RubyGems - better_auth - Versions diffs - 0.3.0 → 0.5.0 - Mend

better_auth 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +17 -0
data/README.md +24 -0
data/lib/better_auth/adapters/internal_adapter.rb +10 -7
data/lib/better_auth/adapters/memory.rb +57 -11
data/lib/better_auth/adapters/sql.rb +123 -20
data/lib/better_auth/api.rb +114 -9
data/lib/better_auth/async.rb +70 -0
data/lib/better_auth/configuration.rb +97 -7
data/lib/better_auth/context.rb +165 -12
data/lib/better_auth/cookies.rb +6 -4
data/lib/better_auth/core.rb +2 -0
data/lib/better_auth/crypto/jwe.rb +27 -5
data/lib/better_auth/crypto.rb +32 -0
data/lib/better_auth/database_hooks.rb +8 -8
data/lib/better_auth/deprecate.rb +28 -0
data/lib/better_auth/endpoint.rb +92 -5
data/lib/better_auth/error.rb +8 -1
data/lib/better_auth/host.rb +166 -0
data/lib/better_auth/instrumentation.rb +74 -0
data/lib/better_auth/logger.rb +31 -0
data/lib/better_auth/middleware/origin_check.rb +2 -2
data/lib/better_auth/oauth2.rb +94 -0
data/lib/better_auth/plugins/admin/schema.rb +2 -2
data/lib/better_auth/plugins/admin.rb +344 -16
data/lib/better_auth/plugins/anonymous.rb +37 -3
data/lib/better_auth/plugins/device_authorization.rb +102 -5
data/lib/better_auth/plugins/dub.rb +148 -0
data/lib/better_auth/plugins/email_otp.rb +261 -19
data/lib/better_auth/plugins/expo.rb +17 -1
data/lib/better_auth/plugins/generic_oauth.rb +67 -35
data/lib/better_auth/plugins/jwt.rb +37 -4
data/lib/better_auth/plugins/last_login_method.rb +2 -2
data/lib/better_auth/plugins/magic_link.rb +66 -3
data/lib/better_auth/plugins/mcp/authorization.rb +111 -0
data/lib/better_auth/plugins/mcp/config.rb +51 -0
data/lib/better_auth/plugins/mcp/consent.rb +31 -0
data/lib/better_auth/plugins/mcp/legacy_aliases.rb +39 -0
data/lib/better_auth/plugins/mcp/metadata.rb +81 -0
data/lib/better_auth/plugins/mcp/registration.rb +31 -0
data/lib/better_auth/plugins/mcp/resource_handler.rb +37 -0
data/lib/better_auth/plugins/mcp/schema.rb +91 -0
data/lib/better_auth/plugins/mcp/token.rb +108 -0
data/lib/better_auth/plugins/mcp/userinfo.rb +37 -0
data/lib/better_auth/plugins/mcp.rb +111 -263
data/lib/better_auth/plugins/multi_session.rb +61 -3
data/lib/better_auth/plugins/oauth_protocol.rb +173 -30
data/lib/better_auth/plugins/oauth_proxy.rb +26 -6
data/lib/better_auth/plugins/oidc_provider.rb +118 -14
data/lib/better_auth/plugins/one_tap.rb +7 -2
data/lib/better_auth/plugins/one_time_token.rb +42 -2
data/lib/better_auth/plugins/open_api.rb +163 -318
data/lib/better_auth/plugins/organization/schema.rb +6 -0
data/lib/better_auth/plugins/organization.rb +186 -56
data/lib/better_auth/plugins/phone_number.rb +141 -6
data/lib/better_auth/plugins/siwe.rb +69 -3
data/lib/better_auth/plugins/two_factor.rb +118 -41
data/lib/better_auth/plugins/username.rb +57 -2
data/lib/better_auth/rate_limiter.rb +38 -0
data/lib/better_auth/request_state.rb +44 -0
data/lib/better_auth/response.rb +42 -0
data/lib/better_auth/router.rb +7 -1
data/lib/better_auth/routes/account.rb +220 -42
data/lib/better_auth/routes/email_verification.rb +98 -14
data/lib/better_auth/routes/password.rb +126 -8
data/lib/better_auth/routes/session.rb +128 -13
data/lib/better_auth/routes/sign_in.rb +26 -2
data/lib/better_auth/routes/sign_out.rb +13 -1
data/lib/better_auth/routes/sign_up.rb +70 -4
data/lib/better_auth/routes/social.rb +132 -7
data/lib/better_auth/routes/user.rb +228 -20
data/lib/better_auth/routes/validation.rb +50 -0
data/lib/better_auth/secret_config.rb +115 -0
data/lib/better_auth/session.rb +13 -2
data/lib/better_auth/url_helpers.rb +206 -0
data/lib/better_auth/version.rb +1 -1
data/lib/better_auth.rb +12 -0
metadata +23 -1

data/lib/better_auth/plugins/mcp.rb CHANGED Viewed

@@ -1,72 +1,41 @@
 # frozen_string_literal: true
 require "json"
+require_relative "mcp/config"
+require_relative "mcp/metadata"
+require_relative "mcp/schema"
+require_relative "mcp/registration"
+require_relative "mcp/authorization"
+require_relative "mcp/consent"
+require_relative "mcp/token"
+require_relative "mcp/userinfo"
+require_relative "mcp/resource_handler"
+require_relative "mcp/legacy_aliases"
 module BetterAuth
   module Plugins
     module MCP
       module_function
-      def with_mcp_auth(app, resource_metadata_url:, auth: nil)
-        lambda do |env|
-          authorization = env["HTTP_AUTHORIZATION"].to_s
-          unless authorization.start_with?("Bearer ")
-            return unauthorized(resource_metadata_url)
-          end
-          session = auth&.api&.get_mcp_session(headers: {"authorization" => authorization})
-          return unauthorized(resource_metadata_url) unless session
-          env["better_auth.mcp_session"] = session
-          app.call(env)
-        rescue APIError
-          unauthorized(resource_metadata_url)
-        end
-      end
-      def unauthorized(resource_metadata_url)
-        [
-          401,
-          {
-            "www-authenticate" => %(Bearer resource_metadata="#{resource_metadata_url}"),
-            "access-control-expose-headers" => "WWW-Authenticate"
-          },
-          ["unauthorized"]
-        ]
+      def with_mcp_auth(app, resource_metadata_url:, auth: nil, resource_metadata_mappings: {})
+        ResourceHandler.with_mcp_auth(
+          app,
+          resource_metadata_url: resource_metadata_url,
+          auth: auth,
+          resource_metadata_mappings: resource_metadata_mappings
+        )
       end
     end
     module_function
     def mcp(options = {})
-      config = {
-        login_page: "/login",
-        consent_page: "/oauth/consent",
-        resource: nil,
-        oidc_config: {},
-        code_expires_in: 600,
-        default_scope: "openid",
-        access_token_expires_in: 3600,
-        refresh_token_expires_in: 604_800,
-        allow_plain_code_challenge_method: true,
-        scopes: %w[openid profile email offline_access],
-        store: OAuthProtocol.stores
-      }.merge(normalize_hash(options))
-      config = mcp_normalize_config(config)
+      config = MCP.normalize_config(options)
       Plugin.new(
         id: "mcp",
         endpoints: mcp_endpoints(config),
-        hooks: {
-          after: [
-            {
-              matcher: ->(_ctx) { true },
-              handler: ->(ctx) { mcp_restore_login_prompt(ctx, config) }
-            }
-          ]
-        },
-        schema: oidc_provider_schema,
+        hooks: {after: [{matcher: ->(_ctx) { true }, handler: ->(ctx) { MCP.restore_login_prompt(ctx, config) }}]},
+        schema: MCP.schema,
         options: config
       )
     end
@@ -75,268 +44,147 @@ module BetterAuth
       {
         get_mcp_o_auth_config: mcp_oauth_config_endpoint(config),
         get_mcp_protected_resource: mcp_protected_resource_endpoint(config),
+        mcp_register: mcp_register_endpoint(config),
+        legacy_mcp_register: MCP.legacy_register_endpoint(config),
         mcp_o_auth_authorize: mcp_authorize_endpoint(config),
+        legacy_mcp_o_auth_authorize: MCP.legacy_authorize_endpoint(config),
+        o_auth_consent: mcp_consent_endpoint(config),
         mcp_o_auth_token: mcp_token_endpoint(config),
