kasy-cli 1.32.0 → 1.35.0

package/templates/firebase/lib/features/authentication/api/authentication_api.dart

@@ -7,7 +7,10 @@ import 'package:flutter/services.dart';
 import 'package:flutter_facebook_auth/flutter_facebook_auth.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:google_sign_in/google_sign_in.dart';
+import 'package:kasy_kit/core/config/features.dart';
 import 'package:kasy_kit/core/data/entities/user_entity.dart';
+import 'package:kasy_kit/features/authentication/api/auth_web_support.dart'
+    if (dart.library.js_interop) 'package:kasy_kit/features/authentication/api/auth_web_support_web.dart';
 import 'package:kasy_kit/features/authentication/api/authentication_api_interface.dart';
 import 'package:kasy_kit/features/authentication/api/popup_dismiss_watcher.dart'
     if (dart.library.js_interop) 'package:kasy_kit/features/authentication/api/popup_dismiss_watcher_web.dart';
@@ -48,6 +51,23 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
       }
       _user = event;
     });
+    if (kIsWeb) {
+      // Complete a pending mobile-web redirect sign-in (see signinWithGoogle /
+      // signinWithApple / signinWithFacebook). On desktop, or when no redirect
+      // is pending, this resolves immediately and is a no-op.
+      try {
+        await _auth.getRedirectResult();
+      } on FirebaseAuthException catch (e) {
+        if (e.code == 'account-exists-with-different-credential') {
+          Logger().w(
+            'Redirect sign-in: an account already exists with this email '
+            'under a different provider.',
+          );
+        } else if (!_isUserCancelledPopup(e.code)) {
+          Logger().w('Redirect sign-in failed: ${e.code}');
+        }
+      }
+    }
     var attempts = 0;
     while (!hasInit && attempts < 20) {
       await Future.delayed(const Duration(milliseconds: 500));
@@ -177,6 +197,38 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
     }
   }
 
