feat: one time token (#3482)

* feat: unified auth for desktop and ssr

* feat: use one time token

* feat: remove better auth patch

* feat(desktop): handle session changes

* feat(desktop): recover ck auth for compatibility

Author: DIYgod

apps/desktop/package.json

@@ -33,6 +33,7 @@
     "update:main-hash": "tsx plugins/vite/generate-main-hash.ts"
   },
   "dependencies": {
+    "cookie-es": "2.0.0",
     "react-google-recaptcha": "3.1.0",
     "react-google-recaptcha-v3": "1.10.1"
   },

apps/desktop/src/main/src/index.ts

@@ -140,41 +140,6 @@ function bootstrap() {
     registerUpdater()
     registerAppTray()
 
-    // handle session cookie when sign in with email in electron
-    session.defaultSession.webRequest.onHeadersReceived(
-      {
-        urls: [
-          `${apiURL}/better-auth/sign-in/email`,
-          `${apiURL}/better-auth/sign-in/email?*`,
-          `${apiURL}/better-auth/two-factor/verify-totp`,
-          `${apiURL}/better-auth/two-factor/verify-totp?*`,
-        ],
-      },
-      (detail, callback) => {
-        const { responseHeaders } = detail
-        if (responseHeaders?.["set-cookie"]) {
-          const cookies = responseHeaders["set-cookie"] as string[]
-          cookies.forEach((cookie) => {
-            const cookieObj = parse(cookie, { decode: (value) => value })
-            Object.keys(cookieObj).forEach((name) => {
-              const value = cookieObj[name]
-              mainWindow.webContents.session.cookies.set({
-                url: apiURL,
-                name,
-                value,
-                secure: true,
-                httpOnly: true,
-                domain: new URL(apiURL).hostname,
-                sameSite: "no_restriction",
-              })
-            })
-          })
-        }
-
-        callback({ cancel: false, responseHeaders })
-      },
-    )
-
     app.on("open-url", (_, url) => {
       if (mainWindow && !mainWindow.isDestroyed()) {
         if (mainWindow.isMinimized()) mainWindow.restore()
@@ -232,29 +197,36 @@ function bootstrap() {
     const urlObj = new URL(url)
 
     if (urlObj.hostname === "auth" || urlObj.pathname === "//auth") {
-      const ck = urlObj.searchParams.get("ck")
-      const userId = urlObj.searchParams.get("userId")
-
-      if (ck && apiURL) {
-        setBetterAuthSessionCookie(ck)
-        const cookie = parse(atob(ck), { decode: (value) => value })
-        Object.keys(cookie).forEach((name) => {
-          const value = cookie[name]
-          mainWindow.webContents.session.cookies.set({
-            url: apiURL,
-            name,
-            value,
-            secure: true,
-            httpOnly: true,
-            domain: new URL(apiURL).hostname,
-            sameSite: "no_restriction",
+      const token = urlObj.searchParams.get("token")
+
+      if (token) {
+        await callWindowExpose(mainWindow).applyOneTimeToken(token)
+      } else {
+        // compatible with old version of ssr, should be removed in 0.4.4
+        const ck = urlObj.searchParams.get("ck")
+        const userId = urlObj.searchParams.get("userId")
+
+        if (ck && apiURL) {
+          setBetterAuthSessionCookie(ck)
+          const cookie = parse(atob(ck), { decode: (value) => value })
+          Object.keys(cookie).forEach((name) => {
+            const value = cookie[name]
+            mainWindow.webContents.session.cookies.set({
+              url: apiURL,
+              name,
+              value,
+              secure: true,
+              httpOnly: true,
+              domain: new URL(apiURL).hostname,
+              sameSite: "no_restriction",
+            })
           })
-        })
 
-        userId && (await callWindowExpose(mainWindow).clearIfLoginOtherAccount(userId))
-        mainWindow.reload()
+          userId && (await callWindowExpose(mainWindow).clearIfLoginOtherAccount(userId))
+          mainWindow.reload()
 
