@neondatabase/auth 0.1.0-beta.14 → 0.1.0-beta.16

package/README.md

@@ -242,6 +242,7 @@ For Next.js projects, this package provides built-in integration via `@neondatab
 - Importing styles (with or without Tailwind CSS)
 - Accessing session data with `neonAuth()` in server components
 - Using `authClient.useSession()` hook in client components
+- Server-side auth operations with `createAuthServer()` from `@neondatabase/auth/next/server`
 
 ## CSS for UI Components
 

package/dist/{adapter-core-BPv4mLT0.mjs → adapter-core-BQ6ga1zK.mjs}

@@ -1,3 +1,4 @@
+import { a as NEON_AUTH_POPUP_CALLBACK_ROUTE, c as OAUTH_POPUP_MESSAGE_TYPE, i as NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, l as SESSION_CACHE_TTL_MS, o as NEON_AUTH_POPUP_PARAM_NAME, s as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, t as CLOCK_SKEW_BUFFER_MS } from "./constants-2bpp2_-f.mjs";
 import { getGlobalBroadcastChannel } from "better-auth/client";
 import { adminClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
 import z from "zod";
@@ -100,25 +101,6 @@ var InFlightRequestManager = class {
 	}
 };
 
-//#endregion
-//#region src/core/constants.ts
-/**
-* Session caching configuration constants
-*
-* Uses industry-standard 60s cache TTL (common across auth providers).
-*
-* Note: Token refresh detection is now automatic via Better Auth's
-* fetchOptions.onSuccess callback. No polling is needed.
-*/
-/** Session cache TTL in milliseconds (60 seconds) */
-const SESSION_CACHE_TTL_MS = 6e4;
-/** Clock skew buffer for token expiration checks in milliseconds (10 seconds) */
-const CLOCK_SKEW_BUFFER_MS = 1e4;
-/** Default session expiry duration in milliseconds (1 hour) */
-const DEFAULT_SESSION_EXPIRY_MS = 36e5;
-/** Name of the session verifier parameter in the URL, used for the OAUTH flow */
-const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
-
 //#endregion
 //#region src/utils/jwt.ts
 /**
@@ -293,6 +275,59 @@ var AnonymousTokenCacheManager = class {
 	}
 };
 
+//#endregion
+//#region src/core/oauth-popup.ts
+/**
+* Opens an OAuth popup window and waits for completion.
+*
+* This is used when the app is running inside an iframe, where OAuth
+* redirect flows don't work due to X-Frame-Options/CSP restrictions.
+* The popup completes the OAuth flow and sends a postMessage back
+* with the session verifier needed to fetch the session.
+*
+* @param url - The OAuth authorization URL to open in the popup
+* @returns Promise that resolves with the session verifier when OAuth completes
+* @throws Error if popup is blocked, closed by user, or times out
+*/
+async function openOAuthPopup(url) {
+	const timeout = 12e4;
+	const pollInterval = 500;
+	return new Promise((resolve, reject) => {
+		const popup = globalThis.open(url, "neon_oauth_popup", "width=500,height=700,popup=yes");
+		if (!popup || popup.closed) {
+			reject(/* @__PURE__ */ new Error("Popup blocked. Please allow popups for this site."));
+			return;
+		}
+		const timeoutId = setTimeout(() => {
+			cleanup();
+			try {
+				popup.close();
+			} catch {}
+			reject(/* @__PURE__ */ new Error("OAuth popup timed out. Please try again."));
+		}, timeout);
+		const pollId = setInterval(() => {
+			try {
+				if (popup.closed) {
+					cleanup();
+					reject(/* @__PURE__ */ new Error("OAuth popup was closed. Please try again."));
+				}
+			} catch {}
+		}, pollInterval);
+		function cleanup() {
+			clearTimeout(timeoutId);
+			clearInterval(pollId);
+			globalThis.removeEventListener("message", handleMessage);
+		}
+		function handleMessage(event) {
+			if (event.origin !== globalThis.location.origin) return;
+			if (event.data?.type !== OAUTH_POPUP_MESSAGE_TYPE) return;
+			cleanup();
+			resolve({ verifier: event.data.verifier || null });
+		}
+		globalThis.addEventListener("message", handleMessage);
+	});
+}
+
 //#endregion
 //#region src/utils/browser.ts
 /**
@@ -302,6 +337,19 @@ var AnonymousTokenCacheManager = class {
 const isBrowser = () => {
 	return globalThis.window !== void 0 && typeof document !== "undefined";
 };
+/**
+* Checks if the code is running inside an iframe
+* Used to detect embedded contexts where OAuth redirect won't work
+* @returns true if in iframe, false otherwise
+*/
+const isIframe = () => {
+	if (!isBrowser()) return false;
+	try {
+		return globalThis.self !== globalThis.top;
+	} catch {
+		return true;
+	}
+};
 
