better_auth 0.8.0 → 0.10.0

data/lib/better_auth/plugins/organization.rb

@@ -527,14 +527,14 @@ module BetterAuth
       end
     end
 
-    def organization_list_members_endpoint(_config)
+    def organization_list_members_endpoint(config)
       Endpoint.new(path: "/organization/list-members", method: "GET", metadata: organization_openapi("listOrganizationMembers", "List organization members", response: organization_members_response_schema)) do |ctx|
         session = Routes.current_session(ctx)
         query = normalize_hash(ctx.query)
         organization_id = query[:organization_id] || organization_by_slug(ctx, query[:organization_slug])&.fetch("id") || session[:session]["activeOrganizationId"]
         raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("NO_ACTIVE_ORGANIZATION")) unless organization_id
         require_member!(ctx, session[:user]["id"], organization_id)
-        ctx.json(list_members_for(ctx, organization_id, query))
+        ctx.json(list_members_for(ctx, organization_id, query, config, session[:user]))
       end
     end
 
@@ -768,6 +768,7 @@ module BetterAuth
     end
 
     def organization_openapi(operation_id, description, response:, response_description: "Success", request: nil, required: [], parameters: nil)
+      request ||= organization_request_schema(operation_id)
       openapi = {
         operationId: operation_id,
         description: description,
@@ -781,6 +782,68 @@ module BetterAuth
       {openapi: openapi}
     end
 
+    def organization_request_schema(operation_id)
+      string = {type: "string"}
+      boolean = {type: "boolean"}
+      array = ->(items = string) { {type: "array", items: items} }
+      object = {type: "object", additionalProperties: true}
+      {
+        "createOrganization" => {
+          name: string,
+          slug: string,
+          logo: string,
+          metadata: object,
+          userId: string,
+          user_id: string,
+          keepCurrentActiveOrganization: boolean,
+          keep_current_active_organization: boolean
+        },
+        "checkOrganizationSlug" => {slug: string},
+        "updateOrganization" => {
+          organizationId: string,
+          organization_id: string,
+          organizationSlug: string,
+          organization_slug: string,
+          data: object,
+          name: string,
+          slug: string,
+          logo: string,
+          metadata: object
+        },
+        "deleteOrganization" => {organizationId: string, organization_id: string, organizationSlug: string, organization_slug: string},
+        "setActiveOrganization" => {organizationId: string, organization_id: string, organizationSlug: string, organization_slug: string},
+        "createOrganizationInvitation" => {
+          organizationId: string,
+          organization_id: string,
+          organizationSlug: string,
+          organization_slug: string,
+          email: {type: "string", format: "email"},
+          role: {oneOf: [string, array.call]},
+          teamId: string,
+          team_id: string,
+          teamIds: array.call,
+          team_ids: array.call
+        },
+        "acceptOrganizationInvitation" => {invitationId: string, invitation_id: string, id: string},
+        "rejectOrganizationInvitation" => {invitationId: string, invitation_id: string},
+        "cancelOrganizationInvitation" => {invitationId: string, invitation_id: string},
+        "addOrganizationMember" => {organizationId: string, organization_id: string, userId: string, user_id: string, role: {oneOf: [string, array.call]}},
+        "removeOrganizationMember" => {memberId: string, member_id: string, userId: string, user_id: string, organizationId: string, organization_id: string},
+        "updateOrganizationMemberRole" => {memberId: string, member_id: string, userId: string, user_id: string, organizationId: string, organization_id: string, role: {oneOf: [string, array.call]}},
+        "leaveOrganization" => {organizationId: string, organization_id: string},
+        "hasOrganizationPermission" => {organizationId: string, organization_id: string, permission: object, permissions: object},
+        "createOrganizationTeam" => {organizationId: string, organization_id: string, name: string},
+        "updateOrganizationTeam" => {teamId: string, team_id: string, name: string},
+        "removeOrganizationTeam" => {teamId: string, team_id: string},
+        "setActiveOrganizationTeam" => {teamId: string, team_id: string},
+        "addTeamMember" => {teamId: string, team_id: string, userId: string, user_id: string},
+        "removeTeamMember" => {teamId: string, team_id: string, userId: string, user_id: string},
+        "createOrganizationRole" => {organizationId: string, organization_id: string, role: string, roleName: string, role_name: string, permission: object, permissions: object},
+        "updateOrganizationRole" => {organizationId: string, organization_id: string, roleId: string, role_id: string, role: string, roleName: string, role_name: string, permission: object, permissions: object, data: object},
+        "deleteOrganizationRole" => {organizationId: string, organization_id: string, roleId: string, role_id: string, role: string, roleName: string, role_name: string}
+      }[operation_id]
+    end
+
     def organization_ref_schema(name)
       {
         type: "object",
@@ -969,7 +1032,7 @@ module BetterAuth
       ctx.context.adapter.find_one(model: "organizationRole", where: [{field: "organizationId", value: organization_id}, {field: "role", value: role}])
     end
 
