Module: BetterAuth::SocialProviders::Base

Defined in:

lib/better_auth/social_providers/base.rb

Class Method Summary

• .access_token(tokens) ⇒ Object
• .apply_profile_mapping(user, profile, options) ⇒ Object
• .authorization_url(endpoint, params) ⇒ Object
• .decode_jwt_payload(token) ⇒ Object
• .fetch_jwks(endpoint) ⇒ Object
• .fetch_user_info(endpoint, tokens, method: :get, headers: {}, body: nil) ⇒ Object
• .get_bytes(url, headers = {}) ⇒ Object
• .get_json(url, headers = {}) ⇒ Object
• .id_token(tokens) ⇒ Object
• .normalize_options(options) ⇒ Object
• .normalize_tokens(tokens, now: Time.now) ⇒ Object
• .oauth_provider(id:, name:, client_id:, authorization_endpoint:, token_endpoint:, profile_map:, client_secret: nil, user_info_endpoint: nil, scopes: [], scope_separator: " ", pkce: false, auth_params: {}, token_params: {}, user_info_method: :get, user_info_headers: {}, user_info_body: nil, **options) ⇒ Object
• .option(options, *keys) ⇒ Object
• .padded_base64(value) ⇒ Object
• .parse_response(response) ⇒ Object
• .pkce_challenge(verifier) ⇒ Object
• .post_form(url, form) ⇒ Object
• .post_form_json(url, form, headers = {}) ⇒ Object
• .post_json(url, body = {}, headers = {}) ⇒ Object
• .primary_client_id(client_id) ⇒ Object
• .provider_user_info?(value) ⇒ Boolean
• .refresh_access_token(token_endpoint, refresh_token, client_id:, client_secret: nil, extra_params: {}) ⇒ Object
• .request_json(uri, request) ⇒ Object
• .resolve_hash(value, data, options) ⇒ Object
• .selected_scopes(defaults, options, data) ⇒ Object
• .stringify_keys(hash) ⇒ Object
• .time_from(value) ⇒ Object
• .value(hash, *keys) ⇒ Object
• .verify_jwt_with_jwks(token, jwks:, jwks_endpoint:, algorithms:, issuers:, audience:, nonce: nil, max_age: 3600) ⇒ Object

Class Method Details

.access_token(tokens) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 167

def access_token(tokens)
  tokens[:access_token] || tokens["access_token"] || tokens[:accessToken] || tokens["accessToken"]
end

.apply_profile_mapping(user, profile, options) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 237

def apply_profile_mapping(user, profile, options)
  user.merge(options[:map_profile_to_user]&.call(profile) || {})
end

.authorization_url(endpoint, params) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 17

def authorization_url(endpoint, params)
  uri = URI(endpoint)
  query = URI.decode_www_form(uri.query.to_s)
  params.compact.each do |key, value|
    next if value == ""

    query << [key.to_s, Array(value).join(" ")]
  end
  uri.query = URI.encode_www_form(query)
  uri.to_s
end

.decode_jwt_payload(token) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 250

def decode_jwt_payload(token)
  _header, payload, _signature = token.to_s.split(".", 3)
  return {} unless payload

  JSON.parse(Base64.urlsafe_decode64(padded_base64(payload)))
rescue JSON::ParserError, ArgumentError
  {}
end

.fetch_jwks(endpoint) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 281

def fetch_jwks(endpoint)
  return nil if endpoint.to_s.empty?

  get_json(endpoint)
end

.fetch_user_info(endpoint, tokens, method: :get, headers: {}, body: nil) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 134

def fetch_user_info(endpoint, tokens, method: :get, headers: {}, body: nil)
  resolved_headers = resolve_hash(headers, tokens, {})
  resolved_body = resolve_hash(body || {}, tokens, {})
  resolved_headers = {"Authorization" => "Bearer #{access_token(tokens)}"}.merge(resolved_headers)
  (method == :post) ? post_json(endpoint, resolved_body, resolved_headers) : get_json(endpoint, resolved_headers)
end

