@hammadj/better-auth 1.5.0-beta.10

package/dist/plugins/one-tap/client.d.mts

@@ -0,0 +1,159 @@
+import { ClientFetchOption } from "@better-auth/core";
+
+//#region src/plugins/one-tap/client.d.ts
+declare global {
+  interface Window {
+    googleScriptInitialized?: boolean | undefined;
+  }
+}
+interface GsiButtonConfiguration {
+  /**
+   * The button type: icon, or standard button.
+   */
+  type: "standard" | "icon";
+  /**
+   * The button theme. For example, filled_blue or filled_black.
+   * outline  A standard button theme:
+   * filled_blue  A blue-filled button theme:
+   * filled_black  A black-filled button theme:
+   */
+  theme?: "outline" | "filled_blue" | "filled_black";
+  /**
+   * The button size. For example, small or large.
+   */
+  size?: "small" | "medium" | "large";
+  /**
+   * The button text. The default value is signin_with.
+   * There are no visual differences for the text of icon buttons that
+   * have different text attributes. The only exception is when the
+   * text is read for screen accessibility.
+   *
+   * signin_with  The button text is “Sign in with Google”:
+   * signup_with  The button text is “Sign up with Google”:
+   * continue_with  The button text is “Continue with Google”:
+   * signup_with  The button text is “Sign in”:
+   */
+  text?: "signin_with" | "signup_with" | "continue_with" | "signin";
+  /**
+   * The button shape. The default value is rectangular.
+   */
+  shape?: "rectangular" | "pill" | "circle" | "square";
+  /**
+   * The alignment of the Google logo. The default value is left.
+   * This attribute only applies to the standard button type.
+   */
+  logo_alignment?: "left" | "center";
+  /**
+   * The minimum button width, in pixels. The maximum width is 400
+   * pixels.
+   */
+  width?: number;
+  /**
+   * The pre-set locale of the button text. If it's not set, the
+   * browser's default locale or the Google session user’s preference
+   * is used.
+   */
+  locale?: string;
+  /**
+   * You can define a JavaScript function to be called when the
+   * Sign in with Google button is clicked.
+   */
+  click_listener?: () => void;
+  /**
+   * Optional, as multiple Sign in with Google buttons can be
+   * rendered on the same page, you can assign each button with a
+   * unique string. The same string would return along with the ID
+   * token, so you can identify which button user clicked to sign in.
+   */
+  state?: string;
+}
+interface GoogleOneTapOptions {
+  /**
+   * Google client ID
+   */
+  clientId: string;
+  /**
+   * Auto select the account if the user is already signed in
+   */
+  autoSelect?: boolean | undefined;
+  /**
+   * Cancel the flow when the user taps outside the prompt
+   *
+   * Note: To use this option, disable `promptOptions.fedCM`
+   */
+  cancelOnTapOutside?: boolean | undefined;
+  /**
+   * The mode to use for the Google One Tap flow
+   *
+   * popup: Use a popup window
+   * redirect: Redirect the user to the Google One Tap flow
+   *
+   * @default "popup"
+   */
+  uxMode?: ("popup" | "redirect") | undefined;
+  /**
+   * The context to use for the Google One Tap flow.
+   *
+   * @see {@link https://developers.google.com/identity/gsi/web/reference/js-reference}
+   * @default "signin"
+   */
+  context?: ("signin" | "signup" | "use") | undefined;
+  /**
+   * Additional configuration options to pass to the Google One Tap API.
+   */
+  additionalOptions?: Record<string, any> | undefined;
+  /**
+   * Configuration options for the prompt and exponential backoff behavior.
+   */
+  promptOptions?: {
+    /**
+     * Base delay (in milliseconds) for exponential backoff.
+     * @default 1000
+     */
+    baseDelay?: number;
+    /**
+     * Maximum number of prompt attempts before calling onPromptNotification.
+     * @default 5
+     */
+    maxAttempts?: number;
+    /**
+     * Whether to support FedCM (Federated Credential Management) support.
+     *
+     * @see {@link https://developer.chrome.com/docs/identity/fedcm/overview}
+     * @default true
+     */
+    fedCM?: boolean | undefined;
+  } | undefined;
+}
+interface GoogleOneTapActionOptions extends Omit<GoogleOneTapOptions, "clientId" | "promptOptions"> {
+  fetchOptions?: ClientFetchOption | undefined;
+  /**
+   * Callback URL.
+   */
+  callbackURL?: string | undefined;
+  /**
+   * Optional callback that receives the prompt notification if (or when) the prompt is dismissed or skipped.
+   * This lets you render an alternative UI (e.g. a Google Sign-In button) to restart the process.
+   */
+  onPromptNotification?: ((notification?: any | undefined) => void) | undefined;
+  nonce?: string | undefined;
+  /**
+   * Button mode configuration. When provided, renders a "Sign In with Google" button
+   * instead of showing the One Tap prompt.
+   */
+  button?: {
+    /**
+     * The HTML element or CSS selector where the button should be rendered.
+     * If a string is provided, it will be used as a CSS selector.
+     */
+    container: HTMLElement | string;
+    /**
+     * Button configuration options
+     */
+    config?: GsiButtonConfiguration | undefined;
+  } | undefined;
+}
+declare const oneTapClient: (options: GoogleOneTapOptions) => BetterAuthClientPlugin;
+//#endregion
+export { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/one-tap/client.mjs

@@ -0,0 +1,214 @@
+//#region src/plugins/one-tap/client.ts
+let isRequestInProgress = null;
+function isFedCMSupported() {
+	return typeof window !== "undefined" && "IdentityCredential" in window;
+}
+/**
+* Reasons that should NOT trigger a retry.
