better_auth 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5e95c51ce68259fcccbbfabe1bd9ffa5383ce4c098161f1c2d54da76137fa0a
-  data.tar.gz: 7c81ade6292ced9b98c1c411c320e4ad6e05734ea891145f75a9205d6e4fdea0
+  metadata.gz: 38179f5800613263ca30525a3d878b91c2a5f9057f104b1f24cecbf72a0cc030
+  data.tar.gz: 9883d339ce2f1ab8f5a618da3708f4ab5bdde69a09fe98b48889b6069351c7bb
 SHA512:
-  metadata.gz: 4b7f5c635ce16aa7be7f3ea42c5fa03304b7c682821c8a82e55c81754ba330a88aba350f0a6ed59b171333766ba6a973c4a2d15cf3d46debeae42ddd59b602c5
-  data.tar.gz: 524ce3bfb3f023bcf057154fde0e88e0555753016d1297d67d40f2db6de6cf5516b0fcb8b513fd260cd284b38722eeffe9a02784d3d08a58cd5811cce23a1d39
+  metadata.gz: b0bdd97ab9d677df601b0eed5d387a09543743aee41d0243f7ed3981935c3391f3ae10dfc110fc41312a5a4b188f29581563f2c99154a8808ed3158cb47663ad
+  data.tar.gz: 6b9b76c6969e601e01506a2cd91a28abf13eeccf0446023fad7c58e8c95476f6110b7ac6f3979fc18705687589cff74748f839c685a8ccb791392d0d2e729c15

data/CHANGELOG.md

@@ -7,6 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2026-04-30
+
+### Added
+
+- Added upstream-parity helpers for async execution, host resolution, instrumentation, request state, URL handling, OAuth2, deprecation warnings, and expanded route behavior.
+- Added two-factor, OAuth protocol, social route, organization, admin, adapter, schema, and session parity coverage.
+
+### Changed
+
+- Aligned core auth, email OTP, generic OAuth, organization, two-factor, OAuth protocol, adapter, router, rate-limiter, logger, and middleware behavior more closely with upstream Better Auth.
+
+### Fixed
+
+- Fixed upstream parity gaps in organization handling, generic OAuth user info, email OTP sign-up, database schema behavior, and route/session edge cases.
+
+## [0.3.0] - 2026-04-29
+
+### Added
+
+- Added upstream-parity social provider support, including provider-specific authorization, token, profile, refresh, and revocation behavior for the expanded provider set.
+- Added OAuth/OIDC protocol hardening for authorization, callback, discovery, metadata, token, and userinfo flows.
+- Added upstream v1.6.9 parity coverage for schema generation, adapter behavior, plugin hooks, session handling, and account/user route edge cases.
+
+### Changed
+
+- Extracted MongoDB adapter support behind the external `better_auth-mongo-adapter` shim while preserving compatibility for existing adapter configuration.
+- Updated auth routes, router behavior, rate limiting, password and email-verification flows, and schema metadata to match upstream semantics more closely.
+
+### Fixed
+
+- Fixed social provider edge cases, magic-link expiration behavior, adapter value coercion, and callback/session handling across Rack integrations.
+
 ## [0.1.1] - 2026-03-22
 
 ### Fixed

data/README.md

@@ -90,7 +90,7 @@ Custom Better Auth-style password callbacks are still supported through `email_a
 
 ### Database Adapters
 
-The core gem ships framework-agnostic adapters for memory, PostgreSQL, MySQL, SQLite, MongoDB, and MSSQL. Driver gems are loaded only when their adapter is instantiated.
+The core gem ships framework-agnostic adapters for memory, PostgreSQL, MySQL, SQLite, and MSSQL. Driver gems are loaded only when their adapter is instantiated. MongoDB support lives in the external `better_auth-mongo-adapter` package so apps that do not use MongoDB do not install the Mongo driver.
 
 ```ruby
 auth = BetterAuth.auth(
@@ -100,6 +100,8 @@ auth = BetterAuth.auth(
 ```
 
 ```ruby
+require "better_auth/mongo_adapter"
+
 auth = BetterAuth.auth(
   secret: ENV.fetch("BETTER_AUTH_SECRET"),
   database: BetterAuth::Adapters::MongoDB.new(
@@ -155,7 +157,7 @@ export const authClient = createAuthClient({
 Add to your Gemfile:
 
 ```ruby
-gem 'better_auth', require: 'better_auth/rails'
+gem "better_auth-rails"
 ```
 
 Then in your ApplicationController:
@@ -170,7 +172,7 @@ Now you have access to `current_user` and authentication methods:
 
