react-native-nitro-auth 0.1.4 → 0.1.6

package/README.md

@@ -1,5 +1,9 @@
 # react-native-nitro-auth
 
+[![npm version](https://img.shields.io/npm/v/react-native-nitro-auth?style=flat-square)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
+[![Nitro Modules](https://img.shields.io/badge/Powered%20by-Nitro%20Modules-blueviolet?style=flat-square)](https://nitro.margelo.com)
+
 🚀 **High-performance, JSI-powered Authentication for React Native.**
 
 Nitro Auth is a modern authentication library for React Native built on top of [Nitro Modules](https://github.com/mrousavy/nitro). It provides a unified, type-safe API for Google and Apple Sign-In with zero-bridge overhead.
@@ -23,6 +27,9 @@ Nitro Auth is designed to replace legacy modules like `@react-native-google-sign
 - **Expo Ready**: Comes with a powerful Config Plugin for zero-config setup.
 - **Cross-Platform**: Unified API for iOS, Android, and Web.
 - **Auto-Refresh**: Synchronous access to tokens with automatic silent refresh.
+- **Google One-Tap**: Modern login experience on Android using Credential Manager.
+- **Custom Storage**: Pluggable storage adapters for secure persistence (e.g., Keychain).
+- **Refresh Interceptors**: Listen to token updates globally.
 
 ## Installation
 
@@ -45,7 +52,8 @@ Add the plugin to `app.json`:
           "ios": {
             "googleClientId": "YOUR_IOS_CLIENT_ID.apps.googleusercontent.com",
             "googleServerClientId": "YOUR_WEB_CLIENT_ID.apps.googleusercontent.com",
-            "googleUrlScheme": "com.googleusercontent.apps.YOUR_IOS_CLIENT_ID"
+            "googleUrlScheme": "com.googleusercontent.apps.YOUR_IOS_CLIENT_ID",
+            "appleSignIn": true
           },
           "android": {
             "googleClientId": "YOUR_ANDROID_CLIENT_ID.apps.googleusercontent.com"
@@ -57,7 +65,9 @@ Add the plugin to `app.json`:
 }
 ```
 
-> [!NOTE] > `googleServerClientId` is only required if you need a `serverAuthCode` for backend integration.
+> [!NOTE]
+> `appleSignIn` on iOS is `false` by default to avoid unnecessary entitlements. Set it to `true` to enable Apple Sign-In.
+> `googleServerClientId` is only required if you need a `serverAuthCode` for backend integration.
 
 ### Bare React Native
 
@@ -182,6 +192,49 @@ if (user?.serverAuthCode) {
 }
 ```
 
+### Custom Storage Adapter
+
+By default, Nitro Auth uses standard local storage. You can provide a custom adapter for better security (e.g., using `react-native-keychain`):
+
+```ts
+import { AuthService, AuthStorageAdapter } from "react-native-nitro-auth";
+
+const myStorage: AuthStorageAdapter = {
+  save: (key, value) => {
+    /* Save to Keychain */
+  },
+  load: (key) => {
+    /* Load from Keychain */
+  },
+  remove: (key) => {
+    /* Clear from Keychain */
+  },
+};
+
+AuthService.setStorageAdapter(myStorage);
+```
+
+### Token Refresh Listeners
+
+Perfect for updating your API client (e.g., Axios/Fetch) whenever tokens are refreshed in the background:
+
+```ts
+AuthService.onTokensRefreshed((tokens) => {
+  console.log("Tokens were updated!", tokens.accessToken);
+  apiClient.defaults.headers.common[
+    "Authorization"
+  ] = `Bearer ${tokens.accessToken}`;
+});
+```
+
+### Google One-Tap (Android)
+
+Explicitly enable the modern One-Tap flow on Android:
+
+```ts
+await login("google", { useOneTap: true });
+```
+
 ## API Reference
 
 ### useAuth Hook

package/android/build.gradle

@@ -89,12 +89,17 @@ repositories {
 
 dependencies {
   implementation "com.facebook.react:react-native:+"
-  implementation "org.jetbrains.kotlin:kotlin-stdlib:1.9.0"
+  implementation "org.jetbrains.kotlin:kotlin-stdlib:1.9.24"
   implementation project(":react-native-nitro-modules")
   
