better_auth 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df93cdae06059d52fa2c3d35c5b173aba9025d5ac46bda0b93a7a8abc5045f40
-  data.tar.gz: adec802dade2610da15329266c91dcd46aecb8642165c29e364ce7db2829d217
+  metadata.gz: 38179f5800613263ca30525a3d878b91c2a5f9057f104b1f24cecbf72a0cc030
+  data.tar.gz: 9883d339ce2f1ab8f5a618da3708f4ab5bdde69a09fe98b48889b6069351c7bb
 SHA512:
-  metadata.gz: f46ac8a5cf79a859a417e2cbe60f000c290d014975fb3ce910c49b6c1cd455b2123e436a42a323dd530b38096a4ebc18a1f206c97f0ef6624378c9eb051d37e3
-  data.tar.gz: '0469ddcdcad97a7b1b58e3ddc0ef8d54c7469a1e0411546367f829291ab5664fc0b4685d460d8d328fe6ef67543908060d33eb961a638121930154ca31a4cfaf'
+  metadata.gz: b0bdd97ab9d677df601b0eed5d387a09543743aee41d0243f7ed3981935c3391f3ae10dfc110fc41312a5a4b188f29581563f2c99154a8808ed3158cb47663ad
+  data.tar.gz: 6b9b76c6969e601e01506a2cd91a28abf13eeccf0446023fad7c58e8c95476f6110b7ac6f3979fc18705687589cff74748f839c685a8ccb791392d0d2e729c15

data/CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2026-04-30
+
+### Added
+
+- Added upstream-parity helpers for async execution, host resolution, instrumentation, request state, URL handling, OAuth2, deprecation warnings, and expanded route behavior.
+- Added two-factor, OAuth protocol, social route, organization, admin, adapter, schema, and session parity coverage.
+
+### Changed
+
+- Aligned core auth, email OTP, generic OAuth, organization, two-factor, OAuth protocol, adapter, router, rate-limiter, logger, and middleware behavior more closely with upstream Better Auth.
+
+### Fixed
+
+- Fixed upstream parity gaps in organization handling, generic OAuth user info, email OTP sign-up, database schema behavior, and route/session edge cases.
+
 ## [0.3.0] - 2026-04-29
 
 ### Added

data/lib/better_auth/adapters/internal_adapter.rb

@@ -59,9 +59,12 @@ module BetterAuth
       end
 
       def delete_user(user_id)
-        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted = hooks.delete([{field: "id", value: user_id}], "user")
+        return false if deleted == false
+
         hooks.delete_many([{field: "userId", value: user_id}], "account")
-        hooks.delete([{field: "id", value: user_id}], "user")
+        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted
       end
 
       def create_session(user_id, dont_remember_me = false, override = nil, override_all = false, context = nil)

data/lib/better_auth/adapters/memory.rb

@@ -156,33 +156,79 @@ module BetterAuth
         value = fetch_key(clause, :value)
         operator = (fetch_key(clause, :operator) || "eq").to_s
         current = record[field]
+        comparable = coerce_where_value(record, field, value, operator)
 
         case operator
         when "in"
-          Array(value).include?(current)
+          Array(comparable).include?(current)
         when "not_in"
-          !Array(value).include?(current)
+          !Array(comparable).include?(current)
         when "contains"
-          current.to_s.include?(value.to_s)
+          current.to_s.include?(comparable.to_s)
         when "starts_with"
-          current.to_s.start_with?(value.to_s)
+          current.to_s.start_with?(comparable.to_s)
         when "ends_with"
-          current.to_s.end_with?(value.to_s)
+          current.to_s.end_with?(comparable.to_s)
         when "ne"
-          current != value
+          current != comparable
         when "gt"
-          !value.nil? && current > value
+          !comparable.nil? && current > comparable
         when "gte"
-          !value.nil? && current >= value
+          !comparable.nil? && current >= comparable
         when "lt"
-          !value.nil? && current < value
+          !comparable.nil? && current < comparable
         when "lte"
-          !value.nil? && current <= value
+          !comparable.nil? && current <= comparable
         else
-          current == value
+          current == comparable
         end
       end
 
