better_auth 0.4.0 → 0.5.0

data/lib/better_auth/plugins/siwe.rb

@@ -24,7 +24,37 @@ module BetterAuth
     end
 
     def get_siwe_nonce_endpoint(config)
-      Endpoint.new(path: "/siwe/nonce", method: "POST", body_schema: ->(body) { siwe_nonce_body(body) }) do |ctx|
+      Endpoint.new(
+        path: "/siwe/nonce",
+        method: "POST",
+        body_schema: ->(body) { siwe_nonce_body(body) },
+        metadata: {
+          openapi: {
+            operationId: "getSiweNonce",
+            description: "Generate a nonce for Sign-In with Ethereum",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  walletAddress: {type: "string"},
+                  chainId: {type: ["number", "string", "null"]}
+                },
+                required: ["walletAddress"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "SIWE nonce",
+                OpenAPI.object_schema(
+                  {
+                    nonce: {type: "string"}
+                  },
+                  required: ["nonce"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         wallet_address = siwe_normalize_wallet!(body[:wallet_address])
         chain_id = siwe_chain_id(body[:chain_id])
@@ -42,7 +72,42 @@ module BetterAuth
     end
 
     def verify_siwe_message_endpoint(config)
-      Endpoint.new(path: "/siwe/verify", method: "POST", body_schema: ->(body) { siwe_verify_body(body, config) }) do |ctx|
+      Endpoint.new(
+        path: "/siwe/verify",
+        method: "POST",
+        body_schema: ->(body) { siwe_verify_body(body, config) },
+        metadata: {
+          openapi: {
+            operationId: "verifySiweMessage",
+            description: "Verify a Sign-In with Ethereum message",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  walletAddress: {type: "string"},
+                  chainId: {type: ["number", "string", "null"]},
+                  message: {type: "string"},
+                  signature: {type: "string"},
+                  email: {type: ["string", "null"]}
+                },
+                required: ["walletAddress", "message", "signature"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "SIWE message verified",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    success: {type: "boolean"},
+                    user: {type: "object"}
+                  },
+                  required: ["token", "success", "user"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         wallet_address = siwe_normalize_wallet!(body[:wallet_address])
         chain_id = siwe_chain_id(body[:chain_id])
@@ -203,7 +268,8 @@ module BetterAuth
       ctx.context.internal_adapter.create_user(
         name: ens[:name] || wallet_address,
         email: (anonymous == false && !email.empty?) ? email : "#{wallet_address}@#{domain}",
-        image: ens[:avatar] || ""
+        image: ens[:avatar] || "",
+        context: ctx
       )
     end
 

data/lib/better_auth/plugins/two_factor.rb

@@ -79,13 +79,13 @@ module BetterAuth
     end
 
     def two_factor_enable_endpoint(config)
-      Endpoint.new(path: "/two-factor/enable", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/enable", method: "POST", metadata: two_factor_openapi("enableTwoFactor", "Enable two factor authentication", two_factor_enable_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
         two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
         secret = two_factor_generate_secret
-        backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
+        backup = two_factor_generate_backup_codes(ctx.context.secret_config, config[:backup_code_options])
         if config[:skip_verification_on_enable]
           updated_user = ctx.context.internal_adapter.update_user(session[:user]["id"], twoFactorEnabled: true)
           new_session = ctx.context.internal_adapter.create_session(updated_user["id"], false)
@@ -99,7 +99,7 @@ module BetterAuth
         ctx.context.adapter.create(
           model: TWO_FACTOR_MODEL,
           data: {
-            secret: Crypto.symmetric_encrypt(key: ctx.context.secret, data: secret),
+            secret: Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: secret),
             backupCodes: backup[:stored],
             userId: session[:user]["id"],
             verified: verified
@@ -115,8 +115,8 @@ module BetterAuth
     end
 
     def two_factor_disable_endpoint(config)
-      Endpoint.new(path: "/two-factor/disable", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/disable", method: "POST", metadata: two_factor_openapi("disableTwoFactor", "Disable two factor authentication", OpenAPI.status_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
         two_factor_check_password!(ctx, session[:user]["id"], body[:password], allow_passwordless: config[:allow_passwordless])
 
