better_auth 0.2.0 → 0.4.0

data/lib/better_auth/social_providers/microsoft_entra_id.rb

@@ -5,20 +5,48 @@ module BetterAuth
     module_function
 
     def microsoft_entra_id(client_id:, client_secret:, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft-entra-id",
+        provider_name: "Microsoft Entra ID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft(client_id:, client_secret: nil, tenant_id: "common", scopes: ["openid", "profile", "email", "User.Read", "offline_access"], **options)
+      normalized = Base.normalize_options(options)
+      microsoft_provider(
+        provider_id: "microsoft",
+        provider_name: "Microsoft EntraID",
+        client_id: client_id,
+        client_secret: client_secret,
+        tenant_id: normalized[:tenant_id] || tenant_id,
+        scopes: scopes,
+        **options
+      )
+    end
+
+    def microsoft_provider(provider_id:, provider_name:, client_id:, client_secret:, tenant_id:, scopes:, **options)
       authority = options[:authority] || "https://login.microsoftonline.com"
       base = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/oauth2/v2.0"
+      normalized = Base.normalize_options(options)
+      primary_client_id = Base.primary_client_id(client_id)
       {
-        id: "microsoft-entra-id",
-        name: "Microsoft Entra ID",
+        id: provider_id,
+        name: provider_name,
         client_id: client_id,
         client_secret: client_secret,
         create_authorization_url: lambda do |data|
           verifier = data[:code_verifier] || data[:codeVerifier]
           Base.authorization_url(options[:authorization_endpoint] || "#{base}/authorize", {
-            client_id: client_id,
+            client_id: primary_client_id,
             redirect_uri: data[:redirect_uri] || data[:redirectURI],
             response_type: "code",
-            scope: data[:scopes] || scopes,
+            scope: Base.selected_scopes(scopes, normalized, data),
             state: data[:state],
             code_challenge: verifier && Base.pkce_challenge(verifier),
             code_challenge_method: verifier && "S256",
@@ -28,7 +56,7 @@ module BetterAuth
         end,
         validate_authorization_code: lambda do |data|
           Base.post_form("#{base}/token", {
-            client_id: client_id,
+            client_id: primary_client_id,
             client_secret: client_secret,
             code: data[:code],
             code_verifier: data[:code_verifier] || data[:codeVerifier],
@@ -36,21 +64,65 @@ module BetterAuth
             redirect_uri: data[:redirect_uri] || data[:redirectURI]
           })
         end,
+        verify_id_token: normalized[:verify_id_token] || lambda do |token, nonce = nil|
+          return false if normalized[:disable_id_token_sign_in]
+
+          issuers = nil
+          unless %w[common organizations consumers].include?(tenant_id.to_s)
+            issuers = "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/v2.0"
+          end
+          profile = Base.verify_jwt_with_jwks(
+            token,
+            jwks: normalized[:jwks],
+            jwks_endpoint: normalized[:jwks_endpoint] || "#{authority.to_s.sub(%r{/+\z}, "")}/#{tenant_id}/discovery/v2.0/keys",
+            algorithms: ["RS256"],
+            issuers: issuers,
+            audience: Array(client_id),
+            nonce: nonce
+          )
+
+          !!(profile&.fetch("sub", nil) || profile&.fetch("oid", nil))
+        end,
         get_user_info: lambda do |tokens|
+          custom = normalized[:get_user_info]
+          next custom.call(tokens) if custom
+
           profile = Base.id_token(tokens) ? Base.decode_jwt_payload(Base.id_token(tokens)) : {}
           profile = Base.get_json("https://graph.microsoft.com/v1.0/me", "Authorization" => "Bearer #{Base.access_token(tokens)}") if profile.empty?
+          unless normalized[:disable_profile_photo]
+            photo_size = normalized[:profile_photo_size] || 48
+            photo = Base.get_bytes(
+              "https://graph.microsoft.com/v1.0/me/photos/#{photo_size}x#{photo_size}/$value",
+              "Authorization" => "Bearer #{Base.access_token(tokens)}"
+            )
+            profile["picture"] = "data:image/jpeg;base64, #{Base64.strict_encode64(photo)}" if photo
+          end
           email = profile["email"] || profile["mail"] || profile["userPrincipalName"] || profile["preferred_username"]
 
