@convex-dev/better-auth 0.10.10 → 0.10.12

package/src/plugins/cross-domain/client.test.ts

@@ -0,0 +1,315 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { getCookie, getSetCookie, parseSetCookieHeader, crossDomainClient } from "./client.js";
+
+describe("parseSetCookieHeader", () => {
+  it("parses a simple cookie", () => {
+    const header = "session_token=abc123";
+    const map = parseSetCookieHeader(header);
+    expect(map.get("session_token")?.value).toBe("abc123");
+  });
+
+  it("parses cookie with attributes", () => {
+    const header = "session_token=abc123; Path=/; Secure; HttpOnly";
+    const map = parseSetCookieHeader(header);
+    const cookie = map.get("session_token");
+    expect(cookie?.value).toBe("abc123");
+  });
+
+  it("parses multiple cookies", () => {
+    const header = "a=1, b=2";
+    const map = parseSetCookieHeader(header);
+    expect(map.get("a")?.value).toBe("1");
+    expect(map.get("b")?.value).toBe("2");
+  });
+});
+
+describe("getSetCookie", () => {
+  it("stores expires as ISO string", () => {
+    const header = "session_token=abc; Max-Age=3600";
+    const result = JSON.parse(getSetCookie(header));
+    expect(typeof result.session_token.expires).toBe("string");
+    expect(result.session_token.expires).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+
+  it("stores null expires when no expiry is set", () => {
+    const header = "session_token=abc";
+    const result = JSON.parse(getSetCookie(header));
+    expect(result.session_token.expires).toBeNull();
+  });
+
+  it("merges with previous cookies", () => {
+    const prev = JSON.stringify({
+      old_cookie: { value: "old", expires: null },
+    });
+    const header = "new_cookie=new";
+    const result = JSON.parse(getSetCookie(header, prev));
+    expect(result.old_cookie.value).toBe("old");
+    expect(result.new_cookie.value).toBe("new");
+  });
+
+  it("overwrites previous cookies with same name", () => {
+    const prev = JSON.stringify({
+      token: { value: "old", expires: null },
+    });
+    const header = "token=new";
+    const result = JSON.parse(getSetCookie(header, prev));
+    expect(result.token.value).toBe("new");
+  });
+
+  it("survives invalid previous cookie JSON", () => {
+    const header = "token=abc";
+    const result = JSON.parse(getSetCookie(header, "not-json"));
+    expect(result.token.value).toBe("abc");
+  });
+});
+
+describe("getCookie", () => {
+  it("returns cookie string for valid cookies", () => {
+    const stored = JSON.stringify({
+      session: { value: "abc", expires: new Date(Date.now() + 60000).toISOString() },
+    });
+    const result = getCookie(stored);
+    expect(result).toContain("session=abc");
+  });
+
+  it("filters out expired cookies", () => {
+    const stored = JSON.stringify({
+      expired: { value: "old", expires: new Date(Date.now() - 60000).toISOString() },
+      valid: { value: "new", expires: new Date(Date.now() + 60000).toISOString() },
+    });
+    const result = getCookie(stored);
+    expect(result).not.toContain("expired=old");
+    expect(result).toContain("valid=new");
+  });
+
+  it("keeps cookies with no expiry", () => {
+    const stored = JSON.stringify({
+      session: { value: "abc", expires: null },
+    });
+    const result = getCookie(stored);
+    expect(result).toContain("session=abc");
+  });
+
+  it("handles expires after JSON round-trip (string, not Date)", () => {
+    // This is the core bug #1 scenario: expires is a string after JSON.parse
+    const past = new Date(Date.now() - 60000);
+    const stored = JSON.stringify({
+      expired: { value: "old", expires: past.toISOString() },
+    });
+    // After JSON.parse, expires is a string — getCookie must handle this
+    const result = getCookie(stored);
+    expect(result).not.toContain("expired=old");
+  });
+
+  it("returns empty string for empty cookie object", () => {
+    expect(getCookie("{}")).toBe("");
+  });
+
+  it("returns empty string for invalid JSON", () => {
+    expect(getCookie("not-json")).toBe("");
+  });
+});
+
+describe("crossDomainClient", () => {
+  let storage: Map<string, string>;
+  let mockStorage: { getItem: (key: string) => string | null; setItem: (key: string, value: string) => void };
+  const cookieName = "better-auth_cookie";
+  const localCacheName = "better-auth_session_data";
+
+  beforeEach(() => {
+    storage = new Map<string, string>();
+    mockStorage = {
+      getItem: (key) => storage.get(key) ?? null,
+      setItem: (key, value) => { storage.set(key, value); },
+    };
+  });
+
+  function getActions() {
+    const plugin = crossDomainClient({ storage: mockStorage });
+    const mockStore = {
+      notify: () => {},
+      atoms: { session: { set: () => {}, get: () => ({}) } },
+    };
+    return plugin.getActions({} as any, mockStore as any);
+  }
+
+  function getOnSuccessHook() {
+    const plugin = crossDomainClient({ storage: mockStorage });
+    return plugin.fetchPlugins[0].hooks!.onSuccess!;
+  }
+
+  function getOnSuccessHookWithStore() {
+    const plugin = crossDomainClient({ storage: mockStorage });
+    const notify = vi.fn();
+    const mockStore = {
+      notify,
+      atoms: { session: { set: () => {}, get: () => ({}) } },
+    };
+    // getActions sets the internal store reference
+    plugin.getActions({} as any, mockStore as any);
+    return { onSuccess: plugin.fetchPlugins[0].hooks!.onSuccess!, notify };
+  }
+
+  describe("getSessionData", () => {
+    it("returns null when storage is empty", () => {
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns null for empty object in storage", () => {
+      storage.set(localCacheName, "{}");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns parsed session data", () => {
+      const sessionData = { session: { id: "123" }, user: { name: "test" } };
+      storage.set(localCacheName, JSON.stringify(sessionData));
+      const actions = getActions();
+      expect(actions.getSessionData()).toEqual(sessionData);
+    });
+
+    it("returns null for stored 'null' string", () => {
+      storage.set(localCacheName, "null");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns null for corrupt JSON in storage", () => {
+      storage.set(localCacheName, "not-valid-json");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+  });
+
+  describe("onSuccess handler", () => {
+    it("clears cookies when get-session returns null", async () => {
+      storage.set(cookieName, JSON.stringify({
+        "better-auth.session_token": { value: "stale", expires: null },
+      }));
+
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(cookieName)).toBe("{}");
+    });
+
+    it("preserves cookies when get-session returns data", async () => {
+      const existingCookies = JSON.stringify({
+        "better-auth.session_token": { value: "valid", expires: null },
+      });
+      storage.set(cookieName, existingCookies);
+
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: { session: { id: "123" }, user: { name: "test" } },
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(cookieName)).toBe(existingCookies);
+    });
+
+    it("caches session data on get-session", async () => {
+      const sessionData = { session: { id: "123" }, user: { name: "test" } };
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: sessionData,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(localCacheName)).toBe(JSON.stringify(sessionData));
+    });
+  });
+
+  describe("session signal notification", () => {
+    it("notifies when session token changes", async () => {
+      const { onSuccess, notify } = getOnSuccessHookWithStore();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/sign-in") },
+        response: {
+          headers: new Headers({
+            "set-better-auth-cookie":
+              "better-auth.session_token=new-token; Max-Age=3600",
+          }),
+        },
+      } as any);
+
+      expect(notify).toHaveBeenCalledWith("$sessionSignal");
+    });
+
+    it("does not notify when session token value is unchanged", async () => {
+      // Pre-populate storage with existing token
+      storage.set(
+        cookieName,
+        JSON.stringify({
+          "better-auth.session_token": {
+            value: "same-token",
+            expires: new Date(Date.now() + 3600000).toISOString(),
+          },
+        })
+      );
+
+      const { onSuccess, notify } = getOnSuccessHookWithStore();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: {
+          headers: new Headers({
+            "set-better-auth-cookie":
+              "better-auth.session_token=same-token; Max-Age=3600",
+          }),
+        },
+      } as any);
+
+      expect(notify).not.toHaveBeenCalled();
+    });
+
+    it("notifies when session token value differs from stored", async () => {
+      storage.set(
+        cookieName,
+        JSON.stringify({
+          "better-auth.session_token": {
+            value: "old-token",
+            expires: new Date(Date.now() + 3600000).toISOString(),
+          },
+        })
+      );
+
+      const { onSuccess, notify } = getOnSuccessHookWithStore();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: {
+          headers: new Headers({
+            "set-better-auth-cookie":
+              "better-auth.session_token=new-token; Max-Age=3600",
+          }),
+        },
+      } as any);
+
+      expect(notify).toHaveBeenCalledWith("$sessionSignal");
+    });
+
+    it("does not notify for non-session cookies", async () => {
+      const { onSuccess, notify } = getOnSuccessHookWithStore();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/something") },
+        response: {
+          headers: new Headers({
+            "set-better-auth-cookie": "other_cookie=value; Max-Age=3600",
+          }),
+        },
+      } as any);
+
+      expect(notify).not.toHaveBeenCalled();
+    });
+  });
+});

