react-native-nitro-auth 0.4.0 → 0.5.1

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -1,7 +1,11 @@
+@file:Suppress("DEPRECATION")
+
 package com.auth
 
 import android.content.Context
+import android.content.SharedPreferences
 import android.os.Bundle
+import android.os.Build
 import android.util.Log
 import com.google.android.gms.auth.api.signin.GoogleSignIn
 import com.google.android.gms.auth.api.signin.GoogleSignInAccount
@@ -20,15 +24,74 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import android.app.Activity
 import android.app.Application
+import android.content.Intent
+import android.net.Uri
+import androidx.browser.customtabs.CustomTabsIntent
+import androidx.security.crypto.EncryptedSharedPreferences
+import androidx.security.crypto.MasterKeys
+import java.util.UUID
+import org.json.JSONArray
+import org.json.JSONObject
+import android.util.Base64
 
 object AuthAdapter {
     private const val TAG = "AuthAdapter"
     private const val PREF_NAME = "nitro_auth"
+    private const val SECURE_PREF_NAME = "nitro_auth_secure"
     
     private var appContext: Context? = null
     private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var pendingScopes: List<String> = emptyList()
+    private var pendingMicrosoftScopes: List<String> = emptyList()
+    
+    private var pendingPkceVerifier: String? = null
+    private var pendingState: String? = null
+    private var pendingNonce: String? = null
+    private var pendingMicrosoftTenant: String? = null
+    private var pendingMicrosoftClientId: String? = null
+    private var pendingMicrosoftB2cDomain: String? = null
+
+    private fun getPrefs(context: Context): SharedPreferences {
+        return try {
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
+                val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
+                val securePrefs = EncryptedSharedPreferences.create(
+                    SECURE_PREF_NAME,
+                    masterKeyAlias,
+                    context,
+                    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+                    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
+                )
+                migrateLegacyPrefsIfNeeded(context, securePrefs)
+                securePrefs
+            } else {
+                context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+            }
+        } catch (e: Exception) {
+            Log.w(TAG, "Failed to initialize encrypted storage, falling back to SharedPreferences", e)
+            context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+        }
+    }
+
+    private fun migrateLegacyPrefsIfNeeded(context: Context, securePrefs: SharedPreferences) {
+        val legacyPrefs = context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+        if (legacyPrefs.all.isEmpty() || securePrefs.all.isNotEmpty()) {
+            return
+        }
+        val editor = securePrefs.edit()
+        for ((key, value) in legacyPrefs.all) {
+            when (value) {
+                is String -> editor.putString(key, value)
+                is Boolean -> editor.putBoolean(key, value)
+                is Int -> editor.putInt(key, value)
+                is Long -> editor.putLong(key, value)
+                is Float -> editor.putFloat(key, value)
+            }
+        }
+        editor.apply()
+        legacyPrefs.edit().clear().apply()
+    }
 
     @JvmStatic
     private external fun nativeInitialize(context: Context)
@@ -96,12 +159,28 @@ object AuthAdapter {
     }
 
     @JvmStatic
-    fun loginSync(context: Context, provider: String, googleClientId: String?, scopes: Array<String>?, loginHint: String?, useOneTap: Boolean, forceAccountPicker: Boolean = false) {
+    fun loginSync(
+        context: Context,
+        provider: String,
+        googleClientId: String?,
+        scopes: Array<String>?,
+        loginHint: String?,
+        useOneTap: Boolean,
+        forceAccountPicker: Boolean = false,
+        useLegacyGoogleSignIn: Boolean = false,
+        tenant: String? = null,
+        prompt: String? = null
+    ) {
         if (provider == "apple") {
             nativeOnLoginError("unsupported_provider", "Apple Sign-In is not supported on Android.")
             return
         }
 
+        if (provider == "microsoft") {
+            loginMicrosoft(context, scopes, loginHint, tenant, prompt)
+            return
+        }
+
         if (provider != "google") {
             nativeOnLoginError("unsupported_provider", "Unsupported provider: $provider")
             return
@@ -117,27 +196,311 @@ object AuthAdapter {
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
         pendingScopes = requestedScopes
 
