react-native-nitro-auth 0.5.1 → 0.5.3

package/src/Auth.web.ts

@@ -5,13 +5,31 @@ import type {
   LoginOptions,
   AuthTokens,
 } from "./Auth.nitro";
-import type { AuthStorageAdapter } from "./AuthStorage.nitro";
+import type { JSStorageAdapter } from "./js-storage-adapter";
 import { logger } from "./utils/logger";
 
 const CACHE_KEY = "nitro_auth_user";
 const SCOPES_KEY = "nitro_auth_scopes";
+const MS_REFRESH_TOKEN_KEY = "nitro_auth_microsoft_refresh_token";
 const DEFAULT_SCOPES = ["openid", "email", "profile"];
 const MS_DEFAULT_SCOPES = ["openid", "email", "profile", "User.Read"];
+const STORAGE_MODE_SESSION = "session";
+const STORAGE_MODE_LOCAL = "local";
+const STORAGE_MODE_MEMORY = "memory";
+const POPUP_POLL_INTERVAL_MS = 100;
+const POPUP_TIMEOUT_MS = 120000;
+const WEB_STORAGE_MODES = new Set([
+  STORAGE_MODE_SESSION,
+  STORAGE_MODE_LOCAL,
+  STORAGE_MODE_MEMORY,
+] as const);
+const inMemoryWebStorage = new Map<string, string>();
+
+type WebStorageDriver = {
+  save(key: string, value: string): void;
+  load(key: string): string | undefined;
+  remove(key: string): void;
+};
 
 type AppleAuthResponse = {
   authorization: {
@@ -26,11 +44,123 @@ type AppleAuthResponse = {
   };
 };
 
-const getConfig = () => {
+type AuthWebExtraConfig = {
+  googleWebClientId?: string;
+  microsoftClientId?: string;
+  microsoftTenant?: string;
+  microsoftB2cDomain?: string;
+  appleWebClientId?: string;
+  nitroAuthWebStorage?: "session" | "local" | "memory";
+  nitroAuthPersistTokensOnWeb?: boolean;
+};
+
+type JsonObject = Record<string, unknown>;
+
+class AuthWebError extends Error {
+  public readonly underlyingError?: string;
+
+  constructor(message: string, underlyingError?: string) {
+    super(message);
+    this.name = "AuthWebError";
+    this.underlyingError = underlyingError;
+  }
+}
+
+const isJsonObject = (value: unknown): value is JsonObject =>
+  typeof value === "object" && value !== null;
+
+const isAuthProvider = (value: unknown): value is AuthProvider =>
+  value === "google" || value === "apple" || value === "microsoft";
+
+const getOptionalString = (
+  source: JsonObject,
+  key: string,
+): string | undefined => {
+  const candidate = source[key];
+  return typeof candidate === "string" ? candidate : undefined;
+};
+
+const getOptionalNumber = (
+  source: JsonObject,
+  key: string,
+): number | undefined => {
+  const candidate = source[key];
+  return typeof candidate === "number" ? candidate : undefined;
+};
+
+const parseAuthUser = (value: unknown): AuthUser | undefined => {
+  if (!isJsonObject(value) || !isAuthProvider(value.provider)) {
+    return undefined;
+  }
+
+  const scopesCandidate = value.scopes;
+  const scopes = Array.isArray(scopesCandidate)
+    ? scopesCandidate.filter(
+        (scope): scope is string => typeof scope === "string",
+      )
+    : undefined;
+
+  return {
+    provider: value.provider,
+    email: getOptionalString(value, "email"),
+    name: getOptionalString(value, "name"),
+    photo: getOptionalString(value, "photo"),
+    idToken: getOptionalString(value, "idToken"),
+    accessToken: getOptionalString(value, "accessToken"),
+    refreshToken: getOptionalString(value, "refreshToken"),
+    serverAuthCode: getOptionalString(value, "serverAuthCode"),
+    scopes,
+    expirationTime: getOptionalNumber(value, "expirationTime"),
+    underlyingError: getOptionalString(value, "underlyingError"),
+  };
+};
+
+const parseScopes = (value: unknown): string[] | undefined => {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+
+  return value.filter((scope): scope is string => typeof scope === "string");
+};
+
+const parseAuthWebExtraConfig = (value: unknown): AuthWebExtraConfig => {
+  if (!isJsonObject(value)) {
+    return {};
+  }
+
+  const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
+  const nitroAuthWebStorage =
+    nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION ||
+    nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL ||
+    nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY
+      ? nitroAuthWebStorageCandidate
+      : undefined;
+
+  return {
+    googleWebClientId: getOptionalString(value, "googleWebClientId"),
+    microsoftClientId: getOptionalString(value, "microsoftClientId"),
+    microsoftTenant: getOptionalString(value, "microsoftTenant"),
+    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
+    appleWebClientId: getOptionalString(value, "appleWebClientId"),
+    nitroAuthWebStorage,
+    nitroAuthPersistTokensOnWeb:
+      typeof value.nitroAuthPersistTokensOnWeb === "boolean"
+        ? value.nitroAuthPersistTokensOnWeb
+        : undefined,
+  };
+};
+
+const getConfig = (): AuthWebExtraConfig => {
   try {
     const Constants = require("expo-constants").default;
-    return Constants.expoConfig?.extra || {};
-  } catch {
+    return parseAuthWebExtraConfig(Constants.expoConfig?.extra);
+  } catch (error) {
+    logger.debug(
+      "expo-constants unavailable on web, falling back to defaults",
+      {
+        error: String(error),
+      },
+    );
     return {};
   }
 };
@@ -40,44 +170,223 @@ class AuthWeb implements Auth {
   private _grantedScopes: string[] = [];
   private _listeners: ((user: AuthUser | undefined) => void)[] = [];
   private _tokenListeners: ((tokens: AuthTokens) => void)[] = [];
-  private _storageAdapter: AuthStorageAdapter | undefined;
+  private _storageAdapter: WebStorageDriver | undefined;
 