+      def coerce_where_value(record, field, value, operator)
+        attributes = schema_for_record_field(record, field)
+        return value unless attributes
+        return Array(value).map { |entry| coerce_scalar_where_value(entry, attributes) } if %w[in not_in].include?(operator)
+
+        coerce_scalar_where_value(value, attributes)
+      end
+
+      def schema_for_record_field(record, field)
+        db.each_key do |model|
+          fields = Schema.auth_tables(options)[model]&.fetch(:fields, nil)
+          next unless fields&.key?(field)
+          return fields[field] if table_for(model).include?(record)
+        end
+        nil
+      end
+
+      def coerce_scalar_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return false if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return true if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        when "number[]"
+          return Array(value).map { |entry| coerce_number(entry) }
+        when "string[]"
+          return Array(value).map(&:to_s)
+        end
+
+        value
+      end
+
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
       def sort_records(model, records, sort_by)
         field = Schema.storage_key(fetch_key(sort_by, :field))
         direction = fetch_key(sort_by, :direction).to_s

data/lib/better_auth/adapters/sql.rb

@@ -204,10 +204,11 @@ module BetterAuth
           column = "#{quote(table_for(model))}.#{quote(storage_field(model, field))}"
           operator = (fetch_key(clause, :operator) || "eq").to_s
           value = fetch_key(clause, :value)
+          attributes = schema_for(model).fetch(:fields).fetch(field)
 
           expression = case operator
           when "in", "not_in"
-            values = Array(value)
+            values = Array(value).map { |entry| coerce_where_value(entry, attributes) }
             placeholders = values.map do |entry|
               params << entry
               placeholder(params.length)
@@ -223,7 +224,7 @@ module BetterAuth
             params << pattern
             "#{column} LIKE #{placeholder(params.length)}"
           else
-            params << value
+            params << coerce_where_value(value, attributes)
             "#{column} #{sql_operator(operator)} #{placeholder(params.length)}"
           end
 
@@ -385,6 +386,22 @@ module BetterAuth
         value
       end
 
+      def coerce_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return coerce_value(false, attributes) if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return coerce_value(true, attributes) if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        end
+
+        coerce_value(value, attributes)
+      end
+
       def coerce_output_value(value, attributes)
         return value if value.nil?
         return coerce_boolean(value) if attributes[:type] == "boolean"
@@ -412,6 +429,14 @@ module BetterAuth
         value
       end
 
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[storage_key(key)] = value

data/lib/better_auth/api.rb

@@ -211,7 +211,12 @@ module BetterAuth
       return value unless value.is_a?(Hash)
 
       value.each_with_object({}) do |(key, object_value), result|
-        result[normalize_key(key)] = object_value.is_a?(Hash) ? symbolize_keys(object_value) : object_value
+        normalized_key = normalize_key(key)
+        result[normalized_key] = if normalized_key == :metadata
+          object_value
+        else
+          object_value.is_a?(Hash) ? symbolize_keys(object_value) : object_value
+        end
       end
     end
 

data/lib/better_auth/async.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Async
+    module_function
+
+    def map_concurrent(items, concurrency:, &mapper)
+      list = items.to_a
+      return [] if list.empty?
+
+      width = normalized_concurrency(concurrency, list.length)
+      results = Array.new(list.length)
+      next_index = 0
+      first_error = nil
+      mutex = Mutex.new
+      status = Queue.new
+
+      workers = Array.new(width) do
+        Thread.new do
+          loop do
+            index = mutex.synchronize do
+              break if first_error || next_index >= list.length
+
+              current = next_index
+              next_index += 1
+              current
+            end
+            break unless index
+
+            begin
+              results[index] = mapper.call(list[index], index)
+            rescue => error
+              mutex.synchronize { first_error ||= error }
+              status << [:error, error]
+              break
+            end
+          end
+        ensure
+          status << [:done, nil]
+        end
+      end
+
+      done = 0
+      while done < workers.length
+        type, error = status.pop
+        if type == :error
+          workers.each { |worker| worker.kill if worker.alive? }
+          workers.each(&:join)
+          raise error
+        end
+
+        done += 1
+      end
+
+      raise first_error if first_error
+
+      results
+    end
+
+    def normalized_concurrency(concurrency, item_count)
+      raw = begin
+        Float(concurrency).floor
+      rescue ArgumentError, TypeError
+        1
+      end
+      raw = 1 if raw < 1
+      [raw, item_count].min
+    end
+  end
+end

data/lib/better_auth/database_hooks.rb

@@ -35,9 +35,9 @@ module BetterAuth
 
     def delete(where, model, custom: nil, context: nil)
       entity = adapter.find_one(model: model, where: where)
-      return custom ? custom.call(where) : adapter.delete(model: model, where: where) unless entity
+      return nil unless entity
 
