RubyGems - better_auth - Versions diffs - 0.3.0 → 0.5.0 - Mend

better_auth 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +17 -0
data/README.md +24 -0
data/lib/better_auth/adapters/internal_adapter.rb +10 -7
data/lib/better_auth/adapters/memory.rb +57 -11
data/lib/better_auth/adapters/sql.rb +123 -20
data/lib/better_auth/api.rb +114 -9
data/lib/better_auth/async.rb +70 -0
data/lib/better_auth/configuration.rb +97 -7
data/lib/better_auth/context.rb +165 -12
data/lib/better_auth/cookies.rb +6 -4
data/lib/better_auth/core.rb +2 -0
data/lib/better_auth/crypto/jwe.rb +27 -5
data/lib/better_auth/crypto.rb +32 -0
data/lib/better_auth/database_hooks.rb +8 -8
data/lib/better_auth/deprecate.rb +28 -0
data/lib/better_auth/endpoint.rb +92 -5
data/lib/better_auth/error.rb +8 -1
data/lib/better_auth/host.rb +166 -0
data/lib/better_auth/instrumentation.rb +74 -0
data/lib/better_auth/logger.rb +31 -0
data/lib/better_auth/middleware/origin_check.rb +2 -2
data/lib/better_auth/oauth2.rb +94 -0
data/lib/better_auth/plugins/admin/schema.rb +2 -2
data/lib/better_auth/plugins/admin.rb +344 -16
data/lib/better_auth/plugins/anonymous.rb +37 -3
data/lib/better_auth/plugins/device_authorization.rb +102 -5
data/lib/better_auth/plugins/dub.rb +148 -0
data/lib/better_auth/plugins/email_otp.rb +261 -19
data/lib/better_auth/plugins/expo.rb +17 -1
data/lib/better_auth/plugins/generic_oauth.rb +67 -35
data/lib/better_auth/plugins/jwt.rb +37 -4
data/lib/better_auth/plugins/last_login_method.rb +2 -2
data/lib/better_auth/plugins/magic_link.rb +66 -3
data/lib/better_auth/plugins/mcp/authorization.rb +111 -0
data/lib/better_auth/plugins/mcp/config.rb +51 -0
data/lib/better_auth/plugins/mcp/consent.rb +31 -0
data/lib/better_auth/plugins/mcp/legacy_aliases.rb +39 -0
data/lib/better_auth/plugins/mcp/metadata.rb +81 -0
data/lib/better_auth/plugins/mcp/registration.rb +31 -0
data/lib/better_auth/plugins/mcp/resource_handler.rb +37 -0
data/lib/better_auth/plugins/mcp/schema.rb +91 -0
data/lib/better_auth/plugins/mcp/token.rb +108 -0
data/lib/better_auth/plugins/mcp/userinfo.rb +37 -0
data/lib/better_auth/plugins/mcp.rb +111 -263
data/lib/better_auth/plugins/multi_session.rb +61 -3
data/lib/better_auth/plugins/oauth_protocol.rb +173 -30
data/lib/better_auth/plugins/oauth_proxy.rb +26 -6
data/lib/better_auth/plugins/oidc_provider.rb +118 -14
data/lib/better_auth/plugins/one_tap.rb +7 -2
data/lib/better_auth/plugins/one_time_token.rb +42 -2
data/lib/better_auth/plugins/open_api.rb +163 -318
data/lib/better_auth/plugins/organization/schema.rb +6 -0
data/lib/better_auth/plugins/organization.rb +186 -56
data/lib/better_auth/plugins/phone_number.rb +141 -6
data/lib/better_auth/plugins/siwe.rb +69 -3
data/lib/better_auth/plugins/two_factor.rb +118 -41
data/lib/better_auth/plugins/username.rb +57 -2
data/lib/better_auth/rate_limiter.rb +38 -0
data/lib/better_auth/request_state.rb +44 -0
data/lib/better_auth/response.rb +42 -0
data/lib/better_auth/router.rb +7 -1
data/lib/better_auth/routes/account.rb +220 -42
data/lib/better_auth/routes/email_verification.rb +98 -14
data/lib/better_auth/routes/password.rb +126 -8
data/lib/better_auth/routes/session.rb +128 -13
data/lib/better_auth/routes/sign_in.rb +26 -2
data/lib/better_auth/routes/sign_out.rb +13 -1
data/lib/better_auth/routes/sign_up.rb +70 -4
data/lib/better_auth/routes/social.rb +132 -7
data/lib/better_auth/routes/user.rb +228 -20
data/lib/better_auth/routes/validation.rb +50 -0
data/lib/better_auth/secret_config.rb +115 -0
data/lib/better_auth/session.rb +13 -2
data/lib/better_auth/url_helpers.rb +206 -0
data/lib/better_auth/version.rb +1 -1
data/lib/better_auth.rb +12 -0
metadata +23 -1

