better_auth 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df93cdae06059d52fa2c3d35c5b173aba9025d5ac46bda0b93a7a8abc5045f40
-  data.tar.gz: adec802dade2610da15329266c91dcd46aecb8642165c29e364ce7db2829d217
+  metadata.gz: cd7630e5e1e1775f9db5545b1f81cbe0fed67da4e38ac59e0aa92ec3a896da3a
+  data.tar.gz: 24bfbe49981f12d00533f0db6acc9e899bdeb3edea1145f2e6c38d5cc9e8493d
 SHA512:
-  metadata.gz: f46ac8a5cf79a859a417e2cbe60f000c290d014975fb3ce910c49b6c1cd455b2123e436a42a323dd530b38096a4ebc18a1f206c97f0ef6624378c9eb051d37e3
-  data.tar.gz: '0469ddcdcad97a7b1b58e3ddc0ef8d54c7469a1e0411546367f829291ab5664fc0b4685d460d8d328fe6ef67543908060d33eb961a638121930154ca31a4cfaf'
+  metadata.gz: e168ce722c56f26dddc5e0e4eb34626ae6b4523aae547768970bde07b68f56ba31db302a2e1ea8abf0e4d1e5a5ad98018a7f0129174cc3ef09486294c7bfa28a
+  data.tar.gz: b7b9e1bbbab49acc51d876dadeebf067976658782af41a1b82e7c78d3fc2b2d15106d0e90ac7699a380e8b7f4b9211ad105bb388d8f95db17f8624b537e29d7b

data/CHANGELOG.md

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Modernized the MCP plugin to use OAuth Provider-style client, token, metadata, and protected-resource behavior while keeping legacy MCP routes as aliases.
+
+## [0.4.0] - 2026-04-30
+
+### Added
+
+- Added upstream-parity helpers for async execution, host resolution, instrumentation, request state, URL handling, OAuth2, deprecation warnings, and expanded route behavior.
+- Added two-factor, OAuth protocol, social route, organization, admin, adapter, schema, and session parity coverage.
+
+### Changed
+
+- Aligned core auth, email OTP, generic OAuth, organization, two-factor, OAuth protocol, adapter, router, rate-limiter, logger, and middleware behavior more closely with upstream Better Auth.
+
+### Fixed
+
+- Fixed upstream parity gaps in organization handling, generic OAuth user info, email OTP sign-up, database schema behavior, and route/session edge cases.
+
 ## [0.3.0] - 2026-04-29
 
 ### Added

data/README.md

@@ -66,6 +66,30 @@ auth = BetterAuth.auth(
 )
 ```
 
+### Secret Rotation
+
+Better Auth Ruby supports upstream-style non-destructive rotation for encrypted data through versioned secrets. The first entry is used for new encrypted payloads; older entries remain available for decrypting existing data.
+
+```ruby
+auth = BetterAuth.auth(
+  secret: ENV["BETTER_AUTH_SECRET"], # legacy fallback for older encrypted data
+  secrets: [
+    { version: 2, value: ENV.fetch("BETTER_AUTH_SECRET_V2") },
+    { version: 1, value: ENV.fetch("BETTER_AUTH_SECRET_V1") }
+  ],
+  database: :memory
+)
+```
+
+You can also configure the same list via `BETTER_AUTH_SECRETS`:
+
+```bash
+BETTER_AUTH_SECRETS="2:new-secret-base64,1:old-secret-base64"
+BETTER_AUTH_SECRET="legacy-secret-for-pre-rotation-data"
+```
+
+Signed cookies and HMAC/JWT signatures continue to use the current `secret`, matching upstream Better Auth behavior.
+
 ### Password Hashing
 
 Better Auth Ruby uses upstream-compatible `scrypt` password hashes by default through Ruby's `OpenSSL::KDF.scrypt`, so no extra password-hashing gem is required for the default setup.

