better_auth 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e95c51ce68259fcccbbfabe1bd9ffa5383ce4c098161f1c2d54da76137fa0a
-  data.tar.gz: 7c81ade6292ced9b98c1c411c320e4ad6e05734ea891145f75a9205d6e4fdea0
+  metadata.gz: df93cdae06059d52fa2c3d35c5b173aba9025d5ac46bda0b93a7a8abc5045f40
+  data.tar.gz: adec802dade2610da15329266c91dcd46aecb8642165c29e364ce7db2829d217
 SHA512:
-  metadata.gz: 4b7f5c635ce16aa7be7f3ea42c5fa03304b7c682821c8a82e55c81754ba330a88aba350f0a6ed59b171333766ba6a973c4a2d15cf3d46debeae42ddd59b602c5
-  data.tar.gz: 524ce3bfb3f023bcf057154fde0e88e0555753016d1297d67d40f2db6de6cf5516b0fcb8b513fd260cd284b38722eeffe9a02784d3d08a58cd5811cce23a1d39
+  metadata.gz: f46ac8a5cf79a859a417e2cbe60f000c290d014975fb3ce910c49b6c1cd455b2123e436a42a323dd530b38096a4ebc18a1f206c97f0ef6624378c9eb051d37e3
+  data.tar.gz: '0469ddcdcad97a7b1b58e3ddc0ef8d54c7469a1e0411546367f829291ab5664fc0b4685d460d8d328fe6ef67543908060d33eb961a638121930154ca31a4cfaf'

data/CHANGELOG.md

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0] - 2026-04-29
+
+### Added
+
+- Added upstream-parity social provider support, including provider-specific authorization, token, profile, refresh, and revocation behavior for the expanded provider set.
+- Added OAuth/OIDC protocol hardening for authorization, callback, discovery, metadata, token, and userinfo flows.
+- Added upstream v1.6.9 parity coverage for schema generation, adapter behavior, plugin hooks, session handling, and account/user route edge cases.
+
+### Changed
+
+- Extracted MongoDB adapter support behind the external `better_auth-mongo-adapter` shim while preserving compatibility for existing adapter configuration.
+- Updated auth routes, router behavior, rate limiting, password and email-verification flows, and schema metadata to match upstream semantics more closely.
+
+### Fixed
+
+- Fixed social provider edge cases, magic-link expiration behavior, adapter value coercion, and callback/session handling across Rack integrations.
+
 ## [0.1.1] - 2026-03-22
 
 ### Fixed

data/README.md

@@ -90,7 +90,7 @@ Custom Better Auth-style password callbacks are still supported through `email_a
 
 ### Database Adapters
 
-The core gem ships framework-agnostic adapters for memory, PostgreSQL, MySQL, SQLite, MongoDB, and MSSQL. Driver gems are loaded only when their adapter is instantiated.
+The core gem ships framework-agnostic adapters for memory, PostgreSQL, MySQL, SQLite, and MSSQL. Driver gems are loaded only when their adapter is instantiated. MongoDB support lives in the external `better_auth-mongo-adapter` package so apps that do not use MongoDB do not install the Mongo driver.
 
 ```ruby
 auth = BetterAuth.auth(
@@ -100,6 +100,8 @@ auth = BetterAuth.auth(
 ```
 
 ```ruby
+require "better_auth/mongo_adapter"
+
 auth = BetterAuth.auth(
   secret: ENV.fetch("BETTER_AUTH_SECRET"),
   database: BetterAuth::Adapters::MongoDB.new(
@@ -155,7 +157,7 @@ export const authClient = createAuthClient({
 Add to your Gemfile:
 
 ```ruby
-gem 'better_auth', require: 'better_auth/rails'
+gem "better_auth-rails"
 ```
 
 Then in your ApplicationController:
@@ -170,7 +172,7 @@ Now you have access to `current_user` and authentication methods:
 
