better-auth 1.6.16 → 1.6.17

package/dist/plugins/oauth-popup/client.mjs

@@ -0,0 +1,203 @@
+import { getBaseURL } from "../../utils/url.mjs";
+import { PACKAGE_VERSION } from "../../version.mjs";
+import { POPUP_TOKEN_STORAGE_KEY } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+//#region src/plugins/oauth-popup/client.ts
+const POPUP_NAME = "better-auth-oauth";
+const POPUP_WIDTH = 500;
+const POPUP_HEIGHT = 600;
+const CLOSED_POLL_MS = 500;
+const DEFAULT_TIMEOUT_MS = 300 * 1e3;
+/** True when embedded cross-origin, where the cookie may be partitioned. */
+function isEmbedded() {
+	if (typeof window === "undefined" || window.self === window.top) return false;
+	try {
+		window.top?.location.href;
+		return false;
+	} catch {
+		return true;
+	}
+}
+/** Reads the stored popup token (browser-only; null otherwise). */
+function getStoredPopupToken() {
+	if (typeof window === "undefined") return null;
+	try {
+		return window.localStorage.getItem(POPUP_TOKEN_STORAGE_KEY);
+	} catch {
+		return null;
+	}
+}
+function storePopupToken(token) {
+	try {
+		window.localStorage?.setItem(POPUP_TOKEN_STORAGE_KEY, token);
+	} catch {}
+}
+function clearPopupToken() {
+	try {
+		window.localStorage?.removeItem(POPUP_TOKEN_STORAGE_KEY);
+	} catch {}
+}
+/**
+* Attaches the popup token as a bearer header when embedded (where the cookie is
+* partitioned), and clears it once the session ends so it can't be reused.
+*/
+const popupBearerFetchPlugin = {
+	id: "better-auth-popup-bearer",
+	name: "Popup Bearer",
+	hooks: {
+		onRequest(context) {
+			if (!isEmbedded()) return context;
+			const token = getStoredPopupToken();
+			if (!token) return context;
+			const headers = new Headers(context.headers);
+			if (!headers.has("authorization")) headers.set("authorization", `Bearer ${token}`);
+			return {
+				...context,
+				headers
+			};
+		},
+		onSuccess(context) {
+			const path = new URL(context.request.url).pathname;
+			if (path.endsWith("/sign-out") || path.endsWith("/revoke-session") || path.endsWith("/revoke-sessions") || path.endsWith("/revoke-other-sessions") || path.endsWith("/delete-user")) clearPopupToken();
+		}
+	}
+};
+let activePopup = null;
+function popupError(code, status) {
+	return {
+		data: null,
+		error: {
+			code,
+			message: String(OAUTH_POPUP_ERROR_CODES[code]),
+			...status ? { status } : {}
+		}
+	};
+}
+function centeredFeatures() {
+	return `width=${POPUP_WIDTH},height=${POPUP_HEIGHT},left=${window.screenX + (window.outerWidth - POPUP_WIDTH) / 2},top=${window.screenY + (window.outerHeight - POPUP_HEIGHT) / 2},menubar=no,toolbar=no`;
+}
+function randomNonce() {
+	const bytes = new Uint8Array(16);
+	crypto.getRandomValues(bytes);
+	return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
+* Resolves with the token (or relayed error) once the completion page posts
+* back, gating on origin, type, and nonce.
+*/
+function waitForPopupResult(popup, expectedOrigin, nonce, timeoutMs) {
+	return new Promise((resolve) => {
+		let settled = false;
+		const settle = (outcome) => {
+			if (settled) return;
+			settled = true;
+			window.removeEventListener("message", onMessage);
+			clearInterval(closedPoll);
+			clearTimeout(timeout);
+			try {
+				if (!popup.closed) popup.close();
+			} catch {}
+			resolve(outcome);
+		};
+		const onMessage = (event) => {
+			if (event.origin !== expectedOrigin) return;
+			const data = event.data;
+			if (data?.type !== "better-auth:oauth-popup") return;
+			if (data.nonce !== nonce) return;
+			if (data.error) {
+				settle({
+					status: "error",
+					error: data.error
+				});
+				return;
+			}
+			if (typeof data.token !== "string" || !data.token) return;
+			settle({
+				status: "success",
+				token: data.token
+			});
+		};
