@neutralauth/internal-auth 0.10.11

package/src/plugins/cross-domain/client.test.ts

@@ -0,0 +1,217 @@
+import { describe, it, expect, beforeEach } from "vitest";
+import { getCookie, getSetCookie, parseSetCookieHeader, crossDomainClient } from "./client.js";
+
+describe("parseSetCookieHeader", () => {
+  it("parses a simple cookie", () => {
+    const header = "session_token=abc123";
+    const map = parseSetCookieHeader(header);
+    expect(map.get("session_token")?.value).toBe("abc123");
+  });
+
+  it("parses cookie with attributes", () => {
+    const header = "session_token=abc123; Path=/; Secure; HttpOnly";
+    const map = parseSetCookieHeader(header);
+    const cookie = map.get("session_token");
+    expect(cookie?.value).toBe("abc123");
+  });
+
+  it("parses multiple cookies", () => {
+    const header = "a=1, b=2";
+    const map = parseSetCookieHeader(header);
+    expect(map.get("a")?.value).toBe("1");
+    expect(map.get("b")?.value).toBe("2");
+  });
+});
+
+describe("getSetCookie", () => {
+  it("stores expires as ISO string", () => {
+    const header = "session_token=abc; Max-Age=3600";
+    const result = JSON.parse(getSetCookie(header));
+    expect(typeof result.session_token.expires).toBe("string");
+    expect(result.session_token.expires).toMatch(/^\d{4}-\d{2}-\d{2}T/);
+  });
+
+  it("stores null expires when no expiry is set", () => {
+    const header = "session_token=abc";
+    const result = JSON.parse(getSetCookie(header));
+    expect(result.session_token.expires).toBeNull();
+  });
+
+  it("merges with previous cookies", () => {
+    const prev = JSON.stringify({
+      old_cookie: { value: "old", expires: null },
+    });
+    const header = "new_cookie=new";
+    const result = JSON.parse(getSetCookie(header, prev));
+    expect(result.old_cookie.value).toBe("old");
+    expect(result.new_cookie.value).toBe("new");
+  });
+
+  it("overwrites previous cookies with same name", () => {
+    const prev = JSON.stringify({
+      token: { value: "old", expires: null },
+    });
+    const header = "token=new";
+    const result = JSON.parse(getSetCookie(header, prev));
+    expect(result.token.value).toBe("new");
+  });
+
+  it("survives invalid previous cookie JSON", () => {
+    const header = "token=abc";
+    const result = JSON.parse(getSetCookie(header, "not-json"));
+    expect(result.token.value).toBe("abc");
+  });
+});
+
+describe("getCookie", () => {
+  it("returns cookie string for valid cookies", () => {
+    const stored = JSON.stringify({
+      session: { value: "abc", expires: new Date(Date.now() + 60000).toISOString() },
+    });
+    const result = getCookie(stored);
+    expect(result).toContain("session=abc");
+  });
+
+  it("filters out expired cookies", () => {
+    const stored = JSON.stringify({
+      expired: { value: "old", expires: new Date(Date.now() - 60000).toISOString() },
+      valid: { value: "new", expires: new Date(Date.now() + 60000).toISOString() },
+    });
+    const result = getCookie(stored);
+    expect(result).not.toContain("expired=old");
+    expect(result).toContain("valid=new");
+  });
+
+  it("keeps cookies with no expiry", () => {
+    const stored = JSON.stringify({
+      session: { value: "abc", expires: null },
+    });
+    const result = getCookie(stored);
+    expect(result).toContain("session=abc");
+  });
+
+  it("handles expires after JSON round-trip (string, not Date)", () => {
+    // This is the core bug #1 scenario: expires is a string after JSON.parse
+    const past = new Date(Date.now() - 60000);
+    const stored = JSON.stringify({
+      expired: { value: "old", expires: past.toISOString() },
+    });
+    // After JSON.parse, expires is a string — getCookie must handle this
+    const result = getCookie(stored);
+    expect(result).not.toContain("expired=old");