-          {
-            user: {
+          user = Base.apply_profile_mapping(
+            {
               id: profile["sub"] || profile["id"] || profile["oid"],
               email: email,
               name: profile["name"] || profile["displayName"],
               image: profile["picture"],
               emailVerified: microsoft_email_verified?(profile, email)
             },
+            profile,
+            normalized
+          )
+          {
+            user: user,
             data: profile
           }
+        end,
+        refresh_access_token: options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+          Base.refresh_access_token(
+            "#{base}/token",
+            refresh_token,
+            client_id: primary_client_id,
+            client_secret: client_secret,
+            extra_params: {scope: Base.selected_scopes(scopes, normalized, {}).join(" ")}
+          )
         end
       }
     end

data/lib/better_auth/social_providers/naver.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def naver(client_id:, client_secret:, scopes: ["profile", "email"], **options)
+      Base.oauth_provider(
+        id: "naver",
+        name: "Naver",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://nid.naver.com/oauth2.0/authorize",
+        token_endpoint: "https://nid.naver.com/oauth2.0/token",
+        user_info_endpoint: "https://openapi.naver.com/v1/nid/me",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          data = profile["response"] || {}
+          {
+            id: data["id"],
+            name: data["name"] || data["nickname"] || "",
+            email: data["email"],
+            image: data["profile_image"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/notion.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def notion(client_id:, client_secret:, scopes: [], **options)
+      Base.oauth_provider(
+        id: "notion",
+        name: "Notion",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://api.notion.com/v1/oauth/authorize",
+        token_endpoint: "https://api.notion.com/v1/oauth/token",
+        user_info_endpoint: "https://api.notion.com/v1/users/me",
+        scopes: scopes,
+        auth_params: {owner: "user"},
+        user_info_headers: {"Notion-Version" => "2022-06-28"},
+        profile_map: ->(profile) {
+          user = profile.dig("bot", "owner", "user") || profile
+          {
+            id: user["id"],
+            name: user["name"] || "",
+            email: user.dig("person", "email"),
+            image: user["avatar_url"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/paybin.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def paybin(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      issuer = (options[:issuer] || "https://idp.paybin.io").to_s.sub(%r{/+\z}, "")
+      Base.oauth_provider(
+        id: "paybin",
+        name: "Paybin",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{issuer}/oauth2/authorize",
+        token_endpoint: "#{issuer}/oauth2/token",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["preferred_username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/paypal.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def paypal(client_id:, client_secret:, scopes: [], **options)
+      sandbox = (options[:environment] || "sandbox").to_s == "sandbox"
+      auth_host = sandbox ? "https://www.sandbox.paypal.com" : "https://www.paypal.com"
+      api_host = sandbox ? "https://api-m.sandbox.paypal.com" : "https://api-m.paypal.com"
+      provider = Base.oauth_provider(
+        id: "paypal",
+        name: "PayPal",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{auth_host}/signin/authorize",
+        token_endpoint: "#{api_host}/v1/oauth2/token",
+        user_info_endpoint: "#{api_host}/v1/identity/oauth2/userinfo?schema=paypalv1.1",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["user_id"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+      provider[:verify_id_token] = provider[:options][:verify_id_token] || ->(token, _nonce = nil) { provider[:options][:disable_id_token_sign_in] ? false : !!Base.decode_jwt_payload(token)["sub"] }
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/polar.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def polar(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      Base.oauth_provider(
+        id: "polar",
+        name: "Polar",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://polar.sh/oauth2/authorize",
+        token_endpoint: "https://api.polar.sh/v1/oauth2/token",
+        user_info_endpoint: "https://api.polar.sh/v1/oauth2/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["public_name"] || profile["username"] || "",
+            email: profile["email"],
+            image: profile["avatar_url"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/railway.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def railway(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      primary_client_id = Base.primary_client_id(client_id)
+      credentials = Base64.strict_encode64("#{primary_client_id}:#{client_secret}")
+      token_endpoint = options[:token_endpoint] || options[:tokenEndpoint] || "https://backboard.railway.com/oauth/token"
+      provider = Base.oauth_provider(
+        id: "railway",
+        name: "Railway",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://backboard.railway.com/oauth/auth",
+        token_endpoint: "https://backboard.railway.com/oauth/token",
+        user_info_endpoint: "https://backboard.railway.com/oauth/me",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+      provider[:validate_authorization_code] = lambda do |data|
+        Base.post_form_json(token_endpoint, {
+          code: data[:code],
+          code_verifier: data[:code_verifier] || data[:codeVerifier],
+          grant_type: "authorization_code",
+          redirect_uri: options[:redirect_uri] || options[:redirectURI] || data[:redirect_uri] || data[:redirectURI]
+        }, {"Authorization" => "Basic #{credentials}"})
+      end
+      provider[:refresh_access_token] = options[:refresh_access_token] || options[:refreshAccessToken] || lambda do |refresh_token|
+        Base.normalize_tokens(Base.post_form_json(token_endpoint, {
+          grant_type: "refresh_token",
+          refresh_token: refresh_token
+        }, {"Authorization" => "Basic #{credentials}"}))
+      end
+      provider
+    end
+  end
+end