data/lib/better_auth/configuration.rb CHANGED Viewed

@@ -31,10 +31,11 @@ module BetterAuth
     }.freeze
     attr_reader :app_name,
-      :base_url,
+      :base_url_config,
       :base_path,
       :context_base_url,
       :secret,
+      :secret_config,
       :database,
       :plugins,
       :trusted_origins,
@@ -73,8 +74,19 @@ module BetterAuth
       @hooks = options[:hooks]
       @on_api_error = symbolize_keys(options[:on_api_error] || options[:on_apierror] || {})
       @social_providers = symbolize_keys(options[:social_providers] || {})
-      @trusted_origins_callback = options[:trusted_origins] if options[:trusted_origins].respond_to?(:call)
-      @secret = resolve_secret(options)
+      @trusted_origins_callbacks = []
+      @trusted_origins_callbacks << options[:trusted_origins] if options[:trusted_origins].respond_to?(:call)
+      @trusted_origins_callback = combined_trusted_origins_callback
+      legacy_secret = resolve_secret(options, allow_test_default: false)
+      secrets = options.key?(:secrets) ? options[:secrets] : SecretConfig.parse_env(ENV["BETTER_AUTH_SECRETS"])
+      if secrets
+        @secret_config = SecretConfig.build(secrets, legacy_secret, logger: logger)
+        @secret = @secret_config.current_secret
+      else
+        @secret = legacy_secret || (test_environment? ? DEFAULT_SECRET : nil)
+        @secret_config = @secret
+      end
+      @base_url_config = options[:base_url]
       @base_url, @context_base_url = normalize_base_url(options[:base_url])
       @session = normalize_session(options[:session])
       @account = normalize_account(options[:account])
@@ -96,16 +108,33 @@ module BetterAuth
       end
     end
+    def base_url
+      Thread.current[base_url_runtime_key] || @base_url
+    end
+    def set_runtime_base_url(value)
+      Thread.current[base_url_runtime_key] = value
+    end
+    def clear_runtime_base_url!
+      Thread.current[base_url_runtime_key] = nil
+    end
     def production?
       production_environment?
     end
+    def dynamic_base_url?
+      URLHelpers.dynamic_config?(base_url_config)
+    end
     def to_h
       {
         app_name: app_name,
         base_url: base_url,
         base_path: base_path,
         secret: secret,
+        secret_config: secret_config,
         database: database,
         plugins: plugins,
         trusted_origins: trusted_origins,
@@ -134,6 +163,11 @@ module BetterAuth
         next unless respond_to?(key)
         next if key == :database_hooks
+        if key == :trusted_origins
+          merge_trusted_origins_default(value)
+          next
+        end
         instance_variable_set("@#{key}", merge_default_value([key], public_send(key), value))
       end
     end
@@ -146,7 +180,12 @@ module BetterAuth
       return false unless uri
       if pattern.include?("*") || pattern.include?("?")
-        return wildcard_match?(pattern, origin_for(uri) || url) if pattern.include?("://")
+        if pattern.include?("://")
+          origin = origin_for(uri)
+          return true if origin && wildcard_match?(pattern, origin)
+          return wildcard_match?(pattern, url)
+        end
         return wildcard_match?(pattern, uri.host.to_s)
       end
@@ -191,6 +230,15 @@ module BetterAuth
       configured = value || env_base_url
       return ["", ""] unless configured && !configured.empty?
+      if URLHelpers.dynamic_config?(configured)
+        validate_dynamic_base_url!(configured)
+        resolved = URLHelpers.resolve_base_url(configured, base_path)
+        return ["", ""] unless resolved
+        uri = URI.parse(resolved)
+        return [self.class.origin_for(uri), resolved.sub(%r{/+\z}, "")]
+      end
       with_path = append_base_path(configured.to_s)
       uri = URI.parse(with_path)
       validate_http_url!(uri, configured)
@@ -199,6 +247,11 @@ module BetterAuth
       raise Error, "Invalid base URL: #{configured}. Please provide a valid base URL."
