@better-auth/electron 1.5.0-beta.12

package/dist/client.mjs

@@ -0,0 +1,476 @@
+import { n as parseProtocolScheme, t as isProcessType } from "./utils-C3fLmbAT.mjs";
+import { BetterAuthError } from "@better-auth/core/error";
+import { APIError as APIError$1, getBaseURL, isDevelopment, isTest } from "better-auth";
+import { generateRandomString } from "better-auth/crypto";
+import * as z from "zod";
+import { Buffer } from "node:buffer";
+import { base64, base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
+import { signInSocial } from "better-auth/api";
+import { parseSetCookieHeader } from "better-auth/cookies";
+import electron, { shell } from "electron";
+import { resolve } from "node:path";
+
+//#region src/bridges.ts
+const { ipcRenderer, ipcMain, contextBridge, webContents: webContents$1 } = electron;
+function getChannelPrefixWithDelimiter(ns = "better-auth") {
+	return ns.length > 0 ? ns + ":" : ns;
+}
+function listenerFactory(channel, listener) {
+	ipcRenderer.on(channel, listener);
+	return () => {
+		ipcRenderer.off(channel, listener);
+	};
+}
+/**
+* Exposes IPC bridges to the renderer process.
+*/
+function exposeBridges(opts) {
+	if (!process.contextIsolated) throw new BetterAuthError("Context isolation must be enabled to use IPC bridges securely.");
+	const prefix = getChannelPrefixWithDelimiter(opts.channelPrefix);
+	const bridges = {
+		getUser: async () => {
+			return await ipcRenderer.invoke(`${prefix}getUser`);
+		},
+		requestAuth: async (options) => {
+			await ipcRenderer.invoke(`${prefix}requestAuth`, options);
+		},
+		signOut: async () => {
+			await ipcRenderer.invoke(`${prefix}signOut`);
+		},
+		onAuthenticated: (callback) => {
+			return listenerFactory(`${prefix}authenticated`, async (_evt, user) => {
+				await callback(user);
+			});
+		},
+		onUserUpdated: (callback) => {
+			return listenerFactory(`${prefix}user-updated`, async (_evt, user) => {
+				await callback(user);
+			});
+		},
+		onAuthError: (callback) => {
+			return listenerFactory(`${prefix}error`, async (_evt, context) => {
+				await callback(context);
+			});
+		}
+	};
+	for (const [key, value] of Object.entries(bridges)) contextBridge.exposeInMainWorld(key, value);
+	return {};
+}
+/**
+* Sets up IPC bridges in the main process.
+*/
+function setupBridges(ctx, opts, clientOptions) {
+	const prefix = getChannelPrefixWithDelimiter(opts.channelPrefix);
+	ctx.$store?.atoms.session?.subscribe((state) => {
+		if (state.isPending === true) return;
+		webContents$1.getFocusedWebContents()?.send(`${prefix}user-updated`, state?.data?.user ?? null);
+	});
+	ipcMain.handle(`${prefix}getUser`, async () => {
+		return (await ctx.$fetch("/get-session", {
+			method: "GET",
+			headers: {
+				cookie: ctx.getCookie(),
+				"content-type": "application/json"
+			}
+		})).data?.user ?? null;
+	});
+	ipcMain.handle(`${prefix}requestAuth`, (_evt, options) => requestAuth(clientOptions, opts, options));
+	ipcMain.handle(`${prefix}signOut`, async () => {
+		await ctx.$fetch("/sign-out", {
+			method: "POST",
+			body: "{}",
+			headers: {
+				cookie: ctx.getCookie(),
+				"content-type": "application/json"
+			}
+		});
+	});
+}
+
+//#endregion
+//#region src/authenticate.ts
+const kCodeVerifier = Symbol.for("better-auth:code_verifier");
+const kState = Symbol.for("better-auth:state");
+(() => {
+	const { provider, idToken, loginHint, ...signInSocialBody } = signInSocial().options.body.shape;
+	return z.object({
+		...signInSocialBody,
+		provider: z.string().nonempty().optional()
+	});
+})();
+/**
+* Opens the system browser to request user authentication.
