better_auth 0.3.0 → 0.5.0

data/lib/better_auth/plugins/phone_number.rb

@@ -65,7 +65,38 @@ module BetterAuth
     end
 
     def sign_in_phone_number_endpoint(config)
-      Endpoint.new(path: "/sign-in/phone-number", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/sign-in/phone-number",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "signInPhoneNumber",
+            description: "Sign in with phone number and password",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  phoneNumber: {type: "string"},
+                  password: {type: "string"},
+                  rememberMe: {type: ["boolean", "null"]}
+                },
+                required: ["phoneNumber", "password"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Signed in",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"}
+                  },
+                  required: ["token", "user"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         phone_number = body[:phone_number].to_s
         password = body[:password].to_s
@@ -101,7 +132,35 @@ module BetterAuth
     end
 
     def send_phone_number_otp_endpoint(config)
-      Endpoint.new(path: "/phone-number/send-otp", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/phone-number/send-otp",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "sendPhoneNumberOTP",
+            description: "Send a phone number OTP",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  phoneNumber: {type: "string"}
+                },
+                required: ["phoneNumber"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "OTP sent",
+                OpenAPI.object_schema(
+                  {
+                    message: {type: "string"}
+                  },
+                  required: ["message"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         sender = config[:send_otp]
         unless sender.respond_to?(:call)
           raise APIError.new("NOT_IMPLEMENTED", message: PHONE_NUMBER_ERROR_CODES["SEND_OTP_NOT_IMPLEMENTED"])
@@ -118,7 +177,40 @@ module BetterAuth
     end
 
     def verify_phone_number_endpoint(config)
-      Endpoint.new(path: "/phone-number/verify", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/phone-number/verify",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "verifyPhoneNumber",
+            description: "Verify a phone number OTP",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  phoneNumber: {type: "string"},
+                  code: {type: "string"},
+                  updatePhoneNumber: {type: ["boolean", "null"]},
+                  disableSession: {type: ["boolean", "null"]}
+                },
+                required: ["phoneNumber", "code"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Phone number verified",
+                OpenAPI.object_schema(
+                  {
+                    status: {type: "boolean"},
+                    token: {type: ["string", "null"]},
+                    user: {type: "object", "$ref": "#/components/schemas/User"}
+                  },
+                  required: ["status", "user"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         phone_number = body[:phone_number].to_s
         code = body[:code].to_s
@@ -163,7 +255,27 @@ module BetterAuth
     end
 
     def request_password_reset_phone_number_endpoint(config)
-      Endpoint.new(path: "/phone-number/request-password-reset", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/phone-number/request-password-reset",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "requestPasswordResetPhoneNumber",
+            description: "Request a phone number password reset OTP",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  phoneNumber: {type: "string"}
+                },
+                required: ["phoneNumber"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Password reset OTP requested", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         phone_number = body[:phone_number].to_s
         user = ctx.context.adapter.find_one(model: "user", where: [{field: "phoneNumber", value: phone_number}])
@@ -179,7 +291,29 @@ module BetterAuth
     end
 
     def reset_password_phone_number_endpoint(config)
-      Endpoint.new(path: "/phone-number/reset-password", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/phone-number/reset-password",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "resetPasswordPhoneNumber",
+            description: "Reset a password with a phone number OTP",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  phoneNumber: {type: "string"},
+                  otp: {type: "string"},
+                  newPassword: {type: "string"}
+                },
+                required: ["phoneNumber", "otp", "newPassword"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Password reset", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         phone_number = body[:phone_number].to_s
         otp = body[:otp].to_s
@@ -225,7 +359,8 @@ module BetterAuth
           "phoneNumber" => phone_number,
           "phoneNumberVerified" => true,
           "emailVerified" => false
-        )
+        ),
+        context: ctx
       )
     end
 