data/lib/better_auth/adapters/internal_adapter.rb

@@ -15,18 +15,18 @@ module BetterAuth
         @hooks = DatabaseHooks.new(adapter, options)
       end
 
-      def create_oauth_user(user, account)
+      def create_oauth_user(user, account, context: nil)
         adapter.transaction do
-          created_user = create_user(user)
+          created_user = create_user(user, context: context)
           created_account = create_account(stringify_keys(account).merge("userId" => created_user["id"]))
           {user: created_user, account: created_account}
         end
       end
 
-      def create_user(user)
-        data = timestamps.merge(stringify_keys(user))
+      def create_user(user = nil, context: nil, **keywords)
+        data = timestamps.merge(stringify_keys((user || {}).merge(keywords)))
         data["email"] = data["email"].to_s.downcase if data["email"]
-        hooks.create(data, "user")
+        hooks.create(data, "user", context: context)
       end
 
       def create_account(account)
@@ -59,9 +59,12 @@ module BetterAuth
       end
 
       def delete_user(user_id)
-        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted = hooks.delete([{field: "id", value: user_id}], "user")
+        return false if deleted == false
+
         hooks.delete_many([{field: "userId", value: user_id}], "account")
-        hooks.delete([{field: "id", value: user_id}], "user")
+        delete_sessions(user_id) if !secondary_storage || options.session[:store_session_in_database]
+        deleted
       end
 
       def create_session(user_id, dont_remember_me = false, override = nil, override_all = false, context = nil)

data/lib/better_auth/adapters/memory.rb

@@ -156,33 +156,79 @@ module BetterAuth
         value = fetch_key(clause, :value)
         operator = (fetch_key(clause, :operator) || "eq").to_s
         current = record[field]
+        comparable = coerce_where_value(record, field, value, operator)
 
         case operator
         when "in"
-          Array(value).include?(current)
+          Array(comparable).include?(current)
         when "not_in"
-          !Array(value).include?(current)
+          !Array(comparable).include?(current)
         when "contains"
-          current.to_s.include?(value.to_s)
+          current.to_s.include?(comparable.to_s)
         when "starts_with"
-          current.to_s.start_with?(value.to_s)
+          current.to_s.start_with?(comparable.to_s)
         when "ends_with"
-          current.to_s.end_with?(value.to_s)
+          current.to_s.end_with?(comparable.to_s)
         when "ne"
-          current != value
+          current != comparable
         when "gt"
-          !value.nil? && current > value
+          !comparable.nil? && current > comparable
         when "gte"
-          !value.nil? && current >= value
+          !comparable.nil? && current >= comparable
         when "lt"
-          !value.nil? && current < value
+          !comparable.nil? && current < comparable
         when "lte"
-          !value.nil? && current <= value
+          !comparable.nil? && current <= comparable
         else
-          current == value
+          current == comparable
         end
       end
 
+      def coerce_where_value(record, field, value, operator)
+        attributes = schema_for_record_field(record, field)
+        return value unless attributes
+        return Array(value).map { |entry| coerce_scalar_where_value(entry, attributes) } if %w[in not_in].include?(operator)
+
+        coerce_scalar_where_value(value, attributes)
+      end
+
+      def schema_for_record_field(record, field)
+        db.each_key do |model|
+          fields = Schema.auth_tables(options)[model]&.fetch(:fields, nil)
+          next unless fields&.key?(field)
+          return fields[field] if table_for(model).include?(record)
+        end
+        nil
+      end
+
+      def coerce_scalar_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return false if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return true if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        when "number[]"
+          return Array(value).map { |entry| coerce_number(entry) }
+        when "string[]"
+          return Array(value).map(&:to_s)
+        end
+
+        value
+      end
+
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
       def sort_records(model, records, sort_by)
         field = Schema.storage_key(fetch_key(sort_by, :field))
         direction = fetch_key(sort_by, :direction).to_s

data/lib/better_auth/adapters/sql.rb

@@ -173,8 +173,7 @@ module BetterAuth
       end
 
       def join_select_sql(model, join)
-        join.flat_map do |join_model, _enabled|
-          join_model = join_model.to_s
+        normalized_join(model, join).flat_map do |join_model, _config|
           schema_for(join_model).fetch(:fields).map do |field, attributes|
             column = attributes[:field_name] || physical_name(field)
             "#{quote(join_model)}.#{quote(column)} AS #{quote("#{join_model}__#{column}")}"
@@ -185,17 +184,79 @@ module BetterAuth
       def join_sql(model, join)
         return "" unless join
 
-        join.map do |join_model, _enabled|
+        normalized_join(model, join).map do |join_model, config|
+          local_field = storage_field(model, config.fetch(:from))
+          foreign_field = storage_field(join_model, config.fetch(:to))
+          " LEFT JOIN #{quote(table_for(join_model))} AS #{quote(join_model)} ON #{quote(join_model)}.#{quote(foreign_field)} = #{quote(table_for(model))}.#{quote(local_field)}"
+        end.join
+      end
+
+      def normalized_join(model, join)
+        return {} unless join
+
+        join.each_with_object({}) do |(join_model, config), result|
           join_model = join_model.to_s
-          case [model, join_model]
-          when ["session", "user"], ["account", "user"]
-            " LEFT JOIN #{quote(table_for("user"))} AS #{quote("user")} ON #{quote("user")}.#{quote("id")} = #{quote(table_for(model))}.#{quote("user_id")}"
-          when ["user", "account"]
-            " LEFT JOIN #{quote(table_for("account"))} AS #{quote("account")} ON #{quote("account")}.#{quote("user_id")} = #{quote(table_for(model))}.#{quote("id")}"
-          else
-            ""
+          result[join_model] = normalize_join_config(model.to_s, join_model, config)
+        end
+      end
+
+      def normalize_join_config(model, join_model, config)
+        if config.is_a?(Hash) && (config.key?(:on) || config.key?("on"))
+          on = config[:on] || config["on"]
+          from = storage_key(fetch_key(on, :from))
+          to = storage_key(fetch_key(on, :to))
+          relation = config[:relation] || config["relation"]
+          limit = config[:limit] || config["limit"]
+          return {from: from, to: to, relation: relation, limit: limit, unique: unique_join_field?(join_model, to)}
+        end
+
+        inferred = inferred_join_config(model, join_model)
+        if config.is_a?(Hash)
+          relation = config[:relation] || config["relation"]
+          limit = config[:limit] || config["limit"]
+          inferred = inferred.merge(relation: relation) if relation
+          inferred = inferred.merge(limit: limit) if limit
+        end
+        inferred
+      end
+
+      def inferred_join_config(model, join_model)
+        foreign_keys = schema_for(join_model).fetch(:fields).select do |_field, attributes|
+          reference_model_matches?(attributes, model)
+        end
+        forward_join = true
+
+        if foreign_keys.empty?
+          foreign_keys = schema_for(model).fetch(:fields).select do |_field, attributes|
+            reference_model_matches?(attributes, join_model)
           end
-        end.join
+          forward_join = false
+        end
+
+        raise Error, "No foreign key found for model #{join_model} and base model #{model} while performing join operation." if foreign_keys.empty?
+        raise Error, "Multiple foreign keys found for model #{join_model} and base model #{model} while performing join operation. Only one foreign key is supported." if foreign_keys.length > 1
+
+        foreign_key, attributes = foreign_keys.first
+        reference = attributes.fetch(:references)
+        if forward_join
+          unique = attributes[:unique] == true
+          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique}
+        else
+          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true}
+        end
+      end
+
+      def reference_model_matches?(attributes, model)
+        reference = attributes[:references]
+        return false unless reference
+
+        reference_model = reference[:model] || reference["model"]
+        reference_model.to_s == model.to_s || reference_model.to_s == table_for(model)
+      end
+
+      def unique_join_field?(model, field)
+        field = storage_key(field)
+        field == "id" || schema_for(model).fetch(:fields).dig(field, :unique) == true
       end
 
       def build_where(model, where, params)
@@ -204,10 +265,11 @@ module BetterAuth
           column = "#{quote(table_for(model))}.#{quote(storage_field(model, field))}"
           operator = (fetch_key(clause, :operator) || "eq").to_s
           value = fetch_key(clause, :value)
+          attributes = schema_for(model).fetch(:fields).fetch(field)
 
           expression = case operator
           when "in", "not_in"
-            values = Array(value)
+            values = Array(value).map { |entry| coerce_where_value(entry, attributes) }
             placeholders = values.map do |entry|
               params << entry
               placeholder(params.length)
@@ -223,7 +285,7 @@ module BetterAuth
             params << pattern
             "#{column} LIKE #{placeholder(params.length)}"
           else
-            params << value
+            params << coerce_where_value(value, attributes)
             "#{column} #{sql_operator(operator)} #{placeholder(params.length)}"
           end
 
@@ -302,8 +364,7 @@ module BetterAuth
           output[field] = coerce_output_value(fetch_row(row, column), attributes) if row_key?(row, column)
         end
 
-        join&.each_key do |join_model|
-          join_model = join_model.to_s
+        normalized_join(model, join).each_key do |join_model|
           record[join_model] = normalize_joined_record(join_model, row)
         end
 
@@ -319,16 +380,34 @@ module BetterAuth
       end
 
       def collection_join?(model, join)
-        model == "user" && join&.keys&.any? { |join_model| join_model.to_s == "account" }
+        normalized_join(model, join).any? do |_join_model, config|
+          config[:relation] != "one-to-one" && config[:unique] != true
+        end
       end
 
-      def aggregate_collection_joins(_model, records, _join)
+      def aggregate_collection_joins(model, records, join)
+        join_config = normalized_join(model, join)
         grouped = {}
         records.each do |record|
           key = record.fetch("id")
-          grouped[key] ||= record.merge("account" => [])
-          account = record["account"]
-          grouped[key]["account"] << account if account&.values&.any?