+*/
+async function requestAuth(clientOptions, options, cfg) {
+	if (!isProcessType("browser")) throw new BetterAuthError("`requestAuth` can only be called in the main process");
+	const { randomBytes } = await import("node:crypto");
+	const state = generateRandomString(16, "A-Z", "a-z", "0-9");
+	const codeVerifier = base64Url.encode(randomBytes(32));
+	const codeChallenge = base64Url.encode(await createHash("SHA-256").digest(codeVerifier));
+	globalThis[kCodeVerifier] = codeVerifier;
+	globalThis[kState] = state;
+	let url = null;
+	if (cfg?.provider) {
+		const baseURL = getBaseURL(clientOptions?.baseURL, clientOptions?.basePath, void 0, true);
+		if (!baseURL) {
+			console.log("No base URL found in client options");
+			throw APIError$1.from("INTERNAL_SERVER_ERROR", {
+				code: "NO_BASE_URL",
+				message: "Base URL is required to use provider-based sign-in."
+			});
+		}
+		url = new URL(`${baseURL}/electron/init-oauth-proxy`);
+		for (const [key, value] of Object.entries(cfg)) url.searchParams.set(key, typeof value === "string" ? value : JSON.stringify(value));
+	} else url = new URL(options.signInURL);
+	url.searchParams.set("client_id", options.clientID || "electron");
+	url.searchParams.set("code_challenge", codeChallenge);
+	url.searchParams.set("code_challenge_method", "S256");
+	url.searchParams.set("state", state);
+	if (url === null) throw new Error("Failed to construct sign-in URL.");
+	await shell.openExternal(url.toString(), { activate: true });
+}
+/**
+* Exchanges the authorization code for a session.
+*/
+async function authenticate($fetch, options, body, getWindow) {
+	const codeVerifier = globalThis[kCodeVerifier];
+	const state = globalThis[kState];
+	globalThis[kCodeVerifier] = void 0;
+	globalThis[kState] = void 0;
+	if (!codeVerifier) throw new Error("Code verifier not found.");
+	if (!state) throw new Error("State not found.");
+	await $fetch("/electron/token", {
+		method: "POST",
+		body: {
+			...body,
+			state,
+			code_verifier: codeVerifier
+		},
+		onSuccess: (ctx) => {
+			getWindow()?.webContents.send(`${getChannelPrefixWithDelimiter(options.channelPrefix)}authenticated`, ctx.data.user);
+		},
+		throw: true
+	});
+}
+
+//#endregion
+//#region src/cookies.ts
+function getSetCookie(header, prevCookie) {
+	const parsed = parseSetCookieHeader(header);
+	let toSetCookie = {};
+	parsed.forEach((cookie, key) => {
+		const expiresAt = cookie["expires"];
+		const maxAge = cookie["max-age"];
+		const expires = maxAge ? new Date(Date.now() + Number(maxAge) * 1e3) : expiresAt ? new Date(String(expiresAt)) : null;
+		toSetCookie[key] = {
+			value: cookie["value"],
+			expires: expires ? expires.toISOString() : null
+		};
+	});
+	if (prevCookie) try {
+		toSetCookie = {
+			...JSON.parse(prevCookie),
+			...toSetCookie
+		};
+	} catch {}
+	return JSON.stringify(toSetCookie);
+}
+function getCookie(cookie) {
+	let parsed = {};
+	try {
+		parsed = JSON.parse(cookie);
+	} catch (_e) {}
+	return Object.entries(parsed).reduce((acc, [key, value]) => {
+		if (value.expires && new Date(value.expires) < /* @__PURE__ */ new Date()) return acc;
+		return `${acc}; ${key}=${value.value}`;
+	}, "");
+}
+/**
+* Compare if session cookies have actually changed by comparing their values.
+* Ignores expiry timestamps that naturally change on each request.