-        if (useOneTap && !forceAccountPicker) {
-            loginOneTap(context, clientId, requestedScopes)
+        if (useLegacyGoogleSignIn) {
+            loginLegacy(context, clientId, requestedScopes, loginHint, forceAccountPicker)
+            return
+        }
+
+        loginOneTap(context, clientId, requestedScopes, loginHint, forceAccountPicker, useOneTap)
+    }
+
+    private fun loginMicrosoft(context: Context, scopes: Array<String>?, loginHint: String?, tenant: String?, prompt: String?) {
+        val ctx = appContext ?: context.applicationContext
+        val clientId = getMicrosoftClientIdFromResources(ctx)
+        if (clientId == null) {
+            nativeOnLoginError("configuration_error", "Microsoft Client ID is required. Set it in app.json plugins.")
+            return
+        }
+
+        val effectiveTenant = tenant ?: getMicrosoftTenantFromResources(ctx) ?: "common"
+        val effectiveScopes = scopes?.toList() ?: listOf("openid", "email", "profile", "offline_access", "User.Read")
+        val effectivePrompt = prompt ?: "select_account"
+        pendingMicrosoftScopes = effectiveScopes
+
+        val codeVerifier = generateCodeVerifier()
+        val codeChallenge = generateCodeChallenge(codeVerifier)
+        val state = UUID.randomUUID().toString()
+        val nonce = UUID.randomUUID().toString()
+        pendingPkceVerifier = codeVerifier
+        pendingState = state
+        pendingNonce = nonce
+        pendingMicrosoftTenant = effectiveTenant
+        pendingMicrosoftClientId = clientId
+
+        val b2cDomain = getMicrosoftB2cDomainFromResources(ctx)
+        pendingMicrosoftB2cDomain = b2cDomain
+        val authBaseUrl = getMicrosoftAuthBaseUrl(effectiveTenant, b2cDomain)
+        val redirectUri = "msauth://${ctx.packageName}/${clientId}"
+
+        val authUrl = Uri.parse("${authBaseUrl}oauth2/v2.0/authorize").buildUpon()
+            .appendQueryParameter("client_id", clientId)
+            .appendQueryParameter("redirect_uri", redirectUri)
+            .appendQueryParameter("response_type", "code")
+            .appendQueryParameter("response_mode", "query")
+            .appendQueryParameter("scope", effectiveScopes.joinToString(" "))
+            .appendQueryParameter("state", state)
+            .appendQueryParameter("nonce", nonce)
+            .appendQueryParameter("code_challenge", codeChallenge)
+            .appendQueryParameter("code_challenge_method", "S256")
+            .appendQueryParameter("prompt", effectivePrompt)
+            .apply { if (loginHint != null) appendQueryParameter("login_hint", loginHint) }
+            .build()
+
+        try {
+            val activity = currentActivity
+            if (activity != null) {
+                val customTabsIntent = CustomTabsIntent.Builder().build()
+                customTabsIntent.launchUrl(activity, authUrl)
+            } else {
+                val browserIntent = Intent(Intent.ACTION_VIEW, authUrl)
+                browserIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
+                ctx.startActivity(browserIntent)
+            }
+        } catch (e: Exception) {
+            nativeOnLoginError("unknown", e.message)
+        }
+    }
+
+    private fun generateCodeVerifier(): String {
+        val bytes = ByteArray(32)
+        java.security.SecureRandom().nextBytes(bytes)
+        return Base64.encodeToString(bytes, Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP)
+    }
+
+    private fun generateCodeChallenge(verifier: String): String {
+        val bytes = java.security.MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII))
+        return Base64.encodeToString(bytes, Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP)
+    }
+
+    @JvmStatic
+    fun handleMicrosoftRedirect(uri: Uri) {
+        val code = uri.getQueryParameter("code")
+        val state = uri.getQueryParameter("state")
+        val error = uri.getQueryParameter("error")
+        val errorDescription = uri.getQueryParameter("error_description")
+
+        if (error != null) {
+            clearPkceState()
+            nativeOnLoginError(error, errorDescription)
+            return
+        }
+
+        if (state != pendingState) {
+            clearPkceState()
+            nativeOnLoginError("invalid_state", "State mismatch - possible CSRF attack")
+            return
+        }
+
+        if (code == null) {
+            clearPkceState()
+            nativeOnLoginError("unknown", "No authorization code in response")
+            return
+        }
+
+        exchangeCodeForTokens(code)
+    }
+
+    private fun exchangeCodeForTokens(code: String) {
+        val ctx = appContext
+        val clientId = pendingMicrosoftClientId
+        val tenant = pendingMicrosoftTenant
+        val verifier = pendingPkceVerifier
+
+        if (ctx == null || clientId == null || tenant == null || verifier == null) {
+            clearPkceState()
+            nativeOnLoginError("invalid_state", "Missing PKCE state for token exchange")
+            return
+        }
+
+        val redirectUri = "msauth://${ctx.packageName}/${clientId}"
+        val authBaseUrl = getMicrosoftAuthBaseUrl(tenant, pendingMicrosoftB2cDomain)
+        val tokenUrl = "${authBaseUrl}oauth2/v2.0/token"
+
+        CoroutineScope(Dispatchers.IO).launch {
+            try {
+                val url = java.net.URL(tokenUrl)
+                val connection = url.openConnection() as java.net.HttpURLConnection
+                connection.requestMethod = "POST"
+                connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
+                connection.doOutput = true
+
+                val postData = buildString {
+                    append("client_id=${java.net.URLEncoder.encode(clientId, "UTF-8")}")
+                    append("&code=${java.net.URLEncoder.encode(code, "UTF-8")}")
+                    append("&redirect_uri=${java.net.URLEncoder.encode(redirectUri, "UTF-8")}")
+                    append("&grant_type=authorization_code")
+                    append("&code_verifier=${java.net.URLEncoder.encode(verifier, "UTF-8")}")
