[TylerAustin] Google One Tap Sign-In - XF2 1.0.9

Thank you for your consistent support and assistance in improving this add-on. This version of the XF2 Add-on includes several bug fixes and a few changes.

Full Changelog:

• Added mask + reveal behavior on Google connected-account provider ACP page (client ID + client secret fields):
• Switched these options to callback renderers so they are password-masked by default:
• Hardened setup constants and reuse (ADDON_ID) to reduce drift.
• Added legacy option-group migration cleanup (google_one_tap -> googleOneTap) and uninstall cleanup for both IDs.
• Fixed log table backfill safety: when log_id is added in fallback mode, it now gets setDefault(0) to avoid strict-schema insert failures.
• Added defensive table/column existence checks before provider-link migration to avoid SQL failures on partial/odd installs.
• Added safe tableExists() helper and used it in provider migration flow.
• Hardened group detection in templaterMacroPreRender() with OptionGroup type checks (prevents invalid access warnings).
• Hardened callback CSRF behavior: If Google g_csrf_token is absent, controller now requires valid XenForo CSRF token.
• Replaced fragile phrase-key usage in tab labels with stable literals (no phrase dependency regressions).
• Removed suppressed logging and made debug logging safer (isDebugEnabled() + user id only).
• Added strict_types and made handler final.
• Fixed method signatures to be compatibility-safe across XF handler variations (...$extra variadics).
• Added recursion guard to prevent self-trigger logging loops.
• Removed internal XF::logError() recursion risk; now writes to PHP error log directly.
• Added request-context safety for non-web/edge contexts.
• Added URI/token redaction and truncation to reduce sensitive data leakage and oversized log entries.
• Hardened serialized-data handling to prevent object deserialization via allowed_classes => false.
• Fixed table-name resolution fallback in user entity logic so installs with atypical DB prefix/table setups don’t fail lookup/upsert paths.
• Fixed optional client-id validator mismatch so empty client ID is accepted where intended.
• Fixed provider-data class inheritance bug (namespace/import correctness):
• Fixed DB schema detection bug for provider_data column type (safer SHOW COLUMNS handling):
• Fixed potential runtime break when third-party add-ons change XF:Login->completeLogin() signature.
• Added a compatibility wrapper and switched to redirect after login completion.
• Added missing One Tap opt-out enforcement in legacy login controller:
• Added missing One Tap opt-out + banned-email enforcement in legacy user login controller:
• Added powerful filters in AdminCP Log Viewer:
  • message search
  • username contains
  • user ID
  • date range (from / to)
  • context filter (auto-detected from log tags like [callback], [login], [connected])
  • per-page size (25/50/100/200)
• Added context column for each log row.
• Added truncation + expand (<details>) for very long log messages.
• Added filtered-clear behavior:
  • if filters are active, “Clear filtered logs” only deletes matching rows
  • if no filters, clears all logs as before
• Added matching/total counter at top of the page.
• Upgraded vulnerable JWT dependency to remove the current advisory:
  • Vendor updated to firebase/php-jwt v7.0.3.
• Added a new ACP option googleOneTap_enable_failures_widget (default 0 / OFF) to control failures-widget visibility for both front-end and AdminCP widget contexts.

Thank you for your unwavering support and assistance in further enhancing this add-on. This version of the XF2 Add-on includes several bug fixes and changes.

Full Changelog(s):

• Schema-safe connected-account upsert now fills required custom columns (including extra_data) when they have no default:
• Added generated-column guard so DB-generated fields are not inserted:
• Increased One Tap callback fetch abort timeout from 15000 to 45000 to reduce false client aborts on slower callback processing:
• Added missing repository init in completion action:
• Fixed callback logic so mapped users who are blocked (including email_confirm when option is OFF) are not treated as stale and deleted:
• Added explicit blocked-login message for email_confirm when option is OFF: