@better-auth/expo 1.7.0-beta.0 → 1.7.0-beta.10

package/dist/client.d.ts

@@ -84,10 +84,23 @@ declare function hasBetterAuthCookies(setCookieHeader: string, cookiePrefix: str
 declare function normalizeCookieName(name: string): string;
 declare function storageAdapter(storage: {
   getItem: (name: string) => string | null;
-  setItem: (name: string, value: string) => void;
+  setItem: (name: string, value: string) => unknown;
 }): {
+  /**
+   * Reads a value, reassembling it if it was split across chunk keys. A value
+   * that fit is returned as-is (values written before chunking still read
+   * back); a missing chunk returns `null` so a torn write fails closed.
+   */
   getItem: (name: string) => string | null;
-  setItem: (name: string, value: string) => void;
+  /**
+   * Stores `value`, splitting it across chunk keys when it exceeds the
+   * per-write limit. The base key is cleared before the chunks are rewritten
+   * and set to the marker last, as the commit point, so a write interrupted
+   * partway through reads as absent rather than a mix of old and new chunks.
+   * Failures are logged, not thrown: persistence is best-effort and must not
+   * break the request.
+   */
+  setItem: (name: string, value: string) => Promise<void>;
 };
 declare const expoClient: (opts: ExpoClientOptions) => {
   id: "expo";
@@ -119,11 +132,6 @@ declare const expoClient: (opts: ExpoClientOptions) => {
     init(url: string, options: ({
       priority?: RequestPriority | undefined;
       method?: string | undefined;
-      headers?: (HeadersInit & (HeadersInit | {
-        accept: "application/json" | "text/plain" | "application/octet-stream";
-        "content-type": "application/json" | "text/plain" | "application/x-www-form-urlencoded" | "multipart/form-data" | "application/octet-stream";
-        authorization: "Bearer" | "Basic";
-      })) | undefined;
       redirect?: RequestRedirect | undefined;
       window?: null | undefined;
       cache?: RequestCache | undefined;
@@ -159,6 +167,12 @@ declare const expoClient: (opts: ExpoClientOptions) => {
         prefix: string | (() => string | undefined) | undefined;
         value: string | (() => string | undefined) | undefined;
       }) | undefined;
+      headers?: {} | {
+        [x: string]: string | undefined;
+        accept?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream") | undefined;
+        "content-type"?: ((string & {}) | "application/json" | "text/plain" | "application/octet-stream" | "application/x-www-form-urlencoded" | "multipart/form-data") | undefined;
+        authorization?: ((string & {}) | `Bearer ${string}` | `Basic ${string}`) | undefined;
+      } | undefined;
       body?: any;
       query?: any;
       params?: any;