-    def list_members_for(ctx, organization_id, query = {})
+    def list_members_for(ctx, organization_id, query = {}, config = nil, user = nil)
       where = [{field: "organizationId", value: organization_id}]
       if query[:filter_field]
         where << {field: query[:filter_field], value: query[:filter_value], operator: query[:filter_operator]}
@@ -977,19 +1040,48 @@ module BetterAuth
         filter = normalize_hash(query[:filter])
         where << {field: filter[:field], value: filter[:value], operator: filter[:operator]}
       end
+      limit = member_list_limit(ctx, organization_id, query, config, user)
       members = ctx.context.adapter.find_many(
         model: "member",
         where: where,
-        limit: query[:limit],
+        limit: limit,
         offset: query[:offset],
         sort_by: query[:sort_by] ? {field: query[:sort_by], direction: query[:sort_direction] || query[:sort_order] || "asc"} : nil
       )
+      users_by_id = member_users_by_id(ctx, members)
       {
-        members: members.map { |entry| member_wire(ctx, entry) },
+        members: members.map { |entry| member_wire(ctx, entry, users_by_id: users_by_id) },
         total: ctx.context.adapter.count(model: "member", where: where)
       }
     end
 
+    def member_list_limit(ctx, organization_id, query, config, user)
+      configured = config && config[:membership_limit]
+      configured = 100 if configured.nil?
+      default = numeric_member_limit(configured)
+      default = 100 unless default.positive?
+      requested = query[:limit].to_i if query.key?(:limit) && !query[:limit].to_s.empty?
+      return default unless requested&.positive?
+
+      [requested, default].min
+    end
+
+    def numeric_member_limit(value)
+      return value.to_i if value.is_a?(Numeric)
+      return value.to_i if value.to_s.match?(/\A\d+\z/)
+
+      100
+    end
+
+    def member_users_by_id(ctx, members)
+      user_ids = members.map { |member| member["userId"] }.compact.uniq
+      return {} if user_ids.empty?
+
+      ctx.context.adapter.find_many(model: "user", where: [{field: "id", operator: "in", value: user_ids}]).each_with_object({}) do |user, result|
+        result[user["id"]] = user
+      end
+    end
+
     def ensure_team_member_capacity!(ctx, config, team_ids)
       max_members = config.dig(:teams, :maximum_members_per_team)
       return unless max_members && team_ids.any?
@@ -1002,9 +1094,9 @@ module BetterAuth
       end
     end
 
-    def member_wire(ctx, member)
+    def member_wire(ctx, member, users_by_id: nil)
       data = Schema.parse_output(ctx.context.options, "member", member)
-      user = ctx.context.internal_adapter.find_user_by_id(member["userId"])
+      user = users_by_id ? users_by_id[member["userId"]] : ctx.context.internal_adapter.find_user_by_id(member["userId"])
       data["user"] = user.slice("id", "name", "email", "image") if user
       data
     end
@@ -1034,8 +1126,11 @@ module BetterAuth
     def ensure_not_last_owner!(ctx, member)
       return unless member["role"].to_s.split(",").include?("owner")
 