   // Google Sign-In SDK (full scope support)
-  implementation "com.google.android.gms:play-services-auth:21.3.0"
+  implementation "com.google.android.gms:play-services-auth:21.2.0"
   
   // Activity result APIs
   implementation "androidx.activity:activity-ktx:1.9.3"
+  
+  // Google Credential Manager (One-Tap / Passkeys)
+  implementation "androidx.credentials:credentials:1.5.0"
+  implementation "androidx.credentials:credentials-play-services-auth:1.5.0"
+  implementation "com.google.android.libraries.identity.googleid:googleid:1.1.1"
 }

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -24,7 +24,7 @@ static std::shared_ptr<Promise<AuthTokens>> gRefreshPromise;
 static std::shared_ptr<Promise<std::optional<AuthUser>>> gSilentPromise;
 static std::mutex gMutex;
 
-std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::vector<std::string>& scopes, const std::optional<std::string>& loginHint) {
+std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
     auto promise = Promise<AuthUser>::create();
     auto contextPtr = static_cast<jobject>(AuthCache::getAndroidContext());
     if (!contextPtr) {
@@ -38,6 +38,16 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     }
     
     std::string providerStr = (provider == AuthProvider::GOOGLE) ? "google" : "apple";
+    std::vector<std::string> scopes = {"email", "profile"};
+    std::optional<std::string> loginHint;
+    bool useOneTap = false;
+
+    if (options) {
+        if (options->scopes) scopes = *options->scopes;
+        loginHint = options->loginHint;
+        useOneTap = options->useOneTap.value_or(false);
+    }
+
     JNIEnv* env = Environment::current();
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
@@ -48,13 +58,14 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     jstring jLoginHint = loginHint.has_value() ? make_jstring(loginHint.value()).get() : nullptr;
     jclass adapterClass = env->FindClass("com/auth/AuthAdapter");
     jmethodID loginMethod = env->GetStaticMethodID(adapterClass, "loginSync", 
-        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)V");
+        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;Z)V");
     env->CallStaticVoidMethod(adapterClass, loginMethod, 
         contextPtr, 
         make_jstring(providerStr).get(),
         nullptr,
         jScopes,
-        jLoginHint);
+        jLoginHint,
+        (jboolean)useOneTap);
     
     return promise;
 }

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -10,12 +10,23 @@ import com.google.android.gms.auth.api.signin.GoogleSignInOptions
 import com.google.android.gms.common.GoogleApiAvailability
 import com.google.android.gms.common.ConnectionResult
 import com.google.android.gms.common.api.Scope
+import androidx.credentials.CredentialManager
+import androidx.credentials.GetCredentialRequest
+import androidx.credentials.GetCredentialResponse
+import com.google.android.libraries.identity.googleid.GetGoogleIdOption
+import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
+import android.app.Activity
+import android.app.Application
 
 object AuthAdapter {
     private const val TAG = "AuthAdapter"
     private const val PREF_NAME = "nitro_auth"
     
     private var appContext: Context? = null
+    private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var pendingScopes: List<String> = emptyList()
 
@@ -45,7 +56,19 @@ object AuthAdapter {
     private external fun nativeOnRefreshError(error: String)
 
     fun initialize(context: Context) {
-        appContext = context.applicationContext
+        val app = context.applicationContext as? Application
+        appContext = app
+        
+        app?.registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
+            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) { currentActivity = activity }
+            override fun onActivityStarted(activity: Activity) { currentActivity = activity }
+            override fun onActivityResumed(activity: Activity) { currentActivity = activity }
+            override fun onActivityPaused(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+            override fun onActivityStopped(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
+            override fun onActivityDestroyed(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+        })
+
         try {
             System.loadLibrary("NitroAuth")
             nativeInitialize(appContext!!)
@@ -73,7 +96,7 @@ object AuthAdapter {
     }
 
     @JvmStatic
-    fun loginSync(context: Context, provider: String, googleClientId: String?, scopes: Array<String>?, loginHint: String?) {
+    fun loginSync(context: Context, provider: String, googleClientId: String?, scopes: Array<String>?, loginHint: String?, useOneTap: Boolean) {
         if (provider == "apple") {
             nativeOnLoginError("Apple Sign-In is not supported on Android.")
             return
@@ -94,10 +117,84 @@ object AuthAdapter {
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
         pendingScopes = requestedScopes
 
