better_auth 0.4.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 38179f5800613263ca30525a3d878b91c2a5f9057f104b1f24cecbf72a0cc030
-  data.tar.gz: 9883d339ce2f1ab8f5a618da3708f4ab5bdde69a09fe98b48889b6069351c7bb
+  metadata.gz: 3d0edd237bbc32992ae24fec0305f09d55521add17768dceac160198e9a7d190
+  data.tar.gz: fb04ec9c038649e8fbf2dc34aecb92b5959342eedc598daefce06e3ae7f6131a
 SHA512:
-  metadata.gz: b0bdd97ab9d677df601b0eed5d387a09543743aee41d0243f7ed3981935c3391f3ae10dfc110fc41312a5a4b188f29581563f2c99154a8808ed3158cb47663ad
-  data.tar.gz: 6b9b76c6969e601e01506a2cd91a28abf13eeccf0446023fad7c58e8c95476f6110b7ac6f3979fc18705687589cff74748f839c685a8ccb791392d0d2e729c15
+  metadata.gz: 593471f2dee235f6f75d479c61f24a49a23e6d8fec8db00fe8fa5d20afadf179bb1cb6d62b07a668b6c1246b60c934626c5906e3ea965912806afd00bbda1ee4
+  data.tar.gz: 1742e7eb46663909392cf010e3ada3aa675f68cdcc5160c0019e561407c467c4831f7c19a22bf9a660ee0527db7131f768fad99528dbefb40d8be51ae6b5fc39

data/CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Modernized the MCP plugin to use OAuth Provider-style client, token, metadata, and protected-resource behavior while keeping legacy MCP routes as aliases.
+
 ## [0.4.0] - 2026-04-30
 
 ### Added

data/README.md

@@ -66,6 +66,30 @@ auth = BetterAuth.auth(
 )
 ```
 
+### Secret Rotation
+
+Better Auth Ruby supports upstream-style non-destructive rotation for encrypted data through versioned secrets. The first entry is used for new encrypted payloads; older entries remain available for decrypting existing data.
+
+```ruby
+auth = BetterAuth.auth(
+  secret: ENV["BETTER_AUTH_SECRET"], # legacy fallback for older encrypted data
+  secrets: [
+    { version: 2, value: ENV.fetch("BETTER_AUTH_SECRET_V2") },
+    { version: 1, value: ENV.fetch("BETTER_AUTH_SECRET_V1") }
+  ],
+  database: :memory
+)
+```
+
+You can also configure the same list via `BETTER_AUTH_SECRETS`:
+
+```bash
+BETTER_AUTH_SECRETS="2:new-secret-base64,1:old-secret-base64"
+BETTER_AUTH_SECRET="legacy-secret-for-pre-rotation-data"
+```
+
+Signed cookies and HMAC/JWT signatures continue to use the current `secret`, matching upstream Better Auth behavior.
+
 ### Password Hashing
 
 Better Auth Ruby uses upstream-compatible `scrypt` password hashes by default through Ruby's `OpenSSL::KDF.scrypt`, so no extra password-hashing gem is required for the default setup.