.get_bytes(url, headers = {}) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 116

def get_bytes(url, headers = {})
  uri = URI(url)
  request = Net::HTTP::Get.new(uri)
  headers.each { |key, value| request[key.to_s] = value.to_s }
  response = request_json(uri, request)
  response.is_a?(Net::HTTPSuccess) ? response.body.to_s : nil
rescue URI::InvalidURIError, SocketError, SystemCallError
  nil
end

.get_json(url, headers = {}) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 109

def get_json(url, headers = {})
  uri = URI(url)
  request = Net::HTTP::Get.new(uri)
  headers.each { |key, value| request[key.to_s] = value.to_s }
  parse_response(request_json(uri, request))
end

.id_token(tokens) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 171

def id_token(tokens)
  tokens[:id_token] || tokens["id_token"] || tokens[:idToken] || tokens["idToken"]
end

.normalize_options(options) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 191

def normalize_options(options)
  normalized = options.dup
  {
    clientId: :client_id,
    clientSecret: :client_secret,
    clientKey: :client_key,
    disableDefaultScope: :disable_default_scope,
    mapProfileToUser: :map_profile_to_user,
    getUserInfo: :get_user_info,
    verifyIdToken: :verify_id_token,
    refreshAccessToken: :refresh_access_token,
    disableIdTokenSignIn: :disable_id_token_sign_in,
    disableImplicitSignUp: :disable_implicit_sign_up,
    disableSignUp: :disable_sign_up,
    authorizationEndpoint: :authorization_endpoint,
    tokenEndpoint: :token_endpoint,
    userInfoEndpoint: :user_info_endpoint,
    emailsEndpoint: :emails_endpoint,
    redirectURI: :redirect_uri,
    jwksEndpoint: :jwks_endpoint,
    appBundleIdentifier: :app_bundle_identifier,
    profilePhotoSize: :profile_photo_size,
    disableProfilePhoto: :disable_profile_photo,
    tenantId: :tenant_id
  }.each do |camel, snake|
    normalized[snake] = normalized[camel] if normalized.key?(camel) && !normalized.key?(snake)
  end
  normalized
end

.normalize_tokens(tokens, now: Time.now) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 150

def normalize_tokens(tokens, now: Time.now)
  data = stringify_keys(tokens || {})
  result = {}
  result["accessToken"] = data["accessToken"] || data["access_token"] if data["accessToken"] || data["access_token"]
  result["refreshToken"] = data["refreshToken"] || data["refresh_token"] if data["refreshToken"] || data["refresh_token"]
  result["idToken"] = data["idToken"] || data["id_token"] if data["idToken"] || data["id_token"]
  result["tokenType"] = data["tokenType"] || data["token_type"] if data["tokenType"] || data["token_type"]
  scope = data["scope"] || data["scopes"]
  result["scope"] = Array(scope).join(",").tr(" ", ",").split(",").reject(&:empty?).join(",") if scope
  result["accessTokenExpiresAt"] = time_from(data["accessTokenExpiresAt"] || data["access_token_expires_at"]) if data["accessTokenExpiresAt"] || data["access_token_expires_at"]
  result["refreshTokenExpiresAt"] = time_from(data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]) if data["refreshTokenExpiresAt"] || data["refresh_token_expires_at"]
  result["accessTokenExpiresAt"] ||= now + data["expires_in"].to_i if data["expires_in"]
  result["refreshTokenExpiresAt"] ||= now + data["refresh_token_expires_in"].to_i if data["refresh_token_expires_in"]
  data.each { |key, value| result[key] = value unless result.key?(key) || %w[access_token refresh_token id_token token_type expires_in refresh_token_expires_in scopes].include?(key) }
  result
end