data/lib/better_auth/social_providers/reddit.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def reddit(client_id:, client_secret:, scopes: ["identity"], **options)
+      Base.oauth_provider(
+        id: "reddit",
+        name: "Reddit",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.reddit.com/api/v1/authorize",
+        token_endpoint: "https://www.reddit.com/api/v1/access_token",
+        user_info_endpoint: "https://oauth.reddit.com/api/v1/me",
+        user_info_headers: {"User-Agent" => "better-auth"},
+        scopes: scopes,
+        auth_params: ->(_data, opts) { {duration: opts[:duration]} },
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["name"],
+            email: profile["oauth_client_id"],
+            image: profile["icon_img"].to_s.split("?").first,
+            emailVerified: !!profile["has_verified_email"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/roblox.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def roblox(client_id:, client_secret:, scopes: ["openid", "profile"], **options)
+      Base.oauth_provider(
+        id: "roblox",
+        name: "Roblox",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://apis.roblox.com/oauth/v1/authorize",
+        token_endpoint: "https://apis.roblox.com/oauth/v1/token",
+        user_info_endpoint: "https://apis.roblox.com/oauth/v1/userinfo",
+        scopes: scopes,
+        auth_params: ->(_data, opts) { {prompt: opts[:prompt] || "select_account consent"} },
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["nickname"] || profile["preferred_username"] || "",
+            email: profile["preferred_username"],
+            image: profile["picture"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/salesforce.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def salesforce(client_id:, client_secret:, scopes: ["openid", "email", "profile"], **options)
+      host = if options[:loginUrl] || options[:login_url]
+        "https://#{options[:loginUrl] || options[:login_url]}"
+      elsif options[:environment].to_s == "sandbox"
+        "https://test.salesforce.com"
+      else
+        "https://login.salesforce.com"
+      end
+      Base.oauth_provider(
+        id: "salesforce",
+        name: "Salesforce",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "#{host}/services/oauth2/authorize",
+        token_endpoint: "#{host}/services/oauth2/token",
+        user_info_endpoint: "#{host}/services/oauth2/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["user_id"],
+            name: profile["name"],
+            email: profile["email"],
+            image: profile.dig("photos", "picture") || profile.dig("photos", "thumbnail"),
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/slack.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def slack(client_id:, client_secret:, scopes: ["openid", "profile", "email"], **options)
+      Base.oauth_provider(
+        id: "slack",
+        name: "Slack",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://slack.com/openid/connect/authorize",
+        token_endpoint: "https://slack.com/api/openid.connect.token",
+        user_info_endpoint: "https://slack.com/api/openid.connect.userInfo",
+        scopes: scopes,
+        profile_map: ->(profile) {
+          {
+            id: profile["https://slack.com/user_id"] || profile["sub"],
+            name: profile["name"] || "",
+            email: profile["email"],
+            image: profile["picture"] || profile["https://slack.com/user_image_512"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/spotify.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def spotify(client_id:, client_secret:, scopes: ["user-read-email"], **options)
+      Base.oauth_provider(
+        id: "spotify",
+        name: "Spotify",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://accounts.spotify.com/authorize",
+        token_endpoint: "https://accounts.spotify.com/api/token",
+        user_info_endpoint: "https://api.spotify.com/v1/me",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["id"],
+            name: profile["display_name"],
+            email: profile["email"],
+            image: Array(profile["images"]).first&.fetch("url", nil),
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/tiktok.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def tiktok(client_id:, client_secret:, scopes: ["user.info.profile"], **options)
+      client_key = options[:client_key] || options[:clientKey] || client_id
+      Base.oauth_provider(
+        id: "tiktok",
+        name: "TikTok",
+        client_id: client_key,
+        client_secret: client_secret,
+        authorization_endpoint: "https://www.tiktok.com/v2/auth/authorize",
+        token_endpoint: "https://open.tiktokapis.com/v2/oauth/token/",
+        user_info_endpoint: "https://open.tiktokapis.com/v2/user/info/?fields=open_id,avatar_large_url,display_name,username",
+        scopes: scopes,
+        scope_separator: ",",
+        auth_params: {client_key: client_key},
+        token_params: {client_key: client_key},
+        profile_map: ->(profile) {
+          user = profile.dig("data", "user") || profile
+          {
+            id: user["open_id"],
+            name: user["display_name"] || user["username"] || "",
+            email: user["email"] || user["username"],
+            image: user["avatar_large_url"],
+            emailVerified: false
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/twitch.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def twitch(client_id:, client_secret:, scopes: ["user:read:email", "openid"], **options)
+      Base.oauth_provider(
+        id: "twitch",
+        name: "Twitch",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://id.twitch.tv/oauth2/authorize",
+        token_endpoint: "https://id.twitch.tv/oauth2/token",
+        scopes: scopes,
+        auth_params: {
+          claims: JSON.generate({
+            userinfo: {
+              email: nil,
+              email_verified: nil,
+              preferred_username: nil,
+              picture: nil
+            }
+          })
+        },
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["preferred_username"],
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/twitter.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def twitter(client_id:, client_secret:, scopes: ["users.read", "tweet.read", "offline.access", "users.email"], **options)
+      Base.oauth_provider(
+        id: "twitter",
+        name: "Twitter",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://x.com/i/oauth2/authorize",
+        token_endpoint: "https://api.x.com/2/oauth2/token",
+        user_info_endpoint: "https://api.x.com/2/users/me?user.fields=profile_image_url,verified",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          data = profile["data"] || profile
+          {
+            id: data["id"],
+            name: data["name"],
+            email: data["email"] || data["username"],
+            image: data["profile_image_url"],
+            emailVerified: !!data["confirmed_email"]
+          }
+        },
+        **options
+      )
+    end
+  end
+end

