feat: add Google One Tap response handler (#1126)

* feat: check auth status on cloud console

* refactor: refactor code

* fix: fix page

* chore: fix content not render bug

* chore: resume least changes

* refactor: apply try-retry instead of polling

* refactor: use google API instead of HTML component

* revert: restore pnpm-lock.yaml to base branch version

* refactor: apply browser only to GOT and add referrer policy header

* refactor: apply thorough CSP

* feat: add GOT callback handler (#1166)

* feat: add GOT callback handler

* fix: fix CSP, refactor GOT credential verifier

* chore: test GET verify API

* chore: use otp landing page

* chore: add frame-ancestor config

* chore: pop up fallback mechanism

* chore: redirect in-place and try POST

* chore: test without CSP headers for CF

* chore: test experience google credential

* chore: add debug log and check/grant storage access

* chore: update console landing page

* refactor: remove unnecessary code

* feat: only trigger GOT once

* chore: remove unused code

* refactor: refactor code

Author: darcyYe

docusaurus.config.ts

@@ -1,5 +1,6 @@
 // eslint-disable-next-line import/no-unassigned-import
 import 'dotenv/config';
+
 import type { Config } from '@docusaurus/types';
 import { yes } from '@silverhand/essentials';
 
@@ -54,6 +55,9 @@ const config: Config = {
     inkeepApiKey: process.env.INKEEP_API_KEY,
     logtoApiBaseUrl: process.env.LOGTO_API_BASE_URL,
     isDevFeatureEnabled: yes(process.env.IS_DEV_FEATURE_ENABLED),
+    isDebuggingEnabled: yes(process.env.IS_DEBUGGING_ENABLED),
+    logtoAdminConsoleUrl: process.env.LOGTO_ADMIN_CONSOLE_URL,
+    googleOneTapConfig: process.env.GOOGLE_ONE_TAP_CONFIG,
   },
 
   staticDirectories: ['static', 'static-localized/' + currentLocale],

src/theme/Layout/GoogleOneTapInitializer.tsx

@@ -0,0 +1,81 @@
+import { type ReactNode, useCallback, useEffect, useState } from 'react';
+
+import type { GoogleOneTapCredentialResponse } from './types';
+import { appendPath, yes } from '@silverhand/essentials';
+import { isGoogleOneTapTriggeredKey } from './constants';
+import { useApiBaseUrl, useDebugLogger, useGoogleOneTapConfig } from './hooks';
+
+export default function GoogleOneTapInitializer(): ReactNode {
+  const [isGoogleOneTapTriggered, setIsGoogleOneTapTriggered] = useState(false);
+  const { logtoAdminConsoleUrl } = useApiBaseUrl();
+  const { config } = useGoogleOneTapConfig();
+  const { debugLogger } = useDebugLogger();
+
+  useEffect(() => {
+    const isTriggered = yes(localStorage.getItem(isGoogleOneTapTriggeredKey));
+    setIsGoogleOneTapTriggered(isTriggered);
+  }, []);
+
+  // Function to manually build Logto sign-in URL
+  const buildSignInUrl = useCallback(
+    ({ credential }: GoogleOneTapCredentialResponse) => {
+      try {
+        if (!logtoAdminConsoleUrl) {
+          throw new Error('Logto admin console URL is not set');
+        }
+
+        const signInUrl = new URL(appendPath(new URL(logtoAdminConsoleUrl), 'external-google-one-tap'));
+
+        signInUrl.searchParams.set('credential', credential);
+
+        return signInUrl.toString();
+      } catch (error) {
+        debugLogger.error('Failed to build sign-in URL:', error);
+        return null;
+      }
+    },
+    [logtoAdminConsoleUrl, debugLogger]
+  );
+
+  const handleCredentialResponse = useCallback(
+    async (response: GoogleOneTapCredentialResponse) => {
+      debugLogger.log('handleCredentialResponse received response:', response);
+
+      // Build Logto sign-in URL with credential
+      const signInUrl = buildSignInUrl(response);
+
+      if (signInUrl) {
+        localStorage.setItem(isGoogleOneTapTriggeredKey, '1');
+        // Directly navigate to sign-in URL in current window
+        window.location.href = signInUrl;
+        debugLogger.log('Redirecting to Logto sign-in URL', signInUrl);
+      }
+    },
+    [debugLogger, buildSignInUrl]
+  );
+
+  useEffect(() => {
+    if (!isGoogleOneTapTriggered && logtoAdminConsoleUrl && config && config.oneTap?.isEnabled && window.google?.accounts.id) {
+      debugLogger.log('Initializing Google One Tap');
+
+      try {
+        // Initialize Google One Tap
+        window.google.accounts.id.initialize({
+          client_id: config.clientId,
+          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+          callback: handleCredentialResponse,
+          auto_select: config.oneTap.autoSelect,
+          cancel_on_tap_outside: config.oneTap.closeOnTapOutside,
+          itp_support: config.oneTap.itpSupport,
+        });
+
+        // Show One Tap prompt
+        window.google.accounts.id.prompt();
+      } catch (error) {
+        console.error('Error initializing Google One Tap:', error);
+      }
+    }
+  }, [config, debugLogger, logtoAdminConsoleUrl]);
+
+  return null;
+}

