better_auth 0.2.0 → 0.3.0

data/lib/better_auth/social_providers/dropbox.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def dropbox(client_id:, client_secret:, scopes: ["account_info.read"], **options)
+      Base.oauth_provider(
+        id: "dropbox",
+        name: "Dropbox",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.dropbox.com/oauth2/authorize",
+        token_endpoint: "https://api.dropboxapi.com/oauth2/token",
+        user_info_endpoint: "https://api.dropboxapi.com/2/users/get_current_account",
+        user_info_method: :post,
+        scopes: scopes,
+        pkce: true,
+        auth_params: ->(_data, opts) { {token_access_type: opts[:access_type] || opts[:accessType]} },
+        profile_map: ->(profile) {
+          {
+            id: profile["account_id"],
+            name: profile.dig("name", "display_name"),
+            email: profile["email"],
+            image: profile["profile_photo_url"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/facebook.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def facebook(client_id:, client_secret:, scopes: ["email", "public_profile"], **options)
+      fields = Array(options[:fields] || %w[id name email picture email_verified]).join(",")
+      provider = Base.oauth_provider(
+        id: "facebook",
+        name: "Facebook",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.facebook.com/v24.0/dialog/oauth",
+        token_endpoint: "https://graph.facebook.com/v24.0/oauth/access_token",
+        user_info_endpoint: "https://graph.facebook.com/me?fields=#{URI.encode_www_form_component(fields)}",
+        scopes: scopes,
+        auth_params: ->(_data, opts) { {config_id: opts[:config_id] || opts[:configId]} },
+        profile_map: ->(profile) {
+          picture = profile.dig("picture", "data", "url") || profile["picture"]
+          {
+            id: profile["id"] || profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: picture,
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !token.to_s.empty? }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/figma.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def figma(client_id:, client_secret:, scopes: ["current_user:read"], **options)
+      Base.oauth_provider(
+        id: "figma",
+        name: "Figma",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.figma.com/oauth",
+        token_endpoint: "https://api.figma.com/v1/oauth/token",
+        user_info_endpoint: "https://api.figma.com/v1/me",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["handle"],
+            email: profile["email"],
+            image: profile["img_url"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/github.rb

@@ -5,6 +5,10 @@ module BetterAuth
     module_function
 
     def github(client_id:, client_secret:, scopes: ["read:user", "user:email"], **options)
+      normalized = Base.normalize_options(options)
+      token_endpoint = normalized[:token_endpoint] || "https://github.com/login/oauth/access_token"
+      user_info_endpoint = normalized[:user_info_endpoint] || "https://api.github.com/user"
+      emails_endpoint = normalized[:emails_endpoint] || "https://api.github.com/user/emails"
       {
         id: "github",
         name: "GitHub",
@@ -14,14 +18,14 @@ module BetterAuth
           Base.authorization_url(options[:authorization_endpoint] || "https://github.com/login/oauth/authorize", {
             client_id: client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state],
             login_hint: data[:loginHint] || data[:login_hint],
             prompt: options[:prompt]
           })
         end,
         validate_authorization_code: lambda do |data|
-          Base.post_form("https://github.com/login/oauth/access_token", {
+          Base.post_form(token_endpoint, {
             client_id: client_id,
             client_secret: client_secret,
             code: data[:code],
@@ -30,28 +34,39 @@ module BetterAuth
           })
         end,
         get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
           headers = {
             "Authorization" => "Bearer #{Base.access_token(tokens)}",
             "Accept" => "application/json",
             "User-Agent" => "better-auth"
           }
-          profile = Base.get_json("https://api.github.com/user", headers)
-          emails = Base.get_json("https://api.github.com/user/emails", headers)
+          profile = Base.get_json(user_info_endpoint, headers)
+          emails = Base.get_json(emails_endpoint, headers)
           primary = Array(emails).find { |email| email["email"] == profile["email"] } ||
             Array(emails).find { |email| email["primary"] } ||
             Array(emails).first ||
             {}
 
