@rebasepro/server-core 0.0.1-canary.f81da60 → 0.1.2

package/dist/server-core/src/auth/google-oauth.d.ts

@@ -6,12 +6,42 @@ export interface GoogleUserInfo {
     photoUrl: string | null;
     emailVerified: boolean;
 }
+export interface GoogleProviderConfig {
+    clientId: string;
+    /**
+     * The OAuth 2.0 client secret from Google Cloud Console.
+     *
+     * Required for the **authorization code flow** (Path 3), where the
+     * frontend sends an authorization `code` and the backend exchanges it
+     * server-side for tokens. This is the most secure flow because tokens
+     * never touch the browser.
+     *
+     * When omitted, only ID-token and access-token verification are available
+     * (Paths 1 & 2), which rely on the frontend obtaining tokens directly.
+     */
+    clientSecret?: string;
+}
 /**
  * Creates a Google OAuth Provider integration.
- * Supports both ID-token verification (One Tap / renderButton) and
- * access-token verification (popup via initTokenClient).
+ *
+ * Supports three verification paths:
+ *
+ * **Path 1 – ID Token** (One Tap / Sign In With Google button):
+ *   Frontend sends `idToken`. Backend verifies cryptographically using
+ *   Google's public keys. No secret required.
+ *
+ * **Path 2 – Access Token** (popup via `initTokenClient`):
+ *   Frontend sends `accessToken`. Backend validates by calling Google's
+ *   userinfo endpoint. No secret required.
+ *
+ * **Path 3 – Authorization Code** (most secure, requires `clientSecret`):
+ *   Frontend sends `code` + `redirectUri`. Backend exchanges the code
+ *   server-side for an ID token using `clientId` + `clientSecret`, then
+ *   verifies the ID token. Tokens never touch the browser.
  */
-export declare function createGoogleProvider(clientId: string): OAuthProvider<{
+export declare function createGoogleProvider(config: GoogleProviderConfig | string): OAuthProvider<{
     idToken?: string;
     accessToken?: string;
+    code?: string;
+    redirectUri?: string;
 }>;

package/dist/server-core/src/auth/index.d.ts

@@ -4,6 +4,7 @@ export type { JwtConfig, AccessTokenPayload } from "./jwt";
 export { hashPassword, verifyPassword, validatePasswordStrength } from "./password";
 export type { PasswordValidationResult } from "./password";
 export { createGoogleProvider } from "./google-oauth";
+export type { GoogleProviderConfig } from "./google-oauth";
 export { createLinkedinProvider } from "./linkedin-oauth";
 export { createGitHubProvider } from "./github-oauth";
 export { createMicrosoftProvider } from "./microsoft-oauth";

package/dist/server-core/src/init.d.ts

@@ -29,6 +29,7 @@ export interface RebaseAuthConfig {
     email?: EmailConfig;
     google?: {
         clientId: string;
+        clientSecret?: string;
     };
     linkedin?: {
         clientId: string;

package/dist/types/src/controllers/auth.d.ts

@@ -80,8 +80,14 @@ export type AuthController<USER extends User = User, ExtraData = unknown> = {
 export interface AuthControllerExtended<USER extends User = User, ExtraData = unknown> extends AuthController<USER, ExtraData> {
     /** Login with email and password */
     emailPasswordLogin?(email: string, password: string): Promise<void>;
-    /** Login with a Google token (ID token or access token from popup) */
-    googleLogin?(token: string, tokenType?: "idToken" | "accessToken"): Promise<void>;
+    /** Login with a Google token or authorization code */
+    googleLogin?: {
+        (token: string, tokenType?: "idToken" | "accessToken"): Promise<void>;
+        (payload: {
+            code: string;
+            redirectUri: string;
+        }): Promise<void>;
+    };
     /** Register a new user */
     register?(email: string, password: string, displayName?: string): Promise<void>;
     /** Skip login (for anonymous access if enabled) */

