get(variable_name) if arguments.empty? && instance_variable_defined?(variable_name)
+
+      super
+    end
+
+    def respond_to_missing?(name, include_private = false)
+      instance_variable_defined?(:"@#{name}") || super
+    end
+
+    def prepare_for_request!(request)
+      @current_session = nil
+      @new_session = nil
+      @base_url = inferred_base_url(request) if options.base_url.to_s.empty?
+      @trusted_origins = current_trusted_origins(request)
+    end
+
+    def reset_runtime!
+      @current_session = nil
+      @new_session = nil
+    end
+
+    private
+
+    def inferred_base_url(request)
+      origin = inferred_origin(request)
+      path = options.base_path
+      path.empty? ? origin : "#{origin}#{path}"
+    end
+
+    def inferred_origin(request)
+      forwarded_host = request.get_header("HTTP_X_FORWARDED_HOST")
+      forwarded_proto = request.get_header("HTTP_X_FORWARDED_PROTO")
+      if options.advanced[:trusted_proxy_headers] && valid_forwarded?(forwarded_host, forwarded_proto)
+        return "#{forwarded_proto}://#{forwarded_host}"
+      end
+
+      scheme = request.get_header("rack.url_scheme") || request.scheme
+      scheme = "https" unless valid_proxy_proto?(scheme.to_s)
+      host_header = request.get_header("HTTP_HOST")
+      return "#{scheme}://#{host_header}" if host_header && valid_proxy_host?(host_header.to_s)
+
+      host = request.get_header("SERVER_NAME") || request.host
+      port = (request.get_header("SERVER_PORT") || request.port).to_i
+      default_port = (scheme == "http" && port == 80) || (scheme == "https" && port == 443)
+      default_port ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
+    end
+
+    def valid_forwarded?(host, proto)
+      valid_proxy_proto?(proto.to_s) && valid_proxy_host?(host.to_s)
+    end
+
+    def valid_proxy_proto?(proto)
+      %w[http https].include?(proto)
+    end
+
+    def valid_proxy_host?(host)
+      return false if host.strip.empty?
+
+      suspicious_patterns = [
+        /\.\./,
+        /\0/,
+        /\s/,
+        /\A[.]/,
+        /[<>'"]/,
+        /javascript:/i,
+        /file:/i,
+        /data:/i,
+        %r{[/\\]}
+      ]
+      return false if suspicious_patterns.any? { |pattern| host.match?(pattern) }
+
+      hostname = /\A[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*(:[0-9]{1,5})?\z/
+      ipv4 = /\A(\d{1,3}\.){3}\d{1,3}(:[0-9]{1,5})?\z/
+      ipv6 = /\A\[[0-9a-fA-F:]+\](:[0-9]{1,5})?\z/
+      localhost = /\Alocalhost(:[0-9]{1,5})?\z/i
+      return false unless [hostname, ipv4, ipv6, localhost].any? { |pattern| host.match?(pattern) }
+
+      valid_port?(host)
+    end
+
+    def valid_port?(host)
+      port = host[/:(\d{1,5})\z/, 1]
+      return true unless port
+
+      port.to_i.between?(1, 65_535)
+    end
+
+    def current_trusted_origins(request)
+      origins = []
+      origins << Configuration.origin_for(URI.parse(base_url)) unless base_url.to_s.empty?
+      origins.concat(options.trusted_origins)
+      if options.trusted_origins_callback
+        origins.concat(Array(options.trusted_origins_callback.call(request)).compact)
+      end
+      origins.concat(ENV.fetch("BETTER_AUTH_TRUSTED_ORIGINS", "").split(",").map(&:strip))
+      origins.map(&:to_s).reject(&:empty?).uniq
+    rescue URI::InvalidURIError
+      options.trusted_origins
+    end
+
+    def normalize_context(value)
+      return {} unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        normalized = key.to_s
+          .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+          .tr("-", "_")
+          .downcase
+          .to_sym
+        result[normalized] = object
+      end
+    end
+
+    def plugin_context_attribute?(key)
+      ![:options, :adapter, :internal_adapter].include?(key)
+    end
+  end
+end