react-native-nitro-auth 0.5.1 → 0.5.4

package/src/Auth.web.ts

@@ -5,13 +5,31 @@ import type {
   LoginOptions,
   AuthTokens,
 } from "./Auth.nitro";
-import type { AuthStorageAdapter } from "./AuthStorage.nitro";
+import type { JSStorageAdapter } from "./js-storage-adapter";
 import { logger } from "./utils/logger";
 
 const CACHE_KEY = "nitro_auth_user";
 const SCOPES_KEY = "nitro_auth_scopes";
+const MS_REFRESH_TOKEN_KEY = "nitro_auth_microsoft_refresh_token";
 const DEFAULT_SCOPES = ["openid", "email", "profile"];
 const MS_DEFAULT_SCOPES = ["openid", "email", "profile", "User.Read"];
+const STORAGE_MODE_SESSION = "session";
+const STORAGE_MODE_LOCAL = "local";
+const STORAGE_MODE_MEMORY = "memory";
+const POPUP_POLL_INTERVAL_MS = 100;
+const POPUP_TIMEOUT_MS = 120000;
+const WEB_STORAGE_MODES = new Set([
+  STORAGE_MODE_SESSION,
+  STORAGE_MODE_LOCAL,
+  STORAGE_MODE_MEMORY,
+] as const);
+const inMemoryWebStorage = new Map<string, string>();
+
+type WebStorageDriver = {
+  save(key: string, value: string): void;
+  load(key: string): string | undefined;
+  remove(key: string): void;
+};
 
 type AppleAuthResponse = {
   authorization: {
@@ -26,58 +44,364 @@ type AppleAuthResponse = {
   };
 };
 
-const getConfig = () => {
+type AuthWebExtraConfig = {
+  googleWebClientId?: string;
+  microsoftClientId?: string;
+  microsoftTenant?: string;
+  microsoftB2cDomain?: string;
+  appleWebClientId?: string;
+  nitroAuthWebStorage?: "session" | "local" | "memory";
+  nitroAuthPersistTokensOnWeb?: boolean;
+};
+
+type JsonObject = Record<string, unknown>;
+
+class AuthWebError extends Error {
+  public readonly underlyingError?: string;
+
+  constructor(message: string, underlyingError?: string) {
+    super(message);
+    this.name = "AuthWebError";
+    this.underlyingError = underlyingError;
+  }
+}
+
+const isJsonObject = (value: unknown): value is JsonObject =>
+  typeof value === "object" && value !== null;
+
+const isAuthProvider = (value: unknown): value is AuthProvider =>
+  value === "google" || value === "apple" || value === "microsoft";
+
+const getOptionalString = (
+  source: JsonObject,
+  key: string,
+): string | undefined => {
+  const candidate = source[key];
+  return typeof candidate === "string" ? candidate : undefined;
+};
+
+const getOptionalNumber = (
+  source: JsonObject,
+  key: string,
+): number | undefined => {
+  const candidate = source[key];
+  return typeof candidate === "number" ? candidate : undefined;
+};
+
+const parseAuthUser = (value: unknown): AuthUser | undefined => {
+  if (!isJsonObject(value) || !isAuthProvider(value.provider)) {
+    return undefined;
+  }
+
+  const scopesCandidate = value.scopes;
+  const scopes = Array.isArray(scopesCandidate)
+    ? scopesCandidate.filter(
+        (scope): scope is string => typeof scope === "string",
+      )
+    : undefined;
+
+  return {
+    provider: value.provider,
+    email: getOptionalString(value, "email"),
+    name: getOptionalString(value, "name"),
+    photo: getOptionalString(value, "photo"),
+    idToken: getOptionalString(value, "idToken"),
+    accessToken: getOptionalString(value, "accessToken"),
+    refreshToken: getOptionalString(value, "refreshToken"),
+    serverAuthCode: getOptionalString(value, "serverAuthCode"),
+    scopes,
+    expirationTime: getOptionalNumber(value, "expirationTime"),
+    underlyingError: getOptionalString(value, "underlyingError"),
+  };
+};
+
+const parseScopes = (value: unknown): string[] | undefined => {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+
+  return value.filter((scope): scope is string => typeof scope === "string");
+};
+
+const parseAuthWebExtraConfig = (value: unknown): AuthWebExtraConfig => {
+  if (!isJsonObject(value)) {
+    return {};
+  }
+
+  const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
+  const nitroAuthWebStorage =
+    nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION ||
+    nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL ||
+    nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY
+      ? nitroAuthWebStorageCandidate
+      : undefined;
+
+  return {
+    googleWebClientId: getOptionalString(value, "googleWebClientId"),
+    microsoftClientId: getOptionalString(value, "microsoftClientId"),
+    microsoftTenant: getOptionalString(value, "microsoftTenant"),
+    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
+    appleWebClientId: getOptionalString(value, "appleWebClientId"),
+    nitroAuthWebStorage,
+    nitroAuthPersistTokensOnWeb:
+      typeof value.nitroAuthPersistTokensOnWeb === "boolean"
+        ? value.nitroAuthPersistTokensOnWeb
+        : undefined,
+  };
+};
+
+const getConfig = (): AuthWebExtraConfig => {
   try {
     const Constants = require("expo-constants").default;
-    return Constants.expoConfig?.extra || {};
-  } catch {
+    return parseAuthWebExtraConfig(Constants.expoConfig?.extra);
+  } catch (error) {
+    logger.debug(
+      "expo-constants unavailable on web, falling back to defaults",
+      {
+        error: String(error),
+      },
+    );
     return {};
   }
 };
 