     end
+    def validate_dynamic_base_url!(value)
+      allowed_hosts = value[:allowed_hosts] || value["allowed_hosts"] || value[:allowedHosts] || value["allowedHosts"]
+      raise Error, "baseURL.allowedHosts cannot be empty" if allowed_hosts.respond_to?(:empty?) && allowed_hosts.empty?
+    end
     def normalize_base_path(value)
       return "" if value.nil? || value == "" || value == "/"
@@ -235,8 +288,9 @@ module BetterAuth
       ].find { |value| value && !value.empty? }
     end
-    def resolve_secret(options)
-      options[:secret] || ENV["BETTER_AUTH_SECRET"] || ENV["AUTH_SECRET"] || (test_environment? ? DEFAULT_SECRET : nil)
+    def resolve_secret(options, allow_test_default: true)
+      [options[:secret], ENV["BETTER_AUTH_SECRET"], ENV["AUTH_SECRET"]].find { |value| value && !value.empty? } ||
+        ((allow_test_default && test_environment?) ? DEFAULT_SECRET : nil)
     end
     def validate_secret
@@ -244,6 +298,10 @@ module BetterAuth
         raise Error, "BETTER_AUTH_SECRET is missing. Set it in your environment or pass `secret` to BetterAuth.auth(secret: ...)."
       end
+      if production_environment? && secret == DEFAULT_SECRET
+        raise Error, "You are using the default secret. Please set `BETTER_AUTH_SECRET` in your environment variables or pass `secret` in your auth config."
+      end
       return if test_environment? && secret == DEFAULT_SECRET
       warn("[better-auth] Warning: your BETTER_AUTH_SECRET should be at least 32 characters long for adequate security.") if secret.length < 32
@@ -263,7 +321,8 @@ module BetterAuth
       session = deep_merge(DEFAULT_SESSION, configured)
       if database.nil?
-        session = deep_merge(session, DEFAULT_STATELESS_SESSION)
+        session = deep_merge(session, deep_dup(DEFAULT_STATELESS_SESSION))
+        session[:cookie_cache][:max_age] ||= session[:expires_in]
       else
         session[:cookie_cache] = cookie_cache unless cookie_cache.empty?
       end
@@ -316,11 +375,38 @@ module BetterAuth
     def normalize_trusted_origins(value)
       origins = []
       origins << base_url unless base_url.nil? || base_url.empty?
+      origins.concat(dynamic_base_url_trusted_origins)
       origins.concat(Array(value).compact) unless value.respond_to?(:call)
       origins.concat(env_trusted_origins)
       origins.map(&:to_s).reject(&:empty?).uniq
     end
+    def dynamic_base_url_trusted_origins
+      return [] unless URLHelpers.dynamic_config?(base_url_config)
+      protocol = base_url_config[:protocol] || base_url_config["protocol"] || "https"
+      allowed_hosts = base_url_config[:allowed_hosts] || base_url_config["allowed_hosts"] || base_url_config[:allowedHosts] || base_url_config["allowedHosts"] || []
+      Array(allowed_hosts).map do |host|
+        host = host.to_s
+        host.match?(%r{\Ahttps?://}i) ? host : "#{protocol}://#{host}"
+      end
+    end
+    def merge_trusted_origins_default(value)
+      if value.respond_to?(:call)
+        @trusted_origins_callbacks << value
+        @trusted_origins_callback = combined_trusted_origins_callback
+      else
+        @trusted_origins = (trusted_origins + Array(value).compact.map(&:to_s).reject(&:empty?)).uniq
+      end
+    end
+    def combined_trusted_origins_callback
+      return nil if @trusted_origins_callbacks.empty?
+      ->(request) { @trusted_origins_callbacks.flat_map { |callback| Array(callback.call(request)) }.compact }
+    end
     def env_trusted_origins
       ENV.fetch("BETTER_AUTH_TRUSTED_ORIGINS", "").split(",").map(&:strip).reject(&:empty?)
     end
@@ -388,6 +474,10 @@ module BetterAuth
       end
     end
+    def base_url_runtime_key
+      :"better_auth_configuration_base_url_#{object_id}"
+    end
     def test_environment?
       ENV["RACK_ENV"] == "test" || ENV["RAILS_ENV"] == "test" || ENV["APP_ENV"] == "test"
     end