+          grouped[key] ||= begin
+            base = record.reject { |field, _value| join_config.key?(field) }
+            join_defaults = join_config.each_with_object({}) do |(join_model, config), defaults|
+              defaults[join_model] = (config[:relation] == "one-to-one" || config[:unique] == true) ? nil : []
+            end
+            base.merge(join_defaults)
+          end
+
+          join_config.each do |join_model, config|
+            joined = record[join_model]
+            next unless joined&.values&.any?
+
+            if config[:relation] == "one-to-one" || config[:unique] == true
+              grouped[key][join_model] = joined
+            else
+              grouped[key][join_model] << joined
+            end
+          end
         end
         grouped.values
       end
@@ -385,6 +464,22 @@ module BetterAuth
         value
       end
 
+      def coerce_where_value(value, attributes)
+        return value if value.nil?
+
+        case attributes[:type]
+        when "boolean"
+          return coerce_value(false, attributes) if value == false || value == 0 || value.to_s.downcase == "false" || value.to_s == "0"
+          return coerce_value(true, attributes) if value == true || value == 1 || value.to_s.downcase == "true" || value.to_s == "1"
+        when "number"
+          return coerce_number(value)
+        when "date"
+          return Time.parse(value) if value.is_a?(String)
+        end
+
+        coerce_value(value, attributes)
+      end
+
       def coerce_output_value(value, attributes)
         return value if value.nil?
         return coerce_boolean(value) if attributes[:type] == "boolean"
@@ -412,6 +507,14 @@ module BetterAuth
         value
       end
 
+      def coerce_number(value)
+        return value unless value.is_a?(String)
+        return value.to_i if /\A-?\d+\z/.match?(value)
+        return value.to_f if /\A-?\d+\.\d+\z/.match?(value)
+
+        value
+      end
+
       def stringify_keys(data)
         data.each_with_object({}) do |(key, value), result|
           result[storage_key(key)] = value

data/lib/better_auth/api.rb

@@ -14,18 +14,34 @@ module BetterAuth
       context.reset_runtime! if context.respond_to?(:reset_runtime!)
       endpoint = endpoints.fetch(key.to_sym)
       input = symbolize_keys(input || {})
+      request = input[:request]
+      headers = request_headers(request).merge(normalize_headers_hash(input[:headers] || {}))
+      begin
+        prepare_context_for_call!(request, headers)
+      rescue APIError => error
+        result = Endpoint::Result.new(response: error, status: error.status_code, headers: error.headers)
+        return format_result(result, input)
+      rescue Error => error
+        api_error = APIError.new("INTERNAL_SERVER_ERROR", message: error.message)
+        result = Endpoint::Result.new(response: api_error, status: api_error.status_code, headers: api_error.headers)
+        return format_result(result, input)
+      end
+      input[:as_response] = true if request_like?(request) && !input.key?(:as_response)
       endpoint_context = Endpoint::Context.new(
         path: endpoint.path,
-        method: input[:method] || Array(endpoint.methods).first,
+        method: input[:method] || request_method(request) || Array(endpoint.methods).first,
         query: input[:query] || {},
         body: input[:body] || {},
         params: input[:params] || {},
-        headers: input[:headers] || {},
-        context: context
+        headers: headers,
+        context: context,
+        request: request_like?(request) ? request : nil
       )
 
       result = run_endpoint_with_hooks(endpoint, endpoint_context)
       format_result(result, input)
+    ensure
+      context.clear_runtime! if context.respond_to?(:clear_runtime!)
     end
 
     def execute(endpoint, endpoint_context)
@@ -51,6 +67,34 @@ module BetterAuth
         .to_sym
     end
 
+    def prepare_context_for_call!(request, headers)
+      return unless context.respond_to?(:prepare_for_api_call!)
+
+      source = direct_call_source(request, headers)
+      if context.options.dynamic_base_url? && source.nil? && !dynamic_base_url_fallback?
+        raise APIError.new(
+          "INTERNAL_SERVER_ERROR",
+          message: "Dynamic baseURL could not be resolved for this direct auth.api call. Pass `headers: request.headers` (or `request`) to the call, or add `fallback` to your baseURL config."
+        )
+      end
+
+      context.prepare_for_api_call!(source)
+    end
+
+    def direct_call_source(request, headers)
+      return request if request_like?(request)
+      return headers if headers.key?("host") || headers.key?("x-forwarded-host")
+
+      nil
+    end
+
+    def dynamic_base_url_fallback?
