better_auth 0.1.1 → 0.3.0

data/lib/better_auth/password.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require "digest"
+require "openssl"
+require "securerandom"
+require_relative "error"
+
+module BetterAuth
+  module Password
+    PREFIX = "bcrypt_sha256$"
+    BCRYPT_PREFIXES = ["$2a$", "$2b$", "$2x$", "$2y$"].freeze
+    SCRYPT = {
+      N: 16_384,
+      r: 16,
+      p: 1,
+      length: 64
+    }.freeze
+
+    module_function
+
+    def hash(password, hasher: nil, algorithm: :scrypt)
+      return hasher.call(password) if hasher.respond_to?(:call)
+
+      case (hasher || algorithm || :scrypt).to_sym
+      when :scrypt
+        hash_scrypt(password)
+      when :bcrypt
+        hash_bcrypt(password)
+      else
+        raise Error, "Unsupported password hasher: #{hasher || algorithm}. Supported hashers are :scrypt and :bcrypt."
+      end
+    end
+
+    def verify(password:, hash:, verifier: nil, algorithm: :scrypt)
+      return call_verifier(verifier, password, hash) if verifier.respond_to?(:call)
+
+      digest = hash.to_s
+      if digest.start_with?(PREFIX)
+        return verify_bcrypt(password_input(password), digest.delete_prefix(PREFIX))
+      end
+
+      return verify_bcrypt(password.to_s, digest) if bcrypt_hash?(digest)
+      return verify_scrypt(password, digest) if scrypt_hash?(digest)
+
+      false
+    end
+
+    def password_input(password)
+      Digest::SHA256.hexdigest(password.to_s)
+    end
+
+    def hash_scrypt(password)
+      salt = SecureRandom.random_bytes(16).unpack1("H*")
+      key = scrypt_key(password, salt)
+      "#{salt}:#{key.unpack1("H*")}"
+    end
+
+    def verify_scrypt(password, digest)
+      salt, key = digest.to_s.split(":", 2)
+      return false unless salt && key
+
+      expected = scrypt_key(password, salt).unpack1("H*")
+      return false unless expected.bytesize == key.bytesize
+
+      OpenSSL.fixed_length_secure_compare(expected, key.downcase)
+    rescue OpenSSL::KDF::KDFError, ArgumentError
+      false
+    end
+
+    def scrypt_key(password, salt)
+      OpenSSL::KDF.scrypt(
+        password.to_s.unicode_normalize(:nfkc),
+        salt: salt,
+        N: SCRYPT.fetch(:N),
+        r: SCRYPT.fetch(:r),
+        p: SCRYPT.fetch(:p),
+        length: SCRYPT.fetch(:length)
+      )
+    end
+
+    def hash_bcrypt(password)
+      klass = require_bcrypt!
+      "#{PREFIX}#{klass.create(password_input(password))}"
+    end
+
+    def verify_bcrypt(password, digest)
+      klass = require_bcrypt!
+      klass.new(digest) == password.to_s
+    rescue BCrypt::Errors::InvalidHash
+      false
+    end
+
+    def bcrypt_hash?(digest)
+      BCRYPT_PREFIXES.any? { |prefix| digest.start_with?(prefix) }
+    end
+
+    def scrypt_hash?(digest)
+      /\A[0-9a-fA-F]{32}:[0-9a-fA-F]{128}\z/.match?(digest.to_s)
+    end
+
+    def call_verifier(verifier, password, digest)
+      if verifier.arity == 1
+        verifier.call(password: password, hash: digest)
+      else
+        verifier.call(password, digest)
+      end
+    end
+
+    def bcrypt_password_class
+      require "bcrypt"
+      BCrypt::Password
+    rescue LoadError
+      nil
+    end
+
+    def require_bcrypt!
+      bcrypt_password_class || raise(Error, "The :bcrypt password hasher requires the optional bcrypt gem. Add `gem \"bcrypt\"` to your Gemfile.")
+    end
+  end
+end