+                }
+
+                connection.outputStream.use { it.write(postData.toByteArray()) }
+
+                val responseCode = connection.responseCode
+                val responseBody = if (responseCode == 200) {
+                    connection.inputStream.bufferedReader().readText()
+                } else {
+                    connection.errorStream?.bufferedReader()?.readText() ?: ""
+                }
+
+                CoroutineScope(Dispatchers.Main).launch {
+                    handleTokenResponse(responseCode, responseBody)
+                }
+            } catch (e: Exception) {
+                CoroutineScope(Dispatchers.Main).launch {
+                    clearPkceState()
+                    nativeOnLoginError("network_error", e.message)
+                }
+            }
+        }
+    }
+
+    private fun handleTokenResponse(responseCode: Int, responseBody: String) {
+        if (responseCode != 200) {
+            try {
+                val json = JSONObject(responseBody)
+                val error = json.optString("error", "token_error")
+                val desc = json.optString("error_description", "Failed to exchange code for tokens")
+                clearPkceState()
+                nativeOnLoginError(error, desc)
+            } catch (e: Exception) {
+                clearPkceState()
+                nativeOnLoginError("token_error", "Failed to exchange code for tokens")
+            }
+            return
+        }
+
+        try {
+            val json = JSONObject(responseBody)
+            val idToken = json.optString("id_token")
+            val accessToken = json.optString("access_token")
+            val refreshToken = json.optString("refresh_token")
+            val expiresIn = json.optLong("expires_in", 0)
+            val expirationTime = if (expiresIn > 0) System.currentTimeMillis() + expiresIn * 1000 else null
+
+            if (idToken.isEmpty()) {
+                clearPkceState()
+                nativeOnLoginError("no_id_token", "No id_token in token response")
+                return
+            }
+
+            val claims = decodeJwt(idToken)
+            val tokenNonce = claims["nonce"]
+            if (tokenNonce != pendingNonce) {
+                clearPkceState()
+                nativeOnLoginError("invalid_nonce", "Nonce mismatch - token may be replayed")
+                return
+            }
+
+            val email = claims["preferred_username"] ?: claims["email"]
+            val name = claims["name"]
+
+            val ctx = appContext
+            if (ctx != null) {
+                saveUser(ctx, "microsoft", email, name, null, idToken, refreshToken, pendingMicrosoftScopes)
+                if (refreshToken.isNotEmpty()) {
+                    saveMicrosoftRefreshToken(ctx, refreshToken)
+                }
+            }
+
+            clearPkceState()
+            nativeOnLoginSuccess(
+                "microsoft",
+                email,
+                name,
+                null,
+                idToken,
+                accessToken,
+                null,
+                pendingMicrosoftScopes.toTypedArray(),
+                expirationTime
+            )
+        } catch (e: Exception) {
+            clearPkceState()
+            nativeOnLoginError("parse_error", e.message)
+        }
+    }
+
+    private fun saveMicrosoftRefreshToken(context: Context, refreshToken: String) {
+        val prefs = getPrefs(context)
+        prefs.edit().putString("microsoft_refresh_token", refreshToken).apply()
+    }
+
+    private fun getMicrosoftRefreshToken(context: Context): String? {
+        val prefs = getPrefs(context)
+        return prefs.getString("microsoft_refresh_token", null)
+    }
+
+    private fun clearPkceState() {
+        pendingPkceVerifier = null
+        pendingState = null
+        pendingNonce = null
+        pendingMicrosoftTenant = null
+        pendingMicrosoftClientId = null
+        pendingMicrosoftB2cDomain = null
+    }
+
+    private fun decodeJwt(token: String): Map<String, String> {
+        return try {
+            val parts = token.split(".")
+            if (parts.size < 2) return emptyMap()
+            val payload = String(Base64.decode(parts[1], Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP))
+            val json = JSONObject(payload)
+            val result = mutableMapOf<String, String>()
+            json.keys().forEach { key ->
+                val value = json.optString(key)
+                if (value.isNotEmpty()) result[key] = value
+            }
+            result
+        } catch (e: Exception) {
+            emptyMap()
+        }
+    }
+
+    private fun getMicrosoftClientIdFromResources(context: Context): String? {
+        val resId = context.resources.getIdentifier("nitro_auth_microsoft_client_id", "string", context.packageName)
+        return if (resId != 0) context.getString(resId) else null
+    }
+
+    private fun getMicrosoftTenantFromResources(context: Context): String? {
+        val resId = context.resources.getIdentifier("nitro_auth_microsoft_tenant", "string", context.packageName)
+        return if (resId != 0) context.getString(resId) else null
+    }
+
+    private fun getMicrosoftB2cDomainFromResources(context: Context): String? {
+        val resId = context.resources.getIdentifier("nitro_auth_microsoft_b2c_domain", "string", context.packageName)
+        return if (resId != 0) context.getString(resId) else null
+    }
+
+    private fun getMicrosoftAuthBaseUrl(tenant: String, b2cDomain: String?): String {
+        if (tenant.startsWith("https://")) {
+            return if (tenant.endsWith("/")) tenant else "$tenant/"
+        }
+        
+        return if (b2cDomain != null) {
+            "https://$b2cDomain/tfp/$tenant/"
         } else {
-            val intent = GoogleSignInActivity.createIntent(ctx, clientId, requestedScopes.toTypedArray(), loginHint, forceAccountPicker)
-            intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
-            ctx.startActivity(intent)
+            "https://login.microsoftonline.com/$tenant/"
         }
     }
 
