better_auth 0.3.0 → 0.5.0

data/lib/better_auth/routes/sign_up.rb

@@ -11,17 +11,52 @@ module BetterAuth
       Endpoint.new(
         path: "/sign-up/email",
         method: "POST",
+        body_schema: request_body_schema(
+          required_strings: %w[name email],
+          required_nonempty_strings: %w[password]
+        ),
         metadata: {
           allowed_media_types: [
             "application/x-www-form-urlencoded",
             "application/json"
-          ]
+          ],
+          openapi: {
+            operationId: "signUpWithEmailAndPassword",
+            description: "Sign up a user using email and password",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  name: {type: "string", description: "The name of the user"},
+                  email: {type: "string", description: "The email of the user"},
+                  password: {type: "string", description: "The password of the user"},
+                  image: {type: "string", description: "The profile image URL of the user"},
+                  callbackURL: {type: "string", description: "The URL to use for email verification callback"},
+                  rememberMe: {type: "boolean", description: "If this is false, the session will not be remembered. Default is `true`."}
+                },
+                required: ["name", "email", "password"]
+              ),
+              required: false
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Successfully created user",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string", nullable: true, description: "Authentication token for the session"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"}
+                  },
+                  required: ["user"]
+                )
+              ),
+              "422" => OpenAPI.error_response("Unprocessable Entity. User already exists or failed to create user.")
+            }
+          }
         }
       ) do |ctx|
         options = ctx.context.options
         email_config = options.email_and_password
         if email_config[:enabled] != true || email_config[:disable_sign_up]
-          raise APIError.new("BAD_REQUEST", message: "Email and password sign up is not enabled")
+          raise APIError.new("BAD_REQUEST", code: "EMAIL_PASSWORD_SIGN_UP_DISABLED", message: BASE_ERROR_CODES["EMAIL_PASSWORD_SIGN_UP_DISABLED"])
         end
 
         body = normalize_hash(ctx.body)
@@ -32,6 +67,7 @@ module BetterAuth
         callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
         remember_me = body.key?("rememberMe") ? body["rememberMe"] : body["remember_me"]
 
+        validate_auth_callback_url!(ctx.context, callback_url, "callbackURL")
         validate_sign_up_input!(email, password, email_config)
 
         ctx.context.adapter.transaction do
@@ -101,6 +137,13 @@ module BetterAuth
       end
     end
 
+    def self.validate_auth_callback_url!(context, value, label)
+      return if value.nil? || value.to_s.empty?
+      return if context.trusted_origin?(value.to_s, allow_relative_paths: true)
+
+      raise APIError.new("FORBIDDEN", message: "Invalid #{label}")
+    end
+
     def self.create_sign_up_user(ctx, body, email, name, image)
       reserved = %w[email password name image callbackURL callbackUrl callback_url rememberMe remember_me]
       additional = parse_declared_input(ctx, "user", body.except(*reserved), allowed_base: [])
@@ -110,7 +153,8 @@ module BetterAuth
           "name" => name,
           "image" => image,
           "emailVerified" => false
-        )
+        ),
+        context: ctx
       )
     rescue APIError
       raise
@@ -143,18 +187,40 @@ module BetterAuth
         "updatedAt" => now
       }
       reserved = %w[email password name image callbackURL callbackUrl callback_url rememberMe remember_me]
-      additional = parse_declared_input(ctx, "user", body.except(*reserved), allowed_base: [])
+      additional = synthetic_additional_user_fields(ctx, body.except(*reserved))
       custom = ctx.context.options.email_and_password[:custom_synthetic_user]
       return core_fields.merge(additional) unless custom.respond_to?(:call)
 
       value = {
         core_fields: core_fields.except("id"),
+        coreFields: core_fields.except("id"),
         additional_fields: additional,
+        additionalFields: additional,
         id: core_fields["id"]
       }
       stringify_synthetic_user(custom.call(value))
     end
 