data/lib/better_auth/plugin.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class Plugin
+    FIELDS = [
+      :id,
+      :init,
+      :endpoints,
+      :middlewares,
+      :hooks,
+      :schema,
+      :migrations,
+      :options,
+      :version,
+      :client,
+      :rate_limit,
+      :error_codes,
+      :on_request,
+      :on_response,
+      :adapter
+    ].freeze
+
+    attr_reader(*FIELDS)
+
+    def self.coerce(value)
+      return value if value.is_a?(self)
+
+      new(value || {})
+    end
+
+    def initialize(data = {}, **keywords)
+      data = data.to_h if data.respond_to?(:to_h) && !data.is_a?(Hash)
+      input = (data || {}).merge(keywords)
+      raw = normalize_hash(input)
+
+      @id = raw[:id].to_s
+      @init = raw[:init]
+      @endpoints = normalize_endpoint_keys(raw[:endpoints] || {})
+      @middlewares = normalize_middlewares(raw[:middlewares] || [])
+      @hooks = normalize_hooks(raw[:hooks] || {})
+      @schema = raw[:schema] || {}
+      @migrations = raw[:migrations] || {}
+      @options = raw[:options] || {}
+      @version = raw[:version]
+      @client = stringify_hash(input[:client] || input["client"])
+      @rate_limit = Array(raw[:rate_limit])
+      @error_codes = normalize_error_codes(raw)
+      @on_request = raw[:on_request]
+      @on_response = raw[:on_response]
+      @adapter = raw[:adapter]
+    end
+
+    def [](key)
+      to_h[normalize_key(key)]
+    end
+
+    def fetch(key, *default, &block)
+      normalized = normalize_key(key)
+      return to_h.fetch(normalized, *default, &block) if default.any? || block
+
+      to_h.fetch(normalized)
+    end
+
+    def dig(*keys)
+      keys.reduce(to_h) do |value, key|
+        return nil unless value.respond_to?(:[])
+
+        value[normalize_key(key)] || value[key]
+      end
+    end
+
+    def merge_options!(defaults)
+      @options = deep_merge(@options, normalize_hash(defaults || {}))
+    end
+
+    def to_h
+      FIELDS.each_with_object({}) do |field, result|
+        result[field] = public_send(field)
+      end
+    end
+
+    private
+
+    def normalize_endpoint_keys(value)
+      normalize_hash(value).each_with_object({}) do |(key, endpoint), result|
+        result[normalize_key(key)] = endpoint
+      end
+    end
+
+    def normalize_middlewares(value)
+      Array(value).map { |middleware| normalize_hash(middleware) }
+    end
+
+    def normalize_hooks(value)
+      data = normalize_hash(value)
+      {
+        before: Array(data[:before]).map { |hook| normalize_hash(hook) },
+        after: Array(data[:after]).map { |hook| normalize_hash(hook) }
+      }
+    end
+
+    def normalize_error_codes(raw)
+      codes = raw[:error_codes] || raw[:ERROR_CODES] || raw[:$ERROR_CODES]
+      normalize_hash(codes || {}).transform_keys { |key| key.to_s.upcase }
+    end
+
+    def normalize_hash(value)
+      return {} unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        result[normalize_key(key)] = object.is_a?(Hash) ? normalize_hash(object) : object
+      end
+    end
+
+    def stringify_hash(value)
+      return nil unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        result[key.to_s] = object.is_a?(Hash) ? stringify_hash(object) : object
+      end
+    end
+
+    def normalize_key(key)
+      key.to_s
+        .delete_prefix("$")
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+        .to_sym
+    end
+
+    def deep_merge(base, override)
+      base.merge(override) do |_key, old_value, new_value|
+        if old_value.is_a?(Hash) && new_value.is_a?(Hash)
+          deep_merge(old_value, new_value)
+        else
+          new_value
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/plugin_context.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class PluginContext
+    attr_reader :context, :plugin
+
+    def initialize(context, plugin = nil)
+      @context = context
+      @plugin = plugin
+    end
+
+    def apply!(attributes)
+      context.apply_plugin_context!(attributes || {})
+    end
+  end
+end

data/lib/better_auth/plugin_registry.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  class PluginRegistry
+    attr_reader :context, :plugins
+
+    def initialize(context)
+      @context = context
+      @plugins = context.options.plugins
+    end
+
+    def run_init!
+      plugins.each do |plugin|
+        next unless plugin.init
+
+        result = plugin.init.call(context)
+        next unless result.is_a?(Hash)
+
+        apply_options(plugin, result[:options] || result["options"])
+        PluginContext.new(context, plugin).apply!(result[:context] || result["context"])
+      end
+
+      context.refresh_from_options!
+      context.set_internal_adapter(Adapters::InternalAdapter.new(context.adapter, context.options))
+    end
+
+    def endpoints
+      plugins.each_with_object({}) do |plugin, result|
+        result.merge!(plugin.endpoints)
+      end
+    end
+
+    def error_codes(base)
+      plugins.each_with_object(base.dup) do |plugin, codes|
+        plugin.error_codes.each do |key, value|
+          codes[key.to_s.upcase] = value
+        end
+      end
+    end
+
+    private
+
+    def apply_options(plugin, options)
+      return unless options.is_a?(Hash)
+
+      normalized = normalize_hash(options)
+      plugin.merge_options!(normalized)
+      context.options.merge_defaults!(normalized)
+    end
+
+    def normalize_hash(value)
+      return {} unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        result[normalize_key(key)] = object.is_a?(Hash) ? normalize_hash(object) : object
+      end
+    end
+
+    def normalize_key(key)
+      key.to_s
+        .gsub(/([a-z\d])([A-Z])/, "\\1_\\2")
+        .tr("-", "_")
+        .downcase
+        .to_sym
+    end
+  end
+end

