better_auth 0.2.0 → 0.4.0

data/lib/better_auth/plugins/organization/schema.rb

@@ -10,6 +10,7 @@ module BetterAuth
           organization: {
             model_name: "organizations",
             fields: {
+              id: {type: "string", required: true},
               name: {type: "string", required: true, sortable: true},
               slug: {type: "string", required: true, unique: true, sortable: true, index: true},
               logo: {type: "string", required: false},
@@ -21,6 +22,7 @@ module BetterAuth
           member: {
             model_name: "members",
             fields: {
+              id: {type: "string", required: true},
               organizationId: {type: "string", required: true, references: {model: "organization", field: "id"}, index: true},
               userId: {type: "string", required: true, references: {model: "user", field: "id"}, index: true},
               role: {type: "string", required: true, default_value: "member", sortable: true},
@@ -30,6 +32,7 @@ module BetterAuth
           invitation: {
             model_name: "invitations",
             fields: {
+              id: {type: "string", required: true},
               organizationId: {type: "string", required: true, references: {model: "organization", field: "id"}, index: true},
               email: {type: "string", required: true, sortable: true, index: true},
               role: {type: "string", required: true, sortable: true},
@@ -50,6 +53,7 @@ module BetterAuth
           schema[:team] = {
             model_name: "teams",
             fields: {
+              id: {type: "string", required: true},
               name: {type: "string", required: true},
               organizationId: {type: "string", required: true, references: {model: "organization", field: "id"}, index: true},
               createdAt: {type: "date", required: true, default_value: -> { Time.now }},
@@ -59,6 +63,7 @@ module BetterAuth
           schema[:teamMember] = {
             model_name: "team_members",
             fields: {
+              id: {type: "string", required: true},
               teamId: {type: "string", required: true, references: {model: "team", field: "id"}, index: true},
               userId: {type: "string", required: true, references: {model: "user", field: "id"}, index: true},
               createdAt: {type: "date", required: false, default_value: -> { Time.now }}
@@ -72,6 +77,7 @@ module BetterAuth
           schema[:organizationRole] = {
             model_name: "organization_roles",
             fields: {
+              id: {type: "string", required: true},
               organizationId: {type: "string", required: true, references: {model: "organization", field: "id"}, index: true},
               role: {type: "string", required: true, index: true},
               permission: {type: "string", required: true},

data/lib/better_auth/plugins/organization.rb

@@ -272,6 +272,12 @@ module BetterAuth
       Endpoint.new(path: "/organization/set-active", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
+        if body.key?(:organization_id) && body[:organization_id].nil?
+          updated_session = ctx.context.internal_adapter.update_session(session[:session]["token"], {activeOrganizationId: nil, activeTeamId: nil})
+          Cookies.set_session_cookie(ctx, {session: updated_session || session[:session].merge("activeOrganizationId" => nil, "activeTeamId" => nil), user: session[:user]})
+          next ctx.json(nil)
+        end
+
         organization = organization_by_id(ctx, body[:organization_id]) || organization_by_slug(ctx, body[:organization_slug])
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) unless organization
         require_member!(ctx, session[:user]["id"], organization["id"])
@@ -285,11 +291,16 @@ module BetterAuth
       Endpoint.new(path: "/organization/get-full-organization", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
         query = normalize_hash(ctx.query)
+        explicit_lookup = query.key?(:organization_slug) || query.key?(:organization_id)
         organization = organization_by_slug(ctx, query[:organization_slug]) || organization_by_id(ctx, query[:organization_id] || session[:session]["activeOrganizationId"])
-        next ctx.json(nil) unless organization
+        unless organization
+          raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) if explicit_lookup
+
+          next ctx.json(nil)
+        end
 
