react-native-nitro-auth 0.1.3 → 0.1.5

package/README.md

@@ -1,5 +1,9 @@
 # react-native-nitro-auth
 
+[![npm version](https://img.shields.io/npm/v/react-native-nitro-auth?style=flat-square)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
+[![Nitro Modules](https://img.shields.io/badge/Powered%20by-Nitro%20Modules-blueviolet?style=flat-square)](https://nitro.margelo.com)
+
 🚀 **High-performance, JSI-powered Authentication for React Native.**
 
 Nitro Auth is a modern authentication library for React Native built on top of [Nitro Modules](https://github.com/mrousavy/nitro). It provides a unified, type-safe API for Google and Apple Sign-In with zero-bridge overhead.
@@ -8,21 +12,24 @@ Nitro Auth is a modern authentication library for React Native built on top of [
 
 Nitro Auth is designed to replace legacy modules like `@react-native-google-signin/google-signin` with a modern, high-performance architecture.
 
-| Feature | Legacy Modules | Nitro Auth |
-| :--- | :--- | :--- |
+| Feature         | Legacy Modules               | Nitro Auth                     |
+| :-------------- | :--------------------------- | :----------------------------- |
 | **Performance** | Async bridge overhead (JSON) | **Direct JSI C++ (Zero-copy)** |
-| **Persistence** | Varies / Manual | **Built-in & Automatic** |
-| **Setup** | Manual async initialization | **Sync & declarative plugins** |
-| **Types** | Manual / Brittle | **Fully Generated (Nitrogen)** |
+| **Persistence** | Varies / Manual              | **Built-in & Automatic**       |
+| **Setup**       | Manual async initialization  | **Sync & declarative plugins** |
+| **Types**       | Manual / Brittle             | **Fully Generated (Nitrogen)** |
 
 ## Features
 
-- 🏎️ **Ultra-fast**: Direct C++ calls using JSI (no JSON serialization).
-- 🛡️ **Fully Type-Safe**: Shared types between TypeScript, C++, Swift, and Kotlin.
-- �� **Incremental Auth**: Request additional OAuth scopes on the fly.
-- 📦 **Expo Ready**: Comes with a powerful Config Plugin for zero-config setup.
-- 📱 **Cross-Platform**: Unified API for iOS, Android, and Web.
-- 🔁 **Auto-Refresh**: Synchronous access to tokens with automatic silent refresh.
+- **Ultra-fast**: Direct C++ calls using JSI (no JSON serialization).
+- **Fully Type-Safe**: Shared types between TypeScript, C++, Swift, and Kotlin.
+- **Incremental Auth**: Request additional OAuth scopes on the fly.
+- **Expo Ready**: Comes with a powerful Config Plugin for zero-config setup.
+- **Cross-Platform**: Unified API for iOS, Android, and Web.
+- **Auto-Refresh**: Synchronous access to tokens with automatic silent refresh.
+- **Google One-Tap**: Modern login experience on Android using Credential Manager.
+- **Custom Storage**: Pluggable storage adapters for secure persistence (e.g., Keychain).
+- **Refresh Interceptors**: Listen to token updates globally.
 
 ## Installation
 
@@ -57,8 +64,7 @@ Add the plugin to `app.json`:
 }
 ```
 
-> [!NOTE]
-> `googleServerClientId` is only required if you need a `serverAuthCode` for backend integration.
+> [!NOTE] > `googleServerClientId` is only required if you need a `serverAuthCode` for backend integration.
 
 ### Bare React Native
 
@@ -183,6 +189,49 @@ if (user?.serverAuthCode) {
 }
 ```
 
+### Custom Storage Adapter
+
+By default, Nitro Auth uses standard local storage. You can provide a custom adapter for better security (e.g., using `react-native-keychain`):
+
+```ts
+import { AuthService, AuthStorageAdapter } from "react-native-nitro-auth";
+
+const myStorage: AuthStorageAdapter = {
+  save: (key, value) => {
+    /* Save to Keychain */
+  },
+  load: (key) => {
+    /* Load from Keychain */
+  },
+  remove: (key) => {
+    /* Clear from Keychain */
+  },
+};
+
+AuthService.setStorageAdapter(myStorage);
+```
+
+### Token Refresh Listeners
+
+Perfect for updating your API client (e.g., Axios/Fetch) whenever tokens are refreshed in the background:
+
+```ts
+AuthService.onTokensRefreshed((tokens) => {
+  console.log("Tokens were updated!", tokens.accessToken);
+  apiClient.defaults.headers.common[
+    "Authorization"
+  ] = `Bearer ${tokens.accessToken}`;
+});
+```
+
+### Google One-Tap (Android)
+
+Explicitly enable the modern One-Tap flow on Android:
+
+```ts
+await login("google", { useOneTap: true });
+```
+
 ## API Reference
 