+		const closedPoll = setInterval(() => {
+			if (popup.closed) settle({ status: "cancelled" });
+		}, CLOSED_POLL_MS);
+		const timeout = setTimeout(() => settle({ status: "timeout" }), timeoutMs);
+		window.addEventListener("message", onMessage);
+	});
+}
+function resolveAuthURL(options) {
+	const configured = getBaseURL(options?.baseURL, options?.basePath) ?? options?.basePath ?? "/api/auth";
+	return new URL(configured, window.location.origin);
+}
+/**
+* Builds `signIn.popup`. Runs the sign-in in the popup's own first-party
+* context (so the OAuth state cookie lands there), waits for the completion
+* page to post the session token back, stores it for the bearer fetch plugin,
+* and refreshes the reactive session.
+*/
+function createSignInPopup({ $fetch, options, notifySessionSignal }) {
+	return async function signInPopup(opts) {
+		if (typeof window === "undefined") return popupError("POPUP_SIGN_IN_FAILED");
+		const { provider, providerId, additionalData, windowFeatures, timeoutMs = DEFAULT_TIMEOUT_MS, callbackURL, errorCallbackURL, newUserCallbackURL, scopes, requestSignUp } = opts;
+		if (!provider && !providerId) return popupError("POPUP_SIGN_IN_FAILED");
+		if (activePopup && !activePopup.closed) {
+			activePopup.focus();
+			return popupError("POPUP_SIGN_IN_FAILED");
+		}
+		const nonce = randomNonce();
+		const authUrl = resolveAuthURL(options);
+		const authOrigin = authUrl.origin;
+		const startUrl = new URL(`${authUrl.href.replace(/\/$/, "")}/oauth-popup/start`);
+		startUrl.searchParams.set("provider", provider ?? providerId);
+		startUrl.searchParams.set("popupOrigin", window.location.origin);
+		startUrl.searchParams.set("popupNonce", nonce);
+		if (callbackURL) startUrl.searchParams.set("callbackURL", callbackURL);
+		if (errorCallbackURL) startUrl.searchParams.set("errorCallbackURL", errorCallbackURL);
+		if (newUserCallbackURL) startUrl.searchParams.set("newUserCallbackURL", newUserCallbackURL);
+		if (scopes?.length) startUrl.searchParams.set("scopes", scopes.join(","));
+		if (requestSignUp) startUrl.searchParams.set("requestSignUp", "true");
+		if (additionalData) startUrl.searchParams.set("additionalData", JSON.stringify(additionalData));
+		const popup = window.open(startUrl.toString(), POPUP_NAME, windowFeatures ?? centeredFeatures());
+		if (!popup) return popupError("POPUP_BLOCKED");
+		activePopup = popup;
+		const outcome = await waitForPopupResult(popup, authOrigin, nonce, timeoutMs);
+		activePopup = null;
+		if (outcome.status === "timeout") return popupError("POPUP_TIMEOUT");
+		if (outcome.status === "cancelled") return popupError("POPUP_CLOSED");
+		if (outcome.status === "error") return {
+			data: null,
+			error: {
+				code: outcome.error.code,
+				message: outcome.error.description || outcome.error.code
+			}
+		};
+		if (isEmbedded()) storePopupToken(outcome.token);
+		else clearPopupToken();
+		const session = await $fetch("/get-session");
+		if (session.error || !session.data) return popupError("POPUP_SIGN_IN_FAILED", session.error?.status);
+		notifySessionSignal();
+		return {
+			data: { success: true },
+			error: null
+		};
+	};
+}
+/**
+* Client plugin for popup OAuth sign-in. Adds `authClient.signIn.popup`. Pair
+* with the server `oauthPopup` and `bearer` plugins.
+*/
+const oauthPopupClient = () => {
+	return {
+		id: "oauth-popup",
+		version: PACKAGE_VERSION,
+		$InferServerPlugin: {},
+		$ERROR_CODES: OAUTH_POPUP_ERROR_CODES,
+		fetchPlugins: [popupBearerFetchPlugin],
+		getActions: ($fetch, $store, options) => ({ signIn: { popup: createSignInPopup({
+			$fetch,
+			options,
+			notifySessionSignal: () => $store.notify("$sessionSignal")
+		}) } })
+	};
+};
+//#endregion
+export { createSignInPopup, getStoredPopupToken, oauthPopupClient, popupBearerFetchPlugin };

