react-native-nitro-auth 0.5.1 → 0.5.3

package/lib/module/Auth.web.js

@@ -3,13 +3,83 @@
 import { logger } from "./utils/logger.js";
 const CACHE_KEY = "nitro_auth_user";
 const SCOPES_KEY = "nitro_auth_scopes";
+const MS_REFRESH_TOKEN_KEY = "nitro_auth_microsoft_refresh_token";
 const DEFAULT_SCOPES = ["openid", "email", "profile"];
 const MS_DEFAULT_SCOPES = ["openid", "email", "profile", "User.Read"];
+const STORAGE_MODE_SESSION = "session";
+const STORAGE_MODE_LOCAL = "local";
+const STORAGE_MODE_MEMORY = "memory";
+const POPUP_POLL_INTERVAL_MS = 100;
+const POPUP_TIMEOUT_MS = 120000;
+const WEB_STORAGE_MODES = new Set([STORAGE_MODE_SESSION, STORAGE_MODE_LOCAL, STORAGE_MODE_MEMORY]);
+const inMemoryWebStorage = new Map();
+class AuthWebError extends Error {
+  constructor(message, underlyingError) {
+    super(message);
+    this.name = "AuthWebError";
+    this.underlyingError = underlyingError;
+  }
+}
+const isJsonObject = value => typeof value === "object" && value !== null;
+const isAuthProvider = value => value === "google" || value === "apple" || value === "microsoft";
+const getOptionalString = (source, key) => {
+  const candidate = source[key];
+  return typeof candidate === "string" ? candidate : undefined;
+};
+const getOptionalNumber = (source, key) => {
+  const candidate = source[key];
+  return typeof candidate === "number" ? candidate : undefined;
+};
+const parseAuthUser = value => {
+  if (!isJsonObject(value) || !isAuthProvider(value.provider)) {
+    return undefined;
+  }
+  const scopesCandidate = value.scopes;
+  const scopes = Array.isArray(scopesCandidate) ? scopesCandidate.filter(scope => typeof scope === "string") : undefined;
+  return {
+    provider: value.provider,
+    email: getOptionalString(value, "email"),
+    name: getOptionalString(value, "name"),
+    photo: getOptionalString(value, "photo"),
+    idToken: getOptionalString(value, "idToken"),
+    accessToken: getOptionalString(value, "accessToken"),
+    refreshToken: getOptionalString(value, "refreshToken"),
+    serverAuthCode: getOptionalString(value, "serverAuthCode"),
+    scopes,
+    expirationTime: getOptionalNumber(value, "expirationTime"),
+    underlyingError: getOptionalString(value, "underlyingError")
+  };
+};
+const parseScopes = value => {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+  return value.filter(scope => typeof scope === "string");
+};
+const parseAuthWebExtraConfig = value => {
+  if (!isJsonObject(value)) {
+    return {};
+  }
+  const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
+  const nitroAuthWebStorage = nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION || nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL || nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY ? nitroAuthWebStorageCandidate : undefined;
+  return {
+    googleWebClientId: getOptionalString(value, "googleWebClientId"),
+    microsoftClientId: getOptionalString(value, "microsoftClientId"),
+    microsoftTenant: getOptionalString(value, "microsoftTenant"),
+    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
+    appleWebClientId: getOptionalString(value, "appleWebClientId"),
+    nitroAuthWebStorage,
+    nitroAuthPersistTokensOnWeb: typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined
+  };
+};
 const getConfig = () => {
   try {
     const Constants = require("expo-constants").default;
-    return Constants.expoConfig?.extra || {};
-  } catch {
+    return parseAuthWebExtraConfig(Constants.expoConfig?.extra);
+  } catch (error) {
+    logger.debug("expo-constants unavailable on web, falling back to defaults", {
+      error: String(error)
+    });
     return {};
   }
 };
@@ -20,30 +90,191 @@ class AuthWeb {
   constructor() {
     this.loadFromCache();
   }
+  isPromiseLike(value) {
+    if (!isJsonObject(value)) {
+      return false;
+    }
+    return typeof value.then === "function";
+  }
+  createWebStorageDriver(adapter) {
+    return {
+      save: (key, value) => {
+        const result = adapter.save(key, value);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.save must be synchronous.");
+        }
+      },
+      load: key => {
+        const result = adapter.load(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.load must be synchronous.");
+        }
+        return result;
+      },
+      remove: key => {