 ```ruby
 class PostsController < ApplicationController
-  before_action :authenticate_user!
+  before_action :require_authentication
 
   def index
     @posts = current_user.posts

data/lib/better_auth/adapters/internal_adapter.rb

@@ -59,9 +59,12 @@ module BetterAuth
       end
 
       def delete_user(user_id)
-        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted = hooks.delete([{field: "id", value: user_id}], "user")
+        return false if deleted == false
+
         hooks.delete_many([{field: "userId", value: user_id}], "account")
-        hooks.delete([{field: "id", value: user_id}], "user")
+        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted
       end
 
       def create_session(user_id, dont_remember_me = false, override = nil, override_all = false, context = nil)
@@ -74,28 +77,31 @@ module BetterAuth
           "userId" => user_id,
           "token" => token
         }.merge(timestamps)
+        base["id"] = generated_id if secondary_storage
         data = override_all ? base.merge(override) : override.merge(base)
 
         custom = secondary_storage && lambda do |session_data|
           actual_session = apply_schema_create("session", session_data)
           store_session(actual_session)
+          adapter.create(model: "session", data: actual_session, force_allow_id: true) if options.session[:store_session_in_database]
           actual_session
         end
-        execute_main = !secondary_storage || options.session[:store_session_in_database]
-        created = hooks.create(data, "session", custom: custom, context: context)
-        adapter.create(model: "session", data: data, force_allow_id: true) if secondary_storage && execute_main
-        created
+        hooks.create(data, "session", custom: custom, context: context)
       end
 
       def find_session(token)
         if secondary_storage
           data = parse_storage(secondary_storage.get(token))
-          return nil unless data
+          unless data
+            return nil unless options.session[:store_session_in_database] && !options.session[:preserve_session_in_database]
+          end
 
-          return {
-            session: normalize_session_dates(data["session"]),
-            user: normalize_user_dates(data["user"])
-          }
+          if data
+            return {
+              session: normalize_session_dates(data["session"]),
+              user: normalize_user_dates(data["user"])
+            }
+          end
         end
 
         found = find_session_with_user(token)
@@ -113,7 +119,9 @@ module BetterAuth
         data = stringify_keys(session)
         if secondary_storage
           return hooks.update(data, [{field: "token", value: token}], "session", custom: lambda { |actual_data|
-            update_stored_session(token, actual_data)
+            stored = update_stored_session(token, actual_data)
+            db = adapter.update(model: "session", where: [{field: "token", value: token}], update: actual_data) if options.session[:store_session_in_database]
+            db || stored
           })
         end
 
@@ -226,30 +234,93 @@ module BetterAuth
       end
 
       def create_verification_value(data)
-        hooks.create(timestamps.merge(stringify_keys(data)), "verification")
+        payload = timestamps.merge(stringify_keys(data))
+        stored_identifier = processed_verification_identifier(payload.fetch("identifier"))
+        payload["identifier"] = stored_identifier
+
+        custom = secondary_storage && lambda do |verification_data|
+          actual = apply_schema_create("verification", verification_data)
+          actual["id"] ||= generated_id
+          store_verification(actual)
+          adapter.create(model: "verification", data: actual, force_allow_id: true) if verification_store_in_database?
+          actual
+        end
+
+        hooks.create(payload, "verification", custom: custom)
       end
 
       def find_verification_value(identifier)
+        stored_identifier = processed_verification_identifier(identifier)
+        storage_option = verification_storage_option(identifier)
+        if secondary_storage
+          cached = read_verification(stored_identifier)
+          cached ||= read_verification(identifier) if storage_option && storage_option.to_s != "plain"
+          return cached if cached
+          return nil unless verification_store_in_database?
+        end
+
         values = adapter.find_many(
           model: "verification",
-          where: [{field: "identifier", value: identifier}],
+          where: [{field: "identifier", value: stored_identifier}],
           sort_by: {field: "createdAt", direction: "desc"},
           limit: 1
         )
+        if values.empty? && storage_option && storage_option.to_s != "plain"
+          values = adapter.find_many(
+            model: "verification",
+            where: [{field: "identifier", value: identifier}],
+            sort_by: {field: "createdAt", direction: "desc"},
+            limit: 1
+          )
+        end
         hooks.delete_many([{field: "expiresAt", value: Time.now, operator: "lt"}], "verification") unless options.verification[:disable_cleanup]
         values.first
       end
 
       def delete_verification_value(id)
+        if secondary_storage
+          stored_identifier = secondary_storage.get(verification_id_key(id))
+          if stored_identifier
+            secondary_storage.delete(verification_key(stored_identifier))
+            secondary_storage.delete(verification_id_key(id))
+            return nil unless verification_store_in_database?
+          elsif !verification_store_in_database?
+            return nil
+          end
+        end
+
         hooks.delete([{field: "id", value: id}], "verification")
       end
 