package/dist/plugins/oauth-popup/constants.d.mts

@@ -0,0 +1,11 @@
+//#region src/plugins/oauth-popup/constants.d.ts
+/** postMessage `type` the completion page posts to its opener. */
+declare const OAUTH_POPUP_MESSAGE_TYPE = "better-auth:oauth-popup";
+/** DOM id of the inert JSON data block the completion page reads. */
+declare const OAUTH_POPUP_DATA_ELEMENT_ID = "better-auth-oauth-popup";
+/** Signed cookie carrying the opener origin/nonce from sign-in to callback. */
+declare const POPUP_MARKER_COOKIE = "oauth_popup";
+/** localStorage key the popup session token is persisted under. */
+declare const POPUP_TOKEN_STORAGE_KEY = "better-auth.popup_token";
+//#endregion
+export { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE, POPUP_TOKEN_STORAGE_KEY };

package/dist/plugins/oauth-popup/constants.mjs

@@ -0,0 +1,11 @@
+//#region src/plugins/oauth-popup/constants.ts
+/** postMessage `type` the completion page posts to its opener. */
+const OAUTH_POPUP_MESSAGE_TYPE = "better-auth:oauth-popup";
+/** DOM id of the inert JSON data block the completion page reads. */
+const OAUTH_POPUP_DATA_ELEMENT_ID = "better-auth-oauth-popup";
+/** Signed cookie carrying the opener origin/nonce from sign-in to callback. */
+const POPUP_MARKER_COOKIE = "oauth_popup";
+/** localStorage key the popup session token is persisted under. */
+const POPUP_TOKEN_STORAGE_KEY = "better-auth.popup_token";
+//#endregion
+export { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE, POPUP_TOKEN_STORAGE_KEY };

package/dist/plugins/oauth-popup/error-codes.d.mts

@@ -0,0 +1,11 @@
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/oauth-popup/error-codes.d.ts
+declare const OAUTH_POPUP_ERROR_CODES: {
+  POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+  POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+  POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+  POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+};
+//#endregion
+export { OAUTH_POPUP_ERROR_CODES };

package/dist/plugins/oauth-popup/error-codes.mjs

@@ -0,0 +1,10 @@
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+//#region src/plugins/oauth-popup/error-codes.ts
+const OAUTH_POPUP_ERROR_CODES = defineErrorCodes({
+	POPUP_SIGN_IN_FAILED: "Popup sign-in failed",
+	POPUP_BLOCKED: "Sign-in popup was blocked by the browser",
+	POPUP_CLOSED: "Sign-in popup was closed before completing",
+	POPUP_TIMEOUT: "Sign-in popup timed out"
+});
+//#endregion
+export { OAUTH_POPUP_ERROR_CODES };

package/dist/plugins/oauth-popup/index.d.mts

@@ -0,0 +1,67 @@
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { OAuthPopupData, OAuthPopupMessage } from "./types.mjs";
+import * as _better_auth_core0 from "@better-auth/core";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+
+//#region src/plugins/oauth-popup/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "oauth-popup": {
+      creator: typeof oauthPopup;
+    };
+  }
+}
+/**
+ * The completion-page script.
+ */
+declare const OAUTH_POPUP_COMPLETE_SCRIPT: string;
+/**
+ * sha256 of `OAUTH_POPUP_COMPLETE_SCRIPT`, pinned in the completion CSP.
+ */
+declare const OAUTH_POPUP_SCRIPT_CSP_HASH = "sha256-tIo2K8VBC9SnhvdZ+9GsGkQoZm+jm/JcxL+d+i8b8KQ=";
+/**
+ * Server plugin for popup-based OAuth. `signIn.popup` navigates the popup to
+ * `/oauth-popup/start`; on the OAuth callback this plugin swaps the redirect for
+ * a page that posts the session token (or error) back to the opener. Pair with
+ * the `bearer` plugin and `oauthPopupClient`.
+ */
+declare const oauthPopup: () => {
+  id: "oauth-popup";
+  version: string;
+  $ERROR_CODES: {
+    POPUP_SIGN_IN_FAILED: _better_auth_core_utils_error_codes0.RawError<"POPUP_SIGN_IN_FAILED">;
+    POPUP_BLOCKED: _better_auth_core_utils_error_codes0.RawError<"POPUP_BLOCKED">;
+    POPUP_CLOSED: _better_auth_core_utils_error_codes0.RawError<"POPUP_CLOSED">;
+    POPUP_TIMEOUT: _better_auth_core_utils_error_codes0.RawError<"POPUP_TIMEOUT">;
+  };
+  endpoints: {
+    oauthPopupStart: better_call0.StrictEndpoint<"/oauth-popup/start", {
+      method: "GET";
+      query: z.ZodObject<{
+        provider: z.ZodString;
+        popupOrigin: z.ZodString;
+        popupNonce: z.ZodOptional<z.ZodString>;
+        callbackURL: z.ZodOptional<z.ZodString>;
+        errorCallbackURL: z.ZodOptional<z.ZodString>;
+        newUserCallbackURL: z.ZodOptional<z.ZodString>;
+        scopes: z.ZodOptional<z.ZodString>;
+        requestSignUp: z.ZodOptional<z.ZodString>;
+        additionalData: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>;
+      metadata: {
+        readonly scope: "server";
+      };
+    }, Response>;
+  };
+  hooks: {
+    after: {
+      matcher(context: _better_auth_core0.HookEndpointContext): boolean;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+  };
+};
+//#endregion
+export { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup };

package/dist/plugins/oauth-popup/index.mjs

@@ -0,0 +1,227 @@
+import { parseSetCookieHeader, splitSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
+import { expireCookie } from "../../cookies/index.mjs";
+import { getAwaitableValue } from "../../context/helpers.mjs";
+import { setOAuthState } from "../../api/state/oauth.mjs";
+import { generateGenericState } from "../../state.mjs";
+import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
+import { PACKAGE_VERSION } from "../../version.mjs";
+import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
+import { OAUTH_POPUP_ERROR_CODES } from "./error-codes.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
+import * as z from "zod";
+//#region src/plugins/oauth-popup/index.ts
+let warnedMissingBearer = false;
+/**
+* Escapes `<\/script>` and JS line separators for embedding in a script element.
+*/
+function inlineJSON(value) {
+	return JSON.stringify(value).replace(/[<\u2028\u2029]/g, (c) => `\\u${c.charCodeAt(0).toString(16).padStart(4, "0")}`);
+}
+/**
+* The completion-page script.
+*/
+const OAUTH_POPUP_COMPLETE_SCRIPT = `(function () {
+	var el = document.getElementById(${JSON.stringify(OAUTH_POPUP_DATA_ELEMENT_ID)});
+	if (!el) return;
+	var payload;
+	try {
+		payload = JSON.parse(el.textContent || "");
+	} catch (e) {
+		return;
+	}
+	var target = window.opener || window.parent;
+	if (target && target !== window) {
+		try {
+			target.postMessage(
+				{
+					type: payload.type,
+					nonce: payload.nonce,
+					token: payload.token,
+					redirectTo: payload.redirectTo,
+					error: payload.error,
+				},
+				payload.targetOrigin,
+			);
+		} catch (e) {}
+	}
+	window.close();
+})();
+`;
+/**
+* sha256 of `OAUTH_POPUP_COMPLETE_SCRIPT`, pinned in the completion CSP.
+*/
+const OAUTH_POPUP_SCRIPT_CSP_HASH = "sha256-tIo2K8VBC9SnhvdZ+9GsGkQoZm+jm/JcxL+d+i8b8KQ=";
+/**
+* Renders the page that posts the outcome (token or error) to the opener. The
+* caller must pass a trusted `popupOrigin` — validated at `/oauth-popup/start`
+* and preserved in the signed marker cookie the callback reads.
+*/
+function renderCompletion(c, popupOrigin, message) {
+	if (message.token && !warnedMissingBearer && !c.context.hasPlugin("bearer")) {
+		warnedMissingBearer = true;
+		c.context.logger.warn("OAuth popup hands the session token back via postMessage, but the `bearer` plugin is not registered, so an embedded (cross-site iframe) app cannot authenticate with it. Add bearer() to your auth `plugins`.");
+	}
+	const html = `<!doctype html>
+<html>
+<head><meta charset="utf-8"><title>Completing sign-in</title></head>
+<body>
+<script type="application/json" id="${OAUTH_POPUP_DATA_ELEMENT_ID}">${inlineJSON({
+		type: OAUTH_POPUP_MESSAGE_TYPE,
+		targetOrigin: popupOrigin,
+		...message
+	})}<\/script>
+<script>${OAUTH_POPUP_COMPLETE_SCRIPT}<\/script>
+</body>
+</html>`;
+	return new Response(html, {
+		status: 200,
+		headers: {
+			"content-type": "text/html; charset=utf-8",
+			"content-security-policy": `default-src 'none'; script-src '${OAUTH_POPUP_SCRIPT_CSP_HASH}'; base-uri 'none'`,
+			"cache-control": "no-store",
+			pragma: "no-cache"
+		}
+	});
+}
+/**
+* Starts the OAuth flow for a popup. The popup navigates here (top-level, so it
+* is first-party to the auth origin even when the app is on another origin),
+* the server sets the state + opener-marker cookies in the right partition, then
+* redirects to the provider. The callback then renders the completion page.
+*/
+const oauthPopupStart = createAuthEndpoint("/oauth-popup/start", {
+	method: "GET",
+	query: z.object({
+		provider: z.string(),
+		popupOrigin: z.string(),
+		popupNonce: z.string().optional(),
+		callbackURL: z.string().optional(),
+		errorCallbackURL: z.string().optional(),
+		newUserCallbackURL: z.string().optional(),
+		scopes: z.string().optional(),
+		requestSignUp: z.string().optional(),
+		additionalData: z.string().optional()
+	}),
+	metadata: HIDE_METADATA
+}, async (c) => {
+	const { popupOrigin } = c.query;
+	if (!c.context.isTrustedOrigin(popupOrigin, { allowRelativePaths: false })) {
+		c.context.logger.error(`OAuth popup origin is not a trusted origin. Add ${popupOrigin} to trustedOrigins.`);
+		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+	}