+        const result = adapter.remove(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.remove must be synchronous.");
+        }
+      }
+    };
+  }
+  shouldPersistTokensInStorage() {
+    if (this._storageAdapter) {
+      return true;
+    }
+    return getConfig().nitroAuthPersistTokensOnWeb === true;
+  }
+  getWebStorageMode() {
+    const configuredMode = getConfig().nitroAuthWebStorage;
+    if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
+      return configuredMode;
+    }
+    return STORAGE_MODE_SESSION;
+  }
+  getBrowserStorage() {
+    if (typeof window === "undefined") {
+      return undefined;
+    }
+    const mode = this.getWebStorageMode();
+    if (mode === STORAGE_MODE_MEMORY) {
+      return undefined;
+    }
+    const storage = mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
+    try {
+      const testKey = "__nitro_auth_storage_probe__";
+      storage.setItem(testKey, "1");
+      storage.removeItem(testKey);
+      return storage;
+    } catch (error) {
+      logger.warn("Configured web storage is unavailable; using in-memory fallback", {
+        mode,
+        error: String(error)
+      });
+      return undefined;
+    }
+  }
+  saveValue(key, value) {
+    if (this._storageAdapter) {
+      this._storageAdapter.save(key, value);
+      return;
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.setItem(key, value);
+      return;
+    }
+    inMemoryWebStorage.set(key, value);
+  }
+  loadValue(key) {
+    if (this._storageAdapter) {
+      return this._storageAdapter.load(key);
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      return storage.getItem(key) ?? undefined;
+    }
+    return inMemoryWebStorage.get(key);
+  }
+  removeValue(key) {
+    if (this._storageAdapter) {
+      this._storageAdapter.remove(key);
+      return;
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.removeItem(key);
+    }
+    inMemoryWebStorage.delete(key);
+  }
+  removePersistedBrowserValue(key) {
+    if (typeof window === "undefined") {
+      return;
+    }
+    try {
+      window.localStorage.removeItem(key);
+      window.sessionStorage.removeItem(key);
+    } catch (error) {
+      logger.debug("Failed to clear persisted browser value", {
+        key,
+        error: String(error)
+      });
+    }
+  }
+  sanitizeUserForPersistence(user) {
+    if (this.shouldPersistTokensInStorage()) {
+      return user;
+    }
+    const safeUser = {
+      ...user
+    };
+    delete safeUser.accessToken;
+    delete safeUser.idToken;
+    delete safeUser.serverAuthCode;
+    return safeUser;
+  }
+  saveRefreshToken(refreshToken) {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      this.saveValue(MS_REFRESH_TOKEN_KEY, refreshToken);
+      return;
+    }
+
+    // Security-first default: keep refresh tokens in-memory only on web.
+    inMemoryWebStorage.set(MS_REFRESH_TOKEN_KEY, refreshToken);
+  }
+  loadRefreshToken() {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      return this.loadValue(MS_REFRESH_TOKEN_KEY);
+    }
+    return inMemoryWebStorage.get(MS_REFRESH_TOKEN_KEY);
+  }
   loadFromCache() {
-    const cached = this._storageAdapter ? this._storageAdapter.load(CACHE_KEY) : localStorage.getItem(CACHE_KEY);
+    const cached = this.loadValue(CACHE_KEY);
     if (cached) {
       try {
-        this._currentUser = JSON.parse(cached);
-      } catch {
+        const parsedUser = parseAuthUser(JSON.parse(cached));
+        if (!parsedUser) {
+          throw new Error("Expected cached auth user to be a valid AuthUser");
+        }
+        if (this.shouldPersistTokensInStorage()) {
+          this._currentUser = parsedUser;
+        } else {
+          const safeUser = {
+            ...parsedUser
+          };
+          delete safeUser.accessToken;
+          delete safeUser.idToken;
+          delete safeUser.serverAuthCode;
+          this._currentUser = safeUser;
+        }
+      } catch (error) {
+        logger.warn("Failed to parse cached auth user; clearing cache", {
+          error: String(error)
+        });
         this.removeFromCache(CACHE_KEY);
       }
     }
-    const scopes = this._storageAdapter ? this._storageAdapter.load(SCOPES_KEY) : localStorage.getItem(SCOPES_KEY);
+    const scopes = this.loadValue(SCOPES_KEY);
     if (scopes) {
       try {
-        this._grantedScopes = JSON.parse(scopes);
-      } catch {
+        const parsedScopes = parseScopes(JSON.parse(scopes));