package/dist/types/src/controllers/client.d.ts

@@ -167,4 +167,17 @@ export interface RebaseClient<DB = unknown> {
     email?: EmailService;
     /** Admin API for user and role management */
     admin?: AdminAPI;
+    /**
+     * The base HTTP URL of the backend server.
+     * Exposed by the SDK client (`@rebasepro/client`) and used to auto-derive
+     * the `ApiConfigProvider` URL.
+     */
+    baseUrl?: string;
+    /**
+     * WebSocket client for realtime subscriptions and admin capabilities.
+     * Exposed by the SDK client (`@rebasepro/client`). The shape is intentionally
+     * left as `unknown` in the base interface — callers should narrow via feature
+     * detection (e.g. `typeof ws.executeSql === "function"`).
+     */
+    ws?: unknown;
 }

package/dist/types/src/controllers/navigation.d.ts

@@ -144,17 +144,18 @@ export interface AppView {
      * It will still be accessible if you reach the specified path
      */
     hideFromNavigation?: boolean;
+    /**
+     * Navigation group for this view.
+     * Views sharing the same group name will be visually grouped
+     * together in the drawer and home page. If not set, the view
+     * falls into the default "Views" group.
+     */
+    group?: string;
     /**
      * Component to be rendered. This can be any React component, and can use
      * any of the provided hooks
      */
     view: React.ReactNode;
-    /**
-     * Optional field used to group top level navigation entries under a
-     * navigation view.
-     * This prop is ignored for admin views.
-     */
-    group?: string;
     /**
      * If true, a wildcard route (slug/*) is automatically registered
      * alongside the base route, enabling nested navigation within this view.
@@ -193,6 +194,17 @@ export interface NavigationGroupMapping {
      * List of collection ids or view paths that belong to this group.
      */
     entries: string[];
+    /**
+     * Configure which groups start collapsed.
+     * Set to `true` to collapse in both drawer and home page,
+     * or use an object to control each independently.
+     *
+     * @defaultValue false (expanded)
+     */
+    collapsedByDefault?: boolean | {
+        drawer?: boolean;
+        home?: boolean;
+    };
 }
 export interface NavigationEntry {
     id: string;

package/dist/types/src/controllers/registry.d.ts

@@ -3,7 +3,7 @@ import type { EntityCollection } from "../types/collections";
 import type { EntityCollectionsBuilder } from "../types/builders";
 import type { EntityCustomView } from "../types/entity_views";
 import type { EntityAction } from "../types/entity_actions";
-import type { AppView } from "./navigation";
+import type { AppView, NavigationGroupMapping } from "./navigation";
 /**
  * Options to enable the built-in collection editor.
  * When provided to `<RebaseCMS>`, the editor is auto-wired as a native feature.
@@ -25,6 +25,14 @@ export interface RebaseCMSConfig<EC extends EntityCollection = any> {
     entityViews?: EntityCustomView<any>[];
     entityActions?: EntityAction[];
     plugins?: any[];
+    /**
+     * Centralized configuration for how collections and views are grouped
+     * in the navigation sidebar and home page.
+     * Each mapping defines a named group and the collection/view slugs
+     * that belong to it. The array order determines group display order.
+     * Entry order within each group determines card order.
+     */
+    navigationGroupMappings?: NavigationGroupMapping[];
     /**
      * Enable the built-in visual collection/schema editor.
      * Pass `true` for zero-config, or an options object for fine-grained control.

