better_auth 0.3.0 → 0.4.0

data/lib/better_auth/plugins/organization.rb

@@ -272,6 +272,12 @@ module BetterAuth
       Endpoint.new(path: "/organization/set-active", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
+        if body.key?(:organization_id) && body[:organization_id].nil?
+          updated_session = ctx.context.internal_adapter.update_session(session[:session]["token"], {activeOrganizationId: nil, activeTeamId: nil})
+          Cookies.set_session_cookie(ctx, {session: updated_session || session[:session].merge("activeOrganizationId" => nil, "activeTeamId" => nil), user: session[:user]})
+          next ctx.json(nil)
+        end
+
         organization = organization_by_id(ctx, body[:organization_id]) || organization_by_slug(ctx, body[:organization_slug])
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) unless organization
         require_member!(ctx, session[:user]["id"], organization["id"])
@@ -285,11 +291,16 @@ module BetterAuth
       Endpoint.new(path: "/organization/get-full-organization", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
         query = normalize_hash(ctx.query)
+        explicit_lookup = query.key?(:organization_slug) || query.key?(:organization_id)
         organization = organization_by_slug(ctx, query[:organization_slug]) || organization_by_id(ctx, query[:organization_id] || session[:session]["activeOrganizationId"])
-        next ctx.json(nil) unless organization
+        unless organization
+          raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) if explicit_lookup
+
+          next ctx.json(nil)
+        end
 
         require_member!(ctx, session[:user]["id"], organization["id"])
-        members = list_members_for(ctx, organization["id"])
+        members = list_members_for(ctx, organization["id"], {limit: query[:members_limit] || config[:membership_limit]})
         invitations = ctx.context.adapter.find_many(model: "invitation", where: [{field: "organizationId", value: organization["id"]}])
         result = organization_wire(ctx, organization).merge(
           members: members.fetch(:members),
@@ -307,7 +318,7 @@ module BetterAuth
       Endpoint.new(path: "/organization/invite-member", method: "POST") do |ctx|
         session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
-        organization = organization_by_id(ctx, body[:organization_id])
+        organization = organization_by_id(ctx, body[:organization_id] || session[:session]["activeOrganizationId"]) || organization_by_slug(ctx, body[:organization_slug])
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("ORGANIZATION_NOT_FOUND")) unless organization
         require_org_permission!(ctx, config, session, organization["id"], {invitation: ["create"]}, ORGANIZATION_ERROR_CODES.fetch("YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION"))
         email = body[:email].to_s.downcase
@@ -334,21 +345,26 @@ module BetterAuth
           raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("INVITATION_LIMIT_REACHED"))
         end
         team_ids = organization_team_ids(body[:team_id] || body[:team_ids])
+        ensure_team_member_capacity!(ctx, config, team_ids)
+        invitation_data = {
+          organizationId: organization["id"],
+          email: email,
+          role: role,
+          status: "pending",
+          expiresAt: Time.now + config[:invitation_expires_in].to_i,
+          inviterId: session[:user]["id"],
+          teamId: team_ids.any? ? team_ids.join(",") : nil,
+          createdAt: Time.now
+        }.merge(additional_input(body, :organization_id, :organization_slug, :email, :role, :team_id, :team_ids))
+        merge_hook_data!(invitation_data, run_org_hook(config, :before_create_invitation, {invitation: invitation_data, inviter: session[:user], organization: organization_wire(ctx, organization)}, ctx))
         invitation = ctx.context.adapter.create(
           model: "invitation",
-          data: {
-            organizationId: organization["id"],
-            email: email,
-            role: role,
-            status: "pending",
-            expiresAt: Time.now + config[:invitation_expires_in].to_i,
-            inviterId: session[:user]["id"],
-            teamId: team_ids.any? ? team_ids.join(",") : nil,
-            createdAt: Time.now
-          }
+          data: invitation_data,
+          force_allow_id: true
         )
         sender = config[:send_invitation_email]
         sender.call({id: invitation["id"], role: role, email: email, organization: organization_wire(ctx, organization), invitation: invitation_wire(ctx, invitation), inviter: require_member!(ctx, session[:user]["id"], organization["id"])}, ctx.request) if sender.respond_to?(:call)
+        run_org_hook(config, :after_create_invitation, {invitation: invitation_wire(ctx, invitation), inviter: session[:user], organization: organization_wire(ctx, organization)}, ctx)
         ctx.json(invitation_wire(ctx, invitation))
       end
     end
@@ -365,6 +381,7 @@ module BetterAuth
         if config[:require_email_verification_on_invitation] && !session[:user]["emailVerified"]
           raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION"))
         end
+        ensure_team_member_capacity!(ctx, config, organization_team_ids(invitation["teamId"]))
         member = ctx.context.adapter.create(model: "member", data: {organizationId: invitation["organizationId"], userId: session[:user]["id"], role: invitation["role"], createdAt: Time.now})
         organization_team_ids(invitation["teamId"]).each do |team_id|
           ctx.context.adapter.create(model: "teamMember", data: {teamId: team_id, userId: session[:user]["id"], createdAt: Time.now})
@@ -488,10 +505,12 @@ module BetterAuth
     def organization_get_active_member_role_endpoint(_config)
       Endpoint.new(path: "/organization/get-active-member-role", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
-        organization_id = normalize_hash(ctx.query)[:organization_id] || session[:session]["activeOrganizationId"]
+        query = normalize_hash(ctx.query)
+        organization_id = query[:organization_id] || session[:session]["activeOrganizationId"]
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("NO_ACTIVE_ORGANIZATION")) unless organization_id
-        member = require_member!(ctx, session[:user]["id"], organization_id)
-        ctx.json({role: member["role"]})
+        require_member!(ctx, session[:user]["id"], organization_id)
+        member = require_member!(ctx, query[:user_id] || session[:user]["id"], organization_id)
+        ctx.json({role: member["role"], member: member_wire(ctx, member)})
       end
     end
 
