npm - @bigio/better-auth-electron - Versions diffs - 1.0.1 → 1.0.2 - Mend

@bigio/better-auth-electron 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/README.md CHANGED Viewed

@@ -1,3 +1,41 @@
+## I'm currently studying the official implementation; the documentation is still rough but will be improved soon. I'm eager and looking forward to exchanging ideas with everyone.
+Based on my study of the official implementation code, I have decided on the following to-do list:
+**1. Architecture: The "Silent Handoff" (Stateless & Secure)**
+* [ ] **Server-Side Cookie Interception**: Modify `electron-server-plugin` to intercept the OAuth callback response.
+* *Action*: Strip the `Set-Cookie` header (specifically the session token) from the response to prevent overwriting the user's browser session.
+* *Goal*: Achieve strict physical isolation between Web Session and Electron Session.
+* [ ] **Stateless OAuth Flow**: Ensure the OAuth flow relies solely on the encrypted `Ticket` mechanism, making the browser a purely stateless transport layer for Electron authentication.
+**2. Security & Hardening**
+* [ ] **Secure Persistence**: Implement `safeStorage` (DPAPI/Keychain) for encrypting the persisted PKCE Verifier on disk.
+* *Reason*: Prevent plaintext credentials from resting on the file system.
+* [ ] **User-Agent Scrubbing**: Global removal of "Electron" tokens from the `User-Agent` string at the `app.on('ready')` stage.
+* *Reason*: Bypass WAF/Anti-Bot protections that block Electron-based requests during the ticket exchange phase.
+* [ ] **Automated CSP Injection**: Implement `onHeadersReceived` interceptor in the Main Process.
+* *Action*: Automatically append the backend API URL to the `connect-src` directive.
+* *Goal*: Provide a "Zero-Config" experience by preventing CSP violations without requiring users to manually edit `index.html`.
+**3. Developer Experience (DX) & API**
+* [ ] **Enhanced Renderer API**: Refactor `getActions` to introduce a dedicated `authClient.bigio` namespace.
+* *Feature*: Implement `authClient.bigio.signIn({ provider: 'github' })` wrapper.
+* *Implementation*: Utilize `window.open` (intercepted by Main) or IPC to trigger the flow, keeping the API consistent with the official web client style.
+* [ ] **Smart Web Handoff UI (Optional/Next)**: Update the web-side confirmation page to detect and display the currently logged-in web user, offering a "Continue as [User]" button for a seamless transition.
 # @bigio/better-auth-electron
 > **Work In Progress:** This library is actively being developed. Detailed documentation and architecture diagrams are coming soon.
@@ -14,7 +52,7 @@ Designed for production-grade applications, this library provides a secure, "bat
 - ** Secure PKCE Flow:**
   Implements the standard **Proof Key for Code Exchange** protocol out-of-the-box. Ensures enterprise-grade security for your OAuth exchanges without exposing secrets.
-- ** Preact SSR Ready:**
+- ** Preact SSR Coming soon:**
   Includes a dedicated, lightweight Preact entry point optimized for Server-Side Rendering (SSR) in login windows.
   _(React 19 supported. Vue/Svelte support coming soon!)_