-    private fun loginOneTap(context: Context, clientId: String, scopes: List<String>) {
+    private fun loginOneTap(
+        context: Context,
+        clientId: String,
+        scopes: List<String>,
+        loginHint: String?,
+        forceAccountPicker: Boolean,
+        useOneTap: Boolean
+    ) {
         val activity = currentActivity ?: context as? Activity
         if (activity == null) {
             Log.w(TAG, "No Activity context available for One-Tap, falling back to legacy")
-            return loginLegacy(context, clientId, scopes)
+            return loginLegacy(context, clientId, scopes, loginHint, forceAccountPicker)
         }
         
         val credentialManager = CredentialManager.create(activity)
         val googleIdOption = GetGoogleIdOption.Builder()
             .setFilterByAuthorizedAccounts(false)
             .setServerClientId(clientId)
-            .setAutoSelectEnabled(false)
+            .setAutoSelectEnabled(useOneTap && !forceAccountPicker)
             .build()
 
         val request = GetCredentialRequest.Builder()
@@ -150,14 +513,26 @@ object AuthAdapter {
                 handleCredentialResponse(result, scopes)
             } catch (e: Exception) {
                 Log.w(TAG, "One-Tap failed, falling back to legacy: ${e.message}")
-                loginLegacy(context, clientId, scopes)
+                loginLegacy(context, clientId, scopes, loginHint, forceAccountPicker)
             }
         }
     }
 