+        if (!parsedScopes) {
+          throw new Error("Expected cached scopes to be an array");
+        }
+        this._grantedScopes = parsedScopes;
+      } catch (error) {
+        logger.warn("Failed to parse cached scopes; clearing cache", {
+          error: String(error)
+        });
         this.removeFromCache(SCOPES_KEY);
       }
     }
+    if (!this.shouldPersistTokensInStorage() && !this._storageAdapter) {
+      this.removePersistedBrowserValue(MS_REFRESH_TOKEN_KEY);
+    }
   }
   removeFromCache(key) {
-    if (this._storageAdapter) {
-      this._storageAdapter.remove(key);
-    } else {
-      localStorage.removeItem(key);
-    }
+    this.removeValue(key);
   }
   get currentUser() {
     return this._currentUser;
@@ -68,7 +299,9 @@ class AuthWeb {
     };
   }
   notify() {
-    this._listeners.forEach(l => l(this._currentUser));
+    this._listeners.forEach(l => {
+      l(this._currentUser);
+    });
   }
   async login(provider, options) {
     const loginHint = options?.loginHint;
@@ -117,11 +350,7 @@ class AuthWeb {
   async revokeScopes(scopes) {
     logger.log("Revoking scopes:", scopes);
     this._grantedScopes = this._grantedScopes.filter(s => !scopes.includes(s));
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(this._grantedScopes));
     if (this._currentUser) {
       this._currentUser.scopes = this._grantedScopes;
       this.updateUser(this._currentUser);
@@ -143,12 +372,15 @@ class AuthWeb {
     }
     if (this._currentUser.provider === "microsoft") {
       logger.log("Refreshing Microsoft tokens...");
-      const refreshToken = this._storageAdapter ? this._storageAdapter.load("microsoft_refresh_token") : localStorage.getItem("nitro_auth_microsoft_refresh_token");
+      const refreshToken = this.loadRefreshToken();
       if (!refreshToken) {
         throw new Error("No refresh token available");
       }
       const config = getConfig();
       const clientId = config.microsoftClientId;
+      if (!clientId) {
+        throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
+      }
       const tenant = config.microsoftTenant ?? "common";
       const b2cDomain = config.microsoftB2cDomain;
       const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, b2cDomain);
@@ -165,35 +397,38 @@ class AuthWeb {
         },
         body: body.toString()
       });
-      const json = await response.json();
+      const json = await this.parseResponseObject(response);
       if (!response.ok) {
-        throw new Error(json.error_description ?? json.error ?? "Token refresh failed");
+        throw new Error(getOptionalString(json, "error_description") ?? getOptionalString(json, "error") ?? "Token refresh failed");
       }
-      const idToken = json.id_token;
-      const accessToken = json.access_token;
-      const newRefreshToken = json.refresh_token;
-      const expiresIn = json.expires_in;
+      const idToken = getOptionalString(json, "id_token");
+      const accessToken = getOptionalString(json, "access_token");
+      const newRefreshToken = getOptionalString(json, "refresh_token");
+      const expiresInSeconds = getOptionalNumber(json, "expires_in");
       if (newRefreshToken) {
-        if (this._storageAdapter) {
-          this._storageAdapter.save("microsoft_refresh_token", newRefreshToken);
-        } else {
-          localStorage.setItem("nitro_auth_microsoft_refresh_token", newRefreshToken);
-        }
+        this.saveRefreshToken(newRefreshToken);
       }
-      const claims = this.decodeMicrosoftJwt(idToken);
+      const expirationTime = typeof expiresInSeconds === "number" ? Date.now() + expiresInSeconds * 1000 : undefined;
+      const effectiveIdToken = idToken ?? this._currentUser.idToken;
+      const claims = effectiveIdToken ? this.decodeMicrosoftJwt(effectiveIdToken) : {};
       const user = {
         ...this._currentUser,
-        idToken,
+        idToken: effectiveIdToken,
         accessToken: accessToken ?? undefined,
-        expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
+        refreshToken: newRefreshToken ?? this._currentUser.refreshToken,
+        expirationTime,
         ...claims
       };
       this.updateUser(user);
       const tokens = {
-        accessToken,
-        idToken
+        accessToken: accessToken ?? undefined,
+        idToken: effectiveIdToken,
+        refreshToken: newRefreshToken ?? undefined,