+        legacy_mcp_o_auth_token: MCP.legacy_token_endpoint(config),
         mcp_o_auth_user_info: mcp_userinfo_endpoint(config),
-        mcp_register: mcp_register_endpoint(config),
+        legacy_mcp_o_auth_user_info: MCP.legacy_userinfo_endpoint(config),
         get_mcp_session: mcp_get_session_endpoint(config),
-        o_auth_consent: oidc_consent_endpoint(config),
-        mcp_jwks: mcp_jwks_endpoint(config)
+        mcp_jwks: mcp_jwks_endpoint(config),
+        legacy_mcp_jwks: MCP.legacy_jwks_endpoint(config),
+        mcp_o_auth_introspect: mcp_introspect_endpoint(config),
+        mcp_o_auth_revoke: mcp_revoke_endpoint(config)
       }
     end
     def mcp_oauth_config_endpoint(config)
       Endpoint.new(path: "/.well-known/oauth-authorization-server", method: "GET", metadata: {hide: true}) do |ctx|
-        base = OAuthProtocol.endpoint_base(ctx)
-        ctx.json({
-          issuer: OAuthProtocol.issuer(ctx),
-          authorization_endpoint: "#{base}/mcp/authorize",
-          token_endpoint: "#{base}/mcp/token",
-          userinfo_endpoint: "#{base}/mcp/userinfo",
-          jwks_uri: "#{base}/mcp/jwks",
-          registration_endpoint: "#{base}/mcp/register",
-          scopes_supported: config[:scopes],
-          response_types_supported: ["code"],
-          response_modes_supported: ["query"],
-          grant_types_supported: ["authorization_code", "refresh_token"],
-          acr_values_supported: ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
-          subject_types_supported: ["public"],
-          id_token_signing_alg_values_supported: ["RS256", "none"],
-          token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
-          code_challenge_methods_supported: ["S256"],
-          claims_supported: %w[sub iss aud exp nbf iat jti email email_verified name]
-        }.merge(config[:oidc_config][:metadata] || {}))
+        ctx.json(MCP.oauth_metadata(ctx, config))
       end
     end
     def mcp_protected_resource_endpoint(config)
       Endpoint.new(path: "/.well-known/oauth-protected-resource", method: "GET", metadata: {hide: true}) do |ctx|
-        origin = OAuthProtocol.origin_for(OAuthProtocol.endpoint_base(ctx))
-        ctx.json({
-          resource: config[:resource] || origin,
-          authorization_servers: [origin],
-          jwks_uri: config.dig(:oidc_config, :metadata, :jwks_uri) || "#{OAuthProtocol.endpoint_base(ctx)}/mcp/jwks",
-          scopes_supported: config.dig(:oidc_config, :metadata, :scopes_supported) || config[:scopes],
-          bearer_methods_supported: ["header"],
-          resource_signing_alg_values_supported: ["RS256", "none"]
-        })
+        ctx.json(MCP.protected_resource_metadata(ctx, config))
       end
     end
     def mcp_register_endpoint(config)
-      Endpoint.new(path: "/mcp/register", method: "POST") do |ctx|
-        mcp_set_cors_headers(ctx)
-        ctx.json(
-          OAuthProtocol.create_client(
-            ctx,
-            model: "oauthApplication",
-            body: ctx.body,
-            default_auth_method: "none",
-            store_client_secret: config[:store_client_secret] || "plain"
-          ),
-          status: 201,
-          headers: {"Cache-Control" => "no-store", "Pragma" => "no-cache"}
-        )
+      Endpoint.new(path: "/oauth2/register", method: "POST", metadata: mcp_openapi("registerMcpClient", "Register an OAuth2 application", "OAuth2 application registered successfully", mcp_client_schema)) do |ctx|
