{"id":50813939,"url":"https://github.com/runablehq/better-auth-auth-popup-failure","last_synced_at":"2026-06-13T07:33:41.068Z","repository":{"id":362920205,"uuid":"1261296601","full_name":"runablehq/better-auth-auth-popup-failure","owner":"runablehq","description":"Minimal reproduction for Better Auth OAuth popup direct-mode session failure","archived":false,"fork":false,"pushed_at":"2026-06-06T13:59:01.000Z","size":25,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-06T15:24:35.864Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/runablehq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-06T13:54:05.000Z","updated_at":"2026-06-06T13:59:05.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/runablehq/better-auth-auth-popup-failure","commit_stats":null,"previous_names":["runablehq/better-auth-auth-popup-failure"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/runablehq/better-auth-auth-popup-failure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runablehq%2Fbetter-auth-auth-popup-failure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runablehq%2Fbetter-auth-auth-popup-failure/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runablehq%2Fbetter-auth-auth-popup-failure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runablehq%2Fbetter-auth-auth-popup-failure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/runablehq","download_url":"https://codeload.github.com/runablehq/better-auth-auth-popup-failure/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/runablehq%2Fbetter-auth-auth-popup-failure/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34276501,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-13T07:33:36.681Z","updated_at":"2026-06-13T07:33:41.062Z","avatar_url":"https://github.com/runablehq.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Better Auth OAuth popup direct-mode failure\n\nMinimal reproduction for the experimental OAuth popup plugin from [better-auth/better-auth#9890](https://github.com/better-auth/better-auth/pull/9890).\n\nVerified against the preview package built from Better Auth commit `4d0dbd6`.\n\nThe repository contains:\n\n- a Vite app on `http://localhost:5173`\n- a Better Auth server on `http://localhost:5174`, proxied through Vite at `/api`\n- a zero-configuration mock OAuth provider on `http://localhost:5174/provider/*`\n- a cross-origin iframe harness on `http://localhost:5174/iframe`\n\nNo external OAuth credentials or services are required.\n\n## Run\n\n```sh\nbun install\nbun dev\n```\n\nIf those ports are occupied:\n\n```sh\nAPP_PORT=5273 API_PORT=5274 VITE_IFRAME_URL=http://localhost:5274/iframe bun dev\n```\n\n## Reproduce\n\n### Direct mode\n\n1. Open `http://localhost:5173`.\n2. Click **Sign in with popup**.\n3. The mock provider immediately redirects back and the popup closes.\n4. The result becomes `POPUP_SIGN_IN_FAILED` and the session remains signed out.\n\n### Cross-origin iframe mode\n\n1. Open `http://localhost:5174/iframe`.\n2. Click **Sign in with popup** inside the iframe.\n3. The same mock provider immediately redirects back and the popup closes.\n4. The result becomes `Success` and the session is authenticated.\n\n## Expected\n\nDirect mode should authenticate successfully, matching iframe mode.\n\n## Observed\n\n| Mode                | Popup result           | Session       |\n| ------------------- | ---------------------- | ------------- |\n| Direct page         | `POPUP_SIGN_IN_FAILED` | Signed out    |\n| Cross-origin iframe | `Success`              | Authenticated |\n\nBoth opener pages send:\n\n```http\nCross-Origin-Opener-Policy: same-origin-allow-popups\n```\n\nThis removes Chrome's `window.closed` COOP warnings but does not fix direct mode.\n\n## Root cause\n\nThe popup callback creates both `better-auth.session_token` and `better-auth.session_data`, then the popup after-hook replaces the redirect with an HTML completion `Response`.\n\nThe hook attempts to replay the callback cookies with repeated `c.setCookie(...)` calls. In the final HTTP response, only `better-auth.session_data` survives; `better-auth.session_token` is missing. The popup posts the token successfully, but direct mode's subsequent cookie-authenticated `/get-session` request is signed out.\n\nThis can be inspected without a browser by following the mock OAuth redirects and listing the final response's `Set-Cookie` names:\n\n```txt\nbetter-auth.session_data\n```\n\nReplaying every original `Set-Cookie` value directly on the returned completion `Response`, including `better-auth.session_token`, fixes direct mode with the client unchanged. The iframe bearer-token flow continues to work.\n\nThe COOP review suggestion is still useful for avoiding `window.closed` warnings, but the opener documents need `Cross-Origin-Opener-Policy: same-origin-allow-popups`. The reproduction already sends it on both opener pages, and direct mode still fails until the session cookie is preserved.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frunablehq%2Fbetter-auth-auth-popup-failure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frunablehq%2Fbetter-auth-auth-popup-failure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frunablehq%2Fbetter-auth-auth-popup-failure/lists"}