+* @see https://developers.google.com/identity/gsi/web/reference/js-reference
+*/
+const noRetryReasons = {
+	dismissed: ["credential_returned", "cancel_called"],
+	skipped: ["user_cancel", "tap_outside"]
+};
+const oneTapClient = (options) => {
+	return {
+		id: "one-tap",
+		fetchPlugins: [{
+			id: "fedcm-signout-handle",
+			name: "FedCM Sign-Out Handler",
+			hooks: { async onResponse(ctx) {
+				if (!ctx.request.url.toString().includes("/sign-out")) return;
+				if (options.promptOptions?.fedCM === false || !isFedCMSupported()) return;
+				navigator.credentials.preventSilentAccess();
+			} }
+		}],
+		getActions: ($fetch, _) => {
+			return { oneTap: async (opts, fetchOptions) => {
+				if (isRequestInProgress && !isRequestInProgress.signal.aborted) {
+					console.warn("A Google One Tap request is already in progress. Please wait.");
+					return;
+				}
+				if (typeof window === "undefined" || !window.document) {
+					console.warn("Google One Tap is only available in browser environments");
+					return;
+				}
+				if (opts?.button) {
+					await loadGoogleScript();
+					const container = typeof opts.button.container === "string" ? document.querySelector(opts.button.container) : opts.button.container;
+					if (!container) {
+						console.error("Google One Tap: Button container not found", opts.button.container);
+						return;
+					}
+					async function callback(idToken) {
+						await $fetch("/one-tap/callback", {
+							method: "POST",
+							body: { idToken },
+							...opts?.fetchOptions,
+							...fetchOptions
+						});
+						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+					}
+					const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
+					const contextValue = context ?? options.context ?? "signin";
+					window.google?.accounts.id.initialize({
+						client_id: options.clientId,
+						callback: async (response) => {
+							try {
+								await callback(response.credential);
+							} catch (error) {
+								console.error("Error during button callback:", error);
+							}
+						},
+						auto_select: autoSelect,
+						cancel_on_tap_outside: cancelOnTapOutside,
+						context: contextValue,
+						ux_mode: opts?.uxMode || "popup",
+						nonce: opts?.nonce,
+						itp_support: true,
+						...options.additionalOptions
+					});
+					window.google?.accounts.id.renderButton(container, opts.button.config ?? { type: "icon" });
+					return;
+				}
+				async function callback(idToken) {
+					await $fetch("/one-tap/callback", {
+						method: "POST",
+						body: { idToken },
+						...opts?.fetchOptions,
+						...fetchOptions
+					});
+					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+				}
+				const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
+				const contextValue = context ?? options.context ?? "signin";
+				const clients = {
+					fedCM: async () => {
+						try {
+							const identityCredential = await navigator.credentials.get({
+								identity: {
+									context: contextValue,
+									providers: [{
+										configURL: "https://accounts.google.com/gsi/fedcm.json",
+										clientId: options.clientId,
+										nonce: opts?.nonce
+									}]
+								},
+								mediation: autoSelect ? "optional" : "required",
+								signal: isRequestInProgress?.signal
+							});
+							if (!identityCredential?.token) {
+								opts?.onPromptNotification?.(void 0);
+								return;
+							}
+							try {
+								await callback(identityCredential.token);
+								return;
+							} catch (error) {
+								console.error("Error during FedCM callback:", error);
+								throw error;
+							}
+						} catch (error) {
+							if (error?.code && (error.code === 19 || error.code === 20)) {
+								opts?.onPromptNotification?.(void 0);
+								return;
+							}
+							throw error;
+						}
+					},
+					oneTap: () => {
+						return new Promise((resolve, reject) => {
+							let isResolved = false;
+							const baseDelay = options.promptOptions?.baseDelay ?? 1e3;
+							const maxAttempts = options.promptOptions?.maxAttempts ?? 5;
+							window.google?.accounts.id.initialize({
+								client_id: options.clientId,
+								callback: async (response) => {
+									isResolved = true;
+									try {
+										await callback(response.credential);
+										resolve();
+									} catch (error) {
+										console.error("Error during One Tap callback:", error);
+										reject(error);
+									}
+								},
+								auto_select: autoSelect,
+								cancel_on_tap_outside: cancelOnTapOutside,
+								context: contextValue,
+								ux_mode: opts?.uxMode || "popup",
+								nonce: opts?.nonce,
+								itp_support: true,
+								...options.additionalOptions
+							});
+							const handlePrompt = (attempt) => {
+								if (isResolved) return;
+								window.google?.accounts.id.prompt((notification) => {
+									if (isResolved) return;
+									if (notification.isDismissedMoment && notification.isDismissedMoment()) {
+										const reason = notification.getDismissedReason?.();
+										if (noRetryReasons.dismissed.includes(reason)) {
+											opts?.onPromptNotification?.(notification);
+											return;
+										}
+										if (attempt < maxAttempts) {
+											const delay = Math.pow(2, attempt) * baseDelay;
+											setTimeout(() => handlePrompt(attempt + 1), delay);
+										} else opts?.onPromptNotification?.(notification);
+									} else if (notification.isSkippedMoment && notification.isSkippedMoment()) {