+*
+* @param prevCookie - Previous cookie JSON string
+* @param newCookie - New cookie JSON string
+* @returns true if session cookies have changed, false otherwise
+*/
+function hasSessionCookieChanged(prevCookie, newCookie) {
+	if (!prevCookie) return true;
+	try {
+		const prev = JSON.parse(prevCookie);
+		const next = JSON.parse(newCookie);
+		const sessionKeys = /* @__PURE__ */ new Set();
+		Object.keys(prev).forEach((key) => {
+			if (key.includes("session_token") || key.includes("session_data")) sessionKeys.add(key);
+		});
+		Object.keys(next).forEach((key) => {
+			if (key.includes("session_token") || key.includes("session_data")) sessionKeys.add(key);
+		});
+		for (const key of sessionKeys) if (prev[key]?.value !== next[key]?.value) return true;
+		return false;
+	} catch {
+		return true;
+	}
+}
+/**
+* Check if the Set-Cookie header contains better-auth cookies.
+* This prevents infinite refetching when non-better-auth cookies (like third-party cookies) change.
+*
+* Supports multiple cookie naming patterns:
+* - Default: "better-auth.session_token", "better-auth-passkey", "__Secure-better-auth.session_token"
+* - Custom prefix: "myapp.session_token", "myapp-passkey", "__Secure-myapp.session_token"
+* - Custom full names: "my_custom_session_token", "custom_session_data"
+* - No prefix (cookiePrefix=""): matches any cookie with known suffixes
+* - Multiple prefixes: ["better-auth", "my-app"] matches cookies starting with any of the prefixes
+*
+* @param setCookieHeader - The Set-Cookie header value
+* @param cookiePrefix - The cookie prefix(es) to check for. Can be a string, array of strings, or empty string.
+* @returns true if the header contains better-auth cookies, false otherwise
+*/
+function hasBetterAuthCookies(setCookieHeader, cookiePrefix) {
+	const cookies = parseSetCookieHeader(setCookieHeader);
+	const cookieSuffixes = ["session_token", "session_data"];
+	const prefixes = Array.isArray(cookiePrefix) ? cookiePrefix : [cookiePrefix];
+	for (const name of cookies.keys()) {
+		const nameWithoutSecure = name.startsWith("__Secure-") ? name.slice(9) : name;
+		for (const prefix of prefixes) if (prefix) {
+			if (nameWithoutSecure.startsWith(prefix)) return true;
+		} else for (const suffix of cookieSuffixes) if (nameWithoutSecure.endsWith(suffix)) return true;
+	}
+	return false;
+}
+
+//#endregion
+//#region src/setup.ts
+const { app: app$1, session, protocol, BrowserWindow } = electron;
+function withGetWindowFallback(win) {
+	return win ?? (() => {
+		const allWindows = BrowserWindow.getAllWindows();
+		return allWindows.length > 0 ? allWindows[0] : null;
+	});
+}
+function setupRenderer(opts) {
+	if (!isProcessType("renderer")) throw new BetterAuthError("setupRenderer can only be called in the renderer process.");
+	exposeBridges(opts);
+}
+function setupMain($fetch, $store, getCookie, opts, clientOptions, cfg) {
+	if (!isProcessType("browser")) throw new BetterAuthError("setupMain can only be called in the main process.");
+	if (!cfg || cfg.csp === true) setupCSP(clientOptions);
+	if (!cfg || cfg.scheme === true) registerProtocolScheme($fetch, opts, withGetWindowFallback(cfg?.getWindow));
+	if (!cfg || cfg.bridges === true) setupBridges({
+		$fetch,
+		$store,
+		getCookie
+	}, opts, clientOptions);
+}
+/**
+* Handles the deep link URL for authentication.