 //#endregion
 //#region src/plugins/anonymous-token.ts
@@ -341,6 +389,39 @@ const BETTER_AUTH_ENDPOINTS = {
 	anonymousSignIn: "/sign-in/anonymous",
 	anonymousToken: "/token/anonymous"
 };
+/**
+* Handles social sign-in via popup when running inside an iframe.
+* This is necessary because OAuth redirects don't work in iframes due to
+* X-Frame-Options/CSP restrictions from OAuth providers.
+*
+* Flow:
+* 1. Request OAuth URL from server (with disableRedirect)
+* 2. Open popup window with the OAuth URL
+* 3. Wait for popup to complete and send back the session verifier
+* 4. Navigate to callbackURL with verifier - normal page load handles session
+*/
+async function handleSocialSignInViaPopup(input, init) {
+	const body = JSON.parse(init?.body || "{}");
+	const originalCallbackURL = body.callbackURL || "/";
+	const popupCallbackUrl = new URL(NEON_AUTH_POPUP_CALLBACK_ROUTE, globalThis.location.origin);
+	popupCallbackUrl.searchParams.set(NEON_AUTH_POPUP_PARAM_NAME, "1");
+	popupCallbackUrl.searchParams.set(NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, originalCallbackURL);
+	body.callbackURL = popupCallbackUrl.toString();
+	body.disableRedirect = true;
+	const response = await fetch(input, {
+		...init,
+		body: JSON.stringify(body)
+	});
+	const data = await response.json();
+	const oauthUrl = data.url;
+	if (!oauthUrl) throw new Error("Failed to get OAuth URL");
+	const popupResult = await openOAuthPopup(oauthUrl);
+	if (!popupResult.verifier) throw new Error("OAuth completed but no session verifier received");
+	const navigationUrl = new URL(originalCallbackURL, globalThis.location.origin);
+	navigationUrl.searchParams.set(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, popupResult.verifier);
+	globalThis.location.href = navigationUrl.toString();
+	return Response.json(data, { status: response.status });
+}
 const BETTER_AUTH_METHODS_HOOKS = {
 	signUp: {
 		onRequest: () => {},
@@ -359,6 +440,10 @@ const BETTER_AUTH_METHODS_HOOKS = {
 		}
 	},
 	signIn: {
+		beforeRequest: (input, init) => {
+			if (!(typeof input === "string" ? input : input.toString()).includes("/sign-in/social") || !isIframe()) return null;
+			return handleSocialSignInViaPopup(input, init);
+		},
 		onRequest: () => {},
 		onSuccess: (responseData) => {
 			if (isSessionResponseData(responseData)) {
@@ -513,6 +598,20 @@ function deriveBetterAuthMethodFromUrl(url) {
 	if (url.includes(BETTER_AUTH_ENDPOINTS.getSession) || url.includes(BETTER_AUTH_ENDPOINTS.token)) return "getSession";
 }
 function initBroadcastChannel() {
+	if (isBrowser() && globalThis.opener && globalThis.opener !== globalThis) {
+		const params = new URLSearchParams(globalThis.location.search);
+		if (params.has(NEON_AUTH_POPUP_PARAM_NAME)) {
+			const verifier = params.get(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME);
+			const originalCallback = params.get(NEON_AUTH_POPUP_CALLBACK_PARAM_NAME);
+			globalThis.opener.postMessage({
+				type: OAUTH_POPUP_MESSAGE_TYPE,
+				verifier,
+				originalCallback
+			}, "*");
+			globalThis.close();
+			return;
+		}
+	}
 	getGlobalBroadcastChannel().subscribe((message) => {
 		if (message.clientId === CURRENT_TAB_CLIENT_ID) return;
 		const trigger = message.data?.trigger;
@@ -615,4 +714,4 @@ var NeonAuthAdapterCore = class {
 };
 
