@pricava/react-native-google-credential 0.1.0

package/src/PricavaGoogleCredentialModule.web.ts

@@ -0,0 +1,296 @@
+import type {
+  GoogleCredentialResult,
+  PricavaGoogleCredentialNativeModule,
+  ResolvedGoogleCredentialOptions,
+} from "./types";
+
+type GoogleCredentialResponse = {
+  credential?: string;
+};
+
+type GooglePromptMomentNotification = {
+  isDismissedMoment(): boolean;
+  isDisplayed(): boolean;
+  isNotDisplayed(): boolean;
+  isSkippedMoment(): boolean;
+  getDismissedReason(): string;
+  getNotDisplayedReason(): string;
+  getSkippedReason(): string;
+};
+
+type GoogleIdentityService = {
+  accounts: {
+    id: {
+      cancel(): void;
+      disableAutoSelect(): void;
+      initialize(config: {
+        auto_select?: boolean;
+        callback(response: GoogleCredentialResponse): void;
+        cancel_on_tap_outside?: boolean;
+        client_id: string;
+        nonce?: string;
+        use_fedcm_for_prompt?: boolean;
+      }): void;
+      prompt(
+        callback?: (notification: GooglePromptMomentNotification) => void,
+      ): void;
+    };
+  };
+};
+
+declare global {
+  interface Window {
+    google?: GoogleIdentityService;
+  }
+}
+
+type GoogleIdTokenPayload = {
+  email?: string;
+  family_name?: string;
+  given_name?: string;
+  name?: string;
+  phone_number?: string;
+  picture?: string;
+  sub?: string;
+};
+
+const GOOGLE_IDENTITY_SCRIPT_ID = "google-identity-services-script";
+const GOOGLE_IDENTITY_SCRIPT_SRC = "https://accounts.google.com/gsi/client";
+const SIGN_IN_TIMEOUT_MS = 120_000;
+
+let scriptLoadPromise: Promise<void> | null = null;
+let pendingSignInReject: ((error: Error) => void) | null = null;
+
+function getGoogleIdentityService() {
+  return typeof window === "undefined" ? undefined : window.google;
+}
+
+function toErrorMessage(reason: string | null | undefined) {
+  if (reason === "unregistered_origin") {
+    const origin =
+      typeof window === "undefined"
+        ? "the current web origin"
+        : window.location.origin;
+
+    return [
+      "Google sign-in was not completed: this web origin is not authorized for the configured Google OAuth web client.",
+      `Add ${origin} to Authorized JavaScript origins for GOOGLE_WEB_CLIENT_ID in Google Cloud Console.`,
+      "For localhost development, Google also requires http://localhost and the exact ported origin, for example http://localhost:8081.",
+    ].join(" ");
+  }
+
+  return reason?.trim()
+    ? `Google sign-in was not completed: ${reason}.`
+    : "Google sign-in was not completed.";
+}
+
+function createGoogleSignInError(reason?: string | null) {
+  return new Error(toErrorMessage(reason));
+}
+
+function loadGoogleIdentityScript() {
+  if (getGoogleIdentityService()) {
+    return Promise.resolve();
+  }
+
+  if (scriptLoadPromise) {
+    return scriptLoadPromise;
+  }
+
+  scriptLoadPromise = new Promise((resolve, reject) => {
+    const existingScript = document.getElementById(
+      GOOGLE_IDENTITY_SCRIPT_ID,
+    ) as HTMLScriptElement | null;
+
+    if (existingScript) {
+      if (getGoogleIdentityService()) {
+        resolve();
+        return;
+      }
+
+      existingScript.addEventListener("load", () => resolve(), { once: true });
+      existingScript.addEventListener(
+        "error",
+        () => reject(new Error("Failed to load Google Identity Services.")),
+        { once: true },
+      );
+      return;
+    }
+
+    const script = document.createElement("script");
+    script.id = GOOGLE_IDENTITY_SCRIPT_ID;
+    script.src = GOOGLE_IDENTITY_SCRIPT_SRC;
+    script.async = true;
+    script.defer = true;
+    script.onload = () => resolve();
+    script.onerror = () => {
+      scriptLoadPromise = null;
+      reject(new Error("Failed to load Google Identity Services."));
+    };
+
+    document.head.appendChild(script);
+  });
+
+  return scriptLoadPromise;
+}
+
+function decodeBase64UrlJson<T>(value: string): T {
+  const base64 = value.replace(/-/g, "+").replace(/_/g, "/");
+  const paddedBase64 = base64.padEnd(
+    base64.length + ((4 - (base64.length % 4)) % 4),
+    "=",
+  );
+  const decoded = window.atob(paddedBase64);
