@neondatabase/auth 0.1.0-beta.13 → 0.1.0-beta.15

package/dist/{adapter-core-Ed-EN_tr.mjs → adapter-core-ChIlSbGg.mjs}

@@ -1,5 +1,5 @@
 import { getGlobalBroadcastChannel } from "better-auth/client";
-import { adminClient, anonymousClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
+import { adminClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
 import z from "zod";
 
 //#region src/core/in-flight-request-manager.ts
@@ -118,6 +118,14 @@ const CLOCK_SKEW_BUFFER_MS = 1e4;
 const DEFAULT_SESSION_EXPIRY_MS = 36e5;
 /** Name of the session verifier parameter in the URL, used for the OAUTH flow */
 const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
+/** Name of the popup marker parameter in the URL, used for OAuth popup flow in iframes */
+const NEON_AUTH_POPUP_PARAM_NAME = "neon_popup";
+/** Name of the original callback URL parameter, used in OAuth popup flow */
+const NEON_AUTH_POPUP_CALLBACK_PARAM_NAME = "neon_popup_callback";
+/** The callback route used for OAuth popup completion (must be in middleware SKIP_ROUTES) */
+const NEON_AUTH_POPUP_CALLBACK_ROUTE = "/auth/callback";
+/** Message type for OAuth popup completion postMessage */
+const OAUTH_POPUP_MESSAGE_TYPE = "neon-auth:oauth-complete";
 
 //#endregion
 //#region src/utils/jwt.ts
@@ -293,6 +301,59 @@ var AnonymousTokenCacheManager = class {
 	}
 };
 
+//#endregion
+//#region src/core/oauth-popup.ts
+/**
+* Opens an OAuth popup window and waits for completion.
+*
+* This is used when the app is running inside an iframe, where OAuth
+* redirect flows don't work due to X-Frame-Options/CSP restrictions.
+* The popup completes the OAuth flow and sends a postMessage back
+* with the session verifier needed to fetch the session.
+*
+* @param url - The OAuth authorization URL to open in the popup
+* @returns Promise that resolves with the session verifier when OAuth completes
+* @throws Error if popup is blocked, closed by user, or times out
+*/
+async function openOAuthPopup(url) {
+	const timeout = 12e4;
+	const pollInterval = 500;
+	return new Promise((resolve, reject) => {
+		const popup = globalThis.open(url, "neon_oauth_popup", "width=500,height=700,popup=yes");
+		if (!popup || popup.closed) {
+			reject(/* @__PURE__ */ new Error("Popup blocked. Please allow popups for this site."));
+			return;
+		}
+		const timeoutId = setTimeout(() => {
+			cleanup();
+			try {
+				popup.close();
+			} catch {}
+			reject(/* @__PURE__ */ new Error("OAuth popup timed out. Please try again."));
+		}, timeout);
+		const pollId = setInterval(() => {
+			try {
+				if (popup.closed) {
+					cleanup();
+					reject(/* @__PURE__ */ new Error("OAuth popup was closed. Please try again."));
+				}
+			} catch {}
+		}, pollInterval);
+		function cleanup() {
+			clearTimeout(timeoutId);
+			clearInterval(pollId);
+			globalThis.removeEventListener("message", handleMessage);
+		}
+		function handleMessage(event) {
+			if (event.origin !== globalThis.location.origin) return;
+			if (event.data?.type !== OAUTH_POPUP_MESSAGE_TYPE) return;
+			cleanup();
+			resolve({ verifier: event.data.verifier || null });
+		}
+		globalThis.addEventListener("message", handleMessage);
+	});
+}
+
 //#endregion
 //#region src/utils/browser.ts
 /**
@@ -302,6 +363,19 @@ var AnonymousTokenCacheManager = class {
 const isBrowser = () => {
 	return globalThis.window !== void 0 && typeof document !== "undefined";
 };
+/**
+* Checks if the code is running inside an iframe
+* Used to detect embedded contexts where OAuth redirect won't work
+* @returns true if in iframe, false otherwise
+*/
+const isIframe = () => {
+	if (!isBrowser()) return false;
+	try {
+		return globalThis.self !== globalThis.top;
+	} catch {
+		return true;
+	}
+};
 
