The simplest way to get and compare the g_csrf_token cookie from Google One Tap is looking for the string with includes.

import { redirect, type ActionArgs, json } from "@remix-run/node";
import jwtDecode from "jwt-decode";
import { loggedIn } from "~/cookies";

export const action = async ({ request }: ActionArgs) => {
  // body
  const formData = await request.formData();
  const body = Object.fromEntries(formData) as Record<string, string>;
  //cookie
  const cookieHeader = request.headers.get("Cookie");
  if (!cookieHeader?.includes(body.g_csrf_token)) {
    return json({ message: "Wrong cookie" }, { status: 400 });
  }
  const userInfo = jwtDecode(body.credential);
  // save your user in DB ...
  return redirect("/", {
    headers: {
      "set-Cookie": await loggedIn.serialize(true), // update this for a session
    },
  });
};

I'm sure there must be a better way, but I'm still in the search.

If this was useful for you, it could be for others, please share. 🤓

Abrazo. blissmo.