-          {
-            user: {
+          user = Base.apply_profile_mapping(
+            {
               id: profile["id"].to_s,
               email: profile["email"] || primary["email"],
               name: profile["name"] || profile["login"],
               image: profile["avatar_url"],
               emailVerified: !!primary["verified"]
             },
+            profile,
+            normalized
+          )
+          {
+            user: user,
             data: profile
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token(token_endpoint, refresh_token, client_id: client_id, client_secret: client_secret)
         end
       }
     end

data/lib/better_auth/social_providers/gitlab.rb

@@ -6,6 +6,7 @@ module BetterAuth
 
     def gitlab(client_id:, client_secret:, issuer: "https://gitlab.com", scopes: ["read_user"], **options)
       base = issuer.to_s.sub(%r{/+\z}, "")
+      normalized = Base.normalize_options(options)
       {
         id: "gitlab",
         name: "GitLab",
@@ -16,7 +17,7 @@ module BetterAuth
             client_id: client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
             response_type: "code",
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state],
             code_challenge: (data[:code_verifier] || data[:codeVerifier]) && Base.pkce_challenge(data[:code_verifier] || data[:codeVerifier]),
             code_challenge_method: (data[:code_verifier] || data[:codeVerifier]) && "S256",
@@ -34,19 +35,31 @@ module BetterAuth
           })
         end,
         get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
           profile = Base.get_json("#{base}/api/v4/user", "Authorization" => "Bearer #{Base.access_token(tokens)}")
           return nil if profile["state"] && profile["state"] != "active"
+          return nil if profile["locked"] == true
 
-          {
-            user: {
+          user = Base.apply_profile_mapping(
+            {
               id: profile["id"].to_s,
               email: profile["email"],
               name: profile["name"] || profile["username"],
               image: profile["avatar_url"],
               emailVerified: !!profile["email_verified"]
             },
+            profile,
+            normalized
+          )
+          {
+            user: user,
             data: profile
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("#{base}/oauth/token", refresh_token, client_id: client_id, client_secret: client_secret)
         end
       }
     end

data/lib/better_auth/social_providers/google.rb

@@ -5,6 +5,8 @@ module BetterAuth
     module_function
 
     def google(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
       {
         id: "google",
         name: "Google",
@@ -12,11 +14,13 @@ module BetterAuth
         client_secret: client_secret,
         create_authorization_url: lambda do |data|
           verifier = data[:code_verifier] || data[:codeVerifier]
+          raise Error, "codeVerifier is required for Google" if verifier.to_s.empty?
+
           Base.authorization_url(options[:authorization_endpoint] || "https://accounts.google.com/o/oauth2/v2/auth", {
-            client_id: client_id,
+            client_id: primary_client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
             response_type: "code",
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state],
             code_challenge: verifier && Base.pkce_challenge(verifier),
             code_challenge_method: verifier && "S256",
@@ -30,7 +34,7 @@ module BetterAuth
         end,
         validate_authorization_code: lambda do |data|
           Base.post_form("https://oauth2.googleapis.com/token", {
-            client_id: client_id,
+            client_id: primary_client_id,
             client_secret: client_secret,
             code: data[:code],
             code_verifier: data[:code_verifier] || data[:codeVerifier],
@@ -38,26 +42,47 @@ module BetterAuth
             redirect_uri: data[:redirect_uri] || data[:redirectURI]
           })
         end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          audiences = Array(client_id)
+          return false if audiences.empty?
+
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "https://www.googleapis.com/oauth2/v3/certs",
+            algorithms: ["RS256"],
+            issuers: ["https://accounts.google.com", "accounts.google.com"],
+            audience: audiences,
+            nonce: nonce
+          )
+          !!profile&.fetch("sub", nil)
+        end,
         get_user_info: lambda do |tokens|
-          profile = if Base.id_token(tokens)
-            Base.decode_jwt_payload(Base.id_token(tokens))
-          else
-            Base.get_json(
-              "https://openidconnect.googleapis.com/v1/userinfo",
-              "Authorization" => "Bearer #{Base.access_token(tokens)}"
-            )
-          end
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+          next nil unless Base.id_token(tokens)
 