data/lib/better_auth/plugins/siwe.rb

@@ -24,7 +24,37 @@ module BetterAuth
     end
 
     def get_siwe_nonce_endpoint(config)
-      Endpoint.new(path: "/siwe/nonce", method: "POST", body_schema: ->(body) { siwe_nonce_body(body) }) do |ctx|
+      Endpoint.new(
+        path: "/siwe/nonce",
+        method: "POST",
+        body_schema: ->(body) { siwe_nonce_body(body) },
+        metadata: {
+          openapi: {
+            operationId: "getSiweNonce",
+            description: "Generate a nonce for Sign-In with Ethereum",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  walletAddress: {type: "string"},
+                  chainId: {type: ["number", "string", "null"]}
+                },
+                required: ["walletAddress"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "SIWE nonce",
+                OpenAPI.object_schema(
+                  {
+                    nonce: {type: "string"}
+                  },
+                  required: ["nonce"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         wallet_address = siwe_normalize_wallet!(body[:wallet_address])
         chain_id = siwe_chain_id(body[:chain_id])
@@ -42,7 +72,42 @@ module BetterAuth
     end
 
     def verify_siwe_message_endpoint(config)
-      Endpoint.new(path: "/siwe/verify", method: "POST", body_schema: ->(body) { siwe_verify_body(body, config) }) do |ctx|
+      Endpoint.new(
+        path: "/siwe/verify",
+        method: "POST",
+        body_schema: ->(body) { siwe_verify_body(body, config) },
+        metadata: {
+          openapi: {
+            operationId: "verifySiweMessage",
+            description: "Verify a Sign-In with Ethereum message",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  walletAddress: {type: "string"},
+                  chainId: {type: ["number", "string", "null"]},
+                  message: {type: "string"},
+                  signature: {type: "string"},
+                  email: {type: ["string", "null"]}
+                },
+                required: ["walletAddress", "message", "signature"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "SIWE message verified",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    success: {type: "boolean"},
+                    user: {type: "object"}
+                  },
+                  required: ["token", "success", "user"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         wallet_address = siwe_normalize_wallet!(body[:wallet_address])
         chain_id = siwe_chain_id(body[:chain_id])
@@ -203,7 +268,8 @@ module BetterAuth
       ctx.context.internal_adapter.create_user(
         name: ens[:name] || wallet_address,
         email: (anonymous == false && !email.empty?) ? email : "#{wallet_address}@#{domain}",
-        image: ens[:avatar] || ""
+        image: ens[:avatar] || "",
+        context: ctx
       )
     end
 

data/lib/better_auth/plugins/two_factor.rb

@@ -24,6 +24,7 @@ module BetterAuth
     TRUST_DEVICE_COOKIE_NAME = "trust_device"
     TRUST_DEVICE_COOKIE_MAX_AGE = 30 * 24 * 60 * 60
     TWO_FACTOR_COOKIE_MAX_AGE = 10 * 60
+    TWO_FACTOR_MODEL = "twoFactor"
 
     module_function
 
@@ -39,6 +40,8 @@ module BetterAuth
       config[:backup_code_options] = {store_backup_codes: "encrypted"}.merge(normalize_hash(config[:backup_code_options]))
       config[:otp_options] = normalize_hash(config[:otp_options])
       config[:totp_options] = normalize_hash(config[:totp_options])
+      config[:backup_code_options][:allow_passwordless] = config[:allow_passwordless] unless config[:backup_code_options].key?(:allow_passwordless)
+      config[:totp_options][:allow_passwordless] = config[:allow_passwordless] unless config[:totp_options].key?(:allow_passwordless)
 
       Plugin.new(
         id: "two-factor",
@@ -62,7 +65,7 @@ module BetterAuth
             }
           ]
         },
-        schema: two_factor_schema(config[:schema]),
+        schema: two_factor_schema(config),
         rate_limit: [
           {
             path_matcher: ->(path) { path.start_with?("/two-factor/") },
@@ -76,13 +79,13 @@ module BetterAuth
     end
 
     def two_factor_enable_endpoint(config)
-      Endpoint.new(path: "/two-factor/enable", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/enable", method: "POST", metadata: two_factor_openapi("enableTwoFactor", "Enable two factor authentication", two_factor_enable_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         secret = two_factor_generate_secret
-        backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
+        backup = two_factor_generate_backup_codes(ctx.context.secret_config, config[:backup_code_options])
         if config[:skip_verification_on_enable]
           updated_user = ctx.context.internal_adapter.update_user(session[:user]["id"], twoFactorEnabled: true)
           new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
@@ -90,14 +93,18 @@ module BetterAuth
           ctx.context.internal_adapter.delete_session(session[:session]["token"])
         end
 