+  /// Mobile-web OAuth: start a full-page redirect to the provider instead of a
+  /// popup. Mobile browsers handle popups unreliably (the popup result is often
+  /// lost when the browser reclaims the backgrounded opener tab), leaving the app
+  /// stuck "signing in". The redirect result is picked up at startup by
+  /// [getRedirectResult] in [init]. The page is navigating away as soon as
+  /// [signInWithRedirect] resolves, so this future intentionally never completes
+  /// — the caller stays in its loading state until the browser leaves.
+  /// See [isMobileWebBrowser]. When a Firebase anonymous user exists we link the
+  /// provider to it (preserving the UID, same as the popup path does); otherwise
+  /// we sign in. The linked/signed-in user is materialised at startup by
+  /// [getRedirectResult].
+  Future<Credentials> _signInWithRedirectWeb(AuthProvider provider) async {
+    final current = _auth.currentUser;
+    if (current != null && current.isAnonymous) {
+      await current.linkWithRedirect(provider);
+    } else {
+      await _auth.signInWithRedirect(provider);
+    }
+    return Completer<Credentials>().future;
+  }
+
+  /// Mobile-web account linking (Settings): link [provider] to [user] via a
+  /// full-page redirect instead of a popup, for the same reason as
+  /// [_signInWithRedirectWeb]. The link is completed at startup by
+  /// [getRedirectResult] in [init] (it reconnects to the persisted user). The
+  /// page navigates away as [linkWithRedirect] resolves, so this future never
+  /// completes — the caller stays in its loading state until the browser leaves.
+  Future<void> _linkWithRedirectWeb(User user, AuthProvider provider) async {
+    await user.linkWithRedirect(provider);
+    return Completer<void>().future;
+  }
+
   @override
   Future<Credentials> signinWithGoogle() async {
     if (kIsWeb) {
@@ -188,6 +240,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
       // googleProvider.setCustomParameters({
       //   'login_hint': 'user@example.com'
       // });
+      if (isMobileWebBrowser()) {
+        return _signInWithRedirectWeb(googleProvider);
+      }
       try {
         final credentials = await _popupOrCancel(
           () => _auth.signInWithPopup(googleProvider),
@@ -200,6 +255,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
         if (_isUserCancelledPopup(e.code)) {
           throw const UserCancelledSignInException();
         }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
         rethrow;
       }
     }
@@ -232,6 +290,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
   Future<Credentials> signupFromAnonymousWithGoogle() async {
     if (kIsWeb) {
       final googleProvider = GoogleAuthProvider();
+      if (isMobileWebBrowser()) {
+        return _signInWithRedirectWeb(googleProvider);
+      }
       try {
         final userCredential = await _popupOrCancel(
           () => _auth.currentUser != null
@@ -246,6 +307,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
         if (_isUserCancelledPopup(e.code)) {
           throw const UserCancelledSignInException();
         }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
         if (e.code == 'credential-already-in-use') {
           // Delete orphaned anonymous user before signing in with existing account.
           final anonymousUser = _auth.currentUser;
@@ -285,6 +349,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
         if (_isUserCancelledPopup(e.code)) {
           throw const UserCancelledSignInException();
         }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
         rethrow;
       }
     }
@@ -323,6 +390,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
   Future<Credentials> signinWithApple() async {
     final appleProvider = AppleAuthProvider();
     appleProvider.addScope('email');
+    if (kIsWeb && isMobileWebBrowser()) {
+      return _signInWithRedirectWeb(appleProvider);
+    }
     try {
       final value = kIsWeb
           ? await _popupOrCancel(() => _auth.signInWithPopup(appleProvider))
@@ -335,6 +405,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
       if (e.code == 'canceled' || e.code == 'popup-closed-by-user' || e.code == 'cancelled-popup-request') {
         throw const UserCancelledSignInException();
       }
+      if (e.code == 'account-exists-with-different-credential') {
+        throw const EmailAlreadyRegisteredException();
+      }
       rethrow;
     }
   }
@@ -345,6 +418,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
   Future<Credentials> signupFromAnonymousWithApple() async {
     final appleProvider = AppleAuthProvider();
     appleProvider.addScope('email');
+    if (kIsWeb && isMobileWebBrowser()) {
+      return _signInWithRedirectWeb(appleProvider);
+    }
     final currentUser = _auth.currentUser;
     if (currentUser == null) {
       // No anonymous session — fall back to regular sign-in.
@@ -357,6 +433,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
         if (_isUserCancelledPopup(e.code)) {
           throw const UserCancelledSignInException();
         }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
         rethrow;
       }
     }
@@ -392,6 +471,49 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
   /// Falls back to regular sign-in if the Facebook account already exists.
   @override
   Future<Credentials> signupFromAnonymousWithFacebook() async {
+    // Web: use the Firebase popup (link to the anonymous user when present), same
+    // pattern as Apple/Google on web.
+    if (kIsWeb) {
+      final facebookProvider = FacebookAuthProvider();
+      facebookProvider.addScope('email');
+      if (isMobileWebBrowser()) {
+        return _signInWithRedirectWeb(facebookProvider);
+      }
+      final currentUser = _auth.currentUser;
+      if (currentUser == null) {
+        try {
+          final result = await _popupOrCancel(
+            () => _auth.signInWithPopup(facebookProvider),
+          );
+          return Credentials(id: result.user!.uid, token: result.credential?.token.toString() ?? '');
+        } on FirebaseAuthException catch (e) {
+          if (_isUserCancelledPopup(e.code)) throw const UserCancelledSignInException();
+          rethrow;
+        }
+      }
+      try {
+        final result = await _popupOrCancel(() => currentUser.linkWithPopup(facebookProvider));
+        return Credentials(id: result.user!.uid, token: result.credential?.token.toString() ?? '');
+      } on FirebaseAuthException catch (e) {
+        if (_isUserCancelledPopup(e.code)) throw const UserCancelledSignInException();
+        if (e.code == 'credential-already-in-use') {
+          final anonymousUser = _auth.currentUser;
+          if (anonymousUser != null && anonymousUser.isAnonymous) {
+            await anonymousUser.delete();
+          }
+          final cred = e.credential;
+          if (cred != null) {
+            final result = await _auth.signInWithCredential(cred);
+            return Credentials(id: result.user!.uid, token: result.credential?.token.toString() ?? '');
+          }
+          final result = await _popupOrCancel(
+            () => _auth.signInWithPopup(facebookProvider),
+          );
+          return Credentials(id: result.user!.uid, token: result.credential?.token.toString() ?? '');
+        }
+        rethrow;
+      }
+    }
     final loginResult = await FacebookAuth.instance.login();
     if (loginResult.status == LoginStatus.cancelled) throw const UserCancelledSignInException();
     if (loginResult.status != LoginStatus.success || loginResult.accessToken == null) {
@@ -407,6 +529,9 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
         if (_isUserCancelledPopup(e.code)) {
           throw const UserCancelledSignInException();
         }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
         rethrow;
       }
     }
@@ -429,6 +554,33 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
 