+	const fail = (code, description) => renderCompletion(c, popupOrigin, {
+		nonce: c.query.popupNonce ?? "",
+		error: {
+			code,
+			description
+		}
+	});
+	const validateRedirect = (url, code) => {
+		if (!url || c.context.isTrustedOrigin(url, { allowRelativePaths: true })) return;
+		c.context.logger.error(`Invalid redirect URL: ${url}`);
+		return fail(code, `Untrusted URL: ${url}`);
+	};
+	const invalidRedirect = validateRedirect(c.query.callbackURL, "invalid_callback_url") ?? validateRedirect(c.query.errorCallbackURL, "invalid_error_callback_url") ?? validateRedirect(c.query.newUserCallbackURL, "invalid_new_user_callback_url");
+	if (invalidRedirect) return invalidRedirect;
+	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.query.provider });
+	if (!provider) return fail("provider_not_found", `Unknown provider: ${c.query.provider}`);
+	const callbackURL = c.query.callbackURL || c.context.baseURL;
+	let url;
+	try {
+		const codeVerifier = generateRandomString(128);
+		const stateData = {
+			...c.query.additionalData ? safeJSONParse(c.query.additionalData) ?? {} : {},
+			callbackURL,
+			codeVerifier,
+			errorURL: c.query.errorCallbackURL,
+			newUserURL: c.query.newUserCallbackURL,
+			requestSignUp: c.query.requestSignUp === "true" ? true : void 0,
+			expiresAt: Date.now() + 600 * 1e3
+		};
+		await setOAuthState(stateData);
+		const { state } = await generateGenericState(c, stateData);
+		const marker = c.context.createAuthCookie(POPUP_MARKER_COOKIE, { maxAge: 600 });
+		await c.setSignedCookie(marker.name, JSON.stringify({
+			popupOrigin,
+			popupNonce: c.query.popupNonce ?? ""
+		}), c.context.secret, marker.attributes);
+		url = await provider.createAuthorizationURL({
+			state,
+			codeVerifier,
+			redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
+			scopes: c.query.scopes ? c.query.scopes.split(",") : void 0
+		});
+	} catch (error) {
+		c.context.logger.error("OAuth popup failed to start", error);
+		return fail("popup_sign_in_failed", "Failed to start the OAuth flow.");
+	}
+	throw c.redirect(url.toString());
+});
+/**
+* Server plugin for popup-based OAuth. `signIn.popup` navigates the popup to
+* `/oauth-popup/start`; on the OAuth callback this plugin swaps the redirect for
+* a page that posts the session token (or error) back to the opener. Pair with
+* the `bearer` plugin and `oauthPopupClient`.
+*/
+const oauthPopup = () => {
+	return {
+		id: "oauth-popup",
+		version: PACKAGE_VERSION,
+		$ERROR_CODES: OAUTH_POPUP_ERROR_CODES,
+		endpoints: { oauthPopupStart },
+		hooks: { after: [{
+			matcher(context) {
+				return !!(context.path?.startsWith("/callback/") || context.path?.startsWith("/oauth2/callback/"));
+			},
+			handler: createAuthMiddleware(async (c) => {
+				const redirectTo = c.context.responseHeaders?.get("location");
+				if (!redirectTo) return;
+				const cookie = c.context.createAuthCookie(POPUP_MARKER_COOKIE);
+				const marker = await c.getSignedCookie(cookie.name, c.context.secret);
+				if (!marker) return;
+				expireCookie(c, cookie);
+				let popupOrigin;
+				let popupNonce;
+				try {
+					const parsed = JSON.parse(marker);
+					popupOrigin = parsed.popupOrigin;
+					popupNonce = parsed.popupNonce ?? "";
+				} catch {
+					return;
+				}
+				const setCookies = c.context.responseHeaders?.getSetCookie?.() ?? splitSetCookieHeader(c.context.responseHeaders?.get("set-cookie") ?? "");
+				let token;
+				for (const raw of setCookies) {
+					const value = parseSetCookieHeader(raw).get(c.context.authCookies.sessionToken.name)?.value;
+					if (value !== void 0) {
+						token = value;
+						break;
+					}
+				}
+				let response;
+				if (token) response = renderCompletion(c, popupOrigin, {
+					nonce: popupNonce,
+					token,
+					redirectTo
+				});
+				else {
+					const error = new URL(redirectTo, c.context.baseURL).searchParams.get("error");
+					if (!error) return;
+					response = renderCompletion(c, popupOrigin, {
+						nonce: popupNonce,
+						error: {
+							code: error,
+							description: new URL(redirectTo, c.context.baseURL).searchParams.get("error_description") ?? void 0
+						}
+					});
+				}
+				c.context.returned = response;
+			})
+		}] }
+	};
+};
+//#endregion
+export { OAUTH_POPUP_COMPLETE_SCRIPT, OAUTH_POPUP_SCRIPT_CSP_HASH, oauthPopup };