+    def self.synthetic_additional_user_fields(ctx, data)
+      additional = parse_declared_input(ctx, "user", data, allowed_base: [])
+      configured = ctx.context.options.user[:additional_fields] || {}
+      configured.each do |field, attributes|
+        storage_field = Schema.storage_key(field)
+        next if additional.key?(storage_field)
+
+        field_attributes = normalize_hash(attributes || {})
+        next unless field_attributes.key?("defaultValue") || field_attributes.key?("default_value")
+
+        default = field_attributes.key?("defaultValue") ? field_attributes["defaultValue"] : field_attributes["default_value"]
+        additional[storage_field] = resolve_default(default)
+      end
+      additional
+    end
+
+    def self.resolve_default(value)
+      value.respond_to?(:call) ? value.call : value
+    end
+
     def self.stringify_synthetic_user(value)
       return value.each_with_object({}) { |(key, object_value), result| result[Schema.storage_key(key)] = object_value } if value.is_a?(Hash)
 

data/lib/better_auth/routes/social.rb

@@ -7,7 +7,49 @@ require "securerandom"
 module BetterAuth
   module Routes
     def self.sign_in_social
-      Endpoint.new(path: "/sign-in/social", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/sign-in/social",
+        method: "POST",
+        metadata: {
+          openapi: {
+            description: "Sign in with a social provider",
+            operationId: "socialSignIn",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  provider: {type: "string"},
+                  callbackURL: {type: ["string", "null"], description: "Callback URL to redirect to after the user has signed in"},
+                  errorCallbackURL: {type: ["string", "null"], description: "Callback URL to redirect to if an error happens"},
+                  newUserCallbackURL: {type: ["string", "null"]},
+                  disableRedirect: {type: ["boolean", "null"], description: "Disable automatic redirection to the provider. Useful for handling the redirection yourself"},
+                  requestSignUp: {type: ["boolean", "null"], description: "Explicitly request sign-up. Useful when disableImplicitSignUp is true for this provider"},
+                  loginHint: {type: ["string", "null"], description: "The login hint to use for the authorization code request"},
+                  additionalData: {type: ["string", "null"]},
+                  scopes: {type: ["array", "null"], description: "Array of scopes to request from the provider. This will override the default scopes passed."},
+                  idToken: {
+                    type: ["object", "null"],
+                    properties: {
+                      token: {type: "string", description: "ID token from the provider"},
+                      accessToken: {type: ["string", "null"], description: "Access token from the provider"},
+                      refreshToken: {type: ["string", "null"], description: "Refresh token from the provider"},
+                      expiresAt: {type: ["number", "null"], description: "Expiry date of the token"},
+                      nonce: {type: ["string", "null"], description: "Nonce used to generate the token"}
+                    },
+                    required: ["token"]
+                  }
+                },
+                required: ["provider"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Success - Returns either session details or redirect URL",
+                OpenAPI.session_response_schema(description: "Session response when idToken is provided")
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         provider_id = body["provider"].to_s
         provider = social_provider(ctx.context, provider_id)
@@ -66,21 +108,38 @@ module BetterAuth
 
     def self.callback_oauth
       Endpoint.new(
-        path: "/callback/:providerId",
+        path: "/callback/:id",
         method: ["GET", "POST"],
-        metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}
+        metadata: {
+          allowed_media_types: ["application/x-www-form-urlencoded", "application/json"],
+          openapi: {
+            operationId: "callbackOAuth",
+            description: "Handle an OAuth provider callback",
+            parameters: [
+              {
+                name: "id",
+                in: "path",
+                required: true,
+                schema: {type: "string"}
+              }
+            ],
+            responses: {
+              "302" => {description: "Redirects to the configured callback URL"}
+            }
+          }
+        }
       ) do |ctx|
+        provider_id = (fetch_value(ctx.params, "id") || fetch_value(ctx.params, "providerId")).to_s
         if ctx.method == "POST"
           merged = normalize_hash(ctx.query).merge(normalize_hash(ctx.body))
           query = URI.encode_www_form(merged.reject { |_key, value| value.nil? || value.to_s.empty? })
-          target = "#{ctx.context.base_url}/callback/#{fetch_value(ctx.params, "providerId")}"
+          target = "#{ctx.context.base_url}/callback/#{provider_id}"
           target = "#{target}?#{query}" unless query.empty?
           raise ctx.redirect(target)
         end
 