data/lib/better_auth/context.rb CHANGED Viewed

@@ -5,21 +5,16 @@ require "uri"
 module BetterAuth
   class Context
     attr_reader :app_name,
-      :base_url,
       :version,
       :options,
       :social_providers,
-      :cookies,
-      :auth_cookies,
       :adapter,
       :internal_adapter,
       :logger,
       :session_config,
       :rate_limit_config,
-      :trusted_origins,
       :secret,
-      :current_session,
-      :new_session
+      :secret_config
     def initialize(configuration)
       @app_name = configuration.app_name
@@ -36,6 +31,7 @@ module BetterAuth
       @rate_limit_config = configuration.rate_limit
       @trusted_origins = configuration.trusted_origins
       @secret = configuration.secret
+      @secret_config = configuration.secret_config
       @current_session = nil
       @new_session = nil
     end
@@ -46,12 +42,36 @@ module BetterAuth
       end
     end
+    def base_url
+      runtime_fetch(:base_url, @base_url)
+    end
+    def trusted_origins
+      runtime_fetch(:trusted_origins, @trusted_origins)
+    end
+    def auth_cookies
+      runtime_fetch(:auth_cookies, @auth_cookies)
+    end
+    def cookies
+      runtime_fetch(:cookies, @cookies)
+    end
+    def current_session
+      runtime_fetch(:current_session, @current_session)
+    end
+    def new_session
+      runtime_fetch(:new_session, @new_session)
+    end
     def set_new_session(session)
-      @new_session = session
+      runtime_store(:new_session, session) || @new_session = session
     end
     def set_current_session(session)
-      @current_session = session
+      runtime_store(:current_session, session) || @current_session = session
     end
     def run_in_background(task)
@@ -63,6 +83,31 @@ module BetterAuth
       end
     end
+    def password
+      config = {
+        min_password_length: options.email_and_password[:min_password_length],
+        max_password_length: options.email_and_password[:max_password_length]
+      }
+      password_config = options.email_and_password[:password] || {}
+      {
+        config: config,
+        hash: ->(value) { Password.hash(value, hasher: password_config[:hash], algorithm: options.password_hasher) },
+        verify: lambda do |password:, hash:|
+          Password.verify(
+            password: password,
+            hash: hash,
+            verifier: password_config[:verify],
+            algorithm: options.password_hasher
+          )
+        end,
+        check_password: lambda do |value|
+          length = value.to_s.length
+          length.between?(config[:min_password_length].to_i, config[:max_password_length].to_i)
+        end
+      }
+    end
     def create_auth_cookie(cookie_name, override_attributes = {})
       Cookies.create_cookie(options, cookie_name.to_s, override_attributes)
     end
@@ -87,6 +132,7 @@ module BetterAuth
       @rate_limit_config = options.rate_limit
       @trusted_origins = options.trusted_origins
       @secret = options.secret
+      @secret_config = options.secret_config
     end
     def method_missing(name, *arguments, &block)
@@ -101,17 +147,52 @@ module BetterAuth
     end
     def prepare_for_request!(request)
-      @current_session = nil
-      @new_session = nil
-      @base_url = inferred_base_url(request) if options.base_url.to_s.empty?
-      @trusted_origins = current_trusted_origins(request)
+      runtime = request_runtime
+      runtime[:current_session] = nil
+      runtime[:new_session] = nil
+      if options.dynamic_base_url?
+        runtime[:base_url] = resolved_dynamic_base_url(request)
+        refresh_cookies!
+      elsif options.base_url.to_s.empty?