+  });
+
+  it("returns empty string for empty cookie object", () => {
+    expect(getCookie("{}")).toBe("");
+  });
+
+  it("returns empty string for invalid JSON", () => {
+    expect(getCookie("not-json")).toBe("");
+  });
+});
+
+describe("crossDomainClient", () => {
+  let storage: Map<string, string>;
+  let mockStorage: { getItem: (key: string) => string | null; setItem: (key: string, value: string) => void };
+  const cookieName = "better-auth_cookie";
+  const localCacheName = "better-auth_session_data";
+
+  beforeEach(() => {
+    storage = new Map<string, string>();
+    mockStorage = {
+      getItem: (key) => storage.get(key) ?? null,
+      setItem: (key, value) => { storage.set(key, value); },
+    };
+  });
+
+  function getActions() {
+    const plugin = crossDomainClient({ storage: mockStorage });
+    const mockStore = {
+      notify: () => {},
+      atoms: { session: { set: () => {}, get: () => ({}) } },
+    };
+    return plugin.getActions({} as any, mockStore as any);
+  }
+
+  function getOnSuccessHook() {
+    const plugin = crossDomainClient({ storage: mockStorage });
+    return plugin.fetchPlugins[0].hooks!.onSuccess!;
+  }
+
+  describe("getSessionData", () => {
+    it("returns null when storage is empty", () => {
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns null for empty object in storage", () => {
+      storage.set(localCacheName, "{}");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns parsed session data", () => {
+      const sessionData = { session: { id: "123" }, user: { name: "test" } };
+      storage.set(localCacheName, JSON.stringify(sessionData));
+      const actions = getActions();
+      expect(actions.getSessionData()).toEqual(sessionData);
+    });
+
+    it("returns null for stored 'null' string", () => {
+      storage.set(localCacheName, "null");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+
+    it("returns null for corrupt JSON in storage", () => {
+      storage.set(localCacheName, "not-valid-json");
+      const actions = getActions();
+      expect(actions.getSessionData()).toBeNull();
+    });
+  });
+
+  describe("onSuccess handler", () => {
+    it("clears cookies when get-session returns null", async () => {
+      storage.set(cookieName, JSON.stringify({
+        "better-auth.session_token": { value: "stale", expires: null },
+      }));
+
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: null,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(cookieName)).toBe("{}");
+    });
+
+    it("preserves cookies when get-session returns data", async () => {
+      const existingCookies = JSON.stringify({
+        "better-auth.session_token": { value: "valid", expires: null },
+      });
+      storage.set(cookieName, existingCookies);
+
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: { session: { id: "123" }, user: { name: "test" } },
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(cookieName)).toBe(existingCookies);
+    });
+
+    it("caches session data on get-session", async () => {
+      const sessionData = { session: { id: "123" }, user: { name: "test" } };
+      const onSuccess = getOnSuccessHook();
+      await onSuccess({
+        data: sessionData,
+        request: { url: new URL("https://example.com/api/auth/get-session") },
+        response: { headers: new Headers() },
+      } as any);
+
+      expect(storage.get(localCacheName)).toBe(JSON.stringify(sessionData));
+    });
+  });
+});

package/src/plugins/cross-domain/client.ts

@@ -0,0 +1,234 @@
+import type { BetterAuthClientPlugin, ClientStore } from "better-auth";
+import type { BetterFetchOption } from "@better-fetch/fetch";
+import type { crossDomain } from "./index.js";
+
+interface CookieAttributes {
+  value: string;
+  expires?: Date;
+  "max-age"?: number;