+        expirationTime
       };
-      this._tokenListeners.forEach(l => l(tokens));
+      this._tokenListeners.forEach(l => {
+        l(tokens);
+      });
       return tokens;
     }
     if (this._currentUser.provider !== "google") {
@@ -203,9 +438,13 @@ class AuthWeb {
     await this.loginGoogle(this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES);
     const tokens = {
       accessToken: this._currentUser.accessToken,
-      idToken: this._currentUser.idToken
+      idToken: this._currentUser.idToken,
+      refreshToken: this._currentUser.refreshToken,
+      expirationTime: this._currentUser.expirationTime
     };
-    this._tokenListeners.forEach(l => l(tokens));
+    this._tokenListeners.forEach(l => {
+      l(tokens);
+    });
     return tokens;
   }
   mapError(error) {
@@ -214,13 +453,77 @@ class AuthWeb {
     let mappedMsg = rawMessage;
     if (msg.includes("cancel") || msg.includes("popup_closed")) {
       mappedMsg = "cancelled";
+    } else if (msg.includes("timeout")) {
+      mappedMsg = "timeout";
+    } else if (msg.includes("popup blocked")) {
+      mappedMsg = "popup_blocked";
     } else if (msg.includes("network")) {
       mappedMsg = "network_error";
     } else if (msg.includes("client id") || msg.includes("config")) {
       mappedMsg = "configuration_error";
     }
-    return Object.assign(new Error(mappedMsg), {
-      underlyingError: rawMessage
+    return new AuthWebError(mappedMsg, rawMessage);
+  }
+  async parseResponseObject(response) {
+    const parsed = await response.json();
+    if (!isJsonObject(parsed)) {
+      throw new Error("Expected JSON object response from auth provider");
+    }
+    return parsed;
+  }
+  parseJwtPayload(token) {
+    const payload = token.split(".")[1];
+    if (!payload) {
+      throw new Error("Invalid JWT payload");
+    }
+    const decoded = JSON.parse(atob(payload));
+    if (!isJsonObject(decoded)) {
+      throw new Error("Expected JWT payload to be an object");
+    }
+    return decoded;
+  }
+  waitForPopupRedirect(popup, redirectUri, provider, onRedirect) {
+    return new Promise((resolve, reject) => {
+      let crossOriginLogShown = false;
+      const cleanup = (intervalId, timeoutId, shouldClosePopup) => {
+        window.clearInterval(intervalId);
+        window.clearTimeout(timeoutId);
+        if (shouldClosePopup && !popup.closed) {
+          popup.close();
+        }
+      };
+      const timeoutId = window.setTimeout(() => {
+        cleanup(intervalId, timeoutId, true);
+        reject(new Error(`${provider.toLowerCase()}_auth_timeout`));
+      }, POPUP_TIMEOUT_MS);
+      const intervalId = window.setInterval(() => {
+        if (popup.closed) {
+          cleanup(intervalId, timeoutId, false);
+          reject(new Error("cancelled"));
+          return;
+        }
+        let url;
+        try {
+          url = popup.location.href;
+        } catch (error) {
+          if (!crossOriginLogShown) {
+            logger.debug(`Waiting for ${provider} auth redirect`, {
+              error: String(error)
+            });
+            crossOriginLogShown = true;
+          }
+          return;
+        }
+        if (!url.startsWith(redirectUri)) {
+          return;
+        }
+        cleanup(intervalId, timeoutId, true);
+        void Promise.resolve(onRedirect(url)).then(() => {
+          resolve();
+        }).catch(error => {
+          reject(error);
+        });
+      }, POPUP_POLL_INTERVAL_MS);
     });
   }
   async loginGoogle(scopes, loginHint) {
@@ -236,7 +539,7 @@ class AuthWeb {
       authUrl.searchParams.set("redirect_uri", redirectUri);
       authUrl.searchParams.set("response_type", "id_token token code");
       authUrl.searchParams.set("scope", scopes.join(" "));
-      authUrl.searchParams.set("nonce", Math.random().toString(36).slice(2));
+      authUrl.searchParams.set("nonce", crypto.randomUUID());
       authUrl.searchParams.set("access_type", "offline");
       authUrl.searchParams.set("prompt", "consent");
       if (loginHint) {
@@ -251,59 +554,47 @@ class AuthWeb {
         reject(new Error("Popup blocked. Please allow popups for this site."));
         return;
       }
-      const checkInterval = setInterval(() => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-            const hash = new URL(url).hash.slice(1);
-            const params = new URLSearchParams(hash);