 class AuthWeb implements Auth {
+  private readonly _config: AuthWebExtraConfig;
   private _currentUser: AuthUser | undefined;
   private _grantedScopes: string[] = [];
   private _listeners: ((user: AuthUser | undefined) => void)[] = [];
   private _tokenListeners: ((tokens: AuthTokens) => void)[] = [];
-  private _storageAdapter: AuthStorageAdapter | undefined;
+  private _storageAdapter: WebStorageDriver | undefined;
+  private _browserStorageResolved = false;
+  private _browserStorageCache: Storage | undefined;
+  private _refreshPromise: Promise<AuthTokens> | undefined;
+  private _appleSdkLoadPromise: Promise<void> | undefined;
 
   constructor() {
+    this._config = getConfig();
     this.loadFromCache();
   }
 
+  private isPromiseLike(value: unknown): value is PromiseLike<unknown> {
+    if (!isJsonObject(value)) {
+      return false;
+    }
+    return typeof value.then === "function";
+  }
+
+  private createWebStorageDriver(adapter: JSStorageAdapter): WebStorageDriver {
+    return {
+      save: (key, value) => {
+        const result = adapter.save(key, value);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.save must be synchronous.");
+        }
+      },
+      load: (key) => {
+        const result = adapter.load(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.load must be synchronous.");
+        }
+        return result;
+      },
+      remove: (key) => {
+        const result = adapter.remove(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error(
+            "On web, JSStorageAdapter.remove must be synchronous.",
+          );
+        }
+      },
+    };
+  }
+
+  private shouldPersistTokensInStorage(): boolean {
+    if (this._storageAdapter) {
+      return true;
+    }
+    return this._config.nitroAuthPersistTokensOnWeb === true;
+  }
+
+  private getWebStorageMode(): "session" | "local" | "memory" {
+    const configuredMode = this._config.nitroAuthWebStorage;
+    if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
+      return configuredMode;
+    }
+    return STORAGE_MODE_SESSION;
+  }
+
+  private getBrowserStorage(): Storage | undefined {
+    if (this._browserStorageResolved) {
+      return this._browserStorageCache;
+    }
+
+    this._browserStorageResolved = true;
+    if (typeof window === "undefined") {
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+
+    const mode = this.getWebStorageMode();
+    if (mode === STORAGE_MODE_MEMORY) {
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+
+    const storage =
+      mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
+    try {
+      const testKey = "__nitro_auth_storage_probe__";
+      storage.setItem(testKey, "1");
+      storage.removeItem(testKey);
+      this._browserStorageCache = storage;
+      return storage;
+    } catch (error) {
+      logger.warn(
+        "Configured web storage is unavailable; using in-memory fallback",
+        {
+          mode,
+          error: String(error),
+        },
+      );
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+  }
+
+  private saveValue(key: string, value: string): void {
+    if (this._storageAdapter) {
+      this._storageAdapter.save(key, value);
+      return;
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.setItem(key, value);
+      return;
+    }
+    inMemoryWebStorage.set(key, value);
+  }
+
+  private loadValue(key: string): string | undefined {
+    if (this._storageAdapter) {
+      return this._storageAdapter.load(key);
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      return storage.getItem(key) ?? undefined;
+    }
+    return inMemoryWebStorage.get(key);
+  }
+
+  private removeValue(key: string): void {
+    if (this._storageAdapter) {
+      this._storageAdapter.remove(key);
+      return;
+    }
+
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.removeItem(key);
+    }
+    inMemoryWebStorage.delete(key);
+  }
+
+  private removePersistedBrowserValue(key: string): void {
+    if (typeof window === "undefined") {
+      return;
+    }
+
+    try {
+      window.localStorage.removeItem(key);
+      window.sessionStorage.removeItem(key);
+    } catch (error) {
+      logger.debug("Failed to clear persisted browser value", {
+        key,
+        error: String(error),
+      });
+    }
+  }
+
+  private sanitizeUserForPersistence(user: AuthUser): AuthUser {
+    if (this.shouldPersistTokensInStorage()) {
+      return user;
+    }
+
+    const safeUser = { ...user };
+    delete safeUser.accessToken;
+    delete safeUser.idToken;
+    delete safeUser.serverAuthCode;
+    return safeUser;
+  }
+
+  private saveRefreshToken(refreshToken: string): void {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      this.saveValue(MS_REFRESH_TOKEN_KEY, refreshToken);
+      return;
+    }
+
+    // Security-first default: keep refresh tokens in-memory only on web.
+    inMemoryWebStorage.set(MS_REFRESH_TOKEN_KEY, refreshToken);
+  }
+
+  private loadRefreshToken(): string | undefined {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      return this.loadValue(MS_REFRESH_TOKEN_KEY);
+    }
+    return inMemoryWebStorage.get(MS_REFRESH_TOKEN_KEY);
+  }
+
   private loadFromCache() {
-    const cached = this._storageAdapter
-      ? this._storageAdapter.load(CACHE_KEY)
-      : localStorage.getItem(CACHE_KEY);
+    const cached = this.loadValue(CACHE_KEY);
 
