better_auth 0.2.0 → 0.4.0

data/lib/better_auth/host.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module BetterAuth
+  module Host
+    CLOUD_METADATA_HOSTS = [
+      "metadata.google.internal",
+      "metadata.goog",
+      "metadata",
+      "instance-data",
+      "instance-data.ec2.internal"
+    ].freeze
+
+    module_function
+
+    def classify_host(host)
+      canonical_input = normalize_input(host)
+      lowered = canonical_input.downcase
+      return {kind: :reserved, literal: :fqdn, canonical: ""} if lowered.empty?
+
+      address = parse_ip(lowered)
+      unless address
+        return {kind: :localhost, literal: :fqdn, canonical: lowered} if lowered == "localhost" || lowered.end_with?(".localhost")
+        return {kind: :cloud_metadata, literal: :fqdn, canonical: lowered} if CLOUD_METADATA_HOSTS.include?(lowered)
+
+        return {kind: :public, literal: :fqdn, canonical: lowered}
+      end
+
+      native = address.respond_to?(:native) ? address.native : address
+      if native.ipv4?
+        canonical = native.to_s
+        return {kind: classify_ipv4(canonical), literal: :ipv4, canonical: canonical}
+      end
+
+      canonical = expanded_ipv6(native)
+      {kind: classify_ipv6(canonical), literal: :ipv6, canonical: canonical}
+    end
+
+    def loopback_ip?(host)
+      classify_host(host)[:kind] == :loopback
+    end
+
+    def loopback_host?(host)
+      [:loopback, :localhost].include?(classify_host(host)[:kind])
+    end
+
+    def public_routable_host?(host)
+      classify_host(host)[:kind] == :public
+    end
+
+    def normalize_input(host)
+      value = host.to_s.strip
+      value = strip_port(value)
+      value = value[1...-1] if value.start_with?("[") && value.end_with?("]")
+      value = value.split("%", 2).first || ""
+      value.gsub(/\.+\z/, "")
+    end
+
+    def strip_port(host)
+      if host.start_with?("[")
+        closing = host.index("]")
+        return host unless closing
+
+        return host[0..closing] if host[(closing + 1)..]&.match?(/\A:\d+\z/)
+        return host
+      end
+
+      first_colon = host.index(":")
+      return host unless first_colon
+      return host if host.index(":", first_colon + 1)
+
+      host[0...first_colon]
+    end
+
+    def parse_ip(host)
+      IPAddr.new(host)
+    rescue ArgumentError
+      nil
+    end
+
+    def classify_ipv4(ip)
+      return :unspecified if ip == "0.0.0.0"
+      return :broadcast if ip == "255.255.255.255"
+
+      value = ipv4_to_i(ip)
+      return :loopback if ipv4_range?(value, "127.0.0.0", 8)
+      return :private if ipv4_range?(value, "10.0.0.0", 8)
+      return :private if ipv4_range?(value, "172.16.0.0", 12)
+      return :private if ipv4_range?(value, "192.168.0.0", 16)
+      return :link_local if ipv4_range?(value, "169.254.0.0", 16)
+      return :shared_address_space if ipv4_range?(value, "100.64.0.0", 10)
+      return :documentation if ipv4_range?(value, "192.0.2.0", 24)
+      return :documentation if ipv4_range?(value, "198.51.100.0", 24)
+      return :documentation if ipv4_range?(value, "203.0.113.0", 24)
+      return :benchmarking if ipv4_range?(value, "198.18.0.0", 15)
+      return :multicast if ipv4_range?(value, "224.0.0.0", 4)
+      return :reserved if ipv4_range?(value, "0.0.0.0", 8)
+      return :reserved if ipv4_range?(value, "192.0.0.0", 24)
+      return :reserved if ipv4_range?(value, "240.0.0.0", 4)
+
+      :public
+    end
+
+    def ipv4_to_i(ip)
+      ip.split(".").map(&:to_i).reduce(0) { |sum, part| (sum << 8) + part }
+    end
+
+    def ipv4_range?(value, prefix, length)
+      mask = (length == 32) ? 0xffffffff : ((0xffffffff << (32 - length)) & 0xffffffff)
+      (value & mask) == (ipv4_to_i(prefix) & mask)
+    end
+
+    def classify_ipv6(expanded)
+      return :unspecified if expanded == "0000:0000:0000:0000:0000:0000:0000:0000"
+      return :loopback if expanded == "0000:0000:0000:0000:0000:0000:0000:0001"
+
+      first_byte = expanded[0, 2].to_i(16)
+      second_byte = expanded[2, 2].to_i(16)
+
+      return :multicast if first_byte == 0xff
+      return :link_local if first_byte == 0xfe && (second_byte & 0xc0) == 0x80
+      return :private if (first_byte & 0xfe) == 0xfc
+      return :documentation if expanded.start_with?("2001:0db8:")
+
+      if expanded.start_with?("2002:")
+        embedded = embedded_ipv4(expanded, 1)
+        return (classify_ipv4(embedded) == :public) ? :public : :reserved if embedded
+      end
+
+      if expanded.start_with?("0064:ff9b:0000:0000:0000:0000:")
+        embedded = embedded_ipv4(expanded, 6)
+        return :reserved if embedded
+      end
+
+      if expanded.start_with?("2001:0000:")
+        embedded = embedded_ipv4(expanded, 6, xor: true)
+        return :reserved if embedded
+      end
+
+      return :reserved if expanded.start_with?("0100:0000:0000:0000:")
+
+      :public
+    end
+
+    def embedded_ipv4(expanded, start_group, xor: false)
+      groups = expanded.split(":")
+      combined = (groups.fetch(start_group).to_i(16) << 16) | groups.fetch(start_group + 1).to_i(16)
+      combined ^= 0xffffffff if xor
+      [
+        (combined >> 24) & 0xff,
+        (combined >> 16) & 0xff,
+        (combined >> 8) & 0xff,
+        combined & 0xff
+      ].join(".")
+    rescue IndexError
+      nil
+    end
+
+    def expanded_ipv6(address)
+      address.hton.bytes.each_slice(2).map do |high, low|
+        ((high << 8) + low).to_s(16).rjust(4, "0")
+      end.join(":")
+    end
+  end
+end

