@idealyst/oauth-client 1.2.111 → 1.2.112

package/README.md

@@ -24,9 +24,13 @@ yarn add @idealyst/oauth-client
 
 #### For React Native:
 ```bash
-npm install @react-native-async-storage/async-storage
+npm install expo-web-browser
+# Then for iOS:
+cd ios && pod install
 ```
 
+This provides `ASWebAuthenticationSession` on iOS (in-app auth sheet, no redirect prompt) and `Chrome Custom Tabs` on Android (in-app browser overlay). Works in bare React Native projects — requires the `expo` core package.
+
 #### For Web:
 No additional dependencies required.
 
@@ -63,10 +67,11 @@ This library uses a hybrid approach that minimizes server requirements:
 4. Client automatically detects callback and exchanges code directly with Google using PKCE
 
 ### Mobile Flow:
-1. App opens browser to `GET /api/auth/google?redirect_uri=com.yourapp://oauth/callback&state=xyz&code_challenge=abc`
-2. Server redirects to Google OAuth with server's client credentials + client's PKCE challenge
-3. Google redirects back to `com.yourapp://oauth/callback?code=123&state=xyz`
-4. Mobile OS opens app via deep link, client exchanges code directly with Google using PKCE
+1. App opens an in-app auth session (`ASWebAuthenticationSession` on iOS, `Chrome Custom Tabs` on Android)
+2. Auth session navigates to `GET /api/auth/google?redirect_uri=com.yourapp://oauth/callback&state=xyz&code_challenge=abc`
+3. Server redirects to Google OAuth with server's client credentials + client's PKCE challenge
+4. Google redirects back to `com.yourapp://oauth/callback?code=123&state=xyz`
+5. Auth session captures the redirect and returns the URL directly to the app (no system prompt on iOS)
 