     if (cached) {
       try {
-        this._currentUser = JSON.parse(cached);
-      } catch {
+        const parsedUser = parseAuthUser(JSON.parse(cached));
+        if (!parsedUser) {
+          throw new Error("Expected cached auth user to be a valid AuthUser");
+        }
+        if (this.shouldPersistTokensInStorage()) {
+          this._currentUser = parsedUser;
+        } else {
+          const safeUser = { ...parsedUser };
+          delete safeUser.accessToken;
+          delete safeUser.idToken;
+          delete safeUser.serverAuthCode;
+          this._currentUser = safeUser;
+        }
+      } catch (error) {
+        logger.warn("Failed to parse cached auth user; clearing cache", {
+          error: String(error),
+        });
         this.removeFromCache(CACHE_KEY);
       }
     }
 
-    const scopes = this._storageAdapter
-      ? this._storageAdapter.load(SCOPES_KEY)
-      : localStorage.getItem(SCOPES_KEY);
+    const scopes = this.loadValue(SCOPES_KEY);
 
     if (scopes) {
       try {
-        this._grantedScopes = JSON.parse(scopes);
-      } catch {
+        const parsedScopes = parseScopes(JSON.parse(scopes));
+        if (!parsedScopes) {
+          throw new Error("Expected cached scopes to be an array");
+        }
+        this._grantedScopes = parsedScopes;
+      } catch (error) {
+        logger.warn("Failed to parse cached scopes; clearing cache", {
+          error: String(error),
+        });
         this.removeFromCache(SCOPES_KEY);
       }
     }
+
+    if (!this.shouldPersistTokensInStorage() && !this._storageAdapter) {
+      this.removePersistedBrowserValue(MS_REFRESH_TOKEN_KEY);
+    }
   }
 
   private removeFromCache(key: string) {
-    if (this._storageAdapter) {
-      this._storageAdapter.remove(key);
-    } else {
-      localStorage.removeItem(key);
-    }
+    this.removeValue(key);
   }
 
   get currentUser(): AuthUser | undefined {
@@ -110,7 +434,9 @@ class AuthWeb implements Auth {
   }
 
   private notify() {
-    this._listeners.forEach((l) => l(this._currentUser));
+    this._listeners.forEach((l) => {
+      l(this._currentUser);
+    });
   }
 
   async login(provider: AuthProvider, options?: LoginOptions): Promise<void> {
@@ -169,14 +495,7 @@ class AuthWeb implements Auth {
     this._grantedScopes = this._grantedScopes.filter(
       (s) => !scopes.includes(s),
     );
-    if (this._storageAdapter) {
-      this._storageAdapter.save(
-        SCOPES_KEY,
-        JSON.stringify(this._grantedScopes),
-      );
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(this._grantedScopes));
     if (this._currentUser) {
       this._currentUser.scopes = this._grantedScopes;
       this.updateUser(this._currentUser);
@@ -194,25 +513,43 @@ class AuthWeb implements Auth {
     return this._currentUser?.accessToken;
   }
 