         require_member!(ctx, session[:user]["id"], organization["id"])
-        members = list_members_for(ctx, organization["id"])
+        members = list_members_for(ctx, organization["id"], {limit: query[:members_limit] || config[:membership_limit]})
         invitations = ctx.context.adapter.find_many(model: "invitation", where: [{field: "organizationId", value: organization["id"]}])
         result = organization_wire(ctx, organization).merge(
           members: members.fetch(:members),
@@ -307,7 +318,7 @@ module BetterAuth
       Endpoint.new(path: "/organization/invite-member", method: "POST") do |ctx|
         session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
-        organization = organization_by_id(ctx, body[:organization_id])
+        organization = organization_by_id(ctx, body[:organization_id] || session[:session]["activeOrganizationId"]) || organization_by_slug(ctx, body[:organization_slug])
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) unless organization
         require_org_permission!(ctx, config, session, organization["id"], {invitation: ["create"]}, ORGANIZATION_ERROR_CODES.fetch("YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION"))
         email = body[:email].to_s.downcase
@@ -334,21 +345,26 @@ module BetterAuth
           raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("INVITATION_LIMIT_REACHED"))
         end
         team_ids = organization_team_ids(body[:team_id] || body[:team_ids])
+        ensure_team_member_capacity!(ctx, config, team_ids)
+        invitation_data = {
+          organizationId: organization["id"],
+          email: email,
+          role: role,
+          status: "pending",
+          expiresAt: Time.now + config[:invitation_expires_in].to_i,
+          inviterId: session[:user]["id"],
+          teamId: team_ids.any? ? team_ids.join(",") : nil,
+          createdAt: Time.now
+        }.merge(additional_input(body, :organization_id, :organization_slug, :email, :role, :team_id, :team_ids))
+        merge_hook_data!(invitation_data, run_org_hook(config, :before_create_invitation, {invitation: invitation_data, inviter: session[:user], organization: organization_wire(ctx, organization)}, ctx))
         invitation = ctx.context.adapter.create(
           model: "invitation",
-          data: {
-            organizationId: organization["id"],
-            email: email,
-            role: role,
-            status: "pending",
-            expiresAt: Time.now + config[:invitation_expires_in].to_i,
-            inviterId: session[:user]["id"],
-            teamId: team_ids.any? ? team_ids.join(",") : nil,
-            createdAt: Time.now
-          }
+          data: invitation_data,
+          force_allow_id: true
         )
         sender = config[:send_invitation_email]
         sender.call({id: invitation["id"], role: role, email: email, organization: organization_wire(ctx, organization), invitation: invitation_wire(ctx, invitation), inviter: require_member!(ctx, session[:user]["id"], organization["id"])}, ctx.request) if sender.respond_to?(:call)
+        run_org_hook(config, :after_create_invitation, {invitation: invitation_wire(ctx, invitation), inviter: session[:user], organization: organization_wire(ctx, organization)}, ctx)
         ctx.json(invitation_wire(ctx, invitation))
       end
     end
@@ -365,11 +381,14 @@ module BetterAuth
         if config[:require_email_verification_on_invitation] && !session[:user]["emailVerified"]
           raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION"))
         end
+        ensure_team_member_capacity!(ctx, config, organization_team_ids(invitation["teamId"]))
         member = ctx.context.adapter.create(model: "member", data: {organizationId: invitation["organizationId"], userId: session[:user]["id"], role: invitation["role"], createdAt: Time.now})
         organization_team_ids(invitation["teamId"]).each do |team_id|
           ctx.context.adapter.create(model: "teamMember", data: {teamId: team_id, userId: session[:user]["id"], createdAt: Time.now})
         end
         updated = ctx.context.adapter.update(model: "invitation", where: [{field: "id", value: invitation["id"]}], update: {status: "accepted"})
+        organization = organization_by_id(ctx, invitation["organizationId"])
+        run_org_hook(config, :after_accept_invitation, {invitation: invitation_wire(ctx, updated), member: member_wire(ctx, member), user: session[:user], organization: organization_wire(ctx, organization)}, ctx)
         ctx.json({invitation: invitation_wire(ctx, updated), member: member_wire(ctx, member)})
       end
     end
@@ -452,8 +471,11 @@ module BetterAuth
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("MEMBER_NOT_FOUND")) unless member
         require_org_permission!(ctx, config, session, member["organizationId"], {member: ["delete"]}, ORGANIZATION_ERROR_CODES.fetch("YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER"))
         ensure_not_last_owner!(ctx, member)
+        organization = organization_by_id(ctx, member["organizationId"])
+        user = ctx.context.internal_adapter.find_user_by_id(member["userId"])
         ctx.context.adapter.delete(model: "member", where: [{field: "id", value: member["id"]}])
         ctx.context.adapter.delete_many(model: "teamMember", where: [{field: "userId", value: member["userId"]}]) if org_truthy?(config.dig(:teams, :enabled))
+        run_org_hook(config, :after_remove_member, {member: member_wire(ctx, member), user: user, organization: organization_wire(ctx, organization)}, ctx)
         ctx.json({status: true})
       end
     end
@@ -483,10 +505,12 @@ module BetterAuth
     def organization_get_active_member_role_endpoint(_config)
       Endpoint.new(path: "/organization/get-active-member-role", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
-        organization_id = normalize_hash(ctx.query)[:organization_id] || session[:session]["activeOrganizationId"]
+        query = normalize_hash(ctx.query)
+        organization_id = query[:organization_id] || session[:session]["activeOrganizationId"]
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("NO_ACTIVE_ORGANIZATION")) unless organization_id
-        member = require_member!(ctx, session[:user]["id"], organization_id)
-        ctx.json({role: member["role"]})
+        require_member!(ctx, session[:user]["id"], organization_id)
+        member = require_member!(ctx, query[:user_id] || session[:user]["id"], organization_id)
+        ctx.json({role: member["role"], member: member_wire(ctx, member)})
       end
     end
 
