XF2 [TylerAustin] Google One Tap Sign-In - XF2 1.0.9

Thank you for your consistent support and assistance in improving this add-on. This version of the XF2 Add-on includes several bug fixes and a few changes.

Full Changelog:

• Added mask + reveal behavior on Google connected-account provider ACP page (client ID + client secret fields):
• Switched these options to callback renderers so they are password-masked by default:
• Hardened setup constants and reuse (ADDON_ID) to reduce drift.
• Added legacy option-group migration cleanup (google_one_tap -> googleOneTap) and uninstall cleanup for both IDs.
• Fixed log table backfill safety: when log_id is added in fallback mode, it now gets setDefault(0) to avoid strict-schema insert failures.
• Added defensive table/column existence checks before provider-link migration to avoid SQL failures on partial/odd installs.
• Added safe tableExists() helper and used it in provider migration flow.
• Hardened group detection in templaterMacroPreRender() with OptionGroup type checks (prevents invalid access warnings).
• Hardened callback CSRF behavior: If Google g_csrf_token is absent, controller now requires valid XenForo CSRF token.
• Replaced fragile phrase-key usage in tab labels with stable literals (no phrase dependency regressions).
• Removed suppressed logging and made debug logging safer (isDebugEnabled() + user id only).
• Added strict_types and made handler final.
• Fixed method signatures to be compatibility-safe across XF handler variations (...$extra variadics).
• Added recursion guard to prevent self-trigger logging loops.
• Removed internal XF::logError() recursion risk; now writes to PHP error log directly.
• Added request-context safety for non-web/edge contexts.
• Added URI/token redaction and truncation to reduce sensitive data leakage and oversized log entries.
• Hardened serialized-data handling to prevent object deserialization via allowed_classes => false.
• Fixed table-name resolution fallback in user entity logic so installs with atypical DB prefix/table setups don’t fail lookup/upsert paths.
• Fixed optional client-id validator mismatch so empty client ID is accepted where intended.
• Fixed provider-data class inheritance bug (namespace/import correctness):
• Fixed DB schema detection bug for provider_data column type (safer SHOW COLUMNS handling):
• Fixed potential runtime break when third-party add-ons change XF:Login->completeLogin() signature.
• Added a compatibility wrapper and switched to redirect after login completion.
• Added missing One Tap opt-out enforcement in legacy login controller:
• Added missing One Tap opt-out + banned-email enforcement in legacy user login controller:
• Added powerful filters in AdminCP Log Viewer:
  • message search
  • username contains
  • user ID
  • date range (from / to)
  • context filter (auto-detected from log tags like [callback], [login], [connected])
  • per-page size (25/50/100/200)
• Added context column for each log row.
• Added truncation + expand (<details>) for very long log messages.
• Added filtered-clear behavior:
  • if filters are active, “Clear filtered logs” only deletes matching rows
  • if no filters, clears all logs as before
• Added matching/total counter at top of the page.
• Upgraded vulnerable JWT dependency to remove the current advisory:
  • Vendor updated to firebase/php-jwt v7.0.3.
• Added a new ACP option googleOneTap_enable_failures_widget (default 0 / OFF) to control failures-widget visibility for both front-end and AdminCP widget contexts.

Thank you for your unwavering support and assistance in further enhancing this add-on. This version of the XF2 Add-on includes several bug fixes and changes.

Full Changelog(s):

• Schema-safe connected-account upsert now fills required custom columns (including extra_data) when they have no default:
• Added generated-column guard so DB-generated fields are not inserted:
• Increased One Tap callback fetch abort timeout from 15000 to 45000 to reduce false client aborts on slower callback processing:
• Added missing repository init in completion action:
• Fixed callback logic so mapped users who are blocked (including email_confirm when option is OFF) are not treated as stale and deleted:
• Added explicit blocked-login message for email_confirm when option is OFF:

Thank you for your unwavering support and assistance in enhancing this add-on even further. This version of the XF2 Add-on includes fixing several bugs fixes and few new changes

Full Changelog(s):

New:

• Ajax-enabled “Complete registration” form submission so XenForo processes the response normally (JSON is handled by XF JS and redirects properly instead of rendering JSON on-screen).
• “Login while awaiting email confirmation” behavior:
  • After a user completes registration via Google and clicks Continue, they remain logged in even if user_state remains email_confirm.
  • The flow redirects the user to the confirmation endpoint while preserving the logged-in session.
• Justin AutoComplete Location integration (when add-on is installed and configured):
  • Location field supports Google Places Autocomplete and optional geolocation-based auto-fill (where permitted).
  • Uses the third-party API key option (j_acl_map_api) and only loads scripts when appropriate.
• OzzModz Registration Invites integration (when add-on is installed and configured):
  • Invitation code input support on the complete-registration page.
  • “Require invite key to register” behavior honored.
  • Email retype support (where enabled).
  • “Disable copy/paste for email retype” support (where enabled).

Changed:

• Complete registration form now explicitly uses XenForo’s AJAX form conventions to ensure proper redirect behavior.
• Login eligibility logic updated to allow login for users in user_state = valid OR email_confirm (still denies banned accounts).
• Registration completion template updated to support third-party fields (invite code/email retype) and location behaviors.
• Improved conditional rendering to avoid showing third-party UI when the third-party add-ons are not installed/active.

Fixed:

• “Continue” on the complete-registration page no longer displays raw JSON output in the browser.
• Users no longer get “logged out” immediately after completing the Google-based registration workflow (while email confirmation is still pending).
• Fatal error protection when third-party add-ons are not installed:
• Removed/avoided autoload patterns that caused class resolution failures (e.g., checking classes that trigger loading of XFCP_[/i] stubs).
• Template output correctness:
  • Prevented raw JavaScript blocks from being printed as plain text in the page body.
  • Compatibility with User entity overrides:
• Added safe getAge() handling to prevent template warnings when other add-ons override/replace XF\User (e.g., SV PasswordTools).

Thank you for your support and helping me to improve the add-ons even better than before. This version includes new features and changes in some areas of the XF2 Add-on!

Full Changelog:

Fixed:

• XenForo version compatibility (JSON body parsing)
• Fixed fatal error: `Call to undefined method XF\Http\Request::getJsonBody()` by using a compatibility shim:
• If `getJsonBody()` exists (newer XF), use it.
• Otherwise parse `php://input` with `json_decode()` (older XF 2.2.x and earlier).
• Legacy redirect mode login failures (`/connected_account.php`):**
• Fixed OAuth redirect calculation so the redirect URI is determined **before** delegating to XenForo’s core Google provider (prevents mismatched `state` / redirect problems).
• Supports both:
  • Legacy: `<boardUrl>/connected_account.php`
  • Route callback: `connected-accounts/tyl_google/callback`
• Duplicate element IDs (invalid HTML):**
• Fixed duplicate `id="google-one-tap-parent"` injection across multiple templates by ensuring the fixed-position parent container is injected only once globally (PAGE_CONTAINER), not duplicated on login/register templates.

Added:

• Account chooser / multi-account support:**
• Defaulted `autoSelect` to `false` so users can choose which Google account to use (prevents silent auto-selection).
• Restored One Tap prompt messaging (“Sign in with Google … No more passwords …”)
• Added `context: 'use'` to Google Identity Services initialization so the prompt includes the descriptive header/body text like in your screenshot.
• Ad-blocker and network-failure fallback:**
• Added a client-side detector: if the GIS library doesn’t load (e.g., blocked by AdGuard/uBlock rules), the add-on displays a small fallback message/link to standard login.
• When a valid/verified Google user is not yet linked and no verified-email match exists, the callback can now create a new XenForo account, link it, and log the user in.
• Generates a unique username (adds numeric suffix as needed).
• Use legacy redirect (/connected_account.php)
• Test Google One Tap Callback option
• Test Google One Tap Connectivity option

Changed:

• Responsive prompt anchoring
• Updated the injected One Tap parent container styling so it is mobile/tablet/desktop friendly:
• Fixed-position anchor near top-right (`top: 10px; right: 10px;`)
• No forced `width: 0; height: 0;` so the fallback message can render cleanly on small screens.
• Provider config defaults:**
• Ensures required OpenID scopes are present (`openid`, `email`, `profile`).
• Backfills OAuth client ID/secret from the add-on options when provider values are empty (so configuration can live in one place).

Full Changelog:

• Fixed XF\Db\Exception: MySQL query error [1364]: Field 'display_order' doesn't have a default value src/XF/Db/AbstractStatement.php:230