+										const reason = notification.getSkippedReason?.();
+										if (noRetryReasons.skipped.includes(reason)) {
+											opts?.onPromptNotification?.(notification);
+											return;
+										}
+										if (attempt < maxAttempts) {
+											const delay = Math.pow(2, attempt) * baseDelay;
+											setTimeout(() => handlePrompt(attempt + 1), delay);
+										} else opts?.onPromptNotification?.(notification);
+									}
+								});
+							};
+							handlePrompt(0);
+						});
+					}
+				};
+				if (isRequestInProgress) isRequestInProgress?.abort();
+				isRequestInProgress = new AbortController();
+				try {
+					const client = options.promptOptions?.fedCM === false || !isFedCMSupported() ? "oneTap" : "fedCM";
+					if (client === "oneTap") await loadGoogleScript();
+					await clients[client]();
+				} catch (error) {
+					console.error("Error during Google One Tap flow:", error);
+					throw error;
+				} finally {
+					isRequestInProgress = null;
+				}
+			} };
+		},
+		getAtoms($fetch) {
+			return {};
+		}
+	};
+};
+const loadGoogleScript = () => {
+	return new Promise((resolve) => {
+		if (window.googleScriptInitialized) {
+			resolve();
+			return;
+		}
+		const script = document.createElement("script");
+		script.src = "https://accounts.google.com/gsi/client";
+		script.async = true;
+		script.defer = true;
+		script.onload = () => {
+			window.googleScriptInitialized = true;
+			resolve();
+		};
+		document.head.appendChild(script);
+	});
+};
+
+//#endregion
+export { oneTapClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/one-tap/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/one-tap/client.ts"],"sourcesContent":["/// <reference types=\"@types/google.accounts\" />\nimport type {\n\tBetterAuthClientPlugin,\n\tClientFetchOption,\n} from \"@better-auth/core\";\n\ndeclare global {\n\tinterface Window {\n\t\tgoogleScriptInitialized?: boolean | undefined;\n\t}\n}\n\nexport interface GsiButtonConfiguration {\n\t/**\n\t * The button type: icon, or standard button.\n\t */\n\ttype: \"standard\" | \"icon\";\n\n\t/**\n\t * The button theme. For example, filled_blue or filled_black.\n\t * outline  A standard button theme:\n\t * filled_blue  A blue-filled button theme:\n\t * filled_black  A black-filled button theme:\n\t */\n\ttheme?: \"outline\" | \"filled_blue\" | \"filled_black\";\n\n\t/**\n\t * The button size. For example, small or large.\n\t */\n\tsize?: \"small\" | \"medium\" | \"large\";\n\n\t/**\n\t * The button text. The default value is signin_with.\n\t * There are no visual differences for the text of icon buttons that\n\t * have different text attributes. The only exception is when the\n\t * text is read for screen accessibility.\n\t *\n\t * signin_with  The button text is “Sign in with Google”:\n\t * signup_with  The button text is “Sign up with Google”:\n\t * continue_with  The button text is “Continue with Google”:\n\t * signup_with  The button text is “Sign in”:\n\t */\n\ttext?: \"signin_with\" | \"signup_with\" | \"continue_with\" | \"signin\";\n\n\t/**\n\t * The button shape. The default value is rectangular.\n\t */\n\tshape?: \"rectangular\" | \"pill\" | \"circle\" | \"square\";\n\n\t/**\n\t * The alignment of the Google logo. The default value is left.\n\t * This attribute only applies to the standard button type.\n\t */\n\tlogo_alignment?: \"left\" | \"center\";\n\n\t/**\n\t * The minimum button width, in pixels. The maximum width is 400\n\t * pixels.\n\t */\n\twidth?: number;\n\n\t/**\n\t * The pre-set locale of the button text. If it's not set, the\n\t * browser's default locale or the Google session user’s preference\n\t * is used.\n\t */\n\tlocale?: string;\n\n\t/**\n\t * You can define a JavaScript function to be called when the\n\t * Sign in with Google button is clicked.\n\t */\n\tclick_listener?: () => void;\n\n\t/**\n\t * Optional, as multiple Sign in with Google buttons can be\n\t * rendered on the same page, you can assign each button with a\n\t * unique string. The same string would return along with the ID\n\t * token, so you can identify which button user clicked to sign in.\n\t */\n\tstate?: string;\n}\n\nexport interface GoogleOneTapOptions {\n\t/**\n\t * Google client ID\n\t */\n\tclientId: string;\n\t/**\n\t * Auto select the account if the user is already signed in\n\t */\n\tautoSelect?: boolean | undefined;\n\t/**\n\t * Cancel the flow when the user taps outside the prompt\n\t *\n\t * Note: To use this option, disable `promptOptions.fedCM`\n\t */\n\tcancelOnTapOutside?: boolean | undefined;\n\t/**\n\t * The mode to use for the Google One Tap flow\n\t *\n\t * popup: Use a popup window\n\t * redirect: Redirect the user to the Google One Tap flow\n\t *\n\t * @default \"popup\"\n\t */\n\tuxMode?: (\"popup\" | \"redirect\") | undefined;\n\t/**\n\t * The context to use for the Google One Tap flow.\n\t *\n\t * @see {@link https://developers.google.com/identity/gsi/web/reference/js-reference}\n\t * @default \"signin\"\n\t */\n\tcontext?: (\"signin\" | \"signup\" | \"use\") | undefined;\n\t/**\n\t * Additional configuration options to pass to the Google One Tap API.\n\t */\n\tadditionalOptions?: Record<string, any> | undefined;\n\t/**\n\t * Configuration options for the prompt and exponential backoff behavior.\n\t */\n\tpromptOptions?:\n\t\t| {\n\t\t\t\t/**\n\t\t\t\t * Base delay (in milliseconds) for exponential backoff.\n\t\t\t\t * @default 1000\n\t\t\t\t */\n\t\t\t\tbaseDelay?: number;\n\t\t\t\t/**\n\t\t\t\t * Maximum number of prompt attempts before calling onPromptNotification.