 //#endregion
 //#region src/plugins/anonymous-token.ts
@@ -341,6 +415,39 @@ const BETTER_AUTH_ENDPOINTS = {
 	anonymousSignIn: "/sign-in/anonymous",
 	anonymousToken: "/token/anonymous"
 };
+/**
+* Handles social sign-in via popup when running inside an iframe.
+* This is necessary because OAuth redirects don't work in iframes due to
+* X-Frame-Options/CSP restrictions from OAuth providers.
+*
+* Flow:
+* 1. Request OAuth URL from server (with disableRedirect)
+* 2. Open popup window with the OAuth URL
+* 3. Wait for popup to complete and send back the session verifier
+* 4. Navigate to callbackURL with verifier - normal page load handles session
+*/
+async function handleSocialSignInViaPopup(input, init) {
+	const body = JSON.parse(init?.body || "{}");
+	const originalCallbackURL = body.callbackURL || "/";
+	const popupCallbackUrl = new URL(NEON_AUTH_POPUP_CALLBACK_ROUTE, globalThis.location.origin);
+	popupCallbackUrl.searchParams.set(NEON_AUTH_POPUP_PARAM_NAME, "1");
+	popupCallbackUrl.searchParams.set(NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, originalCallbackURL);
+	body.callbackURL = popupCallbackUrl.toString();
+	body.disableRedirect = true;
+	const response = await fetch(input, {
+		...init,
+		body: JSON.stringify(body)
+	});
+	const data = await response.json();
+	const oauthUrl = data.url;
+	if (!oauthUrl) throw new Error("Failed to get OAuth URL");
+	const popupResult = await openOAuthPopup(oauthUrl);
+	if (!popupResult.verifier) throw new Error("OAuth completed but no session verifier received");
+	const navigationUrl = new URL(originalCallbackURL, globalThis.location.origin);
+	navigationUrl.searchParams.set(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, popupResult.verifier);
+	globalThis.location.href = navigationUrl.toString();
+	return Response.json(data, { status: response.status });
+}
 const BETTER_AUTH_METHODS_HOOKS = {
 	signUp: {
 		onRequest: () => {},
@@ -359,6 +466,10 @@ const BETTER_AUTH_METHODS_HOOKS = {
 		}
 	},
 	signIn: {
+		beforeRequest: (input, init) => {
+			if (!(typeof input === "string" ? input : input.toString()).includes("/sign-in/social") || !isIframe()) return null;
+			return handleSocialSignInViaPopup(input, init);
+		},
 		onRequest: () => {},
 		onSuccess: (responseData) => {
 			if (isSessionResponseData(responseData)) {
@@ -513,6 +624,20 @@ function deriveBetterAuthMethodFromUrl(url) {
 	if (url.includes(BETTER_AUTH_ENDPOINTS.getSession) || url.includes(BETTER_AUTH_ENDPOINTS.token)) return "getSession";
 }
 function initBroadcastChannel() {
+	if (isBrowser() && globalThis.opener && globalThis.opener !== globalThis) {
+		const params = new URLSearchParams(globalThis.location.search);
+		if (params.has(NEON_AUTH_POPUP_PARAM_NAME)) {
+			const verifier = params.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+			const originalCallback = params.get(NEON_AUTH_POPUP_CALLBACK_PARAM_NAME);
+			globalThis.opener.postMessage({
+				type: OAUTH_POPUP_MESSAGE_TYPE,
+				verifier,
+				originalCallback
+			}, "*");
+			globalThis.close();
+			return;
+		}
+	}
 	getGlobalBroadcastChannel().subscribe((message) => {
 		if (message.clientId === CURRENT_TAB_CLIENT_ID) return;
 		const trigger = message.data?.trigger;
@@ -528,7 +653,6 @@ const supportedBetterAuthClientPlugins = [
 	adminClient(),
 	organizationClient(),
 	emailOTPClient(),
-	anonymousClient(),
 	anonymousTokenClient()
 ];
 var NeonAuthAdapterCore = class {
@@ -616,4 +740,4 @@ var NeonAuthAdapterCore = class {
 };
 
 //#endregion
-export { DEFAULT_SESSION_EXPIRY_MS as a, CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };
+export { DEFAULT_SESSION_EXPIRY_MS as a, CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, NEON_AUTH_SESSION_VERIFIER_PARAM_NAME as o, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };