better_auth 0.8.0 → 0.10.0

data/lib/better_auth/doctor.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "better_auth/sql_migration"
+
+module BetterAuth
+  module Doctor
+    Result = Struct.new(:ok, :warnings, :errors, keyword_init: true) do
+      def success?
+        errors.empty?
+      end
+    end
+
+    module_function
+
+    def check(config_or_options)
+      config = BetterAuth::SQLMigration.configuration_for(config_or_options)
+      result = Result.new(ok: ["config loaded"], warnings: [], errors: [])
+
+      check_secret(config, result)
+      check_base_url(config, result)
+      check_rate_limit(config, result)
+      check_database(config, result)
+
+      result
+    end
+
+    def print(result, stdout:, stderr:)
+      result.ok.each { |message| stdout.puts "OK #{message}" }
+      result.warnings.each { |message| stdout.puts "WARN #{message}" }
+      result.errors.each { |message| stderr.puts "ERROR #{message}" }
+      result.success? ? 0 : 1
+    end
+
+    def check_secret(config, result)
+      secret = config.secret.to_s
+      if secret.empty?
+        result.errors << "secret is missing"
+      elsif secret == BetterAuth::Configuration::DEFAULT_SECRET
+        result.errors << "secret uses the default development value"
+      elsif secret.length < 32
+        result.errors << "secret should be at least 32 characters"
+      elsif entropy(secret) < 120
+        result.errors << "secret appears low-entropy; use a random production secret"
+      else
+        result.ok << "secret length and entropy look acceptable"
+      end
+    end
+
+    def check_base_url(config, result)
+      base_url = config.base_url.to_s
+      if base_url.empty?
+        result.warnings << "base_url is not configured; set it explicitly in production"
+      elsif !base_url.start_with?("https://")
+        result.warnings << "base_url is not HTTPS"
+      else
+        result.ok << "base_url uses HTTPS"
+      end
+    end
+
+    def check_rate_limit(config, result)
+      rate_limit = config.rate_limit || {}
+      result.warnings << "rate_limit is disabled" unless rate_limit[:enabled]
+      if rate_limit[:storage].to_s == "memory"
+        result.warnings << "rate_limit uses memory storage; use database or secondary-storage for multi-process production deployments"
+      else
+        result.ok << "rate_limit storage is #{rate_limit[:storage]}"
+      end
+    end
+
+    def check_database(config, result)
+      auth = BetterAuth.auth(config.to_h)
+      adapter = auth.context.adapter
+      unless adapter.respond_to?(:dialect) && adapter.respond_to?(:connection)
+        result.warnings << "database adapter does not expose SQL migration introspection; schema drift check skipped"
+        return
+      end
+
+      result.ok << "database adapter supports SQL migrations"
+      plan = BetterAuth::SQLMigration.plan(config, connection: adapter.connection, dialect: adapter.dialect)
+      if plan.empty?
+        result.ok << "database schema is up to date"
+      else
+        result.warnings << "database has pending Better Auth migrations"
+        plan.warnings.each { |warning| result.warnings << warning }
+      end
+    rescue BetterAuth::SQLMigration::UnsupportedAdapterError => error
+      result.warnings << error.message
+    end
+
+    def entropy(value)
+      unique = value.chars.uniq.length
+      return 0 if unique.zero?
+
+      Math.log2(unique**value.length)
+    end
+  end
+end

data/lib/better_auth/endpoint.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "uri"
 
 module BetterAuth
   class Endpoint
@@ -24,6 +25,7 @@ module BetterAuth
       @headers_schema = headers_schema
       @metadata = metadata || {}
       apply_default_open_api_metadata!
+      apply_open_api_defaults!
       apply_open_api_schemas!
       @options = endpoint_options
       @use = Array(use)
@@ -40,13 +42,12 @@ module BetterAuth
     end
 
     def call(context)
-      apply_schemas!(context)
-
       use.each do |middleware|
         middleware_result = middleware.call(context)
         return Result.from_value(middleware_result, context) if middleware_result
       end
 
+      apply_schemas!(context)
       Result.from_value(handler.call(context), context)
     end
 
@@ -72,6 +73,41 @@ module BetterAuth
       metadata[:openapi] = BetterAuth::OpenAPI.default_metadata(path, methods)
     end
 