         source = ctx.query
         data = normalize_hash(source)
-        provider_id = fetch_value(ctx.params, "providerId").to_s
         provider = social_provider(ctx.context, provider_id)
         state = data["state"].to_s
         state_data = state.empty? ? nil : Crypto.verify_jwt(state, ctx.context.secret)
@@ -132,7 +191,42 @@ module BetterAuth
     end
 
     def self.link_social
-      Endpoint.new(path: "/link-social", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/link-social",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "linkSocialAccount",
+            description: "Link a social account to the current user",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  provider: {type: "string"},
+                  callbackURL: {type: ["string", "null"]},
+                  errorCallbackURL: {type: ["string", "null"]},
+                  disableRedirect: {type: ["boolean", "null"]},
+                  scopes: {type: ["array", "null"], items: {type: "string"}},
+                  idToken: {type: ["object", "null"]}
+                },
+                required: ["provider"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Social account link started or completed",
+                OpenAPI.object_schema(
+                  {
+                    url: {type: "string"},
+                    redirect: {type: "boolean"},
+                    status: {type: ["boolean", "null"]}
+                  },
+                  required: ["url", "redirect"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         session = current_session(ctx)
         body = normalize_hash(ctx.body)
         provider_id = body["provider"].to_s
@@ -228,6 +322,12 @@ module BetterAuth
 
       if existing && existing[:linked_account]
         user = existing[:user]
+        if ctx.context.options.account[:update_account_on_sign_in] != false
+          update_data = account_storage_fields(account_info)
+          ctx.context.internal_adapter.update_account(existing[:linked_account]["id"], update_data) unless update_data.empty?
+        end
+        verified_user = update_verified_email_on_link(ctx, user["id"], user["email"], user_info)
+        user = verified_user if verified_user
         new_user = false
       elsif existing
         unless linkable_provider?(ctx, provider_id, user_info, implicit: true)
@@ -235,6 +335,8 @@ module BetterAuth
         end
         user = existing[:user]
         ctx.context.internal_adapter.create_account(account_info.merge("providerId" => provider_id, "accountId" => account_id, "userId" => user["id"]))
+        verified_user = update_verified_email_on_link(ctx, user["id"], user["email"], user_info)
+        user = verified_user if verified_user
         new_user = false
       else
         return {error: "signup disabled"} if disable_sign_up
@@ -246,11 +348,13 @@ module BetterAuth
             image: fetch_value(user_info, "image"),
             emailVerified: !!fetch_value(user_info, "emailVerified")
           },
-          account_info.merge("providerId" => provider_id, "accountId" => account_id)
+          account_info.merge("providerId" => provider_id, "accountId" => account_id),
+          context: ctx
         )
         user = created[:user]
         new_user = true
       end
+      user = override_social_user_info(ctx, user, user_info) if existing && provider_override_user_info_on_sign_in?(provider_id, ctx.context)
 
       session = ctx.context.internal_adapter.create_session(user["id"], false, session_overrides(ctx), true, ctx)
       {session: session, user: user, new_user: new_user}
@@ -318,6 +422,27 @@ module BetterAuth
       {status: true}
     end
 
+    def self.provider_override_user_info_on_sign_in?(provider_id, context)
+      provider = social_provider(context, provider_id)
+      !!(fetch_value(provider, "overrideUserInfoOnSignIn") || fetch_value(fetch_value(provider, "options") || {}, "overrideUserInfoOnSignIn"))
+    end
+
+    def self.override_social_user_info(ctx, user, user_info)
+      email = fetch_value(user_info, "email").to_s.downcase
+      email_verified = if email == user["email"].to_s.downcase
+        !!(user["emailVerified"] || fetch_value(user_info, "emailVerified"))
+      else
+        !!fetch_value(user_info, "emailVerified")
+      end
+      update = {
+        "email" => email,
+        "name" => fetch_value(user_info, "name").to_s,
+        "image" => fetch_value(user_info, "image"),
+        "emailVerified" => email_verified
+      }.reject { |_key, value| value.nil? }
+      ctx.context.internal_adapter.update_user(user["id"], update) || user
+    end
+
     def self.safe_additional_state(body)
       additional = body["additionalData"] || body["additional_data"]
       return {} unless additional.is_a?(Hash)