src/theme/Layout/constants.ts

@@ -0,0 +1,4 @@
+export const isGoogleOneTapTriggeredKey = '_logto_is_google_one_tap_triggered';
+
+export const defaultApiBaseProdUrl = 'https://auth.logto.io';
+export const defaultApiBaseDevUrl = 'https://auth.logto.dev';

src/theme/Layout/global.d.ts

@@ -0,0 +1,27 @@
+declare global {
+  interface Window {
+    handleCredentialResponse?: (response: GoogleCredentialResponse) => void;
+    google?: {
+      accounts: {
+        id: {
+          initialize: (config: GoogleOneTapInitConfig) => void;
+          prompt: () => void;
+        };
+      };
+    };
+  }
+}
+
+type GoogleCredentialResponse = {
+  credential: string;
+};
+
+type GoogleOneTapInitConfig = {
+  client_id: string;
+  callback: (response: GoogleCredentialResponse) => void;
+  auto_select?: boolean;
+  cancel_on_tap_outside?: boolean;
+  itp_support?: boolean;
+};
+
+export {};

src/theme/Layout/google-one-tap.ts

@@ -0,0 +1,17 @@
+import { z } from 'zod';
+
+export const oneTapSchema = z
+  .object({
+    isEnabled: z.boolean().optional(),
+    autoSelect: z.boolean().optional(),
+    closeOnTapOutside: z.boolean().optional(),
+    itpSupport: z.boolean().optional(),
+  })
+  .optional();
+
+export const googleOneTapConfigSchema = z.object({
+  clientId: z.string(),
+  oneTap: oneTapSchema,
+});
+
+export type GoogleOneTapConfig = z.infer<typeof googleOneTapConfigSchema>;