-      owners = ctx.context.adapter.find_many(model: "member", where: [{field: "organizationId", value: member["organizationId"]}]).select { |entry| entry["role"].to_s.split(",").include?("owner") }
-      raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER")) if owners.length <= 1
+      owner_count = 0
+      organization_each_adapter_record(ctx.context.adapter, "member", where: [{field: "organizationId", value: member["organizationId"]}]) do |entry|
+        owner_count += 1 if entry["role"].to_s.split(",").include?("owner")
+      end
+      raise APIError.new("BAD_REQUEST", message: ORGANIZATION_ERROR_CODES.fetch("YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER")) if owner_count <= 1
     end
 
     def create_default_team(ctx, config, organization, session)
@@ -1053,8 +1148,24 @@ module BetterAuth
     end
 
     def organization_created_count(ctx, user_id)
-      members = ctx.context.adapter.find_many(model: "member", where: [{field: "userId", value: user_id}])
-      members.count { |member| member["role"].to_s.split(",").include?("owner") }
+      count = 0
+      organization_each_adapter_record(ctx.context.adapter, "member", where: [{field: "userId", value: user_id}]) do |member|
+        count += 1 if member["role"].to_s.split(",").include?("owner")
+      end
+      count
+    end
+
+    def organization_each_adapter_record(adapter, model, where:, page_size: 100)
+      offset = 0
+      loop do
+        records = adapter.find_many(model: model, where: where, limit: page_size, offset: offset)
+        break if records.empty?
+
+        records.each { |record| yield record }
+        break if records.length < page_size
+
+        offset += records.length
+      end
     end
 
     def run_org_hook(config, key, data, ctx)

data/lib/better_auth/plugins/phone_number.rb

@@ -55,7 +55,7 @@ module BetterAuth
         rate_limit: [
           {
             path_matcher: ->(path) { path.start_with?("/phone-number") },
-            window: 60_000,
+            window: 60,
             max: 10
           }
         ],

data/lib/better_auth/plugins/two_factor.rb

@@ -300,6 +300,7 @@ module BetterAuth
         openapi: {
           operationId: operation_id,
           description: description,
+          requestBody: two_factor_request_body(operation_id),
           responses: {
             "200" => OpenAPI.json_response("Success", response_schema)
           }
@@ -307,6 +308,26 @@ module BetterAuth
       }
     end
 
+    def two_factor_request_body(operation_id)
+      schema = case operation_id
+      when "enableTwoFactor"
+        OpenAPI.object_schema({password: {type: "string"}, issuer: {type: "string"}})
+      when "disableTwoFactor", "getTOTPURI", "generateBackupCodes"
+        OpenAPI.object_schema({password: {type: "string"}})
+      when "generateTOTP"
+        OpenAPI.object_schema({secret: {type: "string"}}, required: ["secret"])
+      when "verifyTOTP", "verifyTwoFactorOTP"
+        OpenAPI.object_schema({code: {type: "string"}, trustDevice: {type: "boolean"}, trust_device: {type: "boolean"}}, required: ["code"])
+      when "verifyBackupCode"
+        OpenAPI.object_schema({code: {type: "string"}, disableSession: {type: "boolean"}, disable_session: {type: "boolean"}, trustDevice: {type: "boolean"}, trust_device: {type: "boolean"}}, required: ["code"])
+      when "sendTwoFactorOTP"
+        OpenAPI.empty_request_body.dig(:content, "application/json", :schema)
+      else
+        {type: "object", properties: {}}
+      end
+      OpenAPI.json_request_body(schema)
+    end
+
     def two_factor_enable_response_schema
       OpenAPI.object_schema(
         {