-          {
-            user: {
+          profile = Base.decode_jwt_payload(Base.id_token(tokens))
+          user = Base.apply_profile_mapping(
+            {
               id: profile["sub"],
               email: profile["email"],
               name: profile["name"],
               image: profile["picture"],
               emailVerified: !!profile["email_verified"]
             },
+            profile,
+            normalized
+          )
+          {
+            user: user,
             data: profile
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("https://oauth2.googleapis.com/token", refresh_token, client_id: primary_client_id, client_secret: client_secret)
         end
       }
     end

data/lib/better_auth/social_providers/huggingface.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def huggingface(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      Base.oauth_provider(
+        id: "huggingface",
+        name: "Hugging Face",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://huggingface.co/oauth/authorize",
+        token_endpoint: "https://huggingface.co/oauth/token",
+        user_info_endpoint: "https://huggingface.co/oauth/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["preferred_username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/kakao.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def kakao(client_id:, client_secret:, scopes: ["account_email", "profile_image", "profile_nickname"], **options)
+      Base.oauth_provider(
+        id: "kakao",
+        name: "Kakao",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://kauth.kakao.com/oauth/authorize",
+        token_endpoint: "https://kauth.kakao.com/oauth/token",
+        user_info_endpoint: "https://kapi.kakao.com/v2/user/me",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          account = profile["kakao_account"] || {}
+          kakao_profile = account["profile"] || {}
+          {
+            id: profile["id"].to_s,
+            name: kakao_profile["nickname"] || account["name"] || "",
+            email: account["email"],
+            image: kakao_profile["profile_image_url"] || kakao_profile["thumbnail_image_url"],
+            emailVerified: !!account["is_email_valid"] && !!account["is_email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/kick.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def kick(client_id:, client_secret:, scopes: ["user:read"], **options)
+      Base.oauth_provider(
+        id: "kick",
+        name: "Kick",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://id.kick.com/oauth/authorize",
+        token_endpoint: "https://id.kick.com/oauth/token",
+        user_info_endpoint: "https://api.kick.com/public/v1/users",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          user = Array(profile["data"]).first || profile
+          {
+            id: user["user_id"],
+            name: user["name"],
+            email: user["email"],
+            image: user["profile_picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/line.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def line(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      provider = Base.oauth_provider(
+        id: "line",
+        name: "LINE",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://access.line.me/oauth2/v2.1/authorize",
+        token_endpoint: "https://api.line.me/oauth2/v2.1/token",
+        user_info_endpoint: "https://api.line.me/oauth2/v2.1/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"] || profile["userId"],
+            name: profile["name"] || profile["displayName"] || "",
+            email: profile["email"],
+            image: profile["picture"] || profile["pictureUrl"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !Base.decode_jwt_payload(token).empty? }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/linear.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def linear(client_id:, client_secret:, scopes: ["read"], **options)
+      provider = Base.oauth_provider(
+        id: "linear",
+        name: "Linear",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://linear.app/oauth/authorize",
+        token_endpoint: "https://api.linear.app/oauth/token",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          viewer = profile.dig("data", "viewer") || {}
+          {
+            id: viewer["id"],
+            name: viewer["name"],
+            email: viewer["email"],
+            image: viewer["avatarUrl"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:get_user_info] = lambda do |tokens|
+        custom = Base.option(provider[:options], :get_user_info)
+        profile = custom ? custom.call(tokens) : Base.post_json(
+          "https://api.linear.app/graphql",
+          {query: "{ viewer { id name email avatarUrl active createdAt updatedAt } }"},
+          "Authorization" => "Bearer #{Base.access_token(tokens)}"
+        )
+        return profile if Base.provider_user_info?(profile)
+
+        mapped = provider[:options][:map_profile_to_user]&.call(profile) || {}
+        viewer = profile.dig("data", "viewer") || {}
+        {user: {id: viewer["id"], name: viewer["name"], email: viewer["email"], image: viewer["avatarUrl"], emailVerified: false}.merge(mapped), data: profile}
+      end
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/linkedin.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def linkedin(client_id:, client_secret:, scopes: ["profile", "email", "openid"], **options)
+      Base.oauth_provider(
+        id: "linkedin",
+        name: "Linkedin",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.linkedin.com/oauth/v2/authorization",
+        token_endpoint: "https://www.linkedin.com/oauth/v2/accessToken",
+        user_info_endpoint: "https://api.linkedin.com/v2/userinfo",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/microsoft_entra_id.rb