\n\t\t\t\t * @default 5\n\t\t\t\t */\n\t\t\t\tmaxAttempts?: number;\n\t\t\t\t/**\n\t\t\t\t * Whether to support FedCM (Federated Credential Management) support.\n\t\t\t\t *\n\t\t\t\t * @see {@link https://developer.chrome.com/docs/identity/fedcm/overview}\n\t\t\t\t * @default true\n\t\t\t\t */\n\t\t\t\tfedCM?: boolean | undefined;\n\t\t  }\n\t\t| undefined;\n}\n\nexport interface GoogleOneTapActionOptions\n\textends Omit<GoogleOneTapOptions, \"clientId\" | \"promptOptions\"> {\n\tfetchOptions?: ClientFetchOption | undefined;\n\t/**\n\t * Callback URL.\n\t */\n\tcallbackURL?: string | undefined;\n\t/**\n\t * Optional callback that receives the prompt notification if (or when) the prompt is dismissed or skipped.\n\t * This lets you render an alternative UI (e.g. a Google Sign-In button) to restart the process.\n\t */\n\tonPromptNotification?: ((notification?: any | undefined) => void) | undefined;\n\tnonce?: string | undefined;\n\t/**\n\t * Button mode configuration. When provided, renders a \"Sign In with Google\" button\n\t * instead of showing the One Tap prompt.\n\t */\n\tbutton?:\n\t\t| {\n\t\t\t\t/**\n\t\t\t\t * The HTML element or CSS selector where the button should be rendered.\n\t\t\t\t * If a string is provided, it will be used as a CSS selector.\n\t\t\t\t */\n\t\t\t\tcontainer: HTMLElement | string;\n\t\t\t\t/**\n\t\t\t\t * Button configuration options\n\t\t\t\t */\n\t\t\t\tconfig?: GsiButtonConfiguration | undefined;\n\t\t  }\n\t\t| undefined;\n}\n\ninterface IdentityCredential {\n\treadonly configURL: string;\n\treadonly isAutoSelected: boolean;\n\ttoken: string;\n}\n\nlet isRequestInProgress: AbortController | null = null;\n\nfunction isFedCMSupported() {\n\treturn typeof window !== \"undefined\" && \"IdentityCredential\" in window;\n}\n\n/**\n * Reasons that should NOT trigger a retry.\n * @see https://developers.google.com/identity/gsi/web/reference/js-reference\n */\nconst noRetryReasons = {\n\tdismissed: [\"credential_returned\", \"cancel_called\"],\n\tskipped: [\"user_cancel\", \"tap_outside\"],\n} as const;\n\nexport const oneTapClient = (options: GoogleOneTapOptions) => {\n\treturn {\n\t\tid: \"one-tap\",\n\t\tfetchPlugins: [\n\t\t\t{\n\t\t\t\tid: \"fedcm-signout-handle\",\n\t\t\t\tname: \"FedCM Sign-Out Handler\",\n\t\t\t\thooks: {\n\t\t\t\t\tasync onResponse(ctx) {\n\t\t\t\t\t\tif (!ctx.request.url.toString().includes(\"/sign-out\")) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (options.promptOptions?.fedCM === false || !isFedCMSupported()) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tnavigator.credentials.preventSilentAccess();\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t],\n\t\tgetActions: ($fetch, _) => {\n\t\t\treturn {\n\t\t\t\toneTap: async (\n\t\t\t\t\topts?: GoogleOneTapActionOptions | undefined,\n\t\t\t\t\tfetchOptions?: ClientFetchOption | undefined,\n\t\t\t\t) => {\n\t\t\t\t\tif (isRequestInProgress && !isRequestInProgress.signal.aborted) {\n\t\t\t\t\t\tconsole.warn(\n\t\t\t\t\t\t\t\"A Google One Tap request is already in progress. Please wait.\",\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (typeof window === \"undefined\" || !window.document) {\n\t\t\t\t\t\tconsole.warn(\n\t\t\t\t\t\t\t\"Google One Tap is only available in browser environments\",\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Button mode: render a button instead of showing the prompt\n\t\t\t\t\tif (opts?.button) {\n\t\t\t\t\t\tawait loadGoogleScript();\n\n\t\t\t\t\t\tconst container =\n\t\t\t\t\t\t\ttypeof opts.button.container === \"string\"\n\t\t\t\t\t\t\t\t? document.querySelector<HTMLElement>(opts.button.container)\n\t\t\t\t\t\t\t\t: opts.button.container;\n\n\t\t\t\t\t\tif (!container) {\n\t\t\t\t\t\t\tconsole.error(\n\t\t\t\t\t\t\t\t\"Google One Tap: Button container not found\",\n\t\t\t\t\t\t\t\topts.button.container,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tasync function callback(idToken: string) {\n\t\t\t\t\t\t\tawait $fetch(\"/one-tap/callback\", {\n\t\t\t\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\t\t\t\tbody: { idToken },\n\t\t\t\t\t\t\t\t...opts?.fetchOptions,\n\t\t\t\t\t\t\t\t...fetchOptions,\n\t\t\t\t\t\t\t});\n\n\t\t\t\t\t\t\tif ((!opts?.fetchOptions && !fetchOptions) || opts?.callbackURL) {\n\t\t\t\t\t\t\t\twindow.location.href = opts?.callbackURL ?? \"/\";\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst { autoSelect, cancelOnTapOutside, context } = opts ?? {};\n\t\t\t\t\t\tconst contextValue = context ?? options.context ?? \"signin\";\n\n\t\t\t\t\t\twindow.google?.accounts.id.initialize({\n\t\t\t\t\t\t\tclient_id: options.clientId,\n\t\t\t\t\t\t\tcallback: async (response: { credential: string }) => {\n\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\tawait callback(response.credential);\n\t\t\t\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\t\t\t\tconsole.error(\"Error during button callback:\", error);\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tauto_select: autoSelect,\n\t\t\t\t\t\t\tcancel_on_tap_outside: cancelOnTapOutside,\n\t\t\t\t\t\t\tcontext: contextValue,\n\t\t\t\t\t\t\tux_mode: opts?.uxMode || \"popup\",\n\t\t\t\t\t\t\tnonce: opts?.nonce,\n\t\t\t\t\t\t\titp_support: true,\n\t\t\t\t\t\t\t...options.additionalOptions,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\twindow.google?.accounts.id.renderButton(\n\t\t\t\t\t\t\tcontainer,\n\t\t\t\t\t\t\topts.button.config ?? {\n\t\t\t\t\t\t\t\ttype: \"icon\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\n\t\t\t\t\tasync