package/dist/client.js

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-3o9_RtC5.js";
+import { t as PACKAGE_VERSION } from "./version-CXjBN8D3.js";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import { SECURE_COOKIE_PREFIX, parseSetCookieHeader, parseSetCookieHeader as parseSetCookieHeader$1, stripSecureCookiePrefix } from "better-auth/cookies";
 import Constants from "expo-constants";
@@ -195,13 +195,54 @@ function hasBetterAuthCookies(setCookieHeader, cookiePrefix) {
 function normalizeCookieName(name) {
 	return name.replace(/:/g, "_");
 }
+/**
+* Max characters written per `setItem`. Native secure stores silently reject
+* oversized writes (iOS Keychain refuses values above ~2KB), losing the cookie,
+* so a larger value is split across keys here. Mirrors the server's
+* `chunkCookie`/`joinChunks` in `session-store.ts`; keep the two in sync.
+*
+* @see https://github.com/better-auth/better-auth/issues/9151
+*/
+const STORAGE_VALUE_LIMIT = 1800;
+/**
+* Marks a base key whose value is split across `<key>.0..N` chunks. The leading
+* control char can't start a JSON value (so it never collides) and, unlike NUL,
+* survives the native storage bridge without C-string truncation.
+*/
+const CHUNK_MARKER = "
ba-chunks:";
 function storageAdapter(storage) {
 	return {
 		getItem: (name) => {
-			return storage.getItem(normalizeCookieName(name));
+			const key = normalizeCookieName(name);
+			const stored = storage.getItem(key);
+			if (stored == null || !stored.startsWith(CHUNK_MARKER)) return stored;
+			const count = Number(stored.slice(11));
+			if (!Number.isInteger(count) || count < 1) return null;
+			let value = "";
+			for (let i = 0; i < count; i++) {
+				const chunk = storage.getItem(`${key}.${i}`);
+				if (chunk == null) return null;
+				value += chunk;
+			}
+			return value;
 		},
-		setItem: (name, value) => {
-			return storage.setItem(normalizeCookieName(name), value);
+		setItem: async (name, value) => {
+			const key = normalizeCookieName(name);
+			try {
+				if (value.length <= STORAGE_VALUE_LIMIT) {
+					await storage.setItem(key, value);
+					return;
+				}
+				await storage.setItem(key, "");
+				const count = Math.ceil(value.length / STORAGE_VALUE_LIMIT);
+				for (let i = 0; i < count; i++) {
+					const start = i * STORAGE_VALUE_LIMIT;
+					await storage.setItem(`${key}.${i}`, value.slice(start, start + STORAGE_VALUE_LIMIT));
+				}
+				await storage.setItem(key, `${CHUNK_MARKER}${count}`);
+			} catch (error) {
+				console.error(`[better-auth/expo] failed to persist "${key}" to storage`, error);
+			}
 		}
 	};
 }
@@ -213,6 +254,16 @@ const expoClient = (opts) => {
 	const storage = storageAdapter(opts?.storage);
 	const isWeb = Platform.OS === "web";
 	const cookiePrefix = opts?.cookiePrefix || "better-auth";
+	const clearSessionCache = async () => {
+		await storage.setItem(cookieName, "{}");
+		store?.atoms.session?.set({
+			...store.atoms.session.get(),
+			data: null,
+			error: null,
+			isPending: false
+		});
+		await storage.setItem(localCacheName, "{}");
+	};
 	const rawScheme = opts?.scheme || Constants.expoConfig?.scheme || Constants.platform?.scheme;
 	const scheme = Array.isArray(rawScheme) ? rawScheme[0] : rawScheme;
 	if (!scheme && !isWeb) throw new Error("Scheme not found in app.json. Please provide a scheme in the options.");
@@ -221,6 +272,18 @@ const expoClient = (opts) => {
 		version: PACKAGE_VERSION,
 		getActions(_, $store) {
 			store = $store;
+			const sessionAtom = $store.atoms.session;
+			if (!isWeb && !opts?.disableCache && sessionAtom) {
+				const raw = storage.getItem(localCacheName);
+				const cached = raw ? safeJSONParse(raw) : null;
+				const exp = cached?.session?.expiresAt;
+				const expMs = exp ? new Date(exp).getTime() : NaN;
+				if (!!cached?.user?.id && !!cached.session?.id && expMs > Date.now()) sessionAtom.set({
+					...sessionAtom.get(),
+					data: cached,
+					error: null
+				});
+			}
 			return { getCookie: () => {
 				return getCookie(storage.getItem(cookieName) || "{}");
 			} };
@@ -236,15 +299,16 @@ const expoClient = (opts) => {
 						const prevCookie = storage.getItem(cookieName);
 						const toSetCookie = getSetCookie(setCookie || "", prevCookie ?? void 0);
 						if (hasSessionCookieChanged(prevCookie, toSetCookie)) {
-							storage.setItem(cookieName, toSetCookie);
+							await storage.setItem(cookieName, toSetCookie);
 							store?.notify("$sessionSignal");
-						} else storage.setItem(cookieName, toSetCookie);
+						} else await storage.setItem(cookieName, toSetCookie);
 					}
 				}
 				if (context.request.url.toString().includes("/get-session") && !opts?.disableCache) {
 					const data = context.data;
-					storage.setItem(localCacheName, JSON.stringify(data));
+					await storage.setItem(localCacheName, JSON.stringify(data));
 				}
+				if (context.request.url.toString().includes("/sign-out")) await clearSessionCache();
 				if (context.data?.redirect && (context.request.url.toString().includes("/sign-in") || context.request.url.toString().includes("/link-social")) && !context.request?.body.includes("idToken")) {
 					const to = JSON.parse(context.request.body)?.callbackURL;
 					const signInURL = context.data?.url;
@@ -270,7 +334,7 @@ const expoClient = (opts) => {
 					const cookie = new URL(result.url).searchParams.get("cookie");
 					if (!cookie) return;
 					const toSetCookie = getSetCookie(cookie, storage.getItem(cookieName) ?? void 0);
-					storage.setItem(cookieName, toSetCookie);
+					await storage.setItem(cookieName, toSetCookie);
 					store?.notify("$sessionSignal");
 				}
 			} },
@@ -281,11 +345,14 @@ const expoClient = (opts) => {
 				};
 				options = options || {};
 				options.credentials = "omit";
-				if (options.body?.idToken !== void 0) options.headers = {
-					...options.headers,
-					"x-skip-oauth-proxy": "true"
-				};
-				else {
+				if (options.body?.idToken !== void 0) {
+					const cookie = url.includes("/link-social") ? getCookie(storage.getItem(cookieName) || "{}") : "";
+					options.headers = {
+						...options.headers,
+						...cookie ? { cookie } : {},
+						"x-skip-oauth-proxy": "true"
+					};
+				} else {
 					const cookie = getCookie(storage.getItem(cookieName) || "{}");
 					options.headers = {
 						...options.headers,
@@ -311,16 +378,7 @@ const expoClient = (opts) => {
 							options.body.errorCallbackURL = url;
 						}
 					}
-					if (url.includes("/sign-out")) {
-						storage.setItem(cookieName, "{}");
-						store?.atoms.session?.set({
-							...store.atoms.session.get(),
-							data: null,
-							error: null,
-							isPending: false
-						});
-						storage.setItem(localCacheName, "{}");
-					}
+					if (url.includes("/sign-out")) await clearSessionCache();
 				}
 				return {
 					url,