-    private fun loginLegacy(context: Context, clientId: String, scopes: List<String>) {
+    private fun loginLegacy(
+        context: Context,
+        clientId: String,
+        scopes: List<String>,
+        loginHint: String?,
+        forceAccountPicker: Boolean
+    ) {
         val ctx = appContext ?: context.applicationContext
-        val intent = GoogleSignInActivity.createIntent(ctx, clientId, scopes.toTypedArray(), null)
+        val intent = GoogleSignInActivity.createIntent(
+            ctx,
+            clientId,
+            scopes.toTypedArray(),
+            loginHint,
+            forceAccountPicker
+        )
         intent.addFlags(android.content.Intent.FLAG_ACTIVITY_NEW_TASK)
         ctx.startActivity(intent)
     }
@@ -199,58 +574,72 @@ object AuthAdapter {
     fun requestScopesSync(context: Context, scopes: Array<String>) {
         val ctx = appContext ?: context.applicationContext
         val account = GoogleSignIn.getLastSignedInAccount(ctx)
-        if (account == null) {
-            nativeOnLoginError("unknown", "No user logged in")
-            return
-        }
-
-        val newScopes = scopes.map { Scope(it) }
-        if (GoogleSignIn.hasPermissions(account, *newScopes.toTypedArray())) {
-            onSignInSuccess(account, (pendingScopes + scopes.toList()).distinct())
+        if (account != null) {
+            val newScopes = scopes.map { Scope(it) }
+            if (GoogleSignIn.hasPermissions(account, *newScopes.toTypedArray())) {
+                onSignInSuccess(account, (pendingScopes + scopes.toList()).distinct())
+                return
+            }
+            val clientId = getClientIdFromResources(ctx)
+            if (clientId == null) {
+                nativeOnLoginError("configuration_error", "Google Client ID not configured")
+                return
+            }
+            val allScopes = (pendingScopes + scopes.toList()).distinct()
+            val intent = GoogleSignInActivity.createIntent(ctx, clientId, allScopes.toTypedArray(), account.email)
+            ctx.startActivity(intent)
             return
         }
-
-        val clientId = getClientIdFromResources(ctx)
-        if (clientId == null) {
-            nativeOnLoginError("configuration_error", "Google Client ID not configured")
+        val userJson = getUserJson(ctx)
+        if (userJson != null && userJson.contains("\"provider\":\"microsoft\"")) {
+            val currentScopes = extractScopesFromUserJson(userJson)
+            val defaultMicrosoftScopes = listOf("openid", "email", "profile", "offline_access", "User.Read")
+            val existing = if (currentScopes.isEmpty()) defaultMicrosoftScopes else currentScopes
+            val mergedScopes = (existing + scopes.toList()).distinct()
+            val tenant = getMicrosoftTenantFromResources(ctx)
+            loginMicrosoft(ctx, mergedScopes.toTypedArray(), null, tenant, null)
             return
         }
-
-        val allScopes = (pendingScopes + scopes.toList()).distinct()
-        val intent = GoogleSignInActivity.createIntent(ctx, clientId, allScopes.toTypedArray(), account.email)
-        ctx.startActivity(intent)
+        nativeOnLoginError("unknown", "No user logged in")
     }
 
     @JvmStatic
     fun refreshTokenSync(context: Context) {
         val ctx = appContext ?: context.applicationContext
-        if (googleSignInClient == null) {
-            val account = GoogleSignIn.getLastSignedInAccount(ctx)
-            if (account == null) {
-                nativeOnRefreshError("unknown", "No user logged in")
-                return
+        val account = GoogleSignIn.getLastSignedInAccount(ctx)
+        if (account != null) {
+            if (googleSignInClient == null) {
+                val clientId = getClientIdFromResources(ctx)
+                if (clientId == null) {
+                    nativeOnRefreshError("configuration_error", "Google Client ID not configured")
+                    return
+                }
+                val gso = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
+                    .requestIdToken(clientId)
+                    .requestServerAuthCode(clientId)
+                    .requestEmail()
+                    .build()
+                googleSignInClient = GoogleSignIn.getClient(ctx, gso)
             }
-            val clientId = getClientIdFromResources(ctx)
-            if (clientId == null) {
-                nativeOnRefreshError("configuration_error", "Google Client ID not configured")
-                return
+            googleSignInClient!!.silentSignIn().addOnCompleteListener { task ->
+                if (task.isSuccessful) {
+                    val acc = task.result
+                    nativeOnRefreshSuccess(acc?.idToken, null, null)
+                } else {
+                    nativeOnRefreshError("network_error", task.exception?.message ?: "Silent sign-in failed")
+                }
             }
-            val gso = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
-                .requestIdToken(clientId)
-                .requestServerAuthCode(clientId)
-                .requestEmail()
-                .build()
-            googleSignInClient = GoogleSignIn.getClient(ctx, gso)
+            return
         }
-
-        googleSignInClient!!.silentSignIn().addOnCompleteListener { task ->
-            if (task.isSuccessful) {
-                val account = task.result
-                nativeOnRefreshSuccess(account?.idToken, null, null)
-            } else {
-                nativeOnRefreshError("network_error", task.exception?.message ?: "Silent sign-in failed")
+        val userJson = getUserJson(ctx)
+        if (userJson != null && userJson.contains("\"provider\":\"microsoft\"")) {
+            val refreshToken = getMicrosoftRefreshToken(ctx)
+            if (refreshToken != null) {
+                refreshMicrosoftTokenForRefresh(ctx, refreshToken)
+                return
             }
         }
+        nativeOnRefreshError("unknown", "No user logged in")
     }
 
     @JvmStatic
@@ -298,19 +687,19 @@ object AuthAdapter {
 
     @JvmStatic
     fun getUserJson(context: Context): String? {
-        val pref = context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+        val pref = getPrefs(context)
         return pref.getString("user_json", null)
     }
 
     @JvmStatic
     fun setUserJson(context: Context, json: String) {
-        val pref = context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+        val pref = getPrefs(context)
         pref.edit().putString("user_json", json).apply()
     }
 
     @JvmStatic
     fun clearUser(context: Context) {
-        val pref = context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
+        val pref = getPrefs(context)
         pref.edit().clear().apply()
     }
 
@@ -325,42 +714,201 @@ object AuthAdapter {
         } else {
             val json = getUserJson(ctx)
             if (json != null) {
-                val provider = if (json.contains("\"provider\":\"google\"")) "google" else "apple"
-                val email = extractJsonValue(json, "email")
-                val name = extractJsonValue(json, "name")
-                val photo = extractJsonValue(json, "photo")
-                val idToken = extractJsonValue(json, "idToken")
-                val serverAuthCode = extractJsonValue(json, "serverAuthCode")
-                nativeOnLoginSuccess(provider, email, name, photo, idToken, null, serverAuthCode, null, null)
+                val provider = try {
+                    val parsed = JSONObject(json)
+                    parsed.optString("provider")
+                } catch (_: Exception) {
+                    ""
+                }
+                val effectiveProvider = when (provider) {
+                    "google" -> "google"
+                    "microsoft" -> "microsoft"
+                    "apple" -> "apple"
+                    else -> "apple"
+                }
+                
+                if (effectiveProvider == "microsoft") {
+                    val refreshToken = getMicrosoftRefreshToken(ctx)
+                    if (refreshToken != null) {
+                        refreshMicrosoftToken(ctx, refreshToken)
+                    } else {
+                        val email = extractJsonValue(json, "email")
+                        val name = extractJsonValue(json, "name")
+                        val idToken = extractJsonValue(json, "idToken")
+                        nativeOnLoginSuccess(effectiveProvider, email, name, null, idToken, null, null, null, null)
+                    }
+                } else {
+                    val email = extractJsonValue(json, "email")
+                    val name = extractJsonValue(json, "name")
+                    val photo = extractJsonValue(json, "photo")
+                    val idToken = extractJsonValue(json, "idToken")
+                    val serverAuthCode = extractJsonValue(json, "serverAuthCode")
+                    nativeOnLoginSuccess(effectiveProvider, email, name, photo, idToken, null, serverAuthCode, null, null)
+                }
             } else {
                 nativeOnLoginError("unknown", "No session")
             }
         }
     }
 