function callback(idToken: string) {\n\t\t\t\t\t\tawait $fetch(\"/one-tap/callback\", {\n\t\t\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\t\t\tbody: { idToken },\n\t\t\t\t\t\t\t...opts?.fetchOptions,\n\t\t\t\t\t\t\t...fetchOptions,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\tif ((!opts?.fetchOptions && !fetchOptions) || opts?.callbackURL) {\n\t\t\t\t\t\t\twindow.location.href = opts?.callbackURL ?? \"/\";\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tconst { autoSelect, cancelOnTapOutside, context } = opts ?? {};\n\t\t\t\t\tconst contextValue = context ?? options.context ?? \"signin\";\n\t\t\t\t\tconst clients = {\n\t\t\t\t\t\tfedCM: async () => {\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\tconst identityCredential = (await navigator.credentials.get({\n\t\t\t\t\t\t\t\t\tidentity: {\n\t\t\t\t\t\t\t\t\t\tcontext: contextValue,\n\t\t\t\t\t\t\t\t\t\tproviders: [\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tconfigURL: \"https://accounts.google.com/gsi/fedcm.json\",\n\t\t\t\t\t\t\t\t\t\t\t\tclientId: options.clientId,\n\t\t\t\t\t\t\t\t\t\t\t\tnonce: opts?.nonce,\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tmediation: autoSelect ? \"optional\" : \"required\",\n\t\t\t\t\t\t\t\t\tsignal: isRequestInProgress?.signal,\n\t\t\t\t\t\t\t\t} as any)) as IdentityCredential | null;\n\n\t\t\t\t\t\t\t\tif (!identityCredential?.token) {\n\t\t\t\t\t\t\t\t\t// Notify the caller that the prompt resulted in no token.\n\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(undefined);\n\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\tawait callback(identityCredential.token);\n\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\t\t\t\tconsole.error(\"Error during FedCM callback:\", error);\n\t\t\t\t\t\t\t\t\tthrow error;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t} catch (error: any) {\n\t\t\t\t\t\t\t\tif (error?.code && (error.code === 19 || error.code === 20)) {\n\t\t\t\t\t\t\t\t\t// Notify the caller that the prompt was closed/dismissed.\n\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(undefined);\n\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\tthrow error;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t},\n\t\t\t\t\t\toneTap: () => {\n\t\t\t\t\t\t\treturn new Promise<void>((resolve, reject) => {\n\t\t\t\t\t\t\t\tlet isResolved = false;\n\t\t\t\t\t\t\t\tconst baseDelay = options.promptOptions?.baseDelay ?? 1000;\n\t\t\t\t\t\t\t\tconst maxAttempts = options.promptOptions?.maxAttempts ?? 5;\n\n\t\t\t\t\t\t\t\twindow.google?.accounts.id.initialize({\n\t\t\t\t\t\t\t\t\tclient_id: options.clientId,\n\t\t\t\t\t\t\t\t\tcallback: async (response: { credential: string }) => {\n\t\t\t\t\t\t\t\t\t\tisResolved = true;\n\t\t\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\t\t\tawait callback(response.credential);\n\t\t\t\t\t\t\t\t\t\t\tresolve();\n\t\t\t\t\t\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\t\t\t\t\t\tconsole.error(\"Error during One Tap callback:\", error);\n\t\t\t\t\t\t\t\t\t\t\treject(error);\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tauto_select: autoSelect,\n\t\t\t\t\t\t\t\t\tcancel_on_tap_outside: cancelOnTapOutside,\n\t\t\t\t\t\t\t\t\tcontext: contextValue,\n\t\t\t\t\t\t\t\t\tux_mode: opts?.uxMode || \"popup\",\n\t\t\t\t\t\t\t\t\tnonce: opts?.nonce,\n\t\t\t\t\t\t\t\t\t/**\n\t\t\t\t\t\t\t\t\t * @see {@link https://developers.google.com/identity/gsi/web/guides/overview}\n\t\t\t\t\t\t\t\t\t */\n\t\t\t\t\t\t\t\t\titp_support: true,\n\n\t\t\t\t\t\t\t\t\t...options.additionalOptions,\n\t\t\t\t\t\t\t\t});\n\n\t\t\t\t\t\t\t\tconst handlePrompt = (attempt: number) => {\n\t\t\t\t\t\t\t\t\tif (isResolved) return;\n\n\t\t\t\t\t\t\t\t\twindow.google?.accounts.id.prompt((notification: any) => {\n\t\t\t\t\t\t\t\t\t\tif (isResolved) return;\n\n\t\t\t\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\t\t\t\tnotification.isDismissedMoment &&\n\t\t\t\t\t\t\t\t\t\t\tnotification.isDismissedMoment()\n\t\t\t\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\t\t\t\tconst reason = notification.getDismissedReason?.();\n\t\t\t\t\t\t\t\t\t\t\tif (noRetryReasons.dismissed.includes(reason)) {\n\t\t\t\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(notification);\n\t\t\t\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\tif (attempt < maxAttempts) {\n\t\t\t\t\t\t\t\t\t\t\t\tconst delay = Math.pow(2, attempt) * baseDelay;\n\t\t\t\t\t\t\t\t\t\t\t\tsetTimeout(() => handlePrompt(attempt + 1), delay);\n\t\t\t\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(notification);\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t} else if (\n\t\t\t\t\t\t\t\t\t\t\tnotification.isSkippedMoment &&\n\t\t\t\t\t\t\t\t\t\t\tnotification.isSkippedMoment()\n\t\t\t\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\t\t\t\tconst reason = notification.getSkippedReason?.();\n\t\t\t\t\t\t\t\t\t\t\tif (noRetryReasons.skipped.includes(reason)) {\n\t\t\t\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(notification);\n\t\t\t\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t\tif (attempt < maxAttempts) {\n\t\t\t\t\t\t\t\t\t\t\t\tconst delay = Math.pow(2, attempt) * baseDelay;\n\t\t\t\t\t\t\t\t\t\t\t\tsetTimeout(() => handlePrompt(attempt + 1), delay);\n\t\t\t\t\t\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\t\t\t\t\t\topts?.onPromptNotification?.