data/lib/better_auth/instrumentation.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Instrumentation
+    module SpanStatusCode
+      UNSET = 0
+      OK = 1
+      ERROR = 2
+    end
+
+    class NoopSpan
+      def set_attribute(_key, _value)
+        self
+      end
+
+      def set_attributes(_attributes)
+        self
+      end
+
+      def record_exception(_error)
+        self
+      end
+
+      def set_status(_status)
+        self
+      end
+
+      def add_event(_name, _attributes = nil)
+        self
+      end
+
+      def end
+        self
+      end
+    end
+
+    class NoopTracer
+      def start_active_span(_name, attributes: {}, &block)
+        span = NoopSpan.new
+        return span unless block
+
+        block.call(span)
+      ensure
+        span&.end
+      end
+    end
+
+    class Trace
+      def get_tracer(_name = "better-auth")
+        NoopTracer.new
+      end
+
+      def get_active_span
+        NoopSpan.new
+      end
+    end
+
+    module_function
+
+    def trace
+      @trace ||= Trace.new
+    end
+
+    def with_span(name, attributes: {}, &block)
+      trace.get_tracer("better-auth").start_active_span(name, attributes: attributes) do |span|
+        block.call(span)
+      rescue => error
+        span.record_exception(error)
+        span.set_status(SpanStatusCode::ERROR)
+        raise
+      end
+    end
+  end
+end