-      return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+      return false if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
 
       deleted = custom ? custom.call(where) : adapter.delete(model: model, where: where)
       after_hooks(model, :delete).each { |hook| hook.call(entity, context) }
@@ -47,7 +47,7 @@ module BetterAuth
     def delete_many(where, model, custom: nil, context: nil)
       entities = adapter.find_many(model: model, where: where)
       entities.each do |entity|
-        return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+        return false if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
       end
       deleted = custom ? custom.call(where) : adapter.delete_many(model: model, where: where)
       entities.each { |entity| after_hooks(model, :delete).each { |hook| hook.call(entity, context) } }

data/lib/better_auth/deprecate.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Deprecate
+    module_function
+
+    def wrap(message, logger: nil, &block)
+      warned = false
+      proc do |*args, **kwargs|
+        unless warned
+          warn_once("[Deprecation] #{message}", logger)
+          warned = true
+        end
+        kwargs.empty? ? block.call(*args) : block.call(*args, **kwargs)
+      end
+    end
+
+    def warn_once(message, logger)
+      if logger.respond_to?(:call)
+        logger.call(message)
+      elsif logger.respond_to?(:warn)
+        logger.warn(message)
+      else
+        warn(message)
+      end
+    end
+  end
+end

data/lib/better_auth/endpoint.rb

@@ -7,16 +7,18 @@ module BetterAuth
     attr_reader :path,
       :body_schema,
       :query_schema,
+      :params_schema,
       :headers_schema,
       :metadata,
       :use,
       :handler
 
-    def initialize(path: nil, method: nil, body_schema: nil, query_schema: nil, headers_schema: nil, metadata: {}, use: [], &handler)
+    def initialize(path: nil, method: nil, body_schema: nil, query_schema: nil, params_schema: nil, headers_schema: nil, metadata: {}, use: [], &handler)
       @path = path
       @methods = Array(method || "*").map { |value| value.to_s.upcase }
       @body_schema = body_schema
       @query_schema = query_schema
+      @params_schema = params_schema
       @headers_schema = headers_schema
       @metadata = metadata || {}
       @use = Array(use)
@@ -47,6 +49,7 @@ module BetterAuth
     def apply_schemas!(context)
       context.body = validate_schema(:body, body_schema, context.body)
       context.query = validate_schema(:query, query_schema, context.query)
+      context.params = validate_schema(:params, params_schema, context.params)
       context.headers = context.send(:normalize_headers, validate_schema(:headers, headers_schema, context.headers))
     end
 
@@ -136,7 +139,7 @@ module BetterAuth
         return @raw_response if raw_response?
 
         body = if response.nil?
-          [""]
+          [JSON.generate(nil)]
         elsif response.is_a?(String)
           [response]
         else