+        runtime[:base_url] = inferred_base_url(request)
+      end
+      runtime[:trusted_origins] = current_trusted_origins(request)
+    end
+    def prepare_for_api_call!(source)
+      runtime = request_runtime
+      runtime[:current_session] = nil
+      runtime[:new_session] = nil
+      if options.dynamic_base_url?
+        runtime[:base_url] = resolved_dynamic_base_url(source)
+        refresh_cookies!
+      end
+      runtime[:trusted_origins] = current_trusted_origins(request_for_callbacks(source))
     end
     def reset_runtime!
+      Thread.current[runtime_key] = nil if request_runtime?
+      options.clear_runtime_base_url! if options.respond_to?(:clear_runtime_base_url!)
       @current_session = nil
       @new_session = nil
     end
+    def clear_runtime!
+      Thread.current[runtime_key] = nil
+      options.clear_runtime_base_url! if options.respond_to?(:clear_runtime_base_url!)
+    end
+    def refresh_cookies!
+      cookies = Cookies.get_cookies(options)
+      if request_runtime?
+        runtime_store(:auth_cookies, cookies)
+        runtime_store(:cookies, cookies)
+      else
+        @auth_cookies = cookies
+        @cookies = cookies
+      end
+    end
     private
     def inferred_base_url(request)
@@ -120,6 +201,61 @@ module BetterAuth
       path.empty? ? origin : "#{origin}#{path}"
     end
+    def resolved_dynamic_base_url(request)
+      resolved = URLHelpers.resolve_base_url(
+        options.base_url_config,
+        options.base_path,
+        request,
+        load_env: true,
+        trusted_proxy_headers: dynamic_trusted_proxy_headers?
+      )
+      origin = Configuration.origin_for(URI.parse(resolved))
+      options.set_runtime_base_url(origin) if options.respond_to?(:set_runtime_base_url)
+      resolved
+    end
+    def dynamic_trusted_proxy_headers?
+      return true unless options.advanced.key?(:trusted_proxy_headers)
+      !!options.advanced[:trusted_proxy_headers]
+    end
+    def request_for_callbacks(source)
+      return source if source.respond_to?(:get_header)
+      DirectAPIRequest.new(source, base_url) if source.is_a?(Hash)
+    end
+    def request_runtime
+      Thread.current[runtime_key] ||= {
+        base_url: @base_url,
+        trusted_origins: @trusted_origins,
+        auth_cookies: @auth_cookies,
+        cookies: @cookies,
+        current_session: nil,
+        new_session: nil
+      }
+    end
+    def request_runtime?
+      !!Thread.current[runtime_key]
+    end
+    def runtime_fetch(key, fallback)
+      request_runtime? ? Thread.current[runtime_key].fetch(key, fallback) : fallback
+    end
+    def runtime_store(key, value)
+      return false unless request_runtime?
+      Thread.current[runtime_key][key] = value
+      true
+    end
+    def runtime_key
+      :"better_auth_context_runtime_#{object_id}"
+    end
     def inferred_origin(request)
       forwarded_host = request.get_header("HTTP_X_FORWARDED_HOST")
       forwarded_proto = request.get_header("HTTP_X_FORWARDED_PROTO")
@@ -207,5 +343,22 @@ module BetterAuth
     def plugin_context_attribute?(key)
       ![:options, :adapter, :internal_adapter].include?(key)
     end
+    class DirectAPIRequest
+      attr_reader :headers, :url
+      def initialize(headers, url)
+        @headers = headers.transform_keys { |key| key.to_s.downcase }
+        @url = url
+      end
+      def get_header(key)
+        normalized = key.to_s
+          .sub(/\AHTTP_/, "")
+          .downcase
+          .tr("_", "-")
+        headers[normalized] || headers[key.to_s] || headers[key.to_s.downcase]
+      end
+    end
   end
 end