data/lib/better_auth/logger.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Logger
+    LEVELS = [:debug, :info, :success, :warn, :error].freeze
+
+    Internal = Struct.new(:level, :disabled, :handler, keyword_init: true) do
+      LEVELS.each do |log_level|
+        define_method(log_level) do |message, *args|
+          return if disabled || !Logger.should_publish?(level, log_level)
+
+          if handler
+            handler.call((log_level == :success) ? :info : log_level, message, *args)
+          else
+            Kernel.warn("#{log_level.upcase} [Better Auth]: #{message}")
+          end
+        end
+      end
+    end
+
+    module_function
+
+    def should_publish?(current_log_level, log_level)
+      LEVELS.index(log_level.to_sym).to_i >= LEVELS.index(current_log_level.to_sym).to_i
+    end
+
+    def create(level: :warn, disabled: false, log: nil, **)
+      Internal.new(level: level.to_sym, disabled: disabled, handler: log)
+    end
+  end
+end

data/lib/better_auth/middleware/origin_check.rb

@@ -14,7 +14,7 @@ module BetterAuth
 
         validate_origin(endpoint_context)
         validate_fetch_metadata(endpoint_context)
-        return if skip_origin_check?(endpoint_context)
+        return if skip_origin_check?(endpoint_context) || skip_origin_path?(endpoint_context)
 
         validate_callback_urls(endpoint_context)
         nil
@@ -87,7 +87,7 @@ module BetterAuth
       end
 
       def skip_origin_check?(endpoint_context)
-        !!endpoint_context.context.options.advanced[:disable_origin_check]
+        endpoint_context.context.options.advanced[:disable_origin_check] == true
       end
 
       def skip_csrf_for_backward_compat?(endpoint_context)

data/lib/better_auth/oauth2.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require "base64"
+require "net/http"
+require "uri"
+require "jwt"
+
+module BetterAuth
+  module OAuth2
+    module_function
+
+    def validate_token(token, jwks:, audience: nil, issuer: nil)
+      header = JWT.decode(token, nil, false).last
+      kid = header["kid"]
+      raise APIError.new("UNAUTHORIZED", message: "Missing jwt kid") if kid.to_s.empty?
+
+      key_data = Array(jwks["keys"] || jwks[:keys]).find { |key| (key["kid"] || key[:kid]).to_s == kid.to_s }
+      raise APIError.new("UNAUTHORIZED", message: "kid doesn't match any key") unless key_data
+
+      public_key = JWT::JWK.import(stringify_keys(key_data)).public_key
+      algorithm = header["alg"] || key_data["alg"] || key_data[:alg]
+      options = {algorithm: algorithm}
+      options[:aud] = audience if audience
+      options[:verify_aud] = true if audience
+      options[:iss] = issuer if issuer
+      options[:verify_iss] = true if issuer
+      JWT.decode(token, public_key, true, **options).first
+    rescue JWT::DecodeError => error
+      raise APIError.new("UNAUTHORIZED", message: error.message)
+    end
+
+    def refresh_access_token(refresh_token:, token_endpoint:, options:, authentication: nil, extra_params: nil, resource: nil, fetcher: nil)
+      request = create_refresh_access_token_request(
+        refresh_token: refresh_token,
+        options: options,
+        authentication: authentication,
+        extra_params: extra_params,
+        resource: resource
+      )
+      data = fetcher ? fetcher.call(token_endpoint, request) : post_form(token_endpoint, request)
+      now = Time.now
+      tokens = {
+        access_token: data["access_token"] || data[:access_token],
+        refresh_token: data["refresh_token"] || data[:refresh_token],
+        token_type: data["token_type"] || data[:token_type],
+        scopes: (data["scope"] || data[:scope])&.split(" "),
+        id_token: data["id_token"] || data[:id_token]
+      }.compact
+
+      expires_in = data["expires_in"] || data[:expires_in]
+      tokens[:access_token_expires_at] = now + expires_in.to_i if expires_in
+
+      refresh_expires_in = data["refresh_token_expires_in"] || data[:refresh_token_expires_in]
+      tokens[:refresh_token_expires_at] = now + refresh_expires_in.to_i if refresh_expires_in
+      tokens
+    end
+
+    def create_refresh_access_token_request(refresh_token:, options:, authentication: nil, extra_params: nil, resource: nil)
+      body = {
+        "grant_type" => "refresh_token",
+        "refresh_token" => refresh_token
+      }
+      headers = {
+        "content-type" => "application/x-www-form-urlencoded",
+        "accept" => "application/json"
+      }
+      client_id = Array(options[:client_id] || options["client_id"] || options[:clientId] || options["clientId"]).first
+      client_secret = options[:client_secret] || options["client_secret"] || options[:clientSecret] || options["clientSecret"]
+
+      if authentication.to_s == "basic"
+        headers["authorization"] = "Basic #{Base64.strict_encode64("#{client_id}:#{client_secret}")}"
+      else
+        body["client_id"] = client_id if client_id
+        body["client_secret"] = client_secret if client_secret
+      end
+
+      Array(resource).each { |entry| (body["resource"] ||= []) << entry } if resource
+      extra_params&.each { |key, value| body[key.to_s] = value }
+      {body: body, headers: headers}
+    end
+
+    def post_form(token_endpoint, request)
+      uri = URI.parse(token_endpoint)
+      response = Net::HTTP.post(uri, URI.encode_www_form(request[:body]), request[:headers])
+      JSON.parse(response.body)
+    end
+
+    def stringify_keys(hash)
+      hash.each_with_object({}) do |(key, value), result|
+        result[key.to_s] = value.is_a?(Hash) ? stringify_keys(value) : value
+      end
+    end
+  end
+end

