better_auth 0.2.0 → 0.4.0

data/lib/better_auth/routes/user.rb

@@ -67,6 +67,7 @@ module BetterAuth
 
         session = current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
+        sender = ctx.context.options.user.dig(:delete_user, :send_delete_account_verification)
         if body["password"]
           account = credential_account(ctx, session[:user]["id"])
           unless account && account["password"] && verify_password_value(ctx, body["password"], account["password"])
@@ -76,15 +77,18 @@ module BetterAuth
 
         if body["token"]
           delete_user_by_token!(ctx, session, body["token"])
-        elsif (sender = ctx.context.options.user.dig(:delete_user, :send_delete_account_verification))
+        elsif sender
           token = SecureRandom.hex(16)
+          expires_in = ctx.context.options.user.dig(:delete_user, :delete_token_expires_in) || 3600
           ctx.context.internal_adapter.create_verification_value(
             identifier: "delete-account-#{token}",
             value: session[:user]["id"],
-            expiresAt: Time.now + ctx.context.options.user.dig(:delete_user, :delete_token_expires_in).to_i
+            expiresAt: Time.now + expires_in.to_i
           )
           sender.call({user: session[:user], token: token}, ctx.request)
           next ctx.json({success: true, message: "Verification email sent"})
+        elsif !body["password"]
+          require_fresh_session!(ctx, session)
         end
 
         delete_current_user!(ctx, session)
@@ -99,8 +103,9 @@ module BetterAuth
         session = current_session(ctx)
         token = fetch_value(ctx.query, "token")
         delete_user_by_token!(ctx, session, token)
-        delete_current_user!(ctx, session)
         callback_url = fetch_value(ctx.query, "callbackURL")
+        validate_callback_url!(ctx.context, callback_url)
+        delete_current_user!(ctx, session)
         raise ctx.redirect(callback_url) if callback_url
 
         ctx.json({success: true, message: "User deleted"})
@@ -116,9 +121,11 @@ module BetterAuth
         new_email = (body["newEmail"] || body["new_email"]).to_s.downcase
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless EMAIL_PATTERN.match?(new_email)
         raise APIError.new("BAD_REQUEST", message: "Email is the same") if new_email == session[:user]["email"]
-        raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]) if ctx.context.internal_adapter.find_user_by_email(new_email)
+        existing_target = ctx.context.internal_adapter.find_user_by_email(new_email)
 
         if !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+          next ctx.json({status: true}) if existing_target
+
           updated = ctx.context.internal_adapter.update_user_by_email(session[:user]["email"], email: new_email)
           Cookies.set_session_cookie(ctx, {session: session[:session], user: updated})
           next ctx.json({status: true})
@@ -126,6 +133,7 @@ module BetterAuth
 
         sender = ctx.context.options.email_verification[:send_verification_email]
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+        next ctx.json({status: true}) if existing_target
 
         token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-verification"})
         sender.call({user: session[:user].merge("email" => new_email), token: token}, ctx.request)
@@ -144,12 +152,22 @@ module BetterAuth
     def self.delete_current_user!(ctx, session)
       config = ctx.context.options.user[:delete_user] || {}
       call_option(config[:before_delete], session[:user], ctx.request)
-      ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      deleted = ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      raise APIError.new("BAD_REQUEST", message: "User delete aborted") if deleted == false
+
       ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
       Cookies.delete_session_cookie(ctx)
       call_option(config[:after_delete], session[:user], ctx.request)
     end
 
+    def self.require_fresh_session!(ctx, session)
+      fresh_age = ctx.context.session_config[:fresh_age].to_i
+      return if fresh_age <= 0
+
+      updated_at = Session.normalize_time(session[:session]["updatedAt"] || session[:session]["updated_at"] || session[:session]["createdAt"] || session[:session]["created_at"])
+      raise APIError.new("UNAUTHORIZED") unless updated_at && updated_at + fresh_age > Time.now
+    end
+
     def self.parse_declared_input(ctx, model, data, allowed_base: [])
       input = normalize_hash(data || {})
       table = Schema.auth_tables(ctx.context.options)[model.to_s]