+    def apply_open_api_defaults!
+      return unless path
+      return unless defined?(BetterAuth::OpenAPI)
+
+      openapi = fetch_key(metadata, :openapi)
+      return unless openapi.is_a?(Hash)
+
+      defaults = BetterAuth::OpenAPI.default_metadata(path, methods)
+      openapi[:operationId] = defaults[:operationId] if fetch_key(openapi, :operationId).to_s.empty?
+      openapi[:description] = defaults[:description] if default_open_api_description?(fetch_key(openapi, :description))
+      openapi[:parameters] = merge_open_api_parameters(defaults[:parameters], fetch_key(openapi, :parameters))
+      openapi[:responses] = defaults[:responses].merge(fetch_key(openapi, :responses) || {})
+      if request_body_method? && !fetch_key(openapi, :requestBody).is_a?(Hash)
+        openapi[:requestBody] = defaults[:requestBody] || BetterAuth::OpenAPI.default_request_body
+      end
+    end
+
+    def default_open_api_description?(description)
+      methods.any? { |method| description.to_s == "#{method} #{path}" }
+    end
+
+    def request_body_method?
+      methods.any? { |method| %w[POST PUT PATCH].include?(method) }
+    end
+
+    def merge_open_api_parameters(default_parameters, custom_parameters)
+      merged = Array(custom_parameters).dup
+      Array(default_parameters).each do |parameter|
+        next if merged.any? { |entry| fetch_key(entry, :name).to_s == fetch_key(parameter, :name).to_s && fetch_key(entry, :in).to_s == fetch_key(parameter, :in).to_s }
+
+        merged << parameter
+      end
+      merged
+    end
+
     def apply_open_api_schemas!
       openapi = fetch_key(metadata, :openapi)
       return unless openapi.is_a?(Hash)
@@ -172,6 +208,42 @@ module BetterAuth
     class Result
       attr_accessor :response, :status, :headers
 
+      class SetCookieHeader < Array
+        def self.from(value)
+          new(value.lines.map(&:chomp))
+        end
+
+        def include?(value)
+          return super unless value.is_a?(String)
+
+          any? { |line| line.include?(value) }
+        end
+
+        def lines
+          self
+        end
+
+        def match(...)
+          to_s.match(...)
+        end
+
+        def =~(pattern)
+          to_s =~ pattern
+        end
+
+        def split(...)
+          to_s.split(...)
+        end
+
+        def to_s
+          join("\n")
+        end
+
+        def to_str
+          to_s
+        end
+      end
+
       def initialize(response:, status: 200, headers: {}, raw_response: nil)
         @response = response
         @status = status
@@ -223,7 +295,7 @@ module BetterAuth
       end
 
       def to_response
-        return Response.from_rack(@raw_response) if raw_response?
+        return Response.from_rack([@raw_response[0], rack_headers(@raw_response[1]), @raw_response[2]]) if raw_response?
 
         body = if response.nil?
           [JSON.generate(nil)]
@@ -232,12 +304,23 @@ module BetterAuth
         else
           [JSON.generate(response)]
         end
-        response_headers = {"content-type" => "application/json"}.merge(headers)
+        response_headers = rack_headers({"content-type" => "application/json"}.merge(headers))
         Response.new(status: status, headers: response_headers, body: body)
       end
 
       private
 
+      def rack_headers(value)
+        value.each_with_object({}) do |(key, header_value), result|
+          normalized = key.to_s.downcase
+          result[normalized] = if normalized == "set-cookie" && header_value.is_a?(String) && header_value.include?("\n")
+            SetCookieHeader.from(header_value)
+          else
+            header_value
+          end
+        end
+      end
+
       def normalize_headers(headers)
         headers.each_with_object({}) do |(key, value), result|
           result[key.to_s.downcase] = value
@@ -290,7 +373,7 @@ module BetterAuth
 
       def set_cookie(name, value, options = {})
         attributes = cookie_attributes(options)
-        cookie = (["#{name}=#{value}"] + attributes).join("; ")
+        cookie = (["#{name}=#{URI.encode_uri_component(value.to_s)}"] + attributes).join("; ")
         set_header("set-cookie", cookie)
       end
 