       def delete_verification_by_identifier(identifier)
-        hooks.delete([{field: "identifier", value: identifier}], "verification")
+        stored_identifier = processed_verification_identifier(identifier)
+        if secondary_storage
+          cached = read_verification(stored_identifier)
+          secondary_storage.delete(verification_key(stored_identifier))
+          secondary_storage.delete(verification_id_key(cached["id"])) if cached && cached["id"]
+          return nil unless verification_store_in_database?
+        end
+
+        hooks.delete([{field: "identifier", value: stored_identifier}], "verification")
       end
 
       def update_verification_value(id, data)
-        hooks.update(stringify_keys(data), [{field: "id", value: id}], "verification")
+        update = stringify_keys(data)
+        if secondary_storage
+          stored_identifier = secondary_storage.get(verification_id_key(id))
+          if stored_identifier
+            cached = read_verification(stored_identifier)
+            if cached
+              updated = cached.merge(update)
+              store_verification(updated)
+              return updated unless verification_store_in_database?
+            end
+          elsif !verification_store_in_database?
+            return nil
+          end
+        end
+
+        hooks.update(update, [{field: "id", value: id}], "verification")
       end
 
       private
@@ -285,6 +356,14 @@ module BetterAuth
         {"createdAt" => now, "updatedAt" => now}
       end
 
+      def generated_id
+        generator = options.advanced.dig(:database, :generate_id)
+        return generator.call.to_s if generator.respond_to?(:call)
+        return SecureRandom.uuid if generator == "uuid"
+
+        SecureRandom.hex(16)
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[Schema.storage_key(key)] = value
@@ -295,6 +374,8 @@ module BetterAuth
         fields = Schema.auth_tables(options)[model]&.fetch(:fields)
         fields ||= session_additional_fields if model == "session"
         output = stringify_keys(data)
+        return output unless fields
+
         fields.each do |field, attributes|
           unless output.key?(field)
             if attributes.key?(:default_value)
@@ -334,7 +415,8 @@ module BetterAuth
           .push({"token" => session["token"], "expiresAt" => expires_ms})
           .sort_by { |entry| entry["expiresAt"] }
         write_active_sessions(session["userId"], entries)
-        secondary_storage.set(session["token"], JSON.generate({session: session, user: user}), ttl(expires_ms))
+        ttl_seconds = ttl(expires_ms)
+        secondary_storage.set(session["token"], JSON.generate({session: session, user: user}), ttl_seconds) if ttl_seconds.positive?
       end
 
       def update_stored_session(token, data)
@@ -345,7 +427,12 @@ module BetterAuth
         merged["expiresAt"] = normalize_time(merged["expiresAt"])
         merged["createdAt"] = normalize_time(merged["createdAt"])
         merged["updatedAt"] = normalize_time(merged["updatedAt"])
-        secondary_storage.set(token, JSON.generate({session: merged, user: parsed["user"]}), ttl(millis(merged["expiresAt"])))
+        ttl_seconds = ttl(millis(merged["expiresAt"]))
+        if ttl_seconds.positive?
+          secondary_storage.set(token, JSON.generate({session: merged, user: parsed["user"]}), ttl_seconds)
+        else
+          secondary_storage.delete(token)
+        end
         entries = active_session_entries(merged["userId"])
           .reject { |entry| entry["token"] == token || entry["expiresAt"].to_i <= current_millis }
           .push({"token" => token, "expiresAt" => millis(merged["expiresAt"])})
@@ -369,7 +456,7 @@ module BetterAuth
         raw = secondary_storage.get(active_key(user_id))
         Array(parse_storage(raw)).map do |entry|
           entry.transform_keys(&:to_s)
-        end
+        end.uniq { |entry| entry["token"] }
       end
 
       def write_active_sessions(user_id, entries)
@@ -377,7 +464,12 @@ module BetterAuth
         if future.empty?
           secondary_storage.delete(active_key(user_id))
         else
-          secondary_storage.set(active_key(user_id), JSON.generate(future), ttl(future.last["expiresAt"]))
+          ttl_seconds = ttl(future.last["expiresAt"])
+          if ttl_seconds.positive?
+            secondary_storage.set(active_key(user_id), JSON.generate(future), ttl_seconds)
+          else
+            secondary_storage.delete(active_key(user_id))
+          end
         end
       end
 
