better-auth-api 0.10.0

Plugin implementations for better-auth
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314

use std::collections::HashMap;

use better_auth_core::adapters::DatabaseAdapter;
use better_auth_core::{AuthContext, AuthResult, CreateApiKey, UpdateApiKey};

use super::ApiKeyPlugin;
use super::types::*;
use crate::plugins::helpers;

// ---------------------------------------------------------------------------
// Permissions verification helper (RBAC)
// ---------------------------------------------------------------------------

/// Check whether `key_permissions` (JSON object mapping role->actions) covers
/// all of the `required_permissions`.
///
/// Mirrors the TypeScript `role(apiKeyPermissions).authorize(permissions)`
/// implementation. Required actions must be a subset of the API key's actions
/// for each resource/role.
pub(super) fn check_permissions(key_permissions_json: &str, required: &serde_json::Value) -> bool {
    let required_map = match required.as_object() {
        Some(m) => m,
        None => return false,
    };

    let key_map: HashMap<String, Vec<String>> = match serde_json::from_str(key_permissions_json) {
        Ok(v) => v,
        Err(_) => return false,
    };

    for (resource, requested_actions) in required_map {
        // Look up the allowed actions for this resource
        let allowed_actions = match key_map.get(resource) {
            Some(a) => a,
            // Resource not found in key permissions -> fail (matches TS behavior)
            None => return false,
        };

        // The request value can be:
        // 1. An array of action strings -> all must be allowed (AND)
        // 2. An object { actions: [...], connector: "OR"|"AND" }
        if let Some(actions_array) = requested_actions.as_array() {
            // Simple array -> every requested action must exist in allowed actions
            for action_val in actions_array {
                let action = match action_val.as_str() {
                    Some(s) => s,
                    None => return false,
                };
                if !allowed_actions.iter().any(|a| a == action) {
                    return false;
                }
            }
        } else if let Some(obj) = requested_actions.as_object() {
            // Object form: { actions: [...], connector: "OR" | "AND" }
            let actions = match obj.get("actions").and_then(|v| v.as_array()) {
                Some(a) => a,
                None => return false,
            };
            let connector = obj
                .get("connector")
                .and_then(|v| v.as_str())
                .unwrap_or("AND");

            if connector == "OR" {
                // At least one requested action must be allowed
                let any_allowed = actions.iter().any(|action_val| {
                    action_val
                        .as_str()
                        .is_some_and(|action| allowed_actions.iter().any(|a| a == action))
                });
                if !any_allowed {
                    return false;
                }
            } else {
                // AND (default): every requested action must be allowed
                for action_val in actions {
                    let action = match action_val.as_str() {
                        Some(s) => s,
                        None => return false,
                    };
                    if !allowed_actions.iter().any(|a| a == action) {
                        return false;
                    }
                }
            }
        } else {
            // Invalid format
            return false;
        }
    }

    true
}

// ---------------------------------------------------------------------------
// Core functions -- framework-agnostic business logic
// ---------------------------------------------------------------------------

pub(crate) async fn create_key_core<DB: DatabaseAdapter>(
    body: &CreateKeyRequest,
    user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<CreateKeyResponse> {
    // Validations
    plugin.validate_prefix(body.prefix.as_deref())?;
    plugin.validate_name(body.name.as_deref(), true)?;
    plugin.validate_metadata(&body.metadata)?;
    ApiKeyPlugin::validate_refill(body.refill_interval, body.refill_amount)?;

    let effective_expires_in = plugin.validate_expires_in(body.expires_in)?;

    let (full_key, hash, start) = plugin.generate_key(body.prefix.as_deref());

    let expires_at = helpers::expires_in_to_at(effective_expires_in)?;

    let remaining = body.remaining.or(plugin.config.default_remaining);

    let store_start = if plugin.config.store_starting_characters {
        Some(start)
    } else {
        None
    };

    let input = CreateApiKey {
        user_id: user_id.to_string(),
        name: body.name.clone(),
        prefix: body.prefix.clone().or_else(|| plugin.config.prefix.clone()),
        key_hash: hash,
        start: store_start,
        expires_at,
        remaining,
        rate_limit_enabled: body.rate_limit_enabled.unwrap_or(false),
        rate_limit_time_window: body.rate_limit_time_window,
        rate_limit_max: body.rate_limit_max,
        refill_interval: body.refill_interval,
        refill_amount: body.refill_amount,
        permissions: body
            .permissions
            .as_ref()
            .map(|v| serde_json::to_string(v).unwrap_or_default()),
        metadata: body
            .metadata
            .as_ref()
            .map(|v| serde_json::to_string(v).unwrap_or_default()),
        enabled: true,
    };

    let api_key = ctx.database.create_api_key(input).await?;

    // Throttled cleanup
    plugin.maybe_delete_expired(ctx).await;