package/src/plugins/cross-domain/client.ts

@@ -37,7 +37,7 @@ export function parseSetCookieHeader(
 
 interface StoredCookie {
   value: string;
-  expires: Date | null;
+  expires: string | null;
 }
 
 export function getSetCookie(header: string, prevCookie?: string) {
@@ -53,7 +53,7 @@ export function getSetCookie(header: string, prevCookie?: string) {
         : null;
     toSetCookie[key] = {
       value: cookie["value"],
-      expires,
+      expires: expires ? expires.toISOString() : null,
     };
   });
   if (prevCookie) {
@@ -78,7 +78,7 @@ export function getCookie(cookie: string) {
     // noop
   }
   const toSend = Object.entries(parsed).reduce((acc, [key, value]) => {
-    if (value.expires && value.expires < new Date()) {
+    if (value.expires && new Date(value.expires) < new Date()) {
       return acc;
     }
     return `${acc}; ${key}=${value.value}`;
@@ -149,9 +149,16 @@ export const crossDomainClient = (
          * const sessionData = client.getSessionData();
          * ```
          */
-        getSessionData: () => {
+        getSessionData: (): Record<string, unknown> | null => {
           const sessionData = storage?.getItem(localCacheName);
-          return sessionData ? JSON.parse(sessionData) : null;
+          if (!sessionData) return null;
+          try {
+            const parsed = JSON.parse(sessionData);
+            if (parsed && typeof parsed === "object" && Object.keys(parsed).length === 0) return null;
+            return parsed;
+          } catch {
+            return null;
+          }
         },
       };
     },
@@ -174,9 +181,27 @@ export const crossDomainClient = (
                 prevCookie ?? undefined
               );
               await storage.setItem(cookieName, toSetCookie);
-              // Only notify on session cookie set
+              // Only notify when the session token value actually changed.
+              // max-age recalculation with Date.now() causes the stored
+              // cookie JSON to always differ, so comparing values directly
+              // prevents infinite get-session polling loops.
               if (setCookie.includes(".session_token=")) {
-                store?.notify("$sessionSignal");
+                const parsed = parseSetCookieHeader(setCookie);
+                let prevParsed: Record<string, StoredCookie> = {};
+                try {
+                  prevParsed = JSON.parse(prevCookie || "{}");
+                } catch {
+                  // noop
+                }
+                const tokenKey = [...parsed.keys()].find((k) =>
+                  k.includes("session_token")
+                );
+                if (
+                  tokenKey &&
+                  prevParsed[tokenKey]?.value !== parsed.get(tokenKey)?.value
+                ) {
+                  store?.notify("$sessionSignal");
+                }
               }
             }
 
@@ -186,6 +211,9 @@ export const crossDomainClient = (
             ) {
               const data = context.data;
               storage.setItem(localCacheName, JSON.stringify(data));
+              if (data === null) {
+                storage.setItem(cookieName, "{}");
+              }
             }
           },
         },

package/src/plugins/cross-domain/index.ts

@@ -12,11 +12,13 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
   const oneTimeToken = oneTimeTokenPlugin();
 
   const rewriteCallbackURL = (callbackURL?: string) => {
-    if (callbackURL && !callbackURL.startsWith("/")) {
+    if (!callbackURL) {
       return callbackURL;
     }
-    const relativeCallbackURL = callbackURL || "/";
-    return new URL(relativeCallbackURL, siteUrl).toString();
+    if (!callbackURL.startsWith("/")) {
+      return callbackURL;
+    }
+    return new URL(callbackURL, siteUrl).toString();
   };
 
   const isExpoNative = (ctx: { headers?: Headers }) => {
@@ -54,9 +56,10 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
           matcher(ctx) {
             return (
               Boolean(
-                ctx.request?.headers.get("better-auth-cookie") ||
-                  ctx.headers?.get("better-auth-cookie")
-              ) && !isExpoNative(ctx)
+                ctx.request?.headers.has("better-auth-cookie") ||
+                  ctx.headers?.has("better-auth-cookie")
+              ) &&
+              !isExpoNative(ctx)
             );
           },
           handler: createAuthMiddleware(async (ctx) => {
@@ -129,7 +132,13 @@ export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
       after: [
         {
           matcher(ctx) {
-            return !isExpoNative(ctx);
+            return (
+              Boolean(
+                ctx.request?.headers.has("better-auth-cookie") ||
+                  ctx.headers?.has("better-auth-cookie")
+              ) &&
+              !isExpoNative(ctx)
+            );
           },
           handler: createAuthMiddleware(async (ctx) => {
             const setCookie = ctx.context.responseHeaders?.get("set-cookie");