-        val intent = GoogleSignInActivity.createIntent(ctx, clientId, requestedScopes.toTypedArray(), loginHint)
+        if (useOneTap) {
+            loginOneTap(context, clientId, requestedScopes)
+        } else {
+            val intent = GoogleSignInActivity.createIntent(ctx, clientId, requestedScopes.toTypedArray(), loginHint)
+            intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
+            ctx.startActivity(intent)
+        }
+    }
+
+    private fun loginOneTap(context: Context, clientId: String, scopes: List<String>) {
+        val activity = currentActivity ?: context as? Activity
+        if (activity == null) {
+            Log.w(TAG, "No Activity context available for One-Tap, falling back to legacy")
+            return loginLegacy(context, clientId, scopes)
+        }
+        
+        val credentialManager = CredentialManager.create(activity)
+        val googleIdOption = GetGoogleIdOption.Builder()
+            .setFilterByAuthorizedAccounts(false)
+            .setServerClientId(clientId)
+            .setAutoSelectEnabled(false) // Disable auto-select for testing so the sheet always shows
+            .build()
+
+        val request = GetCredentialRequest.Builder()
+            .addCredentialOption(googleIdOption)
+            .build()
+
+        CoroutineScope(Dispatchers.Main).launch {
+            try {
+                val result = credentialManager.getCredential(context = activity, request = request)
+                handleCredentialResponse(result, scopes)
+            } catch (e: Exception) {
+                Log.w(TAG, "One-Tap failed, falling back to legacy: ${e.message}")
+                loginLegacy(context, clientId, scopes)
+            }
+        }
+    }
+
+    private fun loginLegacy(context: Context, clientId: String, scopes: List<String>) {
+        val ctx = appContext ?: context.applicationContext
+        val intent = GoogleSignInActivity.createIntent(ctx, clientId, scopes.toTypedArray(), null)
+        intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
         ctx.startActivity(intent)
     }
 
+    private fun handleCredentialResponse(response: GetCredentialResponse, scopes: List<String>) {
+        val credential = response.credential
+        val googleIdTokenCredential = try {
+            if (credential is GoogleIdTokenCredential) {
+                credential
+            } else if (credential.type == "com.google.android.libraries.identity.googleid.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL") {
+                GoogleIdTokenCredential.createFrom(credential.data)
+            } else {
+                null
+            }
+        } catch (e: Exception) {
+            Log.e(TAG, "Failed to parse Google ID token credential: ${e.message}")
+            null
+        }
+
+        if (googleIdTokenCredential != null) {
+            nativeOnLoginSuccess(
+                "google",
+                googleIdTokenCredential.id,
+                googleIdTokenCredential.displayName,
+                googleIdTokenCredential.profilePictureUri?.toString(),
+                googleIdTokenCredential.idToken,
+                null,
+                null,
+                scopes.toTypedArray(),
+                null
+            )
+        } else {
+            Log.w(TAG, "Unsupported credential type: ${credential.type}")
+            nativeOnLoginError("Unsupported credential type: ${credential.type}")
+        }
+    }
+
     @JvmStatic
     fun requestScopesSync(context: Context, scopes: Array<String>) {
         val ctx = appContext ?: context.applicationContext

package/app.plugin.js

@@ -36,10 +36,12 @@ const withNitroAuth = (config, props = {}) => {
   });
 
   // 2. iOS Entitlements
-  config = withEntitlementsPlist(config, (config) => {
-    config.modResults["com.apple.developer.applesignin"] = ["Default"];
-    return config;
-  });
+  if (ios.appleSignIn === true) {
+    config = withEntitlementsPlist(config, (config) => {
+      config.modResults["com.apple.developer.applesignin"] = ["Default"];
+      return config;
+    });
+  }
 
