1use argon2::password_hash::{SaltString, rand_core::OsRng};
2use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier};
3use async_trait::async_trait;
4use serde::{Deserialize, Serialize};
5use validator::Validate;
6
7use better_auth_core::adapters::DatabaseAdapter;
8use better_auth_core::entity::{AuthSession, AuthUser};
9use better_auth_core::{AuthContext, AuthPlugin, AuthRoute};
10use better_auth_core::{AuthError, AuthResult};
11use better_auth_core::{AuthRequest, AuthResponse, CreateUser, HttpMethod};
12
13pub struct EmailPasswordPlugin {
15 config: EmailPasswordConfig,
16}
17
18#[derive(Debug, Clone)]
19pub struct EmailPasswordConfig {
20 pub enable_signup: bool,
21 pub require_email_verification: bool,
22 pub password_min_length: usize,
23}
24
25#[derive(Debug, Deserialize, Validate)]
26#[allow(dead_code)]
27struct SignUpRequest {
28 #[validate(length(min = 1, message = "Name is required"))]
29 name: String,
30 #[validate(email(message = "Invalid email address"))]
31 email: String,
32 #[validate(length(min = 1, message = "Password is required"))]
33 password: String,
34 username: Option<String>,
35 #[serde(rename = "displayUsername")]
36 display_username: Option<String>,
37 #[serde(rename = "callbackURL")]
38 callback_url: Option<String>,
39}
40
41#[derive(Debug, Deserialize, Validate)]
42#[allow(dead_code)]
43struct SignInRequest {
44 #[validate(email(message = "Invalid email address"))]
45 email: String,
46 #[validate(length(min = 1, message = "Password is required"))]
47 password: String,
48 #[serde(rename = "callbackURL")]
49 callback_url: Option<String>,
50 #[serde(rename = "rememberMe")]
51 remember_me: Option<bool>,
52}
53
54#[derive(Debug, Deserialize, Validate)]
55#[allow(dead_code)]
56struct SignInUsernameRequest {
57 #[validate(length(min = 1, message = "Username is required"))]
58 username: String,
59 #[validate(length(min = 1, message = "Password is required"))]
60 password: String,
61 #[serde(rename = "rememberMe")]
62 remember_me: Option<bool>,
63}
64
65#[derive(Debug, Serialize)]
66struct SignUpResponse<U: Serialize> {
67 token: Option<String>,
68 user: U,
69}
70
71#[derive(Debug, Serialize)]
72struct SignInResponse<U: Serialize> {
73 redirect: bool,
74 token: String,
75 url: Option<String>,
76 user: U,
77}
78
79impl EmailPasswordPlugin {
80 #[allow(clippy::new_without_default)]
81 pub fn new() -> Self {
82 Self {
83 config: EmailPasswordConfig::default(),
84 }
85 }
86
87 pub fn with_config(config: EmailPasswordConfig) -> Self {
88 Self { config }
89 }
90
91 pub fn enable_signup(mut self, enable: bool) -> Self {
92 self.config.enable_signup = enable;
93 self
94 }
95
96 pub fn require_email_verification(mut self, require: bool) -> Self {
97 self.config.require_email_verification = require;
98 self
99 }
100
101 pub fn password_min_length(mut self, length: usize) -> Self {
102 self.config.password_min_length = length;
103 self
104 }
105
106 async fn handle_sign_up<DB: DatabaseAdapter>(
107 &self,
108 req: &AuthRequest,
109 ctx: &AuthContext<DB>,
110 ) -> AuthResult<AuthResponse> {
111 if !self.config.enable_signup {
112 return Err(AuthError::forbidden("User registration is not enabled"));
113 }
114
115 let signup_req: SignUpRequest = match better_auth_core::validate_request_body(req) {
116 Ok(v) => v,
117 Err(resp) => return Ok(resp),
118 };
119
120 self.validate_password(&signup_req.password, ctx)?;
122
123 if ctx
125 .database
126 .get_user_by_email(&signup_req.email)
127 .await?