   @override
   Future<Credentials> signinWithFacebook() async {
+    // Web has no native Facebook SDK flow: use the Firebase popup, same as Google
+    // and Apple on web. Requires the Facebook provider enabled in Firebase
+    // (kasy facebook) and the redirect URI registered on Meta.
+    if (kIsWeb) {
+      final facebookProvider = FacebookAuthProvider();
+      facebookProvider.addScope('email');
+      if (isMobileWebBrowser()) {
+        return _signInWithRedirectWeb(facebookProvider);
+      }
+      try {
+        final value = await _popupOrCancel(
+          () => _auth.signInWithPopup(facebookProvider),
+        );
+        return Credentials(
+          id: value.user!.uid,
+          token: value.credential?.token.toString() ?? '',
+        );
+      } on FirebaseAuthException catch (e) {
+        if (_isUserCancelledPopup(e.code)) {
+          throw const UserCancelledSignInException();
+        }
+        if (e.code == 'account-exists-with-different-credential') {
+          throw const EmailAlreadyRegisteredException();
+        }
+        rethrow;
+      }
+    }
     final LoginResult loginResult = await FacebookAuth.instance.login();
     if (loginResult.status == LoginStatus.cancelled) throw const UserCancelledSignInException();
     if (loginResult.status != LoginStatus.success || loginResult.accessToken == null) {
@@ -563,6 +715,120 @@ class FirebaseAuthenticationApi implements AuthenticationApi {
   Future<String?> getCurrentUserDisplayName() async =>
       _auth.currentUser?.displayName;
 
