better_auth 0.2.0 → 0.3.0

data/lib/better_auth/rate_limiter.rb

@@ -148,18 +148,26 @@ module BetterAuth
     def read_storage((type, storage), key)
       data = storage.get(key)
       data = JSON.parse(data) if type == :secondary && data.is_a?(String)
-      symbolize_keys(data)
+      normalize_rate_limit_data(symbolize_keys(data))
     rescue JSON::ParserError
       nil
     end
 
     def write_storage((type, storage), key, data, ttl:, update:)
-      value = (type == :secondary) ? JSON.generate(data) : data
+      value = (type == :secondary) ? JSON.generate(secondary_storage_data(data)) : data
       return call_secondary_storage_set(storage, key, value, ttl: ttl, update: update) if type == :secondary
 
       call_storage_set(storage, key, value, ttl: ttl, update: update)
     end
 
+    def secondary_storage_data(data)
+      {
+        key: data[:key],
+        count: data[:count],
+        lastRequest: (data[:last_request].to_f * 1000).to_i
+      }
+    end
+
     def call_secondary_storage_set(storage, key, value, ttl:, update:)
       storage.set(key, value, ttl)
     rescue ArgumentError
@@ -188,6 +196,15 @@ module BetterAuth
       end
     end
 
+    def normalize_rate_limit_data(data)
+      return data unless data.is_a?(Hash)
+
+      last_request = data[:last_request]
+      return data unless last_request.is_a?(Numeric) && last_request > 10_000_000_000
+
+      data.merge(last_request: last_request / 1000.0)
+    end
+
     def rate_limit_key(ip, path)
       "#{ip}|#{path}"
     end

data/lib/better_auth/router.rb

@@ -64,6 +64,7 @@ module BetterAuth
 
       body = parse_body(request)
       endpoint_context = build_endpoint_context(request, route_path, query, body, params)
+      return run_on_response_chain(forbidden) if server_only?(endpoint)
 
       response = @origin_check.call(endpoint_context)
       return run_on_response_chain(response) if response
@@ -166,13 +167,17 @@ module BetterAuth
       request.body.rewind
       return {} if raw.empty?
 
-      if request.media_type == "application/json"
+      if json_media_type?(request.media_type)
         JSON.parse(raw)
       else
         request.POST
       end
     end
 
+    def json_media_type?(media_type)
+      media_type == "application/json" || media_type.to_s.end_with?("+json")
+    end
+
     def allowed_media_type?(request, endpoint)
       return true unless request_body_method?(request.request_method)
       return true if request.media_type.nil? || request.media_type.empty?
@@ -350,6 +355,14 @@ module BetterAuth
       [415, {"content-type" => "application/json"}, [JSON.generate({error: "Unsupported Media Type"})]]
     end
 
+    def forbidden
+      [403, {"content-type" => "application/json"}, [JSON.generate({error: "Forbidden"})]]
+    end
+
+    def server_only?(endpoint)
+      endpoint.metadata[:server_only] || endpoint.metadata[:SERVER_ONLY] || endpoint.metadata["SERVER_ONLY"]
+    end
+
     def error_response(error, headers: {})
       Endpoint::Result.new(
         response: error.to_h,

data/lib/better_auth/routes/email_verification.rb

@@ -35,6 +35,7 @@ module BetterAuth
       Endpoint.new(path: "/verify-email", method: "GET") do |ctx|
         token = fetch_value(ctx.query, "token").to_s
         callback_url = fetch_value(ctx.query, "callbackURL")
+        validate_callback_url!(ctx.context, callback_url)
         payload = verify_email_token(ctx, token, callback_url)
         email = payload["email"].to_s.downcase
         update_to = payload["updateTo"] || payload["update_to"]
@@ -43,8 +44,10 @@ module BetterAuth
 
         user = user_data[:user]
         if update_to
-          updated = ctx.context.internal_adapter.update_user_by_email(email, email: update_to, emailVerified: true)
-          set_verified_session_cookie(ctx, updated || user.merge("email" => update_to, "emailVerified" => true))
+          updated = ctx.context.internal_adapter.update_user_by_email(email, email: update_to, emailVerified: false)
+          updated_user = updated || user.merge("email" => update_to, "emailVerified" => false)
+          send_verification_email_payload(ctx, updated_user, callback_url) if ctx.context.options.email_verification[:send_verification_email].respond_to?(:call)
+          set_verified_session_cookie(ctx, updated_user)
           next redirect_or_json(ctx, callback_url, {status: true, user: Schema.parse_output(ctx.context.options, "user", updated)})
         end
 