data/lib/better_auth/schema/sql.rb

@@ -108,6 +108,17 @@ module BetterAuth
           end
         when "number"
           attributes[:bigint] ? "bigint" : "integer"
+        when "json", "string[]", "number[]"
+          case dialect
+          when :postgres
+            "jsonb"
+          when :mysql
+            "json"
+          when :mssql
+            "varchar(8000)"
+          else
+            "text"
+          end
         else
           if dialect == :mysql
             indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references]

data/lib/better_auth/schema.rb

@@ -15,6 +15,7 @@ module BetterAuth
       }
 
       tables.delete("session") if secondary_storage?(options) && !session_option(options, :store_session_in_database)
+      tables.delete("verification") if secondary_storage?(options) && !verification_option(options, :store_in_database)
       tables.merge!(plugin_schema)
       tables["rateLimit"] = rate_limit_table(options) if rate_limit_option(options, :storage) == "database"
       tables.sort_by { |_name, table| table[:order] || Float::INFINITY }.to_h
@@ -179,9 +180,16 @@ module BetterAuth
     private_class_method def self.normalize_field(value, key)
       data = symbolize_hash(value || {})
       data[:field_name] ||= physical_name(key)
+      data[:references] = normalize_reference(data[:references]) if data[:references]
       data
     end
 
+    private_class_method def self.normalize_reference(value)
+      reference = symbolize_hash(value || {})
+      reference[:on_delete] ||= "cascade"
+      reference
+    end
+
     private_class_method def self.mapped_field(options, model, field)
       fields = fetch_hash(model_options(options, model), :fields) || {}
       fetch_mapped_value(fields, field) || physical_name(field)
@@ -212,6 +220,10 @@ module BetterAuth
       fetch_hash(rate_limit_options(options), key)
     end
 
+    private_class_method def self.verification_option(options, key)
+      fetch_hash(verification_options(options), key)
+    end
+
     private_class_method def self.model_options(options, model)
       options.respond_to?(model) ? options.public_send(model) : fetch_hash(options, model)
     end
@@ -224,6 +236,10 @@ module BetterAuth
       options.respond_to?(:rate_limit) ? options.rate_limit : fetch_hash(options, :rate_limit)
     end
 
+    private_class_method def self.verification_options(options)
+      options.respond_to?(:verification) ? options.verification : fetch_hash(options, :verification)
+    end
+
     private_class_method def self.secondary_storage?(options)
       options.respond_to?(:secondary_storage) ? !!options.secondary_storage : !!fetch_hash(options, :secondary_storage)
     end

data/lib/better_auth/session.rb

@@ -51,7 +51,7 @@ module BetterAuth
       return nil if payload["session"]["token"] && payload["session"]["token"] != token
 
       result = {session: payload["session"], user: payload["user"]}
-      Cookies.set_cookie_cache(ctx, result, false) if should_refresh_cookie_cache?(config, payload)
+      result = refresh_cached_session(ctx, result) if should_refresh_cookie_cache?(config, payload)
       result
     end
 
@@ -89,6 +89,17 @@ module BetterAuth
       refreshed
     end
 
+    def refresh_cached_session(ctx, result)
+      now = Time.now
+      session = stringify_keys(result[:session]).merge(
+        "expiresAt" => now + ctx.context.session_config[:expires_in].to_i,
+        "updatedAt" => now
+      )
+      refreshed = {session: session, user: result[:user]}
+      Cookies.set_session_cookie(ctx, refreshed, Cookies.dont_remember?(ctx))
+      refreshed
+    end
+
     def should_refresh_cookie_cache?(config, payload)
       refresh_cache = config[:refresh_cache]
       return false if refresh_cache == false || refresh_cache.nil?