-  async refreshToken(): Promise<{ accessToken?: string; idToken?: string }> {
+  async refreshToken(): Promise<AuthTokens> {
+    if (this._refreshPromise) {
+      return this._refreshPromise;
+    }
+
+    const refreshPromise = this.performRefreshToken();
+    this._refreshPromise = refreshPromise;
+    try {
+      return await refreshPromise;
+    } finally {
+      if (this._refreshPromise === refreshPromise) {
+        this._refreshPromise = undefined;
+      }
+    }
+  }
+
+  private async performRefreshToken(): Promise<AuthTokens> {
     if (!this._currentUser) {
       throw new Error("No user logged in");
     }
 
     if (this._currentUser.provider === "microsoft") {
       logger.log("Refreshing Microsoft tokens...");
-      const refreshToken = this._storageAdapter
-        ? this._storageAdapter.load("microsoft_refresh_token")
-        : localStorage.getItem("nitro_auth_microsoft_refresh_token");
+      const refreshToken = this.loadRefreshToken();
 
       if (!refreshToken) {
         throw new Error("No refresh token available");
       }
 
-      const config = getConfig();
-      const clientId = config.microsoftClientId;
-      const tenant = config.microsoftTenant ?? "common";
-      const b2cDomain = config.microsoftB2cDomain;
+      const clientId = this._config.microsoftClientId;
+      if (!clientId) {
+        throw new Error(
+          "Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js",
+        );
+      }
+      const tenant = this._config.microsoftTenant ?? "common";
+      const b2cDomain = this._config.microsoftB2cDomain;
 
       const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, b2cDomain);
       const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
@@ -230,43 +567,52 @@ class AuthWeb implements Auth {
         body: body.toString(),
       });
 
-      const json = await response.json();
+      const json = await this.parseResponseObject(response);
       if (!response.ok) {
         throw new Error(
-          json.error_description ?? json.error ?? "Token refresh failed",
+          getOptionalString(json, "error_description") ??
+            getOptionalString(json, "error") ??
+            "Token refresh failed",
         );
       }
 
-      const idToken = json.id_token;
-      const accessToken = json.access_token;
-      const newRefreshToken = json.refresh_token;
-      const expiresIn = json.expires_in;
+      const idToken = getOptionalString(json, "id_token");
+      const accessToken = getOptionalString(json, "access_token");
+      const newRefreshToken = getOptionalString(json, "refresh_token");
+      const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
       if (newRefreshToken) {
-        if (this._storageAdapter) {
-          this._storageAdapter.save("microsoft_refresh_token", newRefreshToken);
-        } else {
-          localStorage.setItem(
-            "nitro_auth_microsoft_refresh_token",
-            newRefreshToken,
-          );
-        }
+        this.saveRefreshToken(newRefreshToken);
       }
 
-      const claims = this.decodeMicrosoftJwt(idToken);
+      const expirationTime =
+        typeof expiresInSeconds === "number"
+          ? Date.now() + expiresInSeconds * 1000
+          : undefined;
+
+      const effectiveIdToken = idToken ?? this._currentUser.idToken;
+      const claims = effectiveIdToken
+        ? this.decodeMicrosoftJwt(effectiveIdToken)
+        : {};
       const user: AuthUser = {
         ...this._currentUser,
-        idToken,
+        idToken: effectiveIdToken,
         accessToken: accessToken ?? undefined,
-        expirationTime: expiresIn
-          ? Date.now() + parseInt(expiresIn) * 1000
-          : undefined,
+        refreshToken: newRefreshToken ?? this._currentUser.refreshToken,
+        expirationTime,
         ...claims,
       };
       this.updateUser(user);
 
-      const tokens = { accessToken, idToken };
-      this._tokenListeners.forEach((l) => l(tokens));
+      const tokens: AuthTokens = {
+        accessToken: accessToken ?? undefined,
+        idToken: effectiveIdToken,
+        refreshToken: newRefreshToken ?? undefined,
+        expirationTime,
+      };
+      this._tokenListeners.forEach((l) => {
+        l(tokens);
+      });
       return tokens;
     }
 