data/lib/better_auth/routes/password.rb

@@ -41,6 +41,7 @@ module BetterAuth
       Endpoint.new(path: "/reset-password/:token", method: "GET") do |ctx|
         token = ctx.params[:token].to_s
         callback_url = fetch_value(ctx.query, "callbackURL") || "/error"
+        validate_callback_url!(ctx.context, callback_url)
         verification = ctx.context.internal_adapter.find_verification_value("reset-password:#{token}")
 
         unless verification && !expired_time?(verification["expiresAt"])
@@ -152,6 +153,7 @@ module BetterAuth
     end
 
     def self.absolute_callback(context, callback_url, params)
+      validate_callback_url!(context, callback_url)
       uri = URI.parse(callback_url.to_s)
       origin = Configuration.origin_for(URI.parse(context.base_url))
       url = uri.relative? ? URI.join("#{origin}/", callback_url.to_s.delete_prefix("/")) : uri
@@ -160,5 +162,22 @@ module BetterAuth
       url.query = URI.encode_www_form(query)
       url.to_s
     end
+
+    def self.validate_callback_url!(context, callback_url)
+      return if callback_url.nil? || callback_url.to_s.empty?
+
+      value = callback_url.to_s
+      if value.start_with?("/")
+        return if Configuration.relative_path_allowed?(value)
+      else
+        uri = Configuration.parse_uri(value)
+        base_uri = Configuration.parse_uri(context.base_url.to_s)
+        base_origin = base_uri && Configuration.origin_for(base_uri)
+        return if uri && Configuration.origin_for(uri) == base_origin
+        return if context.trusted_origin?(value)
+      end
+
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_CALLBACK_URL"])
+    end
   end
 end

data/lib/better_auth/routes/session.rb

@@ -34,10 +34,11 @@ module BetterAuth
         body = Routes.parse_declared_input(ctx, "session", ctx.body, allowed_base: [])
         raise APIError.new("BAD_REQUEST", message: "No fields to update") if body.empty?
 
-        updated = ctx.context.internal_adapter.update_session(session[:session]["token"], body)
-        merged = session[:session].merge(updated || body)
+        update = body.merge("updatedAt" => Time.now)
+        updated = ctx.context.internal_adapter.update_session(session[:session]["token"], update)
+        merged = session[:session].merge(updated || update)
         Cookies.set_session_cookie(ctx, {session: merged, user: session[:user]}, Cookies.dont_remember?(ctx))
-        ctx.json({status: true})
+        ctx.json(parsed_session_response(ctx, {session: merged, user: session[:user]}))
       end
     end
 
@@ -91,12 +92,34 @@ module BetterAuth
 
       raise APIError.new("UNAUTHORIZED") unless data
 
+      session = stringify_keys(data[:session] || data["session"])
+      ensure_fresh_session!(ctx, session) if sensitive
+
       {
-        session: stringify_keys(data[:session] || data["session"]),
+        session: session,
         user: stringify_keys(data[:user] || data["user"])
       }
     end
 
+    def self.ensure_fresh_session!(ctx, session)
+      fresh_age = ctx.context.session_config[:fresh_age].to_i
+      return if fresh_age.zero?
+
+      created_at = normalize_time(session["createdAt"])
+      return unless created_at && Time.now - created_at >= fresh_age
+
+      raise APIError.new("FORBIDDEN", code: "SESSION_NOT_FRESH", message: BASE_ERROR_CODES.fetch("SESSION_NOT_FRESH"))
+    end
+
+    def self.normalize_time(value)
+      return value if value.is_a?(Time)
+      return nil if value.nil? || value.to_s.empty?
+
+      Time.parse(value.to_s)
+    rescue ArgumentError
+      nil
+    end
+
     def self.parsed_session_response(ctx, session)
       {
         session: Schema.parse_output(ctx.context.options, "session", session[:session]),