+*/
+async function handleDeepLink({ $fetch, options, url, getWindow }) {
+	if (!isProcessType("browser")) throw new BetterAuthError("`handleDeepLink` can only be called in the main process.");
+	let parsedURL = null;
+	try {
+		parsedURL = new URL(url);
+	} catch {}
+	if (!parsedURL) return;
+	const { scheme } = parseProtocolScheme(options.protocol);
+	if (!url.startsWith(`${scheme}:/`)) return;
+	const { protocol, pathname, hostname, hash } = parsedURL;
+	if (protocol !== `${scheme}:`) return;
+	if ("/" + hostname + pathname !== (options.callbackPath || "/auth/callback")) return;
+	if (!hash.startsWith("#token=")) return;
+	await authenticate($fetch, options, { token: hash.substring(7) }, withGetWindowFallback(getWindow));
+}
+function registerProtocolScheme($fetch, options, getWindow) {
+	const { scheme, privileges = {} } = typeof options.protocol === "string" ? { scheme: options.protocol } : options.protocol;
+	protocol.registerSchemesAsPrivileged([{
+		scheme,
+		privileges: {
+			standard: false,
+			secure: true,
+			...privileges
+		}
+	}]);
+	let hasSetupProtocolClient = false;
+	if (process?.defaultApp) {
+		if (process.argv.length >= 2 && typeof process.argv[1] === "string") hasSetupProtocolClient = app$1.setAsDefaultProtocolClient(scheme, process.execPath, [resolve(process.argv[1])]);
+	} else hasSetupProtocolClient = app$1.setAsDefaultProtocolClient(scheme);
+	if (!hasSetupProtocolClient) console.error(`Failed to register protocol ${scheme} as default protocol client.`);
+	if (!app$1.requestSingleInstanceLock()) app$1.quit();
+	else {
+		app$1.on("second-instance", async (_event, commandLine, _workingDir, url) => {
+			const win = getWindow();
+			if (win) {
+				if (win.isMinimized()) win.restore();
+				win.focus();
+			}
+			if (!url) {
+				const maybeURL = commandLine.pop();
+				if (typeof maybeURL === "string" && maybeURL.trim() !== "") try {
+					url = new URL(maybeURL).toString();
+				} catch {}
+			}
+			if (process?.platform !== "darwin" && typeof url === "string") await handleDeepLink({
+				$fetch,
+				options,
+				url,
+				getWindow
+			});
+		});
+		app$1.on("open-url", async (_event, url) => {
+			if (process?.platform === "darwin") await handleDeepLink({
+				$fetch,
+				options,
+				url,
+				getWindow
+			});
+		});
+		app$1.whenReady().then(async () => {
+			if (process?.platform !== "darwin" && typeof process.argv[1] === "string") await handleDeepLink({
+				$fetch,
+				options,
+				url: process.argv[1],
+				getWindow
+			});
+		});
+	}
+}
+function setupCSP(clientOptions) {
+	app$1.whenReady().then(() => {
+		session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
+			const origin = new URL(clientOptions?.baseURL || "", "http://localhost").origin;
+			const cspKey = Object.keys(details.responseHeaders || {}).find((k) => k.toLowerCase() === "content-security-policy");
+			if (!cspKey) return callback({ responseHeaders: {
+				...details.responseHeaders || {},
+				"content-security-policy": `connect-src 'self' ${origin}`
+			} });
+			const policy = details.responseHeaders?.[cspKey]?.toString() || "";
+			const csp = /* @__PURE__ */ new Map();
+			for (let token of policy.split(";")) {
+				token = token.trim();
+				if (!token || !/^[\x00-\x7f]*$/.test(token)) continue;
+				const [rawDirectiveName, ...directiveValue] = token.split(/\s+/);
+				const directiveName = rawDirectiveName?.toLowerCase();
+				if (!directiveName) continue;
+				if (csp.has(directiveName)) continue;
+				csp.set(directiveName, directiveValue);
+			}
+			if (csp.has("connect-src")) {
+				const values = csp.get("connect-src") || [];
+				if (!values.includes(origin)) values.push(origin);
+				csp.set("connect-src", values);
+			} else csp.set("connect-src", ["'self'", origin]);