(notification);\n\t\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t};\n\n\t\t\t\t\t\t\t\thandlePrompt(0);\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t},\n\t\t\t\t\t};\n\n\t\t\t\t\tif (isRequestInProgress) {\n\t\t\t\t\t\tisRequestInProgress?.abort();\n\t\t\t\t\t}\n\t\t\t\t\tisRequestInProgress = new AbortController();\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst client =\n\t\t\t\t\t\t\toptions.promptOptions?.fedCM === false || !isFedCMSupported()\n\t\t\t\t\t\t\t\t? \"oneTap\"\n\t\t\t\t\t\t\t\t: \"fedCM\";\n\t\t\t\t\t\tif (client === \"oneTap\") {\n\t\t\t\t\t\t\tawait loadGoogleScript();\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tawait clients[client]();\n\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\tconsole.error(\"Error during Google One Tap flow:\", error);\n\t\t\t\t\t\tthrow error;\n\t\t\t\t\t} finally {\n\t\t\t\t\t\tisRequestInProgress = null;\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\tgetAtoms($fetch) {\n\t\t\treturn {};\n\t\t},\n\t} satisfies BetterAuthClientPlugin;\n};\n\nconst loadGoogleScript = (): Promise<void> => {\n\treturn new Promise((resolve) => {\n\t\tif (window.googleScriptInitialized) {\n\t\t\tresolve();\n\t\t\treturn;\n\t\t}\n\n\t\tconst script = document.createElement(\"script\");\n\t\tscript.src = \"https://accounts.google.com/gsi/client\";\n\t\tscript.async = true;\n\t\tscript.defer = true;\n\t\tscript.onload = () => {\n\t\t\twindow.googleScriptInitialized = true;\n\t\t\tresolve();\n\t\t};\n\t\tdocument.head.appendChild(script);\n\t});\n};\n"],"mappings":";AAsLA,IAAI,sBAA8C;AAElD,SAAS,mBAAmB;AAC3B,QAAO,OAAO,WAAW,eAAe,wBAAwB;;;;;;AAOjE,MAAM,iBAAiB;CACtB,WAAW,CAAC,uBAAuB,gBAAgB;CACnD,SAAS,CAAC,eAAe,cAAc;CACvC;AAED,MAAa,gBAAgB,YAAiC;AAC7D,QAAO;EACN,IAAI;EACJ,cAAc,CACb;GACC,IAAI;GACJ,MAAM;GACN,OAAO,EACN,MAAM,WAAW,KAAK;AACrB,QAAI,CAAC,IAAI,QAAQ,IAAI,UAAU,CAAC,SAAS,YAAY,CACpD;AAED,QAAI,QAAQ,eAAe,UAAU,SAAS,CAAC,kBAAkB,CAChE;AAED,cAAU,YAAY,qBAAqB;MAE5C;GACD,CACD;EACD,aAAa,QAAQ,MAAM;AAC1B,UAAO,EACN,QAAQ,OACP,MACA,iBACI;AACJ,QAAI,uBAAuB,CAAC,oBAAoB,OAAO,SAAS;AAC/D,aAAQ,KACP,gEACA;AACD;;AAGD,QAAI,OAAO,WAAW,eAAe,CAAC,OAAO,UAAU;AACtD,aAAQ,KACP,2DACA;AACD;;AAID,QAAI,MAAM,QAAQ;AACjB,WAAM,kBAAkB;KAExB,MAAM,YACL,OAAO,KAAK,OAAO,cAAc,WAC9B,SAAS,cAA2B,KAAK,OAAO,UAAU,GAC1D,KAAK,OAAO;AAEhB,SAAI,CAAC,WAAW;AACf,cAAQ,MACP,8CACA,KAAK,OAAO,UACZ;AACD;;KAGD,eAAe,SAAS,SAAiB;AACxC,YAAM,OAAO,qBAAqB;OACjC,QAAQ;OACR,MAAM,EAAE,SAAS;OACjB,GAAG,MAAM;OACT,GAAG;OACH,CAAC;AAEF,UAAK,CAAC,MAAM,gBAAgB,CAAC,gBAAiB,MAAM,YACnD,QAAO,SAAS,OAAO,MAAM,eAAe;;KAI9C,MAAM,EAAE,YAAY,oBAAoB,YAAY,QAAQ,EAAE;KAC9D,MAAM,eAAe,WAAW,QAAQ,WAAW;AAEnD,YAAO,QAAQ,SAAS,GAAG,WAAW;MACrC,WAAW,QAAQ;MACnB,UAAU,OAAO,aAAqC;AACrD,WAAI;AACH,cAAM,SAAS,SAAS,WAAW;gBAC3B,OAAO;AACf,gBAAQ,MAAM,iCAAiC,MAAM;;;MAGvD,aAAa;MACb,uBAAuB;MACvB,SAAS;MACT,SAAS,MAAM,UAAU;MACzB,OAAO,MAAM;MACb,aAAa;MACb,GAAG,QAAQ;MACX,CAAC;AAEF,YAAO,QAAQ,SAAS,GAAG,aAC1B,WACA,KAAK,OAAO,UAAU,EACrB,MAAM,QACN,CACD;AAED;;IAGD,eAAe,SAAS,SAAiB;AACxC,WAAM,OAAO,qBAAqB;MACjC,QAAQ;MACR,MAAM,EAAE,SAAS;MACjB,GAAG,MAAM;MACT,GAAG;MACH,CAAC;AAEF,SAAK,CAAC,MAAM,gBAAgB,CAAC,gBAAiB,MAAM,YACnD,QAAO,SAAS,OAAO,MAAM,eAAe;;IAI9C,MAAM,EAAE,YAAY,oBAAoB,YAAY,QAAQ,EAAE;IAC9D,MAAM,eAAe,WAAW,QAAQ,WAAW;IACnD,MAAM,UAAU;KACf,OAAO,YAAY;AAClB,UAAI;OACH,MAAM,qBAAsB,MAAM,UAAU,YAAY,IAAI;QAC3D,UAAU;SACT,SAAS;SACT,WAAW,CACV;UACC,WAAW;UACX,UAAU,QAAQ;UAClB,OAAO,MAAM;UACb,CACD;SACD;QACD,WAAW,aAAa,aAAa;QACrC,QAAQ,qBAAqB;QAC7B,CAAQ;AAET,WAAI,CAAC,oBAAoB,OAAO;AAE/B,cAAM,uBAAuB,OAAU;AACvC;;AAGD,WAAI;AACH,cAAM,SAAS,mBAAmB,MAAM;AACxC;gBACQ,OAAO;AACf,gBAAQ,MAAM,gCAAgC,MAAM;AACpD,cAAM;;eAEC,OAAY;AACpB,WAAI,OAAO,SAAS,MAAM,SAAS,MAAM,MAAM,SAAS,KAAK;AAE5D,cAAM,uBAAuB,OAAU;AACvC;;AAED,aAAM;;;KAGR,cAAc;AACb,aAAO,IAAI,SAAe,SAAS,WAAW;OAC7C,IAAI,aAAa;OACjB,MAAM,YAAY,QAAQ,eAAe,aAAa;OACtD,MAAM,cAAc,QAAQ,eAAe,eAAe;AAE1D,cAAO,QAAQ,SAAS,GAAG,WAAW;QACrC,WAAW,QAAQ;QACnB,UAAU,OAAO,aAAqC;AACrD,sBAAa;AACb,aAAI;AACH,gBAAM,SAAS,SAAS,WAAW;AACnC,mBAAS;kBACD,OAAO;AACf,kBAAQ,MAAM,kCAAkC,MAAM;AACtD,iBAAO,MAAM;;;QAGf,aAAa;QACb,uBAAuB;QACvB,SAAS;QACT,SAAS,MAAM,UAAU;QACzB,OAAO,MAAM;QAIb,aAAa;QAEb,GAAG,QAAQ;QACX,CAAC;OAEF,MAAM,gBAAgB,YAAoB;AACzC,YAAI,WAAY;AAEhB,eAAO,QAAQ,SAAS,GAAG,QAAQ,iBAAsB;AACxD,aAAI,WAAY;AAEhB,aACC,aAAa,qBACb,aAAa,mBAAmB,EAC/B;UACD,MAAM,SAAS,aAAa,sBAAsB;AAClD,cAAI,eAAe,UAAU,SAAS,OAAO,EAAE;AAC9C,iBAAM,uBAAuB,aAAa;AAC1C;;AAED,cAAI,UAAU,aAAa;WAC1B,MAAM,QAAQ,KAAK,IAAI,GAAG,QAAQ,GAAG;AACrC,4BAAiB,aAAa,UAAU,EAAE,EAAE,MAAM;gBAElD,OAAM,uBAAuB,aAAa;oBAG3C,aAAa,mBACb,aAAa,iBAAiB,EAC7B;UACD,MAAM,SAAS,aAAa,oBAAoB;AAChD,cAAI,eAAe,QAAQ,SAAS,OAAO,EAAE;AAC5C,iBAAM,uBAAuB,aAAa;AAC1C;;AAED,cAAI,UAAU,aAAa;WAC1B,MAAM,QAAQ,KAAK,IAAI,GAAG,QAAQ,GAAG;AACrC,4BAAiB,aAAa,UAAU,EAAE,EAAE,MAAM;gBAElD,OAAM,uBAAuB,aAAa;;UAG3C;;AAGH,oBAAa,EAAE;QACd;;KAEH;AAED,QAAI,oBACH,sBAAqB,OAAO;AAE7B,0BAAsB,IAAI,iBAAiB;AAE3C,QAAI;KACH,MAAM,SACL,QAAQ,eAAe,UAAU,SAAS,CAAC,kBAAkB,GAC1D,WACA;AACJ,SAAI,WAAW,SACd,OAAM,kBAAkB;AAGzB,WAAM,QAAQ,SAAS;aACf,OAAO;AACf,aAAQ,MAAM,qCAAqC,MAAM;AACzD,WAAM;cACG;AACT,2BAAsB;;MAGxB;;EAEF,SAAS,QAAQ;AAChB,UAAO,EAAE;;EAEV;;AAGF,MAAM,yBAAwC;AAC7C,QAAO,IAAI,SAAS,YAAY;AAC/B,MAAI,OAAO,yBAAyB;AACnC,YAAS;AACT;;EAGD,MAAM,SAAS,SAAS,cAAc,SAAS;AAC/C,SAAO,MAAM;AACb,SAAO,QAAQ;AACf,SAAO,QAAQ;AACf,SAAO,eAAe;AACrB,UAAO,0BAA0B;AACjC,YAAS;;AAEV,WAAS,KAAK,YAAY,OAAO;GAChC"}

package/dist/plugins/one-tap/index.d.mts

@@ -0,0 +1,27 @@
+//#region src/plugins/one-tap/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "one-tap": {
+      creator: typeof oneTap;
+    };
+  }
+}
+interface OneTapOptions {
+  /**
+   * Disable the signup flow
+   *
+   * @default false
+   */
+  disableSignup?: boolean | undefined;
+  /**
+   * Google Client ID
+   *
+   * If a client ID is provided in the social provider configuration,
+   * it will be used.