@@ -511,7 +530,7 @@ module BetterAuth
       Endpoint.new(path: "/organization/list-members", method: "GET") do |ctx|
         session = Routes.current_session(ctx)
         query = normalize_hash(ctx.query)
-        organization_id = query[:organization_id] || organization_by_slug(ctx, query[:organization_slug])&.fetch("id")
+        organization_id = query[:organization_id] || organization_by_slug(ctx, query[:organization_slug])&.fetch("id") || session[:session]["activeOrganizationId"]
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("NO_ACTIVE_ORGANIZATION")) unless organization_id
         require_member!(ctx, session[:user]["id"], organization_id)
         ctx.json(list_members_for(ctx, organization_id, query))
@@ -543,7 +562,7 @@ module BetterAuth
         end
         team_data = {organizationId: organization_id, name: body[:name].to_s, createdAt: Time.now}.merge(additional_input(body, :organization_id, :name))
         merge_hook_data!(team_data, run_org_hook(config, :before_create_team, {team: team_data, user: session[:user], organization: organization_wire(ctx, organization)}, ctx))
-        team = ctx.context.adapter.create(model: "team", data: team_data)
+        team = ctx.context.adapter.create(model: "team", data: team_data, force_allow_id: true)
         ctx.context.adapter.create(model: "teamMember", data: {teamId: team["id"], userId: session[:user]["id"], createdAt: Time.now})
         run_org_hook(config, :after_create_team, {team: team_wire(ctx, team), user: session[:user], organization: organization_wire(ctx, organization)}, ctx)
         ctx.json(team_wire(ctx, team))
@@ -864,7 +883,7 @@ module BetterAuth
         where: where,
         limit: query[:limit],
         offset: query[:offset],
-        sort_by: query[:sort_by] ? {field: query[:sort_by], direction: query[:sort_order] || "asc"} : nil
+        sort_by: query[:sort_by] ? {field: query[:sort_by], direction: query[:sort_direction] || query[:sort_order] || "asc"} : nil
       )
       {
         members: members.map { |entry| member_wire(ctx, entry) },
@@ -872,6 +891,18 @@ module BetterAuth
       }
     end
 
+    def ensure_team_member_capacity!(ctx, config, team_ids)
+      max_members = config.dig(:teams, :maximum_members_per_team)
+      return unless max_members && team_ids.any?
+
+      team_ids.each do |team_id|
+        count = ctx.context.adapter.count(model: "teamMember", where: [{field: "teamId", value: team_id}])
+        if count >= max_members.to_i
+          raise APIError.new("FORBIDDEN", message: ORGANIZATION_ERROR_CODES.fetch("TEAM_MEMBER_LIMIT_REACHED"))
+        end
+      end
+    end
+
     def member_wire(ctx, member)
       data = Schema.parse_output(ctx.context.options, "member", member)
       user = ctx.context.internal_adapter.find_user_by_id(member["userId"])
@@ -915,7 +946,7 @@ module BetterAuth
       team = if custom.respond_to?(:call)
         custom.call(organization_wire(ctx, organization), ctx)
       else
-        ctx.context.adapter.create(model: "team", data: team_data)
+        ctx.context.adapter.create(model: "team", data: team_data, force_allow_id: true)
       end
       ctx.context.adapter.create(model: "teamMember", data: {teamId: team["id"], userId: session[:user]["id"], createdAt: Time.now})
       run_org_hook(config, :after_create_team, {team: team_wire(ctx, team), user: session[:user], organization: organization_wire(ctx, organization)}, ctx)

data/lib/better_auth/plugins/two_factor.rb

@@ -24,6 +24,7 @@ module BetterAuth
     TRUST_DEVICE_COOKIE_NAME = "trust_device"
     TRUST_DEVICE_COOKIE_MAX_AGE = 30 * 24 * 60 * 60
     TWO_FACTOR_COOKIE_MAX_AGE = 10 * 60
+    TWO_FACTOR_MODEL = "twoFactor"
 
     module_function
 
@@ -39,6 +40,8 @@ module BetterAuth
       config[:backup_code_options] = {store_backup_codes: "encrypted"}.merge(normalize_hash(config[:backup_code_options]))
       config[:otp_options] = normalize_hash(config[:otp_options])
       config[:totp_options] = normalize_hash(config[:totp_options])
+      config[:backup_code_options][:allow_passwordless] = config[:allow_passwordless] unless config[:backup_code_options].key?(:allow_passwordless)
+      config[:totp_options][:allow_passwordless] = config[:allow_passwordless] unless config[:totp_options].key?(:allow_passwordless)
 
       Plugin.new(
         id: "two-factor",
@@ -62,7 +65,7 @@ module BetterAuth
             }
           ]
         },
-        schema: two_factor_schema(config[:schema]),
+        schema: two_factor_schema(config),
         rate_limit: [
           {
             path_matcher: ->(path) { path.start_with?("/two-factor/") },
@@ -79,7 +82,7 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/enable", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         secret = two_factor_generate_secret
         backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
@@ -90,14 +93,18 @@ module BetterAuth
           ctx.context.internal_adapter.delete_session(session[:session]["token"])
         end
 
-        ctx.context.adapter.delete_many(model: config[:two_factor_table], where: [{field: "userId", value: session[:user]["id"]}])
+        existing = two_factor_record(ctx, config, session[:user]["id"])
+        verified = (!!existing && existing["verified"] != false) || !!config[:skip_verification_on_enable]
+        ctx.context.adapter.delete_many(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: session[:user]["id"]}])
         ctx.context.adapter.create(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           data: {
             secret: Crypto.symmetric_encrypt(key: ctx.context.secret, data: secret),
             backupCodes: backup[:stored],
-            userId: session[:user]["id"]
-          }
+            userId: session[:user]["id"],
+            verified: verified
+          },
+          force_allow_id: true
         )
 
         ctx.json({
@@ -111,10 +118,10 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/disable", method: "POST") do |ctx|
         session = Routes.current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         updated_user = ctx.context.internal_adapter.update_user(session[:user]["id"], twoFactorEnabled: false)
-        ctx.context.adapter.delete(model: config[:two_factor_table], where: [{field: "userId", value: updated_user["id"]}])
+        ctx.context.adapter.delete(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: updated_user["id"]}])
         new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
         Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
         ctx.context.internal_adapter.delete_session(session[:session]["token"])
@@ -142,7 +149,7 @@ module BetterAuth
       Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST") do |ctx|
         two_factor_totp_enabled!(config)
         session = Routes.current_session(ctx, sensitive: true)
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:totp_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
 