data/lib/better_auth/http_client.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/http"
+require "uri"
+
+module BetterAuth
+  module HTTPClient
+    DEFAULT_OPEN_TIMEOUT = 5
+    DEFAULT_READ_TIMEOUT = 5
+
+    module_function
+
+    def request(uri, request, open_timeout: DEFAULT_OPEN_TIMEOUT, read_timeout: DEFAULT_READ_TIMEOUT)
+      Net::HTTP.start(
+        uri.hostname || uri.host,
+        uri.port,
+        use_ssl: uri.scheme == "https",
+        open_timeout: open_timeout,
+        read_timeout: read_timeout
+      ) do |http|
+        http.request(request)
+      end
+    end
+
+    def get_response(uri, headers = {})
+      request = Net::HTTP::Get.new(uri)
+      headers.each { |key, value| request[key.to_s] = value.to_s }
+      request(uri, request)
+    end
+
+    def post_form(uri, form_body, headers = {})
+      request = Net::HTTP::Post.new(uri)
+      headers.each { |key, value| request[key.to_s] = value.to_s }
+      request["Content-Type"] ||= "application/x-www-form-urlencoded"
+      request.body = form_body
+      request(uri, request)
+    end
+
+    def get_json(url, headers = {})
+      uri = url.is_a?(URI) ? url : URI.parse(url.to_s)
+      response = get_response(uri, headers)
+      response.is_a?(Net::HTTPSuccess) ? JSON.parse(response.body.to_s) : nil
+    end
+  end
+end

data/lib/better_auth/migration_plan.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module MigrationPlan
+    TableChange = Struct.new(:logical_name, :table_name, :table, :order, keyword_init: true)
+    FieldChange = Struct.new(:logical_name, :table_name, :fields, :table, :order, keyword_init: true)
+    IndexChange = Struct.new(:table_name, :field_name, :name, :unique, :field, keyword_init: true)
+
+    Plan = Struct.new(:to_create, :to_add, :to_index, :warnings, :dialect, :tables, keyword_init: true) do
+      def empty?
+        to_create.empty? && to_add.empty? && to_index.empty?
+      end
+    end
+  end
+end

data/lib/better_auth/oauth2.rb

@@ -81,7 +81,7 @@ module BetterAuth
 
     def post_form(token_endpoint, request)
       uri = URI.parse(token_endpoint)
-      response = Net::HTTP.post(uri, URI.encode_www_form(request[:body]), request[:headers])
+      response = HTTPClient.post_form(uri, URI.encode_www_form(request[:body]), request[:headers])
       JSON.parse(response.body)
     end
 

data/lib/better_auth/plugins/admin.rb

@@ -66,7 +66,11 @@ module BetterAuth
           after: [
             {
               matcher: ->(ctx) { ctx.path == "/list-sessions" },
-              handler: ->(ctx) { ctx.json(Array(ctx.returned).reject { |session| session["impersonatedBy"] || session[:impersonatedBy] }) }
+              handler: lambda do |ctx|
+                next unless ctx.returned.is_a?(Array)
+
+                ctx.json(ctx.returned.reject { |session| session["impersonatedBy"] || session[:impersonatedBy] })
+              end
             }
           ]
         },
@@ -436,6 +440,7 @@ module BetterAuth
           openapi: {
             operationId: "stopImpersonating",
             description: "Stop impersonating a user",
+            requestBody: OpenAPI.empty_request_body,
             responses: {
               "200" => OpenAPI.json_response("Impersonation stopped", OpenAPI.session_response_schema_pair)
             }

data/lib/better_auth/plugins/anonymous.rb

@@ -47,6 +47,7 @@ module BetterAuth
           openapi: {
             operationId: "signInAnonymous",
             description: "Sign in anonymously",
+            requestBody: OpenAPI.empty_request_body,
             responses: {
               "200" => OpenAPI.json_response(
                 "Anonymous session created",
@@ -96,6 +97,7 @@ module BetterAuth
           openapi: {
             operationId: "deleteAnonymousUser",
             description: "Delete the current anonymous user",
+            requestBody: OpenAPI.empty_request_body,
             responses: {
               "200" => OpenAPI.json_response("Anonymous user deleted", OpenAPI.success_response_schema)
             }

data/lib/better_auth/plugins/captcha.rb

@@ -103,7 +103,7 @@ module BetterAuth
       else
         URI.encode_www_form(verifier[:payload])
       end
-      response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       raise CAPTCHA_INTERNAL_ERROR_CODES["SERVICE_UNAVAILABLE"] unless response.is_a?(Net::HTTPSuccess)
 