data/lib/better_auth/routes/sign_in.rb

@@ -17,7 +17,7 @@ module BetterAuth
       ) do |ctx|
         options = ctx.context.options
         email_config = options.email_and_password
-        if email_config[:enabled] == false
+        if email_config[:enabled] != true
           raise APIError.new("BAD_REQUEST", message: "Email and password is not enabled")
         end
 

data/lib/better_auth/routes/sign_up.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "uri"
+require "securerandom"
 
 module BetterAuth
   module Routes
@@ -19,7 +20,7 @@ module BetterAuth
       ) do |ctx|
         options = ctx.context.options
         email_config = options.email_and_password
-        if email_config[:enabled] == false || email_config[:disable_sign_up]
+        if email_config[:enabled] != true || email_config[:disable_sign_up]
           raise APIError.new("BAD_REQUEST", message: "Email and password sign up is not enabled")
         end
 
@@ -36,6 +37,13 @@ module BetterAuth
         ctx.context.adapter.transaction do
           existing = ctx.context.internal_adapter.find_user_by_email(email)
           if existing
+            if email_config[:require_email_verification]
+              hash_password(ctx, password)
+              call_existing_sign_up_callback(ctx, email_config, existing)
+              synthetic_user = synthetic_sign_up_user(ctx, body, email, name, image)
+              next ctx.json({token: nil, user: Schema.parse_output(options, "user", synthetic_user)})
+            end
+
             raise APIError.new(
               "UNPROCESSABLE_ENTITY",
               message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]
@@ -110,6 +118,49 @@ module BetterAuth
       raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["FAILED_TO_CREATE_USER"])
     end
 
+    def self.call_existing_sign_up_callback(ctx, email_config, existing)
+      callback = email_config[:on_existing_user_sign_up]
+      return unless callback.respond_to?(:call)
+
+      user = existing[:user] || existing["user"] || existing
+      data = {user: user}
+      if callback.arity == 1
+        callback.call(data)
+      else
+        callback.call(data, ctx.request)
+      end
+    end
+
+    def self.synthetic_sign_up_user(ctx, body, email, name, image)
+      now = Time.now
+      core_fields = {
+        "id" => SecureRandom.hex(16),
+        "name" => name,
+        "email" => email.to_s.downcase,
+        "emailVerified" => false,
+        "image" => image,
+        "createdAt" => now,
+        "updatedAt" => now
+      }
+      reserved = %w[email password name image callbackURL callbackUrl callback_url rememberMe remember_me]
+      additional = parse_declared_input(ctx, "user", body.except(*reserved), allowed_base: [])
+      custom = ctx.context.options.email_and_password[:custom_synthetic_user]
+      return core_fields.merge(additional) unless custom.respond_to?(:call)
+
+      value = {
+        core_fields: core_fields.except("id"),
+        additional_fields: additional,
+        id: core_fields["id"]
+      }
+      stringify_synthetic_user(custom.call(value))
+    end
+
+    def self.stringify_synthetic_user(value)
+      return value.each_with_object({}) { |(key, object_value), result| result[Schema.storage_key(key)] = object_value } if value.is_a?(Hash)
+
+      {}
+    end
+
     def self.send_sign_up_verification_email(ctx, user, callback_url)
       verification = ctx.context.options.email_verification
       password_config = ctx.context.options.email_and_password

data/lib/better_auth/routes/social.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "uri"
+require "json"
 require "securerandom"
 
 module BetterAuth
@@ -11,11 +12,23 @@ module BetterAuth
         provider_id = body["provider"].to_s
         provider = social_provider(ctx.context, provider_id)
         raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["PROVIDER_NOT_FOUND"]) unless provider
+        validate_social_callback_url!(ctx.context, body["callbackURL"] || body["callbackUrl"] || body["callback_url"], "INVALID_CALLBACK_URL")
+        validate_social_callback_url!(ctx.context, body["errorCallbackURL"] || body["errorCallbackUrl"] || body["error_callback_url"], "INVALID_ERROR_CALLBACK_URL")
+        validate_social_callback_url!(ctx.context, body["newUserCallbackURL"] || body["newUserCallbackUrl"] || body["new_user_callback_url"], "INVALID_NEW_USER_CALLBACK_URL")
 