   // 3. Android Strings (for Google Client ID)
   config = withStringsXml(config, (config) => {
@@ -63,5 +65,5 @@ const withNitroAuth = (config, props = {}) => {
 module.exports = createRunOncePlugin(
   withNitroAuth,
   "react-native-nitro-auth",
-  "0.1.3"
+  "0.1.6"
 );

package/cpp/HybridAuth.cpp

@@ -29,7 +29,14 @@ bool HybridAuth::getHasPlayServices() {
 
 void HybridAuth::loadFromCache() {
   std::lock_guard<std::mutex> lock(_mutex);
-  auto json = AuthCache::getUserJson();
+  std::optional<std::string> json;
+  
+  if (_storageAdapter) {
+    json = _storageAdapter->load("nitro_auth_user");
+  } else {
+    json = AuthCache::getUserJson();
+  }
+  
   if (json) {
     _currentUser = JSONSerializer::deserialize(*json);
     if (_currentUser && _currentUser->scopes) {
@@ -41,9 +48,17 @@ void HybridAuth::loadFromCache() {
 void HybridAuth::saveToCache(const std::optional<AuthUser>& user) {
   if (user) {
     auto json = JSONSerializer::serialize(*user);
-    AuthCache::setUserJson(json);
+    if (_storageAdapter) {
+      _storageAdapter->save("nitro_auth_user", json);
+    } else {
+      AuthCache::setUserJson(json);
+    }
   } else {
-    AuthCache::clear();
+    if (_storageAdapter) {
+      _storageAdapter->remove("nitro_auth_user");
+    } else {
+      AuthCache::clear();
+    }
   }
 }
 
@@ -73,6 +88,17 @@ std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(co
   };
 }
 
+std::function<void()> HybridAuth::onTokensRefreshed(const std::function<void(const AuthTokens&)>& callback) {
+  std::lock_guard<std::mutex> lock(_mutex);
+  int id = _nextTokenListenerId++;
+  _tokenListeners[id] = callback;
+  
+  return [this, id]() {
+    std::lock_guard<std::mutex> lock(_mutex);
+    _tokenListeners.erase(id);
+  };
+}
+
 void HybridAuth::logout() {
   {
     std::lock_guard<std::mutex> lock(_mutex);
@@ -86,20 +112,16 @@ void HybridAuth::logout() {
 
 std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
   auto promise = Promise<void>::create();
-  std::vector<std::string> scopes;
-  std::optional<std::string> loginHint;
-  if (options) {
-    if (options->scopes) scopes = *options->scopes;
-    loginHint = options->loginHint;
-  }
   
-  auto loginPromise = PlatformAuth::login(provider, scopes, loginHint);
-  loginPromise->addOnResolvedListener([this, promise, scopes](const AuthUser& user) {
+  auto loginPromise = PlatformAuth::login(provider, options);
+  loginPromise->addOnResolvedListener([this, promise, options](const AuthUser& user) {
     {
       std::lock_guard<std::mutex> lock(_mutex);
       _currentUser = user;
-      _grantedScopes = scopes;
-      if (_currentUser) _currentUser->scopes = scopes;
+      if (options && options->scopes) {
+        _grantedScopes = *options->scopes;
+      }
+      if (_currentUser) _currentUser->scopes = _grantedScopes;
       saveToCache(_currentUser);
     }
     notifyAuthStateChanged();
@@ -202,6 +224,7 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
         saveToCache(_currentUser);
       }
     }
+    notifyTokensRefreshed(tokens);
     notifyAuthStateChanged();
     promise->resolve(tokens);
   });
@@ -216,4 +239,26 @@ void HybridAuth::setLoggingEnabled(bool enabled) {
   sLoggingEnabled = enabled;
 }
 
+void HybridAuth::setStorageAdapter(const std::optional<std::shared_ptr<HybridAuthStorageAdapterSpec>>& adapter) {
+  std::lock_guard<std::mutex> lock(_mutex);
+  _storageAdapter = adapter.value_or(nullptr);
+  if (_storageAdapter) {
+    loadFromCache();
+    notifyAuthStateChanged();
+  }
+}
+
+void HybridAuth::notifyTokensRefreshed(const AuthTokens& tokens) {
+  std::vector<std::function<void(const AuthTokens&)>> listeners;
+  {
+    std::lock_guard<std::mutex> lock(_mutex);
+    for (auto const& [id, listener] : _tokenListeners) {
+      listeners.push_back(listener);
+    }
+  }
+  for (const auto& listener : listeners) {
+    listener(tokens);
+  }
+}
+
 } // namespace margelo::nitro::NitroAuth