-        ctx.context.adapter.delete_many(model: config[:two_factor_table], where: [{field: "userId", value: session[:user]["id"]}])
+        existing = two_factor_record(ctx, config, session[:user]["id"])
+        verified = (!!existing && existing["verified"] != false) || !!config[:skip_verification_on_enable]
+        ctx.context.adapter.delete_many(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: session[:user]["id"]}])
         ctx.context.adapter.create(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           data: {
-            secret: Crypto.symmetric_encrypt(key: ctx.context.secret, data: secret),
+            secret: Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: secret),
             backupCodes: backup[:stored],
-            userId: session[:user]["id"]
-          }
+            userId: session[:user]["id"],
+            verified: verified
+          },
+          force_allow_id: true
         )
 
         ctx.json({
@@ -108,13 +115,13 @@ module BetterAuth
     end
 
     def two_factor_disable_endpoint(config)
-      Endpoint.new(path: "/two-factor/disable", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/disable", method: "POST", metadata: two_factor_openapi("disableTwoFactor", "Disable two factor authentication", OpenAPI.status_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
-        two_factor_check_password!(ctx, session[:user]["id"], body[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         updated_user = ctx.context.internal_adapter.update_user(session[:user]["id"], twoFactorEnabled: false)
-        ctx.context.adapter.delete(model: config[:two_factor_table], where: [{field: "userId", value: updated_user["id"]}])
+        ctx.context.adapter.delete(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: updated_user["id"]}])
         new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
         Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
         ctx.context.internal_adapter.delete_session(session[:session]["token"])
@@ -131,7 +138,7 @@ module BetterAuth
     end
 
     def two_factor_generate_totp_endpoint(config)
-      Endpoint.new(path: "/totp/generate", method: "POST") do |ctx|
+      Endpoint.new(path: "/totp/generate", method: "POST", metadata: two_factor_openapi("generateTOTP", "Generate a TOTP code", OpenAPI.object_schema({code: {type: "string"}}, required: ["code"]))) do |ctx|
         two_factor_totp_enabled!(config)
         body = normalize_hash(ctx.body)
         ctx.json({code: two_factor_totp(body[:secret], options: config[:totp_options])})
@@ -139,30 +146,41 @@ module BetterAuth
     end
 
     def two_factor_get_totp_uri_endpoint(config)
-      Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST", metadata: two_factor_openapi("getTOTPURI", "Get the TOTP URI", OpenAPI.object_schema({totpURI: {type: "string"}}, required: ["totpURI"]))) do |ctx|
         two_factor_totp_enabled!(config)
-        session = Routes.current_session(ctx, sensitive: true)
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        session = Routes.current_session(ctx)
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:totp_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
 
-        secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
+        secret = Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: record["secret"])
         ctx.json({totpURI: two_factor_totp_uri(secret, issuer: config[:issuer] || ctx.context.app_name, account: session[:user]["email"], options: config[:totp_options])})
       end
     end
 
     def two_factor_verify_totp_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-totp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-totp", method: "POST", metadata: two_factor_openapi("verifyTOTP", "Verify a TOTP code", two_factor_verification_response_schema)) do |ctx|
         two_factor_totp_enabled!(config)
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
         record = two_factor_record(ctx, config, data[:session][:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
+        if !data[:session][:session] && record["verified"] == false
+          raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"])
+        end
 
-        secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
+        secret = Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: record["secret"])
         raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_CODE"]) unless two_factor_totp_valid?(secret, body[:code], options: config[:totp_options])
 