128 .is_some()
129 {
130 return Err(AuthError::conflict("A user with this email already exists"));
131 }
132
133 let password_hash = self.hash_password(&signup_req.password)?;
135
136 let metadata = serde_json::json!({
138 "password_hash": password_hash,
139 });
140
141 let mut create_user = CreateUser::new()
142 .with_email(&signup_req.email)
143 .with_name(&signup_req.name);
144 if let Some(username) = signup_req.username {
145 create_user = create_user.with_username(username);
146 }
147 if let Some(display_username) = signup_req.display_username {
148 create_user.display_username = Some(display_username);
149 }
150 create_user.metadata = Some(metadata);
151
152 let user = ctx.database.create_user(create_user).await?;
153
154 let session_manager =
156 better_auth_core::SessionManager::new(ctx.config.clone(), ctx.database.clone());
157 let session = session_manager.create_session(&user, None, None).await?;
158
159 let response = SignUpResponse {
160 token: Some(session.token().to_string()),
161 user,
162 };
163
164 let cookie_header = self.create_session_cookie(session.token(), ctx);
166
167 Ok(AuthResponse::json(200, &response)?.with_header("Set-Cookie", cookie_header))
168 }
169
170 async fn handle_sign_in<DB: DatabaseAdapter>(
171 &self,
172 req: &AuthRequest,
173 ctx: &AuthContext<DB>,
174 ) -> AuthResult<AuthResponse> {
175 let signin_req: SignInRequest = match better_auth_core::validate_request_body(req) {
176 Ok(v) => v,
177 Err(resp) => return Ok(resp),
178 };
179
180 let user = ctx
182 .database
183 .get_user_by_email(&signin_req.email)
184 .await?
185 .ok_or(AuthError::InvalidCredentials)?;
186
187 let stored_hash = user
189 .metadata()
190 .get("password_hash")
191 .and_then(|v| v.as_str())
192 .ok_or(AuthError::InvalidCredentials)?;
193
194 self.verify_password(&signin_req.password, stored_hash)?;
195
196 let session_manager =
198 better_auth_core::SessionManager::new(ctx.config.clone(), ctx.database.clone());
199 let session = session_manager.create_session(&user, None, None).await?;
200
201 let response = SignInResponse {
202 redirect: false,
203 token: session.token().to_string(),
204 url: None,
205 user,
206 };
207
208 let cookie_header = self.create_session_cookie(session.token(), ctx);
210
211 Ok(AuthResponse::json(200, &response)?.with_header("Set-Cookie", cookie_header))
212 }
213
214 async fn handle_sign_in_username<DB: DatabaseAdapter>(
215 &self,
216 req: &AuthRequest,
217 ctx: &AuthContext<DB>,
218 ) -> AuthResult<AuthResponse> {
219 let signin_req: SignInUsernameRequest = match better_auth_core::validate_request_body(req) {
220 Ok(v) => v,
221 Err(resp) => return Ok(resp),
222 };
223
224 let user = ctx
226 .database
227 .get_user_by_username(&signin_req.username)
228 .await?