data/lib/better_auth/plugins/access.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    class Role
+      attr_reader :statements
+
+      def initialize(statements)
+        @statements = stringify_statements(statements)
+      end
+
+      def authorize(request, connector = "AND")
+        success = false
+        stringify_request(request).each do |resource, requested_actions|
+          allowed_actions = statements[resource]
+          unless allowed_actions
+            return {success: false, error: "You are not allowed to access resource: #{resource}"}
+          end
+
+          success = if requested_actions.is_a?(Array)
+            requested_actions.all? { |action| allowed_actions.include?(action.to_s) }
+          elsif requested_actions.is_a?(Hash)
+            unless requested_actions.key?("actions") || requested_actions.key?(:actions)
+              raise Error, "Invalid access control request"
+            end
+
+            raw_actions = requested_actions["actions"] || requested_actions[:actions]
+            raise Error, "Invalid access control request" if raw_actions.nil?
+
+            actions = Array(raw_actions).map(&:to_s)
+            action_connector = (requested_actions["connector"] || requested_actions[:connector] || "AND").to_s.upcase
+            if action_connector == "OR"
+              actions.any? { |action| allowed_actions.include?(action) }
+            else
+              actions.all? { |action| allowed_actions.include?(action) }
+            end
+          else
+            raise Error, "Invalid access control request"
+          end
+
+          return {success: true} if success && connector.to_s.upcase == "OR"
+          return {success: false, error: "unauthorized to access resource \"#{resource}\""} if !success && connector.to_s.upcase == "AND"
+        end
+
+        success ? {success: true} : {success: false, error: "Not authorized"}
+      end
+
+      private
+
+      def stringify_statements(value)
+        (value || {}).each_with_object({}) do |(resource, actions), result|
+          result[resource.to_s] = Array(actions).map(&:to_s)
+        end
+      end
+
+      def stringify_request(value)
+        (value || {}).each_with_object({}) do |(resource, actions), result|
+          result[resource.to_s] = actions
+        end
+      end
+    end
+
+    class AccessControl
+      attr_reader :statements
+
+      def initialize(statements)
+        @statements = (statements || {}).each_with_object({}) do |(resource, actions), result|
+          result[resource.to_s] = Array(actions).map(&:to_s)
+        end
+      end
+
+      def new_role(statements)
+        Role.new(statements)
+      end
+
+      alias_method :newRole, :new_role
+    end
+
+    module_function
+
+    def create_access_control(statements)
+      AccessControl.new(statements)
+    end
+
+    singleton_class.alias_method :createAccessControl, :create_access_control
+  end
+end

data/lib/better_auth/plugins/additional_fields.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def additional_fields(schema = {})
+      config = normalize_hash(schema)
+      user_fields = storage_fields(config[:user] || {})
+      session_fields = storage_fields(config[:session] || {})
+
+      Plugin.new(
+        id: "additional-fields",
+        schema: {
+          user: {fields: user_fields},
+          session: {fields: session_fields}
+        },
+        init: lambda do |_context|
+          {
+            options: {
+              user: {additional_fields: user_fields},
+              session: {additional_fields: session_fields}
+            }
+          }
+        end
+      )
+    end
+  end
+end

data/lib/better_auth/plugins/admin/schema.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module AdminSchema
+      module_function
+
+      def build(custom = nil)
+        schema = {
+          user: {
+            fields: {
+              role: {type: "string", required: false, input: false},
+              banned: {type: "boolean", required: false, input: false, default_value: false},
+              banReason: {type: "string", required: false, input: false},
+              banExpires: {type: "date", required: false, input: false}
+            }
+          },
+          session: {
+            fields: {
+              impersonatedBy: {type: "string", required: false}
+            }
+          }
+        }
+        OrganizationSchema.merge_custom_schema(schema, custom)
+      end
+    end
+  end
+end