data/lib/better_auth/cookies.rb CHANGED Viewed

@@ -40,7 +40,7 @@ module BetterAuth
           uri.host unless uri.host.to_s.empty?
         end
       end
-      raise Error, "base_url is required when cross_subdomain_cookies are enabled" if cross_subdomain && domain.to_s.empty?
+      raise Error, "base_url is required when cross_subdomain_cookies are enabled" if cross_subdomain && domain.to_s.empty? && !options.dynamic_base_url?
       custom = advanced.dig(:cookies, cookie_name.to_sym) || {}
       prefix = advanced[:cookie_prefix] || "better-auth"
@@ -112,7 +112,9 @@ module BetterAuth
       cookie = ctx.context.auth_cookies[:session_data]
       max_age = dont_remember_me ? nil : cookie.attributes[:max_age]
       data = filtered_cache_data(ctx, session)
-      value = encode_cookie_cache(data, ctx.context.secret, strategy: config[:strategy] || "compact", max_age: max_age || 60 * 5)
+      strategy = config[:strategy] || "compact"
+      secret = (strategy.to_s == "jwe") ? ctx.context.secret_config : ctx.context.secret
+      value = encode_cookie_cache(data, secret, strategy: strategy, max_age: max_age || 60 * 5)
       attributes = cookie.attributes.merge(max_age: max_age)
       store = SessionStore.new(cookie.name, attributes, ctx)
@@ -129,7 +131,7 @@ module BetterAuth
       cookie = ctx.context.auth_cookies[:account_data]
       attributes = cookie.attributes.merge(max_age: cookie.attributes[:max_age] || 60 * 5)
-      value = Crypto.symmetric_encode_jwt(stringify_keys(account_data), ctx.context.secret, "better-auth-account", expires_in: attributes[:max_age])
+      value = Crypto.symmetric_encode_jwt(stringify_keys(account_data), ctx.context.secret_config, "better-auth-account", expires_in: attributes[:max_age])
       store = SessionStore.new(cookie.name, attributes, ctx)
       if value.length > SessionStore::CHUNK_SIZE
@@ -145,7 +147,7 @@ module BetterAuth
       value = SessionStore.get_chunked_cookie(ctx, cookie.name)
       return nil unless value
-      Crypto.symmetric_decode_jwt(value, ctx.context.secret, "better-auth-account")
+      Crypto.symmetric_decode_jwt(value, ctx.context.secret_config, "better-auth-account")
     end
     def get_cookie_cache(request_or_cookie_header, secret:, strategy: "compact", version: nil, cookie_prefix: "better-auth", cookie_name: "session_data", is_secure: nil)