229 .ok_or(AuthError::InvalidCredentials)?;
230
231 let stored_hash = user
233 .metadata()
234 .get("password_hash")
235 .and_then(|v| v.as_str())
236 .ok_or(AuthError::InvalidCredentials)?;
237
238 self.verify_password(&signin_req.password, stored_hash)?;
239
240 let session_manager =
242 better_auth_core::SessionManager::new(ctx.config.clone(), ctx.database.clone());
243 let session = session_manager.create_session(&user, None, None).await?;
244
245 let response = SignInResponse {
246 redirect: false,
247 token: session.token().to_string(),
248 url: None,
249 user,
250 };
251
252 let cookie_header = self.create_session_cookie(session.token(), ctx);
254
255 Ok(AuthResponse::json(200, &response)?.with_header("Set-Cookie", cookie_header))
256 }
257
258 fn validate_password<DB: DatabaseAdapter>(
259 &self,
260 password: &str,
261 ctx: &AuthContext<DB>,
262 ) -> AuthResult<()> {
263 if password.len() < ctx.config.password.min_length {
264 return Err(AuthError::bad_request(format!(
265 "Password must be at least {} characters long",
266 ctx.config.password.min_length
267 )));
268 }
269 Ok(())
270 }
271
272 fn hash_password(&self, password: &str) -> AuthResult<String> {
273 let salt = SaltString::generate(&mut OsRng);
274 let argon2 = Argon2::default();
275
276 let password_hash = argon2
277 .hash_password(password.as_bytes(), &salt)
278 .map_err(|e| AuthError::PasswordHash(format!("Failed to hash password: {}", e)))?;
279
280 Ok(password_hash.to_string())
281 }
282
283 fn create_session_cookie<DB: DatabaseAdapter>(
284 &self,
285 token: &str,
286 ctx: &AuthContext<DB>,
287 ) -> String {
288 let session_config = &ctx.config.session;
289 let secure = if session_config.cookie_secure {
290 "; Secure"
291 } else {
292 ""
293 };
294 let http_only = if session_config.cookie_http_only {
295 "; HttpOnly"
296 } else {
297 ""
298 };
299 let same_site = match session_config.cookie_same_site {
300 better_auth_core::config::SameSite::Strict => "; SameSite=Strict",
301 better_auth_core::config::SameSite::Lax => "; SameSite=Lax",
302 better_auth_core::config::SameSite::None => "; SameSite=None",
303 };
304
305 let expires = chrono::Utc::now() + session_config.expires_in;
306 let expires_str = expires.format("%a, %d %b %Y %H:%M:%S GMT");
307
308 format!(
309 "{}={}; Path=/; Expires={}{}{}{}",
310 session_config.cookie_name, token, expires_str, secure, http_only, same_site
311 )
312 }
313
314 fn verify_password(&self, password: &str, hash: &str) -> AuthResult<()> {
315 let parsed_hash = PasswordHash::new(hash)
316 .map_err(|e| AuthError::PasswordHash(format!("Invalid password hash: {}", e)))?;
317
318 let argon2 = Argon2::default();
319 argon2
320 .verify_password(password.as_bytes(), &parsed_hash)
321 .map_err(|_| AuthError::InvalidCredentials)?;
322
323 Ok(())
324 }
325}
326
327impl Default for EmailPasswordConfig {
328 fn default() -> Self {
329 Self {
330 enable_signup: true,
331 require_email_verification: false,
332 password_min_length: 8,
333 }
334 }
335}
336
337#[async_trait]
338impl<DB: DatabaseAdapter> AuthPlugin<DB> for EmailPasswordPlugin {
339 fn name(&self) -> &'static str {
340 "email-password"
341 }
342
343 fn routes(&self) -> Vec<AuthRoute> {
344 let mut routes = vec![
345 AuthRoute::post("/sign-in/email", "sign_in_email"),
346 AuthRoute::post("/sign-in/username", "sign_in_username"),
347 ];
348
349 if self.config.enable_signup {
350 routes.push(AuthRoute::post("/sign-up/email", "sign_up_email"));
351 }
352
353 routes
354 }
355
356 async fn on_request(
357 &self,
358 req: &AuthRequest,
359 ctx: &AuthContext<DB>,
360 ) -> AuthResult<Option<AuthResponse>> {
361 match (req.method(), req.path()) {
362 (HttpMethod::Post, "/sign-up/email") if self.config.enable_signup => {
363 Ok(Some(self.handle_sign_up(req, ctx).await?))
364 }
365 (HttpMethod::Post, "/sign-in/email") => Ok(Some(self.handle_sign_in(req, ctx).await?)),
366 (HttpMethod::Post, "/sign-in/username") => {
367 Ok(Some(self.handle_sign_in_username(req, ctx).await?))
368 }
369 _ => Ok(None),
370 }
371 }
372
373 async fn on_user_created(&self, user: &DB::User, _ctx: &AuthContext<DB>) -> AuthResult<()> {
374 if self.config.require_email_verification
375 && !user.email_verified()
376 && let Some(email) = user.email()
377 {
378 println!("Email verification required for user: {}", email);
379 }
380 Ok(())
381 }
382}