@@ -138,7 +138,7 @@ module BetterAuth
     end
 
     def two_factor_generate_totp_endpoint(config)
-      Endpoint.new(path: "/totp/generate", method: "POST") do |ctx|
+      Endpoint.new(path: "/totp/generate", method: "POST", metadata: two_factor_openapi("generateTOTP", "Generate a TOTP code", OpenAPI.object_schema({code: {type: "string"}}, required: ["code"]))) do |ctx|
         two_factor_totp_enabled!(config)
         body = normalize_hash(ctx.body)
         ctx.json({code: two_factor_totp(body[:secret], options: config[:totp_options])})
@@ -146,20 +146,20 @@ module BetterAuth
     end
 
     def two_factor_get_totp_uri_endpoint(config)
-      Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/get-totp-uri", method: "POST", metadata: two_factor_openapi("getTOTPURI", "Get the TOTP URI", OpenAPI.object_schema({totpURI: {type: "string"}}, required: ["totpURI"]))) do |ctx|
         two_factor_totp_enabled!(config)
-        session = Routes.current_session(ctx, sensitive: true)
+        session = Routes.current_session(ctx)
         two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:totp_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"]) unless record
 
-        secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
+        secret = Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: record["secret"])
         ctx.json({totpURI: two_factor_totp_uri(secret, issuer: config[:issuer] || ctx.context.app_name, account: session[:user]["email"], options: config[:totp_options])})
       end
     end
 
     def two_factor_verify_totp_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-totp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-totp", method: "POST", metadata: two_factor_openapi("verifyTOTP", "Verify a TOTP code", two_factor_verification_response_schema)) do |ctx|
         two_factor_totp_enabled!(config)
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
@@ -169,7 +169,7 @@ module BetterAuth
           raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TOTP_NOT_ENABLED"])
         end
 
-        secret = Crypto.symmetric_decrypt(key: ctx.context.secret, data: record["secret"])
+        secret = Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: record["secret"])
         raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_CODE"]) unless two_factor_totp_valid?(secret, body[:code], options: config[:totp_options])
 
         if record["verified"] != true
@@ -191,7 +191,7 @@ module BetterAuth
     end
 
     def two_factor_send_otp_endpoint(config)
-      Endpoint.new(path: "/two-factor/send-otp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/send-otp", method: "POST", metadata: two_factor_openapi("sendTwoFactorOTP", "Send a two factor OTP", OpenAPI.status_response_schema)) do |ctx|
         otp_config = config[:otp_options]
         sender = otp_config[:send_otp]
         unless sender.respond_to?(:call)
@@ -212,7 +212,7 @@ module BetterAuth
     end
 
     def two_factor_verify_otp_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-otp", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-otp", method: "POST", metadata: two_factor_openapi("verifyTwoFactorOTP", "Verify a two factor OTP", two_factor_verification_response_schema)) do |ctx|
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
         verification = ctx.context.internal_adapter.find_verification_value("2fa-otp-#{data[:key]}")
@@ -246,19 +246,19 @@ module BetterAuth
     end
 
     def two_factor_verify_backup_code_endpoint(config)
-      Endpoint.new(path: "/two-factor/verify-backup-code", method: "POST") do |ctx|
+      Endpoint.new(path: "/two-factor/verify-backup-code", method: "POST", metadata: two_factor_openapi("verifyBackupCode", "Verify a two factor backup code", two_factor_verification_response_schema)) do |ctx|
         body = normalize_hash(ctx.body)
         data = two_factor_verification_context(ctx, config)
         record = two_factor_record(ctx, config, data[:session][:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["BACKUP_CODES_NOT_ENABLED"]) unless record
 
-        codes = two_factor_read_backup_codes(ctx.context.secret, record["backupCodes"], config[:backup_code_options])
+        codes = two_factor_read_backup_codes(ctx.context.secret_config, record["backupCodes"], config[:backup_code_options])
         unless codes.include?(body[:code].to_s)
           raise APIError.new("UNAUTHORIZED", message: TWO_FACTOR_ERROR_CODES["INVALID_BACKUP_CODE"])
         end
 
         remaining = codes.reject { |code| code == body[:code].to_s }
-        stored = two_factor_store_backup_codes(ctx.context.secret, remaining, config[:backup_code_options])
+        stored = two_factor_store_backup_codes(ctx.context.secret_config, remaining, config[:backup_code_options])
         updated = ctx.context.adapter.update(
           model: TWO_FACTOR_MODEL,
           where: [{field: "id", value: record["id"]}, {field: "backupCodes", value: record["backupCodes"]}],
@@ -271,15 +271,15 @@ module BetterAuth
     end
 