 ### useAuth Hook

package/android/build.gradle

@@ -45,6 +45,7 @@ android {
     minSdkVersion getExtOrIntegerDefault("minSdkVersion")
     targetSdkVersion getExtOrIntegerDefault("targetSdkVersion")
     buildConfigField "boolean", "IS_NEW_ARCHITECTURE_ENABLED", isNewArchitectureEnabled().toString()
+     consumerProguardFiles "proguard-rules.pro"
 
     externalNativeBuild {
       cmake {
@@ -63,7 +64,6 @@ android {
 
   buildFeatures {
     buildConfig true
-    consumerProguardFiles "proguard-rules.pro"
     prefab true
   }
 
@@ -89,12 +89,17 @@ repositories {
 
 dependencies {
   implementation "com.facebook.react:react-native:+"
-  implementation "org.jetbrains.kotlin:kotlin-stdlib:1.9.0"
+  implementation "org.jetbrains.kotlin:kotlin-stdlib:1.9.24"
   implementation project(":react-native-nitro-modules")
   
   // Google Sign-In SDK (full scope support)
-  implementation "com.google.android.gms:play-services-auth:21.3.0"
+  implementation "com.google.android.gms:play-services-auth:21.2.0"
   
   // Activity result APIs
   implementation "androidx.activity:activity-ktx:1.9.3"
+  
+  // Google Credential Manager (One-Tap / Passkeys)
+  implementation "androidx.credentials:credentials:1.5.0"
+  implementation "androidx.credentials:credentials-play-services-auth:1.5.0"
+  implementation "com.google.android.libraries.identity.googleid:googleid:1.1.1"
 }

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -24,7 +24,7 @@ static std::shared_ptr<Promise<AuthTokens>> gRefreshPromise;
 static std::shared_ptr<Promise<std::optional<AuthUser>>> gSilentPromise;
 static std::mutex gMutex;
 
-std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::vector<std::string>& scopes, const std::optional<std::string>& loginHint) {
+std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
     auto promise = Promise<AuthUser>::create();
     auto contextPtr = static_cast<jobject>(AuthCache::getAndroidContext());
     if (!contextPtr) {
@@ -38,6 +38,16 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     }
     
     std::string providerStr = (provider == AuthProvider::GOOGLE) ? "google" : "apple";
+    std::vector<std::string> scopes = {"email", "profile"};
+    std::optional<std::string> loginHint;
+    bool useOneTap = false;
+
+    if (options) {
+        if (options->scopes) scopes = *options->scopes;
+        loginHint = options->loginHint;
+        useOneTap = options->useOneTap.value_or(false);
+    }
+
     JNIEnv* env = Environment::current();
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
@@ -48,13 +58,14 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     jstring jLoginHint = loginHint.has_value() ? make_jstring(loginHint.value()).get() : nullptr;
     jclass adapterClass = env->FindClass("com/auth/AuthAdapter");
     jmethodID loginMethod = env->GetStaticMethodID(adapterClass, "loginSync", 
-        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)V");
+        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;Z)V");
     env->CallStaticVoidMethod(adapterClass, loginMethod, 
         contextPtr, 
         make_jstring(providerStr).get(),
         nullptr,
         jScopes,
-        jLoginHint);
+        jLoginHint,
+        (jboolean)useOneTap);
     
     return promise;
 }

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -10,12 +10,23 @@ import com.google.android.gms.auth.api.signin.GoogleSignInOptions
 import com.google.android.gms.common.GoogleApiAvailability
 import com.google.android.gms.common.ConnectionResult
 import com.google.android.gms.common.api.Scope
+import androidx.credentials.CredentialManager
+import androidx.credentials.GetCredentialRequest
+import androidx.credentials.GetCredentialResponse
+import com.google.android.libraries.identity.googleid.GetGoogleIdOption
+import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
+import android.app.Activity
+import android.app.Application
 
 object AuthAdapter {
     private const val TAG = "AuthAdapter"
     private const val PREF_NAME = "nitro_auth"
     
     private var appContext: Context? = null
+    private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var pendingScopes: List<String> = emptyList()
 