+  @override
+  Future<String?> getCurrentUserPhotoUrl() async => _auth.currentUser?.photoURL;
+
+  @override
+  Future<List<String>> getLinkedProviders() async {
+    final providers = _auth.currentUser?.providerData;
+    if (providers == null) return const [];
+    return providers
+        .map((p) => switch (p.providerId) {
+              'google.com' => 'google',
+              'apple.com' => 'apple',
+              'facebook.com' => 'facebook',
+              'password' => 'email',
+              'phone' => 'phone',
+              _ => p.providerId,
+            })
+        .toList();
+  }
+
+  @override
+  Future<void> setPassword(String password) async {
+    final user = _auth.currentUser;
+    if (user == null) throw Exception('No signed-in user');
+    final hasPassword =
+        user.providerData.any((p) => p.providerId == 'password');
+    if (hasPassword) {
+      // Already has an email/password credential: just change it.
+      await user.updatePassword(password);
+      return;
+    }
+    // Social-only account: attach an email/password credential to the same UID.
+    final email = user.email;
+    if (email == null || email.isEmpty) {
+      throw Exception('Account has no email to attach a password to');
+    }
+    await user.linkWithCredential(
+      EmailAuthProvider.credential(email: email, password: password),
+    );
+  }
+
+  @override
+  Future<List<String>> linkableSocialProviders() async {
+    final user = _auth.currentUser;
+    if (user == null) return const [];
+    final linked = user.providerData
+        .map((p) => switch (p.providerId) {
+              'google.com' => 'google',
+              'apple.com' => 'apple',
+              'facebook.com' => 'facebook',
+              _ => p.providerId,
+            })
+        .toSet();
+    final result = <String>[];
+    if (!linked.contains('google')) result.add('google');
+    // Apple: native on iOS/macOS; on web only when the Apple web flow is set up.
+    final appleAvailable = kIsWeb
+        ? withAppleWebSignin
+        : (defaultTargetPlatform == TargetPlatform.iOS ||
+            defaultTargetPlatform == TargetPlatform.macOS);
+    if (appleAvailable && !linked.contains('apple')) result.add('apple');
+    return result;
+  }
+
+  @override
+  Future<void> linkSocialProvider(String provider) async {
+    final user = _auth.currentUser;
+    if (user == null) throw Exception('No signed-in user');
+    switch (provider) {
+      case 'google':
+        if (kIsWeb) {
+          if (isMobileWebBrowser()) {
+            return _linkWithRedirectWeb(user, GoogleAuthProvider());
+          }
+          await _popupOrCancel(() => user.linkWithPopup(GoogleAuthProvider()));
+          return;
+        }
+        try {
+          await GoogleSignIn.instance
+              .initialize(serverClientId: kGoogleWebClientId);
+          final googleUser = await GoogleSignIn.instance.authenticate();
+          final googleAuth = googleUser.authentication;
+          await user.linkWithCredential(
+            GoogleAuthProvider.credential(idToken: googleAuth.idToken),
+          );
+        } on GoogleSignInException catch (e) {
+          if (e.code == GoogleSignInExceptionCode.canceled) {
+            throw const UserCancelledSignInException();
+          }
+          rethrow;
+        }
+      case 'apple':
+        final appleProvider = AppleAuthProvider()..addScope('email');
+        if (kIsWeb && isMobileWebBrowser()) {
+          return _linkWithRedirectWeb(user, appleProvider);
+        }
+        try {
+          if (kIsWeb) {
+            await _popupOrCancel(() => user.linkWithPopup(appleProvider));
+          } else {
+            await user.linkWithProvider(appleProvider);
+          }
+        } on FirebaseAuthException catch (e) {
+          if (e.code == 'canceled' ||
+              e.code == 'popup-closed-by-user' ||
+              e.code == 'cancelled-popup-request') {
+            throw const UserCancelledSignInException();
+          }
+          rethrow;
+        }
+      default:
+        throw Exception('Unsupported provider: $provider');
+    }
+  }
+
   String _normalizePhoneNumber(String phoneNumber) {
     String normalized = phoneNumber.replaceAll(RegExp(r'\D'), '');
     if (!normalized.startsWith('+')) {

package/templates/firebase/lib/features/authentication/api/authentication_api_interface.dart

@@ -77,6 +77,28 @@ abstract class AuthenticationApi implements OnStartService {
 
   /// Returns the display name of the currently authenticated Firebase Auth user (if any).
   Future<String?> getCurrentUserDisplayName();
+
+  /// Returns the photo URL of the current user (e.g. Google profile picture), or null.
+  Future<String?> getCurrentUserPhotoUrl();
+
+  /// Returns ALL sign-in providers linked to the current account, each
+  /// normalised to 'google' | 'apple' | 'facebook' | 'email' | 'phone'.
+  /// Empty when there is no user or none can be determined.
+  Future<List<String>> getLinkedProviders();
+
+  /// Sets or updates an email/password credential for the current user, so a
+  /// social-only account can also sign in with email + password (same account,
+  /// no duplicate). Throws if there is no signed-in user.
+  Future<void> setPassword(String password);
+
+  /// Returns the social providers ('google'|'apple') the current user can still
+  /// link to their account (already-linked ones excluded). Empty on backends
+  /// that link identities automatically (e.g. Supabase).
+  Future<List<String>> linkableSocialProviders();
+
+  /// Links the given social provider ('google'|'apple') to the current account,
+  /// so it can also be used to sign in. Same account, no duplicate.
+  Future<void> linkSocialProvider(String provider);
 }
 
 class PhoneAlreadyLinkedException implements Exception {

package/templates/firebase/lib/features/authentication/navigation/post_login_navigation.dart