+        ctx.json(MCP.register_client(ctx, config), status: 201, headers: MCP.no_store_headers)
       end
     end
     def mcp_authorize_endpoint(config)
-      Endpoint.new(path: "/mcp/authorize", method: "GET") do |ctx|
-        query = OAuthProtocol.stringify_keys(ctx.query)
-        session = Routes.current_session(ctx, allow_nil: true)
-        unless session
-          ctx.set_signed_cookie("oidc_login_prompt", JSON.generate(query), ctx.context.secret, max_age: 600, path: "/", same_site: "lax")
-          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:login_page], query))
-        end
-        raise ctx.redirect(mcp_authorization_redirect(ctx, config, query, session))
+      Endpoint.new(path: "/oauth2/authorize", method: "GET", metadata: mcp_openapi("mcpOAuthAuthorize", "Authorize an OAuth2 request using MCP", "Authorization response generated successfully", {type: "object", additionalProperties: true})) do |ctx|
+        MCP.authorize(ctx, config)
       end
     end
-    def mcp_restore_login_prompt(ctx, config)
-      cookie = ctx.get_signed_cookie("oidc_login_prompt", ctx.context.secret)
-      return unless cookie
-      session = ctx.context.new_session
-      return unless session && session[:session] && ctx.response_headers["set-cookie"].to_s.include?(ctx.context.auth_cookies[:session_token].name)
-      query = mcp_parse_login_prompt(cookie)
-      return unless query
-      ctx.set_cookie("oidc_login_prompt", "", path: "/", max_age: 0)
-      ctx.context.set_current_session(session) if ctx.context.respond_to?(:set_current_session)
-      [302, ctx.response_headers.merge("location" => mcp_authorization_redirect(ctx, config, query, session)), [""]]
-    end
-    def mcp_authorization_redirect(ctx, config, query, session)
-      query = OAuthProtocol.stringify_keys(query)
-      query["prompt"] = mcp_prompt_without_login(query["prompt"]) if query.key?("prompt")
-      prompts = OIDCProvider.parse_prompt(query["prompt"])
-      unless query["client_id"]
-        raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client")
-      end
-      unless query["response_type"]
-        raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(ctx.context.base_url + "/error", error: "invalid_request", error_description: "response_type is required"))
-      end
-      client = OAuthProtocol.find_client(ctx, "oauthApplication", query["client_id"])
-      raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client") unless client
-      OAuthProtocol.validate_redirect_uri!(client, query["redirect_uri"])
-      client_data = OAuthProtocol.stringify_keys(client)
-      raise ctx.redirect("#{ctx.context.base_url}/error?error=client_disabled") if client_data["disabled"]
-      unless query["response_type"] == "code"
-        raise ctx.redirect("#{ctx.context.base_url}/error?error=unsupported_response_type")
-      end
-      scopes = OAuthProtocol.parse_scopes(query["scope"] || config[:default_scope])
-      invalid_scopes = scopes.reject { |scope| config[:scopes].include?(scope) }
-      unless invalid_scopes.empty?
-        redirect = OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_scope", error_description: "The following scopes are invalid: #{invalid_scopes.join(", ")}", state: query["state"])
-        raise ctx.redirect(redirect)
+    def mcp_consent_endpoint(config)
+      Endpoint.new(path: "/oauth2/consent", method: "POST") do |ctx|
+        ctx.json(MCP.consent(ctx, config))
       end
-      if config[:require_pkce] && (query["code_challenge"].to_s.empty? || query["code_challenge_method"].to_s.empty?)
