feat: update Google Sign-In package with new dependencies and documentation improvements

- Added '@vitejs/plugin-react' and 'vite' as dependencies in the package.json for better integration.
- Updated README to clarify the loading of Google Identity Services with a timeout and emphasized the required 'storage' field in TypeScript for React Native.
- Introduced a nonce parameter in the GoogleSignInButton component to enhance security against replay attacks.

Author: Francesco Giucastro

packages/google-signin/README.md

@@ -14,7 +14,7 @@ npm install @forward-software/react-auth @forward-software/react-auth-google
 
 ### Platform requirements
 
-**Web** - No additional dependencies. The package loads Google Identity Services (GSI) script automatically.
+**Web** - No additional dependencies. The package loads the Google Identity Services (GSI) script automatically (with a 10-second timeout).
 
 **React Native / Expo** - Requires a development build (not compatible with Expo Go):
 
@@ -97,6 +97,7 @@ const googleAuth = new GoogleAuthClient({
   ux_mode: 'popup',                          // 'popup' | 'redirect'
   redirect_uri: undefined,                   // required if ux_mode is 'redirect'
   hosted_domain: undefined,                  // restrict to a G Suite domain
+  nonce: undefined,                          // binds the ID token to a session (replay attack prevention)
 });
 ```
 
@@ -203,7 +204,9 @@ const googleAuth = new GoogleAuthClient({
 });
 ```
 
-> **Note:** On React Native, a `storage` adapter is **required**. The adapter throws an error if none is provided. Use [react-native-mmkv](https://github.com/mrousavy/react-native-mmkv) (recommended) or wrap AsyncStorage with the `TokenStorage` interface.
+> **Note:** On React Native, `storage` is a **required** field in the TypeScript type. Your project will not compile without providing a `TokenStorage` implementation. Use [react-native-mmkv](https://github.com/mrousavy/react-native-mmkv) (recommended) or wrap AsyncStorage with the `TokenStorage` interface.
+>
+> **Android scopes:** Android Credential Manager does not support OAuth scopes directly. If you request scopes beyond `openid`, `profile`, and `email`, the adapter will include a `serverAuthCode` in the response. Exchange this code on your backend for scoped access tokens via the Google OAuth2 token endpoint.
 
 ### GoogleSignInButton (React Native)
 

packages/google-signin/package.json

@@ -41,6 +41,8 @@
     "react-dom": "catalog:",
     "rimraf": "^6.1.3",
     "typescript": "catalog:",
+    "@vitejs/plugin-react": "catalog:",
+    "vite": "catalog:",
     "vitest": "^4.0.18"
   },
   "peerDependencies": {

packages/google-signin/src/web/GoogleSignInButton.tsx

@@ -66,7 +66,7 @@ export function GoogleSignInButton({
         err instanceof Error ? err : new Error('Failed to initialize Google Sign-In')
       );
     }
-  }, [config.clientId, config.ux_mode, config.redirect_uri, config.hosted_domain, theme, size, text, shape, width]);
+  }, [config.clientId, config.ux_mode, config.redirect_uri, config.hosted_domain, config.nonce, theme, size, text, shape, width]);
 
   useEffect(() => {
     initialize();