package/cpp/HybridAuth.hpp

@@ -28,18 +28,26 @@ public:
 
   void logout() override;
   std::function<void()> onAuthStateChanged(const std::function<void(const std::optional<AuthUser>&)>& callback) override;
+  std::function<void()> onTokensRefreshed(const std::function<void(const AuthTokens&)>& callback) override;
   void setLoggingEnabled(bool enabled) override;
+  void setStorageAdapter(const std::optional<std::shared_ptr<HybridAuthStorageAdapterSpec>>& adapter) override;
 
 private:
   void loadFromCache();
   void saveToCache(const std::optional<AuthUser>& user);
   void notifyAuthStateChanged();
+  void notifyTokensRefreshed(const AuthTokens& tokens);
 
 private:
   std::optional<AuthUser> _currentUser;
   std::vector<std::string> _grantedScopes;
   std::map<int, std::function<void(const std::optional<AuthUser>&)>> _listeners;
   int _nextListenerId = 0;
+  
+  std::shared_ptr<HybridAuthStorageAdapterSpec> _storageAdapter;
+  std::map<int, std::function<void(const AuthTokens&)>> _tokenListeners;
+  int _nextTokenListenerId = 0;
+  
   std::mutex _mutex;
 
   static constexpr auto TAG = "Auth";

package/cpp/PlatformAuth.hpp

@@ -3,6 +3,7 @@
 #include "AuthProvider.hpp"
 #include "AuthUser.hpp"
 #include "AuthTokens.hpp"
+#include "LoginOptions.hpp"
 #include <NitroModules/Promise.hpp>
 #include <memory>
 #include <vector>
@@ -14,7 +15,7 @@ using namespace margelo::nitro;
 
 class PlatformAuth {
 public:
-  static std::shared_ptr<Promise<AuthUser>> login(AuthProvider provider, const std::vector<std::string>& scopes = {}, const std::optional<std::string>& loginHint = std::nullopt);
+  static std::shared_ptr<Promise<AuthUser>> login(AuthProvider provider, const std::optional<LoginOptions>& options = std::nullopt);
   static std::shared_ptr<Promise<AuthUser>> requestScopes(const std::vector<std::string>& scopes);
   static std::shared_ptr<Promise<AuthTokens>> refreshToken();
   static std::shared_ptr<Promise<std::optional<AuthUser>>> silentRestore();

package/ios/PlatformAuth+iOS.mm

@@ -11,14 +11,32 @@
 #import "react_native_nitro_auth-Swift.h"
 #endif
 
+#include "LoginOptions.hpp"
+
 namespace margelo::nitro::NitroAuth {
 
-std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::vector<std::string>& scopes, const std::optional<std::string>& loginHint) {
+std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
     auto promise = Promise<AuthUser>::create();
     NSString* providerStr = provider == AuthProvider::GOOGLE ? @"google" : @"apple";
-    NSMutableArray* scopesArray = [NSMutableArray arrayWithCapacity:scopes.size()];
-    for (const auto& scope : scopes) [scopesArray addObject:[NSString stringWithUTF8String:scope.c_str()]];
-    NSString* hintStr = loginHint.has_value() ? [NSString stringWithUTF8String:loginHint->c_str()] : nil;
+    
+    NSMutableArray* scopesArray = [NSMutableArray array];
+    NSString* hintStr = nil;
+    
+    if (options.has_value()) {
+        if (options->scopes.has_value()) {
+            for (const auto& scope : *options->scopes) {
+                [scopesArray addObject:[NSString stringWithUTF8String:scope.c_str()]];
+            }
+        }
+        if (options->loginHint.has_value()) {
+            hintStr = [NSString stringWithUTF8String:options->loginHint->c_str()];
+        }
+    }
+    
+    // Default scopes if none provided
+    if (scopesArray.count == 0) {
+        [scopesArray addObjectsFromArray:@[@"openid", @"email", @"profile"]];
+    }
     