@@ -506,7 +530,7 @@ module BetterAuth
       Endpoint.new(path: "/organization/list-members", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
         query = normalize_hash(ctx.query)
-        organization_id = query[:organization_id] || organization_by_slug(ctx, query[:organization_slug])&.fetch("id")
+        organization_id = query[:organization_id] || organization_by_slug(ctx, query[:organization_slug])&.fetch("id") || session[:session]["activeOrganizationId"]
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("NO_ACTIVE_ORGANIZATION")) unless organization_id
         require_member!(ctx, session[:user]["id"], organization_id)
         ctx.json(list_members_for(ctx, organization_id, query))
@@ -538,7 +562,7 @@ module BetterAuth
         end
         team_data = {organizationId: organization_id, name: body[:name].to_s, createdAt: Time.now}.merge(additional_input(body, :organization_id, :name))
         merge_hook_data!(team_data, run_org_hook(config, :before_create_team, {team: team_data, user: session[:user], organization: organization_wire(ctx, organization)}, ctx))
-        team = ctx.context.adapter.create(model: "team", data: team_data)
+        team = ctx.context.adapter.create(model: "team", data: team_data, force_allow_id: true)
         ctx.context.adapter.create(model: "teamMember", data: {teamId: team["id"], userId: session[:user]["id"], createdAt: Time.now})
         run_org_hook(config, :after_create_team, {team: team_wire(ctx, team), user: session[:user], organization: organization_wire(ctx, organization)}, ctx)
         ctx.json(team_wire(ctx, team))
@@ -859,7 +883,7 @@ module BetterAuth
         where: where,
         limit: query[:limit],
         offset: query[:offset],
-        sort_by: query[:sort_by] ? {field: query[:sort_by], direction: query[:sort_order] || "asc"} : nil
+        sort_by: query[:sort_by] ? {field: query[:sort_by], direction: query[:sort_direction] || query[:sort_order] || "asc"} : nil
       )
       {
         members: members.map { |entry| member_wire(ctx, entry) },
@@ -867,6 +891,18 @@ module BetterAuth
       }
     end
 