       JSON.parse(response.body.to_s)

data/lib/better_auth/plugins/device_authorization.rb

@@ -54,6 +54,14 @@ module BetterAuth
           openapi: {
             operationId: "requestDeviceCode",
             description: "Request a device and user code",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  client_id: {type: "string", description: "OAuth client ID"},
+                  scope: {type: "string", description: "Requested scopes"}
+                }
+              )
+            ),
             responses: {
               "200" => OpenAPI.json_response("Success", device_code_response_schema)
             }
@@ -106,6 +114,16 @@ module BetterAuth
           openapi: {
             operationId: "exchangeDeviceToken",
             description: "Exchange device code for access token",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  grant_type: {type: "string", enum: [OAuthProtocol::DEVICE_CODE_GRANT]},
+                  device_code: {type: "string"},
+                  client_id: {type: "string"}
+                },
+                required: ["grant_type", "device_code"]
+              )
+            ),
             responses: {
               "200" => OpenAPI.json_response("Success", device_token_response_schema)
             }
@@ -197,6 +215,14 @@ module BetterAuth
           openapi: {
             operationId: "approveDevice",
             description: "Approve a device authorization request",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  user_code: {type: "string", description: "User code shown on the device"},
+                  userCode: {type: "string", description: "User code shown on the device"}
+                }
+              )
+            ),
             responses: {
               "200" => OpenAPI.json_response("Success", OpenAPI.success_response_schema)
             }
@@ -218,6 +244,14 @@ module BetterAuth
           openapi: {
             operationId: "denyDevice",
             description: "Deny a device authorization request",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  user_code: {type: "string", description: "User code shown on the device"},
+                  userCode: {type: "string", description: "User code shown on the device"}
+                }
+              )
+            ),
             responses: {
               "200" => OpenAPI.json_response("Success", OpenAPI.success_response_schema)
             }

data/lib/better_auth/plugins/dub.rb

@@ -38,6 +38,14 @@ module BetterAuth
           openapi: {
             operationId: "dubLink",
             description: "Link a Dub OAuth account",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  callbackURL: {type: "string", description: "The URL to redirect to after linking"},
+                  callback_url: {type: "string", description: "The URL to redirect to after linking"}
+                }
+              )
+            ),
             responses: {
               "200" => OpenAPI.json_response(
                 "Authorization URL generated successfully for linking a Dub account",

data/lib/better_auth/plugins/generic_oauth.rb

@@ -220,6 +220,7 @@ module BetterAuth
           openapi: {
             operationId: "signInOAuth2",
             description: "Sign in with OAuth2",
+            requestBody: OpenAPI.json_request_body(generic_oauth_start_body_schema),
             responses: {
               "200" => OpenAPI.json_response("Sign in with OAuth2", generic_oauth_url_response_schema)
             }
@@ -242,6 +243,7 @@ module BetterAuth
           openapi: {
             operationId: "linkOAuth2",
             description: "Link an OAuth2 account to the current user session",
+            requestBody: OpenAPI.json_request_body(generic_oauth_start_body_schema),
             responses: {
               "200" => OpenAPI.json_response("Authorization URL generated successfully for linking an OAuth2 account", generic_oauth_url_response_schema)
             }
@@ -352,6 +354,28 @@ module BetterAuth
       )
     end
 