data/lib/better_auth/adapters/internal_adapter.rb

@@ -15,18 +15,18 @@ module BetterAuth
         @hooks = DatabaseHooks.new(adapter, options)
       end
 
-      def create_oauth_user(user, account)
+      def create_oauth_user(user, account, context: nil)
         adapter.transaction do
-          created_user = create_user(user)
+          created_user = create_user(user, context: context)
           created_account = create_account(stringify_keys(account).merge("userId" => created_user["id"]))
           {user: created_user, account: created_account}
         end
       end
 
-      def create_user(user)
-        data = timestamps.merge(stringify_keys(user))
+      def create_user(user = nil, context: nil, **keywords)
+        data = timestamps.merge(stringify_keys((user || {}).merge(keywords)))
         data["email"] = data["email"].to_s.downcase if data["email"]
-        hooks.create(data, "user")
+        hooks.create(data, "user", context: context)
       end
 
       def create_account(account)

data/lib/better_auth/adapters/sql.rb

@@ -173,8 +173,7 @@ module BetterAuth
       end
 
       def join_select_sql(model, join)
-        join.flat_map do |join_model, _enabled|
-          join_model = join_model.to_s
+        normalized_join(model, join).flat_map do |join_model, _config|
           schema_for(join_model).fetch(:fields).map do |field, attributes|
             column = attributes[:field_name] || physical_name(field)
             "#{quote(join_model)}.#{quote(column)} AS #{quote("#{join_model}__#{column}")}"
@@ -185,17 +184,79 @@ module BetterAuth
       def join_sql(model, join)
         return "" unless join
 
-        join.map do |join_model, _enabled|
+        normalized_join(model, join).map do |join_model, config|
+          local_field = storage_field(model, config.fetch(:from))
+          foreign_field = storage_field(join_model, config.fetch(:to))
+          " LEFT JOIN #{quote(table_for(join_model))} AS #{quote(join_model)} ON #{quote(join_model)}.#{quote(foreign_field)} = #{quote(table_for(model))}.#{quote(local_field)}"
+        end.join
+      end
+
+      def normalized_join(model, join)
+        return {} unless join
+
+        join.each_with_object({}) do |(join_model, config), result|
           join_model = join_model.to_s
-          case [model, join_model]
-          when ["session", "user"], ["account", "user"]
-            " LEFT JOIN #{quote(table_for("user"))} AS #{quote("user")} ON #{quote("user")}.#{quote("id")} = #{quote(table_for(model))}.#{quote("user_id")}"
-          when ["user", "account"]
-            " LEFT JOIN #{quote(table_for("account"))} AS #{quote("account")} ON #{quote("account")}.#{quote("user_id")} = #{quote(table_for(model))}.#{quote("id")}"
-          else
-            ""
+          result[join_model] = normalize_join_config(model.to_s, join_model, config)
+        end
+      end
+
+      def normalize_join_config(model, join_model, config)
+        if config.is_a?(Hash) && (config.key?(:on) || config.key?("on"))
+          on = config[:on] || config["on"]
+          from = storage_key(fetch_key(on, :from))
+          to = storage_key(fetch_key(on, :to))
+          relation = config[:relation] || config["relation"]
+          limit = config[:limit] || config["limit"]
+          return {from: from, to: to, relation: relation, limit: limit, unique: unique_join_field?(join_model, to)}
+        end
+
+        inferred = inferred_join_config(model, join_model)
+        if config.is_a?(Hash)
+          relation = config[:relation] || config["relation"]
+          limit = config[:limit] || config["limit"]
+          inferred = inferred.merge(relation: relation) if relation
+          inferred = inferred.merge(limit: limit) if limit
+        end
+        inferred
+      end
+
+      def inferred_join_config(model, join_model)
+        foreign_keys = schema_for(join_model).fetch(:fields).select do |_field, attributes|
+          reference_model_matches?(attributes, model)
+        end
+        forward_join = true
+
+        if foreign_keys.empty?
+          foreign_keys = schema_for(model).fetch(:fields).select do |_field, attributes|
+            reference_model_matches?(attributes, join_model)
           end
-        end.join
+          forward_join = false
+        end
+
+        raise Error, "No foreign key found for model #{join_model} and base model #{model} while performing join operation." if foreign_keys.empty?