@@ -45,7 +56,19 @@ object AuthAdapter {
     private external fun nativeOnRefreshError(error: String)
 
     fun initialize(context: Context) {
-        appContext = context.applicationContext
+        val app = context.applicationContext as? Application
+        appContext = app
+        
+        app?.registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
+            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) { currentActivity = activity }
+            override fun onActivityStarted(activity: Activity) { currentActivity = activity }
+            override fun onActivityResumed(activity: Activity) { currentActivity = activity }
+            override fun onActivityPaused(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+            override fun onActivityStopped(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
+            override fun onActivityDestroyed(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+        })
+
         try {
             System.loadLibrary("NitroAuth")
             nativeInitialize(appContext!!)
@@ -73,7 +96,7 @@ object AuthAdapter {
     }
 
     @JvmStatic
-    fun loginSync(context: Context, provider: String, googleClientId: String?, scopes: Array<String>?, loginHint: String?) {
+    fun loginSync(context: Context, provider: String, googleClientId: String?, scopes: Array<String>?, loginHint: String?, useOneTap: Boolean) {
         if (provider == "apple") {
             nativeOnLoginError("Apple Sign-In is not supported on Android.")
             return
@@ -94,10 +117,84 @@ object AuthAdapter {
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
         pendingScopes = requestedScopes
 
-        val intent = GoogleSignInActivity.createIntent(ctx, clientId, requestedScopes.toTypedArray(), loginHint)
+        if (useOneTap) {
+            loginOneTap(context, clientId, requestedScopes)
+        } else {
+            val intent = GoogleSignInActivity.createIntent(ctx, clientId, requestedScopes.toTypedArray(), loginHint)
+            intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
+            ctx.startActivity(intent)
+        }
+    }
+
+    private fun loginOneTap(context: Context, clientId: String, scopes: List<String>) {
+        val activity = currentActivity ?: context as? Activity
+        if (activity == null) {
+            Log.w(TAG, "No Activity context available for One-Tap, falling back to legacy")
+            return loginLegacy(context, clientId, scopes)
+        }
+        
+        val credentialManager = CredentialManager.create(activity)
+        val googleIdOption = GetGoogleIdOption.Builder()
+            .setFilterByAuthorizedAccounts(false)
+            .setServerClientId(clientId)
+            .setAutoSelectEnabled(false) // Disable auto-select for testing so the sheet always shows
+            .build()
+
+        val request = GetCredentialRequest.Builder()
+            .addCredentialOption(googleIdOption)
+            .build()
+
+        CoroutineScope(Dispatchers.Main).launch {
+            try {
+                val result = credentialManager.getCredential(context = activity, request = request)
+                handleCredentialResponse(result, scopes)
+            } catch (e: Exception) {
+                Log.w(TAG, "One-Tap failed, falling back to legacy: ${e.message}")
+                loginLegacy(context, clientId, scopes)
+            }
+        }
+    }
+
+    private fun loginLegacy(context: Context, clientId: String, scopes: List<String>) {
+        val ctx = appContext ?: context.applicationContext
+        val intent = GoogleSignInActivity.createIntent(ctx, clientId, scopes.toTypedArray(), null)
+        intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
         ctx.startActivity(intent)
     }
 
+    private fun handleCredentialResponse(response: GetCredentialResponse, scopes: List<String>) {
+        val credential = response.credential
+        val googleIdTokenCredential = try {
+            if (credential is GoogleIdTokenCredential) {
+                credential
+            } else if (credential.type == "com.google.android.libraries.identity.googleid.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL") {
+                GoogleIdTokenCredential.createFrom(credential.data)
+            } else {
+                null
+            }
+        } catch (e: Exception) {
+            Log.e(TAG, "Failed to parse Google ID token credential: ${e.message}")
+            null
+        }
+
+        if (googleIdTokenCredential != null) {
+            nativeOnLoginSuccess(
+                "google",
+                googleIdTokenCredential.id,
+                googleIdTokenCredential.displayName,
+                googleIdTokenCredential.profilePictureUri?.toString(),
+                googleIdTokenCredential.idToken,
+                null,
+                null,
+                scopes.toTypedArray(),
+                null
+            )
+        } else {
+            Log.w(TAG, "Unsupported credential type: ${credential.type}")
+            nativeOnLoginError("Unsupported credential type: ${credential.type}")
+        }
+    }
+
     @JvmStatic
     fun requestScopesSync(context: Context, scopes: Array<String>) {
         val ctx = appContext ?: context.applicationContext

package/cpp/HybridAuth.cpp

@@ -6,6 +6,8 @@
 #include <chrono>
 
 namespace margelo::nitro::NitroAuth {
+ 
+bool HybridAuth::sLoggingEnabled = false;
 