+    def ensure_team_member_capacity!(ctx, config, team_ids)
+      max_members = config.dig(:teams, :maximum_members_per_team)
+      return unless max_members && team_ids.any?
+
+      team_ids.each do |team_id|
+        count = ctx.context.adapter.count(model: "teamMember", where: [{field: "teamId", value: team_id}])
+        if count >= max_members.to_i
+          raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("TEAM_MEMBER_LIMIT_REACHED"))
+        end
+      end
+    end
+
     def member_wire(ctx, member)
       data = Schema.parse_output(ctx.context.options, "member", member)
       user = ctx.context.internal_adapter.find_user_by_id(member["userId"])
@@ -910,7 +946,7 @@ module BetterAuth
       team = if custom.respond_to?(:call)
         custom.call(organization_wire(ctx, organization), ctx)
       else
-        ctx.context.adapter.create(model: "team", data: team_data)
+        ctx.context.adapter.create(model: "team", data: team_data, force_allow_id: true)
       end
       ctx.context.adapter.create(model: "teamMember", data: {teamId: team["id"], userId: session[:user]["id"], createdAt: Time.now})
       run_org_hook(config, :after_create_team, {team: team_wire(ctx, team), user: session[:user], organization: organization_wire(ctx, organization)}, ctx)

data/lib/better_auth/plugins/two_factor.rb

@@ -24,6 +24,7 @@ module BetterAuth
     TRUST_DEVICE_COOKIE_NAME = "trust_device"
     TRUST_DEVICE_COOKIE_MAX_AGE = 30 * 24 * 60 * 60
     TWO_FACTOR_COOKIE_MAX_AGE = 10 * 60
+    TWO_FACTOR_MODEL = "twoFactor"
 
     module_function
 
@@ -39,6 +40,8 @@ module BetterAuth
       config[:backup_code_options] = {store_backup_codes: "encrypted"}.merge(normalize_hash(config[:backup_code_options]))
       config[:otp_options] = normalize_hash(config[:otp_options])
       config[:totp_options] = normalize_hash(config[:totp_options])
+      config[:backup_code_options][:allow_passwordless] = config[:allow_passwordless] unless config[:backup_code_options].key?(:allow_passwordless)
+      config[:totp_options][:allow_passwordless] = config[:allow_passwordless] unless config[:totp_options].key?(:allow_passwordless)
 
       Plugin.new(
         id: "two-factor",
@@ -62,7 +65,7 @@ module BetterAuth
             }
           ]
         },
-        schema: two_factor_schema(config[:schema]),
+        schema: two_factor_schema(config),
         rate_limit: [
           {
             path_matcher: ->(path) { path.start_with?("/two-factor/") },
@@ -79,7 +82,7 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/enable", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         secret = two_factor_generate_secret
         backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
@@ -90,14 +93,18 @@ module BetterAuth
           ctx.context.internal_adapter.delete_session(session[:session]["token"])
         end
 
-        ctx.context.adapter.delete_many(model: config[:two_factor_table], where: [{field: "userId", value: session[:user]["id"]}])
+        existing = two_factor_record(ctx, config, session[:user]["id"])
+        verified = (!!existing && existing["verified"] != false) || !!config[:skip_verification_on_enable]
+        ctx.context.adapter.delete_many(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: session[:user]["id"]}])
         ctx.context.adapter.create(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           data: {
             secret: Crypto.symmetric_encrypt(key: ctx.context.secret, data: secret),
             backupCodes: backup[:stored],
-            userId: session[:user]["id"]
-          }
+            userId: session[:user]["id"],
+            verified: verified
+          },
+          force_allow_id: true
         )
 
         ctx.json({
@@ -111,10 +118,10 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/disable", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         updated_user = ctx.context.internal_adapter.update_user(session[:user]["id"], twoFactorEnabled: false)
-        ctx.context.adapter.delete(model: config[:two_factor_table], where: [{field: "userId", value: updated_user["id"]}])
+        ctx.context.adapter.delete(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: updated_user["id"]}])
         new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
         Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
         ctx.context.internal_adapter.delete_session(session[:session]["token"])
@@ -142,7 +149,7 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST") do |ctx|
         two_factor_totp_enabled!(config)
         session = Routes.current_session(ctx, sensitive: true)
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:totp_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
 
@@ -158,11 +165,22 @@ module BetterAuth
         data = two_factor_verification_context(ctx, config)
         record = two_factor_record(ctx, config, data[:session][:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
+        if !data[:session][:session] && record["verified"] == false
+          raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"])
+        end
 
         secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
         raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_CODE"]) unless two_factor_totp_valid?(secret, body[:code], options: config[:totp_options])
 