data/lib/better_auth/rate_limiter.rb

@@ -121,9 +121,14 @@ module BetterAuth
     end
 
     def default_special_rule(path)
-      return unless path.start_with?("/sign-in", "/sign-up", "/change-password", "/change-email")
+      return {window: 10, max: 3} if path.start_with?("/sign-in", "/sign-up", "/change-password", "/change-email")
+      return {window: 60, max: 3} if path == "/request-password-reset" ||
+        path == "/send-verification-email" ||
+        path.start_with?("/forget-password") ||
+        path == "/email-otp/send-verification-otp" ||
+        path == "/email-otp/request-password-reset"
 
-      {window: 10, max: 3}
+      nil
     end
 
     def matching_custom_rule(config, path)

data/lib/better_auth/routes/account.rb

@@ -118,6 +118,8 @@ module BetterAuth
       ) do |ctx|
         session = current_session(ctx, allow_nil: true)
         body = normalize_hash(ctx.body)
+        raise APIError.new("UNAUTHORIZED") if ctx.request && !session
+
         user_id = session&.dig(:user, "id") || body["userId"] || body["user_id"]
         raise APIError.new("UNAUTHORIZED") if user_id.to_s.empty?
 
@@ -174,6 +176,8 @@ module BetterAuth
       ) do |ctx|
         session = current_session(ctx, allow_nil: true)
         body = normalize_hash(ctx.body)
+        raise APIError.new("UNAUTHORIZED") if ctx.request && !session
+
         user_id = session&.dig(:user, "id") || body["userId"] || body["user_id"]
         raise APIError.new("BAD_REQUEST", message: "Either userId or session is required") if user_id.to_s.empty?
 

data/lib/better_auth/routes/email_verification.rb

@@ -184,7 +184,11 @@ module BetterAuth
 
     def self.set_verified_session_cookie(ctx, user)
       session = current_session(ctx, allow_nil: true)
-      session_data = session ? session[:session] : ctx.context.internal_adapter.create_session(user["id"])
+      session_data = if session && session[:user]["id"] == user["id"]
+        session[:session]
+      else
+        ctx.context.internal_adapter.create_session(user["id"])
+      end
       Cookies.set_session_cookie(ctx, {session: session_data, user: user})
     end
 

data/lib/better_auth/routes/password.rb

@@ -179,6 +179,7 @@ module BetterAuth
         path: "/verify-password",
         method: "POST",
         metadata: {
+          scope: "server",
           openapi: {
             operationId: "verifyPassword",
             description: "Verify the current user's password",

data/lib/better_auth/routes/social.rb

@@ -2,6 +2,7 @@
 
 require "uri"
 require "json"
+require "net/http"
 require "securerandom"
 
 module BetterAuth
@@ -92,6 +93,7 @@ module BetterAuth
           ctx.context.secret,
           expires_in: 600
         )
+        store_oauth_state_cookie(ctx, state)
         url = call_provider(provider, :create_authorization_url, {
           state: state,
           codeVerifier: code_verifier,
@@ -148,6 +150,7 @@ module BetterAuth
         raise ctx.redirect(oauth_error_url(error_url, data["error"], data["errorDescription"] || data["error_description"])) if data["error"]
         raise ctx.redirect(oauth_error_url(error_url, "oauth_provider_not_found")) unless provider
         raise ctx.redirect(oauth_error_url(error_url, "state_not_found")) unless state_data
+        raise ctx.redirect(oauth_error_url(error_url, "state_mismatch")) unless valid_oauth_state_cookie?(ctx, state)
         raise ctx.redirect(oauth_error_url(error_url, "no_code")) if data["code"].to_s.empty?
 