         id_token = fetch_value(body, "idToken")
         if id_token
           data = social_user_from_id_token!(ctx, provider, id_token)
-          session_data = persist_social_user(ctx, provider_id, data[:user], data[:account])
+          session_data = persist_social_user(
+            ctx,
+            provider_id,
+            data[:user],
+            token_hash_for_storage(ctx, data[:account]),
+            callback_url: body["callbackURL"],
+            disable_sign_up: provider_disable_sign_up?(provider) || (provider_disable_implicit_sign_up?(provider) && !body["requestSignUp"])
+          )
+          raise APIError.new("UNAUTHORIZED", message: session_data[:error], code: "OAUTH_LINK_ERROR") if session_data[:error]
+
           Cookies.set_session_cookie(ctx, session_data)
           next ctx.json({
             redirect: false,
@@ -25,17 +38,18 @@ module BetterAuth
           })
         end
 
+        code_verifier = SecureRandom.hex(16)
         state = Crypto.sign_jwt(
           {
             "callbackURL" => body["callbackURL"] || body["callbackUrl"] || body["callback_url"] || "/",
             "errorCallbackURL" => body["errorCallbackURL"] || body["errorCallbackUrl"] || body["error_callback_url"],
             "newUserCallbackURL" => body["newUserCallbackURL"] || body["newUserCallbackUrl"] || body["new_user_callback_url"],
-            "requestSignUp" => body["requestSignUp"] || body["request_sign_up"]
-          },
+            "requestSignUp" => body["requestSignUp"] || body["request_sign_up"],
+            "codeVerifier" => code_verifier
+          }.merge(safe_additional_state(body)),
           ctx.context.secret,
           expires_in: 600
         )
-        code_verifier = SecureRandom.hex(16)
         url = call_provider(provider, :create_authorization_url, {
           state: state,
           codeVerifier: code_verifier,
@@ -56,17 +70,25 @@ module BetterAuth
         method: ["GET", "POST"],
         metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}
       ) do |ctx|
-        source = (ctx.method == "POST") ? ctx.body.merge(ctx.query) : ctx.query
+        if ctx.method == "POST"
+          merged = normalize_hash(ctx.query).merge(normalize_hash(ctx.body))
+          query = URI.encode_www_form(merged.reject { |_key, value| value.nil? || value.to_s.empty? })
+          target = "#{ctx.context.base_url}/callback/#{fetch_value(ctx.params, "providerId")}"
+          target = "#{target}?#{query}" unless query.empty?
+          raise ctx.redirect(target)
+        end
+
+        source = ctx.query
         data = normalize_hash(source)
         provider_id = fetch_value(ctx.params, "providerId").to_s
         provider = social_provider(ctx.context, provider_id)
         state = data["state"].to_s
-        state_data = Crypto.verify_jwt(state, ctx.context.secret) || {}
-        error_url = state_data["errorCallbackURL"] || "#{ctx.context.base_url}/error"
+        state_data = state.empty? ? nil : Crypto.verify_jwt(state, ctx.context.secret)
+        error_url = state_data ? (state_data["errorCallbackURL"] || "#{ctx.context.base_url}/error") : "#{ctx.context.base_url}/error"
 
         raise ctx.redirect(oauth_error_url(error_url, data["error"], data["errorDescription"] || data["error_description"])) if data["error"]
         raise ctx.redirect(oauth_error_url(error_url, "oauth_provider_not_found")) unless provider
-        raise ctx.redirect(oauth_error_url(error_url, "state_not_found")) if state.empty?
+        raise ctx.redirect(oauth_error_url(error_url, "state_not_found")) unless state_data
         raise ctx.redirect(oauth_error_url(error_url, "no_code")) if data["code"].to_s.empty?
 
         tokens = call_provider(provider, :validate_authorization_code, {
@@ -78,14 +100,33 @@ module BetterAuth
         })
         raise ctx.redirect(oauth_error_url(error_url, "invalid_code")) unless tokens
 
-        user_info = call_provider(provider, :get_user_info, token_hash(tokens))
+        token_data = token_hash(tokens)
+        token_data["user"] = parse_json_hash(data["user"]) if data["user"]
+        user_info = call_provider(provider, :get_user_info, token_data)
         user = user_info[:user] || user_info["user"] if user_info
         raise ctx.redirect(oauth_error_url(error_url, "unable_to_get_user_info")) unless user
         raise ctx.redirect(oauth_error_url(error_url, "email_not_found")) if fetch_value(user, "email").to_s.empty?
 