+   */
+  clientId?: string | undefined;
+}
+declare const oneTap: (options?: OneTapOptions | undefined) => BetterAuthPlugin;
+//#endregion
+export { OneTapOptions, oneTap };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/one-tap/index.mjs

@@ -0,0 +1,96 @@
+import { parseUserOutput } from "../../db/schema.mjs";
+import { setSessionCookie } from "../../cookies/index.mjs";
+import { APIError } from "../../api/index.mjs";
+import { toBoolean } from "../../utils/boolean.mjs";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+
+//#region src/plugins/one-tap/index.ts
+const oneTapCallbackBodySchema = z.object({ idToken: z.string().meta({ description: "Google ID token, which the client obtains from the One Tap API" }) });
+const oneTap = (options) => ({
+	id: "one-tap",
+	endpoints: { oneTapCallback: createAuthEndpoint("/one-tap/callback", {
+		method: "POST",
+		body: oneTapCallbackBodySchema,
+		metadata: { openapi: {
+			summary: "One tap callback",
+			description: "Use this endpoint to authenticate with Google One Tap",
+			responses: {
+				200: {
+					description: "Successful response",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							session: { $ref: "#/components/schemas/Session" },
+							user: { $ref: "#/components/schemas/User" }
+						}
+					} } }
+				},
+				400: { description: "Invalid token" }
+			}
+		} }
+	}, async (ctx) => {
+		const { idToken } = ctx.body;
+		let payload;
+		try {
+			const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL("https://www.googleapis.com/oauth2/v3/certs")), {
+				issuer: ["https://accounts.google.com", "accounts.google.com"],
+				audience: options?.clientId || ctx.context.options.socialProviders?.google?.clientId
+			});
+			payload = verifiedPayload;
+		} catch {
+			throw new APIError("BAD_REQUEST", { message: "invalid id token" });
+		}
+		const { email, email_verified, name, picture, sub } = payload;
+		if (!email) return ctx.json({ error: "Email not available in token" });
+		const user = await ctx.context.internalAdapter.findUserByEmail(email);
+		if (!user) {
+			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });
+			const newUser = await ctx.context.internalAdapter.createOAuthUser({
+				email,
+				emailVerified: typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified),
+				name,
+				image: picture
+			}, {
+				providerId: "google",
+				accountId: sub
+			});
+			if (!newUser) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Could not create user" });
+			const session = await ctx.context.internalAdapter.createSession(newUser.user.id);
+			await setSessionCookie(ctx, {
+				user: newUser.user,
+				session
+			});
+			return ctx.json({
+				token: session.token,
+				user: parseUserOutput(ctx.context.options, newUser.user)
+			});
+		}
+		if (!await ctx.context.internalAdapter.findAccount(sub)) {
+			const accountLinking = ctx.context.options.account?.accountLinking;
+			if (accountLinking?.enabled !== false && (accountLinking?.trustedProviders?.includes("google") || email_verified)) await ctx.context.internalAdapter.linkAccount({
+				userId: user.user.id,
+				providerId: "google",
+				accountId: sub,
+				scope: "openid,profile,email",
+				idToken
+			});
+			else throw new APIError("UNAUTHORIZED", { message: "Google sub doesn't match" });
+		}
+		const session = await ctx.context.internalAdapter.createSession(user.user.id);
+		await setSessionCookie(ctx, {
+			user: user.user,
+			session
+		});
+		return ctx.json({
+			token: session.token,
+			user: parseUserOutput(ctx.context.options, user.user)
+		});
+	}) },
+	options
+});
+
+//#endregion
+export { oneTap };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/one-tap/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/one-tap/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { createRemoteJWKSet, jwtVerify } from \"jose\";\nimport * as z from \"zod\";\nimport { APIError } from \"../../api\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { toBoolean } from \"../../utils/boolean\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"one-tap\": {\n\t\t\tcreator: typeof oneTap;\n\t\t};\n\t}\n}\n\nexport interface OneTapOptions {\n\t/**\n\t * Disable the signup flow\n\t *\n\t * @default false\n\t */\n\tdisableSignup?: boolean | undefined;\n\t/**\n\t * Google Client ID\n\t *\n\t * If a client ID is provided in the social provider configuration,\n\t * it will be used.\n\t */\n\tclientId?: string | undefined;\n}\n\nconst oneTapCallbackBodySchema = z.object({\n\tidToken: z.string().meta({\n\t\tdescription:\n\t\t\t\"Google ID token, which the client obtains from the One Tap API\",\n\t}),\n});\n\nexport const oneTap = (options?: OneTapOptions | undefined) =>\n\t({\n\t\tid: \"one-tap\",\n\t\tendpoints: {\n\t\t\toneTapCallback: createAuthEndpoint(\n\t\t\t\t\"/one-tap/callback\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: oneTapCallbackBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"One tap callback\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to authenticate with Google One Tap\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t400: {\n\t\t\t\t\t\t\t\t\tdescription: \"Invalid token\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { idToken } = ctx.body;\n\t\t\t\t\tlet payload: any;\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst JWKS = createRemoteJWKSet(\n\t\t\t\t\t\t\tnew URL(\"https://www.googleapis.com/oauth2/v3/certs\"),\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst { payload: verifiedPayload } = await jwtVerify(\n\t\t\t\t\t\t\tidToken,\n\t\t\t\t\t\t\tJWKS,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tissuer: [\"https://accounts.google.com\", \"accounts.google.com\"],\n\t\t\t\t\t\t\t\taudience:\n\t\t\t\t\t\t\t\t\toptions?.clientId ||\n\t\t\t\t\t\t\t\t\tctx.context.options.socialProviders?.google?.clientId,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tpayload = verifiedPayload;\n\t\t\t\t\t} catch {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: \"invalid id token\",\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst { email, email_verified, name, picture, sub } = payload;\n\t\t\t\t\tif (!email) {\n\t\t\t\t\t\treturn ctx.json({ error: \"Email not available in token\" });\n\t\t\t\t\t}\n\n\t\t\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tif (options?.disableSignup) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_GATEWAY\", {\n\t\t\t\t\t\t\t\tmessage: \"User not found\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst newUser = await ctx.context.internalAdapter.createOAuthUser(\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\temailVerified:\n\t\t\t\t\t\t\t\t\ttypeof email_verified === \"boolean\"\n\t\t\t\t\t\t\t\t\t\t? email_verified\n\t\t\t\t\t\t\t\t\t\t: toBoolean(email_verified),\n\t\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\t\timage: picture,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tproviderId: \"google\",\n\t\t\t\t\t\t\t\taccountId: sub,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (!newUser) {\n\t\t\t\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\t\t\t\tmessage: \"Could not create user\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\t\tnewUser.user.id,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\t\tuser: newUser.user,\n\t\t\t\t\t\t\tsession,\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, newUser.user),\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst account = await ctx.context.internalAdapter.findAccount(sub);\n\t\t\t\t\tif (!account) {\n\t\t\t\t\t\tconst accountLinking = ctx.context.options.account?.accountLinking;\n\t\t\t\t\t\tconst shouldLinkAccount =\n\t\t\t\t\t\t\taccountLinking?.enabled !