         tokens = call_provider(provider, :validate_authorization_code, {
@@ -161,7 +164,11 @@ module BetterAuth
 
         token_data = token_hash(tokens)
         token_data["user"] = parse_json_hash(data["user"]) if data["user"]
-        user_info = call_provider(provider, :get_user_info, token_data)
+        user_info = begin
+          call_provider(provider, :get_user_info, token_data)
+        rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, SystemCallError
+          nil
+        end
         user = user_info[:user] || user_info["user"] if user_info
         raise ctx.redirect(oauth_error_url(error_url, "unable_to_get_user_info")) unless user
         raise ctx.redirect(oauth_error_url(error_url, "email_not_found")) if fetch_value(user, "email").to_s.empty?
@@ -269,6 +276,7 @@ module BetterAuth
           }
         }.merge(safe_additional_state(body))
         state = Crypto.sign_jwt(state_data, ctx.context.secret, expires_in: 600)
+        store_oauth_state_cookie(ctx, state)
         url = call_provider(provider, :create_authorization_url, {
           state: state,
           codeVerifier: code_verifier,
@@ -285,6 +293,10 @@ module BetterAuth
 
     def self.social_user_from_id_token!(ctx, provider, id_token)
       token = fetch_value(id_token, "token").to_s
+      unless provider_callable(provider, :verify_id_token)
+        raise APIError.new("NOT_FOUND", message: BASE_ERROR_CODES["ID_TOKEN_NOT_SUPPORTED"])
+      end
+
       valid = call_provider(provider, :verify_id_token, token, fetch_value(id_token, "nonce"))
       raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["INVALID_TOKEN"]) unless valid
 
@@ -360,6 +372,22 @@ module BetterAuth
       {session: session, user: user, new_user: new_user}
     end
 
+    def self.store_oauth_state_cookie(ctx, state)
+      return unless ctx.request
+
+      cookie = ctx.context.create_auth_cookie("state", max_age: 600)
+      ctx.set_signed_cookie(cookie.name, state, ctx.context.secret, cookie.attributes)
+    end
+
+    def self.valid_oauth_state_cookie?(ctx, state)
+      return true unless ctx.request
+
+      cookie = ctx.context.create_auth_cookie("state", max_age: 600)
+      stored = ctx.get_signed_cookie(cookie.name, ctx.context.secret)
+      Cookies.expire_cookie(ctx, cookie)
+      stored == state
+    end
+
     def self.oauth_error_url(base_url, error, description = nil)
       uri = URI.parse(base_url.to_s)
       query = URI.decode_www_form(uri.query.to_s)

data/lib/better_auth/routes/user.rb

@@ -80,7 +80,9 @@ module BetterAuth
         current_password = body["currentPassword"] || body["current_password"]
         validate_password_length!(new_password, ctx.context.options.email_and_password)
         account = credential_account(ctx, session[:user]["id"])
-        unless account && account["password"] && verify_password_value(ctx, current_password.to_s, account["password"])
+        raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["CREDENTIAL_ACCOUNT_NOT_FOUND"]) unless account && account["password"]
+
+        unless verify_password_value(ctx, current_password.to_s, account["password"])
           raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
         end
 
@@ -176,7 +178,9 @@ module BetterAuth
         sender = ctx.context.options.user.dig(:delete_user, :send_delete_account_verification)
         if body["password"]
           account = credential_account(ctx, session[:user]["id"])
-          unless account && account["password"] && verify_password_value(ctx, body["password"], account["password"])
+          raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["CREDENTIAL_ACCOUNT_NOT_FOUND"]) unless account && account["password"]
+
+          unless verify_password_value(ctx, body["password"], account["password"])
             raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_PASSWORD"])
           end
         end

data/lib/better_auth/schema/sql.rb

@@ -12,6 +12,31 @@ module BetterAuth
         statements.concat(tables.flat_map { |_logical_name, table| index_statements(table, dialect) })
       end
 