+  domain?: string;
+  path?: string;
+  secure?: boolean;
+  httpOnly?: boolean;
+  sameSite?: "Strict" | "Lax" | "None";
+}
+
+export function parseSetCookieHeader(
+  header: string
+): Map<string, CookieAttributes> {
+  const cookieMap = new Map<string, CookieAttributes>();
+  const cookies = header.split(", ");
+  cookies.forEach((cookie) => {
+    const [nameValue, ...attributes] = cookie.split("; ");
+    const [name, value] = nameValue.split("=");
+
+    const cookieObj: CookieAttributes = { value };
+
+    attributes.forEach((attr) => {
+      const [attrName, attrValue] = attr.split("=");
+      cookieObj[attrName.toLowerCase() as "value"] = attrValue;
+    });
+
+    cookieMap.set(name, cookieObj);
+  });
+
+  return cookieMap;
+}
+
+interface StoredCookie {
+  value: string;
+  expires: string | null;
+}
+
+export function getSetCookie(header: string, prevCookie?: string) {
+  const parsed = parseSetCookieHeader(header);
+  let toSetCookie: Record<string, StoredCookie> = {};
+  parsed.forEach((cookie, key) => {
+    const expiresAt = cookie["expires"];
+    const maxAge = cookie["max-age"];
+    const expires = expiresAt
+      ? new Date(String(expiresAt))
+      : maxAge
+        ? new Date(Date.now() + Number(maxAge) * 1000)
+        : null;
+    toSetCookie[key] = {
+      value: cookie["value"],
+      expires: expires ? expires.toISOString() : null,
+    };
+  });
+  if (prevCookie) {
+    try {
+      const prevCookieParsed = JSON.parse(prevCookie);
+      toSetCookie = {
+        ...prevCookieParsed,
+        ...toSetCookie,
+      };
+    } catch {
+      //
+    }
+  }
+  return JSON.stringify(toSetCookie);
+}
+
+export function getCookie(cookie: string) {
+  let parsed = {} as Record<string, StoredCookie>;
+  try {
+    parsed = JSON.parse(cookie) as Record<string, StoredCookie>;
+  } catch {
+    // noop
+  }
+  const toSend = Object.entries(parsed).reduce((acc, [key, value]) => {
+    if (value.expires && new Date(value.expires) < new Date()) {
+      return acc;
+    }
+    return `${acc}; ${key}=${value.value}`;
+  }, "");
+  return toSend;
+}
+
+export const crossDomainClient = (
+  opts: {
+    storage?: {
+      setItem: (key: string, value: string) => any;
+      getItem: (key: string) => string | null;
+    };
+    storagePrefix?: string;
+    disableCache?: boolean;
+  } = {}
+) => {
+  let store: ClientStore | null = null;
+  const cookieName = `${opts?.storagePrefix || "better-auth"}_cookie`;
+  const localCacheName = `${opts?.storagePrefix || "better-auth"}_session_data`;
+  const storage =
+    opts?.storage || (typeof localStorage !== "undefined" ? localStorage : undefined);
+
+  return {
+    id: "cross-domain",
+    $InferServerPlugin: {} as ReturnType<typeof crossDomain>,
+    getActions(_, $store) {
+      store = $store;
+      return {
+        /**
+         * Get the stored cookie.
+         *
+         * You can use this to get the cookie stored in the device and use it in your fetch
+         * requests.
+         *
+         * @example
+         * ```ts
+         * const cookie = client.getCookie();
+         * fetch("https://api.example.com", {
+         * 	headers: {
+         * 		cookie,
+         * 	},
+         * });
+         */
+        getCookie: () => {
+          const cookie = storage?.getItem(cookieName);
+          return getCookie(cookie || "{}");
+        },
+        /**
+         * Notify the session signal.
+         *
+         * This is used to trigger an update in useSession, generally when a new session
+         * token is set.
+         *
+         * @example
+         * ```ts
+         * client.notifySessionSignal();
+         * ```
+         */
+        updateSession: () => {
+          $store.notify("$sessionSignal");
+        },
+        /**
+         * Get the stored session data.