-            const idToken = params.get("id_token");
-            const accessToken = params.get("access_token");
-            const expiresIn = params.get("expires_in");
-            const code = params.get("code");
-            if (idToken) {
-              this._grantedScopes = scopes;
-              if (this._storageAdapter) {
-                this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-              } else {
-                localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-              }
-              const user = {
-                provider: "google",
-                idToken,
-                accessToken: accessToken ?? undefined,
-                serverAuthCode: code ?? undefined,
-                scopes,
-                expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
-                ...this.decodeGoogleJwt(idToken)
-              };
-              this.updateUser(user);
-              resolve();
-            } else {
-              reject(new Error("No id_token in response"));
-            }
-          }
-        } catch {}
-      }, 100);
+      void this.waitForPopupRedirect(popup, redirectUri, "Google", url => {
+        const hash = new URL(url).hash.slice(1);
+        const params = new URLSearchParams(hash);
+        const idToken = params.get("id_token");
+        const accessToken = params.get("access_token");
+        const expiresIn = params.get("expires_in");
+        const code = params.get("code");
+        if (!idToken) {
+          throw new Error("No id_token in response");
+        }
+        this._grantedScopes = scopes;
+        this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
+        const user = {
+          provider: "google",
+          idToken,
+          accessToken: accessToken ?? undefined,
+          serverAuthCode: code ?? undefined,
+          scopes,
+          expirationTime: expiresIn ? Date.now() + parseInt(expiresIn, 10) * 1000 : undefined,
+          ...this.decodeGoogleJwt(idToken)
+        };
+        this.updateUser(user);
+      }).then(() => {
+        resolve();
+      }).catch(error => {
+        reject(error);
+      });
     });
   }
   decodeGoogleJwt(token) {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.email,
-        name: decoded.name,
-        photo: decoded.picture
+        email: getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
+        photo: getOptionalString(decoded, "picture")
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Google ID token", {
+        error: String(error)
+      });
       return {};
     }
   }
@@ -346,43 +637,27 @@ class AuthWeb {
         reject(new Error("Popup blocked. Please allow popups for this site."));
         return;
       }
-      const checkInterval = setInterval(async () => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-            const urlObj = new URL(url);
-            const code = urlObj.searchParams.get("code");
-            const returnedState = urlObj.searchParams.get("state");
-            const error = urlObj.searchParams.get("error");
-            const errorDescription = urlObj.searchParams.get("error_description");
-            if (error) {
-              reject(new Error(errorDescription ?? error));
-              return;
-            }
-            if (returnedState !== state) {
-              reject(new Error("State mismatch - possible CSRF attack"));
-              return;
-            }
-            if (!code) {
-              reject(new Error("No authorization code in response"));
-              return;
-            }
-            try {
-              await this.exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, effectiveTenant, nonce, effectiveScopes);
-              resolve();
-            } catch (e) {
-              reject(e);
-            }
-          }
-        } catch {}
-      }, 100);
+      void this.waitForPopupRedirect(popup, redirectUri, "Microsoft", async url => {
+        const urlObj = new URL(url);
+        const code = urlObj.searchParams.get("code");
+        const returnedState = urlObj.searchParams.get("state");
+        const error = urlObj.searchParams.get("error");
+        const errorDescription = urlObj.searchParams.get("error_description");
+        if (error) {
+          throw new Error(errorDescription ?? error);
+        }
+        if (returnedState !== state) {
+          throw new Error("State mismatch - possible CSRF attack");