-        session_data = persist_social_user(ctx, provider_id, user, token_hash(tokens).merge("accountId" => fetch_value(user, "id").to_s))
+        link = state_data["link"] || state_data[:link]
+        if link
+          linked = link_social_account_from_callback(ctx, provider_id, user, tokens, link)
+          raise ctx.redirect(oauth_error_url(error_url, linked[:error])) if linked[:error]
+
+          raise ctx.redirect(state_data["callbackURL"] || "/")
+        end
+
+        account_info = token_hash_for_storage(ctx, tokens).merge("accountId" => fetch_value(user, "id").to_s)
+        session_data = persist_social_user(
+          ctx,
+          provider_id,
+          user,
+          account_info,
+          callback_url: state_data["callbackURL"],
+          disable_sign_up: provider_disable_sign_up?(provider) || (provider_disable_implicit_sign_up?(provider) && !state_data["requestSignUp"])
+        )
+        raise ctx.redirect(oauth_error_url(error_url, session_data[:error].tr(" ", "_"))) if session_data[:error]
         Cookies.set_session_cookie(ctx, session_data)
-        callback_url = state_data["callbackURL"] || "/"
+        callback_url = session_data[:new_user] ? (state_data["newUserCallbackURL"] || state_data["callbackURL"] || "/") : (state_data["callbackURL"] || "/")
         raise ctx.redirect(callback_url)
       end
     end
@@ -97,11 +138,16 @@ module BetterAuth
         provider_id = body["provider"].to_s
         provider = social_provider(ctx.context, provider_id)
         raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["PROVIDER_NOT_FOUND"]) unless provider
+        validate_social_callback_url!(ctx.context, body["callbackURL"] || body["callbackUrl"] || body["callback_url"], "INVALID_CALLBACK_URL")
+        validate_social_callback_url!(ctx.context, body["errorCallbackURL"] || body["errorCallbackUrl"] || body["error_callback_url"], "INVALID_ERROR_CALLBACK_URL")
 
         id_token = fetch_value(body, "idToken")
         if id_token
           data = social_user_from_id_token!(ctx, provider, id_token)
           email = fetch_value(data[:user], "email").to_s.downcase
+          unless linkable_provider?(ctx, provider_id, data[:user])
+            raise APIError.new("UNAUTHORIZED", message: "Account not linked - untrusted provider")
+          end
           unless email == session[:user]["email"].to_s.downcase || ctx.context.options.account.dig(:account_linking, :allow_different_emails)
             raise APIError.new("UNAUTHORIZED", message: "Account not linked - different emails not allowed")
           end
@@ -111,12 +157,35 @@ module BetterAuth
             account["providerId"] == provider_id && account["accountId"] == account_id
           end
           unless existing
-            ctx.context.internal_adapter.create_account(data[:account].merge("userId" => session[:user]["id"]))
+            ctx.context.internal_adapter.create_account(token_hash_for_storage(ctx, data[:account]).merge("userId" => session[:user]["id"]))
           end
+          update_verified_email_on_link(ctx, session[:user]["id"], session[:user]["email"], data[:user])
           next ctx.json({url: "", status: true, redirect: false})
         end
 
-        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_TOKEN"])
+        code_verifier = SecureRandom.hex(16)
+        state_data = {
+          "callbackURL" => body["callbackURL"] || body["callbackUrl"] || body["callback_url"] || ctx.context.base_url,
+          "errorCallbackURL" => body["errorCallbackURL"] || body["errorCallbackUrl"] || body["error_callback_url"],
+          "requestSignUp" => body["requestSignUp"] || body["request_sign_up"],
+          "codeVerifier" => code_verifier,
+          "link" => {
+            "userId" => session[:user]["id"],
+            "email" => session[:user]["email"]
+          }
+        }.merge(safe_additional_state(body))
+        state = Crypto.sign_jwt(state_data, ctx.context.secret, expires_in: 600)
+        url = call_provider(provider, :create_authorization_url, {
+          state: state,
+          codeVerifier: code_verifier,
+          code_verifier: code_verifier,
+          redirectURI: "#{ctx.context.base_url}/callback/#{provider_id}",
+          redirect_uri: "#{ctx.context.base_url}/callback/#{provider_id}",
+          scopes: body["scopes"],
+          loginHint: body["loginHint"] || body["login_hint"]
+        })
+        ctx.set_header("location", url.to_s) unless body["disableRedirect"] || body["disable_redirect"]
+        ctx.json({url: url.to_s, redirect: !(body["disableRedirect"] || body["disable_redirect"])})
       end
     end
 