    Ok(CreateKeyResponse {
        key: full_key,
        api_key: ApiKeyView::from_entity(&api_key),
    })
}

pub(crate) async fn get_key_core<DB: DatabaseAdapter>(
    id: &str,
    user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<ApiKeyView> {
    let api_key = helpers::get_owned_api_key(ctx, id, user_id).await?;
    plugin.maybe_delete_expired(ctx).await;
    Ok(ApiKeyView::from_entity(&api_key))
}

pub(crate) async fn list_keys_core<DB: DatabaseAdapter>(
    user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<Vec<ApiKeyView>> {
    let keys = ctx.database.list_api_keys_by_user(user_id).await?;
    let views: Vec<ApiKeyView> = keys.iter().map(ApiKeyView::from_entity).collect();
    plugin.maybe_delete_expired(ctx).await;
    Ok(views)
}

pub(crate) async fn update_key_core<DB: DatabaseAdapter>(
    body: &UpdateKeyRequest,
    user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<ApiKeyView> {
    // Validations
    plugin.validate_name(body.name.as_deref(), false)?;
    plugin.validate_metadata(&body.metadata)?;
    ApiKeyPlugin::validate_refill(body.refill_interval, body.refill_amount)?;

    // Ownership check via shared helper
    let _existing = helpers::get_owned_api_key(ctx, &body.id, user_id).await?;

    // Build expires_at if expiresIn is provided
    let expires_at = if let Some(ms) = body.expires_in {
        let effective_ms = plugin.validate_expires_in(Some(ms))?;
        helpers::expires_in_to_at(effective_ms)?.map(Some)
    } else {
        None
    };

    let update = UpdateApiKey {
        name: body.name.clone(),
        enabled: body.enabled,
        remaining: body.remaining,
        rate_limit_enabled: body.rate_limit_enabled,
        rate_limit_time_window: body.rate_limit_time_window,
        rate_limit_max: body.rate_limit_max,
        refill_interval: body.refill_interval,
        refill_amount: body.refill_amount,
        permissions: body
            .permissions
            .as_ref()
            .map(|v| serde_json::to_string(v).unwrap_or_default()),
        metadata: body
            .metadata
            .as_ref()
            .map(|v| serde_json::to_string(v).unwrap_or_default()),
        expires_at,
        last_request: None,
        request_count: None,
        last_refill_at: None,
    };

    let updated = ctx.database.update_api_key(&body.id, update).await?;

    // Invalidate cached rate limiter if rate limit settings changed
    if body.rate_limit_time_window.is_some()
        || body.rate_limit_max.is_some()
        || body.rate_limit_enabled.is_some()
    {
        plugin
            .rate_limiters
            .lock()
            .expect("rate_limiters mutex poisoned")
            .remove(&body.id);
    }

    plugin.maybe_delete_expired(ctx).await;

    Ok(ApiKeyView::from_entity(&updated))
}

pub(crate) async fn delete_key_core<DB: DatabaseAdapter>(
    body: &DeleteKeyRequest,
    user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<serde_json::Value> {
    // Ownership check via shared helper
    let _existing = helpers::get_owned_api_key(ctx, &body.id, user_id).await?;

    ctx.database.delete_api_key(&body.id).await?;

    // Evict cached rate limiter for the deleted key
    plugin
        .rate_limiters
        .lock()
        .expect("rate_limiters mutex poisoned")
        .remove(&body.id);

    Ok(serde_json::json!({ "status": true }))
}

pub(crate) async fn verify_key_core<DB: DatabaseAdapter>(
    body: &VerifyKeyRequest,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<VerifyKeyResponse> {
    let result = plugin
        .validate_api_key(ctx, &body.key, body.permissions.as_ref())
        .await;

    match result {
        Ok(view) => Ok(VerifyKeyResponse {
            valid: true,
            error: None,
            key: Some(view),
        }),
        Err(validation_err) => {
            let code_str = validation_err.code.as_str().to_string();
            let message = validation_err.message;
            Ok(VerifyKeyResponse {
                valid: false,
                error: Some(VerifyErrorBody {
                    message,
                    code: code_str,
                }),
                key: None,
            })
        }
    }
}

pub(crate) async fn delete_all_expired_core<DB: DatabaseAdapter>(
    _user_id: &str,
    plugin: &ApiKeyPlugin,
    ctx: &AuthContext<DB>,
) -> AuthResult<serde_json::Value> {
    let count = ctx.database.delete_expired_api_keys().await?;

    // Best-effort eviction: clear all cached limiters when bulk-deleting.
    if count > 0 {
        plugin
            .rate_limiters
            .lock()
            .expect("rate_limiters mutex poisoned")
            .clear();
    }

    Ok(serde_json::json!({ "deleted": count }))
}