     def two_factor_generate_backup_codes_endpoint(config)
-      Endpoint.new(path: "/two-factor/generate-backup-codes", method: "POST") do |ctx|
-        session = Routes.current_session(ctx, sensitive: true)
+      Endpoint.new(path: "/two-factor/generate-backup-codes", method: "POST", metadata: two_factor_openapi("generateBackupCodes", "Generate two factor backup codes", two_factor_backup_codes_response_schema)) do |ctx|
+        session = Routes.current_session(ctx)
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless session[:user]["twoFactorEnabled"]
 
         two_factor_check_password!(ctx, session[:user]["id"], normalize_hash(ctx.body)[:password], allow_passwordless: config[:backup_code_options][:allow_passwordless])
         record = two_factor_record(ctx, config, session[:user]["id"])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["TWO_FACTOR_NOT_ENABLED"]) unless record
 
-        backup = two_factor_generate_backup_codes(ctx.context.secret, config[:backup_code_options])
+        backup = two_factor_generate_backup_codes(ctx.context.secret_config, config[:backup_code_options])
         ctx.context.adapter.update(model: TWO_FACTOR_MODEL, where: [{field: "id", value: record["id"]}], update: {backupCodes: backup[:stored]})
         ctx.json({status: true, backupCodes: backup[:codes]})
       end
@@ -291,10 +291,52 @@ module BetterAuth
         record = two_factor_record(ctx, config, body[:user_id])
         raise APIError.new("BAD_REQUEST", message: TWO_FACTOR_ERROR_CODES["BACKUP_CODES_NOT_ENABLED"]) unless record
 
-        ctx.json({status: true, backupCodes: two_factor_read_backup_codes(ctx.context.secret, record["backupCodes"], config[:backup_code_options])})
+        ctx.json({status: true, backupCodes: two_factor_read_backup_codes(ctx.context.secret_config, record["backupCodes"], config[:backup_code_options])})
       end
     end
 
+    def two_factor_openapi(operation_id, description, response_schema)
+      {
+        openapi: {
+          operationId: operation_id,
+          description: description,
+          responses: {
+            "200" => OpenAPI.json_response("Success", response_schema)
+          }
+        }
+      }
+    end
+
+    def two_factor_enable_response_schema
+      OpenAPI.object_schema(
+        {
+          totpURI: {type: "string"},
+          backupCodes: {type: "array", items: {type: "string"}}
+        },
+        required: ["totpURI", "backupCodes"]
+      )
+    end
+
+    def two_factor_verification_response_schema
+      OpenAPI.object_schema(
+        {
+          token: {type: ["string", "null"]},
+          user: {type: ["object", "null"], "$ref": "#/components/schemas/User"},
+          status: {type: ["boolean", "null"]}
+        }
+      )
+    end
+
+    def two_factor_backup_codes_response_schema
+      OpenAPI.object_schema(
+        {
+          status: {type: "boolean"},
+          backupCodes: {type: "array", items: {type: "string"}}
+        },
+        required: ["status", "backupCodes"]
+      )
+    end
+
     def two_factor_schema(config = {})
       custom_schema = config[:schema]
       base = {
@@ -507,7 +549,7 @@ module BetterAuth
       if storage == "hashed"
         Crypto.sha256(code, encoding: :base64url)
       elsif storage == "encrypted"
-        Crypto.symmetric_encrypt(key: ctx.context.secret, data: code)
+        Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: code)
       elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
         storage[:hash].call(code)
       elsif storage.is_a?(Hash) && storage[:encrypt].respond_to?(:call)
@@ -522,7 +564,7 @@ module BetterAuth
       expected, actual = if storage == "hashed"
         [stored, Crypto.sha256(input, encoding: :base64url)]
       elsif storage == "encrypted"
-        [Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored), input]
+        [Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: stored), input]
       elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
         [stored, storage[:hash].call(input)]
       elsif storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)

data/lib/better_auth/plugins/username.rb

@@ -53,7 +53,34 @@ module BetterAuth
           allowed_media_types: [
             "application/x-www-form-urlencoded",
             "application/json"
-          ]
+          ],
+          openapi: {
+            operationId: "signInUsername",
+            description: "Sign in with username and password",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  username: {type: "string"},
+                  password: {type: "string"},
+                  callbackURL: {type: ["string", "null"]},
+                  rememberMe: {type: ["boolean", "null"]}
+                },
+                required: ["username", "password"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Signed in",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"}
+                  },
+                  required: ["token", "user"]
+                )
+              )
+            }
+          }
         }
       ) do |ctx|
         body = normalize_hash(ctx.body)
@@ -115,7 +142,35 @@ module BetterAuth
     end
 