+    def generic_oauth_start_body_schema
+      OpenAPI.object_schema(
+        {
+          providerId: {type: "string", description: "OAuth provider ID"},
+          provider_id: {type: "string", description: "OAuth provider ID"},
+          callbackURL: {type: "string", description: "URL to redirect to after success"},
+          callback_url: {type: "string", description: "URL to redirect to after success"},
+          errorCallbackURL: {type: "string", description: "URL to redirect to after error"},
+          error_callback_url: {type: "string", description: "URL to redirect to after error"},
+          newUserCallbackURL: {type: "string", description: "URL to redirect to for new users"},
+          new_user_callback_url: {type: "string", description: "URL to redirect to for new users"},
+          requestSignUp: {type: "boolean", description: "Whether this request is a sign-up flow"},
+          request_sign_up: {type: "boolean", description: "Whether this request is a sign-up flow"},
+          scopes: {type: "array", items: {type: "string"}, description: "Additional OAuth scopes"},
+          disableRedirect: {type: "boolean", description: "Return the URL instead of redirecting"},
+          disable_redirect: {type: "boolean", description: "Return the URL instead of redirecting"},
+          additionalData: {type: "object", additionalProperties: true},
+          additional_data: {type: "object", additionalProperties: true}
+        }
+      )
+    end
+
     def generic_oauth_authorization_url(ctx, provider, body, link:)
       authorization_url = provider[:authorization_url] || generic_oauth_discovery(provider)["authorization_endpoint"]
       token_url = provider[:token_url] || generic_oauth_discovery(provider)["token_endpoint"]
@@ -487,14 +511,17 @@ module BetterAuth
         if verification
           cookie = ctx.context.create_auth_cookie("state")
           cookie_state = ctx.get_signed_cookie(cookie.name, ctx.context.secret)
-          if cookie_state && cookie_state != state
+          if ctx.request && cookie_state != state
+            Cookies.expire_cookie(ctx, cookie)
+            raise ctx.redirect(generic_oauth_error_url(generic_oauth_state_error_url(ctx), "state_mismatch"))
+          elsif !ctx.request && cookie_state && cookie_state != state
             Cookies.expire_cookie(ctx, cookie)
             raise ctx.redirect(generic_oauth_error_url(generic_oauth_state_error_url(ctx), "state_mismatch"))
           end
 
           parsed = JSON.parse(verification.fetch("value"))
           ctx.context.internal_adapter.delete_verification_value(verification.fetch("id"))
-          Cookies.expire_cookie(ctx, cookie) if cookie_state
+          Cookies.expire_cookie(ctx, cookie) if ctx.request || cookie_state
           return parsed
         end
       end
@@ -521,7 +548,7 @@ module BetterAuth
       uri = URI(user_info_url)
       request = Net::HTTP::Get.new(uri)
       request["authorization"] = "Bearer #{fetch_value(tokens, "accessToken")}"
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       return nil unless response.is_a?(Net::HTTPSuccess)
 
       generic_oauth_normalize_user_info(JSON.parse(response.body))
@@ -615,7 +642,7 @@ module BetterAuth
       normalize_hash(provider[:discovery_headers] || provider[:discoveryHeaders]).each do |key, value|
         request[key.to_s.tr("_", "-")] = value.to_s
       end
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       provider[:_discovery] = response.is_a?(Net::HTTPSuccess) ? JSON.parse(response.body) : {}
     rescue
       {}
@@ -649,7 +676,7 @@ module BetterAuth
         form_data[key] = value unless form_data.key?(key)
       end
       request.set_form_data(form_data)
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       return nil unless response.is_a?(Net::HTTPSuccess)
 
       generic_oauth_normalize_tokens(JSON.parse(response.body))
@@ -714,7 +741,7 @@ module BetterAuth
       uri = URI(url)
       request = Net::HTTP::Get.new(uri)
       normalize_hash(headers).each { |key, value| request[key.to_s.tr("_", "-")] = value.to_s }
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       return nil unless response.is_a?(Net::HTTPSuccess)
 
       JSON.parse(response.body)
@@ -790,7 +817,7 @@ module BetterAuth
       token_url_params = token_url_params.call(ctx) if token_url_params.respond_to?(:call)
       normalize_hash(token_url_params || {}).each { |key, value| form_data[key] = value }
       request.set_form_data(form_data.compact)
-      response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       raise APIError.new("BAD_REQUEST", message: GENERIC_OAUTH_ERROR_CODES["INVALID_OAUTH_CONFIG"]) unless response.is_a?(Net::HTTPSuccess)
 
       generic_oauth_normalize_tokens(JSON.parse(response.body))

data/lib/better_auth/plugins/have_i_been_pwned.rb

@@ -83,7 +83,7 @@ module BetterAuth
       request = Net::HTTP::Get.new(uri)
       request["Add-Padding"] = "true"
       request["User-Agent"] = "BetterAuth Password Checker"
-      response = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(request) }
+      response = HTTPClient.request(uri, request)
       unless response.is_a?(Net::HTTPSuccess)
         raise APIError.new("INTERNAL_SERVER_ERROR", message: "Failed to check password. Status: #{response.code}")
       end