@@ -415,6 +507,67 @@ module BetterAuth
         )
       end
 
+      def normalize_verification_dates(verification)
+        return nil unless verification
+
+        verification.transform_keys(&:to_s).merge(
+          "expiresAt" => normalize_time(verification["expiresAt"] || verification[:expiresAt]),
+          "createdAt" => normalize_time(verification["createdAt"] || verification[:createdAt]),
+          "updatedAt" => normalize_time(verification["updatedAt"] || verification[:updatedAt])
+        )
+      end
+
+      def store_verification(verification)
+        normalized = normalize_verification_dates(verification)
+        ttl_seconds = ttl(millis(normalized["expiresAt"]))
+        return normalized unless ttl_seconds.positive?
+
+        secondary_storage.set(verification_key(normalized["identifier"]), JSON.generate(normalized), ttl_seconds)
+        secondary_storage.set(verification_id_key(normalized["id"]), normalized["identifier"], ttl_seconds) if normalized["id"]
+        normalized
+      end
+
+      def read_verification(identifier)
+        normalize_verification_dates(parse_storage(secondary_storage.get(verification_key(identifier))))
+      end
+
+      def verification_key(identifier)
+        "verification:#{identifier}"
+      end
+
+      def verification_id_key(id)
+        "verification-id:#{id}"
+      end
+
+      def verification_store_in_database?
+        !!options.verification[:store_in_database]
+      end
+
+      def processed_verification_identifier(identifier)
+        option = verification_storage_option(identifier)
+        return identifier.to_s if option.nil? || option.to_s == "plain"
+        return Crypto.sha256(identifier.to_s, encoding: :base64url) if option.to_s == "hashed"
+        return option[:hash].call(identifier.to_s).to_s if option.is_a?(Hash) && option[:hash].respond_to?(:call)
+        return option["hash"].call(identifier.to_s).to_s if option.is_a?(Hash) && option["hash"].respond_to?(:call)
+
+        identifier.to_s
+      end
+
+      def verification_storage_option(identifier)
+        config = options.verification[:store_identifier]
+        return nil unless config
+
+        if config.is_a?(Hash) && (config.key?(:default) || config.key?("default"))
+          overrides = config[:overrides] || config["overrides"] || {}
+          overrides.each do |prefix, option|
+            return option if identifier.to_s.start_with?(prefix.to_s)
+          end
+          return config[:default] || config["default"]
+        end
+
+        config
+      end
+
       def normalize_time(value)
         return value if value.is_a?(Time)
         return Time.at(value / 1000.0) if value.is_a?(Integer) && value > 10_000_000_000

data/lib/better_auth/adapters/memory.rb

@@ -156,33 +156,79 @@ module BetterAuth
         value = fetch_key(clause, :value)
         operator = (fetch_key(clause, :operator) || "eq").to_s
         current = record[field]
+        comparable = coerce_where_value(record, field, value, operator)
 
         case operator
         when "in"
-          Array(value).include?(current)
+          Array(comparable).include?(current)
         when "not_in"
-          !Array(value).include?(current)
+          !Array(comparable).include?(current)
         when "contains"
-          current.to_s.include?(value.to_s)
+          current.to_s.include?(comparable.to_s)
         when "starts_with"
-          current.to_s.start_with?(value.to_s)
+          current.to_s.start_with?(comparable.to_s)
         when "ends_with"
-          current.to_s.end_with?(value.to_s)
+          current.to_s.end_with?(comparable.to_s)
         when "ne"
-          current != value
+          current != comparable
         when "gt"
-          !value.nil? && current > value
+          !comparable.nil? && current > comparable
         when "gte"
-          !value.nil? && current >= value
+          !comparable.nil? && current >= comparable
         when "lt"
-          !value.nil? && current < value
+          !comparable.nil? && current < comparable
         when "lte"
-          !value.nil? && current <= value
+          !comparable.nil? && current <= comparable
         else
-          current == value
+          current == comparable
         end
       end
 
+      def coerce_where_value(record, field, value, operator)
+        attributes = schema_for_record_field(record, field)
+        return value unless attributes
+        return Array(value).map { |entry| coerce_scalar_where_value(entry, attributes) } if %w[in not_in].include?(operator)
+
+        coerce_scalar_where_value(value, attributes)
+      end
+
+      def schema_for_record_field(record, field)
+        db.each_key do |model|
+          fields = Schema.auth_tables(options)[model]&.fetch(:fields, nil)
+          next unless fields&.key?(field)
+          return fields[field] if table_for(model).include?(record)
+        end
+        nil
+      end
+
+      def coerce_scalar_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return false if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return true if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        when "number[]"
+          return Array(value).map { |entry| coerce_number(entry) }
+        when "string[]"
+          return Array(value).map(&:to_s)
+        end
+
+        value
+      end
+
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
       def sort_records(model, records, sort_by)
         field = Schema.storage_key(fetch_key(sort_by, :field))
         direction = fetch_key(sort_by, :direction).to_s
@@ -225,7 +271,10 @@ module BetterAuth
       end
 
       def fetch_key(hash, key)
-        hash[key] || hash[key.to_s] || hash[Schema.storage_key(key)] || hash[Schema.storage_key(key).to_sym]
+        [key, key.to_s, Schema.storage_key(key), Schema.storage_key(key).to_sym].each do |candidate|
+          return hash[candidate] if hash.key?(candidate)
+        end
+        nil
       end
     end
   end