+         *
+         * @example
+         * ```ts
+         * const sessionData = client.getSessionData();
+         * ```
+         */
+        getSessionData: (): Record<string, unknown> | null => {
+          const sessionData = storage?.getItem(localCacheName);
+          if (!sessionData) return null;
+          try {
+            const parsed = JSON.parse(sessionData);
+            if (parsed && typeof parsed === "object" && Object.keys(parsed).length === 0) return null;
+            return parsed;
+          } catch {
+            return null;
+          }
+        },
+      };
+    },
+    fetchPlugins: [
+      {
+        id: "convex",
+        name: "Convex",
+        hooks: {
+          async onSuccess(context) {
+            if (!storage) {
+              return;
+            }
+            const setCookie = context.response.headers.get(
+              "set-better-auth-cookie"
+            );
+            if (setCookie) {
+              const prevCookie = storage.getItem(cookieName);
+              const toSetCookie = getSetCookie(
+                setCookie || "",
+                prevCookie ?? undefined
+              );
+              await storage.setItem(cookieName, toSetCookie);
+              // Only notify on session cookie set
+              if (setCookie.includes(".session_token=")) {
+                store?.notify("$sessionSignal");
+              }
+            }
+
+            if (
+              context.request.url.toString().includes("/get-session") &&
+              !opts?.disableCache
+            ) {
+              const data = context.data;
+              storage.setItem(localCacheName, JSON.stringify(data));
+              if (data === null) {
+                storage.setItem(cookieName, "{}");
+              }
+            }
+          },
+        },
+        async init(url, options) {
+          if (!storage) {
+            return {
+              url,
+              options: options as BetterFetchOption,
+            };
+          }
+          options = options || {};
+          const storedCookie = storage.getItem(cookieName);
+          const cookie = getCookie(storedCookie || "{}");
+          options.credentials = "omit";
+          options.headers = {
+            ...options.headers,
+            "Better-Auth-Cookie": cookie,
+          };
+          if (url.includes("/sign-out")) {
+            await storage.setItem(cookieName, "{}");
+            store?.atoms.session?.set({
+              data: null,
+              error: null,
+              isPending: false,
+            });
+            storage.setItem(localCacheName, "{}");
+          }
+          return {
+            url,
+            options: options as BetterFetchOption,
+          };
+        },
+      },
+    ],
+  } satisfies BetterAuthClientPlugin;
+};

package/src/plugins/cross-domain/index.ts

@@ -0,0 +1,199 @@
+import type { BetterAuthPlugin } from "better-auth";
+import { setSessionCookie } from "better-auth/cookies";
+import { generateRandomString } from "better-auth/crypto";
+import {
+  createAuthEndpoint,
+  createAuthMiddleware,
+  oneTimeToken as oneTimeTokenPlugin,
+} from "better-auth/plugins";
+import { z } from "zod";
+
+export const crossDomain = ({ siteUrl }: { siteUrl: string }) => {
+  const oneTimeToken = oneTimeTokenPlugin();
+
+  const rewriteCallbackURL = (callbackURL?: string) => {
+    if (callbackURL && !callbackURL.startsWith("/")) {
+      return callbackURL;
+    }
+    const relativeCallbackURL = callbackURL || "/";
+    return new URL(relativeCallbackURL, siteUrl).toString();
+  };
+
+  const isExpoNative = (ctx: { headers?: Headers }) => {
+    return ctx.headers?.has("expo-origin");
+  };
+
+  return {
+    id: "cross-domain",
+    // TODO: remove this in the next minor release, it doesn't
+    // actually affect ctx.trustedOrigins. cors allowedOrigins
+    // is using it, via options.trustedOrigins, though, so it's
+    // a breaking change.
+    init() {
+      return {
+        options: {
+          trustedOrigins: [siteUrl],
+        },
+        context: {
+          oauthConfig: {
+            storeStateStrategy: "database",
+            // We could fake the cookie by sending a header, but it would need
+            // to be set on a 302 redirect from the identity provider, and we
+            // don't have a way to do that. This only means we can't stop an
+            // oauth flow that started in one browser from continuing in
+            // another. We still verify the state token from the query string
+            // against the database.