@@ -125,13 +194,15 @@ module BetterAuth
       valid = call_provider(provider, :verify_id_token, token, fetch_value(id_token, "nonce"))
       raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["INVALID_TOKEN"]) unless valid
 
+      token_user = parse_json_hash(fetch_value(id_token, "user"))
       user_info = call_provider(provider, :get_user_info, {
-        idToken: token,
-        id_token: token,
-        accessToken: fetch_value(id_token, "accessToken"),
-        access_token: fetch_value(id_token, "accessToken"),
-        refreshToken: fetch_value(id_token, "refreshToken"),
-        refresh_token: fetch_value(id_token, "refreshToken")
+        "idToken" => token,
+        "id_token" => token,
+        "accessToken" => fetch_value(id_token, "accessToken"),
+        "access_token" => fetch_value(id_token, "accessToken"),
+        "refreshToken" => fetch_value(id_token, "refreshToken"),
+        "refresh_token" => fetch_value(id_token, "refreshToken"),
+        "user" => token_user
       })
       user = user_info[:user] || user_info["user"] if user_info
       raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["FAILED_TO_GET_USER_INFO"]) unless user
@@ -144,22 +215,30 @@ module BetterAuth
           "accountId" => fetch_value(user, "id").to_s,
           "accessToken" => fetch_value(id_token, "accessToken"),
           "refreshToken" => fetch_value(id_token, "refreshToken"),
-          "idToken" => token
+          "idToken" => token,
+          "user" => token_user
         }
       }
     end
 
-    def self.persist_social_user(ctx, provider_id, user_info, account_info)
+    def self.persist_social_user(ctx, provider_id, user_info, account_info, callback_url: nil, disable_sign_up: false)
       email = fetch_value(user_info, "email").to_s.downcase
       account_id = (account_info["accountId"] || account_info[:accountId] || account_info[:account_id] || fetch_value(user_info, "id")).to_s
       existing = ctx.context.internal_adapter.find_oauth_user(email, account_id, provider_id)
 
       if existing && existing[:linked_account]
         user = existing[:user]
+        new_user = false
       elsif existing
+        unless linkable_provider?(ctx, provider_id, user_info, implicit: true)
+          return {error: "account not linked"}
+        end
         user = existing[:user]
         ctx.context.internal_adapter.create_account(account_info.merge("providerId" => provider_id, "accountId" => account_id, "userId" => user["id"]))
+        new_user = false
       else
+        return {error: "signup disabled"} if disable_sign_up
+
         created = ctx.context.internal_adapter.create_oauth_user(
           {
             email: email,
@@ -170,10 +249,11 @@ module BetterAuth
           account_info.merge("providerId" => provider_id, "accountId" => account_id)
         )
         user = created[:user]
+        new_user = true
       end
 
       session = ctx.context.internal_adapter.create_session(user["id"], false, session_overrides(ctx), true, ctx)
-      {session: session, user: user}
+      {session: session, user: user, new_user: new_user}
     end
 