@@ -0,0 +1,32 @@
+import 'package:flutter/widgets.dart';
+import 'package:flutter_riverpod/flutter_riverpod.dart';
+import 'package:kasy_kit/core/bottom_menu/active_tab_notifier.dart';
+import 'package:kasy_kit/core/bottom_menu/web_url.dart';
+import 'package:kasy_kit/router.dart';
+
+/// Sends a freshly-authenticated user to Home — the single source of truth for
+/// post-login navigation.
+///
+/// EVERY sign-in flow (email/password, Google, Google Play Games, Apple,
+/// Facebook, phone and sign-up) calls this instead of navigating on its own, so
+/// they all behave identically:
+///   1. force the next bottom-bar mount to Home — a fresh login must land on
+///      Home, never on whatever tab (or stale web URL) a previous session left
+///      behind. This is a one-shot flag, so it wins the race against the auth
+///      page's own `redirectIfAuthenticated` (both navigate to `/`);
+///   2. navigate Home;
+///   3. on web, rewrite the address bar to `/` — the bottom bar (Bart) writes
+///      tab URLs directly and never writes Home's, so without this the URL stays
+///      frozen on the previous tab (e.g. `/settings`) while the screen is Home.
+///
+/// Adding a new sign-in method later? Call this one function and the tab reset
+/// comes for free — there is nothing to remember and nothing to duplicate, which
+/// is exactly what kept the old per-flow `go('/')` calls drifting out of sync.
+void goHomeAfterLogin(Ref ref) {
+  requestHomeOnNextMount();
+  ref.read(goRouterProvider).go('/');
+  // After the frame that mounts the Home shell, correct the address bar. Home
+  // never re-pushes the URL, so this `replaceState('/')` sticks.
+  WidgetsBinding.instance
+      .addPostFrameCallback((_) => syncBrowserUrl('/'));
+}

package/templates/firebase/lib/features/authentication/providers/phone_auth_notifier.dart

@@ -1,12 +1,13 @@
 import 'package:flutter/material.dart';
 import 'package:kasy_kit/core/data/models/user.dart';
+import 'package:kasy_kit/core/states/translations.dart';
 import 'package:kasy_kit/core/states/user_state_notifier.dart';
 import 'package:kasy_kit/core/toast/toast_service.dart';
 import 'package:kasy_kit/features/authentication/api/authentication_api_interface.dart';
+import 'package:kasy_kit/features/authentication/navigation/post_login_navigation.dart';
 import 'package:kasy_kit/features/authentication/providers/models/phone_signin_state.dart';
 import 'package:kasy_kit/features/authentication/repositories/authentication_repository.dart';
 import 'package:kasy_kit/features/authentication/repositories/exceptions/authentication_exceptions.dart';
-import 'package:kasy_kit/router.dart';
 import 'package:logger/logger.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
@@ -97,14 +98,13 @@ class PhoneAuthNotifier extends _$PhoneAuthNotifier {
         false => await _authRepository.verifyPhoneAuth(verificationId, otp),
       };
 
-      ref
-          .read(toastProvider)
-          .success(
-            title: "Success",
-            text: "You are now signed in with your phone number",
+      final tr = ref.read(translationsProvider).phone_auth;
+      ref.read(toastProvider).success(
+            title: tr.signin_success_title,
+            text: tr.signin_success_text,
           );
       await Future.delayed(const Duration(seconds: 2));
-      ref.read(goRouterProvider).go("/");
+      goHomeAfterLogin(ref);
     } on PhoneAuthException catch (e) {
       state = state.copyWith(isLoading: false, error: e.message);
     } on PhoneAlreadyLinkedException {

package/templates/firebase/lib/features/authentication/providers/signin_state_provider.dart