data/lib/better_auth/host.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module BetterAuth
+  module Host
+    CLOUD_METADATA_HOSTS = [
+      "metadata.google.internal",
+      "metadata.goog",
+      "metadata",
+      "instance-data",
+      "instance-data.ec2.internal"
+    ].freeze
+
+    module_function
+
+    def classify_host(host)
+      canonical_input = normalize_input(host)
+      lowered = canonical_input.downcase
+      return {kind: :reserved, literal: :fqdn, canonical: ""} if lowered.empty?
+
+      address = parse_ip(lowered)
+      unless address
+        return {kind: :localhost, literal: :fqdn, canonical: lowered} if lowered == "localhost" || lowered.end_with?(".localhost")
+        return {kind: :cloud_metadata, literal: :fqdn, canonical: lowered} if CLOUD_METADATA_HOSTS.include?(lowered)
+
+        return {kind: :public, literal: :fqdn, canonical: lowered}
+      end
+
+      native = address.respond_to?(:native) ? address.native : address
+      if native.ipv4?
+        canonical = native.to_s
+        return {kind: classify_ipv4(canonical), literal: :ipv4, canonical: canonical}
+      end
+
+      canonical = expanded_ipv6(native)
+      {kind: classify_ipv6(canonical), literal: :ipv6, canonical: canonical}
+    end
+
+    def loopback_ip?(host)
+      classify_host(host)[:kind] == :loopback
+    end
+
+    def loopback_host?(host)
+      [:loopback, :localhost].include?(classify_host(host)[:kind])
+    end
+
+    def public_routable_host?(host)
+      classify_host(host)[:kind] == :public
+    end
+
+    def normalize_input(host)
+      value = host.to_s.strip
+      value = strip_port(value)
+      value = value[1...-1] if value.start_with?("[") && value.end_with?("]")
+      value = value.split("%", 2).first || ""
+      value.gsub(/\.+\z/, "")
+    end
+
+    def strip_port(host)
+      if host.start_with?("[")
+        closing = host.index("]")
+        return host unless closing
+
+        return host[0..closing] if host[(closing + 1)..]&.match?(/\A:\d+\z/)
+        return host
+      end
+
+      first_colon = host.index(":")
+      return host unless first_colon
+      return host if host.index(":", first_colon + 1)
+
+      host[0...first_colon]
+    end
+
+    def parse_ip(host)
+      IPAddr.new(host)
+    rescue ArgumentError
+      nil
+    end
+
+    def classify_ipv4(ip)
+      return :unspecified if ip == "0.0.0.0"
+      return :broadcast if ip == "255.255.255.255"
+
+      value = ipv4_to_i(ip)
+      return :loopback if ipv4_range?(value, "127.0.0.0", 8)
+      return :private if ipv4_range?(value, "10.0.0.0", 8)
+      return :private if ipv4_range?(value, "172.16.0.0", 12)
+      return :private if ipv4_range?(value, "192.168.0.0", 16)
+      return :link_local if ipv4_range?(value, "169.254.0.0", 16)
+      return :shared_address_space if ipv4_range?(value, "100.64.0.0", 10)
+      return :documentation if ipv4_range?(value, "192.0.2.0", 24)
+      return :documentation if ipv4_range?(value, "198.51.100.0", 24)
+      return :documentation if ipv4_range?(value, "203.0.113.0", 24)
+      return :benchmarking if ipv4_range?(value, "198.18.0.0", 15)
+      return :multicast if ipv4_range?(value, "224.0.0.0", 4)
+      return :reserved if ipv4_range?(value, "0.0.0.0", 8)
+      return :reserved if ipv4_range?(value, "192.0.0.0", 24)
+      return :reserved if ipv4_range?(value, "240.0.0.0", 4)
+
+      :public
+    end
+
+    def ipv4_to_i(ip)
+      ip.split(".").map(&:to_i).reduce(0) { |sum, part| (sum << 8) + part }
+    end
+
+    def ipv4_range?(value, prefix, length)
+      mask = (length == 32) ? 0xffffffff : ((0xffffffff << (32 - length)) & 0xffffffff)
+      (value & mask) == (ipv4_to_i(prefix) & mask)
+    end
+
+    def classify_ipv6(expanded)
+      return :unspecified if expanded == "0000:0000:0000:0000:0000:0000:0000:0000"
+      return :loopback if expanded == "0000:0000:0000:0000:0000:0000:0000:0001"
+
+      first_byte = expanded[0, 2].to_i(16)
+      second_byte = expanded[2, 2].to_i(16)
+
+      return :multicast if first_byte == 0xff
+      return :link_local if first_byte == 0xfe && (second_byte & 0xc0) == 0x80
+      return :private if (first_byte & 0xfe) == 0xfc
+      return :documentation if expanded.start_with?("2001:0db8:")
+
+      if expanded.start_with?("2002:")
+        embedded = embedded_ipv4(expanded, 1)
+        return (classify_ipv4(embedded) == :public) ? :public : :reserved if embedded
+      end
+
+      if expanded.start_with?("0064:ff9b:0000:0000:0000:0000:")
+        embedded = embedded_ipv4(expanded, 6)
+        return :reserved if embedded
+      end
+
+      if expanded.start_with?("2001:0000:")
+        embedded = embedded_ipv4(expanded, 6, xor: true)
+        return :reserved if embedded
+      end
+
+      return :reserved if expanded.start_with?("0100:0000:0000:0000:")
+
+      :public
+    end
+
+    def embedded_ipv4(expanded, start_group, xor: false)
+      groups = expanded.split(":")
+      combined = (groups.fetch(start_group).to_i(16) << 16) | groups.fetch(start_group + 1).to_i(16)
+      combined ^= 0xffffffff if xor
+      [
+        (combined >> 24) & 0xff,
+        (combined >> 16) & 0xff,
+        (combined >> 8) & 0xff,
+        combined & 0xff
+      ].join(".")
+    rescue IndexError
+      nil
+    end
+
+    def expanded_ipv6(address)
+      address.hton.bytes.each_slice(2).map do |high, low|
+        ((high << 8) + low).to_s(16).rjust(4, "0")
+      end.join(":")
+    end
+  end
+end