+        raise Error, "Multiple foreign keys found for model #{join_model} and base model #{model} while performing join operation. Only one foreign key is supported." if foreign_keys.length > 1
+
+        foreign_key, attributes = foreign_keys.first
+        reference = attributes.fetch(:references)
+        if forward_join
+          unique = attributes[:unique] == true
+          {from: reference.fetch(:field).to_s, to: foreign_key, relation: unique ? "one-to-one" : "one-to-many", unique: unique}
+        else
+          {from: foreign_key, to: reference.fetch(:field).to_s, relation: "one-to-one", unique: true}
+        end
+      end
+
+      def reference_model_matches?(attributes, model)
+        reference = attributes[:references]
+        return false unless reference
+
+        reference_model = reference[:model] || reference["model"]
+        reference_model.to_s == model.to_s || reference_model.to_s == table_for(model)
+      end
+
+      def unique_join_field?(model, field)
+        field = storage_key(field)
+        field == "id" || schema_for(model).fetch(:fields).dig(field, :unique) == true
       end
 
       def build_where(model, where, params)
@@ -303,8 +364,7 @@ module BetterAuth
           output[field] = coerce_output_value(fetch_row(row, column), attributes) if row_key?(row, column)
         end
 
-        join&.each_key do |join_model|
-          join_model = join_model.to_s
+        normalized_join(model, join).each_key do |join_model|
           record[join_model] = normalize_joined_record(join_model, row)
         end
 
@@ -320,16 +380,34 @@ module BetterAuth
       end
 
       def collection_join?(model, join)
-        model == "user" && join&.keys&.any? { |join_model| join_model.to_s == "account" }
+        normalized_join(model, join).any? do |_join_model, config|
+          config[:relation] != "one-to-one" && config[:unique] != true
+        end
       end
 
-      def aggregate_collection_joins(_model, records, _join)
+      def aggregate_collection_joins(model, records, join)
+        join_config = normalized_join(model, join)
         grouped = {}
         records.each do |record|
           key = record.fetch("id")
-          grouped[key] ||= record.merge("account" => [])
-          account = record["account"]
-          grouped[key]["account"] << account if account&.values&.any?
+          grouped[key] ||= begin
+            base = record.reject { |field, _value| join_config.key?(field) }
+            join_defaults = join_config.each_with_object({}) do |(join_model, config), defaults|
+              defaults[join_model] = (config[:relation] == "one-to-one" || config[:unique] == true) ? nil : []
+            end
+            base.merge(join_defaults)
+          end
+
+          join_config.each do |join_model, config|
+            joined = record[join_model]
+            next unless joined&.values&.any?
+
+            if config[:relation] == "one-to-one" || config[:unique] == true
+              grouped[key][join_model] = joined
+            else
+              grouped[key][join_model] << joined
+            end
+          end
         end
         grouped.values
       end

data/lib/better_auth/api.rb

@@ -14,18 +14,34 @@ module BetterAuth
       context.reset_runtime! if context.respond_to?(:reset_runtime!)
       endpoint = endpoints.fetch(key.to_sym)
       input = symbolize_keys(input || {})
+      request = input[:request]
+      headers = request_headers(request).merge(normalize_headers_hash(input[:headers] || {}))
+      begin
+        prepare_context_for_call!(request, headers)
+      rescue APIError => error
+        result = Endpoint::Result.new(response: error, status: error.status_code, headers: error.headers)
+        return format_result(result, input)
+      rescue Error => error
+        api_error = APIError.new("INTERNAL_SERVER_ERROR", message: error.message)
+        result = Endpoint::Result.new(response: api_error, status: api_error.status_code, headers: api_error.headers)
+        return format_result(result, input)
+      end
+      input[:as_response] = true if request_like?(request) && !input.key?(:as_response)
       endpoint_context = Endpoint::Context.new(
         path: endpoint.path,
-        method: input[:method] || Array(endpoint.methods).first,
+        method: input[:method] || request_method(request) || Array(endpoint.methods).first,
         query: input[:query] || {},
         body: input[:body] || {},
         params: input[:params] || {},
-        headers: input[:headers] || {},
-        context: context
+        headers: headers,
+        context: context,
+        request: request_like?(request) ? request : nil
       )
 
       result = run_endpoint_with_hooks(endpoint, endpoint_context)
       format_result(result, input)
+    ensure
+      context.clear_runtime! if context.respond_to?(:clear_runtime!)
     end
 
     def execute(endpoint, endpoint_context)
@@ -51,6 +67,34 @@ module BetterAuth
         .to_sym
     end
 
+    def prepare_context_for_call!(request, headers)
+      return unless context.respond_to?(:prepare_for_api_call!)
+
+      source = direct_call_source(request, headers)
+      if context.options.dynamic_base_url? && source.nil? && !dynamic_base_url_fallback?