@@ -3,12 +3,12 @@ import 'package:kasy_kit/core/data/models/user.dart';
 import 'package:kasy_kit/core/states/translations.dart';
 import 'package:kasy_kit/core/states/user_state_notifier.dart';
 import 'package:kasy_kit/core/toast/toast_service.dart';
+import 'package:kasy_kit/features/authentication/navigation/post_login_navigation.dart';
 import 'package:kasy_kit/features/authentication/providers/models/email.dart';
 import 'package:kasy_kit/features/authentication/providers/models/password.dart';
 import 'package:kasy_kit/features/authentication/providers/models/signin_state.dart';
 import 'package:kasy_kit/features/authentication/repositories/authentication_repository.dart';
 import 'package:kasy_kit/features/authentication/repositories/exceptions/authentication_exceptions.dart';
-import 'package:kasy_kit/router.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'signin_state_provider.g.dart';
@@ -54,7 +54,7 @@ class SigninStateNotifier extends _$SigninStateNotifier {
       if (!ref.mounted) return;
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       debugPrint("Error while signing up: $e, $trace");
       if (!ref.mounted) return;
@@ -84,13 +84,19 @@ class SigninStateNotifier extends _$SigninStateNotifier {
       if (!ref.mounted) return;
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       if (!ref.mounted) return;
       state = SigninState(email: state.email, password: state.password);
       if (e is UserCancelledSignInException) return;
       debugPrint("Error while signing up: $e, $trace");
-      ref.read(toastProvider).error(title: 'Error', text: 'Cannot signin with Google');
+      final tr = ref.read(translationsProvider).auth.signin;
+      ref.read(toastProvider).error(
+            title: tr.error_title,
+            text: e is EmailAlreadyRegisteredException
+                ? tr.email_already_registered
+                : tr.social_error(provider: 'Google'),
+          );
     }
   }
 
@@ -104,13 +110,19 @@ class SigninStateNotifier extends _$SigninStateNotifier {
       if (!ref.mounted) return;
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       if (!ref.mounted) return;
       state = SigninState(email: state.email, password: state.password);
       if (e is UserCancelledSignInException) return;
       debugPrint("Error while signing up: $e, $trace");
-      ref.read(toastProvider).error(title: 'Error', text: 'Cannot signin with Google Play Games');
+      final tr = ref.read(translationsProvider).auth.signin;
+      ref.read(toastProvider).error(
+            title: tr.error_title,
+            text: e is EmailAlreadyRegisteredException
+                ? tr.email_already_registered
+                : tr.social_error(provider: 'Google Play Games'),
+          );
     }
   }
 
@@ -129,13 +141,19 @@ class SigninStateNotifier extends _$SigninStateNotifier {
       if (!ref.mounted) return;
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       if (!ref.mounted) return;
       state = SigninState(email: state.email, password: state.password);
       if (e is UserCancelledSignInException) return;
       debugPrint("Error while signing up: $e, $trace");
-      ref.read(toastProvider).error(title: 'Error', text: 'Cannot signin with Apple');
+      final tr = ref.read(translationsProvider).auth.signin;
+      ref.read(toastProvider).error(
+            title: tr.error_title,
+            text: e is EmailAlreadyRegisteredException
+                ? tr.email_already_registered
+                : tr.social_error(provider: 'Apple'),
+          );
     }
   }
 
@@ -154,13 +172,19 @@ class SigninStateNotifier extends _$SigninStateNotifier {
       if (!ref.mounted) return;
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       if (!ref.mounted) return;
       state = SigninState(email: state.email, password: state.password);
       if (e is UserCancelledSignInException) return;
       debugPrint("Error while signing up: $e, $trace");
-      ref.read(toastProvider).error(title: 'Error', text: 'Cannot signin with Facebook');
+      final tr = ref.read(translationsProvider).auth.signin;
+      ref.read(toastProvider).error(
+            title: tr.error_title,
+            text: e is EmailAlreadyRegisteredException
+                ? tr.email_already_registered
+                : tr.social_error(provider: 'Facebook'),
+          );
     }
   }
 }

package/templates/firebase/lib/features/authentication/providers/signup_state_provider.dart