-        redirect = OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_request", error_description: "pkce is required", state: query["state"])
-        raise ctx.redirect(redirect)
-      end
-      challenge_method = query["code_challenge_method"].to_s
-      if challenge_method.empty?
-        query["code_challenge_method"] = "plain" if query["code_challenge"]
-      elsif !valid_code_challenge_method?(challenge_method, config)
-        redirect = OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_request", error_description: "invalid code_challenge method", state: query["state"])
-        raise ctx.redirect(redirect)
-      end
-      if prompts.include?("consent")
-        consent_code = Crypto.random_string(32)
-        config[:store][:consents][consent_code] = {
-          query: query,
-          session: session,
-          client: client,
-          scopes: scopes,
-          expires_at: Time.now + config[:code_expires_in].to_i
-        }
-        raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:consent_page], consent_code: consent_code, client_id: client_data["clientId"], scope: OAuthProtocol.scope_string(scopes)))
-      end
-      code = Crypto.random_string(32)
-      OAuthProtocol.store_code(
-        config[:store],
-        code: code,
-        client_id: query["client_id"],
-        redirect_uri: query["redirect_uri"],
-        session: session,
-        scopes: scopes,
-        code_challenge: query["code_challenge"],
-        code_challenge_method: query["code_challenge_method"]
-      )
-      OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], code: code, state: query["state"])
-    end
-    def mcp_prompt_without_login(value)
-      prompts = value.to_s.split(/\s+/).reject(&:empty?)
-      prompts.delete("login")
-      prompts.join(" ")
-    end
-    def mcp_parse_login_prompt(value)
-      parsed = JSON.parse(value.to_s)
-      parsed.is_a?(Hash) ? parsed : nil
-    rescue JSON::ParserError
-      nil
     end
     def mcp_token_endpoint(config)
-      Endpoint.new(path: "/mcp/token", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
-        mcp_set_cors_headers(ctx)
-        body = OAuthProtocol.stringify_keys(ctx.body)
-        client = mcp_authenticate_token_client!(ctx, body, config)
-        raise APIError.new("UNAUTHORIZED", message: "invalid_client") unless client
-        response = case body["grant_type"]
-        when OAuthProtocol::AUTH_CODE_GRANT
-          client_data = OAuthProtocol.stringify_keys(client)
-          if client_data["type"] == "public" && body["code_verifier"].to_s.empty?
-            raise APIError.new("BAD_REQUEST", message: "invalid_request")
-          end
-          code = OAuthProtocol.consume_code!(
-            config[:store],
-            body["code"],
-            client_id: client_data["clientId"],
-            redirect_uri: body["redirect_uri"],
-            code_verifier: body["code_verifier"]
-          )
-          OAuthProtocol.issue_tokens(
-            ctx,
-            config[:store],
-            model: "oauthAccessToken",
-            client: client,
-            session: code[:session],
-            scopes: code[:scopes],
-            include_refresh: code[:scopes].include?("offline_access"),
-            issuer: OAuthProtocol.issuer(ctx),
-            access_token_expires_in: config[:access_token_expires_in]
-          )
-        when OAuthProtocol::REFRESH_GRANT
-          OAuthProtocol.refresh_tokens(ctx, config[:store], model: "oauthAccessToken", client: client, refresh_token: body["refresh_token"], scopes: body["scope"], issuer: OAuthProtocol.issuer(ctx), access_token_expires_in: config[:access_token_expires_in])