package/dist/types/src/controllers/side_entity_controller.d.ts

@@ -62,6 +62,13 @@ export interface EntitySidePanelProps<M extends Record<string, unknown> = Record
      * Allow the user to open the entity fullscreen
      */
     allowFullScreen?: boolean;
+    /**
+     * Pre-populate the form with these values when creating a new entity.
+     * Only applied when `entityId` is not set (i.e. the form is in "new" mode).
+     * Useful for actions that fetch data from an external source (e.g. a URL)
+     * and want to pre-fill the document before the user saves.
+     */
+    defaultValues?: Partial<M>;
 }
 /**
  * Controller to open the side dialog displaying entity forms

package/dist/types/src/rebase_context.d.ts

@@ -3,6 +3,7 @@ import type { AuthController } from "./controllers/auth";
 import type { StorageSource } from "./controllers/storage";
 import type { UserConfigurationPersistence } from "./controllers/local_config_persistence";
 import type { DatabaseAdmin } from "./types/backend";
+import type { RebaseClient } from "./controllers/client";
 import type { RebaseData } from "./controllers/data";
 import type { User } from "./users";
 import type { UserManagementDelegate } from "./types/user_management_delegate";
@@ -12,6 +13,22 @@ import type { UserManagementDelegate } from "./types/user_management_delegate";
  * @group Hooks and utilities
  */
 export type RebaseCallContext<USER extends User = User> = {
+    /**
+     * The Rebase client instance.
+     * Available in all entity callbacks (beforeSave, afterSave, afterRead,
+     * beforeDelete, afterDelete) and in CollectionActionsProps via context.
+     * Use it to call backend functions, access data, storage, etc.
+     *
+     * @example
+     * // In a beforeSave callback:
+     * const result = await context.client.functions.invoke('my-function', { ... });
+     *
+     * @example
+     * // In a CollectionAction component:
+     * const { client } = props.context;
+     * const result = await client.functions.invoke('extract-job', { url });
+     */
+    client: RebaseClient<any>;
     /**
      * Unified data access — `context.data.products.create(...)`.
      * Access any collection as a dynamic property.

package/dist/types/src/types/collections.d.ts

@@ -9,6 +9,7 @@ import type { RebaseContext } from "../rebase_context";
 import type { Relation } from "./relations";
 import type { EntityCustomView } from "./entity_views";
 import type { EntityAction } from "./entity_actions";
+import type { ComponentRef } from "./component_ref";
 /**
  * Base interface containing all driver-agnostic collection properties.
  * Use {@link PostgresCollection} or {@link FirebaseCollection} for
@@ -86,6 +87,9 @@ export interface BaseEntityCollection<M extends Record<string, unknown> = Record
     icon?: string | React.ReactNode;
     /**
      * Navigation group for this collection.
+     * Collections sharing the same group name will be visually grouped
+     * together in the drawer and home page. If not set, the collection
+     * falls into the default "Views" group.
      */
     group?: string;
     /**
@@ -301,7 +305,7 @@ export interface BaseEntityCollection<M extends Record<string, unknown> = Record
     /**
      * Builder for the collection actions rendered in the toolbar
      */
-    Actions?: React.ComponentType<any>[];
+    Actions?: ComponentRef<CollectionActionsProps>[];
 }
 /**
  * A collection backed by PostgreSQL (or any SQL database).
@@ -482,6 +486,21 @@ export interface CollectionActionsProps<M extends Record<string, unknown> = Reco
      * undefined means the count is still loading.
      */
     collectionEntitiesCount?: number;
+    /**
+     * Programmatically open the new-document form for this collection,
+     * optionally pre-populating it with initial field values.
+     * The form opens in the same mode configured for the collection
+     * (side panel, full screen, or split).
+     *
+     * This is the primary hook for workflows that need to create a document
+     * from external data — e.g. fetching content from a URL, importing from
+     * a third-party API, or duplicating from another system.
+     *
+     * @example
+     * // Inside a custom CollectionAction component:
+     * openNewDocument({ title: "Fetched title", body: "..." });
+     */
+    openNewDocument: (defaultValues?: Record<string, unknown>) => void;
 }
 /**
  * Use this controller to retrieve the selected entities or modify them in