@@ -158,11 +165,22 @@ module BetterAuth
         data = two_factor_verification_context(ctx, config)
         record = two_factor_record(ctx, config, data[:session][:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
+        if !data[:session][:session] && record["verified"] == false
+          raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"])
+        end
 
         secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
         raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_CODE"]) unless two_factor_totp_valid?(secret, body[:code], options: config[:totp_options])
 
-        if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+        if record["verified"] != true
+          if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+            updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
+            new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
+            ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
+            Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
+          end
+          ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {verified: true})
+        elsif !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
           updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
           new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
           ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
@@ -242,7 +260,7 @@ module BetterAuth
         remaining = codes.reject { |code| code == body[:code].to_s }
         stored = two_factor_store_backup_codes(ctx.context.secret, remaining, config[:backup_code_options])
         updated = ctx.context.adapter.update(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           where: [{field: "id", value: record["id"]}, {field: "backupCodes", value: record["backupCodes"]}],
           update: {backupCodes: stored}
         )
@@ -257,12 +275,12 @@ module BetterAuth
         session = Routes.current_session(ctx, sensitive: true)
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless session[:user]["twoFactorEnabled"]
 
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:backup_code_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless record
 
         backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
-        ctx.context.adapter.update(model: config[:two_factor_table], where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
+        ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
         ctx.json({status: true, backupCodes: backup[:codes]})
       end
     end
@@ -277,7 +295,8 @@ module BetterAuth
       end
     end
 
-    def two_factor_schema(custom_schema = nil)
+    def two_factor_schema(config = {})
+      custom_schema = config[:schema]
       base = {
         user: {
           fields: {
@@ -288,10 +307,14 @@ module BetterAuth
           fields: {
             secret: {type: "string", required: true, returned: false, index: true},
             backupCodes: {type: "string", required: true, returned: false},
-            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}}
+            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}},
+            verified: {type: "boolean", required: false, default_value: true, input: false}
           }
         }
       }
+      if config[:two_factor_table] && config[:two_factor_table] != TWO_FACTOR_MODEL
+        base[:twoFactor][:model_name] = config[:two_factor_table].to_s
+      end
       deep_merge_hashes(base, normalize_hash(custom_schema || {}))
     end
 
@@ -311,7 +334,7 @@ module BetterAuth
         expiresAt: Time.now + config[:two_factor_cookie_max_age].to_i
       )
       ctx.set_signed_cookie(cookie.name, identifier, ctx.context.secret, cookie.attributes)
-      ctx.json({twoFactorRedirect: true})
+      ctx.json({twoFactorRedirect: true, twoFactorMethods: two_factor_methods(ctx, config, data[:user]["id"])})
     end
 
     def two_factor_verification_context(ctx, config)
@@ -377,11 +400,23 @@ module BetterAuth
     end
 
     def two_factor_record(ctx, config, user_id)
-      ctx.context.adapter.find_one(model: config[:two_factor_table], where: [{field: "userId", value: user_id}])
+      ctx.context.adapter.find_one(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: user_id}])
     end
 
-    def two_factor_check_password!(ctx, user_id, password)
+    def two_factor_methods(ctx, config, user_id)
+      methods = []
+      unless config[:totp_options][:disable]
+        record = two_factor_record(ctx, config, user_id)
+        methods << "totp" if record && record["verified"] != false
+      end
+      methods << "otp" if config[:otp_options][:send_otp].respond_to?(:call)
+      methods
+    end
+
+    def two_factor_check_password!(ctx, user_id, password, allow_passwordless: false)
       account = ctx.context.internal_adapter.find_accounts(user_id).find { |entry| entry["providerId"] == "credential" }
+      return if allow_passwordless && !account
+
       unless account && account["password"] && Routes.verify_password_value(ctx, password.to_s, account["password"])
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
       end

data/lib/better_auth/rate_limiter.rb

@@ -4,6 +4,9 @@ require "json"
 
 module BetterAuth
   class RateLimiter
+    MISSING_CLIENT_IP_WARNING = "Rate limiting skipped: could not determine client IP address. " \
+      "Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed."
+
     class MemoryStore
       def initialize
         @entries = {}
@@ -36,6 +39,7 @@ module BetterAuth
 
     def initialize
       @memory_store = MemoryStore.new
+      @warned_missing_client_ip = false
     end
 
     def call(request, context, path)
@@ -43,6 +47,7 @@ module BetterAuth
       return unless config[:enabled]
 
       ip = client_ip(request, context.options)
+      warn_missing_client_ip(context) unless ip
       return unless ip
 
       rule = rate_limit_rule(request, context, config, path)
@@ -213,6 +218,19 @@ module BetterAuth
       RequestIP.client_ip(request, options)
     end
 