   constructor() {
     this.loadFromCache();
   }
 
+  private isPromiseLike(value: unknown): value is PromiseLike<unknown> {
+    if (!isJsonObject(value)) {
+      return false;
+    }
+    return typeof value.then === "function";
+  }
+
+  private createWebStorageDriver(adapter: JSStorageAdapter): WebStorageDriver {
+    return {
+      save: (key, value) => {
+        const result = adapter.save(key, value);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.save must be synchronous.");
+        }
+      },
+      load: (key) => {
+        const result = adapter.load(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.load must be synchronous.");
+        }
+        return result;
+      },
+      remove: (key) => {
+        const result = adapter.remove(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error(
+            "On web, JSStorageAdapter.remove must be synchronous.",
+          );
+        }
+      },
+    };
+  }
+
+  private shouldPersistTokensInStorage(): boolean {
+    if (this._storageAdapter) {
+      return true;
+    }
+    return getConfig().nitroAuthPersistTokensOnWeb === true;
+  }
+
+  private getWebStorageMode(): "session" | "local" | "memory" {
+    const configuredMode = getConfig().nitroAuthWebStorage;
+    if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
+      return configuredMode;
+    }
+    return STORAGE_MODE_SESSION;
+  }
+
+  private getBrowserStorage(): Storage | undefined {
+    if (typeof window === "undefined") {
+      return undefined;
+    }
+
+    const mode = this.getWebStorageMode();
+    if (mode === STORAGE_MODE_MEMORY) {
+      return undefined;
+    }
+
+    const storage =
+      mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
+    try {
+      const testKey = "__nitro_auth_storage_probe__";
+      storage.setItem(testKey, "1");
+      storage.removeItem(testKey);
+      return storage;
+    } catch (error) {
+      logger.warn(
+        "Configured web storage is unavailable; using in-memory fallback",
+        {
+          mode,
+          error: String(error),
+        },
+      );
+      return undefined;
+    }
+  }
+
+  private saveValue(key: string, value: string): void {
+    if (this._storageAdapter) {
+      this._storageAdapter.save(key, value);
+      return;
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.setItem(key, value);
+      return;
+    }
+    inMemoryWebStorage.set(key, value);
+  }
+
+  private loadValue(key: string): string | undefined {
+    if (this._storageAdapter) {
+      return this._storageAdapter.load(key);
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      return storage.getItem(key) ?? undefined;
+    }
+    return inMemoryWebStorage.get(key);
+  }
+
+  private removeValue(key: string): void {
+    if (this._storageAdapter) {
+      this._storageAdapter.remove(key);
+      return;
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.removeItem(key);
+    }
+    inMemoryWebStorage.delete(key);
+  }
+
+  private removePersistedBrowserValue(key: string): void {
+    if (typeof window === "undefined") {
+      return;
+    }
+
+    try {
+      window.localStorage.removeItem(key);
+      window.sessionStorage.removeItem(key);
+    } catch (error) {
+      logger.debug("Failed to clear persisted browser value", {
+        key,
+        error: String(error),
+      });
+    }
+  }
+
+  private sanitizeUserForPersistence(user: AuthUser): AuthUser {
+    if (this.shouldPersistTokensInStorage()) {
+      return user;
+    }
+
+    const safeUser = { ...user };
+    delete safeUser.accessToken;
+    delete safeUser.idToken;
+    delete safeUser.serverAuthCode;
+    return safeUser;
+  }
+
+  private saveRefreshToken(refreshToken: string): void {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      this.saveValue(MS_REFRESH_TOKEN_KEY, refreshToken);
+      return;
+    }
+
+    // Security-first default: keep refresh tokens in-memory only on web.
+    inMemoryWebStorage.set(MS_REFRESH_TOKEN_KEY, refreshToken);
+  }
+
+  private loadRefreshToken(): string | undefined {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      return this.loadValue(MS_REFRESH_TOKEN_KEY);
+    }
+    return inMemoryWebStorage.get(MS_REFRESH_TOKEN_KEY);
+  }
+
   private loadFromCache() {
-    const cached = this._storageAdapter
-      ? this._storageAdapter.load(CACHE_KEY)
-      : localStorage.getItem(CACHE_KEY);
+    const cached = this.loadValue(CACHE_KEY);
 