+    private fun refreshMicrosoftToken(context: Context, refreshToken: String) {
+        val clientId = getMicrosoftClientIdFromResources(context)
+        val tenant = getMicrosoftTenantFromResources(context) ?: "common"
+        val b2cDomain = getMicrosoftB2cDomainFromResources(context)
+        
+        if (clientId == null) {
+            nativeOnLoginError("configuration_error", "Microsoft Client ID is required for refresh")
+            return
+        }
+
+        val authBaseUrl = getMicrosoftAuthBaseUrl(tenant, b2cDomain)
+        val tokenUrl = "${authBaseUrl}oauth2/v2.0/token"
+
+        CoroutineScope(Dispatchers.IO).launch {
+            try {
+                val url = java.net.URL(tokenUrl)
+                val connection = url.openConnection() as java.net.HttpURLConnection
+                connection.requestMethod = "POST"
+                connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
+                connection.doOutput = true
+
+                val postData = buildString {
+                    append("client_id=${java.net.URLEncoder.encode(clientId, "UTF-8")}")
+                    append("&grant_type=refresh_token")
+                    append("&refresh_token=${java.net.URLEncoder.encode(refreshToken, "UTF-8")}")
+                }
+
+                connection.outputStream.use { it.write(postData.toByteArray()) }
+
+                val responseCode = connection.responseCode
+                val responseBody = if (responseCode == 200) {
+                    connection.inputStream.bufferedReader().readText()
+                } else {
+                    connection.errorStream?.bufferedReader()?.readText() ?: ""
+                }
+
+                CoroutineScope(Dispatchers.Main).launch {
+                    if (responseCode == 200) {
+                        val json = JSONObject(responseBody)
+                        val newIdToken = json.optString("id_token")
+                        val newAccessToken = json.optString("access_token")
+                        val newRefreshToken = json.optString("refresh_token")
+                        val expiresIn = json.optLong("expires_in", 0)
+                        val expirationTime = if (expiresIn > 0) System.currentTimeMillis() + expiresIn * 1000 else null
+
+                        val claims = decodeJwt(newIdToken)
+                        val email = claims["preferred_username"] ?: claims["email"]
+                        val name = claims["name"]
+
+                        if (newRefreshToken.isNotEmpty()) {
+                            saveMicrosoftRefreshToken(context, newRefreshToken)
+                        }
+                        saveUser(context, "microsoft", email, name, null, newIdToken, newRefreshToken, null)
+
+                        nativeOnLoginSuccess("microsoft", email, name, null, newIdToken, newAccessToken, null, null, expirationTime)
+                    } else {
+                        nativeOnLoginError("refresh_failed", "Microsoft token refresh failed")
+                    }
+                }
+            } catch (e: Exception) {
+                CoroutineScope(Dispatchers.Main).launch {
+                    nativeOnLoginError("network_error", e.message)
+                }
+            }
+        }
+    }
+
+    private fun refreshMicrosoftTokenForRefresh(context: Context, refreshToken: String) {
+        val clientId = getMicrosoftClientIdFromResources(context)
+        val tenant = getMicrosoftTenantFromResources(context) ?: "common"
+        val b2cDomain = getMicrosoftB2cDomainFromResources(context)
+        if (clientId == null) {
+            nativeOnRefreshError("configuration_error", "Microsoft Client ID not configured")
+            return
+        }
+        val authBaseUrl = getMicrosoftAuthBaseUrl(tenant, b2cDomain)
+        val tokenUrl = "${authBaseUrl}oauth2/v2.0/token"
+        CoroutineScope(Dispatchers.IO).launch {
+            try {
+                val url = java.net.URL(tokenUrl)
+                val connection = url.openConnection() as java.net.HttpURLConnection
+                connection.requestMethod = "POST"
+                connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
+                connection.doOutput = true
+                val postData = buildString {
+                    append("client_id=${java.net.URLEncoder.encode(clientId, "UTF-8")}")
+                    append("&grant_type=refresh_token")
+                    append("&refresh_token=${java.net.URLEncoder.encode(refreshToken, "UTF-8")}")
+                }
+                connection.outputStream.use { it.write(postData.toByteArray()) }
+                val responseCode = connection.responseCode
+                val responseBody = if (responseCode == 200) {
+                    connection.inputStream.bufferedReader().readText()
+                } else {
+                    connection.errorStream?.bufferedReader()?.readText() ?: ""
+                }
+                CoroutineScope(Dispatchers.Main).launch {
+                    if (responseCode == 200) {
+                        val json = JSONObject(responseBody)
+                        val newIdToken = json.optString("id_token")
+                        val newAccessToken = json.optString("access_token")
+                        val newRefreshToken = json.optString("refresh_token")
+                        val expiresIn = json.optLong("expires_in", 0)
+                        val expirationTime = if (expiresIn > 0) System.currentTimeMillis() + expiresIn * 1000 else null
+                        val claims = decodeJwt(newIdToken)
+                        val email = claims["preferred_username"] ?: claims["email"]
+                        val name = claims["name"]
+                        if (newRefreshToken.isNotEmpty()) {
+                            saveMicrosoftRefreshToken(context, newRefreshToken)
+                        }
+                        saveUser(context, "microsoft", email, name, null, newIdToken, newRefreshToken, null)
+                        nativeOnRefreshSuccess(
+                            newIdToken.ifEmpty { null },
+                            newAccessToken.ifEmpty { null },
+                            expirationTime
+                        )
+                    } else {
+                        nativeOnRefreshError("refresh_failed", "Microsoft token refresh failed")
+                    }
+                }
+            } catch (e: Exception) {
+                CoroutineScope(Dispatchers.Main).launch {
+                    nativeOnRefreshError("network_error", e.message)
+                }
+            }
+        }
+    }
+
     private fun extractJsonValue(json: String, key: String): String? {
-        val pattern = "\"$key\":\"([^\"]*)\""
-        val regex = Regex(pattern)
-        return regex.find(json)?.groupValues?.get(1)
+        return try {
+            val value = JSONObject(json).optString(key, "")
+            if (value.isEmpty()) null else value
+        } catch (_: Exception) {
+            null
+        }
+    }
+
+    private fun extractScopesFromUserJson(json: String): List<String> {
+        return try {
+            val jsonObj = JSONObject(json)
+            val arr = jsonObj.optJSONArray("scopes") ?: return emptyList()
+            (0 until arr.length()).mapNotNull { i -> arr.optString(i).takeIf { it.isNotEmpty() } }
+        } catch (_: Exception) {
+            emptyList()
+        }
     }
 