package/dist/plugins/oauth-popup/types.d.mts

@@ -0,0 +1,30 @@
+import { OAUTH_POPUP_MESSAGE_TYPE } from "./constants.mjs";
+
+//#region src/plugins/oauth-popup/types.d.ts
+/** OAuth error relayed to the opener when the flow fails. */
+interface OAuthPopupError {
+  code: string;
+  description?: string;
+}
+/**
+ * Message the completion page posts to its opener — success carries the token,
+ * failure carries the error.
+ */
+interface OAuthPopupMessage {
+  type: typeof OAUTH_POPUP_MESSAGE_TYPE;
+  /** Echoes the request nonce so the opener can correlate the handoff. */
+  nonce: string;
+  /** The session token, sent as `Authorization: Bearer <token>` (on success). */
+  token?: string;
+  /** Where the flow would have redirected (callbackURL / newUserURL). */
+  redirectTo?: string;
+  /** The OAuth error (on failure). */
+  error?: OAuthPopupError;
+}
+/** Payload embedded in the completion page's data block. */
+interface OAuthPopupData extends OAuthPopupMessage {
+  /** Exact origin the message is posted to (the trusted popup opener). */
+  targetOrigin: string;
+}
+//#endregion
+export { OAuthPopupData, OAuthPopupMessage };