data/lib/better_auth/social_providers/apple.rb

@@ -5,6 +5,8 @@ module BetterAuth
     module_function
 
     def apple(client_id:, client_secret:, scopes: ["email", "name"], **options)
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
       {
         id: "apple",
         name: "Apple",
@@ -12,17 +14,17 @@ module BetterAuth
         client_secret: client_secret,
         create_authorization_url: lambda do |data|
           Base.authorization_url(options[:authorization_endpoint] || "https://appleid.apple.com/auth/authorize", {
-            client_id: client_id,
+            client_id: primary_client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
             response_type: "code id_token",
             response_mode: options[:response_mode] || options[:responseMode] || "form_post",
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state]
           })
         end,
         validate_authorization_code: lambda do |data|
           Base.post_form("https://appleid.apple.com/auth/token", {
-            client_id: client_id,
+            client_id: primary_client_id,
             client_secret: client_secret,
             code: data[:code],
             code_verifier: data[:code_verifier] || data[:codeVerifier],
@@ -30,24 +32,58 @@ module BetterAuth
             redirect_uri: data[:redirect_uri] || data[:redirectURI]
           })
         end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          audiences = Array(normalized[:audience] || normalized[:app_bundle_identifier] || normalized[:appBundleIdentifier] || client_id)
+          return false if audiences.empty?
+
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "https://appleid.apple.com/auth/keys",
+            algorithms: ["RS256"],
+            issuers: "https://appleid.apple.com",
+            audience: audiences,
+            nonce: nonce
+          )
+          !!profile&.fetch("sub", nil)
+        end,
         get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
           profile = Base.decode_jwt_payload(Base.id_token(tokens))
           apple_user = tokens[:user] || tokens["user"] || {}
-          name = apple_user.dig(:name, :firstName) || apple_user.dig("name", "firstName")
-          last_name = apple_user.dig(:name, :lastName) || apple_user.dig("name", "lastName")
+          name = apple_user.dig(:name, :firstName) ||
+            apple_user.dig(:name, :first_name) ||
+            apple_user.dig("name", "firstName") ||
+            apple_user.dig("name", "first_name")
+          last_name = apple_user.dig(:name, :lastName) ||
+            apple_user.dig(:name, :last_name) ||
+            apple_user.dig("name", "lastName") ||
+            apple_user.dig("name", "last_name")
           full_name = [name, last_name].compact.join(" ").strip
-          full_name = profile["name"] || " " if full_name.empty?
+          full_name = profile["name"] || "" if full_name.empty?
 
-          {
-            user: {
+          user = Base.apply_profile_mapping(
+            {
               id: profile["sub"],
               email: profile["email"],
               name: full_name,
               image: profile["picture"],
               emailVerified: profile["email_verified"] == true || profile["email_verified"] == "true"
             },
+            profile.merge("name" => full_name),
+            normalized
+          )
+          {
+            user: user,
             data: profile.merge("name" => full_name)
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token("https://appleid.apple.com/auth/token", refresh_token, client_id: primary_client_id, client_secret: client_secret)
         end
       }
     end

data/lib/better_auth/social_providers/atlassian.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def atlassian(client_id:, client_secret:, scopes: ["read:jira-user", "offline_access"], **options)
+      Base.oauth_provider(
+        id: "atlassian",
+        name: "Atlassian",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://auth.atlassian.com/authorize",
+        token_endpoint: "https://auth.atlassian.com/oauth/token",
+        user_info_endpoint: "https://api.atlassian.com/me",
+        scopes: scopes,
+        pkce: true,
+        auth_params: {audience: "api.atlassian.com"},
+        profile_map: ->(profile) {
+          {
+            id: profile["account_id"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/base.rb

@@ -2,8 +2,10 @@
 
 require "base64"
 require "json"
+require "jwt"
 require "net/http"
 require "openssl"
+require "time"
 require "uri"
 
 module BetterAuth
@@ -23,23 +25,146 @@ module BetterAuth
         uri.to_s
       end
 