+			callback({ responseHeaders: {
+				...details.responseHeaders,
+				"content-security-policy": Array.from(csp.entries()).map(([k, v]) => `${k} ${v.join(" ")}`).join("; ")
+			} });
+		});
+	});
+}
+
+//#endregion
+//#region src/client.ts
+const { app, safeStorage, webContents } = electron;
+const storageAdapter = (storage) => {
+	return {
+		...storage,
+		getDecrypted: (name) => {
+			const item = storage.getItem(name);
+			if (!item || typeof item !== "string") return null;
+			return safeStorage.decryptString(Buffer.from(base64.decode(item)));
+		},
+		setEncrypted: (name, value) => {
+			return storage.setItem(name, base64.encode(safeStorage.encryptString(value)));
+		}
+	};
+};
+const electronClient = (options) => {
+	const opts = {
+		storagePrefix: "better-auth",
+		cookiePrefix: "better-auth",
+		channelPrefix: "better-auth",
+		callbackPath: "/auth/callback",
+		...options
+	};
+	const { scheme } = parseProtocolScheme(opts.protocol);
+	let store = null;
+	const cookieName = `${opts.storagePrefix}.cookie`;
+	const localCacheName = `${opts.storagePrefix}.local_cache`;
+	const { getDecrypted, setEncrypted } = storageAdapter(opts.storage);
+	if ((isDevelopment() || isTest()) && /^(?!\.)(?!.*\.\.)(?!.*\.$)[^.]+\.[^.]+$/.test(scheme)) console.warn("The provided scheme does not follow the reverse domain name notation. For example: `app.example.com` -> `com.example.app`.");
+	return {
+		id: "electron",
+		fetchPlugins: [{
+			id: "electron",
+			name: "Electron",
+			async init(url, options) {
+				if (!isProcessType("browser")) throw new Error("Requests must be made from the Electron main process");
+				const cookie = getCookie(getDecrypted(cookieName) || "{}");
+				options ||= {};
+				options.credentials = "omit";
+				options.headers = {
+					...options.headers,
+					cookie,
+					"user-agent": app.userAgentFallback,
+					"electron-origin": `${scheme}:/`,
+					"x-skip-oauth-proxy": "true"
+				};
+				if (url.endsWith("/sign-out")) {
+					setEncrypted(cookieName, "{}");
+					store?.atoms.session?.set({
+						...store.atoms.session.get(),
+						data: null,
+						error: null,
+						isPending: false
+					});
+					setEncrypted(localCacheName, "{}");
+				}
+				return {
+					url,
+					options
+				};
+			},
+			hooks: {
+				onSuccess: async (context) => {
+					const setCookie = context.response.headers.get("set-cookie");
+					if (setCookie) {
+						if (hasBetterAuthCookies(setCookie, opts.cookiePrefix)) {
+							const prevCookie = getDecrypted(cookieName);
+							const toSetCookie = getSetCookie(setCookie || "{}", prevCookie ?? void 0);
+							if (hasSessionCookieChanged(prevCookie, toSetCookie)) {
+								setEncrypted(cookieName, toSetCookie);
+								store?.notify("$sessionSignal");
+							} else setEncrypted(cookieName, toSetCookie);
+						}
+					}
+					if (context.request.url.toString().includes("/get-session") && !opts.disableCache) {
+						const data = context.data;
+						setEncrypted(localCacheName, JSON.stringify(data));
+					}
+				},
+				onError: async (context) => {
+					webContents.getFocusedWebContents()?.send(`${getChannelPrefixWithDelimiter(opts.channelPrefix)}error`, {
+						...context.error,
+						path: context.request.url
+					});
+				}
+			}
+		}],
+		getActions: ($fetch, $store, clientOptions) => {
+			store = $store;
+			const getCookieFn = () => {
+				return getCookie(getDecrypted(cookieName) || "{}");
+			};
+			return {
+				getCookie: getCookieFn,
+				requestAuth: (options) => requestAuth(clientOptions, opts, options),
+				setupRenderer: () => setupRenderer(opts),
+				setupMain: (cfg) => setupMain($fetch, store, getCookieFn, opts, clientOptions, cfg),
+				$Infer: {}
+			};
+		}
+	};
+};
+
+//#endregion
+export { electronClient, handleDeepLink };