data/lib/better_auth/plugin.rb

@@ -11,6 +11,8 @@ module BetterAuth
       :schema,
       :migrations,
       :options,
+      :version,
+      :client,
       :rate_limit,
       :error_codes,
       :on_request,
@@ -28,7 +30,8 @@ module BetterAuth
 
     def initialize(data = {}, **keywords)
       data = data.to_h if data.respond_to?(:to_h) && !data.is_a?(Hash)
-      raw = normalize_hash((data || {}).merge(keywords))
+      input = (data || {}).merge(keywords)
+      raw = normalize_hash(input)
 
       @id = raw[:id].to_s
       @init = raw[:init]
@@ -38,6 +41,8 @@ module BetterAuth
       @schema = raw[:schema] || {}
       @migrations = raw[:migrations] || {}
       @options = raw[:options] || {}
+      @version = raw[:version]
+      @client = stringify_hash(input[:client] || input["client"])
       @rate_limit = Array(raw[:rate_limit])
       @error_codes = normalize_error_codes(raw)
       @on_request = raw[:on_request]
@@ -107,6 +112,14 @@ module BetterAuth
       end
     end
 
+    def stringify_hash(value)
+      return nil unless value.is_a?(Hash)
+
+      value.each_with_object({}) do |(key, object), result|
+        result[key.to_s] = object.is_a?(Hash) ? stringify_hash(object) : object
+      end
+    end
+
     def normalize_key(key)
       key.to_s
         .delete_prefix("$")

data/lib/better_auth/plugins/email_otp.rb

@@ -193,9 +193,9 @@ module BetterAuth
         user = if found
           found[:user]
         else
-          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["USER_NOT_FOUND"]) if config[:disable_sign_up]
+          raise APIError.new("BAD_REQUEST", message: EMAIL_OTP_ERROR_CODES["INVALID_OTP"]) if config[:disable_sign_up]
 
-          ctx.context.internal_adapter.create_user(email_otp_sign_up_user_data(body, email))
+          ctx.context.internal_adapter.create_user(email_otp_sign_up_user_data(ctx, body, email))
         end
 
         unless user["emailVerified"]
@@ -419,10 +419,21 @@ module BetterAuth
       Array.new(config[:otp_length].to_i) { SecureRandom.random_number(10).to_s }.join
     end
 