     [AuthAdapter loginWithProvider:providerStr scopes:scopesArray loginHint:hintStr completion:^(NSDictionary* _Nullable data, NSString* _Nullable error) {
         if (error != nil) {

package/lib/commonjs/Auth.web.js

@@ -19,24 +19,35 @@ const getConfig = () => {
 class AuthWeb {
   _grantedScopes = [];
   _listeners = [];
+  _tokenListeners = [];
   constructor() {
-    const cached = localStorage.getItem(CACHE_KEY);
+    this.loadFromCache();
+  }
+  loadFromCache() {
+    const cached = this._storageAdapter ? this._storageAdapter.load(CACHE_KEY) : localStorage.getItem(CACHE_KEY);
     if (cached) {
       try {
         this._currentUser = JSON.parse(cached);
       } catch {
-        localStorage.removeItem(CACHE_KEY);
+        this.removeFromCache(CACHE_KEY);
       }
     }
-    const scopes = localStorage.getItem(SCOPES_KEY);
+    const scopes = this._storageAdapter ? this._storageAdapter.load(SCOPES_KEY) : localStorage.getItem(SCOPES_KEY);
     if (scopes) {
       try {
         this._grantedScopes = JSON.parse(scopes);
       } catch {
-        localStorage.removeItem(SCOPES_KEY);
+        this.removeFromCache(SCOPES_KEY);
       }
     }
   }
+  removeFromCache(key) {
+    if (this._storageAdapter) {
+      this._storageAdapter.remove(key);
+    } else {
+      localStorage.removeItem(key);
+    }
+  }
   get currentUser() {
     return this._currentUser;
   }
@@ -53,6 +64,12 @@ class AuthWeb {
       this._listeners = this._listeners.filter(l => l !== callback);
     };
   }
+  onTokensRefreshed(callback) {
+    this._tokenListeners.push(callback);
+    return () => {
+      this._tokenListeners = this._tokenListeners.filter(l => l !== callback);
+    };
+  }
   notify() {
     this._listeners.forEach(l => l(this._currentUser));
   }
@@ -93,7 +110,11 @@ class AuthWeb {
   async revokeScopes(scopes) {
     _logger.logger.log("Revoking scopes:", scopes);
     this._grantedScopes = this._grantedScopes.filter(s => !scopes.includes(s));
-    localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
+    if (this._storageAdapter) {
+      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(this._grantedScopes));
+    } else {
+      localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
+    }
     if (this._currentUser) {
       this._currentUser.scopes = this._grantedScopes;
       this.updateUser(this._currentUser);
@@ -118,10 +139,12 @@ class AuthWeb {
     }
     _logger.logger.log("Refreshing tokens...");
     await this.loginGoogle(this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES);
-    return {
+    const tokens = {
       accessToken: this._currentUser.accessToken,
       idToken: this._currentUser.idToken
     };
+    this._tokenListeners.forEach(l => l(tokens));
+    return tokens;
   }
   mapError(error) {
     if (error instanceof Error) {
@@ -192,7 +215,11 @@ class AuthWeb {
             const code = params.get("code");
             if (idToken) {
               this._grantedScopes = scopes;
-              localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
+              if (this._storageAdapter) {
+                this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
+              } else {
+                localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
+              }
               const user = {
                 provider: "google",
                 idToken,
@@ -264,18 +291,29 @@ class AuthWeb {
   logout() {
     this._currentUser = undefined;
     this._grantedScopes = [];
-    localStorage.removeItem(CACHE_KEY);
-    localStorage.removeItem(SCOPES_KEY);
+    this.removeFromCache(CACHE_KEY);
+    this.removeFromCache(SCOPES_KEY);
     this.notify();
   }
   updateUser(user) {
     this._currentUser = user;
-    localStorage.setItem(CACHE_KEY, JSON.stringify(user));
+    if (this._storageAdapter) {
+      this._storageAdapter.save(CACHE_KEY, JSON.stringify(user));
+    } else {
+      localStorage.setItem(CACHE_KEY, JSON.stringify(user));
+    }
     this.notify();
   }
   setLoggingEnabled(enabled) {
     _logger.logger.setEnabled(enabled);
   }
+  setStorageAdapter(adapter) {
+    this._storageAdapter = adapter;
+    if (adapter) {
+      this.loadFromCache();
+      this.notify();
+    }
+  }
   name = "Auth";
   dispose() {}
   equals(other) {