+  const bytes = Uint8Array.from(decoded, (character) =>
+    character.charCodeAt(0),
+  );
+  const json = new TextDecoder().decode(bytes);
+
+  return JSON.parse(json) as T;
+}
+
+function decodeGoogleIdToken(idToken: string) {
+  const [, payload] = idToken.split(".");
+
+  if (!payload) {
+    return {};
+  }
+
+  try {
+    return decodeBase64UrlJson<GoogleIdTokenPayload>(payload);
+  } catch {
+    return {};
+  }
+}
+
+function mapCredentialResult(idToken: string): GoogleCredentialResult {
+  const payload = decodeGoogleIdToken(idToken);
+
+  return {
+    idToken,
+    displayName: payload.name ?? null,
+    email: payload.email ?? null,
+    familyName: payload.family_name ?? null,
+    givenName: payload.given_name ?? null,
+    id: payload.sub ?? payload.email ?? null,
+    phoneNumber: payload.phone_number ?? null,
+    profilePictureUri: payload.picture ?? null,
+  };
+}
+
+function rejectPendingSignIn(error: Error) {
+  pendingSignInReject?.(error);
+  pendingSignInReject = null;
+}
+
+const module: PricavaGoogleCredentialNativeModule = {
+  async isAvailableAsync() {
+    return typeof window !== "undefined" && typeof document !== "undefined";
+  },
+  async signInAsync(options: ResolvedGoogleCredentialOptions) {
+    if (!options.webClientId.trim()) {
+      throw new Error("Missing Google web client ID.");
+    }
+
+    if (!(await module.isAvailableAsync())) {
+      throw new Error("Google sign-in is not available in this environment.");
+    }
+
+    rejectPendingSignIn(
+      createGoogleSignInError("another sign-in request started"),
+    );
+
+    await loadGoogleIdentityScript();
+
+    const google = getGoogleIdentityService();
+
+    if (!google) {
+      throw new Error("Google Identity Services is not available.");
+    }
+
+    return new Promise<GoogleCredentialResult>((resolve, reject) => {
+      let settled = false;
+      const timeoutId = window.setTimeout(() => {
+        if (settled) {
+          return;
+        }
+
+        settled = true;
+        pendingSignInReject = null;
+        google.accounts.id.cancel();
+        reject(createGoogleSignInError("request timed out"));
+      }, SIGN_IN_TIMEOUT_MS);
+
+      function settleWithCredential(idToken: string) {
+        if (settled) {
+          return;
+        }
+
+        settled = true;
+        pendingSignInReject = null;
+        window.clearTimeout(timeoutId);
+        resolve(mapCredentialResult(idToken));
+      }
+
+      function settleWithError(error: Error) {
+        if (settled) {
+          return;
+        }
+
+        settled = true;
+        pendingSignInReject = null;
+        window.clearTimeout(timeoutId);
+        reject(error);
+      }
+
+      pendingSignInReject = settleWithError;
+
+      google.accounts.id.initialize({
+        client_id: options.webClientId,
+        nonce: options.nonce ?? undefined,
+        auto_select: options.webAutoSelect,
+        cancel_on_tap_outside: true,
+        use_fedcm_for_prompt: options.webUseFedCm,
+        callback(response) {
+          if (response.credential) {
+            settleWithCredential(response.credential);
+            return;
+          }
+
+          settleWithError(createGoogleSignInError("missing credential"));
+        },
+      });
+
+      google.accounts.id.prompt((notification) => {
+        if (settled || notification.isDisplayed()) {
+          return;
+        }
+
+        if (notification.isNotDisplayed()) {
+          settleWithError(
+            createGoogleSignInError(notification.getNotDisplayedReason()),
+          );
+          return;
+        }
+
+        if (notification.isSkippedMoment()) {
+          settleWithError(
+            createGoogleSignInError(notification.getSkippedReason()),
+          );
+          return;
+        }
+
+        if (notification.isDismissedMoment()) {
+          settleWithError(
+            createGoogleSignInError(notification.getDismissedReason()),
+          );
+        }
+      });
+    });
+  },
+  async clearCredentialStateAsync() {
+    getGoogleIdentityService()?.accounts.id.disableAutoSelect();
+  },
+};
+
+export default module;