-    def email_otp_sign_up_user_data(body, email)
+    def email_otp_sign_up_user_data(ctx, body, email)
       reserved = %i[email otp name image callback_url callbackURL callbackUrl]
-      additional = body.reject { |key, _value| reserved.include?(key.to_sym) }
-      additional = additional.each_with_object({}) { |(key, value), result| result[Schema.storage_key(key)] = value }
+      user_fields = Schema.auth_tables(ctx.context.options).fetch("user").fetch(:fields)
+      core_fields = %w[id name email emailVerified image createdAt updatedAt]
+      additional = body.each_with_object({}) do |(key, value), result|
+        next if reserved.include?(key.to_sym)
+
+        field = Schema.storage_key(key)
+        attributes = user_fields[field]
+        next unless attributes
+        next if core_fields.include?(field)
+        next if attributes[:input] == false
+
+        result[field] = value
+      end
       additional.merge(
         "email" => email,
         "emailVerified" => true,

data/lib/better_auth/plugins/generic_oauth.rb

@@ -52,19 +52,7 @@ module BetterAuth
         data,
         provider_id: "auth0",
         discovery_url: "https://#{domain}/.well-known/openid-configuration",
-        scopes: ["openid", "profile", "email"],
-        get_user_info: ->(tokens) {
-          profile = generic_oauth_fetch_json("https://#{domain}/userinfo", authorization: "Bearer #{fetch_value(tokens, "accessToken")}")
-          return nil unless profile
-
-          {
-            id: fetch_value(profile, "sub"),
-            name: fetch_value(profile, "name") || fetch_value(profile, "nickname"),
-            email: fetch_value(profile, "email"),
-            image: fetch_value(profile, "picture"),
-            emailVerified: fetch_value(profile, "email_verified") || false
-          }
-        }
+        scopes: ["openid", "profile", "email"]
       )
     end
 
@@ -688,24 +676,12 @@ module BetterAuth
       nil
     end
 
-    def generic_oidc_helper_provider(options, provider_id, issuer, discovery_url, user_info_url)
+    def generic_oidc_helper_provider(options, provider_id, issuer, discovery_url, _user_info_url)
       generic_oauth_provider_config(
         options,
         provider_id: provider_id,
         discovery_url: discovery_url,
-        scopes: ["openid", "profile", "email"],
-        get_user_info: ->(tokens) {
-          profile = generic_oauth_fetch_json(user_info_url, authorization: "Bearer #{fetch_value(tokens, "accessToken")}")
-          return nil unless profile
-
-          {
-            id: fetch_value(profile, "sub"),
-            name: fetch_value(profile, "name") || fetch_value(profile, "preferred_username"),
-            email: fetch_value(profile, "email"),
-            image: fetch_value(profile, "picture"),
-            emailVerified: fetch_value(profile, "email_verified") || false
-          }
-        }
+        scopes: ["openid", "profile", "email"]
       )
     end
 
@@ -730,12 +706,22 @@ module BetterAuth
         result[provider_id.to_sym] = {
           id: provider_id,
           name: provider_id,
-          get_user_info: ->(tokens) { generic_oauth_user_info(provider, tokens) },
+          get_user_info: ->(tokens) { generic_oauth_provider_user_info(provider, tokens) },
           refresh_access_token: ->(refresh_token) { generic_oauth_refresh_access_token(context, provider, refresh_token) }
         }
       end
     end
 
+    def generic_oauth_provider_user_info(provider, tokens)
+      user_info = generic_oauth_user_info(provider, tokens)
+      return nil unless user_info
+
+      {
+        user: generic_oauth_map_user(provider, user_info),
+        data: user_info
+      }
+    end
+
     def generic_oauth_refresh_access_token(ctx, provider, refresh_token)
       token_url = provider[:token_url] || generic_oauth_discovery(provider)["token_endpoint"]
       raise APIError.new("BAD_REQUEST", message: GENERIC_OAUTH_ERROR_CODES["TOKEN_URL_NOT_FOUND"]) if token_url.to_s.empty?