data/lib/better_auth/routes/user.rb

@@ -1,12 +1,36 @@
 # frozen_string_literal: true
 
+require "securerandom"
+require "uri"
+
 module BetterAuth
   module Routes
     def self.update_user
-      Endpoint.new(path: "/update-user", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/update-user",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "updateUser",
+            description: "Update the current user's profile",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  name: {type: ["string", "null"], description: "The user's name"},
+                  image: {type: ["string", "null"], description: "The user's profile image URL"}
+                }
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("User updated", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         session = current_session(ctx)
+        raise APIError.new("BAD_REQUEST", code: "BODY_MUST_BE_AN_OBJECT", message: BASE_ERROR_CODES["BODY_MUST_BE_AN_OBJECT"]) unless ctx.body.is_a?(Hash)
+
         body = normalize_hash(ctx.body)
-        raise APIError.new("BAD_REQUEST", message: "Body must be an object") unless body.is_a?(Hash)
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["EMAIL_CAN_NOT_BE_UPDATED"]) if body.key?("email")
         update = parse_declared_input(ctx, "user", body, allowed_base: ["name", "image"])
         raise APIError.new("BAD_REQUEST", message: "No fields to update") if update.empty?
@@ -18,7 +42,38 @@ module BetterAuth
     end
 
     def self.change_password
-      Endpoint.new(path: "/change-password", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/change-password",
+        method: "POST",
+        metadata: {
+          openapi: {
+            description: "Change the password of the user",
+            operationId: "changePassword",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  newPassword: {type: "string", description: "The new password to set"},
+                  currentPassword: {type: "string", description: "The current password is required"},
+                  revokeOtherSessions: {type: ["boolean", "null"], description: "Must be a boolean value"}
+                },
+                required: ["newPassword", "currentPassword"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Password successfully changed",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string", nullable: true, description: "New session token if other sessions were revoked"},
+                    user: OpenAPI.user_response_schema
+                  },
+                  required: ["user"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         session = current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
         new_password = body["newPassword"] || body["new_password"]
@@ -42,13 +97,33 @@ module BetterAuth
     end
 
     def self.set_password
-      Endpoint.new(path: "/set-password", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/set-password",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "setPassword",
+            description: "Set a password for the current user",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  newPassword: {type: "string", description: "The password to set"}
+                },
+                required: ["newPassword"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Password set", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         session = current_session(ctx, sensitive: true)
         body = normalize_hash(ctx.body)
         new_password = body["newPassword"] || body["new_password"]
         validate_password_length!(new_password, ctx.context.options.email_and_password)
         account = credential_account(ctx, session[:user]["id"])
-        raise APIError.new("BAD_REQUEST", message: "user already has a password") if account && account["password"]
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["PASSWORD_ALREADY_SET"]) if account && account["password"]
 
         ctx.context.internal_adapter.link_account(
           userId: session[:user]["id"],
@@ -61,7 +136,37 @@ module BetterAuth
     end
 
     def self.delete_user
-      Endpoint.new(path: "/delete-user", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/delete-user",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "deleteUser",
+            description: "Delete the current user",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  password: {type: ["string", "null"], description: "The user's password"},
+                  token: {type: ["string", "null"], description: "Delete account verification token"},
+                  callbackURL: {type: ["string", "null"], description: "The URL to redirect to after deletion"}
+                }
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "User deleted or verification email sent",
+                OpenAPI.object_schema(
+                  {
+                    success: {type: "boolean"},
+                    message: {type: "string"}
+                  },
+                  required: ["success", "message"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         enabled = ctx.context.options.user.dig(:delete_user, :enabled)
         raise APIError.new("NOT_FOUND") unless enabled
 