data/lib/better_auth/social_providers/vercel.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module SocialProviders
+    module_function
+
+    def vercel(client_id:, client_secret:, scopes: [], **options)
+      provider = Base.oauth_provider(
+        id: "vercel",
+        name: "Vercel",
+        client_id: client_id,
+        client_secret: client_secret,
+        authorization_endpoint: "https://vercel.com/oauth/authorize",
+        token_endpoint: "https://api.vercel.com/login/oauth/token",
+        user_info_endpoint: "https://api.vercel.com/login/oauth/userinfo",
+        scopes: scopes,
+        pkce: true,
+        profile_map: ->(profile) {
+          {
+            id: profile["sub"],
+            name: profile["name"] || profile["preferred_username"] || "",
+            email: profile["email"],
+            image: profile["picture"],
+            emailVerified: !!profile["email_verified"]
+          }
+        },
+        **options
+      )
+      provider[:create_authorization_url] = lambda do |data|
+        verifier = data[:code_verifier] || data[:codeVerifier]
+        raise Error, "codeVerifier is required for Vercel" if verifier.to_s.empty?
+
+        selected_scopes = Base.selected_scopes(scopes, Base.normalize_options(options), data)
+        Base.authorization_url(options[:authorization_endpoint] || "https://vercel.com/oauth/authorize", {
+          client_id: Base.primary_client_id(client_id),
+          redirect_uri: options[:redirect_uri] || options[:redirectURI] || data[:redirect_uri] || data[:redirectURI],
+          response_type: "code",
+          scope: selected_scopes.empty? ? nil : selected_scopes,
+          state: data[:state],
+          code_challenge: Base.pkce_challenge(verifier),
+          code_challenge_method: "S256"
+        })
+      end
+      provider
+    end
+  end
+end