     def self.oauth_error_url(base_url, error, description = nil)
@@ -184,5 +264,104 @@ module BetterAuth
       uri.query = URI.encode_www_form(query)
       uri.to_s
     end
+
+    def self.provider_disable_implicit_sign_up?(provider)
+      !!(fetch_value(provider, "disableImplicitSignUp") || fetch_value(provider, "disableSignUp") || fetch_value(fetch_value(provider, "options") || {}, "disableSignUp"))
+    end
+
+    def self.provider_disable_sign_up?(provider)
+      !!(fetch_value(provider, "disableSignUp") || fetch_value(fetch_value(provider, "options") || {}, "disableSignUp"))
+    end
+
+    def self.linkable_provider?(ctx, provider_id, user_info, implicit: false)
+      linking = ctx.context.options.account[:account_linking] || {}
+      return false if linking[:enabled] == false
+      return false if implicit && linking[:disable_implicit_linking] == true
+
+      trusted = Array(linking[:trusted_providers]).map(&:to_s).include?(provider_id.to_s)
+      trusted || !!fetch_value(user_info, "emailVerified")
+    end
+
+    def self.link_social_account_from_callback(ctx, provider_id, user_info, tokens, link)
+      return {error: "unable_to_link_account"} unless linkable_provider?(ctx, provider_id, user_info)
+
+      email = fetch_value(user_info, "email").to_s.downcase
+      link_email = fetch_value(link, "email").to_s.downcase
+      unless email == link_email || ctx.context.options.account.dig(:account_linking, :allow_different_emails)
+        return {error: "email_doesn't_match"}
+      end
+
+      account_id = fetch_value(user_info, "id").to_s
+      user_id = fetch_value(link, "userId").to_s
+      account_info = token_hash_for_storage(ctx, tokens).merge(
+        "providerId" => provider_id,
+        "accountId" => account_id,
+        "userId" => user_id
+      )
+      existing = ctx.context.internal_adapter.find_account_by_provider_id(account_id, provider_id)
+      if existing
+        return {error: "account_already_linked_to_different_user"} if existing["userId"].to_s != user_id
+
+        ctx.context.internal_adapter.update_account(existing["id"], account_info)
+      else
+        ctx.context.internal_adapter.create_account(account_info)
+      end
+
+      if ctx.context.options.account.dig(:account_linking, :update_user_info_on_link)
+        ctx.context.internal_adapter.update_user(user_id, {
+          name: fetch_value(user_info, "name"),
+          image: fetch_value(user_info, "image")
+        }.compact)
+      end
+      update_verified_email_on_link(ctx, user_id, link_email, user_info)
+
+      {status: true}
+    end
+
+    def self.safe_additional_state(body)
+      additional = body["additionalData"] || body["additional_data"]
+      return {} unless additional.is_a?(Hash)
+
+      reserved = %w[callbackURL callbackUrl callback_url errorCallbackURL errorCallbackUrl error_callback_url errorURL error_url newUserCallbackURL newUserCallbackUrl new_user_callback_url newUserURL new_user_url requestSignUp request_sign_up codeVerifier code_verifier link expiresAt expires_at]
+      normalize_hash(additional).reject { |key, _value| reserved.include?(key.to_s) }
+    end
+
+    def self.validate_social_callback_url!(context, callback_url, error_code)
+      validate_callback_url!(context, callback_url)
+    rescue APIError => error
+      return if oauth_proxy_callback_url?(context, callback_url)
+      raise error unless error.message == BASE_ERROR_CODES["INVALID_CALLBACK_URL"]
+
+      raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES[error_code])
+    end
+
+    def self.oauth_proxy_callback_url?(context, callback_url)
+      uri = URI.parse(callback_url.to_s)
+      proxy_path = "#{context.options.base_path}/oauth-proxy-callback"
+      return false unless uri.path == proxy_path
+
+      nested = URI.decode_www_form(uri.query.to_s).assoc("callbackURL")&.last
+      validate_callback_url!(context, nested)
+      true
+    rescue APIError, URI::InvalidURIError
+      false
+    end
+
+    def self.update_verified_email_on_link(ctx, user_id, current_email, social_user)
+      return unless fetch_value(social_user, "emailVerified")
+      return unless fetch_value(social_user, "email").to_s.downcase == current_email.to_s.downcase
+
+      ctx.context.internal_adapter.update_user(user_id, {"emailVerified" => true})
+    end
+
+    def self.parse_json_hash(value)
+      return value if value.is_a?(Hash)
+      return {} if value.nil? || value.to_s.empty?
+
+      parsed = JSON.parse(value.to_s)
+      parsed.is_a?(Hash) ? parsed : {}
+    rescue JSON::ParserError
+      {}
+    end
   end
 end