 ## Minimal Server Setup
 
@@ -130,9 +135,9 @@ Add intent filter to `android/app/src/main/AndroidManifest.xml`:
 </activity>
 ```
 
-### Deep Link Handling (Automatic)
+### In-App Auth Session (Automatic)
 
-The client automatically handles OAuth deep links. The deep link handler is built-in and requires no additional setup.
+The client uses `expo-web-browser` to handle the OAuth flow within an in-app browser session. On iOS this uses `ASWebAuthenticationSession` which avoids the "Open in App?" system prompt that occurs with Safari redirects. On Android it uses Chrome Custom Tabs. No manual deep link listener setup is required.
 
 ## API Reference
 
@@ -265,11 +270,11 @@ try {
   const result = await client.authorize()
 } catch (error) {
   if (error.message.includes('User cancelled')) {
-    // User cancelled the authorization
+    // User dismissed the auth session
+  } else if (error.message.includes('not available')) {
+    // InAppBrowser not available on device (missing native dependency)
   } else if (error.message.includes('Invalid state')) {
-    // CSRF protection triggered  
-  } else if (error.message.includes('timeout')) {
-    // User didn't complete OAuth in time (mobile)
+    // CSRF protection triggered
   } else {
     // Other OAuth error
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@idealyst/oauth-client",
-  "version": "1.2.111",
+  "version": "1.2.112",
   "description": "Universal OAuth2 client for web and React Native",
   "main": "src/index.ts",
   "module": "src/index.ts",
@@ -38,12 +38,14 @@
     "@types/react-native": "^0.73.0",
     "react": "^19.1.0",
     "react-native": "^0.80.1",
+    "expo-web-browser": "^15.0.0",
     "tsup": "^8.3.5",
     "typescript": "^5.7.3"
   },
   "peerDependencies": {
     "@idealyst/storage": "^1.2.30",
-    "react-native": ">=0.60.0"
+    "react-native": ">=0.60.0",
+    "expo-web-browser": ">=13.0.0"
   },
   "files": [
     "dist",

package/src/oauth-client.native.ts

@@ -1,5 +1,5 @@
 import type { OAuthClient, OAuthConfig, OAuthResult, OAuthCallbackParams } from './types'
-import { Linking } from 'react-native'
+import * as WebBrowser from 'expo-web-browser'
 
 export class NativeOAuthClient<T = OAuthResult> implements OAuthClient<T> {
   private config: OAuthConfig<T>
@@ -12,11 +12,22 @@ export class NativeOAuthClient<T = OAuthResult> implements OAuthClient<T> {
     const state = this.generateState()
     const oauthUrl = this.buildOAuthUrl(state)
 
-    // Open OAuth URL in system browser
-    await Linking.openURL(oauthUrl)
+    // Use expo-web-browser's auth session (ASWebAuthenticationSession on iOS, Chrome Custom Tabs on Android)
+    const result = await WebBrowser.openAuthSessionAsync(oauthUrl, this.config.redirectUrl)
 
-    // Wait for deep link callback
-    const callbackParams = await this.waitForDeepLinkCallback()
+    if (result.type === 'cancel' || result.type === 'dismiss') {
+      throw new Error('User cancelled the authorization')
+    }
+
+    if (result.type !== 'success' || !result.url) {
+      throw new Error('OAuth flow failed unexpectedly')
+    }
+
+    const callbackParams = this.parseRedirectUrl(result.url)
+
+    if (!callbackParams) {
+      throw new Error('Failed to parse OAuth callback parameters')
+    }
 
     if (callbackParams.error) {
       throw new Error(`OAuth error: ${callbackParams.error}`)
@@ -31,67 +42,10 @@ export class NativeOAuthClient<T = OAuthResult> implements OAuthClient<T> {
     return callbackParams as T
   }
 
-  private async waitForDeepLinkCallback(): Promise<OAuthCallbackParams> {
-    return new Promise((resolve, reject) => {
-      let subscription: any
-      let timeoutId: NodeJS.Timeout | null = null
-      
-      const handleUrl = (event: { url: string }) => {
-        const callbackData = this.parseDeepLink(event.url)
-        if (callbackData) {
-          cleanup()
-          resolve(callbackData)
-        }
-      }
-
-      const cleanup = () => {
-        if (subscription?.remove) {
-          subscription.remove()
-        } else if (subscription) {
-          // For newer React Native versions
-          subscription()
-        }
-        if (timeoutId) {
-          clearTimeout(timeoutId)
-        }
-      }
-
-      // Check for initial URL (if app was opened from deep link)
-      Linking.getInitialURL().then((url: string | null) => {
-        if (url) {
-          const callbackData = this.parseDeepLink(url)
-          if (callbackData) {
-            cleanup()
-            resolve(callbackData)
-            return
-          }
-        }
-      }).catch((error: Error) => {
-        console.warn('Failed to get initial URL:', error)
-      })
-
-      // Listen for subsequent deep links
-      subscription = Linking.addEventListener('url', handleUrl)
-
-      // Timeout after 5 minutes
-      timeoutId = setTimeout(() => {
-        cleanup()
-        reject(new Error('OAuth timeout - user did not complete authorization'))
-      }, 5 * 60 * 1000)
-    })
-  }
-
-  private parseDeepLink(url: string): OAuthCallbackParams | null {
+  private parseRedirectUrl(url: string): OAuthCallbackParams | null {
     try {
-      // Handle custom scheme URLs (e.g., com.myapp://oauth/callback?code=123)
       const parsedUrl = new URL(url)
 
-      // Check if this is our OAuth callback
-      const expectedScheme = new URL(this.config.redirectUrl).protocol.slice(0, -1)
-      if (parsedUrl.protocol.slice(0, -1) !== expectedScheme) {
-        return null
-      }
-
       // Collect all query parameters
       const params: OAuthCallbackParams = {}
 
@@ -115,14 +69,14 @@ export class NativeOAuthClient<T = OAuthResult> implements OAuthClient<T> {
 
       return params
     } catch (error) {
-      console.warn('Failed to parse deep link URL:', url, error)
+      console.warn('Failed to parse redirect URL:', url, error)
       return null
     }
   }
 
   private buildOAuthUrl(state: string): string {
     const url = new URL(this.config.oauthUrl)
-    
+
     url.searchParams.set('redirect_uri', this.config.redirectUrl)
     url.searchParams.set('state', state)
 
@@ -145,4 +99,4 @@ export class NativeOAuthClient<T = OAuthResult> implements OAuthClient<T> {
     }
     return result
   }
-}
+}