+      def pending_statements(plan)
+        statements = plan.to_create.map do |change|
+          create_table_statement(change.logical_name, change.table, plan.dialect, plan.tables)
+        end
+        statements.concat(plan.to_add.flat_map do |change|
+          change.fields.map do |logical_field, attributes|
+            if logical_field.to_s == "id" && plan.dialect == :postgres
+              add_postgres_id_column_statements(change.table_name)
+            else
+              add_column_statement(change.table_name, logical_field, attributes, plan.dialect)
+            end
+          end
+        end.flatten)
+        statements.concat(plan.to_index.map do |change|
+          index_statement(
+            change.table_name,
+            change.field_name,
+            change.name,
+            plan.dialect,
+            unique: change.unique,
+            where_not_null: filtered_unique_index?(change.field, plan.dialect)
+          )
+        end)
+      end
+
       def create_table_statement(logical_name, table, dialect, tables = nil)
         table_name = table.fetch(:model_name)
         columns = table.fetch(:fields).map do |logical_field, attributes|
@@ -28,7 +53,7 @@ module BetterAuth
         when :mysql
           %(CREATE TABLE IF NOT EXISTS #{quote(table_name, dialect)} (\n  #{body}\n) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;)
         when :mssql
-          %(IF OBJECT_ID(N'#{quote(table_name, dialect)}', N'U') IS NULL\nCREATE TABLE #{quote(table_name, dialect)} (\n  #{body}\n);)
+          %(#{mssql_required_set_options}\nIF OBJECT_ID(N'#{quote(table_name, dialect)}', N'U') IS NULL\nCREATE TABLE #{quote(table_name, dialect)} (\n  #{body}\n);)
         else
           raise ArgumentError, "Unsupported SQL dialect: #{dialect}"
         end
@@ -52,7 +77,7 @@ module BetterAuth
         constraints = []
         column = attributes[:field_name] || physical_name(logical_field)
 
-        if attributes[:unique] && logical_field != "id"
+        if attributes[:unique] && logical_field != "id" && !(dialect == :mssql && !attributes[:required])
           constraints << unique_constraint(table_name, column, dialect)
         end
 
@@ -67,21 +92,62 @@ module BetterAuth
       def index_statements(table, dialect)
         table_name = table.fetch(:model_name)
         table.fetch(:fields).filter_map do |logical_field, attributes|
-          next unless attributes[:index]
+          nullable_unique_mssql = dialect == :mssql && attributes[:unique] && logical_field != "id" && !attributes[:required]
+          next if attributes[:unique] && !nullable_unique_mssql
+          next unless attributes[:index] || nullable_unique_mssql
 