 ```ruby
 class PostsController < ApplicationController
-  before_action :authenticate_user!
+  before_action :require_authentication
 
   def index
     @posts = current_user.posts

data/lib/better_auth/adapters/internal_adapter.rb

@@ -74,28 +74,31 @@ module BetterAuth
           "userId" => user_id,
           "token" => token
         }.merge(timestamps)
+        base["id"] = generated_id if secondary_storage
         data = override_all ? base.merge(override) : override.merge(base)
 
         custom = secondary_storage && lambda do |session_data|
           actual_session = apply_schema_create("session", session_data)
           store_session(actual_session)
+          adapter.create(model: "session", data: actual_session, force_allow_id: true) if options.session[:store_session_in_database]
           actual_session
         end
-        execute_main = !secondary_storage || options.session[:store_session_in_database]
-        created = hooks.create(data, "session", custom: custom, context: context)
-        adapter.create(model: "session", data: data, force_allow_id: true) if secondary_storage && execute_main
-        created
+        hooks.create(data, "session", custom: custom, context: context)
       end
 
       def find_session(token)
         if secondary_storage
           data = parse_storage(secondary_storage.get(token))
-          return nil unless data
+          unless data
+            return nil unless options.session[:store_session_in_database] && !options.session[:preserve_session_in_database]
+          end
 
-          return {
-            session: normalize_session_dates(data["session"]),
-            user: normalize_user_dates(data["user"])
-          }
+          if data
+            return {
+              session: normalize_session_dates(data["session"]),
+              user: normalize_user_dates(data["user"])
+            }
+          end
         end
 
         found = find_session_with_user(token)
@@ -113,7 +116,9 @@ module BetterAuth
         data = stringify_keys(session)
         if secondary_storage
           return hooks.update(data, [{field: "token", value: token}], "session", custom: lambda { |actual_data|
-            update_stored_session(token, actual_data)
+            stored = update_stored_session(token, actual_data)
+            db = adapter.update(model: "session", where: [{field: "token", value: token}], update: actual_data) if options.session[:store_session_in_database]
+            db || stored
           })
         end
 
@@ -226,30 +231,93 @@ module BetterAuth
       end
 
       def create_verification_value(data)
-        hooks.create(timestamps.merge(stringify_keys(data)), "verification")
+        payload = timestamps.merge(stringify_keys(data))
+        stored_identifier = processed_verification_identifier(payload.fetch("identifier"))
+        payload["identifier"] = stored_identifier
+
+        custom = secondary_storage && lambda do |verification_data|
+          actual = apply_schema_create("verification", verification_data)
+          actual["id"] ||= generated_id
+          store_verification(actual)
+          adapter.create(model: "verification", data: actual, force_allow_id: true) if verification_store_in_database?
+          actual
+        end
+
+        hooks.create(payload, "verification", custom: custom)
       end
 
       def find_verification_value(identifier)
+        stored_identifier = processed_verification_identifier(identifier)
+        storage_option = verification_storage_option(identifier)
+        if secondary_storage
+          cached = read_verification(stored_identifier)
+          cached ||= read_verification(identifier) if storage_option && storage_option.to_s != "plain"
+          return cached if cached
+          return nil unless verification_store_in_database?
+        end
+
         values = adapter.find_many(
           model: "verification",
-          where: [{field: "identifier", value: identifier}],
+          where: [{field: "identifier", value: stored_identifier}],
           sort_by: {field: "createdAt", direction: "desc"},
           limit: 1
         )
+        if values.empty? && storage_option && storage_option.to_s != "plain"
+          values = adapter.find_many(
+            model: "verification",
+            where: [{field: "identifier", value: identifier}],
+            sort_by: {field: "createdAt", direction: "desc"},
+            limit: 1
+          )
+        end
         hooks.delete_many([{field: "expiresAt", value: Time.now, operator: "lt"}], "verification") unless options.verification[:disable_cleanup]
         values.first
       end
 