@@ -5,20 +5,48 @@ module BetterAuth
     module_function
 
     def microsoft_entra_id(client_id:, client_secret:, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft-entra-id",
+        provider_name: "Microsoft Entra ID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft(client_id:, client_secret: nil, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft",
+        provider_name: "Microsoft EntraID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft_provider(provider_id:, provider_name:, client_id:, client_secret:, tenant_id:, scopes:, **options)
       authority = options[:authority] || "https://login.microsoftonline.com"
       base = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/oauth2/v2.0"
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
       {
-        id: "microsoft-entra-id",
-        name: "Microsoft Entra ID",
+        id: provider_id,
+        name: provider_name,
         client_id: client_id,
         client_secret: client_secret,
         create_authorization_url: lambda do |data|
           verifier = data[:code_verifier] || data[:codeVerifier]
           Base.authorization_url(options[:authorization_endpoint] || "#{base}/authorize", {
-            client_id: client_id,
+            client_id: primary_client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
             response_type: "code",
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state],
             code_challenge: verifier && Base.pkce_challenge(verifier),
             code_challenge_method: verifier && "S256",
@@ -28,7 +56,7 @@ module BetterAuth
         end,
         validate_authorization_code: lambda do |data|
           Base.post_form("#{base}/token", {
-            client_id: client_id,
+            client_id: primary_client_id,
             client_secret: client_secret,
             code: data[:code],
             code_verifier: data[:code_verifier] || data[:codeVerifier],
@@ -36,21 +64,65 @@ module BetterAuth
             redirect_uri: data[:redirect_uri] || data[:redirectURI]
           })
         end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          issuers = nil
+          unless %w[common organizations consumers].include?(tenant_id.to_s)
+            issuers = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/v2.0"
+          end
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/discovery/v2.0/keys",
+            algorithms: ["RS256"],
+            issuers: issuers,
+            audience: Array(client_id),
+            nonce: nonce
+          )
+
+          !!(profile&.fetch("sub", nil) || profile&.fetch("oid", nil))
+        end,
         get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
           profile = Base.id_token(tokens) ? Base.decode_jwt_payload(Base.id_token(tokens)) : {}
           profile = Base.get_json("https://graph.microsoft.com/v1.0/me", "Authorization" => "Bearer #{Base.access_token(tokens)}") if profile.empty?
+          unless normalized[:disable_profile_photo]
+            photo_size = normalized[:profile_photo_size] || 48
+            photo = Base.get_bytes(
+              "https://graph.microsoft.com/v1.0/me/photos/#{photo_size}x#{photo_size}/$value",
+              "Authorization" => "Bearer #{Base.access_token(tokens)}"
+            )
+            profile["picture"] = "data:image/jpeg;base64, #{Base64.strict_encode64(photo)}" if photo
+          end
           email = profile["email"] || profile["mail"] || profile["userPrincipalName"] || profile["preferred_username"]
 
-          {
-            user: {
+          user = Base.apply_profile_mapping(
+            {
               id: profile["sub"] || profile["id"] || profile["oid"],
               email: email,
               name: profile["name"] || profile["displayName"],
               image: profile["picture"],
               emailVerified: microsoft_email_verified?(profile, email)
             },
+            profile,
+            normalized
+          )
+          {
+            user: user,
             data: profile
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token(
+            "#{base}/token",
+            refresh_token,
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            extra_params: {scope: Base.selected_scopes(scopes, normalized, {}).join(" ")}
+          )
         end
       }
     end