AuthConfig

Struct AuthConfig 

pub struct AuthConfig {
    pub secret: String,
    pub app_name: String,
    pub base_url: String,
    pub base_path: String,
    pub trusted_origins: Vec<String>,
    pub disabled_paths: Vec<String>,
    pub session: SessionConfig,
    pub jwt: JwtConfig,
    pub password: PasswordConfig,
    pub account: AccountConfig,
    pub email_provider: Option<Arc<dyn EmailProvider>>,
    pub advanced: AdvancedConfig,
}

Main configuration for BetterAuth

Fields§

§secret: String

Secret key for signing tokens and sessions

§app_name: String

Application name, used for cookie prefixes, email templates, etc.

Defaults to "Better Auth".

§base_url: String

Base URL for the authentication service (e.g. "http://localhost:3000").

§base_path: String

Base path where the auth routes are mounted.

All routes handled by BetterAuth will be prefixed with this path. For example, with the default "/api/auth", the sign-in route becomes "/api/auth/sign-in/email".

Defaults to "/api/auth".

§trusted_origins: Vec<String>

Origins that are trusted for CSRF and other cross-origin checks.

Supports glob patterns (e.g. "https://*.example.com"). These are shared across all middleware that needs origin validation (CSRF, CORS, etc.).

§disabled_paths: Vec<String>

Paths that should be disabled (skipped) by the router.

Any request whose path matches an entry in this list will receive a 404 response, even if a handler is registered for it.

§session: SessionConfig

Session configuration

§jwt: JwtConfig

JWT configuration

§password: PasswordConfig

Password configuration

§account: AccountConfig

Account configuration (linking, token encryption, etc.)

§email_provider: Option<Arc<dyn EmailProvider>>

Email provider for sending emails (verification, password reset, etc.)

§advanced: AdvancedConfig

Advanced configuration options

Implementations§

impl AuthConfig

pub fn new(secret: impl Into<String>) -> AuthConfig

pub fn app_name(self, name: impl Into<String>) -> AuthConfig

Set the application name.

pub fn base_url(self, url: impl Into<String>) -> AuthConfig

Set the base URL (e.g. "https://myapp.com").

pub fn account(self, account: AccountConfig) -> AuthConfig

pub fn base_path(self, path: impl Into<String>) -> AuthConfig

Set the base path where auth routes are mounted.

pub fn trusted_origin(self, origin: impl Into<String>) -> AuthConfig

Add a trusted origin. Supports glob patterns (e.g. "https://*.example.com").

pub fn trusted_origins(self, origins: Vec<String>) -> AuthConfig

Set all trusted origins at once.

pub fn disabled_path(self, path: impl Into<String>) -> AuthConfig

Add a path to the disabled paths list.

pub fn disabled_paths(self, paths: Vec<String>) -> AuthConfig

Set all disabled paths at once.

pub fn session_expires_in(self, duration: TimeDelta) -> AuthConfig

Set the session expiration duration.

pub fn session_update_age(self, duration: TimeDelta) -> AuthConfig

pub fn disable_session_refresh(self, disabled: bool) -> AuthConfig

pub fn session_fresh_age(self, duration: TimeDelta) -> AuthConfig

Set the cookie cache configuration for sessions.

pub fn jwt_expires_in(self, duration: TimeDelta) -> AuthConfig

Set the JWT expiration duration.

pub fn password_min_length(self, length: usize) -> AuthConfig

Set the minimum password length.

pub fn advanced(self, advanced: AdvancedConfig) -> AuthConfig

pub fn cookie_prefix(self, prefix: impl Into<String>) -> AuthConfig

pub fn disable_csrf_check(self, disabled: bool) -> AuthConfig

pub fn cross_sub_domain_cookies(self, domain: impl Into<String>) -> AuthConfig

pub fn is_origin_trusted(&self, origin: &str) -> bool

Check whether a given origin is trusted.

An origin is trusted if it matches:

  1. The origin extracted from base_url, or
  2. Any pattern in trusted_origins (after extracting the origin portion from the pattern).

Glob patterns are supported — * matches any characters except /, ** matches any characters including /. Non-wildcard patterns are parsed with the strict WHATWG URL parser so scheme, host, and default port match exactly what runtime callback URLs normalise to. Wildcard patterns fall back to naïve scheme/authority splitting so http://localhost:* and *://app.com still work; their non-wildcard host labels are still IDN-canonicalised.

pub fn is_path_disabled(&self, path: &str) -> bool

Check whether a given path is disabled.

pub fn is_redirect_target_trusted(&self, target: &str) -> bool

Check whether target is safe to use as the value of a server-issued redirect (302 Location) or an absolute link embedded in an outgoing email. Safe targets are:

  • a relative path starting with / whose second character is not / or \ (authority smuggling — //evil.com, /\evil.com — is rejected even when the caller opts out of origin checks; browsers normalise \ to / in the authority component);
  • an absolute http/https URL whose origin matches base_url or a trusted_origins pattern;
  • any path/URL when advanced.disable_origin_check is set, with the authority-smuggling exception above.

Other schemes (javascript:, data:, file:, …) are always rejected. Prevents open-redirect via user-supplied callbackURL / redirectTo.
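The rules documented for is_origin_trusted and is_redirect_target_trusted, restated as a std-only Rust sketch. This is an added example, not BetterAuth's source: glob_match, http_origin and redirect_target_ok are hypothetical names, patterns are assumed to match the whole origin, and the WHATWG/IDN normalisation the crate performs is left out.

```rust
// Added sketch, not the crate's source. Names below are hypothetical.
/// `*` matches any run without '/', `**` also crosses '/'. Assumption: whole-text match.
fn glob_match(pat: &[u8], text: &[u8]) -> bool {
    match pat {
        [] => text.is_empty(),
        [b'*', b'*', rest @ ..] => (0..=text.len()).any(|i| glob_match(rest, &text[i..])),
        [b'*', rest @ ..] => {
            let limit = text.iter().position(|&b| b == b'/').unwrap_or(text.len());
            (0..=limit).any(|i| glob_match(rest, &text[i..]))
        }
        [p, rest @ ..] => text.first() == Some(p) && glob_match(rest, &text[1..]),
    }
}

/// Lowercased "scheme://authority" of an absolute http/https URL.
/// Simplification: no default-port or IDN normalisation; userinfo is refused.
fn http_origin(url: &str) -> Option<String> {
    let lower = url.to_ascii_lowercase();
    let scheme = if lower.starts_with("https://") { "https://" }
        else if lower.starts_with("http://") { "http://" }
        else { return None };
    let rest = &lower[scheme.len()..];
    // '\' ends the authority too, since browsers read it as '/'.
    let end = rest.find(|c: char| matches!(c, '/' | '\\' | '?' | '#')).unwrap_or(rest.len());
    let authority = &rest[..end];
    if authority.is_empty() || authority.contains('@') { return None; }
    Some(format!("{}{}", scheme, authority))
}

/// `patterns` stands in for the base_url origin plus trusted_origins.
fn redirect_target_ok(target: &str, patterns: &[&str], disable_origin_check: bool) -> bool {
    let mut chars = target.chars();
    if chars.next() == Some('/') {
        // "//host" and "/\host" are refused even when origin checks are off.
        return !matches!(chars.next(), Some('/') | Some('\\'));
    }
    match http_origin(target) {
        Some(origin) => disable_origin_check
            || patterns.iter().any(|p| glob_match(p.as_bytes(), origin.as_bytes())),
        None => false, // javascript:, data:, file:, and anything else
    }
}

fn main() {
    let trusted = ["https://myapp.com", "https://*.example.com"]; // constructed
    for t in ["/dashboard", "//evil.test", "https://a.example.com/cb"].iter() {
        println!("{:<26} {}", t, redirect_target_ok(t, &trusted, false));
    }
}
```

Because the pattern has to cover the entire origin, a look-alike host such as https://example.com.evil.test does not satisfy https://*.example.com.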

pub fn is_absolute_trusted_callback_url(&self, target: &str) -> bool

Stricter variant of is_redirect_target_trusted that requires an absolute http/https URL. Use this for callbackURL values that are embedded in an email body or forwarded to an OAuth provider as redirect_uri — in both contexts a relative path produces a broken link (mail clients have no base URL to resolve against; the OAuth spec requires absolute URIs).

For server-issued Location redirects (GET handlers reached via email link clicks), relative paths are fine; use the less strict is_redirect_target_trusted there.

pub fn validate(&self) -> Result<(), AuthError>

Trait Implementations§

impl Clone for AuthConfig

fn clone(&self) -> AuthConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Default for AuthConfig

fn default() -> AuthConfig

Returns the “default value” for a type.