data/lib/better_auth/core.rb CHANGED Viewed

@@ -32,7 +32,9 @@ module BetterAuth
         delete_user: Routes.delete_user,
         delete_user_callback: Routes.delete_user_callback,
         list_accounts: Routes.list_accounts,
+        list_user_accounts: Routes.list_accounts,
         link_social: Routes.link_social,
+        link_social_account: Routes.link_social,
         unlink_account: Routes.unlink_account,
         get_access_token: Routes.get_access_token,
         refresh_token: Routes.refresh_token,

data/lib/better_auth/crypto/jwe.rb CHANGED Viewed

@@ -26,7 +26,7 @@ module BetterAuth
           "exp" => Time.now.to_i + expires_in.to_i,
           "jti" => SecureRandom.uuid
         )
-        key = encryption_key(secret, salt)
+        key = encryption_key(current_secret(secret), salt)
         ::JWE.encrypt(JSON.generate(claims), key, alg: ALG, enc: ENC, kid: thumbprint(key))
       end
@@ -35,12 +35,17 @@ module BetterAuth
         header = protected_header(token)
         return nil unless valid_header?(header)
-        return nil unless header["kid"].nil? || header["kid"] == thumbprint(encryption_key(secret, salt))
-        payload = JSON.parse(::JWE.decrypt(token.to_s, encryption_key(secret, salt)))
-        return nil if expired?(payload)
+        decryption_keys(secret, salt, header["kid"]).each do |key|
+          payload = JSON.parse(::JWE.decrypt(token.to_s, key))
+          return nil if expired?(payload)
-        payload
+          return payload
+        rescue JSON::ParserError, ::JWE::DecodeError, ::JWE::InvalidData, ::JWE::BadCEK
+          next
+        end
+        nil
       rescue JSON::ParserError, ArgumentError, ::JWE::DecodeError, ::JWE::InvalidData, ::JWE::BadCEK
         nil
       end
@@ -57,6 +62,23 @@ module BetterAuth
         Crypto.base64url_encode(OpenSSL::Digest.digest("SHA256", JSON.generate(jwk)))
       end
+      def current_secret(secret)
+        secret.is_a?(SecretConfig) ? secret.current_secret : secret
+      end
+      def all_secrets(secret)
+        return [[0, secret]] unless secret.is_a?(SecretConfig)
+        secret.all_secrets
+      end
+      def decryption_keys(secret, salt, kid)
+        keys = all_secrets(secret).map { |_version, value| encryption_key(value, salt) }
+        return keys if kid.nil?
+        keys.select { |key| thumbprint(key) == kid }
+      end
       def protected_header(token)
         first_segment = token.to_s.split(".", 2).first
         JSON.parse(Crypto.base64url_decode(first_segment))

data/lib/better_auth/crypto.rb CHANGED Viewed

@@ -73,6 +73,11 @@ module BetterAuth
     end
     def symmetric_encrypt(key:, data:)
+      if key.is_a?(SecretConfig)
+        ciphertext = symmetric_encrypt(key: key.current_secret, data: data)
+        return "#{SecretConfig::ENVELOPE_PREFIX}#{key.current_version}$#{ciphertext}"
+      end
       cipher = OpenSSL::Cipher.new("aes-256-gcm")
       cipher.encrypt
       cipher.key = OpenSSL::Digest.digest("SHA256", key.to_s)
@@ -88,6 +93,20 @@ module BetterAuth
     end
     def symmetric_decrypt(key:, data:)
+      if key.is_a?(SecretConfig)
+        envelope = parse_envelope(data)
+        if envelope
+          secret = key.keys[envelope[:version]]
+          return nil unless secret
+          return symmetric_decrypt(key: secret, data: envelope[:ciphertext])
+        end
+        return nil unless key.legacy_secret
+        return symmetric_decrypt(key: key.legacy_secret, data: data)
+      end
       payload = JSON.parse(base64url_decode(data.to_s))
       cipher = OpenSSL::Cipher.new("aes-256-gcm")
       cipher.decrypt
@@ -137,6 +156,19 @@ module BetterAuth
       value
     end
+    def parse_envelope(data)
+      value = data.to_s
+      return nil unless value.start_with?(SecretConfig::ENVELOPE_PREFIX)
+      rest = value.delete_prefix(SecretConfig::ENVELOPE_PREFIX)
+      version, ciphertext = rest.split("$", 2)
+      return nil if version.to_s.empty? || ciphertext.to_s.empty?
+      {version: SecretConfig.parse_version!(version, source: "encrypted envelope"), ciphertext: ciphertext}
+    rescue Error
+      nil
+    end
     def keccak256_bytes(input)
       rate = 136
       state = Array.new(25, 0)