+      def oauth_provider(id:, name:, client_id:, authorization_endpoint:, token_endpoint:, profile_map:, client_secret: nil, user_info_endpoint: nil, scopes: [], scope_separator: " ", pkce: false, auth_params: {}, token_params: {}, user_info_method: :get, user_info_headers: {}, user_info_body: nil, **options)
+        opts = normalize_options(options.merge(client_id: client_id, client_secret: client_secret))
+        {
+          id: id,
+          name: name,
+          client_id: client_id,
+          client_secret: client_secret,
+          options: opts,
+          create_authorization_url: lambda do |data|
+            verifier = value(data, :code_verifier, :codeVerifier)
+            selected_scopes = selected_scopes(scopes, opts, data)
+            params = {
+              client_id: primary_client_id(client_id),
+              redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI),
+              response_type: "code",
+              scope: selected_scopes.empty? ? nil : selected_scopes.join(scope_separator),
+              state: value(data, :state),
+              code_challenge: (pkce && verifier) ? pkce_challenge(verifier) : nil,
+              code_challenge_method: (pkce && verifier) ? "S256" : nil,
+              login_hint: value(data, :loginHint, :login_hint),
+              prompt: opts[:prompt]
+            }.merge(resolve_hash(auth_params, data, opts))
+            authorization_url(option(opts, :authorization_endpoint, :authorizationEndpoint) || authorization_endpoint, params)
+          end,
+          validate_authorization_code: lambda do |data|
+            post_form_json(option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint, {
+              client_id: primary_client_id(client_id),
+              client_secret: client_secret,
+              code: value(data, :code),
+              code_verifier: value(data, :code_verifier, :codeVerifier),
+              grant_type: "authorization_code",
+              redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI)
+            }.merge(resolve_hash(token_params, data, opts)))
+          end,
+          refresh_access_token: opts[:refresh_access_token] || lambda do |refresh_token|
+            refresh_access_token(
+              option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint,
+              refresh_token,
+              client_id: primary_client_id(client_id),
+              client_secret: client_secret
+            )
+          end,
+          verify_id_token: opts[:verify_id_token] || lambda do |token, _nonce = nil|
+            return false if opts[:disable_id_token_sign_in]
+
+            !decode_jwt_payload(token).empty?
+          end,
+          get_user_info: lambda do |tokens|
+            custom = opts[:get_user_info]
+            profile = if custom
+              custom.call(tokens)
+            elsif user_info_endpoint
+              fetch_user_info(user_info_endpoint, tokens, method: user_info_method, headers: user_info_headers, body: user_info_body)
+            else
+              decode_jwt_payload(id_token(tokens))
+            end
+            return nil unless profile
+            return profile if provider_user_info?(profile)
+
+            mapped = profile_map.call(profile)
+            user_map = opts[:map_profile_to_user]&.call(profile) || {}
+            {user: mapped.merge(user_map), data: profile}
+          end
+        }
+      end
+
       def pkce_challenge(verifier)
         digest = OpenSSL::Digest.digest("SHA256", verifier.to_s)
         Base64.urlsafe_encode64(digest, padding: false)
       end
 
       def post_form(url, form)
+        post_form_json(url, form)
+      end
+
+      def post_form_json(url, form, headers = {})
         uri = URI(url)
-        response = Net::HTTP.post_form(uri, form.transform_keys(&:to_s))
-        JSON.parse(response.body)
+        request = Net::HTTP::Post.new(uri)
+        request.set_form_data(form.compact.transform_keys(&:to_s))
+        request["Accept"] = "application/json"
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        parse_response(request_json(uri, request))
       end
 