package/dist/plugins/oauth-proxy/index.mjs

@@ -183,13 +183,13 @@ const oAuthProxy = (opts) => {
 					}
 					if (error) throw redirectOnError(ctx, errorURL, error);
 					if (!code) {
-						ctx.context.logger.error("OAuth callback missing authorization code");
+						ctx.context.logger.warn("OAuth callback missing authorization code");
 						throw redirectOnError(ctx, errorURL, "no_code");
 					}
 					const providerId = ctx.params?.id;
 					const provider = ctx.context.socialProviders.find((p) => p.id === providerId);
 					if (!provider) {
-						ctx.context.logger.error("OAuth provider not found", providerId);
+						ctx.context.logger.warn("OAuth provider not found", { providerId });
 						throw redirectOnError(ctx, errorURL, "oauth_provider_not_found");
 					}
 					let tokens;

package/dist/plugins/oauth-proxy/utils.mjs

@@ -21,10 +21,24 @@ function getVendorBaseURL() {
 	return vercel || netlify || render || aws || google || azure;
 }
 /**
-* Resolve the current URL from various sources
+* Resolve the current URL from various sources.
+*
+* The request URL host can come from an untrusted source (`Host` / forwarded host),
+* and this origin becomes the receiver for the encrypted OAuth profile replay.
+* So a request-derived origin is only honored when it is an explicitly trusted
+* origin; otherwise resolution falls back to the configured platform/base URL,
+* never the raw request host. An explicit `opts.currentURL` and the vendor/base
+* URLs are configured by the developer and trusted as-is.
 */
 function resolveCurrentURL(ctx, opts) {
-	return new URL(opts?.currentURL || ctx.request?.url || getVendorBaseURL() || ctx.context.baseURL);
+	if (opts?.currentURL) return new URL(opts.currentURL);
+	const requestURL = ctx.request?.url;
+	if (requestURL) {
+		const origin = getOrigin(requestURL);
+		if (origin && ctx.context.isTrustedOrigin(origin)) return new URL(requestURL);
+	}
+	const vendorBaseURL = getVendorBaseURL();
+	return new URL(vendorBaseURL && getOrigin(vendorBaseURL) ? vendorBaseURL : ctx.context.baseURL);
 }
 /**
 * Check if the proxy should be skipped for this request

package/dist/plugins/oidc-provider/index.mjs

@@ -1082,6 +1082,16 @@ const oidcProvider = (options) => {
 					});
 				}
 				const session = await getSessionFromCtx(ctx);
+				if (ctx.request && (validatedUserId || session)) {
+					const fetchSite = ctx.request.headers.get("Sec-Fetch-Site");
+					const originHeader = ctx.request.headers.get("origin") || ctx.request.headers.get("referer");
+					const isSameSiteRequest = fetchSite === "same-origin" || fetchSite === "same-site" || fetchSite === "none" || !!originHeader && ctx.context.isTrustedOrigin(originHeader, { allowRelativePaths: false });
+					const hintMatchesSession = !!validatedUserId && validatedUserId === session?.user.id;
+					if (!isSameSiteRequest && !hintMatchesSession) throw new APIError("FORBIDDEN", {
+						error: "invalid_request",
+						error_description: "Logout must be same-site or carry an id_token_hint for the current session"
+					});
+				}
 				if (validatedUserId || session) {
 					const userId = validatedUserId || session?.user.id;
 					if (userId) await ctx.context.adapter.deleteMany({

package/dist/plugins/one-tap/client.mjs

@@ -44,12 +44,15 @@ const oneTapClient = (options) => {
 						return;
 					}
 					async function callback(idToken) {
-						await $fetch("/one-tap/callback", {
+						if ((await $fetch("/one-tap/callback", {
 							method: "POST",
-							body: { idToken },
+							body: {
+								idToken,
+								callbackURL: opts?.callbackURL
+							},
 							...opts?.fetchOptions,
 							...fetchOptions
-						});
+						}))?.error) return;
 						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
 							const target = opts?.callbackURL ?? "/";
 							if (isSafeUrlScheme(target)) window.location.href = target;
@@ -80,12 +83,15 @@ const oneTapClient = (options) => {
 					return;
 				}
 				async function callback(idToken) {
-					await $fetch("/one-tap/callback", {
+					if ((await $fetch("/one-tap/callback", {
 						method: "POST",
-						body: { idToken },
+						body: {
+							idToken,
+							callbackURL: opts?.callbackURL
+						},
 						...opts?.fetchOptions,
 						...fetchOptions
-					});
+					}))?.error) return;
 					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
 						const target = opts?.callbackURL ?? "/";
 						if (isSafeUrlScheme(target)) window.location.href = target;