@@ -280,11 +626,15 @@ class AuthWeb implements Auth {
     await this.loginGoogle(
       this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES,
     );
-    const tokens = {
+    const tokens: AuthTokens = {
       accessToken: this._currentUser.accessToken,
       idToken: this._currentUser.idToken,
+      refreshToken: this._currentUser.refreshToken,
+      expirationTime: this._currentUser.expirationTime,
     };
-    this._tokenListeners.forEach((l) => l(tokens));
+    this._tokenListeners.forEach((l) => {
+      l(tokens);
+    });
     return tokens;
   }
 
@@ -295,21 +645,109 @@ class AuthWeb implements Auth {
 
     if (msg.includes("cancel") || msg.includes("popup_closed")) {
       mappedMsg = "cancelled";
+    } else if (msg.includes("timeout")) {
+      mappedMsg = "timeout";
+    } else if (msg.includes("popup blocked")) {
+      mappedMsg = "popup_blocked";
     } else if (msg.includes("network")) {
       mappedMsg = "network_error";
     } else if (msg.includes("client id") || msg.includes("config")) {
       mappedMsg = "configuration_error";
     }
 
-    return Object.assign(new Error(mappedMsg), { underlyingError: rawMessage });
+    return new AuthWebError(mappedMsg, rawMessage);
+  }
+
+  private async parseResponseObject(response: Response): Promise<JsonObject> {
+    const parsed: unknown = await response.json();
+    if (!isJsonObject(parsed)) {
+      throw new Error("Expected JSON object response from auth provider");
+    }
+    return parsed;
+  }
+
+  private parseJwtPayload(token: string): JsonObject {
+    const payload = token.split(".")[1];
+    if (!payload) {
+      throw new Error("Invalid JWT payload");
+    }
+
+    const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - (normalizedPayload.length % 4)) % 4);
+    const decoded: unknown = JSON.parse(atob(`${normalizedPayload}${padding}`));
+    if (!isJsonObject(decoded)) {
+      throw new Error("Expected JWT payload to be an object");
+    }
+    return decoded;
+  }
+
+  private waitForPopupRedirect(
+    popup: Window,
+    redirectUri: string,
+    provider: "Google" | "Microsoft",
+    onRedirect: (url: string) => Promise<void> | void,
+  ): Promise<void> {
+    return new Promise((resolve, reject) => {
+      let crossOriginLogShown = false;
+
+      const cleanup = (
+        intervalId: number,
+        timeoutId: number,
+        shouldClosePopup: boolean,
+      ) => {
+        window.clearInterval(intervalId);
+        window.clearTimeout(timeoutId);
+        if (shouldClosePopup && !popup.closed) {
+          popup.close();
+        }
+      };
+
+      const timeoutId = window.setTimeout(() => {
+        cleanup(intervalId, timeoutId, true);
+        reject(new Error(`${provider.toLowerCase()}_auth_timeout`));
+      }, POPUP_TIMEOUT_MS);
+
+      const intervalId = window.setInterval(() => {
+        if (popup.closed) {
+          cleanup(intervalId, timeoutId, false);
+          reject(new Error("cancelled"));
+          return;
+        }
+
+        let url: string;
+        try {
+          url = popup.location.href;
+        } catch (error) {
+          if (!crossOriginLogShown) {
+            logger.debug(`Waiting for ${provider} auth redirect`, {
+              error: String(error),
+            });
+            crossOriginLogShown = true;
+          }
+          return;
+        }
+
+        if (!url.startsWith(redirectUri)) {
+          return;
+        }
+
+        cleanup(intervalId, timeoutId, true);
+        void Promise.resolve(onRedirect(url))
+          .then(() => {
+            resolve();
+          })
+          .catch((error: unknown) => {
+            reject(error);
+          });
+      }, POPUP_POLL_INTERVAL_MS);
+    });
   }
 
   private async loginGoogle(
     scopes: string[],
     loginHint?: string,
   ): Promise<void> {
-    const config = getConfig();
-    const clientId = config.googleWebClientId;
+    const clientId = this._config.googleWebClientId;
 
     if (!clientId) {
       throw new Error(
@@ -324,7 +762,7 @@ class AuthWeb implements Auth {
       authUrl.searchParams.set("redirect_uri", redirectUri);
       authUrl.searchParams.set("response_type", "id_token token code");
       authUrl.searchParams.set("scope", scopes.join(" "));
-      authUrl.searchParams.set("nonce", Math.random().toString(36).slice(2));
+      authUrl.searchParams.set("nonce", crypto.randomUUID());
       authUrl.searchParams.set("access_type", "offline");
       authUrl.searchParams.set("prompt", "consent");
 