           column = attributes[:field_name] || Schema.physical_name(logical_field)
-          name = "index_#{table_name}_on_#{column}"
-          case dialect
-          when :postgres, :sqlite
-            %(CREATE INDEX IF NOT EXISTS #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
-          when :mysql
-            %(CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
-          when :mssql
-            %(IF NOT EXISTS (SELECT name FROM sys.indexes WHERE name = '#{name.gsub("'", "''")}' AND object_id = OBJECT_ID(N'#{quote(table_name, dialect)}')) CREATE INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
-          end
+          unique = attributes[:unique] && dialect == :mssql
+          name = unique ? "uniq_#{table_name}_#{column}" : "index_#{table_name}_on_#{column}"
+          index_statement(table_name, column, name, dialect, unique: unique, where_not_null: filtered_unique_index?(attributes, dialect))
+        end
+      end
+
+      def add_column_statement(table_name, logical_field, attributes, dialect)
+        keyword = (dialect == :mssql) ? "ADD" : "ADD COLUMN"
+        %(ALTER TABLE #{quote(table_name, dialect)} #{keyword} #{column_definition(table_name, logical_field, attributes, dialect)};)
+      end
+
+      def add_postgres_id_column_statements(table_name)
+        quoted_table = quote(table_name, :postgres)
+        quoted_id = quote("id", :postgres)
+        [
+          %(ALTER TABLE #{quoted_table} ADD COLUMN #{quoted_id} text;),
+          %(UPDATE #{quoted_table} SET #{quoted_id} = md5(random()::text || clock_timestamp()::text || ctid::text) WHERE #{quoted_id} IS NULL;),
+          %(ALTER TABLE #{quoted_table} ALTER COLUMN #{quoted_id} SET NOT NULL;),
+          %(ALTER TABLE #{quoted_table} ADD PRIMARY KEY (#{quoted_id});)
+        ]
+      end
+
+      def index_statement(table_name, column, name, dialect, unique: false, where_not_null: false)
+        unique_prefix = unique ? "UNIQUE " : ""
+        case dialect
+        when :postgres, :sqlite
+          %(CREATE #{unique_prefix}INDEX IF NOT EXISTS #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+        when :mysql
+          %(CREATE #{unique_prefix}INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)});)
+        when :mssql
+          filter = where_not_null ? " WHERE #{quote(column, dialect)} IS NOT NULL" : ""
+          %(#{mssql_required_set_options}\nIF NOT EXISTS (SELECT name FROM sys.indexes WHERE name = '#{name.gsub("'", "''")}' AND object_id = OBJECT_ID(N'#{quote(table_name, dialect)}')) CREATE #{unique_prefix}INDEX #{quote(name, dialect)} ON #{quote(table_name, dialect)} (#{quote(column, dialect)})#{filter};)
         end
       end
 
+      def filtered_unique_index?(attributes, dialect)
+        dialect == :mssql && attributes[:unique] && !attributes[:required]
+      end
+
+      def mssql_required_set_options
+        <<~SQL.strip
+          SET ANSI_NULLS ON;
+          SET QUOTED_IDENTIFIER ON;
+          SET ANSI_WARNINGS ON;
+          SET ANSI_PADDING ON;
+          SET CONCAT_NULL_YIELDS_NULL ON;
+          SET ARITHABORT ON;
+          SET NUMERIC_ROUNDABORT OFF;
+        SQL
+      end
+
       def sql_type(logical_field, attributes, dialect)
         case attributes[:type]
         when "boolean"
@@ -121,7 +187,7 @@ module BetterAuth
           end
         else
           if dialect == :mysql
-            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references]
+            indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references] || attributes[:sortable] || attributes.key?(:default_value)
             indexed ? "varchar(191)" : "text"
           elsif dialect == :mssql
             indexed = logical_field == "id" || attributes[:unique] || attributes[:index] || attributes[:references] || attributes[:sortable]
@@ -164,8 +230,9 @@ module BetterAuth
       end
 
       def foreign_key_constraint(table_name, column, reference, dialect, tables = nil)
-        target_model = tables&.fetch(reference.fetch(:model).to_s, nil)&.fetch(:model_name) || reference.fetch(:model)
-        target_field = reference.fetch(:field)
+        target_table = foreign_key_target_table(reference, tables)
+        target_model = target_table&.fetch(:model_name) || reference.fetch(:model)
+        target_field = foreign_key_target_field(reference, target_table)
         on_delete = reference[:on_delete] ? " ON DELETE #{reference[:on_delete].to_s.upcase}" : ""
 
         case dialect
@@ -178,6 +245,28 @@ module BetterAuth
         end
       end
 
+      def foreign_key_target_table(reference, tables)
+        return unless tables
+
+        model = reference.fetch(:model).to_s
+        tables.fetch(model, nil) || tables.each_value.find { |table| table.fetch(:model_name).to_s == model }
+      end
+
+      def foreign_key_target_field(reference, target_table)
+        field = reference.fetch(:field).to_s
+        return field unless target_table
+
+        fields = target_table.fetch(:fields)
+        attributes = fields.fetch(field, nil)
+        return attributes[:field_name] || physical_name(field) if attributes
+
+        if fields.each_value.any? { |data| data[:field_name].to_s == field }
+          field
+        else
+          physical_name(field)
+        end
+      end
+
       def quote(identifier, dialect)
         case dialect
         when :postgres, :sqlite