-        else
-          raise APIError.new("BAD_REQUEST", message: "unsupported_grant_type")
-        end
-        ctx.json(response, headers: {"Cache-Control" => "no-store", "Pragma" => "no-cache"})
+      Endpoint.new(
+        path: "/oauth2/token",
+        method: "POST",
+        metadata: mcp_openapi("mcpOAuthToken", "Exchange OAuth2 code for MCP tokens", "OAuth2 tokens issued successfully", mcp_token_response_schema).merge(allowed_media_types: ["application/x-www-form-urlencoded", "application/json"])
+      ) do |ctx|
+        ctx.json(MCP.token(ctx, config), headers: MCP.no_store_headers)
       end
     end
     def mcp_userinfo_endpoint(config)
-      Endpoint.new(path: "/mcp/userinfo", method: "GET") do |ctx|
-        ctx.json(OAuthProtocol.userinfo(config[:store], ctx.headers["authorization"]))
+      Endpoint.new(path: "/oauth2/userinfo", method: "GET", metadata: mcp_openapi("mcpOAuthUserinfo", "Get MCP OAuth2 user information", "User information retrieved successfully", mcp_userinfo_schema)) do |ctx|
+        ctx.json(MCP.userinfo(ctx, config))
       end
     end
     def mcp_get_session_endpoint(config)
-      Endpoint.new(path: "/mcp/get-session", method: "GET") do |ctx|
-        authorization = ctx.headers["authorization"].to_s
-        token = authorization.start_with?("Bearer ") ? authorization.delete_prefix("Bearer ").strip : ""
-        next ctx.json(nil) if token.empty?
-        ctx.json(OAuthProtocol.token_record(config[:store], token))
+      Endpoint.new(path: "/mcp/get-session", method: "GET", metadata: mcp_openapi("getMcpSession", "Get the MCP session", "MCP session retrieved successfully", {type: ["object", "null"]})) do |ctx|
+        ctx.json(MCP.session_from_token(ctx, config))
       end
     end
     def mcp_jwks_endpoint(config)
-      Endpoint.new(path: "/mcp/jwks", method: "GET") do |ctx|
-        jwt_config = config[:jwt] || {}
-        create_jwk(ctx, jwt_config) if all_jwks(ctx, jwt_config).empty?
-        ctx.json({keys: public_jwks(ctx, jwt_config).map { |key| public_jwk(key, jwt_config) }})
+      Endpoint.new(path: "/oauth2/jwks", method: "GET", metadata: mcp_openapi("getMcpJSONWebKeySet", "Get the MCP JSON Web Key Set", "JSON Web Key Set retrieved successfully", mcp_jwks_response_schema)) do |ctx|
+        ctx.json(MCP.jwks(ctx, config))
       end
     end
-    def mcp_normalize_config(config)
-      oidc = normalize_hash(config[:oidc_config] || {})
-      merged = config.merge(oidc.except(:metadata))
-      merged[:scopes] = (Array(config[:scopes]) + Array(oidc[:scopes])).compact.map(&:to_s).uniq
-      merged
+    def mcp_introspect_endpoint(config)
+      Endpoint.new(path: "/oauth2/introspect", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
+        ctx.json(MCP.introspect(ctx, config))
+      end
     end
-    def mcp_set_cors_headers(ctx)
-      ctx.set_header("Access-Control-Allow-Origin", "*")
-      ctx.set_header("Access-Control-Allow-Methods", "POST, OPTIONS")
-      ctx.set_header("Access-Control-Allow-Headers", "Content-Type, Authorization")
-      ctx.set_header("Access-Control-Max-Age", "86400")
+    def mcp_revoke_endpoint(config)
+      Endpoint.new(path: "/oauth2/revoke", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
+        ctx.json(MCP.revoke(ctx, config))
+      end
     end
-    def mcp_authenticate_token_client!(ctx, body, config)
-      authorization = ctx.headers["authorization"].to_s
-      if authorization.start_with?("Basic ") && body["client_id"].to_s.empty?