       def delete_verification_value(id)
+        if secondary_storage
+          stored_identifier = secondary_storage.get(verification_id_key(id))
+          if stored_identifier
+            secondary_storage.delete(verification_key(stored_identifier))
+            secondary_storage.delete(verification_id_key(id))
+            return nil unless verification_store_in_database?
+          elsif !verification_store_in_database?
+            return nil
+          end
+        end
+
         hooks.delete([{field: "id", value: id}], "verification")
       end
 
       def delete_verification_by_identifier(identifier)
-        hooks.delete([{field: "identifier", value: identifier}], "verification")
+        stored_identifier = processed_verification_identifier(identifier)
+        if secondary_storage
+          cached = read_verification(stored_identifier)
+          secondary_storage.delete(verification_key(stored_identifier))
+          secondary_storage.delete(verification_id_key(cached["id"])) if cached && cached["id"]
+          return nil unless verification_store_in_database?
+        end
+
+        hooks.delete([{field: "identifier", value: stored_identifier}], "verification")
       end
 
       def update_verification_value(id, data)
-        hooks.update(stringify_keys(data), [{field: "id", value: id}], "verification")
+        update = stringify_keys(data)
+        if secondary_storage
+          stored_identifier = secondary_storage.get(verification_id_key(id))
+          if stored_identifier
+            cached = read_verification(stored_identifier)
+            if cached
+              updated = cached.merge(update)
+              store_verification(updated)
+              return updated unless verification_store_in_database?
+            end
+          elsif !verification_store_in_database?
+            return nil
+          end
+        end
+
+        hooks.update(update, [{field: "id", value: id}], "verification")
       end
 
       private
@@ -285,6 +353,14 @@ module BetterAuth
         {"createdAt" => now, "updatedAt" => now}
       end
 
+      def generated_id
+        generator = options.advanced.dig(:database, :generate_id)
+        return generator.call.to_s if generator.respond_to?(:call)
+        return SecureRandom.uuid if generator == "uuid"
+
+        SecureRandom.hex(16)
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[Schema.storage_key(key)] = value
@@ -295,6 +371,8 @@ module BetterAuth
         fields = Schema.auth_tables(options)[model]&.fetch(:fields)
         fields ||= session_additional_fields if model == "session"
         output = stringify_keys(data)
+        return output unless fields
+
         fields.each do |field, attributes|
           unless output.key?(field)
             if attributes.key?(:default_value)
@@ -334,7 +412,8 @@ module BetterAuth
           .push({"token" => session["token"], "expiresAt" => expires_ms})
           .sort_by { |entry| entry["expiresAt"] }
         write_active_sessions(session["userId"], entries)
-        secondary_storage.set(session["token"], JSON.generate({session: session, user: user}), ttl(expires_ms))
+        ttl_seconds = ttl(expires_ms)
+        secondary_storage.set(session["token"], JSON.generate({session: session, user: user}), ttl_seconds) if ttl_seconds.positive?
       end
 
       def update_stored_session(token, data)
@@ -345,7 +424,12 @@ module BetterAuth
         merged["expiresAt"] = normalize_time(merged["expiresAt"])
         merged["createdAt"] = normalize_time(merged["createdAt"])
         merged["updatedAt"] = normalize_time(merged["updatedAt"])
-        secondary_storage.set(token, JSON.generate({session: merged, user: parsed["user"]}), ttl(millis(merged["expiresAt"])))
+        ttl_seconds = ttl(millis(merged["expiresAt"]))
+        if ttl_seconds.positive?
+          secondary_storage.set(token, JSON.generate({session: merged, user: parsed["user"]}), ttl_seconds)
+        else
+          secondary_storage.delete(token)
+        end
         entries = active_session_entries(merged["userId"])
           .reject { |entry| entry["token"] == token || entry["expiresAt"].to_i <= current_millis }
           .push({"token" => token, "expiresAt" => millis(merged["expiresAt"])})
@@ -369,7 +453,7 @@ module BetterAuth
         raw = secondary_storage.get(active_key(user_id))
         Array(parse_storage(raw)).map do |entry|
           entry.transform_keys(&:to_s)
-        end
+        end.uniq { |entry| entry["token"] }
       end
 