src/theme/Layout/hooks.ts

@@ -0,0 +1,109 @@
+import useDocusaurusContext from '@docusaurus/useDocusaurusContext';
+import { trySafe, type Optional } from '@silverhand/essentials';
+import { useEffect, useMemo, useState } from 'react';
+
+import { defaultApiBaseProdUrl, defaultApiBaseDevUrl } from './constants';
+import { type GoogleOneTapConfig, googleOneTapConfigSchema } from './google-one-tap';
+import { type RawSiteConfig, rawSiteConfigSchema } from './types';
+
+type DebugLogger = {
+  log: (...args: unknown[]) => void;
+  warn: (...args: unknown[]) => void;
+  error: (...args: unknown[]) => void;
+};
+
+const createDebugLogger = (isDebugMode: boolean): DebugLogger => {
+  return {
+    log: (...args: unknown[]) => {
+      if (isDebugMode) {
+        console.log(...args);
+      }
+    },
+    warn: (...args: unknown[]) => {
+      if (isDebugMode) {
+        console.warn(...args);
+      }
+    },
+    error: (...args: unknown[]) => {
+      if (isDebugMode) {
+        console.error(...args);
+      }
+    },
+  };
+};
+
+const useSiteConfig = (): { siteConfig: RawSiteConfig } => {
+  const { siteConfig: rawSiteConfig } = useDocusaurusContext();
+  const parsedRawSiteConfig = rawSiteConfigSchema.safeParse(rawSiteConfig);
+  if (!parsedRawSiteConfig.success) {
+    throw new Error('Invalid site config');
+  }
+  return { siteConfig: parsedRawSiteConfig.data };
+};
+
+export function useDebugLogger(): { debugLogger: DebugLogger } {
+  const {
+    siteConfig: { customFields },
+  } = useSiteConfig();
+  const isDebugMode = Boolean(customFields?.isDebuggingEnabled);
+
+  return { debugLogger: useMemo(() => createDebugLogger(isDebugMode), [isDebugMode]) };
+}
+
+export function useApiBaseUrl(): {
+  baseUrl: string;
+  logtoAdminConsoleUrl?: string;
+} {
+  const {
+    siteConfig: { customFields },
+  } = useSiteConfig();
+  const { logtoApiBaseUrl, isDevFeatureEnabled, logtoAdminConsoleUrl } = customFields ?? {};
+
+  return useMemo(() => {
+    const baseUrl =
+      typeof logtoApiBaseUrl === 'string'
+        ? logtoApiBaseUrl
+        : isDevFeatureEnabled
+          ? defaultApiBaseDevUrl
+          : defaultApiBaseProdUrl;
+
+    return {
+      baseUrl,
+      logtoAdminConsoleUrl,
+    };
+  }, [logtoApiBaseUrl, isDevFeatureEnabled, logtoAdminConsoleUrl]);
+}
+
+export function useGoogleOneTapConfig(): {
+  config: Optional<GoogleOneTapConfig>;
+} {
+  const [config, setConfig] = useState<GoogleOneTapConfig>();
+  const { debugLogger } = useDebugLogger();
+  const {
+    siteConfig: { customFields },
+  } = useSiteConfig();
+
+  useEffect(() => {
+    const loadConfig = async () => {
+      const rawConfig = customFields?.googleOneTapConfig;
+      if (typeof rawConfig !== 'string') {
+        throw new TypeError('Google One Tap config is not a string');
+      }
+      const parsedConfig = googleOneTapConfigSchema.safeParse(
+        // eslint-disable-next-line no-restricted-syntax
+        trySafe(() => JSON.parse(rawConfig) as unknown)
+      );
+
+      if (parsedConfig.success) {
+        setConfig(parsedConfig.data);
+      } else {
+        debugLogger.error('Failed to parse Google One Tap config:', parsedConfig.error);
+        setConfig(undefined);
+      }
+    };
+
+    void loadConfig();
+  }, [customFields?.googleOneTapConfig, debugLogger]);
+
+  return { config };
+}

src/theme/Layout/index.tsx

@@ -1,107 +1,21 @@
+import BrowserOnly from '@docusaurus/BrowserOnly';
 import type { WrapperProps } from '@docusaurus/types';
-import useDocusaurusContext from '@docusaurus/useDocusaurusContext';
 import type LayoutType from '@theme/Layout';
 import Layout from '@theme-original/Layout';
-import type { ReactNode } from 'react';
-import { useEffect, useState } from 'react';
-import { z } from 'zod';
+import { type ReactNode } from 'react';
 