 HybridAuth::HybridAuth() : HybridObject(TAG) {
   loadFromCache();
@@ -27,7 +29,14 @@ bool HybridAuth::getHasPlayServices() {
 
 void HybridAuth::loadFromCache() {
   std::lock_guard<std::mutex> lock(_mutex);
-  auto json = AuthCache::getUserJson();
+  std::optional<std::string> json;
+  
+  if (_storageAdapter) {
+    json = _storageAdapter->load("nitro_auth_user");
+  } else {
+    json = AuthCache::getUserJson();
+  }
+  
   if (json) {
     _currentUser = JSONSerializer::deserialize(*json);
     if (_currentUser && _currentUser->scopes) {
@@ -39,9 +48,17 @@ void HybridAuth::loadFromCache() {
 void HybridAuth::saveToCache(const std::optional<AuthUser>& user) {
   if (user) {
     auto json = JSONSerializer::serialize(*user);
-    AuthCache::setUserJson(json);
+    if (_storageAdapter) {
+      _storageAdapter->save("nitro_auth_user", json);
+    } else {
+      AuthCache::setUserJson(json);
+    }
   } else {
-    AuthCache::clear();
+    if (_storageAdapter) {
+      _storageAdapter->remove("nitro_auth_user");
+    } else {
+      AuthCache::clear();
+    }
   }
 }
 
@@ -71,6 +88,17 @@ std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(co
   };
 }
 
+std::function<void()> HybridAuth::onTokensRefreshed(const std::function<void(const AuthTokens&)>& callback) {
+  std::lock_guard<std::mutex> lock(_mutex);
+  int id = _nextTokenListenerId++;
+  _tokenListeners[id] = callback;
+  
+  return [this, id]() {
+    std::lock_guard<std::mutex> lock(_mutex);
+    _tokenListeners.erase(id);
+  };
+}
+
 void HybridAuth::logout() {
   {
     std::lock_guard<std::mutex> lock(_mutex);
@@ -84,20 +112,16 @@ void HybridAuth::logout() {
 
 std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
   auto promise = Promise<void>::create();
-  std::vector<std::string> scopes;
-  std::optional<std::string> loginHint;
-  if (options) {
-    if (options->scopes) scopes = *options->scopes;
-    loginHint = options->loginHint;
-  }
   
-  auto loginPromise = PlatformAuth::login(provider, scopes, loginHint);
-  loginPromise->addOnResolvedListener([this, promise, scopes](const AuthUser& user) {
+  auto loginPromise = PlatformAuth::login(provider, options);
+  loginPromise->addOnResolvedListener([this, promise, options](const AuthUser& user) {
     {
       std::lock_guard<std::mutex> lock(_mutex);
       _currentUser = user;
-      _grantedScopes = scopes;
-      if (_currentUser) _currentUser->scopes = scopes;
+      if (options && options->scopes) {
+        _grantedScopes = *options->scopes;
+      }
+      if (_currentUser) _currentUser->scopes = _grantedScopes;
       saveToCache(_currentUser);
     }
     notifyAuthStateChanged();
@@ -200,6 +224,7 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
         saveToCache(_currentUser);
       }
     }
+    notifyTokensRefreshed(tokens);
     notifyAuthStateChanged();
     promise->resolve(tokens);
   });
@@ -209,5 +234,31 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
   });
   return promise;
 }
+ 
+void HybridAuth::setLoggingEnabled(bool enabled) {
+  sLoggingEnabled = enabled;
+}
+
+void HybridAuth::setStorageAdapter(const std::optional<std::shared_ptr<HybridAuthStorageAdapterSpec>>& adapter) {
+  std::lock_guard<std::mutex> lock(_mutex);
+  _storageAdapter = adapter.value_or(nullptr);
+  if (_storageAdapter) {
+    loadFromCache();
+    notifyAuthStateChanged();
+  }
+}
+
+void HybridAuth::notifyTokensRefreshed(const AuthTokens& tokens) {
+  std::vector<std::function<void(const AuthTokens&)>> listeners;
+  {
+    std::lock_guard<std::mutex> lock(_mutex);
+    for (auto const& [id, listener] : _tokenListeners) {
+      listeners.push_back(listener);
+    }
+  }
+  for (const auto& listener : listeners) {
+    listener(tokens);
+  }
+}
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/HybridAuth.hpp