package/dist/index.js

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-3o9_RtC5.js";
+import { t as PACKAGE_VERSION } from "./version-CXjBN8D3.js";
 import { createAuthMiddleware } from "@better-auth/core/api";
 import { HIDE_METADATA } from "better-auth";
 import { APIError, createAuthEndpoint } from "better-auth/api";
@@ -12,14 +12,22 @@ const expoAuthorizationProxy = createAuthEndpoint("/expo-authorization-proxy", {
 	}),
 	metadata: HIDE_METADATA
 }, async (ctx) => {
+	const { authorizationURL } = ctx.query;
+	if (authorizationURL.includes("#")) throw new APIError("BAD_REQUEST", { message: "Invalid authorizationURL" });
+	let url;
+	try {
+		url = new URL(authorizationURL);
+	} catch {
+		throw new APIError("BAD_REQUEST", { message: "Invalid authorizationURL" });
+	}
+	if (url.protocol !== "https:" || url.origin === new URL(ctx.context.baseURL).origin) throw new APIError("BAD_REQUEST", { message: "Invalid authorizationURL" });
 	const { oauthState } = ctx.query;
 	if (oauthState) {
 		const oauthStateCookie = ctx.context.createAuthCookie("oauth_state", { maxAge: 600 });
 		ctx.setCookie(oauthStateCookie.name, oauthState, oauthStateCookie.attributes);
-		return ctx.redirect(ctx.query.authorizationURL);
+		return ctx.redirect(authorizationURL);
 	}
-	const { authorizationURL } = ctx.query;
-	const state = new URL(authorizationURL).searchParams.get("state");
+	const state = url.searchParams.get("state");
 	if (!state) throw new APIError("BAD_REQUEST", { message: "Unexpected error" });
 	const stateCookie = ctx.context.createAuthCookie("state", { maxAge: 300 });
 	await ctx.setSignedCookie(stateCookie.name, state, ctx.context.secret, stateCookie.attributes);
@@ -53,7 +61,7 @@ const expo = (options) => {
 		},
 		hooks: { after: [{
 			matcher(context) {
-				return !!(context.path?.startsWith("/callback") || context.path?.startsWith("/oauth2/callback") || context.path?.startsWith("/magic-link/verify") || context.path?.startsWith("/verify-email"));
+				return !!(context.path?.startsWith("/callback") || context.path?.startsWith("/magic-link/verify") || context.path?.startsWith("/verify-email"));
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const headers = ctx.context.responseHeaders;

package/dist/plugins/index.js

@@ -1,8 +1,7 @@
-import { t as PACKAGE_VERSION } from "../version-3o9_RtC5.js";
+import { t as PACKAGE_VERSION } from "../version-CXjBN8D3.js";
 //#region src/plugins/last-login-method.ts
 const paths = [
 	"/callback/",
-	"/oauth2/callback/",
 	"/sign-in/email",
 	"/sign-up/email"
 ];

package/dist/{version-3o9_RtC5.js → version-CXjBN8D3.js}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.0";
+const PACKAGE_VERSION = "1.7.0-beta.10";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/expo",
-  "version": "1.7.0-beta.0",
+  "version": "1.7.0-beta.10",
   "description": "Better Auth integration for Expo and React Native applications.",
   "type": "module",
   "license": "MIT",
@@ -58,28 +58,28 @@
     }
   },
   "dependencies": {
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
+    "@better-fetch/fetch": "1.3.1",
+    "better-call": "1.3.7",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@better-fetch/fetch": "1.1.21",
-    "expo-constants": "~55.0.7",
-    "expo-linking": "~55.0.7",
-    "expo-network": "~55.0.8",
-    "expo-web-browser": "~55.0.9",
-    "react-native": "~0.84.1",
+    "@better-fetch/fetch": "1.3.1",
+    "expo-constants": "~56.0.18",
+    "expo-linking": "~56.0.14",
+    "expo-network": "~56.0.5",
+    "expo-web-browser": "~56.0.5",
+    "react-native": "~0.86.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.0",
-    "better-auth": "1.7.0-beta.0"
+    "@better-auth/core": "1.7.0-beta.10",
+    "better-auth": "1.7.0-beta.10"
   },
   "peerDependencies": {
     "expo-constants": ">=17.0.0",
     "expo-linking": ">=7.0.0",
     "expo-network": ">=8.0.7",
     "expo-web-browser": ">=14.0.0",
-    "@better-auth/core": "^1.7.0-beta.0",
-    "better-auth": "^1.7.0-beta.0"
+    "@better-auth/core": "^1.7.0-beta.10",
+    "better-auth": "^1.7.0-beta.10"
   },
   "peerDependenciesMeta": {
     "expo-constants": {