+        raise APIError.new(
+          "INTERNAL_SERVER_ERROR",
+          message: "Dynamic baseURL could not be resolved for this direct auth.api call. Pass `headers: request.headers` (or `request`) to the call, or add `fallback` to your baseURL config."
+        )
+      end
+
+      context.prepare_for_api_call!(source)
+    end
+
+    def direct_call_source(request, headers)
+      return request if request_like?(request)
+      return headers if headers.key?("host") || headers.key?("x-forwarded-host")
+
+      nil
+    end
+
+    def dynamic_base_url_fallback?
+      config = context.options.base_url_config
+      return false unless config.is_a?(Hash)
+
+      !!(config[:fallback] || config["fallback"])
+    end
+
     def run_endpoint_with_hooks(endpoint, endpoint_context)
       before = run_before_hooks(endpoint_context)
       return normalize_short_circuit(before, endpoint_context) if before
@@ -136,15 +180,16 @@ module BetterAuth
     end
 
     def format_result(result, input)
-      return result.to_rack_response if result.raw_response?
+      return result.to_response if result.raw_response?
+      as_response = input[:as_response] || request_like?(input[:request])
 
       if result.response.is_a?(APIError)
-        return error_response(result.response, headers: result.headers) if input[:as_response]
+        return error_response(result.response, headers: result.headers) if as_response
 
-        raise result.response
+        raise error_with_headers(result.response, result.headers)
       end
 
-      return result.to_rack_response if input[:as_response]
+      return result.to_response if as_response
 
       if input[:return_headers]
         output = {
@@ -165,7 +210,17 @@ module BetterAuth
         response: error.to_h,
         status: error.status_code,
         headers: Endpoint::Result.merge_headers(headers, error.headers)
-      ).to_rack_response
+      ).to_response
+    end
+
+    def error_with_headers(error, headers)
+      APIError.new(
+        error.status,
+        message: error.message,
+        headers: Endpoint::Result.merge_headers(headers, error.headers),
+        code: error.code,
+        body: error.body
+      )
     end
 
     def before_hooks
@@ -207,16 +262,61 @@ module BetterAuth
       hash[key] || hash[key.to_s]
     end
 
+    def request_like?(value)
+      return false unless value
+
+      value.respond_to?(:request_method) || request_method(value) || !request_headers(value).empty?
+    end
+
+    def request_method(request)
+      return unless request
+      return request.request_method if request.respond_to?(:request_method)
+
+      request.public_send(:method)
+    rescue ArgumentError, NoMethodError
+      nil
+    end
+
+    def request_headers(request)
+      return {} unless request
+
+      if request.respond_to?(:env)
+        return headers_from_env(request.env)
+      end
+
+      return normalize_headers_hash(request.headers) if request.respond_to?(:headers)
+
+      {}
+    end
+
+    def headers_from_env(env)
+      env.each_with_object({}) do |(key, value), headers|
+        case key
+        when "CONTENT_TYPE"
+          headers["content-type"] = value if value
+        when "CONTENT_LENGTH"
+          headers["content-length"] = value if value
+        else
+          next unless key.start_with?("HTTP_")
+
+          header = key.delete_prefix("HTTP_").downcase.tr("_", "-")
+          headers[header] = value
+        end
+      end
+    end
+
+    def normalize_headers_hash(headers)
+      headers.each_with_object({}) do |(key, value), result|
+        result[key.to_s.downcase.tr("_", "-")] = value
+      end
+    end
+
     def symbolize_keys(value)
       return value unless value.is_a?(Hash)
 
       value.each_with_object({}) do |(key, object_value), result|
         normalized_key = normalize_key(key)
-        result[normalized_key] = if normalized_key == :metadata
-          object_value
-        else
-          object_value.is_a?(Hash) ? symbolize_keys(object_value) : object_value
-        end
+        result[normalized_key] = object_value
       end
     end
 

data/lib/better_auth/configuration.rb

@@ -31,10 +31,11 @@ module BetterAuth