+    def warn_missing_client_ip(context)
+      return if @warned_missing_client_ip
+      return if context.options.advanced.dig(:ip_address, :disable_ip_tracking)
+
+      @warned_missing_client_ip = true
+      logger = context.logger
+      if logger.respond_to?(:call)
+        logger.call(:warn, MISSING_CLIENT_IP_WARNING)
+      elsif logger.respond_to?(:warn)
+        logger.warn(MISSING_CLIENT_IP_WARNING)
+      end
+    end
+
     def matching_plugin_rule(context, path)
       context.options.plugins
         .flat_map { |plugin| Array(plugin[:rate_limit]) }

data/lib/better_auth/request_state.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module RequestState
+    THREAD_KEY = :better_auth_request_state_stack
+
+    State = Struct.new(:ref, :initializer) do
+      def get
+        store = RequestState.current_store
+        store[ref] = initializer.call unless store.key?(ref)
+        store[ref]
+      end
+
+      def set(value)
+        RequestState.current_store[ref] = value
+      end
+    end
+
+    module_function
+
+    def run(store = {}, &block)
+      stack.push(store)
+      block.call
+    ensure
+      stack.pop
+    end
+
+    def present?
+      !stack.empty?
+    end
+
+    def current_store
+      stack.last || raise("No request state found. Please make sure you are calling this function within a `run` callback.")
+    end
+
+    def define(&initializer)
+      State.new(Object.new.freeze, initializer || -> {})
+    end
+
+    def stack
+      Thread.current[THREAD_KEY] ||= []
+    end
+  end
+end

data/lib/better_auth/routes/account.rb

@@ -90,10 +90,10 @@ module BetterAuth
         Cookies.set_account_cookie(ctx, updated || account.merge(token_hash_for_storage(ctx, tokens)))
         ctx.json({
           accessToken: values["accessToken"],
-          refreshToken: values["refreshToken"],
+          refreshToken: values["refreshToken"] || refresh_token,
           accessTokenExpiresAt: values["accessTokenExpiresAt"],
-          refreshTokenExpiresAt: values["refreshTokenExpiresAt"],
-          scope: Array(values["scopes"]).join(","),
+          refreshTokenExpiresAt: values["refreshTokenExpiresAt"] || account["refreshTokenExpiresAt"],
+          scope: values["scope"] || account["scope"],
           idToken: values["idToken"] || account["idToken"],
           providerId: account["providerId"],
           accountId: account["accountId"]
@@ -167,7 +167,10 @@ module BetterAuth
     def self.update_account_tokens(ctx, account, tokens)
       return nil if account["id"].to_s.empty?
 
-      ctx.context.internal_adapter.update_account(account["id"], token_hash_for_storage(ctx, tokens))
+      data = account_token_update_hash(ctx, tokens)
+      return nil if data.empty?
+
+      ctx.context.internal_adapter.update_account(account["id"], data)
     end
 
     def self.token_hash(tokens)
@@ -183,6 +186,15 @@ module BetterAuth
       data
     end
 
+    def self.account_token_update_hash(ctx, tokens)
+      account_storage_fields(token_hash_for_storage(ctx, tokens))
+    end
+
+    def self.account_storage_fields(data)
+      allowed = %w[accessToken refreshToken idToken accessTokenExpiresAt refreshTokenExpiresAt scope]
+      token_hash(data).select { |key, value| allowed.include?(key) && !value.nil? }
+    end
+
     def self.oauth_token_for_storage(ctx, token)
       return token if token.to_s.empty?
       return token unless ctx.context.options.account[:encrypt_oauth_tokens]

data/lib/better_auth/routes/password.rb

@@ -14,6 +14,8 @@ module BetterAuth
 
         body = normalize_hash(ctx.body)
         email = body["email"].to_s.downcase
+        redirect_to = body["redirectTo"] || body["redirect_to"]
+        validate_callback_url!(ctx.context, redirect_to)
         found = ctx.context.internal_adapter.find_user_by_email(email, include_accounts: true)
         unless found
           SecureRandom.hex(12)
@@ -29,7 +31,6 @@ module BetterAuth
           expiresAt: Time.now + expires_in.to_i
         )
 
