@proveanything/smartlinks-auth-ui 0.4.10 → 0.4.12

package/dist/index.js

@@ -12617,6 +12617,18 @@ const useAuth = () => {
 // VERSION: Update this when making changes to help identify which version is running
 const AUTH_UI_VERSION = '46';
 const LOG_PREFIX = `[SmartlinksAuthUI:v${AUTH_UI_VERSION}]`;
+// Normalize malformed query strings where a second '?' is used instead of '&'.
+// Some host platforms append "?mode=...&token=..." to a URL that already has a "?pageId=...",
+// resulting in "?pageId=xxx?mode=resetPassword&token=yyy". Convert any extra '?' to '&'
+// so URLSearchParams can parse mode/token correctly.
+const normalizeQueryString = (query) => {
+    // Strip a single leading '?' if present, then replace any remaining '?' with '&'
+    const withoutLead = query.startsWith('?') ? query.slice(1) : query;
+    return withoutLead.replace(/\?/g, '&');
+};
+const buildSearchParams = (rawQuery) => {
+    return new URLSearchParams(normalizeQueryString(rawQuery));
+};
 // Helper to check for URL auth params synchronously (runs during initialization)
 // This prevents the form from flashing before detecting deep-link flows
 const getInitialUrlAuthParams = () => {
@@ -12624,8 +12636,8 @@ const getInitialUrlAuthParams = () => {
     const hash = window.location.hash;
     const hashQueryIndex = hash.indexOf('?');
     const params = hashQueryIndex !== -1
-        ? new URLSearchParams(hash.substring(hashQueryIndex + 1))
-        : new URLSearchParams(window.location.search);
+        ? buildSearchParams(hash.substring(hashQueryIndex + 1))
+        : buildSearchParams(window.location.search);
     return {
         mode: params.get('mode'),
         token: params.get('token'),
@@ -12671,7 +12683,9 @@ const WHITELISTED_GOOGLE_OAUTH_HOSTS = [
 ];
 /**
  * Check if the current domain is whitelisted for direct Google OAuth.
- * Uses exact hostname match (plus subdomain match for smartlinks.app production).
+ * Uses EXACT hostname match only — subdomains (e.g. hubdev.smartlinks.app)
+ * are NOT auto-whitelisted because they're not registered with Google Cloud Console.
+ * Unregistered domains must route through the Google OAuth proxy.
  * Merges the hardcoded list with any additional domains from auth kit config.
  * Returns true if OneTap/inline flow can work without a proxy.
  */
@@ -12680,7 +12694,7 @@ const isWhitelistedGoogleDomain = (additionalDomains) => {
     const allDomains = additionalDomains?.length
         ? [...WHITELISTED_GOOGLE_OAUTH_HOSTS, ...additionalDomains]
         : WHITELISTED_GOOGLE_OAUTH_HOSTS;
-    return allDomains.some(domain => hostname === domain || hostname.endsWith(`.${domain}`));
+    return allDomains.some(domain => hostname === domain);
 };
 // Default auth UI configuration when no clientId is provided
 const DEFAULT_AUTH_CONFIG = {
@@ -13099,10 +13113,10 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             if (hashQueryIndex !== -1) {
                 // Extract query string from hash (e.g., #/test?mode=verifyEmail&token=abc)
                 const hashQuery = hash.substring(hashQueryIndex + 1);
-                return new URLSearchParams(hashQuery);
+                return buildSearchParams(hashQuery);
             }
             // Fall back to regular search params (for non-hash routing)
-            return new URLSearchParams(window.location.search);
+            return buildSearchParams(window.location.search);
         };
         const params = getUrlParams();
         const urlMode = params.get('mode');