+            skipStateCookieCheck: true,
+          },
+        },
+      };
+    },
+    hooks: {
+      before: [
+        {
+          matcher(ctx) {
+            return (
+              Boolean(
+                ctx.request?.headers.get("better-auth-cookie") ||
+                  ctx.headers?.get("better-auth-cookie")
+              ) && !isExpoNative(ctx)
+            );
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const existingHeaders = (ctx.request?.headers ||
+              ctx.headers) as Headers;
+            const headers = new Headers({
+              ...Object.fromEntries(existingHeaders?.entries()),
+            });
+            // Skip if the request has an authorization header
+            if (headers.get("authorization")) {
+              return;
+            }
+            const cookie = headers.get("better-auth-cookie");
+            if (!cookie) {
+              return;
+            }
+            headers.append("cookie", cookie);
+            return {
+              context: {
+                headers,
+              },
+            };
+          }),
+        },
+        {
+          matcher: (ctx) => {
+            return (
+              ctx.method === "GET" &&
+              ctx.path.startsWith("/verify-email") &&
+              !isExpoNative(ctx)
+            );
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            if (ctx.query?.callbackURL) {
+              ctx.query.callbackURL = rewriteCallbackURL(ctx.query.callbackURL);
+            }
+            return { context: ctx };
+          }),
+        },
+        {
+          matcher: (ctx) => {
+            return (
+              ((ctx.method === "POST" && ctx.path.startsWith("/link-social")) ||
+                ctx.path.startsWith("/send-verification-email") ||
+                ctx.path.startsWith("/sign-in/email") ||
+                ctx.path.startsWith("/sign-in/social") ||
+                ctx.path.startsWith("/sign-in/magic-link") ||
+                ctx.path.startsWith("/delete-user") ||
+                ctx.path.startsWith("/change-email")) &&
+              !isExpoNative(ctx)
+            );
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const isSignIn = ctx.path.startsWith("/sign-in");
+            ctx.body.callbackURL = rewriteCallbackURL(ctx.body.callbackURL);
+            if (isSignIn && ctx.body.newUserCallbackURL) {
+              ctx.body.newUserCallbackURL = rewriteCallbackURL(
+                ctx.body.newUserCallbackURL
+              );
+            }
+            if (isSignIn && ctx.body.errorCallbackURL) {
+              ctx.body.errorCallbackURL = rewriteCallbackURL(
+                ctx.body.errorCallbackURL
+              );
+            }
+            return { context: ctx };
+          }),
+        },
+      ],
+      after: [
+        {
+          matcher(ctx) {
+            return !isExpoNative(ctx);
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const setCookie = ctx.context.responseHeaders?.get("set-cookie");
+            if (!setCookie) {
+              return;
+            }
+            ctx.context.responseHeaders?.delete("set-cookie");
+            ctx.setHeader("Set-Better-Auth-Cookie", setCookie);
+          }),
+        },
+        {
+          matcher: (ctx) => {
+            return (
+              (ctx.path?.startsWith("/callback") ||
+                ctx.path?.startsWith("/oauth2/callback") ||
+                ctx.path?.startsWith("/magic-link/verify")) &&
+              !isExpoNative(ctx)
+            );
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            // Mostly copied from the one-time-token plugin
+            const session = ctx.context.newSession;
+            if (!session) {
+              ctx.context.logger.error("No session found");
+              return;
+            }
+            const token = generateRandomString(32);
+            const expiresAt = new Date(Date.now() + 3 * 60 * 1000);
+            await ctx.context.internalAdapter.createVerificationValue({
+              value: session.session.token,
+              identifier: `one-time-token:${token}`,
+              expiresAt,
+            });
+            const redirectTo = ctx.context.responseHeaders?.get("location");
+            if (!redirectTo) {
+              ctx.context.logger.error("No redirect to found");
+              return;
+            }
+            const url = new URL(redirectTo);
+            url.searchParams.set("ott", token);
+            throw ctx.redirect(url.toString());
+          }),
+        },
+      ],
+    },
+    endpoints: {
+      verifyOneTimeToken: createAuthEndpoint(
+        "/cross-domain/one-time-token/verify",
+        {
+          method: "POST",
+          body: z.object({
+            token: z.string(),
+          }),
+        },
+        async (ctx) => {
+          const response = await oneTimeToken.endpoints.verifyOneTimeToken({
+            ...ctx,
+            returnHeaders: false,
+            returnStatus: false,
+          });
+          await setSessionCookie(ctx, response);
+          return response;
+        }
+      ),
+    },
+  } satisfies BetterAuthPlugin;
+};

package/src/plugins/index.ts

@@ -0,0 +1,2 @@
+export * from "./convex/index.js";
+export * from "./cross-domain/index.js";