       def get_json(url, headers = {})
         uri = URI(url)
         request = Net::HTTP::Get.new(uri)
         headers.each { |key, value| request[key.to_s] = value.to_s }
-        response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
-        JSON.parse(response.body)
+        parse_response(request_json(uri, request))
+      end
+
+      def get_bytes(url, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Get.new(uri)
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        response = request_json(uri, request)
+        response.is_a?(Net::HTTPSuccess) ? response.body.to_s : nil
+      rescue URI::InvalidURIError, SocketError, SystemCallError
+        nil
+      end
+
+      def post_json(url, body = {}, headers = {})
+        uri = URI(url)
+        request = Net::HTTP::Post.new(uri)
+        headers.each { |key, value| request[key.to_s] = value.to_s }
+        request.set_form_data(body.compact.transform_keys(&:to_s))
+        parse_response(request_json(uri, request))
+      end
+
+      def fetch_user_info(endpoint, tokens, method: :get, headers: {}, body: nil)
+        resolved_headers = resolve_hash(headers, tokens, {})
+        resolved_body = resolve_hash(body || {}, tokens, {})
+        resolved_headers = {"Authorization" => "Bearer #{access_token(tokens)}"}.merge(resolved_headers)
+        (method == :post) ? post_json(endpoint, resolved_body, resolved_headers) : get_json(endpoint, resolved_headers)
+      end
+
+      def refresh_access_token(token_endpoint, refresh_token, client_id:, client_secret: nil, extra_params: {})
+        normalize_tokens(post_form_json(token_endpoint, {
+          client_id: client_id,
+          client_secret: client_secret,
+          grant_type: "refresh_token",
+          refresh_token: refresh_token
+        }.merge(extra_params || {})))
+      end
+
+      def normalize_tokens(tokens, now: Time.now)
+        data = stringify_keys(tokens || {})
+        result = {}
+        result["accessToken"] = data["accessToken"] || data["access_token"] if data["accessToken"] || data["access_token"]
+        result["refreshToken"] = data["refreshToken"] || data["refresh_token"] if data["refreshToken"] || data["refresh_token"]
+        result["idToken"] = data["idToken"] || data["id_token"] if data["idToken"] || data["id_token"]
+        result["tokenType"] = data["tokenType"] || data["token_type"] if data["tokenType"] || data["token_type"]
+        scope = data["scope"] || data["scopes"]
+        result["scope"] = Array(scope).join(",").tr(" ", ",").split(",").reject(&:empty?).join(",") if scope
+        result["accessTokenExpiresAt"] = time_from(data["accessTokenExpiresAt"] || data["access_token_expires_at"]) if data["accessTokenExpiresAt"] || data["access_token_expires_at"]
+        result["refreshTokenExpiresAt"] = time_from(data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]) if data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]
+        result["accessTokenExpiresAt"] ||= now + data["expires_in"].to_i if data["expires_in"]
+        result["refreshTokenExpiresAt"] ||= now + data["refresh_token_expires_in"].to_i if data["refresh_token_expires_in"]
+        data.each { |key, value| result[key] = value unless result.key?(key) || %w[access_token refresh_token id_token token_type expires_in refresh_token_expires_in scopes].include?(key) }
+        result
       end
 
       def access_token(tokens)
@@ -50,6 +175,81 @@ module BetterAuth
         tokens[:id_token] || tokens["id_token"] || tokens[:idToken] || tokens["idToken"]
       end
 
+      def value(hash, *keys)
+        return nil unless hash
+
+        keys.each do |key|
+          return hash[key] if hash.respond_to?(:key?) && hash.key?(key)
+
+          string_key = key.to_s
+          return hash[string_key] if hash.respond_to?(:key?) && hash.key?(string_key)
+        end
+        nil
+      end
+
+      def option(options, *keys)
+        value(options, *keys)
+      end
+
+      def normalize_options(options)
+        normalized = options.dup
+        {
+          clientId: :client_id,
+          clientSecret: :client_secret,
+          clientKey: :client_key,
+          disableDefaultScope: :disable_default_scope,
+          mapProfileToUser: :map_profile_to_user,
+          getUserInfo: :get_user_info,
+          verifyIdToken: :verify_id_token,
+          refreshAccessToken: :refresh_access_token,
+          disableIdTokenSignIn: :disable_id_token_sign_in,
+          disableImplicitSignUp: :disable_implicit_sign_up,
+          disableSignUp: :disable_sign_up,
+          authorizationEndpoint: :authorization_endpoint,
+          tokenEndpoint: :token_endpoint,
+          userInfoEndpoint: :user_info_endpoint,
+          emailsEndpoint: :emails_endpoint,
+          redirectURI: :redirect_uri,
+          jwksEndpoint: :jwks_endpoint,
+          appBundleIdentifier: :app_bundle_identifier,
+          profilePhotoSize: :profile_photo_size,
+          disableProfilePhoto: :disable_profile_photo,
+          tenantId: :tenant_id
+        }.each do |camel, snake|
+          normalized[snake] = normalized[camel] if normalized.key?(camel) && !normalized.key?(snake)
+        end
+        normalized
+      end
+
+      def selected_scopes(defaults, options, data)
+        scopes = options[:disable_default_scope] ? [] : Array(defaults).dup
+        scopes.concat(Array(options[:scope])) if options[:scope]
+        scopes.concat(Array(options[:scopes])) if options[:scopes]
+        request_scopes = value(data, :scopes)
+        scopes.concat(Array(request_scopes)) if request_scopes
+        scopes
+      end
+
+      def primary_client_id(client_id)
+        value = Array(client_id).first
+        raise Error, "CLIENT_ID_AND_SECRET_REQUIRED" if value.to_s.empty?
+
+        value
+      end
+
+      def apply_profile_mapping(user, profile, options)
+        user.merge(options[:map_profile_to_user]&.call(profile) || {})
+      end
+
+      def resolve_hash(value, data, options)
+        resolved = value.respond_to?(:call) ? value.call(data, options) : value
+        (resolved || {}).compact
+      end
+
+      def provider_user_info?(value)
+        value.is_a?(Hash) && (value.key?(:user) || value.key?("user"))
+      end
+
       def decode_jwt_payload(token)
         _header, payload, _signature = token.to_s.split(".", 3)
         return {} unless payload
@@ -59,6 +259,64 @@ module BetterAuth
         {}
       end
 