.oauth_provider(id:, name:, client_id:, authorization_endpoint:, token_endpoint:, profile_map:, client_secret: nil, user_info_endpoint: nil, scopes: [], scope_separator: " ", pkce: false, auth_params: {}, token_params: {}, user_info_method: :get, user_info_headers: {}, user_info_body: nil, **options) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 29

def oauth_provider(id:, name:, client_id:, authorization_endpoint:, token_endpoint:, profile_map:, client_secret: nil, user_info_endpoint: nil, scopes: [], scope_separator: " ", pkce: false, auth_params: {}, token_params: {}, user_info_method: :get, user_info_headers: {}, user_info_body: nil, **options)
  opts = normalize_options(options.merge(client_id: client_id, client_secret: client_secret))
  {
    id: id,
    name: name,
    client_id: client_id,
    client_secret: client_secret,
    options: opts,
    create_authorization_url: lambda do |data|
      verifier = value(data, :code_verifier, :codeVerifier)
      selected_scopes = selected_scopes(scopes, opts, data)
      params = {
        client_id: primary_client_id(client_id),
        redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI),
        response_type: "code",
        scope: selected_scopes.empty? ? nil : selected_scopes.join(scope_separator),
        state: value(data, :state),
        code_challenge: (pkce && verifier) ? pkce_challenge(verifier) : nil,
        code_challenge_method: (pkce && verifier) ? "S256" : nil,
        login_hint: value(data, :loginHint, :login_hint),
        prompt: opts[:prompt]
      }.merge(resolve_hash(auth_params, data, opts))
      authorization_url(option(opts, :authorization_endpoint, :authorizationEndpoint) || authorization_endpoint, params)
    end,
    validate_authorization_code: lambda do |data|
      post_form_json(option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint, {
        client_id: primary_client_id(client_id),
        client_secret: client_secret,
        code: value(data, :code),
        code_verifier: value(data, :code_verifier, :codeVerifier),
        grant_type: "authorization_code",
        redirect_uri: opts[:redirect_uri] || value(data, :redirect_uri, :redirectURI)
      }.merge(resolve_hash(token_params, data, opts)))
    end,
    refresh_access_token: opts[:refresh_access_token] || lambda do |refresh_token|
      refresh_access_token(
        option(opts, :token_endpoint, :tokenEndpoint) || token_endpoint,
        refresh_token,
        client_id: primary_client_id(client_id),
        client_secret: client_secret
      )
    end,
    verify_id_token: opts[:verify_id_token],
    get_user_info: lambda do |tokens|
      custom = opts[:get_user_info]
      profile = if custom
        custom.call(tokens)
      elsif user_info_endpoint
        fetch_user_info(user_info_endpoint, tokens, method: user_info_method, headers: user_info_headers, body: user_info_body)
      else
        decode_jwt_payload(id_token(tokens))
      end
      return nil unless profile
      return profile if provider_user_info?(profile)

      mapped = profile_map.call(profile)
      user_map = opts[:map_profile_to_user]&.call(profile) || {}
      {user: mapped.merge(user_map), data: profile}
    end
  }
end

.option(options, *keys) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 187

def option(options, *keys)
  value(options, *keys)
end

.padded_base64(value) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 315

def padded_base64(value)
  value + ("=" * ((4 - value.length % 4) % 4))
end

.parse_response(response) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 300

def parse_response(response)
  return nil unless response.is_a?(Net::HTTPSuccess)

  body = response.body.to_s
  return {} if body.empty?

  JSON.parse(body)
rescue JSON::ParserError
  URI.decode_www_form(body).to_h
end

.pkce_challenge(verifier) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 91

def pkce_challenge(verifier)
  digest = OpenSSL::Digest.digest("SHA256", verifier.to_s)
  Base64.urlsafe_encode64(digest, padding: false)
end

.post_form(url, form) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 96

def post_form(url, form)
  post_form_json(url, form)
end

.post_form_json(url, form, headers = {}) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 100

def post_form_json(url, form, headers = {})
  uri = URI(url)
  request = Net::HTTP::Post.new(uri)
  request.set_form_data(form.compact.transform_keys(&:to_s))
  request["Accept"] = "application/json"
  headers.each { |key, value| request[key.to_s] = value.to_s }
  parse_response(request_json(uri, request))
end