-        if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+        if record["verified"] != true
+          if !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
+            updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
+            new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
+            ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
+            Cookies.set_session_cookie(ctx, {session: new_session, user: updated_user})
+          end
+          ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {verified: true})
+        elsif !data[:session][:user]["twoFactorEnabled"] && data[:session][:session]
           updated_user = ctx.context.internal_adapter.update_user(data[:session][:user]["id"], twoFactorEnabled: true)
           new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
           ctx.context.internal_adapter.delete_session(data[:session][:session]["token"])
@@ -173,7 +191,7 @@ module BetterAuth
     end
 
     def two_factor_send_otp_endpoint(config)
-      Endpoint.new(path: "/two-factor/send-otp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/send-otp", method: "POST", metadata: two_factor_openapi("sendTwoFactorOTP", "Send a two factor OTP", OpenAPI.status_response_schema)) do |ctx|
         otp_config = config[:otp_options]
         sender = otp_config[:send_otp]
         unless sender.respond_to?(:call)
@@ -194,7 +212,7 @@ module BetterAuth
     end
 
     def two_factor_verify_otp_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-otp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-otp", method: "POST", metadata: two_factor_openapi("verifyTwoFactorOTP", "Verify a two factor OTP", two_factor_verification_response_schema)) do |ctx|
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
         verification = ctx.context.internal_adapter.find_verification_value("2fa-otp-#{data[:key]}")
@@ -228,21 +246,21 @@ module BetterAuth
     end
 
     def two_factor_verify_backup_code_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-backup-code", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-backup-code", method: "POST", metadata: two_factor_openapi("verifyBackupCode", "Verify a two factor backup code", two_factor_verification_response_schema)) do |ctx|
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
         record = two_factor_record(ctx, config, data[:session][:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["BACKUP_CODES_NOT_ENABLED"]) unless record
 
-        codes = two_factor_read_backup_codes(ctx.context.secret, record["backupCodes"], config[:backup_code_options])
+        codes = two_factor_read_backup_codes(ctx.context.secret_config, record["backupCodes"], config[:backup_code_options])
         unless codes.include?(body[:code].to_s)
           raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_BACKUP_CODE"])
         end
 
         remaining = codes.reject { |code| code == body[:code].to_s }
-        stored = two_factor_store_backup_codes(ctx.context.secret, remaining, config[:backup_code_options])
+        stored = two_factor_store_backup_codes(ctx.context.secret_config, remaining, config[:backup_code_options])
         updated = ctx.context.adapter.update(
-          model: config[:two_factor_table],
+          model: TWO_FACTOR_MODEL,
           where: [{field: "id", value: record["id"]}, {field: "backupCodes", value: record["backupCodes"]}],
           update: {backupCodes: stored}
         )
@@ -253,16 +271,16 @@ module BetterAuth
     end
 
     def two_factor_generate_backup_codes_endpoint(config)
-      Endpoint.new(path: "/two-factor/generate-backup-codes", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/generate-backup-codes", method: "POST", metadata: two_factor_openapi("generateBackupCodes", "Generate two factor backup codes", two_factor_backup_codes_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless session[:user]["twoFactorEnabled"]
 
-        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password])
+        two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:backup_code_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless record
 
-        backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
-        ctx.context.adapter.update(model: config[:two_factor_table], where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
+        backup = two_factor_generate_backup_codes(ctx.context.secret_config, config[:backup_code_options])
+        ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
         ctx.json({status: true, backupCodes: backup[:codes]})
       end
     end
@@ -273,11 +291,54 @@ module BetterAuth
         record = two_factor_record(ctx, config, body[:user_id])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["BACKUP_CODES_NOT_ENABLED"]) unless record
 
-        ctx.json({status: true, backupCodes: two_factor_read_backup_codes(ctx.context.secret, record["backupCodes"], config[:backup_code_options])})
+        ctx.json({status: true, backupCodes: two_factor_read_backup_codes(ctx.context.secret_config, record["backupCodes"], config[:backup_code_options])})
       end
     end
 