-        if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+        if record["verified"] != true
+          if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+            updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
+            new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
+            ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
+            Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
+          end
+          ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {verified: true})
+        elsif !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
           updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
           new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
           ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
@@ -242,7 +260,7 @@ module BetterAuth
         remaining = codes.reject { |code| code == body[:code].to_s }
         stored = two_factor_store_backup_codes(ctx.context.secret, remaining, config[:backup_code_options])
         updated = ctx.context.adapter.update(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           where: [{field: "id", value: record["id"]}, {field: "backupCodes", value: record["backupCodes"]}],
           update: {backupCodes: stored}
         )
@@ -257,12 +275,12 @@ module BetterAuth
         session = Routes.current_session(ctx, sensitive: true)
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless session[:user]["twoFactorEnabled"]
 
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:backup_code_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless record
 
         backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
-        ctx.context.adapter.update(model: config[:two_factor_table], where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
+        ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
         ctx.json({status: true, backupCodes: backup[:codes]})
       end
     end
@@ -277,7 +295,8 @@ module BetterAuth
       end
     end
 
-    def two_factor_schema(custom_schema = nil)
+    def two_factor_schema(config = {})
+      custom_schema = config[:schema]
       base = {
         user: {
           fields: {
@@ -288,10 +307,14 @@ module BetterAuth
           fields: {
             secret: {type: "string", required: true, returned: false, index: true},
             backupCodes: {type: "string", required: true, returned: false},
-            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}}
+            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}},
+            verified: {type: "boolean", required: false, default_value: true, input: false}
           }
         }
       }
+      if config[:two_factor_table] && config[:two_factor_table] != TWO_FACTOR_MODEL
+        base[:twoFactor][:model_name] = config[:two_factor_table].to_s
+      end
       deep_merge_hashes(base, normalize_hash(custom_schema || {}))
     end
 
@@ -311,7 +334,7 @@ module BetterAuth
         expiresAt: Time.now + config[:two_factor_cookie_max_age].to_i
       )
       ctx.set_signed_cookie(cookie.name, identifier, ctx.context.secret, cookie.attributes)
-      ctx.json({twoFactorRedirect: true})
+      ctx.json({twoFactorRedirect: true, twoFactorMethods: two_factor_methods(ctx, config, data[:user]["id"])})
     end
 
     def two_factor_verification_context(ctx, config)
@@ -377,11 +400,23 @@ module BetterAuth
     end
 
     def two_factor_record(ctx, config, user_id)
-      ctx.context.adapter.find_one(model: config[:two_factor_table], where: [{field: "userId", value: user_id}])
+      ctx.context.adapter.find_one(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: user_id}])
     end
 
-    def two_factor_check_password!(ctx, user_id, password)
+    def two_factor_methods(ctx, config, user_id)
+      methods = []
+      unless config[:totp_options][:disable]
+        record = two_factor_record(ctx, config, user_id)
+        methods << "totp" if record && record["verified"] != false
+      end
+      methods << "otp" if config[:otp_options][:send_otp].respond_to?(:call)
+      methods
+    end
+
+    def two_factor_check_password!(ctx, user_id, password, allow_passwordless: false)
       account = ctx.context.internal_adapter.find_accounts(user_id).find { |entry| entry["providerId"] == "credential" }
+      return if allow_passwordless && !account
+
       unless account && account["password"] && Routes.verify_password_value(ctx, password.to_s, account["password"])
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
       end

data/lib/better_auth/rate_limiter.rb

@@ -4,6 +4,9 @@ require "json"
 
 module BetterAuth
   class RateLimiter
+    MISSING_CLIENT_IP_WARNING = "Rate limiting skipped: could not determine client IP address. " \
+      "Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed."
+
     class MemoryStore
       def initialize
         @entries = {}
@@ -36,6 +39,7 @@ module BetterAuth
 
     def initialize
       @memory_store = MemoryStore.new
+      @warned_missing_client_ip = false
     end
 
     def call(request, context, path)
@@ -43,6 +47,7 @@ module BetterAuth
       return unless config[:enabled]
 
       ip = client_ip(request, context.options)
+      warn_missing_client_ip(context) unless ip
       return unless ip
 