package/src/react/index.tsx

@@ -1,5 +1,5 @@
 import type { PropsWithChildren, ReactNode } from "react";
-import { Component, useCallback, useEffect, useMemo, useState } from "react";
+import { Component, useCallback, useEffect, useMemo, useRef, useState } from "react";
 import type { AuthTokenFetcher } from "convex/browser";
 import {
   Authenticated,
@@ -64,12 +64,16 @@ export function ConvexBetterAuthProvider({
   const useBetterAuth = useUseAuthFromBetterAuth(authClient, initialToken);
   useEffect(() => {
     (async () => {
-      const url = new URL(window.location?.href);
+      if (typeof window === "undefined" || !window.location?.href) {
+        return;
+      }
+      const url = new URL(window.location.href);
       const token = url.searchParams.get("ott");
       if (token) {
         const authClientWithCrossDomain =
           authClient as AuthClientWithPlugins<PluginsWithCrossDomain>;
         url.searchParams.delete("ott");
+        window.history.replaceState({}, "", url);
         const result =
           await authClientWithCrossDomain.crossDomain.oneTimeToken.verify({
             token,
@@ -85,7 +89,6 @@ export function ConvexBetterAuthProvider({
           });
           authClientWithCrossDomain.updateSession();
         }
-        window.history.replaceState({}, "", url);
       }
     })();
   }, [authClient]);
@@ -103,8 +106,9 @@ function useUseAuthFromBetterAuth(
   initialToken?: string | null
 ) {
   const [cachedToken, setCachedToken] = useState<string | null>(
-    initialTokenUsed ? (initialToken ?? null) : null
+    initialTokenUsed ? null : (initialToken ?? null)
   );
+  const pendingTokenRef = useRef<Promise<string | null> | null>(null);
   useEffect(() => {
     if (!initialTokenUsed) {
       initialTokenUsed = true;
@@ -129,15 +133,24 @@ function useUseAuthFromBetterAuth(
             if (cachedToken && !forceRefreshToken) {
               return cachedToken;
             }
-            try {
-              const { data } = await authClient.convex.token();
-              const token = data?.token || null;
-              setCachedToken(token);
-              return token;
-            } catch {
-              setCachedToken(null);
-              return null;
+            if (!forceRefreshToken && pendingTokenRef.current) {
+              return pendingTokenRef.current;
             }
+            pendingTokenRef.current = authClient.convex
+              .token({ fetchOptions: { throw: false } })
+              .then(({ data }) => {
+                const token = data?.token || null;
+                setCachedToken(token);
+                return token;
+              })
+              .catch(() => {
+                setCachedToken(null);
+                return null;
+              })
+              .finally(() => {
+                pendingTokenRef.current = null;
+              });
+            return pendingTokenRef.current;
           },
           // Build a new fetchAccessToken to trigger setAuth() whenever the
           // session changes.
@@ -146,12 +159,12 @@ function useUseAuthFromBetterAuth(
         );
         return useMemo(
           () => ({
-            isLoading: isSessionPending,
-            isAuthenticated: session !== null,
+            isLoading: isSessionPending && !cachedToken,
+            isAuthenticated: Boolean(session?.session) || cachedToken !== null,
             fetchAccessToken,
           }),
           // eslint-disable-next-line react-hooks/exhaustive-deps
-          [isSessionPending, sessionId, fetchAccessToken]
+          [isSessionPending, sessionId, fetchAccessToken, cachedToken]
         );
       },
     [authClient]

package/src/react-start/index.ts

@@ -86,7 +86,10 @@ export const convexBetterAuthReactStart = (
   const cachedGetToken = cache(async (opts: GetTokenOptions) => {
     const { getRequestHeaders } = await import("@tanstack/react-start/server");
     const headers = getRequestHeaders();
-    return getToken(siteUrl, headers, opts);
+    const mutableHeaders = new Headers(headers);
+    mutableHeaders.delete("content-length");
+    mutableHeaders.delete("transfer-encoding");
+    return getToken(siteUrl, mutableHeaders, opts);
   });
 
   const callWithToken = async <