     }.freeze
 
     attr_reader :app_name,
-      :base_url,
+      :base_url_config,
       :base_path,
       :context_base_url,
       :secret,
+      :secret_config,
       :database,
       :plugins,
       :trusted_origins,
@@ -73,8 +74,19 @@ module BetterAuth
       @hooks = options[:hooks]
       @on_api_error = symbolize_keys(options[:on_api_error] || options[:on_apierror] || {})
       @social_providers = symbolize_keys(options[:social_providers] || {})
-      @trusted_origins_callback = options[:trusted_origins] if options[:trusted_origins].respond_to?(:call)
-      @secret = resolve_secret(options)
+      @trusted_origins_callbacks = []
+      @trusted_origins_callbacks << options[:trusted_origins] if options[:trusted_origins].respond_to?(:call)
+      @trusted_origins_callback = combined_trusted_origins_callback
+      legacy_secret = resolve_secret(options, allow_test_default: false)
+      secrets = options.key?(:secrets) ? options[:secrets] : SecretConfig.parse_env(ENV["BETTER_AUTH_SECRETS"])
+      if secrets
+        @secret_config = SecretConfig.build(secrets, legacy_secret, logger: logger)
+        @secret = @secret_config.current_secret
+      else
+        @secret = legacy_secret || (test_environment? ? DEFAULT_SECRET : nil)
+        @secret_config = @secret
+      end
+      @base_url_config = options[:base_url]
       @base_url, @context_base_url = normalize_base_url(options[:base_url])
       @session = normalize_session(options[:session])
       @account = normalize_account(options[:account])
@@ -96,16 +108,33 @@ module BetterAuth
       end
     end
 
+    def base_url
+      Thread.current[base_url_runtime_key] || @base_url
+    end
+
+    def set_runtime_base_url(value)
+      Thread.current[base_url_runtime_key] = value
+    end
+
+    def clear_runtime_base_url!
+      Thread.current[base_url_runtime_key] = nil
+    end
+
     def production?
       production_environment?
     end
 
+    def dynamic_base_url?
+      URLHelpers.dynamic_config?(base_url_config)
+    end
+
     def to_h
       {
         app_name: app_name,
         base_url: base_url,
         base_path: base_path,
         secret: secret,
+        secret_config: secret_config,
         database: database,
         plugins: plugins,
         trusted_origins: trusted_origins,
@@ -134,6 +163,11 @@ module BetterAuth
         next unless respond_to?(key)
         next if key == :database_hooks
 
+        if key == :trusted_origins
+          merge_trusted_origins_default(value)
+          next
+        end
+
         instance_variable_set("@#{key}", merge_default_value([key], public_send(key), value))
       end
     end
@@ -146,7 +180,12 @@ module BetterAuth
       return false unless uri
 
       if pattern.include?("*") || pattern.include?("?")
-        return wildcard_match?(pattern, origin_for(uri) || url) if pattern.include?("://")
+        if pattern.include?("://")
+          origin = origin_for(uri)
+          return true if origin && wildcard_match?(pattern, origin)
+
+          return wildcard_match?(pattern, url)
+        end
 
         return wildcard_match?(pattern, uri.host.to_s)
       end
@@ -191,6 +230,15 @@ module BetterAuth
       configured = value || env_base_url
       return ["", ""] unless configured && !configured.empty?
 
+      if URLHelpers.dynamic_config?(configured)
+        validate_dynamic_base_url!(configured)
+        resolved = URLHelpers.resolve_base_url(configured, base_path)
+        return ["", ""] unless resolved
+
+        uri = URI.parse(resolved)
+        return [self.class.origin_for(uri), resolved.sub(%r{/+\z}, "")]
+      end
+
       with_path = append_base_path(configured.to_s)
       uri = URI.parse(with_path)
       validate_http_url!(uri, configured)
@@ -199,6 +247,11 @@ module BetterAuth
       raise Error, "Invalid base URL: #{configured}. Please provide a valid base URL."
     end
 
+    def validate_dynamic_base_url!(value)
+      allowed_hosts = value[:allowed_hosts] || value["allowed_hosts"] || value[:allowedHosts] || value["allowedHosts"]
+      raise Error, "baseURL.allowedHosts cannot be empty" if allowed_hosts.respond_to?(:empty?) && allowed_hosts.empty?