package/dist/types/src/types/component_ref.d.ts

@@ -0,0 +1,47 @@
+import type React from "react";
+/**
+ * Internal marker for a lazily-loaded component reference.
+ * Created by the Vite transform plugin when converting string paths
+ * to deferred `import()` calls. Users should NOT create these manually.
+ *
+ * @internal
+ */
+export interface LazyComponentRef<P = unknown> {
+    readonly __rebaseLazy: true;
+    readonly load: () => Promise<{
+        default: React.ComponentType<P>;
+    }>;
+}
+/**
+ * A reference to a React component that can be provided in three forms:
+ *
+ * 1. **String path** (recommended for collection configs):
+ *    ```ts
+ *    Field: "../../frontend/src/components/MyField"
+ *    ```
+ *    The Vite plugin transforms this into a `LazyComponentRef` at build time.
+ *    On the backend, the string stays inert and is never evaluated.
+ *
+ * 2. **Lazy import function**:
+ *    ```ts
+ *    Field: () => import("../../frontend/src/components/MyField")
+ *    ```
+ *    Standard ES dynamic import. Backend never calls the function.
+ *
+ * 3. **Direct component reference** (use only in frontend-only code):
+ *    ```ts
+ *    Field: MyFieldComponent
+ *    ```
+ *    Importing a component at the top level will pull React into the
+ *    backend runtime — only safe in code that the backend never imports.
+ *
+ * @group Types
+ */
+export type ComponentRef<P = unknown> = React.ComponentType<P> | LazyComponentRef<P> | (() => Promise<{
+    default: React.ComponentType<P>;
+}>) | string;
+/**
+ * Type guard: checks if a value is a `LazyComponentRef` produced by the
+ * Vite transform plugin.
+ */
+export declare function isLazyComponentRef<P = unknown>(ref: unknown): ref is LazyComponentRef<P>;

package/dist/types/src/types/entity_views.d.ts

@@ -2,6 +2,7 @@ import React from "react";
 import type { Entity, EntityValues } from "./entities";
 import type { EntityCollection } from "./collections";
 import type { FormexController } from "./formex";
+import type { ComponentRef } from "./component_ref";
 /**
  * Context passed to custom fields and entity views.
  * @group Form custom fields
@@ -46,7 +47,7 @@ export type EntityCustomView<M extends Record<string, unknown> = Record<string,
     name: string;
     tabComponent?: React.ReactNode;
     includeActions?: boolean | "bottom";
-    Builder?: React.ComponentType<EntityCustomViewParams<M>>;
+    Builder?: ComponentRef<EntityCustomViewParams<M>>;
     position?: "start" | "end";
 };
 export interface EntityCustomViewParams<M extends Record<string, unknown> = Record<string, unknown>> {

package/dist/types/src/types/index.d.ts

@@ -23,3 +23,4 @@ export * from "./entity_views";
 export * from "./data_source";
 export * from "./cron";
 export * from "./backend_hooks";
+export * from "./component_ref";

package/dist/types/src/types/properties.d.ts

@@ -1,4 +1,4 @@
-import React from "react";
+import type { ComponentRef } from "./component_ref";
 import type { EntityReference, EntityRelation, EntityValues, GeoPoint, Entity } from "./entities";
 import type { Relation, JoinStep, OnAction } from "./relations";
 import type { EntityCollection, FilterValues } from "./collections";
@@ -104,8 +104,8 @@ export interface BaseUIConfig<CustomProps = unknown> {
     disabled?: boolean | PropertyDisabledConfig;
     widthPercentage?: number;
     customProps?: CustomProps;
-    Field?: React.ComponentType<any>;
-    Preview?: React.ComponentType<any>;
+    Field?: ComponentRef<any>;
+    Preview?: ComponentRef<any>;
 }
 export interface BaseProperty<CustomProps = unknown> {
     ui?: BaseUIConfig<CustomProps>;
@@ -124,6 +124,18 @@ export interface BaseProperty<CustomProps = unknown> {
      * overwritten by the current property config.
      */
     propertyConfig?: string;
+    /**
+     * Explicit database column name. When set, this value is used as-is
+     * for the SQL column name, bypassing any snake_case conversion of
+     * the property key.
+     *
+     * This is automatically populated by `rebase schema introspect`
+     * to guarantee an exact match with the live database schema.
+     *
+     * For manually-authored collections you can omit this — the framework
+     * will derive the column name from the property key via `toSnakeCase()`.
+     */
+    columnName?: string;
     /**
      * Rules for validating this property
      */