     private fun saveUser(context: Context, provider: String, email: String?, name: String?, 
                           photo: String?, idToken: String?, serverAuthCode: String?, scopes: List<String>?) {
-        val pref = context.getSharedPreferences(PREF_NAME, Context.MODE_PRIVATE)
-        val json = StringBuilder()
-        json.append("{")
-        json.append("\"provider\":\"$provider\"")
-        if (email != null) json.append(",\"email\":\"$email\"")
-        if (name != null) json.append(",\"name\":\"$name\"")
-        if (photo != null) json.append(",\"photo\":\"$photo\"")
-        if (idToken != null) json.append(",\"idToken\":\"$idToken\"")
-        if (serverAuthCode != null) json.append(",\"serverAuthCode\":\"$serverAuthCode\"")
-        if (scopes != null) {
-            json.append(",\"scopes\":[")
-            json.append(scopes.joinToString(",") { "\"$it\"" })
-            json.append("]")
-        }
-        json.append("}")
+        val pref = getPrefs(context)
+        val json = JSONObject()
+        json.put("provider", provider)
+        if (email != null) json.put("email", email)
+        if (name != null) json.put("name", name)
+        if (photo != null) json.put("photo", photo)
+        if (idToken != null) json.put("idToken", idToken)
+        if (serverAuthCode != null) json.put("serverAuthCode", serverAuthCode)
+        if (scopes != null) json.put("scopes", JSONArray(scopes))
         pref.edit().putString("user_json", json.toString()).apply()
     }
 }