@@ -79,12 +184,15 @@ module BetterAuth
           delete_user_by_token!(ctx, session, body["token"])
         elsif sender
           token = SecureRandom.hex(16)
+          expires_in = ctx.context.options.user.dig(:delete_user, :delete_token_expires_in) || 3600
+          callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"] || "/"
+          url = "#{ctx.context.base_url}/delete-user/callback?token=#{URI.encode_www_form_component(token)}&callbackURL=#{URI.encode_www_form_component(callback_url)}"
           ctx.context.internal_adapter.create_verification_value(
             identifier: "delete-account-#{token}",
             value: session[:user]["id"],
-            expiresAt: Time.now + ctx.context.options.user.dig(:delete_user, :delete_token_expires_in).to_i
+            expiresAt: Time.now + expires_in.to_i
           )
-          sender.call({user: session[:user], token: token}, ctx.request)
+          sender.call({user: session[:user], url: url, token: token}, ctx.request)
           next ctx.json({success: true, message: "Verification email sent"})
         elsif !body["password"]
           require_fresh_session!(ctx, session)
@@ -96,14 +204,49 @@ module BetterAuth
     end
 
     def self.delete_user_callback
-      Endpoint.new(path: "/delete-user/callback", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/delete-user/callback",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "deleteUserCallback",
+            description: "Delete the current user using a verification token",
+            parameters: [
+              {
+                name: "token",
+                in: "query",
+                required: true,
+                schema: {type: "string"}
+              },
+              {
+                name: "callbackURL",
+                in: "query",
+                required: false,
+                schema: {type: "string"}
+              }
+            ],
+            responses: {
+              "200" => OpenAPI.json_response(
+                "User deleted",
+                OpenAPI.object_schema(
+                  {
+                    success: {type: "boolean"},
+                    message: {type: "string"}
+                  },
+                  required: ["success", "message"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         enabled = ctx.context.options.user.dig(:delete_user, :enabled)
         raise APIError.new("NOT_FOUND") unless enabled
         session = current_session(ctx)
         token = fetch_value(ctx.query, "token")
-        delete_user_by_token!(ctx, session, token)
         callback_url = fetch_value(ctx.query, "callbackURL")
         validate_callback_url!(ctx.context, callback_url)
+        delete_user_by_token!(ctx, session, token)
         delete_current_user!(ctx, session)
         raise ctx.redirect(callback_url) if callback_url
 
@@ -112,7 +255,43 @@ module BetterAuth
     end
 
     def self.change_email
-      Endpoint.new(path: "/change-email", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/change-email",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "changeEmail",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  callbackURL: {type: ["string", "null"], description: "The URL to redirect to after email verification"},
+                  newEmail: {type: "string", description: "The new email address to set must be a valid email address"}
+                },
+                required: ["newEmail"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Email change request processed successfully",
+                OpenAPI.object_schema(
+                  {
+                    message: {
+                      type: "string",
+                      nullable: true,
+                      enum: ["Email updated", "Verification email sent"],
+                      description: "Status message of the email change process"
+                    },
+                    status: {type: "boolean", description: "Indicates if the request was successful"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"}
+                  },
+                  required: ["status"]
+                )
+              ),
+              "422" => OpenAPI.error_response("Unprocessable Entity. Email already exists")
+            }
+          }
+        }
+      ) do |ctx|
         enabled = ctx.context.options.user.dig(:change_email, :enabled)
         raise APIError.new("BAD_REQUEST", message: "Change email is disabled") unless enabled
         session = current_session(ctx, sensitive: true)
@@ -120,23 +299,48 @@ module BetterAuth
         new_email = (body["newEmail"] || body["new_email"]).to_s.downcase
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless EMAIL_PATTERN.match?(new_email)
         raise APIError.new("BAD_REQUEST", message: "Email is the same") if new_email == session[:user]["email"]
-        raise APIError.new("UNPROCESSABLE_ENTITY", message: BASE_ERROR_CODES["USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL"]) if ctx.context.internal_adapter.find_user_by_email(new_email)
+        sender = ctx.context.options.email_verification[:send_verification_email]
+        confirmation_sender = ctx.context.options.user.dig(:change_email, :send_change_email_confirmation)
+        can_update_without_verification = !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+        can_send_confirmation = session[:user]["emailVerified"] && confirmation_sender.respond_to?(:call)
+        can_send_verification = sender.respond_to?(:call)
+        unless can_update_without_verification || can_send_confirmation || can_send_verification
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"])
+        end
 