-        updateNotificationsToken()
+          updateNotificationsToken()
+        }
       }
     } else {
       handleUrlRouting(url)

apps/desktop/src/renderer/src/hooks/biz/useSignOut.ts

@@ -5,6 +5,7 @@ import { setWhoami } from "~/atoms/user"
 import { QUERY_PERSIST_KEY } from "~/constants"
 import { signOut } from "~/lib/auth"
 import { tipcClient } from "~/lib/client"
+import { handleSessionChanges } from "~/queries/auth"
 import { clearLocalPersistStoreData } from "~/store/utils/clear"
 
 export const useSignOut = () =>
@@ -30,6 +31,6 @@ export const useSignOut = () =>
     ])
     // Sign out
     await signOut().then(() => {
-      window.location.reload()
+      handleSessionChanges()
     })
   }, [])

apps/desktop/src/renderer/src/lib/auth.ts

@@ -1,52 +1,22 @@
-import { IN_ELECTRON } from "@follow/shared"
+import { Auth } from "@follow/shared/auth"
 import { env } from "@follow/shared/env.desktop"
-import type { authPlugins } from "@follow/shared/hono"
-import type { BetterAuthClientPlugin } from "better-auth/client"
-import { inferAdditionalFields, twoFactorClient } from "better-auth/client/plugins"
-import { createAuthClient } from "better-auth/react"
 
-import { WEB_URL } from "~/constants/env"
-
-type AuthPlugin = (typeof authPlugins)[number]
-const serverPlugins = [
-  {
-    id: "customGetProviders",
-    $InferServerPlugin: {} as Extract<AuthPlugin, { id: "customGetProviders" }>,
-  },
-  {
-    id: "customCreateSession",
-    $InferServerPlugin: {} as Extract<AuthPlugin, { id: "customCreateSession" }>,
-  },
-  {
-    id: "getAccountInfo",
-    $InferServerPlugin: {} as Extract<AuthPlugin, { id: "getAccountInfo" }>,
-  },
-  inferAdditionalFields({
-    user: {
-      handle: {
-        type: "string",
-        required: false,
-      },
-    },
-  }),
-] satisfies BetterAuthClientPlugin[]
-
-const authClient = createAuthClient({
-  baseURL: `${env.VITE_API_URL}/better-auth`,
-  plugins: [...serverPlugins, twoFactorClient()],
+const auth = new Auth({
+  apiURL: env.VITE_API_URL,
+  webURL: env.VITE_WEB_URL,
 })
 
 // @keep-sorted
 export const {
   changeEmail,
   changePassword,
-  createSession,
   forgetPassword,
   getAccountInfo,
   getProviders,
   getSession,
   linkSocial,
   listAccounts,
+  oneTimeToken,
   resetPassword,
   sendVerificationEmail,
   signIn,
@@ -55,33 +25,6 @@ export const {
   twoFactor,
   unlinkAccount,
   updateUser,
-} = authClient
-
-export type LoginRuntime = "browser" | "app"
-export const loginHandler = async (
-  provider: string,
-  runtime?: LoginRuntime,
-  args?: {
-    email?: string
-    password?: string
-    headers?: Record<string, string>
-  },
-) => {
-  const { email, password, headers } = args ?? {}
-  if (IN_ELECTRON && provider !== "credential") {
-    window.open(`${WEB_URL}/login?provider=${provider}`)
-  } else {
-    if (provider === "credential") {
-      if (!email || !password) {
-        window.location.href = "/login"
-        return
-      }
-      return signIn.email({ email, password }, { headers })
-    }
+} = auth.authClient
 
-    signIn.social({
-      provider: provider as "google" | "github" | "apple",
-      callbackURL: runtime === "app" ? `${WEB_URL}/login` : WEB_URL,
-    })
-  }
-}
+export const { loginHandler } = auth

apps/desktop/src/renderer/src/modules/auth/Form.tsx

@@ -8,6 +8,7 @@ import {
   FormMessage,
 } from "@follow/components/ui/form/index.js"
 import { Input } from "@follow/components/ui/input/Input.js"
+import type { LoginRuntime } from "@follow/shared/auth"
 import { env } from "@follow/shared/env.desktop"
 import { zodResolver } from "@hookform/resolvers/zod"
 import { useRef } from "react"
@@ -18,8 +19,8 @@ import { toast } from "sonner"
 import { z } from "zod"
 
 import { useCurrentModal, useModalStack } from "~/components/ui/modal/stacked/hooks"
-import type { LoginRuntime } from "~/lib/auth"
 import { loginHandler, signUp, twoFactor } from "~/lib/auth"
+import { handleSessionChanges } from "~/queries/auth"
 
 import { TOTPForm } from "../profile/two-factor"
 