-type Props = WrapperProps<typeof LayoutType>;
-
-const oneTapSchema = z
-  .object({
-    isEnabled: z.boolean().optional(),
-    autoSelect: z.boolean().optional(),
-    closeOnTapOutside: z.boolean().optional(),
-    itpSupport: z.boolean().optional(),
-  })
-  .optional();
-
-const googleOneTapConfigSchema = z.object({
-  clientId: z.string(),
-  oneTap: oneTapSchema,
-});
-
-type GoogleOneTapConfig = z.infer<typeof googleOneTapConfigSchema>;
+import GoogleOneTapInitializer from './GoogleOneTapInitializer';
+import { useGoogleOneTapConfig } from './hooks';
 
-const CACHE_KEY = '_logto_google_one_tap_config';
-const CACHE_EXPIRY_KEY = '_logto_google_one_tap_config_expiry';
-const CACHE_EXPIRY_TIME = 1 * 60 * 60 * 1000; // 1 hour
-
-// Default API base URL
-const DEFAULT_API_BASE_PROD_URL = 'https://auth.logto.io';
-const DEFAULT_API_BASE_DEV_URL = 'https://auth.logto.dev';
+type Props = WrapperProps<typeof LayoutType>;
 
 export default function LayoutWrapper(props: Props): ReactNode {
-  const [config, setConfig] = useState<GoogleOneTapConfig | undefined>(undefined);
-  const { siteConfig } = useDocusaurusContext();
-
-  // Get the API base URL from customFields, or use the default value if it doesn't exist
-  const logtoApiBaseUrl = siteConfig.customFields?.logtoApiBaseUrl;
-  const apiBaseUrl =
-    typeof logtoApiBaseUrl === 'string'
-      ? logtoApiBaseUrl
-      : siteConfig.customFields?.isDevFeatureEnabled
-        ? DEFAULT_API_BASE_DEV_URL
-        : DEFAULT_API_BASE_PROD_URL;
-
-  useEffect(() => {
-    const fetchConfig = async () => {
-      try {
-        const cachedConfig = localStorage.getItem(CACHE_KEY);
-        const cachedExpiry = localStorage.getItem(CACHE_EXPIRY_KEY);
-
-        if (cachedConfig && cachedExpiry && Number(cachedExpiry) > Date.now()) {
-          try {
-            const parsedConfig = googleOneTapConfigSchema.parse(JSON.parse(cachedConfig));
-            setConfig(parsedConfig);
-            return;
-          } catch (parseError) {
-            console.error('Cached config validation failed:', parseError);
-          }
-        }
-
-        const response = await fetch(`${apiBaseUrl}/api/google-one-tap/config`, {
-          headers: {
-            Origin: window.location.origin,
-          },
-        });
-
-        if (!response.ok) {
-          throw new Error('Failed to fetch Google One Tap config');
-        }
-
-        const data = await response.json();
-
-        const validatedConfig = googleOneTapConfigSchema.parse(data);
-
-        localStorage.setItem(CACHE_KEY, JSON.stringify(validatedConfig));
-        localStorage.setItem(CACHE_EXPIRY_KEY, String(Date.now() + CACHE_EXPIRY_TIME));
-
-        setConfig(validatedConfig);
-      } catch (error) {
-        console.error('Error fetching or validating Google One Tap config:', error);
-      }
-    };
-
-    void fetchConfig();
-  }, [apiBaseUrl]);
+  const { config } = useGoogleOneTapConfig();
 
   return (
     <>
-      {config && config.oneTap?.isEnabled && (
-        <div
-          data-itp_support={Boolean(config.oneTap.itpSupport)}
-          data-auto_select={Boolean(config.oneTap.autoSelect)}
-          data-cancel_on_tap_outside={Boolean(config.oneTap.closeOnTapOutside)}
-          id="g_id_onload"
-          data-client_id={config.clientId}
-          // TODO: implement handleCredentialResponse page
-          data-callback="handleCredentialResponse"
-          data-context="signin"
-        ></div>
-      )}
       <Layout {...props} />
+      {config?.oneTap?.isEnabled && <BrowserOnly>{() => <GoogleOneTapInitializer />}</BrowserOnly>}
     </>
   );
 }