.post_json(url, body = {}, headers = {}) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 126

def post_json(url, body = {}, headers = {})
  uri = URI(url)
  request = Net::HTTP::Post.new(uri)
  headers.each { |key, value| request[key.to_s] = value.to_s }
  request.set_form_data(body.compact.transform_keys(&:to_s))
  parse_response(request_json(uri, request))
end

.primary_client_id(client_id) ⇒ Object

Raises:

• (Error)

# File 'lib/better_auth/social_providers/base.rb', line 230

def primary_client_id(client_id)
  value = Array(client_id).first
  raise Error, "CLIENT_ID_AND_SECRET_REQUIRED" if value.to_s.empty?

  value
end

.provider_user_info?(value) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/better_auth/social_providers/base.rb', line 246

def provider_user_info?(value)
  value.is_a?(Hash) && (value.key?(:user) || value.key?("user"))
end

.refresh_access_token(token_endpoint, refresh_token, client_id:, client_secret: nil, extra_params: {}) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 141

def refresh_access_token(token_endpoint, refresh_token, client_id:, client_secret: nil, extra_params: {})
  normalize_tokens(post_form_json(token_endpoint, {
    client_id: client_id,
    client_secret: client_secret,
    grant_type: "refresh_token",
    refresh_token: refresh_token
  }.merge(extra_params || {})))
end

.request_json(uri, request) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 311

def request_json(uri, request)
  HTTPClient.request(uri, request)
end

.resolve_hash(value, data, options) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 241

def resolve_hash(value, data, options)
  resolved = value.respond_to?(:call) ? value.call(data, options) : value
  (resolved || {}).compact
end

.selected_scopes(defaults, options, data) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 221

def selected_scopes(defaults, options, data)
  scopes = options[:disable_default_scope] ? [] : Array(defaults).dup
  scopes.concat(Array(options[:scope])) if options[:scope]
  scopes.concat(Array(options[:scopes])) if options[:scopes]
  request_scopes = value(data, :scopes)
  scopes.concat(Array(request_scopes)) if request_scopes
  scopes
end

.stringify_keys(hash) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 287

def stringify_keys(hash)
  hash.each_with_object({}) { |(key, value), memo| memo[key.to_s] = value }
end

.time_from(value) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 291

def time_from(value)
  return value if value.is_a?(Time)
  return nil if value.nil? || value.to_s.empty?

  Time.parse(value.to_s)
rescue ArgumentError
  nil
end

.value(hash, *keys) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 175

def value(hash, *keys)
  return nil unless hash

  keys.each do |key|
    return hash[key] if hash.respond_to?(:key?) && hash.key?(key)

    string_key = key.to_s
    return hash[string_key] if hash.respond_to?(:key?) && hash.key?(string_key)
  end
  nil
end

.verify_jwt_with_jwks(token, jwks:, jwks_endpoint:, algorithms:, issuers:, audience:, nonce: nil, max_age: 3600) ⇒ Object

# File 'lib/better_auth/social_providers/base.rb', line 259

def verify_jwt_with_jwks(token, jwks:, jwks_endpoint:, algorithms:, issuers:, audience:, nonce: nil, max_age: 3600)
  jwks_payload = jwks.respond_to?(:call) ? jwks.call : jwks
  jwks_payload ||= fetch_jwks(jwks_endpoint)
  return nil unless jwks_payload

  options = {
    algorithms: algorithms,
    jwks: JWT::JWK::Set.new(stringify_keys(jwks_payload)),
    aud: audience,
    verify_aud: true
  }
  options[:iss] = issuers if issuers
  options[:verify_iss] = true if issuers
  payload, = JWT.decode(token.to_s, nil, true, options)
  return nil if nonce && payload["nonce"] != nonce
  return nil if max_age && payload["iat"] && payload["iat"].to_i < Time.now.to_i - max_age.to_i

  payload
rescue JWT::DecodeError, JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError, Net::OpenTimeout, Net::ReadTimeout, SocketError, SystemCallError
  nil
end