@@ -28,20 +28,30 @@ public:
 
   void logout() override;
   std::function<void()> onAuthStateChanged(const std::function<void(const std::optional<AuthUser>&)>& callback) override;
+  std::function<void()> onTokensRefreshed(const std::function<void(const AuthTokens&)>& callback) override;
+  void setLoggingEnabled(bool enabled) override;
+  void setStorageAdapter(const std::optional<std::shared_ptr<HybridAuthStorageAdapterSpec>>& adapter) override;
 
 private:
   void loadFromCache();
   void saveToCache(const std::optional<AuthUser>& user);
   void notifyAuthStateChanged();
+  void notifyTokensRefreshed(const AuthTokens& tokens);
 
 private:
   std::optional<AuthUser> _currentUser;
   std::vector<std::string> _grantedScopes;
   std::map<int, std::function<void(const std::optional<AuthUser>&)>> _listeners;
   int _nextListenerId = 0;
+  
+  std::shared_ptr<HybridAuthStorageAdapterSpec> _storageAdapter;
+  std::map<int, std::function<void(const AuthTokens&)>> _tokenListeners;
+  int _nextTokenListenerId = 0;
+  
   std::mutex _mutex;
 
   static constexpr auto TAG = "Auth";
+  static bool sLoggingEnabled;
 };
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/PlatformAuth.hpp

@@ -3,6 +3,7 @@
 #include "AuthProvider.hpp"
 #include "AuthUser.hpp"
 #include "AuthTokens.hpp"
+#include "LoginOptions.hpp"
 #include <NitroModules/Promise.hpp>
 #include <memory>
 #include <vector>
@@ -14,7 +15,7 @@ using namespace margelo::nitro;
 
 class PlatformAuth {
 public:
-  static std::shared_ptr<Promise<AuthUser>> login(AuthProvider provider, const std::vector<std::string>& scopes = {}, const std::optional<std::string>& loginHint = std::nullopt);
+  static std::shared_ptr<Promise<AuthUser>> login(AuthProvider provider, const std::optional<LoginOptions>& options = std::nullopt);
   static std::shared_ptr<Promise<AuthUser>> requestScopes(const std::vector<std::string>& scopes);
   static std::shared_ptr<Promise<AuthTokens>> refreshToken();
   static std::shared_ptr<Promise<std::optional<AuthUser>>> silentRestore();

package/ios/PlatformAuth+iOS.mm

@@ -11,14 +11,32 @@
 #import "react_native_nitro_auth-Swift.h"
 #endif
 
+#include "LoginOptions.hpp"
+
 namespace margelo::nitro::NitroAuth {
 
-std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::vector<std::string>& scopes, const std::optional<std::string>& loginHint) {
+std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
     auto promise = Promise<AuthUser>::create();
     NSString* providerStr = provider == AuthProvider::GOOGLE ? @"google" : @"apple";
-    NSMutableArray* scopesArray = [NSMutableArray arrayWithCapacity:scopes.size()];
-    for (const auto& scope : scopes) [scopesArray addObject:[NSString stringWithUTF8String:scope.c_str()]];
-    NSString* hintStr = loginHint.has_value() ? [NSString stringWithUTF8String:loginHint->c_str()] : nil;
+    
+    NSMutableArray* scopesArray = [NSMutableArray array];
+    NSString* hintStr = nil;
+    
+    if (options.has_value()) {
+        if (options->scopes.has_value()) {
+            for (const auto& scope : *options->scopes) {
+                [scopesArray addObject:[NSString stringWithUTF8String:scope.c_str()]];
+            }
+        }
+        if (options->loginHint.has_value()) {
+            hintStr = [NSString stringWithUTF8String:options->loginHint->c_str()];
+        }
+    }
+    
+    // Default scopes if none provided
+    if (scopesArray.count == 0) {
+        [scopesArray addObjectsFromArray:@[@"openid", @"email", @"profile"]];
+    }
     
     [AuthAdapter loginWithProvider:providerStr scopes:scopesArray loginHint:hintStr completion:^(NSDictionary* _Nullable data, NSString* _Nullable error) {
         if (error != nil) {