data/lib/better_auth/plugins/jwt.rb

@@ -63,6 +63,7 @@ module BetterAuth
         schema: {
           jwks: {
             fields: {
+              id: {type: "string", required: true},
               publicKey: {type: "string", required: true},
               privateKey: {type: "string", required: true},
               createdAt: {type: "date", required: true},
@@ -279,9 +280,15 @@ module BetterAuth
       payload = if fetcher.respond_to?(:call)
         fetcher.call(url)
       else
-        uri = URI.parse(url.to_s)
-        response = Net::HTTP.get_response(uri)
-        response.is_a?(Net::HTTPSuccess) ? JSON.parse(response.body) : nil
+        cached = @jwt_remote_jwks_cache ||= {}
+        entry = cached[url.to_s]
+        if entry && entry[:expires_at] > Time.now
+          entry[:payload]
+        else
+          fetched = HTTPClient.get_json(url)
+          cached[url.to_s] = {payload: fetched, expires_at: Time.now + 300} if fetched
+          fetched
+        end
       end
       keys = fetch_value(payload, "keys")
       Array(keys).map { |entry| normalize_remote_jwk(entry) }

data/lib/better_auth/plugins/mcp/schema.rb

@@ -8,7 +8,7 @@ module BetterAuth
       def schema
         {
           oauthClient: {
-            modelName: "oauthClient",
+            model_name: "oauth_clients",
             fields: {
               clientId: {type: "string", unique: true, required: true},
               clientSecret: {type: "string", required: false},
@@ -17,7 +17,7 @@ module BetterAuth
               enableEndSession: {type: "boolean", required: false},
               clientSecretExpiresAt: {type: "number", required: false},
               scopes: {type: "string[]", required: false},
-              userId: {type: "string", required: false},
+              userId: {type: "string", required: false, references: {model: "user", field: "id"}},
               createdAt: {type: "date", required: true, default_value: -> { Time.now }},
               updatedAt: {type: "date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }},
               name: {type: "string", required: false},
@@ -45,9 +45,9 @@ module BetterAuth
           oauthRefreshToken: {
             fields: {
               token: {type: "string", required: true},
-              clientId: {type: "string", required: true},
-              sessionId: {type: "string", required: false},
-              userId: {type: "string", required: false},
+              clientId: {type: "string", required: true, references: {model: "oauthClient", field: "clientId"}},
+              sessionId: {type: "string", required: false, references: {model: "session", field: "id", on_delete: "set null"}},
+              userId: {type: "string", required: false, references: {model: "user", field: "id"}},
               referenceId: {type: "string", required: false},
               authTime: {type: "date", required: false},
               expiresAt: {type: "date", required: false},
@@ -57,27 +57,27 @@ module BetterAuth
             }
           },
           oauthAccessToken: {
-            modelName: "oauthAccessToken",
+            model_name: "oauth_access_tokens",
             fields: {
               token: {type: "string", unique: true, required: true},
               expiresAt: {type: "date", required: true},
-              clientId: {type: "string", required: true},
-              userId: {type: "string", required: false},
-              sessionId: {type: "string", required: false},
+              clientId: {type: "string", required: true, references: {model: "oauthClient", field: "clientId"}},
+              userId: {type: "string", required: false, references: {model: "user", field: "id"}},
+              sessionId: {type: "string", required: false, references: {model: "session", field: "id", on_delete: "set null"}},
               scopes: {type: "string[]", required: true},
               revoked: {type: "date", required: false},
               referenceId: {type: "string", required: false},
               authTime: {type: "date", required: false},
-              refreshId: {type: "string", required: false},
+              refreshId: {type: "string", required: false, references: {model: "oauthRefreshToken", field: "id"}},
               createdAt: {type: "date", required: true, default_value: -> { Time.now }},
               updatedAt: {type: "date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }}
             }
           },
           oauthConsent: {
-            modelName: "oauthConsent",
+            model_name: "oauth_consents",
             fields: {
-              clientId: {type: "string", required: true},
-              userId: {type: "string", required: false},
+              clientId: {type: "string", required: true, references: {model: "oauthClient", field: "clientId"}},
+              userId: {type: "string", required: false, references: {model: "user", field: "id"}},
               referenceId: {type: "string", required: false},
               scopes: {type: "string[]", required: true},
               createdAt: {type: "date", required: true, default_value: -> { Time.now }},