@@ -71,14 +72,14 @@ export function LoginWithPassword({ runtime }: { runtime: LoginRuntime }) {
                 }
               }}
               onSuccess={() => {
-                window.location.reload()
+                handleSessionChanges()
               }}
             />
           )
         },
       })
     } else {
-      window.location.reload()
+      handleSessionChanges()
     }
   }
 
@@ -188,7 +189,7 @@ function RegisterForm() {
       callbackURL: "/",
       fetchOptions: {
         onSuccess() {
-          window.location.reload()
+          handleSessionChanges()
         },
         onError(context) {
           toast.error(context.error.message)

apps/desktop/src/renderer/src/modules/auth/LoginModalContent.tsx

@@ -8,12 +8,12 @@ import {
   TooltipPortal,
   TooltipTrigger,
 } from "@follow/components/ui/tooltip/index.js"
+import type { LoginRuntime } from "@follow/shared/auth"
 import { clsx } from "@follow/utils/utils"
 import { m } from "framer-motion"
 import { useTranslation } from "react-i18next"
 
 import { useCurrentModal } from "~/components/ui/modal/stacked/hooks"
-import type { LoginRuntime } from "~/lib/auth"
 import { loginHandler } from "~/lib/auth"
 import { useAuthProviders } from "~/queries/users"
 

apps/desktop/src/renderer/src/pages/settings/(settings)/profile.tsx

@@ -12,6 +12,7 @@ import { TwoFactor } from "~/modules/profile/two-factor"
 import { UpdatePasswordForm } from "~/modules/profile/update-password-form"
 import { SettingsTitle } from "~/modules/settings/title"
 import { defineSettingPageData } from "~/modules/settings/utils"
+import { handleSessionChanges } from "~/queries/auth"
 
 const iconName = "i-mgc-user-setting-cute-re"
 const priority = 1090
@@ -55,7 +56,7 @@ export function Component() {
                           variant="outline"
                           onClick={async () => {
                             await signOut()
-                            window.location.reload()
+                            handleSessionChanges()
                           }}
                         >
                           Delete

apps/desktop/src/renderer/src/providers/extension-expose-provider.tsx

@@ -11,8 +11,10 @@ import { setUpdaterStatus } from "~/atoms/updater"
 import { useDialog, useModalStack } from "~/components/ui/modal/stacked/hooks"
 import { useDiscoverRSSHubRouteModal } from "~/hooks/biz/useDiscoverRSSHubRoute"
 import { useFollow } from "~/hooks/biz/useFollow"
+import { oneTimeToken } from "~/lib/auth"
 import { usePresentUserProfileModal } from "~/modules/profile/hooks"
 import { useSettingModal } from "~/modules/settings/modal/use-setting-modal"
+import { handleSessionChanges } from "~/queries/auth"
 import { clearDataIfLoginOtherAccount } from "~/store/utils/clear"
 
 declare module "@follow/components/providers/stable-router-provider.js" {
@@ -42,6 +44,11 @@ export const ExtensionExposeProvider = () => {
       clearIfLoginOtherAccount(newUserId: string) {
         clearDataIfLoginOtherAccount(newUserId)
       },
+      async applyOneTimeToken(token: string) {
+        await oneTimeToken.apply({ token })
+        handleSessionChanges()
+      },
+
       readyToUpdate() {
         setUpdaterStatus({
           type: "renderer",

apps/desktop/src/renderer/src/queries/auth.ts

@@ -65,3 +65,7 @@ export const useSession = (options?: { enabled?: boolean }) => {
             : "unknown",
   }
 }
+
+export const handleSessionChanges = () => {
+  window.location.reload()
+}

apps/mobile/package.json

@@ -47,7 +47,6 @@
     "@tanstack/react-query-persist-client": "5.73.3",
     "@types/qrcode": "1.5.5",
     "better-auth": "1.2.6",
-    "cookie-es": "2.0.0",
     "dayjs": "1.11.13",
     "dnum": "2.14.0",
     "es-toolkit": "1.34.1",