       def write_active_sessions(user_id, entries)
@@ -377,7 +461,12 @@ module BetterAuth
         if future.empty?
           secondary_storage.delete(active_key(user_id))
         else
-          secondary_storage.set(active_key(user_id), JSON.generate(future), ttl(future.last["expiresAt"]))
+          ttl_seconds = ttl(future.last["expiresAt"])
+          if ttl_seconds.positive?
+            secondary_storage.set(active_key(user_id), JSON.generate(future), ttl_seconds)
+          else
+            secondary_storage.delete(active_key(user_id))
+          end
         end
       end
 
@@ -415,6 +504,67 @@ module BetterAuth
         )
       end
 
+      def normalize_verification_dates(verification)
+        return nil unless verification
+
+        verification.transform_keys(&:to_s).merge(
+          "expiresAt" => normalize_time(verification["expiresAt"] || verification[:expiresAt]),
+          "createdAt" => normalize_time(verification["createdAt"] || verification[:createdAt]),
+          "updatedAt" => normalize_time(verification["updatedAt"] || verification[:updatedAt])
+        )
+      end
+
+      def store_verification(verification)
+        normalized = normalize_verification_dates(verification)
+        ttl_seconds = ttl(millis(normalized["expiresAt"]))
+        return normalized unless ttl_seconds.positive?
+
+        secondary_storage.set(verification_key(normalized["identifier"]), JSON.generate(normalized), ttl_seconds)
+        secondary_storage.set(verification_id_key(normalized["id"]), normalized["identifier"], ttl_seconds) if normalized["id"]
+        normalized
+      end
+
+      def read_verification(identifier)
+        normalize_verification_dates(parse_storage(secondary_storage.get(verification_key(identifier))))
+      end
+
+      def verification_key(identifier)
+        "verification:#{identifier}"
+      end
+
+      def verification_id_key(id)
+        "verification-id:#{id}"
+      end
+
+      def verification_store_in_database?
+        !!options.verification[:store_in_database]
+      end
+
+      def processed_verification_identifier(identifier)
+        option = verification_storage_option(identifier)
+        return identifier.to_s if option.nil? || option.to_s == "plain"
+        return Crypto.sha256(identifier.to_s, encoding: :base64url) if option.to_s == "hashed"
+        return option[:hash].call(identifier.to_s).to_s if option.is_a?(Hash) && option[:hash].respond_to?(:call)
+        return option["hash"].call(identifier.to_s).to_s if option.is_a?(Hash) && option["hash"].respond_to?(:call)
+
+        identifier.to_s
+      end
+
+      def verification_storage_option(identifier)
+        config = options.verification[:store_identifier]
+        return nil unless config
+
+        if config.is_a?(Hash) && (config.key?(:default) || config.key?("default"))
+          overrides = config[:overrides] || config["overrides"] || {}
+          overrides.each do |prefix, option|
+            return option if identifier.to_s.start_with?(prefix.to_s)
+          end
+          return config[:default] || config["default"]
+        end
+
+        config
+      end
+
       def normalize_time(value)
         return value if value.is_a?(Time)
         return Time.at(value / 1000.0) if value.is_a?(Integer) && value > 10_000_000_000

data/lib/better_auth/adapters/memory.rb

@@ -225,7 +225,10 @@ module BetterAuth
       end
 
       def fetch_key(hash, key)
-        hash[key] || hash[key.to_s] || hash[Schema.storage_key(key)] || hash[Schema.storage_key(key).to_sym]
+        [key, key.to_s, Schema.storage_key(key), Schema.storage_key(key).to_sym].each do |candidate|
+          return hash[candidate] if hash.key?(candidate)
+        end
+        nil
       end
     end
   end