+      config = context.options.base_url_config
+      return false unless config.is_a?(Hash)
+
+      !!(config[:fallback] || config["fallback"])
+    end
+
     def run_endpoint_with_hooks(endpoint, endpoint_context)
       before = run_before_hooks(endpoint_context)
       return normalize_short_circuit(before, endpoint_context) if before
@@ -136,15 +180,16 @@ module BetterAuth
     end
 
     def format_result(result, input)
-      return result.to_rack_response if result.raw_response?
+      return result.to_response if result.raw_response?
+      as_response = input[:as_response] || request_like?(input[:request])
 
       if result.response.is_a?(APIError)
-        return error_response(result.response, headers: result.headers) if input[:as_response]
+        return error_response(result.response, headers: result.headers) if as_response
 
-        raise result.response
+        raise error_with_headers(result.response, result.headers)
       end
 
-      return result.to_rack_response if input[:as_response]
+      return result.to_response if as_response
 
       if input[:return_headers]
         output = {
@@ -165,7 +210,17 @@ module BetterAuth
         response: error.to_h,
         status: error.status_code,
         headers: Endpoint::Result.merge_headers(headers, error.headers)
-      ).to_rack_response
+      ).to_response
+    end
+
+    def error_with_headers(error, headers)
+      APIError.new(
+        error.status,
+        message: error.message,
+        headers: Endpoint::Result.merge_headers(headers, error.headers),
+        code: error.code,
+        body: error.body
+      )
     end
 
     def before_hooks
@@ -207,11 +262,61 @@ module BetterAuth
       hash[key] || hash[key.to_s]
     end
 
+    def request_like?(value)
+      return false unless value
+
+      value.respond_to?(:request_method) || request_method(value) || !request_headers(value).empty?
+    end
+
+    def request_method(request)
+      return unless request
+      return request.request_method if request.respond_to?(:request_method)
+
+      request.public_send(:method)
+    rescue ArgumentError, NoMethodError
+      nil
+    end
+
+    def request_headers(request)
+      return {} unless request
+
+      if request.respond_to?(:env)
+        return headers_from_env(request.env)
+      end
+
+      return normalize_headers_hash(request.headers) if request.respond_to?(:headers)
+
+      {}
+    end
+
+    def headers_from_env(env)
+      env.each_with_object({}) do |(key, value), headers|
+        case key
+        when "CONTENT_TYPE"
+          headers["content-type"] = value if value
+        when "CONTENT_LENGTH"
+          headers["content-length"] = value if value
+        else
+          next unless key.start_with?("HTTP_")
+
+          header = key.delete_prefix("HTTP_").downcase.tr("_", "-")
+          headers[header] = value
+        end
+      end
+    end
+
+    def normalize_headers_hash(headers)
+      headers.each_with_object({}) do |(key, value), result|
+        result[key.to_s.downcase.tr("_", "-")] = value
+      end
+    end
+
     def symbolize_keys(value)
       return value unless value.is_a?(Hash)
 
       value.each_with_object({}) do |(key, object_value), result|
-        result[normalize_key(key)] = object_value.is_a?(Hash) ? symbolize_keys(object_value) : object_value
+        normalized_key = normalize_key(key)
+        result[normalized_key] = object_value
       end
     end
 

data/lib/better_auth/async.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Async
+    module_function
+
+    def map_concurrent(items, concurrency:, &mapper)
+      list = items.to_a
+      return [] if list.empty?
+
+      width = normalized_concurrency(concurrency, list.length)
+      results = Array.new(list.length)
+      next_index = 0
+      first_error = nil
+      mutex = Mutex.new
+      status = Queue.new
+
+      workers = Array.new(width) do
+        Thread.new do
+          loop do
+            index = mutex.synchronize do
+              break if first_error || next_index >= list.length
+
+              current = next_index
+              next_index += 1
+              current
+            end
+            break unless index
+
+            begin
+              results[index] = mapper.call(list[index], index)
+            rescue => error
+              mutex.synchronize { first_error ||= error }
+              status << [:error, error]
+              break
+            end
+          end
+        ensure
+          status << [:done, nil]
+        end
+      end
+
+      done = 0
+      while done < workers.length
+        type, error = status.pop
+        if type == :error
+          workers.each { |worker| worker.kill if worker.alive? }
+          workers.each(&:join)
+          raise error
+        end
+
+        done += 1
+      end
+
+      raise first_error if first_error
+
+      results
+    end
+
+    def normalized_concurrency(concurrency, item_count)
+      raw = begin
+        Float(concurrency).floor
+      rescue ArgumentError, TypeError
+        1
+      end
+      raw = 1 if raw < 1
+      [raw, item_count].min
+    end
+  end
+end