== false &&\n\t\t\t\t\t\t\t(accountLinking?.trustedProviders?.includes(\"google\") ||\n\t\t\t\t\t\t\t\temail_verified);\n\t\t\t\t\t\tif (shouldLinkAccount) {\n\t\t\t\t\t\t\tawait ctx.context.internalAdapter.linkAccount({\n\t\t\t\t\t\t\t\tuserId: user.user.id,\n\t\t\t\t\t\t\t\tproviderId: \"google\",\n\t\t\t\t\t\t\t\taccountId: sub,\n\t\t\t\t\t\t\t\tscope: \"openid,profile,email\",\n\t\t\t\t\t\t\t\tidToken,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\t\t\t\tmessage: \"Google sub doesn't match\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tuser.user.id,\n\t\t\t\t\t);\n\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tuser: user.user,\n\t\t\t\t\t\tsession,\n\t\t\t\t\t});\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user.user),\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\toptions,\n\t}) satisfies BetterAuthPlugin;\n"],"mappings":";;;;;;;;;AAiCA,MAAM,2BAA2B,EAAE,OAAO,EACzC,SAAS,EAAE,QAAQ,CAAC,KAAK,EACxB,aACC,kEACD,CAAC,EACF,CAAC;AAEF,MAAa,UAAU,aACrB;CACA,IAAI;CACJ,WAAW,EACV,gBAAgB,mBACf,qBACA;EACC,QAAQ;EACR,MAAM;EACN,UAAU,EACT,SAAS;GACR,SAAS;GACT,aACC;GACD,WAAW;IACV,KAAK;KACJ,aAAa;KACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;MACP,MAAM;MACN,YAAY;OACX,SAAS,EACR,MAAM,gCACN;OACD,MAAM,EACL,MAAM,6BACN;OACD;MACD,EACD,EACD;KACD;IACD,KAAK,EACJ,aAAa,iBACb;IACD;GACD,EACD;EACD,EACD,OAAO,QAAQ;EACd,MAAM,EAAE,YAAY,IAAI;EACxB,IAAI;AACJ,MAAI;GAIH,MAAM,EAAE,SAAS,oBAAoB,MAAM,UAC1C,SAJY,mBACZ,IAAI,IAAI,6CAA6C,CACrD,EAIA;IACC,QAAQ,CAAC,+BAA+B,sBAAsB;IAC9D,UACC,SAAS,YACT,IAAI,QAAQ,QAAQ,iBAAiB,QAAQ;IAC9C,CACD;AACD,aAAU;UACH;AACP,SAAM,IAAI,SAAS,eAAe,EACjC,SAAS,oBACT,CAAC;;EAEH,MAAM,EAAE,OAAO,gBAAgB,MAAM,SAAS,QAAQ;AACtD,MAAI,CAAC,MACJ,QAAO,IAAI,KAAK,EAAE,OAAO,gCAAgC,CAAC;EAG3D,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM;AACrE,MAAI,CAAC,MAAM;AACV,OAAI,SAAS,cACZ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,kBACT,CAAC;GAEH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,gBACjD;IACC;IACA,eACC,OAAO,mBAAmB,YACvB,iBACA,UAAU,eAAe;IAC7B;IACA,OAAO;IACP,EACD;IACC,YAAY;IACZ,WAAW;IACX,CACD;AACD,OAAI,CAAC,QACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,yBACT,CAAC;GAEH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,QAAQ,KAAK,GACb;AACD,SAAM,iBAAiB,KAAK;IAC3B,MAAM,QAAQ;IACd;IACA,CAAC;AACF,UAAO,IAAI,KAAK;IACf,OAAO,QAAQ;IACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,QAAQ,KAAK;IACxD,CAAC;;AAGH,MAAI,CADY,MAAM,IAAI,QAAQ,gBAAgB,YAAY,IAAI,EACpD;GACb,MAAM,iBAAiB,IAAI,QAAQ,QAAQ,SAAS;AAKpD,OAHC,gBAAgB,YAAY,UAC3B,gBAAgB,kBAAkB,SAAS,SAAS,IACpD,gBAED,OAAM,IAAI,QAAQ,gBAAgB,YAAY;IAC7C,QAAQ,KAAK,KAAK;IAClB,YAAY;IACZ,WAAW;IACX,OAAO;IACP;IACA,CAAC;OAEF,OAAM,IAAI,SAAS,gBAAgB,EAClC,SAAS,4BACT,CAAC;;EAGJ,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,KAAK,GACV;AAED,QAAM,iBAAiB,KAAK;GAC3B,MAAM,KAAK;GACX;GACA,CAAC;AACF,SAAO,IAAI,KAAK;GACf,OAAO,QAAQ;GACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK,KAAK;GACrD,CAAC;GAEH,EACD;CACD;CACA"}

package/dist/plugins/one-time-token/client.d.mts

@@ -0,0 +1,7 @@
+import { OneTimeTokenOptions } from "./index.mjs";
+
+//#region src/plugins/one-time-token/client.d.ts
+declare const oneTimeTokenClient: () => BetterAuthClientPlugin;
+//#endregion
+export { oneTimeTokenClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/one-time-token/client.mjs

@@ -0,0 +1,11 @@
+//#region src/plugins/one-time-token/client.ts
+const oneTimeTokenClient = () => {
+	return {
+		id: "one-time-token",
+		$InferServerPlugin: {}
+	};
+};
+
+//#endregion
+export { oneTimeTokenClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/one-time-token/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/one-time-token/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { oneTimeToken } from \"./index\";\n\nexport const oneTimeTokenClient = () => {\n\treturn {\n\t\tid: \"one-time-token\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof oneTimeToken>,\n\t} satisfies BetterAuthClientPlugin;\n};\n\nexport type { OneTimeTokenOptions } from \"./index\";\n"],"mappings":";AAGA,MAAa,2BAA2B;AACvC,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB"}

package/dist/plugins/one-time-token/index.d.mts

@@ -0,0 +1,53 @@
+import { Session, User } from "../../types/models.mjs";
+import "../../types/index.mjs";
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/plugins/one-time-token/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "one-time-token": {
+      creator: typeof oneTimeToken;
+    };
+  }
+}
+interface OneTimeTokenOptions {
+  /**
+   * Expires in minutes
+   *
+   * @default 3
+   */
+  expiresIn?: number | undefined;
+  /**
+   * Only allow server initiated requests
+   */
+  disableClientRequest?: boolean | undefined;
+  /**
+   * Generate a custom token
+   */
+  generateToken?: ((session: {
+    user: User & Record<string, any>;
+    session: Session & Record<string, any>;
+  }, ctx: GenericEndpointContext) => Promise<string>) | undefined;
+  /**
+   * Disable setting the session cookie when the token is verified
+   */
+  disableSetSessionCookie?: boolean;
+  /**
+   * This option allows you to configure how the token is stored in your database.
+   * Note: This will not affect the token that's sent, it will only affect the token stored in your database.
+   *
+   * @default "plain"
+   */
+  storeToken?: ("plain" | "hashed" | {
+    type: "custom-hasher";
+    hash: (token: string) => Promise<string>;
+  }) | undefined;
+  /**
+   * Set the OTT header on new sessions
+   */
+  setOttHeaderOnNewSession?: boolean;
+}
+declare const oneTimeToken: (options?: OneTimeTokenOptions | undefined) => BetterAuthPlugin;
+//#endregion
+export { OneTimeTokenOptions, oneTimeToken };
+//# sourceMappingURL=index.d.mts.map