       rule = rate_limit_rule(request, context, config, path)
@@ -148,18 +153,26 @@ module BetterAuth
     def read_storage((type, storage), key)
       data = storage.get(key)
       data = JSON.parse(data) if type == :secondary && data.is_a?(String)
-      symbolize_keys(data)
+      normalize_rate_limit_data(symbolize_keys(data))
     rescue JSON::ParserError
       nil
     end
 
     def write_storage((type, storage), key, data, ttl:, update:)
-      value = (type == :secondary) ? JSON.generate(data) : data
+      value = (type == :secondary) ? JSON.generate(secondary_storage_data(data)) : data
       return call_secondary_storage_set(storage, key, value, ttl: ttl, update: update) if type == :secondary
 
       call_storage_set(storage, key, value, ttl: ttl, update: update)
     end
 
+    def secondary_storage_data(data)
+      {
+        key: data[:key],
+        count: data[:count],
+        lastRequest: (data[:last_request].to_f * 1000).to_i
+      }
+    end
+
     def call_secondary_storage_set(storage, key, value, ttl:, update:)
       storage.set(key, value, ttl)
     rescue ArgumentError
@@ -188,6 +201,15 @@ module BetterAuth
       end
     end
 
+    def normalize_rate_limit_data(data)
+      return data unless data.is_a?(Hash)
+
+      last_request = data[:last_request]
+      return data unless last_request.is_a?(Numeric) && last_request > 10_000_000_000
+
+      data.merge(last_request: last_request / 1000.0)
+    end
+
     def rate_limit_key(ip, path)
       "#{ip}|#{path}"
     end
@@ -196,6 +218,19 @@ module BetterAuth
       RequestIP.client_ip(request, options)
     end
 
+    def warn_missing_client_ip(context)
+      return if @warned_missing_client_ip
+      return if context.options.advanced.dig(:ip_address, :disable_ip_tracking)
+
+      @warned_missing_client_ip = true
+      logger = context.logger
+      if logger.respond_to?(:call)
+        logger.call(:warn, MISSING_CLIENT_IP_WARNING)
+      elsif logger.respond_to?(:warn)
+        logger.warn(MISSING_CLIENT_IP_WARNING)
+      end
+    end
+
     def matching_plugin_rule(context, path)
       context.options.plugins
         .flat_map { |plugin| Array(plugin[:rate_limit]) }

data/lib/better_auth/request_state.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module RequestState
+    THREAD_KEY = :better_auth_request_state_stack
+
+    State = Struct.new(:ref, :initializer) do
+      def get
+        store = RequestState.current_store
+        store[ref] = initializer.call unless store.key?(ref)
+        store[ref]
+      end
+
+      def set(value)
+        RequestState.current_store[ref] = value
+      end
+    end
+
+    module_function
+
+    def run(store = {}, &block)
+      stack.push(store)
+      block.call
+    ensure
+      stack.pop
+    end
+
+    def present?
+      !stack.empty?
+    end
+
+    def current_store
+      stack.last || raise("No request state found. Please make sure you are calling this function within a `run` callback.")
+    end
+
+    def define(&initializer)
+      State.new(Object.new.freeze, initializer || -> {})
+    end
+
+    def stack
+      Thread.current[THREAD_KEY] ||= []
+    end
+  end
+end

data/lib/better_auth/router.rb

@@ -64,6 +64,7 @@ module BetterAuth
 
       body = parse_body(request)
       endpoint_context = build_endpoint_context(request, route_path, query, body, params)
+      return run_on_response_chain(forbidden) if server_only?(endpoint)
 
       response = @origin_check.call(endpoint_context)
       return run_on_response_chain(response) if response
@@ -166,13 +167,17 @@ module BetterAuth
       request.body.rewind
       return {} if raw.empty?
 