     if (cached) {
       try {
-        this._currentUser = JSON.parse(cached);
-      } catch {
+        const parsedUser = parseAuthUser(JSON.parse(cached));
+        if (!parsedUser) {
+          throw new Error("Expected cached auth user to be a valid AuthUser");
+        }
+        if (this.shouldPersistTokensInStorage()) {
+          this._currentUser = parsedUser;
+        } else {
+          const safeUser = { ...parsedUser };
+          delete safeUser.accessToken;
+          delete safeUser.idToken;
+          delete safeUser.serverAuthCode;
+          this._currentUser = safeUser;
+        }
+      } catch (error) {
+        logger.warn("Failed to parse cached auth user; clearing cache", {
+          error: String(error),
+        });
         this.removeFromCache(CACHE_KEY);
       }
     }
 
-    const scopes = this._storageAdapter
-      ? this._storageAdapter.load(SCOPES_KEY)
-      : localStorage.getItem(SCOPES_KEY);
+    const scopes = this.loadValue(SCOPES_KEY);
 
     if (scopes) {
       try {
-        this._grantedScopes = JSON.parse(scopes);
-      } catch {
+        const parsedScopes = parseScopes(JSON.parse(scopes));
+        if (!parsedScopes) {
+          throw new Error("Expected cached scopes to be an array");
+        }
+        this._grantedScopes = parsedScopes;
+      } catch (error) {
+        logger.warn("Failed to parse cached scopes; clearing cache", {
+          error: String(error),
+        });
         this.removeFromCache(SCOPES_KEY);
       }
     }
+
+    if (!this.shouldPersistTokensInStorage() && !this._storageAdapter) {
+      this.removePersistedBrowserValue(MS_REFRESH_TOKEN_KEY);
+    }
   }
 
   private removeFromCache(key: string) {
-    if (this._storageAdapter) {
-      this._storageAdapter.remove(key);
-    } else {
-      localStorage.removeItem(key);
-    }
+    this.removeValue(key);
   }
 
   get currentUser(): AuthUser | undefined {
@@ -110,7 +419,9 @@ class AuthWeb implements Auth {
   }
 
   private notify() {
-    this._listeners.forEach((l) => l(this._currentUser));
+    this._listeners.forEach((l) => {
+      l(this._currentUser);
+    });
   }
 
   async login(provider: AuthProvider, options?: LoginOptions): Promise<void> {
@@ -169,14 +480,7 @@ class AuthWeb implements Auth {
     this._grantedScopes = this._grantedScopes.filter(
       (s) => !scopes.includes(s),
     );
-    if (this._storageAdapter) {
-      this._storageAdapter.save(
-        SCOPES_KEY,
-        JSON.stringify(this._grantedScopes),
-      );
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(this._grantedScopes));
     if (this._currentUser) {
       this._currentUser.scopes = this._grantedScopes;
       this.updateUser(this._currentUser);
@@ -194,16 +498,14 @@ class AuthWeb implements Auth {
     return this._currentUser?.accessToken;
   }
 