package/dist/types/src/types/translations.d.ts

@@ -51,6 +51,8 @@ export interface RebaseTranslations {
     all_entries_loaded: string;
     create_your_first_entry: string;
     no_results_filter_sort: string;
+    /** Shown when a text search yields no results. Supports `{{search}}` interpolation. */
+    no_results_search?: string;
     add: string;
     remove: string;
     copy_id: string;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@rebasepro/server-core",
   "type": "module",
-  "version": "0.0.1-canary.f81da60",
+  "version": "0.1.2",
   "description": "Database-Agnostic Backend Core for Rebase",
   "funding": {
     "url": "https://github.com/sponsors/rebaseco"
@@ -52,10 +52,10 @@
     "ts-morph": "27.0.2",
     "ws": "^8.16.0",
     "zod": "^3.22.4",
-    "@rebasepro/client": "0.0.1-canary.f81da60",
-    "@rebasepro/common": "0.0.1-canary.f81da60",
-    "@rebasepro/types": "0.0.1-canary.f81da60",
-    "@rebasepro/utils": "0.0.1-canary.f81da60"
+    "@rebasepro/client": "0.1.2",
+    "@rebasepro/common": "0.1.2",
+    "@rebasepro/utils": "0.1.2",
+    "@rebasepro/types": "0.1.2"
   },
   "devDependencies": {
     "@types/jest": "^29.5.14",
@@ -69,8 +69,8 @@
     "ts-jest": "29.4.1",
     "typescript": "^5.0.0",
     "vite": "^5.0.0",
-    "@rebasepro/common": "0.0.1-canary.f81da60",
-    "@rebasepro/types": "0.0.1-canary.f81da60"
+    "@rebasepro/common": "0.1.2",
+    "@rebasepro/types": "0.1.2"
   },
   "gitHead": "d935eefa5aa8d1009a2398cfac2c1e4ee9aeb6b6",
   "publishConfig": {

package/src/api/errors.ts

@@ -120,10 +120,11 @@ export const errorHandler: ErrorHandler = (err, c) => {
         `❌ [API] ${c.req.method} ${c.req.path} → ${statusCode} ${code}: ${logMessage}`
     );
 
-    // Suppress the huge stack trace for known missing schema errors (it's noisy and not a code bug)
+    // Suppress the huge stack trace for known DB errors (it's noisy and leaks SQL)
     const causePg = (error.cause && typeof error.cause === "object") ? (error.cause as PgLikeError) : undefined;
     const pgErrorCode = causePg?.code || error.code;
-    if (pgErrorCode !== "42703" && pgErrorCode !== "42P01") {
+    const suppressStack = pgErrorCode === "42703" || pgErrorCode === "42P01" || (statusCode < 500 && code === "BAD_REQUEST");
+    if (!suppressStack) {
         console.error(error.stack || error);
     }
 

package/src/api/server.ts

@@ -69,8 +69,11 @@ export class RebaseApiServer {
      * Setup Hono middleware
      */
     private setupMiddleware(): void {
-        // Security headers
-        this.router.use("/*", secureHeaders());
+        // Security headers — use same-origin-allow-popups for COOP so that
+        // OAuth popup flows (Google, etc.) can postMessage back to the opener.
+        this.router.use("/*", secureHeaders({
+            crossOriginOpenerPolicy: "same-origin-allow-popups"
+        }));
 