data/lib/better_auth/instrumentation.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Instrumentation
+    module SpanStatusCode
+      UNSET = 0
+      OK = 1
+      ERROR = 2
+    end
+
+    class NoopSpan
+      def set_attribute(_key, _value)
+        self
+      end
+
+      def set_attributes(_attributes)
+        self
+      end
+
+      def record_exception(_error)
+        self
+      end
+
+      def set_status(_status)
+        self
+      end
+
+      def add_event(_name, _attributes = nil)
+        self
+      end
+
+      def end
+        self
+      end
+    end
+
+    class NoopTracer
+      def start_active_span(_name, attributes: {}, &block)
+        span = NoopSpan.new
+        return span unless block
+
+        block.call(span)
+      ensure
+        span&.end
+      end
+    end
+
+    class Trace
+      def get_tracer(_name = "better-auth")
+        NoopTracer.new
+      end
+
+      def get_active_span
+        NoopSpan.new
+      end
+    end
+
+    module_function
+
+    def trace
+      @trace ||= Trace.new
+    end
+
+    def with_span(name, attributes: {}, &block)
+      trace.get_tracer("better-auth").start_active_span(name, attributes: attributes) do |span|
+        block.call(span)
+      rescue => error
+        span.record_exception(error)
+        span.set_status(SpanStatusCode::ERROR)
+        raise
+      end
+    end
+  end
+end

data/lib/better_auth/logger.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Logger
+    LEVELS = [:debug, :info, :success, :warn, :error].freeze
+
+    Internal = Struct.new(:level, :disabled, :handler, keyword_init: true) do
+      LEVELS.each do |log_level|
+        define_method(log_level) do |message, *args|
+          return if disabled || !Logger.should_publish?(level, log_level)
+
+          if handler
+            handler.call((log_level == :success) ? :info : log_level, message, *args)
+          else
+            Kernel.warn("#{log_level.upcase} [Better Auth]: #{message}")
+          end
+        end
+      end
+    end
+
+    module_function
+
+    def should_publish?(current_log_level, log_level)
+      LEVELS.index(log_level.to_sym).to_i >= LEVELS.index(current_log_level.to_sym).to_i
+    end
+
+    def create(level: :warn, disabled: false, log: nil, **)
+      Internal.new(level: level.to_sym, disabled: disabled, handler: log)
+    end
+  end
+end

data/lib/better_auth/middleware/origin_check.rb

@@ -14,7 +14,7 @@ module BetterAuth
 
         validate_origin(endpoint_context)
         validate_fetch_metadata(endpoint_context)
-        return if skip_origin_check?(endpoint_context)
+        return if skip_origin_check?(endpoint_context) || skip_origin_path?(endpoint_context)
 
         validate_callback_urls(endpoint_context)
         nil
@@ -87,7 +87,7 @@ module BetterAuth
       end
 
       def skip_origin_check?(endpoint_context)
-        !!endpoint_context.context.options.advanced[:disable_origin_check]
+        endpoint_context.context.options.advanced[:disable_origin_check] == true
       end
 
       def skip_csrf_for_backward_compat?(endpoint_context)