package/src/adapters/google-auth-provider.ts

@@ -0,0 +1,155 @@
+import {
+  type GoogleCredentialOptions,
+  type GoogleCredentialResult,
+  signInWithGoogleCredential,
+} from "../index";
+
+const BASE64_URL_ALPHABET =
+  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+
+type ExpoCryptoModule = {
+  CryptoDigestAlgorithm: {
+    SHA256: string;
+  };
+  CryptoEncoding: {
+    HEX: string;
+  };
+  digestStringAsync(
+    algorithm: string,
+    value: string,
+    options: { encoding: string },
+  ): Promise<string>;
+  getRandomBytes(byteCount: number): Uint8Array;
+};
+
+type OptionalRequire = (id: string) => unknown;
+
+declare const require: OptionalRequire | undefined;
+
+function getExpoCrypto() {
+  if (typeof require !== "function") {
+    return null;
+  }
+
+  try {
+    return require("expo-crypto") as ExpoCryptoModule;
+  } catch {
+    return null;
+  }
+}
+
+function getRandomBytes(byteCount: number) {
+  const bytes = new Uint8Array(byteCount);
+  const webCrypto = globalThis.crypto;
+
+  if (webCrypto?.getRandomValues) {
+    webCrypto.getRandomValues(bytes);
+    return bytes;
+  }
+
+  const expoCrypto = getExpoCrypto();
+
+  if (expoCrypto) {
+    return expoCrypto.getRandomBytes(byteCount);
+  }
+
+  throw new Error(
+    "Google auth provider adapter requires crypto.getRandomValues or expo-crypto.",
+  );
+}
+
+function toHex(bytes: Uint8Array) {
+  return Array.from(bytes)
+    .map((byte) => byte.toString(16).padStart(2, "0"))
+    .join("");
+}
+
+async function sha256Hex(value: string) {
+  const subtle = globalThis.crypto?.subtle;
+
+  if (subtle) {
+    const encodedValue = new TextEncoder().encode(value);
+    const digest = await subtle.digest("SHA-256", encodedValue);
+
+    return toHex(new Uint8Array(digest));
+  }
+
+  const expoCrypto = getExpoCrypto();
+
+  if (expoCrypto) {
+    return expoCrypto.digestStringAsync(
+      expoCrypto.CryptoDigestAlgorithm.SHA256,
+      value,
+      { encoding: expoCrypto.CryptoEncoding.HEX },
+    );
+  }
+
+  throw new Error(
+    "Google auth provider adapter requires crypto.subtle.digest or expo-crypto.",
+  );
+}
+
+export type GoogleAuthProviderExchangeInput = {
+  credential: GoogleCredentialResult;
+  idToken: string;
+  nonce: string;
+};
+
+export type GoogleAuthProviderExchange<TResult> = (
+  input: GoogleAuthProviderExchangeInput,
+) => Promise<TResult>;
+
+export type SignInWithGoogleAuthProviderOptions<TResult> = {
+  credentialOptions: GoogleCredentialOptions;
+  exchangeCredential: GoogleAuthProviderExchange<TResult>;
+};
+
+function toBase64Url(bytes: Uint8Array) {
+  let output = "";
+
+  for (let index = 0; index < bytes.length; index += 3) {
+    const first = bytes[index];
+    const second = bytes[index + 1];
+    const third = bytes[index + 2];
+    const hasSecond = index + 1 < bytes.length;
+    const hasThird = index + 2 < bytes.length;
+    const chunk = (first << 16) | ((second ?? 0) << 8) | (third ?? 0);
+
+    output += BASE64_URL_ALPHABET[(chunk >> 18) & 63];
+    output += BASE64_URL_ALPHABET[(chunk >> 12) & 63];
+
+    if (hasSecond) {
+      output += BASE64_URL_ALPHABET[(chunk >> 6) & 63];
+    }
+
+    if (hasThird) {
+      output += BASE64_URL_ALPHABET[chunk & 63];
+    }
+  }
+
+  return output;
+}
+
+async function createOidcNoncePair() {
+  const nonce = toBase64Url(getRandomBytes(32));
+  const hashedNonce = await sha256Hex(nonce);
+
+  return { nonce, hashedNonce };
+}
+
+export async function signInWithGoogleAuthProvider<TResult>({
+  credentialOptions,
+  exchangeCredential,
+}: SignInWithGoogleAuthProviderOptions<TResult>) {
+  const { nonce, hashedNonce } = await createOidcNoncePair();
+  const credential = await signInWithGoogleCredential({
+    ...credentialOptions,
+    nonce: credentialOptions.nonce ?? hashedNonce,
+  });
+
+  return exchangeCredential({
+    credential,
+    idToken: credential.idToken,
+    nonce,
+  });
+}