 //#endregion
-export { DEFAULT_SESSION_EXPIRY_MS as a, CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };
+export { CURRENT_TAB_CLIENT_ID as i, BETTER_AUTH_METHODS_CACHE as n, BETTER_AUTH_METHODS_HOOKS as r, NeonAuthAdapterCore as t };

package/dist/{adapter-core-9F3bfyWA.d.mts → adapter-core-DYWYECKK.d.mts}

@@ -6,10 +6,22 @@ import * as zod0 from "zod";
 import * as jose2 from "jose";
 import * as better_auth454 from "better-auth";
 import * as _better_fetch_fetch266 from "@better-fetch/fetch";
+import { BetterFetchError as BetterFetchError$1 } from "@better-fetch/fetch";
 import * as nanostores7 from "nanostores";
 import * as better_call0 from "better-call";
 import * as better_auth_plugins_email_otp0 from "better-auth/plugins/email-otp";
+import { EmailOTPOptions } from "better-auth/plugins/email-otp";
+import { Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, Team, TeamInput, TeamMember, TeamMemberInput } from "better-auth/plugins/organization";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "better-auth/plugins/jwt";
+import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "better-auth/plugins/admin";
 
+//#region src/types/index.d.ts
+type BetterAuthInstance = ReturnType<typeof createAuthClient$1<{
+  plugins: SupportedBetterAuthClientPlugins;
+}> | typeof createAuthClient<{
+  plugins: SupportedBetterAuthClientPlugins;
+}>>;
+//#endregion
 //#region src/core/adapter-core.d.ts
 interface NeonAuthAdapterCoreAuthOptions extends Omit<BetterAuthClientOptions, 'plugins'> {}
 declare const supportedBetterAuthClientPlugins: ({
@@ -1243,7 +1255,7 @@ declare const supportedBetterAuthClientPlugins: ({
         permission: {
           readonly organization?: ("delete" | "update")[] | undefined;
           readonly member?: ("delete" | "create" | "update")[] | undefined;
-          readonly invitation?: ("create" | "cancel")[] | undefined;
+          readonly invitation?: ("cancel" | "create")[] | undefined;
           readonly team?: ("delete" | "create" | "update")[] | undefined;
           readonly ac?: ("delete" | "create" | "update" | "read")[] | undefined;
         };
@@ -1252,7 +1264,7 @@ declare const supportedBetterAuthClientPlugins: ({
         permissions: {
           readonly organization?: ("delete" | "update")[] | undefined;
           readonly member?: ("delete" | "create" | "update")[] | undefined;
-          readonly invitation?: ("create" | "cancel")[] | undefined;
+          readonly invitation?: ("cancel" | "create")[] | undefined;
           readonly team?: ("delete" | "create" | "update")[] | undefined;
           readonly ac?: ("delete" | "create" | "update" | "read")[] | undefined;
         };
@@ -1770,11 +1782,7 @@ declare abstract class NeonAuthAdapterCore {
    * See CLAUDE.md for architecture details and API mappings.
    */
   constructor(betterAuthClientOptions: NeonAuthAdapterCoreAuthOptions);
-  abstract getBetterAuthInstance(): ReturnType<typeof createAuthClient$1<{
-    plugins: SupportedBetterAuthClientPlugins;
-  }> | typeof createAuthClient<{
-    plugins: SupportedBetterAuthClientPlugins;
-  }>>;
+  abstract getBetterAuthInstance(): BetterAuthInstance;
   /**
    * Get JWT token for authenticated or anonymous access.
    * Single source of truth for token retrieval logic.
@@ -1785,4 +1793,4 @@ declare abstract class NeonAuthAdapterCore {
   getJWTToken(allowAnonymous: boolean): Promise<string | null>;
 }
 //#endregion
-export { NeonAuthAdapterCoreAuthOptions as n, SupportedBetterAuthClientPlugins as r, NeonAuthAdapterCore as t };
+export { TeamInput as C, UserWithRole as E, Team as S, TeamMemberInput as T, MemberInput as _, BetterAuthInstance as a, OrganizationRole as b, InferAdminRolesFromOption as c, InvitationStatus as d, JWKOptions as f, Member as g, JwtOptions as h, AdminOptions as i, Invitation as l, Jwk as m, NeonAuthAdapterCoreAuthOptions as n, BetterFetchError$1 as o, JWSAlgorithms as p, SupportedBetterAuthClientPlugins as r, EmailOTPOptions as s, NeonAuthAdapterCore as t, InvitationInput as u, Organization as v, TeamMember as w, SessionWithImpersonatedBy as x, OrganizationInput as y };

package/dist/{better-auth-react-adapter-BkeuhSFt.mjs → better-auth-react-adapter-BLKXYcWM.mjs}

@@ -1,4 +1,4 @@
-import { t as NeonAuthAdapterCore } from "./adapter-core-BPv4mLT0.mjs";
+import { t as NeonAuthAdapterCore } from "./adapter-core-BQ6ga1zK.mjs";
 import { createAuthClient } from "better-auth/react";
 
 //#region src/adapters/better-auth-react/better-auth-react-adapter.ts