-  async refreshToken(): Promise<{ accessToken?: string; idToken?: string }> {
+  async refreshToken(): Promise<AuthTokens> {
     if (!this._currentUser) {
       throw new Error("No user logged in");
     }
 
     if (this._currentUser.provider === "microsoft") {
       logger.log("Refreshing Microsoft tokens...");
-      const refreshToken = this._storageAdapter
-        ? this._storageAdapter.load("microsoft_refresh_token")
-        : localStorage.getItem("nitro_auth_microsoft_refresh_token");
+      const refreshToken = this.loadRefreshToken();
 
       if (!refreshToken) {
         throw new Error("No refresh token available");
@@ -211,6 +513,11 @@ class AuthWeb implements Auth {
 
       const config = getConfig();
       const clientId = config.microsoftClientId;
+      if (!clientId) {
+        throw new Error(
+          "Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js",
+        );
+      }
       const tenant = config.microsoftTenant ?? "common";
       const b2cDomain = config.microsoftB2cDomain;
 
@@ -230,43 +537,52 @@ class AuthWeb implements Auth {
         body: body.toString(),
       });
 
-      const json = await response.json();
+      const json = await this.parseResponseObject(response);
       if (!response.ok) {
         throw new Error(
-          json.error_description ?? json.error ?? "Token refresh failed",
+          getOptionalString(json, "error_description") ??
+            getOptionalString(json, "error") ??
+            "Token refresh failed",
         );
       }
 
-      const idToken = json.id_token;
-      const accessToken = json.access_token;
-      const newRefreshToken = json.refresh_token;
-      const expiresIn = json.expires_in;
+      const idToken = getOptionalString(json, "id_token");
+      const accessToken = getOptionalString(json, "access_token");
+      const newRefreshToken = getOptionalString(json, "refresh_token");
+      const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
       if (newRefreshToken) {
-        if (this._storageAdapter) {
-          this._storageAdapter.save("microsoft_refresh_token", newRefreshToken);
-        } else {
-          localStorage.setItem(
-            "nitro_auth_microsoft_refresh_token",
-            newRefreshToken,
-          );
-        }
+        this.saveRefreshToken(newRefreshToken);
       }
 
-      const claims = this.decodeMicrosoftJwt(idToken);
+      const expirationTime =
+        typeof expiresInSeconds === "number"
+          ? Date.now() + expiresInSeconds * 1000
+          : undefined;
+
+      const effectiveIdToken = idToken ?? this._currentUser.idToken;
+      const claims = effectiveIdToken
+        ? this.decodeMicrosoftJwt(effectiveIdToken)
+        : {};
       const user: AuthUser = {
         ...this._currentUser,
-        idToken,
+        idToken: effectiveIdToken,
         accessToken: accessToken ?? undefined,
-        expirationTime: expiresIn
-          ? Date.now() + parseInt(expiresIn) * 1000
-          : undefined,
+        refreshToken: newRefreshToken ?? this._currentUser.refreshToken,
+        expirationTime,
         ...claims,
       };
       this.updateUser(user);
 
-      const tokens = { accessToken, idToken };
-      this._tokenListeners.forEach((l) => l(tokens));
+      const tokens: AuthTokens = {
+        accessToken: accessToken ?? undefined,
+        idToken: effectiveIdToken,
+        refreshToken: newRefreshToken ?? undefined,
+        expirationTime,
+      };
+      this._tokenListeners.forEach((l) => {
+        l(tokens);
+      });
       return tokens;
     }
 
@@ -280,11 +596,15 @@ class AuthWeb implements Auth {
     await this.loginGoogle(
       this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES,
     );
-    const tokens = {
+    const tokens: AuthTokens = {
       accessToken: this._currentUser.accessToken,
       idToken: this._currentUser.idToken,
+      refreshToken: this._currentUser.refreshToken,
+      expirationTime: this._currentUser.expirationTime,
     };
-    this._tokenListeners.forEach((l) => l(tokens));
+    this._tokenListeners.forEach((l) => {
+      l(tokens);
+    });
     return tokens;
   }
 
@@ -295,13 +615,100 @@ class AuthWeb implements Auth {
 
     if (msg.includes("cancel") || msg.includes("popup_closed")) {
       mappedMsg = "cancelled";
+    } else if (msg.includes("timeout")) {
+      mappedMsg = "timeout";
+    } else if (msg.includes("popup blocked")) {
+      mappedMsg = "popup_blocked";
     } else if (msg.includes("network")) {
       mappedMsg = "network_error";
     } else if (msg.includes("client id") || msg.includes("config")) {
       mappedMsg = "configuration_error";
     }
 
-    return Object.assign(new Error(mappedMsg), { underlyingError: rawMessage });
+    return new AuthWebError(mappedMsg, rawMessage);
+  }
+
+  private async parseResponseObject(response: Response): Promise<JsonObject> {
+    const parsed: unknown = await response.json();
+    if (!isJsonObject(parsed)) {
+      throw new Error("Expected JSON object response from auth provider");
+    }
+    return parsed;
+  }
+
+  private parseJwtPayload(token: string): JsonObject {
+    const payload = token.split(".")[1];
+    if (!payload) {
+      throw new Error("Invalid JWT payload");
+    }
+
+    const decoded: unknown = JSON.parse(atob(payload));
+    if (!isJsonObject(decoded)) {
+      throw new Error("Expected JWT payload to be an object");
+    }
+    return decoded;
+  }
+
+  private waitForPopupRedirect(
+    popup: Window,
+    redirectUri: string,
+    provider: "Google" | "Microsoft",
+    onRedirect: (url: string) => Promise<void> | void,
+  ): Promise<void> {
+    return new Promise((resolve, reject) => {
+      let crossOriginLogShown = false;
+
+      const cleanup = (
+        intervalId: number,
+        timeoutId: number,
+        shouldClosePopup: boolean,
+      ) => {
+        window.clearInterval(intervalId);
+        window.clearTimeout(timeoutId);
+        if (shouldClosePopup && !popup.closed) {
+          popup.close();
+        }
+      };
+
+      const timeoutId = window.setTimeout(() => {
+        cleanup(intervalId, timeoutId, true);
+        reject(new Error(`${provider.toLowerCase()}_auth_timeout`));
+      }, POPUP_TIMEOUT_MS);
+
+      const intervalId = window.setInterval(() => {
+        if (popup.closed) {
+          cleanup(intervalId, timeoutId, false);
+          reject(new Error("cancelled"));
+          return;
+        }
+
+        let url: string;
+        try {
+          url = popup.location.href;
+        } catch (error) {
+          if (!crossOriginLogShown) {
+            logger.debug(`Waiting for ${provider} auth redirect`, {
+              error: String(error),
+            });
+            crossOriginLogShown = true;
+          }
+          return;
+        }
+
+        if (!url.startsWith(redirectUri)) {
+          return;
+        }
+
+        cleanup(intervalId, timeoutId, true);
+        void Promise.resolve(onRedirect(url))
+          .then(() => {
+            resolve();
+          })
+          .catch((error: unknown) => {
+            reject(error);
+          });
+      }, POPUP_POLL_INTERVAL_MS);
+    });
   }
 
   private async loginGoogle(
@@ -324,7 +731,7 @@ class AuthWeb implements Auth {
       authUrl.searchParams.set("redirect_uri", redirectUri);
       authUrl.searchParams.set("response_type", "id_token token code");
       authUrl.searchParams.set("scope", scopes.join(" "));
-      authUrl.searchParams.set("nonce", Math.random().toString(36).slice(2));
+      authUrl.searchParams.set("nonce", crypto.randomUUID());
       authUrl.searchParams.set("access_type", "offline");
       authUrl.searchParams.set("prompt", "consent");
 
@@ -348,66 +755,53 @@ class AuthWeb implements Auth {
         return;
       }
 
-      const checkInterval = setInterval(() => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
+      void this.waitForPopupRedirect(popup, redirectUri, "Google", (url) => {
+        const hash = new URL(url).hash.slice(1);
+        const params = new URLSearchParams(hash);
+        const idToken = params.get("id_token");
+        const accessToken = params.get("access_token");
+        const expiresIn = params.get("expires_in");
+        const code = params.get("code");
 
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-
-            const hash = new URL(url).hash.slice(1);
-            const params = new URLSearchParams(hash);
-            const idToken = params.get("id_token");
-            const accessToken = params.get("access_token");
-            const expiresIn = params.get("expires_in");
-            const code = params.get("code");
-
-            if (idToken) {
-              this._grantedScopes = scopes;
-              if (this._storageAdapter) {
-                this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-              } else {
-                localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-              }
-
-              const user: AuthUser = {
-                provider: "google",
-                idToken,
-                accessToken: accessToken ?? undefined,
-                serverAuthCode: code ?? undefined,
-                scopes,
-                expirationTime: expiresIn
-                  ? Date.now() + parseInt(expiresIn) * 1000
-                  : undefined,
-                ...this.decodeGoogleJwt(idToken),
-              };
-              this.updateUser(user);
-              resolve();
-            } else {
-              reject(new Error("No id_token in response"));
-            }
-          }
-        } catch {}
-      }, 100);
+        if (!idToken) {
+          throw new Error("No id_token in response");
+        }
+
+        this._grantedScopes = scopes;
+        this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
+
+        const user: AuthUser = {
+          provider: "google",
+          idToken,
+          accessToken: accessToken ?? undefined,
+          serverAuthCode: code ?? undefined,
+          scopes,
+          expirationTime: expiresIn
+            ? Date.now() + parseInt(expiresIn, 10) * 1000
+            : undefined,
+          ...this.decodeGoogleJwt(idToken),
+        };
+        this.updateUser(user);
+      })
+        .then(() => {
+          resolve();
+        })
+        .catch((error: unknown) => {
+          reject(error);
+        });
     });
   }
 
   private decodeGoogleJwt(token: string): Partial<AuthUser> {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.email,
-        name: decoded.name,
-        photo: decoded.picture,
+        email: getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
+        photo: getOptionalString(decoded, "picture"),
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Google ID token", { error: String(error) });
       return {};
     }
   }
@@ -477,58 +871,46 @@ class AuthWeb implements Auth {
         return;
       }
 
-      const checkInterval = setInterval(async () => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
+      void this.waitForPopupRedirect(
+        popup,
+        redirectUri,
+        "Microsoft",
+        async (url) => {
+          const urlObj = new URL(url);
+          const code = urlObj.searchParams.get("code");
+          const returnedState = urlObj.searchParams.get("state");
+          const error = urlObj.searchParams.get("error");
+          const errorDescription = urlObj.searchParams.get("error_description");
+
+          if (error) {
+            throw new Error(errorDescription ?? error);
+          }
+
+          if (returnedState !== state) {
+            throw new Error("State mismatch - possible CSRF attack");
           }
 
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-
-            const urlObj = new URL(url);
-            const code = urlObj.searchParams.get("code");
-            const returnedState = urlObj.searchParams.get("state");
-            const error = urlObj.searchParams.get("error");
-            const errorDescription =
-              urlObj.searchParams.get("error_description");
-
-            if (error) {
-              reject(new Error(errorDescription ?? error));
-              return;
-            }
-
-            if (returnedState !== state) {
-              reject(new Error("State mismatch - possible CSRF attack"));
-              return;
-            }
-
-            if (!code) {
-              reject(new Error("No authorization code in response"));
-              return;
-            }
-
-            try {
-              await this.exchangeMicrosoftCodeForTokens(
-                code,
-                codeVerifier,
-                clientId,
-                redirectUri,
-                effectiveTenant,
-                nonce,
-                effectiveScopes,
-              );
-              resolve();
-            } catch (e) {
-              reject(e);
-            }
+          if (!code) {
+            throw new Error("No authorization code in response");
           }
-        } catch {}
-      }, 100);
+
+          await this.exchangeMicrosoftCodeForTokens(
+            code,
+            codeVerifier,
+            clientId,
+            redirectUri,
+            effectiveTenant,
+            nonce,
+            effectiveScopes,
+          );
+        },
+      )
+        .then(() => {
+          resolve();
+        })
+        .catch((error: unknown) => {
+          reject(error);
+        });
     });
   }
 
@@ -582,55 +964,48 @@ class AuthWeb implements Auth {
       body: body.toString(),
     });
 
-    const json = await response.json();
+    const json = await this.parseResponseObject(response);
 
     if (!response.ok) {
       throw new Error(
-        json.error_description ?? json.error ?? "Token exchange failed",
+        getOptionalString(json, "error_description") ??
+          getOptionalString(json, "error") ??
+          "Token exchange failed",
       );
     }
 
-    const idToken = json.id_token;
+    const idToken = getOptionalString(json, "id_token");
     if (!idToken) {
       throw new Error("No id_token in token response");
     }
 
     const claims = this.decodeMicrosoftJwt(idToken);
-    const payload = JSON.parse(atob(idToken.split(".")[1]));
-    if (payload.nonce !== expectedNonce) {
+    const payload = this.parseJwtPayload(idToken);
+    if (getOptionalString(payload, "nonce") !== expectedNonce) {
       throw new Error("Nonce mismatch - token may be replayed");
     }
 
-    const accessToken = json.access_token;
-    const refreshToken = json.refresh_token;
-    const expiresIn = json.expires_in;
+    const accessToken = getOptionalString(json, "access_token");
+    const refreshToken = getOptionalString(json, "refresh_token");
+    const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
     if (refreshToken) {
-      if (this._storageAdapter) {
-        this._storageAdapter.save("microsoft_refresh_token", refreshToken);
-      } else {
-        localStorage.setItem(
-          "nitro_auth_microsoft_refresh_token",
-          refreshToken,
-        );
-      }
+      this.saveRefreshToken(refreshToken);
     }
 
     this._grantedScopes = scopes;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
 
     const user: AuthUser = {
       provider: "microsoft",
       idToken,
       accessToken: accessToken ?? undefined,
+      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: expiresIn
-        ? Date.now() + parseInt(expiresIn) * 1000
-        : undefined,
+      expirationTime:
+        typeof expiresInSeconds === "number"
+          ? Date.now() + expiresInSeconds * 1000
+          : undefined,
       ...claims,
     };
     this.updateUser(user);
@@ -650,13 +1025,17 @@ class AuthWeb implements Auth {
 
   private decodeMicrosoftJwt(token: string): Partial<AuthUser> {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.preferred_username ?? decoded.email,
-        name: decoded.name,
+        email:
+          getOptionalString(decoded, "preferred_username") ??
+          getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Microsoft ID token", {
+        error: String(error),
+      });
       return {};
     }
   }
@@ -701,9 +1080,13 @@ class AuthWeb implements Auth {
             this.updateUser(user);
             resolve();
           })
-          .catch((err: unknown) => reject(this.mapError(err)));
+          .catch((err: unknown) => {
+            reject(this.mapError(err));
+          });
+      };
+      script.onerror = () => {
+        reject(new Error("Failed to load Apple SDK"));
       };
-      script.onerror = () => reject(new Error("Failed to load Apple SDK"));
       document.head.appendChild(script);
     });
   }
@@ -727,17 +1110,14 @@ class AuthWeb implements Auth {
     this._grantedScopes = [];
     this.removeFromCache(CACHE_KEY);
     this.removeFromCache(SCOPES_KEY);
-    this.removeFromCache("microsoft_refresh_token");
+    this.removeFromCache(MS_REFRESH_TOKEN_KEY);
     this.notify();
   }
 
   private updateUser(user: AuthUser) {
     this._currentUser = user;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(CACHE_KEY, JSON.stringify(user));
-    } else {
-      localStorage.setItem(CACHE_KEY, JSON.stringify(user));
-    }
+    const userToPersist = this.sanitizeUserForPersistence(user);
+    this.saveValue(CACHE_KEY, JSON.stringify(userToPersist));
     this.notify();
   }
 
@@ -745,12 +1125,12 @@ class AuthWeb implements Auth {
     logger.setEnabled(enabled);
   }
 
-  setStorageAdapter(adapter: AuthStorageAdapter | undefined): void {
-    this._storageAdapter = adapter;
-    if (adapter) {
-      this.loadFromCache();
-      this.notify();
-    }
+  setWebStorageAdapter(adapter: JSStorageAdapter | undefined): void {
+    this._storageAdapter = adapter
+      ? this.createWebStorageDriver(adapter)
+      : undefined;
+    this.loadFromCache();
+    this.notify();
   }
 
   name = "Auth";