-        redirect_to = body["redirectTo"] || body["redirect_to"]
         callback = redirect_to ? URI.encode_www_form_component(redirect_to) : ""
         url = "#{ctx.context.base_url}/reset-password/#{token}?callbackURL=#{callback}"
         sender.call({user: found[:user], url: url, token: token}, ctx.request)

data/lib/better_auth/routes/sign_in.rb

@@ -27,6 +27,8 @@ module BetterAuth
         callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
         remember_me = body.key?("rememberMe") ? body["rememberMe"] : body["remember_me"]
 
+        validate_auth_callback_url!(ctx.context, callback_url, "callbackURL")
+
         unless EMAIL_PATTERN.match?(email)
           raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"])
         end

data/lib/better_auth/routes/sign_up.rb

@@ -32,6 +32,7 @@ module BetterAuth
         callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
         remember_me = body.key?("rememberMe") ? body["rememberMe"] : body["remember_me"]
 
+        validate_auth_callback_url!(ctx.context, callback_url, "callbackURL")
         validate_sign_up_input!(email, password, email_config)
 
         ctx.context.adapter.transaction do
@@ -101,6 +102,13 @@ module BetterAuth
       end
     end
 
+    def self.validate_auth_callback_url!(context, value, label)
+      return if value.nil? || value.to_s.empty?
+      return if context.trusted_origin?(value.to_s, allow_relative_paths: true)
+
+      raise APIError.new("FORBIDDEN", message: "Invalid #{label}")
+    end
+
     def self.create_sign_up_user(ctx, body, email, name, image)
       reserved = %w[email password name image callbackURL callbackUrl callback_url rememberMe remember_me]
       additional = parse_declared_input(ctx, "user", body.except(*reserved), allowed_base: [])

data/lib/better_auth/routes/social.rb

@@ -228,6 +228,12 @@ module BetterAuth
 
       if existing && existing[:linked_account]
         user = existing[:user]
+        if ctx.context.options.account[:update_account_on_sign_in] != false
+          update_data = account_storage_fields(account_info)
+          ctx.context.internal_adapter.update_account(existing[:linked_account]["id"], update_data) unless update_data.empty?
+        end
+        verified_user = update_verified_email_on_link(ctx, user["id"], user["email"], user_info)
+        user = verified_user if verified_user
         new_user = false
       elsif existing
         unless linkable_provider?(ctx, provider_id, user_info, implicit: true)
@@ -235,6 +241,8 @@ module BetterAuth
         end
         user = existing[:user]
         ctx.context.internal_adapter.create_account(account_info.merge("providerId" => provider_id, "accountId" => account_id, "userId" => user["id"]))
+        verified_user = update_verified_email_on_link(ctx, user["id"], user["email"], user_info)
+        user = verified_user if verified_user
         new_user = false
       else
         return {error: "signup disabled"} if disable_sign_up
@@ -251,6 +259,7 @@ module BetterAuth
         user = created[:user]
         new_user = true
       end
+      user = override_social_user_info(ctx, user, user_info) if existing && provider_override_user_info_on_sign_in?(provider_id, ctx.context)
 
       session = ctx.context.internal_adapter.create_session(user["id"], false, session_overrides(ctx), true, ctx)
       {session: session, user: user, new_user: new_user}
@@ -318,6 +327,27 @@ module BetterAuth
       {status: true}
     end
 