+        }
+        if (!code) {
+          throw new Error("No authorization code in response");
+        }
+        await this.exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, effectiveTenant, nonce, effectiveScopes);
+      }).then(() => {
+        resolve();
+      }).catch(error => {
+        reject(error);
+      });
     });
   }
   generateCodeVerifier() {
@@ -418,41 +693,34 @@ class AuthWeb {
       },
       body: body.toString()
     });
-    const json = await response.json();
+    const json = await this.parseResponseObject(response);
     if (!response.ok) {
-      throw new Error(json.error_description ?? json.error ?? "Token exchange failed");
+      throw new Error(getOptionalString(json, "error_description") ?? getOptionalString(json, "error") ?? "Token exchange failed");
     }
-    const idToken = json.id_token;
+    const idToken = getOptionalString(json, "id_token");
     if (!idToken) {
       throw new Error("No id_token in token response");
     }
     const claims = this.decodeMicrosoftJwt(idToken);
-    const payload = JSON.parse(atob(idToken.split(".")[1]));
-    if (payload.nonce !== expectedNonce) {
+    const payload = this.parseJwtPayload(idToken);
+    if (getOptionalString(payload, "nonce") !== expectedNonce) {
       throw new Error("Nonce mismatch - token may be replayed");
     }
-    const accessToken = json.access_token;
-    const refreshToken = json.refresh_token;
-    const expiresIn = json.expires_in;
+    const accessToken = getOptionalString(json, "access_token");
+    const refreshToken = getOptionalString(json, "refresh_token");
+    const expiresInSeconds = getOptionalNumber(json, "expires_in");
     if (refreshToken) {
-      if (this._storageAdapter) {
-        this._storageAdapter.save("microsoft_refresh_token", refreshToken);
-      } else {
-        localStorage.setItem("nitro_auth_microsoft_refresh_token", refreshToken);
-      }
+      this.saveRefreshToken(refreshToken);
     }
     this._grantedScopes = scopes;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
     const user = {
       provider: "microsoft",
       idToken,
       accessToken: accessToken ?? undefined,
+      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
+      expirationTime: typeof expiresInSeconds === "number" ? Date.now() + expiresInSeconds * 1000 : undefined,
       ...claims
     };
     this.updateUser(user);
@@ -469,13 +737,15 @@ class AuthWeb {
   }
   decodeMicrosoftJwt(token) {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.preferred_username ?? decoded.email,
-        name: decoded.name
+        email: getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name")
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Microsoft ID token", {
+        error: String(error)
+      });
       return {};
     }
   }
@@ -509,9 +779,13 @@ class AuthWeb {
           };
           this.updateUser(user);
           resolve();
-        }).catch(err => reject(this.mapError(err)));
+        }).catch(err => {
+          reject(this.mapError(err));
+        });
+      };
+      script.onerror = () => {
+        reject(new Error("Failed to load Apple SDK"));
       };
-      script.onerror = () => reject(new Error("Failed to load Apple SDK"));
       document.head.appendChild(script);
     });
   }
@@ -533,27 +807,22 @@ class AuthWeb {
     this._grantedScopes = [];
     this.removeFromCache(CACHE_KEY);
     this.removeFromCache(SCOPES_KEY);
-    this.removeFromCache("microsoft_refresh_token");
+    this.removeFromCache(MS_REFRESH_TOKEN_KEY);
     this.notify();
   }
   updateUser(user) {
     this._currentUser = user;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(CACHE_KEY, JSON.stringify(user));
-    } else {
-      localStorage.setItem(CACHE_KEY, JSON.stringify(user));
-    }
+    const userToPersist = this.sanitizeUserForPersistence(user);
+    this.saveValue(CACHE_KEY, JSON.stringify(userToPersist));
     this.notify();
   }
   setLoggingEnabled(enabled) {
     logger.setEnabled(enabled);
   }
-  setStorageAdapter(adapter) {
-    this._storageAdapter = adapter;
-    if (adapter) {
-      this.loadFromCache();
-      this.notify();
-    }
+  setWebStorageAdapter(adapter) {
+    this._storageAdapter = adapter ? this.createWebStorageDriver(adapter) : undefined;
+    this.loadFromCache();
+    this.notify();
   }
   name = "Auth";
   dispose() {}