data/lib/better_auth/schema.rb

@@ -18,6 +18,7 @@ module BetterAuth
       tables.delete("verification") if secondary_storage?(options) && !verification_option(options, :store_in_database)
       tables.merge!(plugin_schema)
       tables["rateLimit"] = rate_limit_table(options) if rate_limit_option(options, :storage) == "database"
+      ensure_id_fields!(tables)
       tables.sort_by { |_name, table| table[:order] || Float::INFINITY }.to_h
     end
 
@@ -121,6 +122,15 @@ module BetterAuth
       }
     end
 
+    private_class_method def self.ensure_id_fields!(tables)
+      tables.each_value do |table|
+        fields = table.fetch(:fields)
+        next if fields.key?("id")
+
+        table[:fields] = id_field.merge(fields)
+      end
+    end
+
     private_class_method def self.base_fields
       id_field.merge(timestamp_fields)
     end
@@ -162,14 +172,19 @@ module BetterAuth
         schema.each do |raw_key, raw_table|
           key = storage_key(raw_key)
           table_data = symbolize_hash(raw_table || {})
-          existing = tables[key] || {model_name: table_data[:model_name] || physical_name(key), fields: {}}
-          existing[:model_name] = table_data[:model_name] || existing[:model_name] || physical_name(key)
+          existing = tables[key] || {model_name: table_data[:model_name] || physical_table_name(key), fields: {}}
+          existing[:model_name] = table_data[:model_name] || existing[:model_name] || physical_table_name(key)
           existing[:fields] = existing[:fields].merge(normalize_fields(table_data[:fields] || {}))
+          existing[:fields] = id_field.merge(existing[:fields]) unless core_table?(key) || existing[:fields].key?("id")
           tables[key] = existing
         end
       end
     end
 
+    private_class_method def self.core_table?(key)
+      %w[user session account verification].include?(key.to_s)
+    end
+
     private_class_method def self.normalize_fields(fields)
       fields.each_with_object({}) do |(raw_key, raw_value), result|
         key = storage_key(raw_key)
@@ -270,6 +285,24 @@ module BetterAuth
       underscore(value.to_s)
     end
 
+    private_class_method def self.physical_table_name(value)
+      pluralize_table_name(physical_name(value))
+    end
+
+    private_class_method def self.pluralize_table_name(value)
+      special = {
+        "apikey" => "api_keys",
+        "api_key" => "api_keys",
+        "wallet_address" => "wallet_addresses"
+      }
+      return special.fetch(value) if special.key?(value)
+      return value if value.end_with?("s")
+      return "#{value[0...-1]}ies" if value.end_with?("y") && value.match?(/[^aeiou]y\z/)
+      return "#{value}es" if value.match?(/(s|x|z|ch|sh)\z/)
+
+      "#{value}s"
+    end
+
     private_class_method def self.camelize_lower(value)
       parts = underscore(value).split("_")
       ([parts.first] + parts.drop(1).map(&:capitalize)).join

data/lib/better_auth/session.rb

@@ -45,7 +45,8 @@ module BetterAuth
         strategy: config[:strategy] || "compact",
         version: config[:version],
         cookie_prefix: ctx.context.options.advanced[:cookie_prefix] || "better-auth",
-        is_secure: ctx.context.auth_cookies[:session_data].name.start_with?(Cookies::SECURE_COOKIE_PREFIX)
+        is_secure: ctx.context.auth_cookies[:session_data].name.start_with?(Cookies::SECURE_COOKIE_PREFIX),
+        cookie_full_name: ctx.context.auth_cookies[:session_data].name
       )
       return nil unless payload
       return nil if payload["session"]["token"] && payload["session"]["token"] != token