         // CORS — only applied if explicitly configured via `cors` option.
         // If omitted, the user is expected to configure CORS on their own

package/src/auth/google-oauth.ts

@@ -10,26 +10,69 @@ export interface GoogleUserInfo {
     emailVerified: boolean;
 }
 
+export interface GoogleProviderConfig {
+    clientId: string;
+    /**
+     * The OAuth 2.0 client secret from Google Cloud Console.
+     *
+     * Required for the **authorization code flow** (Path 3), where the
+     * frontend sends an authorization `code` and the backend exchanges it
+     * server-side for tokens. This is the most secure flow because tokens
+     * never touch the browser.
+     *
+     * When omitted, only ID-token and access-token verification are available
+     * (Paths 1 & 2), which rely on the frontend obtaining tokens directly.
+     */
+    clientSecret?: string;
+}
+
 /**
  * Creates a Google OAuth Provider integration.
- * Supports both ID-token verification (One Tap / renderButton) and
- * access-token verification (popup via initTokenClient).
+ *
+ * Supports three verification paths:
+ *
+ * **Path 1 – ID Token** (One Tap / Sign In With Google button):
+ *   Frontend sends `idToken`. Backend verifies cryptographically using
+ *   Google's public keys. No secret required.
+ *
+ * **Path 2 – Access Token** (popup via `initTokenClient`):
+ *   Frontend sends `accessToken`. Backend validates by calling Google's
+ *   userinfo endpoint. No secret required.
+ *
+ * **Path 3 – Authorization Code** (most secure, requires `clientSecret`):
+ *   Frontend sends `code` + `redirectUri`. Backend exchanges the code
+ *   server-side for an ID token using `clientId` + `clientSecret`, then
+ *   verifies the ID token. Tokens never touch the browser.
  */
-export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken?: string; accessToken?: string }> {
-    const googleClient = new OAuth2Client(clientId);
+export function createGoogleProvider(config: GoogleProviderConfig | string): OAuthProvider<{
+    idToken?: string;
+    accessToken?: string;
+    code?: string;
+    redirectUri?: string;
+}> {
+    const clientId = typeof config === "string" ? config : config.clientId;
+    const clientSecret = typeof config === "string" ? undefined : config.clientSecret;
+    const googleClient = new OAuth2Client(clientId, clientSecret);
 
     return {
         id: "google",
         schema: z.object({
             idToken: z.string().min(1).optional(),
-            accessToken: z.string().min(1).optional()
+            accessToken: z.string().min(1).optional(),
+            code: z.string().min(1).optional(),
+            redirectUri: z.string().min(1).optional()
         }).refine(
-            (data) => data.idToken || data.accessToken,
-            { message: "Either idToken or accessToken is required" }
+            (data) => data.idToken || data.accessToken || (data.code && data.redirectUri),
+            { message: "One of idToken, accessToken, or code+redirectUri is required" }
         ),
-        verify: async (payload: { idToken?: string; accessToken?: string }): Promise<OAuthProviderProfile | null> => {
+        verify: async (payload: {
+            idToken?: string;
+            accessToken?: string;
+            code?: string;
+            redirectUri?: string;
+        }): Promise<OAuthProviderProfile | null> => {
             try {
-                // Path 1: verify an ID token (legacy / One Tap)
+                // Path 1: verify an ID token (One Tap / renderButton)
                 if (payload.idToken) {
                     const ticket = await googleClient.verifyIdToken({
                         idToken: payload.idToken,
@@ -38,7 +81,7 @@ export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken?
 