package/src/adapters/index.ts

@@ -0,0 +1,2 @@
+export * from "./google-auth-provider";
+export * from "./supabase";

package/src/adapters/supabase.ts

@@ -0,0 +1,28 @@
+import type { GoogleCredentialOptions } from "../types";
+import { signInWithGoogleAuthProvider } from "./google-auth-provider";
+
+export type SupabaseGoogleIdTokenExchange<TResult> = (input: {
+  idToken: string;
+  nonce: string;
+}) => Promise<TResult>;
+
+export type SupabaseGoogleAuthAdapterOptions<TResult> = {
+  credentialOptions: GoogleCredentialOptions;
+  exchangeGoogleIdToken: SupabaseGoogleIdTokenExchange<TResult>;
+};
+
+export function createSupabaseGoogleAuthAdapter<TResult>({
+  credentialOptions,
+  exchangeGoogleIdToken,
+}: SupabaseGoogleAuthAdapterOptions<TResult>) {
+  return function signInWithGoogleUsingSupabase() {
+    return signInWithGoogleAuthProvider({
+      credentialOptions,
+      exchangeCredential: ({ idToken, nonce }) =>
+        exchangeGoogleIdToken({
+          idToken,
+          nonce,
+        }),
+    });
+  };
+}

package/src/index.ts

@@ -0,0 +1,98 @@
+import PricavaGoogleCredentialModule from "./PricavaGoogleCredentialModule";
+import type {
+  AndroidGoogleCredentialAccountFilter,
+  AndroidGoogleCredentialFlow,
+  GoogleCredentialOptions,
+  GoogleCredentialResult,
+  ResolvedGoogleCredentialOptions,
+} from "./types";
+
+export * from "./types";
+
+const DEFAULT_ANDROID_FLOW: AndroidGoogleCredentialFlow = "sign-in-button";
+const DEFAULT_ANDROID_ACCOUNT_FILTER: AndroidGoogleCredentialAccountFilter =
+  "authorized-first";
+const DEFAULT_ANDROID_AUTO_SELECT = true;
+const DEFAULT_WEB_AUTO_SELECT = true;
+const DEFAULT_WEB_USE_FED_CM = true;
+
+export class GoogleCredentialUnavailableError extends Error {
+  constructor(message = "Google credential sign-in is not available.") {
+    super(message);
+    this.name = "GoogleCredentialUnavailableError";
+  }
+}
+
+export async function isAvailableAsync(): Promise<boolean> {
+  return PricavaGoogleCredentialModule.isAvailableAsync();
+}
+
+export async function isGoogleCredentialAvailable(): Promise<boolean> {
+  return isAvailableAsync();
+}
+
+export async function signInAsync(
+  options: GoogleCredentialOptions,
+): Promise<GoogleCredentialResult> {
+  return PricavaGoogleCredentialModule.signInAsync(
+    resolveGoogleCredentialOptions(options),
+  );
+}
+
+export async function signInWithGoogleCredential(
+  options: GoogleCredentialOptions,
+): Promise<GoogleCredentialResult> {
+  if (!options.webClientId.trim()) {
+    throw new Error("Missing Google web client ID.");
+  }
+
+  const isAvailable = await isGoogleCredentialAvailable();
+
+  if (!isAvailable) {
+    throw new GoogleCredentialUnavailableError(
+      "Google credential sign-in is not available on this platform.",