@@ -2,11 +2,11 @@ import 'package:flutter/material.dart';
 import 'package:kasy_kit/core/states/translations.dart';
 import 'package:kasy_kit/core/states/user_state_notifier.dart';
 import 'package:kasy_kit/core/toast/toast_service.dart';
+import 'package:kasy_kit/features/authentication/navigation/post_login_navigation.dart';
 import 'package:kasy_kit/features/authentication/providers/models/email.dart';
 import 'package:kasy_kit/features/authentication/providers/models/password.dart';
 import 'package:kasy_kit/features/authentication/providers/models/signup_state.dart';
 import 'package:kasy_kit/features/authentication/repositories/authentication_repository.dart';
-import 'package:kasy_kit/router.dart';
 import 'package:riverpod_annotation/riverpod_annotation.dart';
 
 part 'signup_state_provider.g.dart';
@@ -53,7 +53,7 @@ class SignupStateNotifier extends _$SignupStateNotifier {
       await Future.delayed(const Duration(milliseconds: 1500));
       await _userStateNotifier.onSignin();
       if (!ref.mounted) return;
-      ref.read(goRouterProvider).go('/');
+      goHomeAfterLogin(ref);
     } catch (e, trace) {
       debugPrint("Error while signing up: $e, $trace");
       state = SignupState(email: state.email, password: state.password);

package/templates/firebase/lib/features/authentication/repositories/authentication_repository.dart

@@ -69,6 +69,23 @@ abstract class AuthenticationRepository {
   /// Returns the display name of the authenticated Firebase Auth user.
   Future<String?> getCurrentUserDisplayName();
 
+  /// Returns the photo URL of the current user (e.g. Google picture), or null.
+  Future<String?> getCurrentUserPhotoUrl();
+
+  /// Returns all sign-in providers linked to the current account
+  /// ('google'|'apple'|'facebook'|'email'|'phone'). Empty if none.
+  Future<List<String>> getLinkedProviders();
+
+  /// Sets or updates an email/password credential for the current user, so a
+  /// social-only account can also sign in with email + password.
+  Future<void> setPassword(String password);
+
+  /// Social providers the current user can still link to their account.
+  Future<List<String>> linkableSocialProviders();
+
+  /// Links a social provider ('google'|'apple') to the current account.
+  Future<void> linkSocialProvider(String provider);
+
   /// Signin with Google Play Games account on Android
   Future<void> signinWithGooglePlayGames();
 
@@ -263,6 +280,26 @@ class HttpAuthenticationRepository implements AuthenticationRepository {
   Future<String?> getCurrentUserDisplayName() =>
       _authenticationApi.getCurrentUserDisplayName();
 
+  @override
+  Future<String?> getCurrentUserPhotoUrl() =>
+      _authenticationApi.getCurrentUserPhotoUrl();
+
+  @override
+  Future<List<String>> getLinkedProviders() =>
+      _authenticationApi.getLinkedProviders();
+
+  @override
+  Future<void> setPassword(String password) =>
+      _authenticationApi.setPassword(password);
+
+  @override
+  Future<List<String>> linkableSocialProviders() =>
+      _authenticationApi.linkableSocialProviders();
+
+  @override
+  Future<void> linkSocialProvider(String provider) =>
+      _authenticationApi.linkSocialProvider(provider);
+
   @override
   Future<void> signinWithGooglePlayGames() async {
     try {

package/templates/firebase/lib/features/authentication/repositories/exceptions/authentication_exceptions.dart

@@ -70,6 +70,14 @@ class UserCancelledSignInException implements Exception {
   const UserCancelledSignInException();
 }
 
+/// Thrown when a social sign-in is attempted with an email that already has an
+/// account created with a different method (e.g. email/password or another
+/// social provider). Lets the UI show a clear "email already in use" message
+/// instead of a generic error, and avoids creating a duplicate account.
+class EmailAlreadyRegisteredException implements Exception {
+  const EmailAlreadyRegisteredException();
+}
+
 class PhoneAuthException extends ApiError {
   PhoneAuthException({
     required super.code,