     def is_username_available_endpoint(config)
-      Endpoint.new(path: "/is-username-available", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/is-username-available",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "isUsernameAvailable",
+            description: "Check whether a username is available",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  username: {type: "string"}
+                },
+                required: ["username"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Username availability",
+                OpenAPI.object_schema(
+                  {
+                    available: {type: "boolean"}
+                  },
+                  required: ["available"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         username = body[:username].to_s
         raise APIError.new("UNPROCESSABLE_ENTITY", message: USERNAME_ERROR_CODES["INVALID_USERNAME"]) if username.empty?

data/lib/better_auth/rate_limiter.rb

@@ -142,6 +142,7 @@ module BetterAuth
 
     def storage_for(context, config)
       return [:custom, config[:custom_storage]] if config[:custom_storage]
+      return [:database, context.internal_adapter.adapter] if config[:storage] == "database"
 
       if config[:storage] == "secondary-storage" && context.options.secondary_storage
         return [:secondary, context.options.secondary_storage]
@@ -151,6 +152,8 @@ module BetterAuth
     end
 
     def read_storage((type, storage), key)
+      return read_database_storage(storage, key) if type == :database
+
       data = storage.get(key)
       data = JSON.parse(data) if type == :secondary && data.is_a?(String)
       normalize_rate_limit_data(symbolize_keys(data))
@@ -159,12 +162,29 @@ module BetterAuth
     end
 
     def write_storage((type, storage), key, data, ttl:, update:)
+      return write_database_storage(storage, key, data) if type == :database
+
       value = (type == :secondary) ? JSON.generate(secondary_storage_data(data)) : data
       return call_secondary_storage_set(storage, key, value, ttl: ttl, update: update) if type == :secondary
 
       call_storage_set(storage, key, value, ttl: ttl, update: update)
     end
 
+    def read_database_storage(adapter, key)
+      data = adapter.find_one(model: "rateLimit", where: [{field: "key", value: key}])
+      normalize_rate_limit_data(symbolize_keys(data))
+    end
+
+    def write_database_storage(adapter, key, data)
+      value = secondary_storage_data(data)
+      existing = adapter.find_one(model: "rateLimit", where: [{field: "key", value: key}])
+      if existing
+        adapter.update(model: "rateLimit", where: [{field: "key", value: key}], update: value)
+      else
+        adapter.create(model: "rateLimit", data: value)
+      end
+    end
+
     def secondary_storage_data(data)
       {
         key: data[:key],

data/lib/better_auth/response.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "json"
+
+module BetterAuth
+  class Response
+    attr_reader :status, :headers, :body
+
+    def initialize(status:, headers:, body:)
+      @status = status
+      @headers = headers
+      @body = body
+    end
+
+    def self.from_rack(tuple)
+      status, headers, body = tuple
+      new(status: status, headers: headers, body: body)
+    end
+
+    def to_a
+      [status, headers, body]
+    end
+
+    alias_method :to_ary, :to_a
+
+    def each(&block)
+      to_a.each(&block)
+    end
+
+    def [](index)
+      to_a[index]
+    end
+
+    def first
+      status
+    end
+
+    def json(**options)
+      JSON.parse(body.join, **options)
+    end
+  end
+end

data/lib/better_auth/router.rb

@@ -88,6 +88,8 @@ module BetterAuth
       error_response(error)
     rescue JSON::ParserError
       error_response(APIError.new("BAD_REQUEST", message: "Invalid JSON body"))
+    ensure
+      context.clear_runtime! if context.respond_to?(:clear_runtime!)
     end
 
     def self.conflicting_methods(entries)
@@ -360,7 +362,11 @@ module BetterAuth
     end
 
     def server_only?(endpoint)
-      endpoint.metadata[:server_only] || endpoint.metadata[:SERVER_ONLY] || endpoint.metadata["SERVER_ONLY"]
+      endpoint.metadata[:server_only] ||
+        endpoint.metadata[:SERVER_ONLY] ||
+        endpoint.metadata["SERVER_ONLY"] ||
+        endpoint.metadata[:scope].to_s == "server" ||
+        endpoint.metadata["scope"].to_s == "server"
     end
 
     def error_response(error, headers: {})