+    );
+  }
+
+  return signInAsync(options);
+}
+
+export function resolveGoogleCredentialOptions(
+  options: GoogleCredentialOptions,
+): ResolvedGoogleCredentialOptions {
+  return {
+    webClientId: options.webClientId,
+    iosClientId: options.iosClientId,
+    nonce: options.nonce,
+    androidFlow: options.android?.flow ?? DEFAULT_ANDROID_FLOW,
+    androidAccountFilter:
+      options.android?.accountFilter ?? DEFAULT_ANDROID_ACCOUNT_FILTER,
+    androidAutoSelect:
+      options.android?.autoSelect ?? DEFAULT_ANDROID_AUTO_SELECT,
+    webAutoSelect: options.web?.autoSelect ?? DEFAULT_WEB_AUTO_SELECT,
+    webUseFedCm: options.web?.useFedCm ?? DEFAULT_WEB_USE_FED_CM,
+  };
+}
+
+export async function clearCredentialStateAsync(): Promise<void> {
+  return PricavaGoogleCredentialModule.clearCredentialStateAsync();
+}
+
+export async function clearGoogleCredentialState(): Promise<void> {
+  const isAvailable = await isGoogleCredentialAvailable();
+
+  if (!isAvailable) {
+    return;
+  }
+
+  return clearCredentialStateAsync();
+}
+
+export default {
+  clearGoogleCredentialState,
+  isAvailableAsync,
+  isGoogleCredentialAvailable,
+  signInAsync,
+  signInWithGoogleCredential,
+  clearCredentialStateAsync,
+};

package/src/types.ts

@@ -0,0 +1,54 @@
+export type AndroidGoogleCredentialFlow = "credential" | "sign-in-button";
+
+export type AndroidGoogleCredentialAccountFilter =
+  | "all"
+  | "authorized-first";
+
+export type GoogleCredentialAndroidOptions = {
+  flow?: AndroidGoogleCredentialFlow;
+  accountFilter?: AndroidGoogleCredentialAccountFilter;
+  autoSelect?: boolean;
+};
+
+export type GoogleCredentialWebOptions = {
+  autoSelect?: boolean;
+  useFedCm?: boolean;
+};
+
+export type GoogleCredentialOptions = {
+  webClientId: string;
+  iosClientId?: string | null;
+  nonce?: string | null;
+  android?: GoogleCredentialAndroidOptions;
+  web?: GoogleCredentialWebOptions;
+};
+
+export type ResolvedGoogleCredentialOptions = {
+  webClientId: string;
+  iosClientId?: string | null;
+  nonce?: string | null;
+  androidFlow: AndroidGoogleCredentialFlow;
+  androidAccountFilter: AndroidGoogleCredentialAccountFilter;
+  androidAutoSelect: boolean;
+  webAutoSelect: boolean;
+  webUseFedCm: boolean;
+};
+
+export type GoogleCredentialResult = {
+  idToken: string;
+  displayName: string | null;
+  email: string | null;
+  familyName: string | null;
+  givenName: string | null;
+  id: string | null;
+  phoneNumber: string | null;
+  profilePictureUri: string | null;
+};
+
+export type PricavaGoogleCredentialNativeModule = {
+  isAvailableAsync(): Promise<boolean>;
+  signInAsync(
+    options: ResolvedGoogleCredentialOptions,
+  ): Promise<GoogleCredentialResult>;
+  clearCredentialStateAsync(): Promise<void>;
+};