+    end
+
     def normalize_base_path(value)
       return "" if value.nil? || value == "" || value == "/"
 
@@ -235,8 +288,9 @@ module BetterAuth
       ].find { |value| value && !value.empty? }
     end
 
-    def resolve_secret(options)
-      options[:secret] || ENV["BETTER_AUTH_SECRET"] || ENV["AUTH_SECRET"] || (test_environment? ? DEFAULT_SECRET : nil)
+    def resolve_secret(options, allow_test_default: true)
+      [options[:secret], ENV["BETTER_AUTH_SECRET"], ENV["AUTH_SECRET"]].find { |value| value && !value.empty? } ||
+        ((allow_test_default && test_environment?) ? DEFAULT_SECRET : nil)
     end
 
     def validate_secret
@@ -244,6 +298,10 @@ module BetterAuth
         raise Error, "BETTER_AUTH_SECRET is missing. Set it in your environment or pass `secret` to BetterAuth.auth(secret: ...)."
       end
 
+      if production_environment? && secret == DEFAULT_SECRET
+        raise Error, "You are using the default secret. Please set `BETTER_AUTH_SECRET` in your environment variables or pass `secret` in your auth config."
+      end
+
       return if test_environment? && secret == DEFAULT_SECRET
 
       warn("[better-auth] Warning: your BETTER_AUTH_SECRET should be at least 32 characters long for adequate security.") if secret.length < 32
@@ -263,7 +321,8 @@ module BetterAuth
       session = deep_merge(DEFAULT_SESSION, configured)
 
       if database.nil?
-        session = deep_merge(session, DEFAULT_STATELESS_SESSION)
+        session = deep_merge(session, deep_dup(DEFAULT_STATELESS_SESSION))
+        session[:cookie_cache][:max_age] ||= session[:expires_in]
       else
         session[:cookie_cache] = cookie_cache unless cookie_cache.empty?
       end
@@ -316,11 +375,38 @@ module BetterAuth
     def normalize_trusted_origins(value)
       origins = []
       origins << base_url unless base_url.nil? || base_url.empty?
+      origins.concat(dynamic_base_url_trusted_origins)
       origins.concat(Array(value).compact) unless value.respond_to?(:call)
       origins.concat(env_trusted_origins)
       origins.map(&:to_s).reject(&:empty?).uniq
     end
 
+    def dynamic_base_url_trusted_origins
+      return [] unless URLHelpers.dynamic_config?(base_url_config)
+
+      protocol = base_url_config[:protocol] || base_url_config["protocol"] || "https"
+      allowed_hosts = base_url_config[:allowed_hosts] || base_url_config["allowed_hosts"] || base_url_config[:allowedHosts] || base_url_config["allowedHosts"] || []
+      Array(allowed_hosts).map do |host|
+        host = host.to_s
+        host.match?(%r{\Ahttps?://}i) ? host : "#{protocol}://#{host}"
+      end
+    end
+
+    def merge_trusted_origins_default(value)
+      if value.respond_to?(:call)
+        @trusted_origins_callbacks << value
+        @trusted_origins_callback = combined_trusted_origins_callback
+      else
+        @trusted_origins = (trusted_origins + Array(value).compact.map(&:to_s).reject(&:empty?)).uniq
+      end
+    end
+
+    def combined_trusted_origins_callback
+      return nil if @trusted_origins_callbacks.empty?
+
+      ->(request) { @trusted_origins_callbacks.flat_map { |callback| Array(callback.call(request)) }.compact }
+    end
+
     def env_trusted_origins
       ENV.fetch("BETTER_AUTH_TRUSTED_ORIGINS", "").split(",").map(&:strip).reject(&:empty?)
     end
@@ -388,6 +474,10 @@ module BetterAuth
       end
     end
 
+    def base_url_runtime_key
+      :"better_auth_configuration_base_url_#{object_id}"
+    end
+
     def test_environment?
       ENV["RACK_ENV"] == "test" || ENV["RAILS_ENV"] == "test" || ENV["APP_ENV"] == "test"
     end