-        return OAuthProtocol.authenticate_client!(ctx, "oauthApplication", store_client_secret: config[:store_client_secret] || "plain")
-      end
+    def mcp_openapi(operation_id, description, response_description, response_schema)
+      {
+        openapi: {
+          operationId: operation_id,
+          description: description,
+          responses: {
+            "200" => OpenAPI.json_response(response_description, response_schema)
+          }
+        }
+      }
+    end
-      client = OAuthProtocol.find_client(ctx, "oauthApplication", body["client_id"])
-      raise APIError.new("UNAUTHORIZED", message: "invalid_client") unless client
+    def mcp_client_schema
+      OpenAPI.object_schema(
+        {
+          clientId: {type: "string"},
+          clientSecret: {type: ["string", "null"]},
+          name: {type: ["string", "null"]},
+          redirectUris: {type: "array", items: {type: "string"}}
+        },
+        required: ["clientId"]
+      )
+    end
-      data = OAuthProtocol.stringify_keys(client)
-      method = data["tokenEndpointAuthMethod"] || "client_secret_basic"
-      if method != "none" && !OAuthProtocol.verify_client_secret(ctx, data["clientSecret"], body["client_secret"], config[:store_client_secret] || "plain")
-        raise APIError.new("UNAUTHORIZED", message: "invalid_client")
-      end
-      client
+    def mcp_token_response_schema
+      OpenAPI.object_schema(
+        {
+          access_token: {type: "string"},
+          token_type: {type: "string"},
+          expires_in: {type: "number"},
+          refresh_token: {type: ["string", "null"]},
+          scope: {type: ["string", "null"]}
+        },
+        required: ["access_token", "token_type", "expires_in"]
+      )
+    end
+    def mcp_userinfo_schema
+      OpenAPI.object_schema(
+        {
+          sub: {type: "string"},
+          email: {type: ["string", "null"]},
+          email_verified: {type: ["boolean", "null"]},
+          name: {type: ["string", "null"]}
+        },
+        required: ["sub"]
+      )
+    end
+    def mcp_jwks_response_schema
+      OpenAPI.object_schema(
+        {keys: {type: "array", items: {type: "object"}}},
+        required: ["keys"]
+      )
     end
   end
 end

data/lib/better_auth/plugins/multi_session.rb CHANGED Viewed

@@ -36,7 +36,25 @@ module BetterAuth
     end
     def list_device_sessions_endpoint
-      Endpoint.new(path: "/multi-session/list-device-sessions", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/multi-session/list-device-sessions",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "listDeviceSessions",
+            description: "List device sessions",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Device sessions",
+                {
+                  type: "array",
+                  items: OpenAPI.session_response_schema_pair
+                }
+              )
+            }
+          }
+        }
+      ) do |ctx|
         tokens = verified_multi_session_tokens(ctx)
         sessions = ctx.context.internal_adapter.find_sessions(tokens)
           .reject { |entry| entry[:session]["expiresAt"] && entry[:session]["expiresAt"] <= Time.now }
@@ -47,7 +65,27 @@ module BetterAuth
     end
     def set_active_session_endpoint
-      Endpoint.new(path: "/multi-session/set-active", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/multi-session/set-active",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "setActiveSession",
+            description: "Set the active session",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  sessionToken: {type: "string", description: "The session token"}
+                },
+                required: ["sessionToken"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Active session", OpenAPI.session_response_schema_pair)
+            }
+          }
+        }
+      ) do |ctx|
         token = fetch_value(ctx.body, "sessionToken").to_s
         cookie_name = multi_session_cookie_name(ctx, token)
         unless !token.empty? && ctx.get_signed_cookie(cookie_name, ctx.context.secret)
@@ -66,7 +104,27 @@ module BetterAuth
     end
     def revoke_device_session_endpoint
-      Endpoint.new(path: "/multi-session/revoke", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/multi-session/revoke",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "revokeDeviceSession",
+            description: "Revoke a device session",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  sessionToken: {type: "string", description: "The session token"}
+                },
+                required: ["sessionToken"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Device session revoked", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         current = Routes.current_session(ctx)
         token = fetch_value(ctx.body, "sessionToken").to_s
         cookie_name = multi_session_cookie_name(ctx, token)