-    def two_factor_schema(custom_schema = nil)
+    def two_factor_openapi(operation_id, description, response_schema)
+      {
+        openapi: {
+          operationId: operation_id,
+          description: description,
+          responses: {
+            "200" => OpenAPI.json_response("Success", response_schema)
+          }
+        }
+      }
+    end
+
+    def two_factor_enable_response_schema
+      OpenAPI.object_schema(
+        {
+          totpURI: {type: "string"},
+          backupCodes: {type: "array", items: {type: "string"}}
+        },
+        required: ["totpURI", "backupCodes"]
+      )
+    end
+
+    def two_factor_verification_response_schema
+      OpenAPI.object_schema(
+        {
+          token: {type: ["string", "null"]},
+          user: {type: ["object", "null"], "$ref": "#/components/schemas/User"},
+          status: {type: ["boolean", "null"]}
+        }
+      )
+    end
+
+    def two_factor_backup_codes_response_schema
+      OpenAPI.object_schema(
+        {
+          status: {type: "boolean"},
+          backupCodes: {type: "array", items: {type: "string"}}
+        },
+        required: ["status", "backupCodes"]
+      )
+    end
+
+    def two_factor_schema(config = {})
+      custom_schema = config[:schema]
       base = {
         user: {
           fields: {
@@ -288,10 +349,14 @@ module BetterAuth
           fields: {
             secret: {type: "string", required: true, returned: false, index: true},
             backupCodes: {type: "string", required: true, returned: false},
-            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}}
+            userId: {type: "string", required: true, returned: false, index: true, references: {model: "user", field: "id"}},
+            verified: {type: "boolean", required: false, default_value: true, input: false}
           }
         }
       }
+      if config[:two_factor_table] && config[:two_factor_table] != TWO_FACTOR_MODEL
+        base[:twoFactor][:model_name] = config[:two_factor_table].to_s
+      end
       deep_merge_hashes(base, normalize_hash(custom_schema || {}))
     end
 
@@ -311,7 +376,7 @@ module BetterAuth
         expiresAt: Time.now + config[:two_factor_cookie_max_age].to_i
       )
       ctx.set_signed_cookie(cookie.name, identifier, ctx.context.secret, cookie.attributes)
-      ctx.json({twoFactorRedirect: true})
+      ctx.json({twoFactorRedirect: true, twoFactorMethods: two_factor_methods(ctx, config, data[:user]["id"])})
     end
 
     def two_factor_verification_context(ctx, config)
@@ -377,11 +442,23 @@ module BetterAuth
     end
 
     def two_factor_record(ctx, config, user_id)
-      ctx.context.adapter.find_one(model: config[:two_factor_table], where: [{field: "userId", value: user_id}])
+      ctx.context.adapter.find_one(model: TWO_FACTOR_MODEL, where: [{field: "userId", value: user_id}])
+    end
+
+    def two_factor_methods(ctx, config, user_id)
+      methods = []
+      unless config[:totp_options][:disable]
+        record = two_factor_record(ctx, config, user_id)
+        methods << "totp" if record && record["verified"] != false
+      end
+      methods << "otp" if config[:otp_options][:send_otp].respond_to?(:call)
+      methods
     end
 
-    def two_factor_check_password!(ctx, user_id, password)
+    def two_factor_check_password!(ctx, user_id, password, allow_passwordless: false)
       account = ctx.context.internal_adapter.find_accounts(user_id).find { |entry| entry["providerId"] == "credential" }
+      return if allow_passwordless && !account
+
       unless account && account["password"] && Routes.verify_password_value(ctx, password.to_s, account["password"])
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
       end
@@ -472,7 +549,7 @@ module BetterAuth
       if storage == "hashed"
         Crypto.sha256(code, encoding: :base64url)
       elsif storage == "encrypted"
-        Crypto.symmetric_encrypt(key: ctx.context.secret, data: code)
+        Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: code)
       elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
         storage[:hash].call(code)
       elsif storage.is_a?(Hash) && storage[:encrypt].respond_to?(:call)
@@ -487,7 +564,7 @@ module BetterAuth
       expected, actual = if storage == "hashed"
         [stored, Crypto.sha256(input, encoding: :base64url)]
       elsif storage == "encrypted"
-        [Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored), input]
+        [Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: stored), input]
       elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
         [stored, storage[:hash].call(input)]
       elsif storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)