+    def self.provider_override_user_info_on_sign_in?(provider_id, context)
+      provider = social_provider(context, provider_id)
+      !!(fetch_value(provider, "overrideUserInfoOnSignIn") || fetch_value(fetch_value(provider, "options") || {}, "overrideUserInfoOnSignIn"))
+    end
+
+    def self.override_social_user_info(ctx, user, user_info)
+      email = fetch_value(user_info, "email").to_s.downcase
+      email_verified = if email == user["email"].to_s.downcase
+        !!(user["emailVerified"] || fetch_value(user_info, "emailVerified"))
+      else
+        !!fetch_value(user_info, "emailVerified")
+      end
+      update = {
+        "email" => email,
+        "name" => fetch_value(user_info, "name").to_s,
+        "image" => fetch_value(user_info, "image"),
+        "emailVerified" => email_verified
+      }.reject { |_key, value| value.nil? }
+      ctx.context.internal_adapter.update_user(user["id"], update) || user
+    end
+
     def self.safe_additional_state(body)
       additional = body["additionalData"] || body["additional_data"]
       return {} unless additional.is_a?(Hash)

data/lib/better_auth/routes/user.rb

@@ -79,10 +79,11 @@ module BetterAuth
           delete_user_by_token!(ctx, session, body["token"])
         elsif sender
           token = SecureRandom.hex(16)
+          expires_in = ctx.context.options.user.dig(:delete_user, :delete_token_expires_in) || 3600
           ctx.context.internal_adapter.create_verification_value(
             identifier: "delete-account-#{token}",
             value: session[:user]["id"],
-            expiresAt: Time.now + ctx.context.options.user.dig(:delete_user, :delete_token_expires_in).to_i
+            expiresAt: Time.now + expires_in.to_i
           )
           sender.call({user: session[:user], token: token}, ctx.request)
           next ctx.json({success: true, message: "Verification email sent"})
@@ -120,9 +121,11 @@ module BetterAuth
         new_email = (body["newEmail"] || body["new_email"]).to_s.downcase
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless EMAIL_PATTERN.match?(new_email)
         raise APIError.new("BAD_REQUEST", message: "Email is the same") if new_email == session[:user]["email"]
-        raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]) if ctx.context.internal_adapter.find_user_by_email(new_email)
+        existing_target = ctx.context.internal_adapter.find_user_by_email(new_email)
 
         if !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+          next ctx.json({status: true}) if existing_target
+
           updated = ctx.context.internal_adapter.update_user_by_email(session[:user]["email"], email: new_email)
           Cookies.set_session_cookie(ctx, {session: session[:session], user: updated})
           next ctx.json({status: true})
@@ -130,6 +133,7 @@ module BetterAuth
 
         sender = ctx.context.options.email_verification[:send_verification_email]
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+        next ctx.json({status: true}) if existing_target
 
         token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-verification"})
         sender.call({user: session[:user].merge("email" => new_email), token: token}, ctx.request)
@@ -148,7 +152,9 @@ module BetterAuth
     def self.delete_current_user!(ctx, session)
       config = ctx.context.options.user[:delete_user] || {}
       call_option(config[:before_delete], session[:user], ctx.request)
-      ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      deleted = ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      raise APIError.new("BAD_REQUEST", message: "User delete aborted") if deleted == false
+
       ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
       Cookies.delete_session_cookie(ctx)
       call_option(config[:after_delete], session[:user], ctx.request)

data/lib/better_auth/session.rb

@@ -51,7 +51,7 @@ module BetterAuth
       return nil if payload["session"]["token"] && payload["session"]["token"] != token
 
       result = {session: payload["session"], user: payload["user"]}
-      Cookies.set_cookie_cache(ctx, result, false) if should_refresh_cookie_cache?(config, payload)
+      result = refresh_cached_session(ctx, result) if should_refresh_cookie_cache?(config, payload)
       result
     end
 
@@ -89,6 +89,17 @@ module BetterAuth
       refreshed
     end
 
+    def refresh_cached_session(ctx, result)
+      now = Time.now
+      session = stringify_keys(result[:session]).merge(
+        "expiresAt" => now + ctx.context.session_config[:expires_in].to_i,
+        "updatedAt" => now
+      )
+      refreshed = {session: session, user: result[:user]}
+      Cookies.set_session_cookie(ctx, refreshed, Cookies.dont_remember?(ctx))
+      refreshed
+    end
+
     def should_refresh_cookie_cache?(config, payload)
       refresh_cache = config[:refresh_cache]
       return false if refresh_cache == false || refresh_cache.nil?