+      def verify_jwt_with_jwks(token, jwks:, jwks_endpoint:, algorithms:, issuers:, audience:, nonce: nil, max_age: 3600)
+        jwks_payload = jwks.respond_to?(:call) ? jwks.call : jwks
+        jwks_payload ||= fetch_jwks(jwks_endpoint)
+        return nil unless jwks_payload
+
+        options = {
+          algorithms: algorithms,
+          jwks: JWT::JWK::Set.new(stringify_keys(jwks_payload)),
+          aud: audience,
+          verify_aud: true
+        }
+        options[:iss] = issuers if issuers
+        options[:verify_iss] = true if issuers
+        payload, = JWT.decode(token.to_s, nil, true, options)
+        return nil if nonce && payload["nonce"] != nonce
+        return nil if max_age && payload["iat"] && payload["iat"].to_i < Time.now.to_i - max_age.to_i
+
+        payload
+      rescue JWT::DecodeError, JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
+        nil
+      end
+
+      def fetch_jwks(endpoint)
+        return nil if endpoint.to_s.empty?
+
+        get_json(endpoint)
+      end
+
+      def stringify_keys(hash)
+        hash.each_with_object({}) { |(key, value), memo| memo[key.to_s] = value }
+      end
+
+      def time_from(value)
+        return value if value.is_a?(Time)
+        return nil if value.nil? || value.to_s.empty?
+
+        Time.parse(value.to_s)
+      rescue ArgumentError
+        nil
+      end
+
+      def parse_response(response)
+        return nil unless response.is_a?(Net::HTTPSuccess)
+
+        body = response.body.to_s
+        return {} if body.empty?
+
+        JSON.parse(body)
+      rescue JSON::ParserError
+        URI.decode_www_form(body).to_h
+      end
+
+      def request_json(uri, request)
+        Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https", open_timeout: 5, read_timeout: 5) do |http|
+          http.request(request)
+        end
+      end
+
       def padded_base64(value)
         value + ("=" * ((4 - value.length % 4) % 4))
       end

data/lib/better_auth/social_providers/cognito.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def cognito(client_id:, client_secret: nil, scopes: ["openid", "profile", "email"], **options)
+      domain = (options[:domain] || options[:issuer] || "https://cognito-idp.#{options[:region] || "us-east-1"}.amazonaws.com").to_s.sub(%r{/+\z}, "")
+      Base.oauth_provider(
+        id: "cognito",
+        name: "Cognito",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{domain}/oauth2/authorize",
+        token_endpoint: "#{domain}/oauth2/token",
+        user_info_endpoint: "#{domain}/oauth2/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["given_name"] || profile["username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end