data/lib/better_auth/database_hooks.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module BetterAuth
     def create(data, model, custom: nil, context: nil)
       run_before(model, :create, data, context) do |actual_data|
         created = custom ? custom.call(actual_data) : adapter.create(model: model, data: actual_data, force_allow_id: true)
-        run_after(model, :create, created)
+        run_after(model, :create, created, context)
         created
       end
     end
@@ -20,7 +20,7 @@ module BetterAuth
     def update(data, where, model, custom: nil, context: nil)
       run_before(model, :update, data, context) do |actual_data|
         updated = custom ? custom.call(actual_data) : adapter.update(model: model, where: where, update: actual_data)
-        run_after(model, :update, updated) if updated
+        run_after(model, :update, updated, context) if updated
         updated
       end
     end
@@ -28,16 +28,16 @@ module BetterAuth
     def update_many(data, where, model, custom: nil, context: nil)
       run_before(model, :update, data, context) do |actual_data|
         updated = custom ? custom.call(actual_data) : adapter.update_many(model: model, where: where, update: actual_data)
-        run_after(model, :update, updated) if updated
+        run_after(model, :update, updated, context) if updated
         updated
       end
     end
     def delete(where, model, custom: nil, context: nil)
       entity = adapter.find_one(model: model, where: where)
-      return custom ? custom.call(where) : adapter.delete(model: model, where: where) unless entity
+      return nil unless entity
-      return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+      return false if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
       deleted = custom ? custom.call(where) : adapter.delete(model: model, where: where)
       after_hooks(model, :delete).each { |hook| hook.call(entity, context) }
@@ -47,7 +47,7 @@ module BetterAuth
     def delete_many(where, model, custom: nil, context: nil)
       entities = adapter.find_many(model: model, where: where)
       entities.each do |entity|
-        return nil if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
+        return false if before_hooks(model, :delete).any? { |hook| hook.call(entity, context) == false }
       end
       deleted = custom ? custom.call(where) : adapter.delete_many(model: model, where: where)
       entities.each { |entity| after_hooks(model, :delete).each { |hook| hook.call(entity, context) } }
@@ -68,8 +68,8 @@ module BetterAuth
       yield actual_data
     end
-    def run_after(model, action, data)
-      after_hooks(model, action).each { |hook| hook.call(data, nil) }
+    def run_after(model, action, data, context)
+      after_hooks(model, action).each { |hook| hook.call(data, context) }
     end
     def before_hooks(model, action)

data/lib/better_auth/deprecate.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+module BetterAuth
+  module Deprecate
+    module_function
+    def wrap(message, logger: nil, &block)
+      warned = false
+      proc do |*args, **kwargs|
+        unless warned
+          warn_once("[Deprecation] #{message}", logger)
+          warned = true
+        end
+        kwargs.empty? ? block.call(*args) : block.call(*args, **kwargs)
+      end
+    end
+    def warn_once(message, logger)
+      if logger.respond_to?(:call)
+        logger.call(message)
+      elsif logger.respond_to?(:warn)
+        logger.warn(message)
+      else
+        warn(message)
+      end
+    end
+  end
+end