                     const content = ticket.getPayload();
                     if (!content) {
-                        return null;
+                        throw new Error("Google ID token payload was empty");
                     }
 
                     return {
@@ -56,8 +99,7 @@ export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken?
                         { headers: { Authorization: `Bearer ${payload.accessToken}` } }
                     );
                     if (!res.ok) {
-                        console.error("Google userinfo request failed:", res.status);
-                        return null;
+                        throw new Error(`Google userinfo request failed with status ${res.status}`);
                     }
                     const info = await res.json() as {
                         sub: string;
@@ -66,7 +108,7 @@ export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken?
                         picture?: string;
                     };
                     if (!info.sub || !info.email) {
-                        return null;
+                        throw new Error("Google userinfo response missing sub or email");
                     }
                     return {
                         providerId: info.sub,
@@ -76,12 +118,101 @@ export function createGoogleProvider(clientId: string): OAuthProvider<{ idToken?
                     };
                 }
 
-                return null;
+                // Path 3: authorization code exchange (most secure)
+                // The frontend obtained a one-time authorization code via the
+                // Google OAuth consent screen. We exchange it server-side for
+                // tokens, so the access/id tokens never touch the browser.
+                if (payload.code && payload.redirectUri) {
+                    if (!clientSecret) {
+                        throw new Error(
+                            "Google authorization code flow requires clientSecret. " +
+                            "Configure GOOGLE_CLIENT_SECRET in your environment."
+                        );
+                    }
+
+                    // Exchange the authorization code for tokens
+                    const tokenResponse = await fetch("https://oauth2.googleapis.com/token", {
+                        method: "POST",
+                        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                        body: new URLSearchParams({
+                            code: payload.code,
+                            client_id: clientId,
+                            client_secret: clientSecret,
+                            redirect_uri: payload.redirectUri,
+                            grant_type: "authorization_code"
+                        })
+                    });
+
+                    if (!tokenResponse.ok) {
+                        const errorBody = await tokenResponse.text();
+                        throw new Error(`Google token exchange failed (${tokenResponse.status}): ${errorBody}`);
+                    }
+
+                    const tokenData = await tokenResponse.json() as {
+                        id_token?: string;
+                        access_token?: string;
+                        error?: string;
+                        error_description?: string;
+                    };
+
+                    if (tokenData.error) {
+                        throw new Error(`Google token exchange error: ${tokenData.error} – ${tokenData.error_description || "no details"}`);
+                    }
+
+                    // Prefer verifying the ID token (cryptographic verification)
+                    if (tokenData.id_token) {
+                        const ticket = await googleClient.verifyIdToken({
+                            idToken: tokenData.id_token,
+                            audience: clientId
+                        });
+
+                        const content = ticket.getPayload();
+                        if (!content) {
+                            throw new Error("Google ID token payload was empty after code exchange");
+                        }
+
+                        return {
+                            providerId: content.sub,
+                            email: content.email || "",
+                            displayName: content.name || null,
+                            photoUrl: content.picture || null
+                        };
+                    }
+
+                    // Fallback: use the access token to fetch userinfo
+                    if (tokenData.access_token) {
+                        const userInfoRes = await fetch(
+                            "https://www.googleapis.com/oauth2/v3/userinfo",
+                            { headers: { Authorization: `Bearer ${tokenData.access_token}` } }
+                        );
+                        if (!userInfoRes.ok) {
+                            throw new Error(`Google userinfo request failed after code exchange (${userInfoRes.status})`);
+                        }
+                        const info = await userInfoRes.json() as {
+                            sub: string;
+                            email?: string;
+                            name?: string;
+                            picture?: string;
+                        };
+                        if (!info.sub || !info.email) {
+                            return null;
+                        }
+                        return {
+                            providerId: info.sub,
+                            email: info.email,
+                            displayName: info.name || null,
+                            photoUrl: info.picture || null
+                        };
+                    }
+
+                    throw new Error("Google token exchange returned neither id_token nor access_token");
+                }
+
+                throw new Error("No valid Google credential provided (expected idToken, accessToken, or code+redirectUri)");
             } catch (error) {
-                console.error("Failed to verify Google token:", error);
-                return null;
+                console.error("Google OAuth verification failed:", error);
+                throw error;
             }
         }
     };
 }
-