-      if request.media_type == "application/json"
+      if json_media_type?(request.media_type)
         JSON.parse(raw)
       else
         request.POST
       end
     end
 
+    def json_media_type?(media_type)
+      media_type == "application/json" || media_type.to_s.end_with?("+json")
+    end
+
     def allowed_media_type?(request, endpoint)
       return true unless request_body_method?(request.request_method)
       return true if request.media_type.nil? || request.media_type.empty?
@@ -350,6 +355,14 @@ module BetterAuth
       [415, {"content-type" => "application/json"}, [JSON.generate({error: "Unsupported Media Type"})]]
     end
 
+    def forbidden
+      [403, {"content-type" => "application/json"}, [JSON.generate({error: "Forbidden"})]]
+    end
+
+    def server_only?(endpoint)
+      endpoint.metadata[:server_only] || endpoint.metadata[:SERVER_ONLY] || endpoint.metadata["SERVER_ONLY"]
+    end
+
     def error_response(error, headers: {})
       Endpoint::Result.new(
         response: error.to_h,

data/lib/better_auth/routes/account.rb

@@ -90,10 +90,10 @@ module BetterAuth
         Cookies.set_account_cookie(ctx, updated || account.merge(token_hash_for_storage(ctx, tokens)))
         ctx.json({
           accessToken: values["accessToken"],
-          refreshToken: values["refreshToken"],
+          refreshToken: values["refreshToken"] || refresh_token,
           accessTokenExpiresAt: values["accessTokenExpiresAt"],
-          refreshTokenExpiresAt: values["refreshTokenExpiresAt"],
-          scope: Array(values["scopes"]).join(","),
+          refreshTokenExpiresAt: values["refreshTokenExpiresAt"] || account["refreshTokenExpiresAt"],
+          scope: values["scope"] || account["scope"],
           idToken: values["idToken"] || account["idToken"],
           providerId: account["providerId"],
           accountId: account["accountId"]
@@ -167,7 +167,10 @@ module BetterAuth
     def self.update_account_tokens(ctx, account, tokens)
       return nil if account["id"].to_s.empty?
 
-      ctx.context.internal_adapter.update_account(account["id"], token_hash_for_storage(ctx, tokens))
+      data = account_token_update_hash(ctx, tokens)
+      return nil if data.empty?
+
+      ctx.context.internal_adapter.update_account(account["id"], data)
     end
 
     def self.token_hash(tokens)
@@ -183,6 +186,15 @@ module BetterAuth
       data
     end
 
+    def self.account_token_update_hash(ctx, tokens)
+      account_storage_fields(token_hash_for_storage(ctx, tokens))
+    end
+
+    def self.account_storage_fields(data)
+      allowed = %w[accessToken refreshToken idToken accessTokenExpiresAt refreshTokenExpiresAt scope]
+      token_hash(data).select { |key, value| allowed.include?(key) && !value.nil? }
+    end
+
     def self.oauth_token_for_storage(ctx, token)
       return token if token.to_s.empty?
       return token unless ctx.context.options.account[:encrypt_oauth_tokens]

data/lib/better_auth/routes/email_verification.rb

@@ -35,6 +35,7 @@ module BetterAuth
       Endpoint.new(path: "/verify-email", method: "GET") do |ctx|
         token = fetch_value(ctx.query, "token").to_s
         callback_url = fetch_value(ctx.query, "callbackURL")
+        validate_callback_url!(ctx.context, callback_url)
         payload = verify_email_token(ctx, token, callback_url)
         email = payload["email"].to_s.downcase
         update_to = payload["updateTo"] || payload["update_to"]
@@ -43,8 +44,10 @@ module BetterAuth
 
         user = user_data[:user]
         if update_to
-          updated = ctx.context.internal_adapter.update_user_by_email(email, email: update_to, emailVerified: true)
-          set_verified_session_cookie(ctx, updated || user.merge("email" => update_to, "emailVerified" => true))
+          updated = ctx.context.internal_adapter.update_user_by_email(email, email: update_to, emailVerified: false)
+          updated_user = updated || user.merge("email" => update_to, "emailVerified" => false)
+          send_verification_email_payload(ctx, updated_user, callback_url) if ctx.context.options.email_verification[:send_verification_email].respond_to?(:call)
+          set_verified_session_cookie(ctx, updated_user)
           next redirect_or_json(ctx, callback_url, {status: true, user: Schema.parse_output(ctx.context.options, "user", updated)})
         end