-        if !session[:user]["emailVerified"] && ctx.context.options.user.dig(:change_email, :update_email_without_verification)
+        existing_target = ctx.context.internal_adapter.find_user_by_email(new_email)
+        next ctx.json({status: true}) if existing_target
+
+        if can_update_without_verification
           updated = ctx.context.internal_adapter.update_user_by_email(session[:user]["email"], email: new_email)
           Cookies.set_session_cookie(ctx, {session: session[:session], user: updated})
+          send_verification_email_payload(ctx, updated, body["callbackURL"] || body["callbackUrl"] || body["callback_url"]) if can_send_verification
           next ctx.json({status: true})
         end
 
-        sender = ctx.context.options.email_verification[:send_verification_email]
-        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["VERIFICATION_EMAIL_NOT_ENABLED"]) unless sender.respond_to?(:call)
+        if can_send_confirmation
+          callback_url = body["callbackURL"] || body["callbackUrl"] || body["callback_url"]
+          token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-confirmation"})
+          url = email_verification_url(ctx, token, callback_url)
+          confirmation_sender.call({user: session[:user], new_email: new_email, url: url, token: token}, ctx.request)
+          next ctx.json({status: true})
+        end
 
-        token = create_email_verification_token(ctx, session[:user]["email"], update_to: new_email, extra: {"requestType" => "change-email-verification"})
-        sender.call({user: session[:user].merge("email" => new_email), token: token}, ctx.request)
+        send_change_email_verification(ctx, sender, session[:user], session[:user]["email"], new_email, body["callbackURL"] || body["callbackUrl"] || body["callback_url"])
         ctx.json({status: true})
       end
     end
 
+    def self.send_change_email_verification(ctx, sender, user, current_email, new_email, callback_url)
+      token = create_email_verification_token(ctx, current_email, update_to: new_email, extra: {"requestType" => "change-email-verification"})
+      sender.call({user: user.merge("email" => new_email), url: email_verification_url(ctx, token, callback_url), token: token}, ctx.request)
+    end
+
+    def self.email_verification_url(ctx, token, callback_url)
+      callback = URI.encode_www_form_component(callback_url || "/")
+      "#{ctx.context.base_url}/verify-email?token=#{URI.encode_www_form_component(token)}&callbackURL=#{callback}"
+    end
+
     def self.delete_user_by_token!(ctx, session, token)
       verification = ctx.context.internal_adapter.find_verification_value("delete-account-#{token}")
       unless verification && verification["value"] == session[:user]["id"] && !expired_time?(verification["expiresAt"])
@@ -148,7 +352,9 @@ module BetterAuth
     def self.delete_current_user!(ctx, session)
       config = ctx.context.options.user[:delete_user] || {}
       call_option(config[:before_delete], session[:user], ctx.request)
-      ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      deleted = ctx.context.internal_adapter.delete_user(session[:user]["id"])
+      raise APIError.new("BAD_REQUEST", message: "User delete aborted") if deleted == false
+
       ctx.context.internal_adapter.delete_sessions(session[:user]["id"])
       Cookies.delete_session_cookie(ctx)
       call_option(config[:after_delete], session[:user], ctx.request)
@@ -158,8 +364,10 @@ module BetterAuth
       fresh_age = ctx.context.session_config[:fresh_age].to_i
       return if fresh_age <= 0
 
-      updated_at = Session.normalize_time(session[:session]["updatedAt"] || session[:session]["updated_at"] || session[:session]["createdAt"] || session[:session]["created_at"])
-      raise APIError.new("UNAUTHORIZED") unless updated_at && updated_at + fresh_age > Time.now
+      created_at = Session.normalize_time(session[:session]["createdAt"] || session[:session]["created_at"])
+      return if created_at && created_at + fresh_age > Time.now
+
+      raise APIError.new("BAD_REQUEST", code: "SESSION_EXPIRED", message: BASE_ERROR_CODES["SESSION_EXPIRED"])
     end
 
     def self.parse_declared_input(ctx, model, data, allowed_base: [])