@@ -348,66 +786,53 @@ class AuthWeb implements Auth {
         return;
       }
 
-      const checkInterval = setInterval(() => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
+      void this.waitForPopupRedirect(popup, redirectUri, "Google", (url) => {
+        const hash = new URL(url).hash.slice(1);
+        const params = new URLSearchParams(hash);
+        const idToken = params.get("id_token");
+        const accessToken = params.get("access_token");
+        const expiresIn = params.get("expires_in");
+        const code = params.get("code");
 
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-
-            const hash = new URL(url).hash.slice(1);
-            const params = new URLSearchParams(hash);
-            const idToken = params.get("id_token");
-            const accessToken = params.get("access_token");
-            const expiresIn = params.get("expires_in");
-            const code = params.get("code");
-
-            if (idToken) {
-              this._grantedScopes = scopes;
-              if (this._storageAdapter) {
-                this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-              } else {
-                localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-              }
-
-              const user: AuthUser = {
-                provider: "google",
-                idToken,
-                accessToken: accessToken ?? undefined,
-                serverAuthCode: code ?? undefined,
-                scopes,
-                expirationTime: expiresIn
-                  ? Date.now() + parseInt(expiresIn) * 1000
-                  : undefined,
-                ...this.decodeGoogleJwt(idToken),
-              };
-              this.updateUser(user);
-              resolve();
-            } else {
-              reject(new Error("No id_token in response"));
-            }
-          }
-        } catch {}
-      }, 100);
+        if (!idToken) {
+          throw new Error("No id_token in response");
+        }
+
+        this._grantedScopes = scopes;
+        this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
+
+        const user: AuthUser = {
+          provider: "google",
+          idToken,
+          accessToken: accessToken ?? undefined,
+          serverAuthCode: code ?? undefined,
+          scopes,
+          expirationTime: expiresIn
+            ? Date.now() + parseInt(expiresIn, 10) * 1000
+            : undefined,
+          ...this.decodeGoogleJwt(idToken),
+        };
+        this.updateUser(user);
+      })
+        .then(() => {
+          resolve();
+        })
+        .catch((error: unknown) => {
+          reject(error);
+        });
     });
   }
 
   private decodeGoogleJwt(token: string): Partial<AuthUser> {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.email,
-        name: decoded.name,
-        photo: decoded.picture,
+        email: getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
+        photo: getOptionalString(decoded, "picture"),
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Google ID token", { error: String(error) });
       return {};
     }
   }
@@ -418,8 +843,7 @@ class AuthWeb implements Auth {
     tenant?: string,
     prompt?: string,
   ): Promise<void> {
-    const config = getConfig();
-    const clientId = config.microsoftClientId;
+    const clientId = this._config.microsoftClientId;
 
     if (!clientId) {
       throw new Error(
@@ -427,8 +851,8 @@ class AuthWeb implements Auth {
       );
     }
 
-    const effectiveTenant = tenant ?? config.microsoftTenant ?? "common";
-    const b2cDomain = config.microsoftB2cDomain;
+    const effectiveTenant = tenant ?? this._config.microsoftTenant ?? "common";
+    const b2cDomain = this._config.microsoftB2cDomain;
     const authBaseUrl = this.getMicrosoftAuthBaseUrl(
       effectiveTenant,
       b2cDomain,
@@ -477,58 +901,46 @@ class AuthWeb implements Auth {
         return;
       }
 
-      const checkInterval = setInterval(async () => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
+      void this.waitForPopupRedirect(
+        popup,
+        redirectUri,
+        "Microsoft",
+        async (url) => {
+          const urlObj = new URL(url);
+          const code = urlObj.searchParams.get("code");
+          const returnedState = urlObj.searchParams.get("state");
+          const error = urlObj.searchParams.get("error");
+          const errorDescription = urlObj.searchParams.get("error_description");
+
+          if (error) {
+            throw new Error(errorDescription ?? error);
+          }
+
+          if (returnedState !== state) {
+            throw new Error("State mismatch - possible CSRF attack");
           }
 
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-
-            const urlObj = new URL(url);
-            const code = urlObj.searchParams.get("code");
-            const returnedState = urlObj.searchParams.get("state");
-            const error = urlObj.searchParams.get("error");
-            const errorDescription =
-              urlObj.searchParams.get("error_description");
-
-            if (error) {
-              reject(new Error(errorDescription ?? error));
-              return;
-            }
-
-            if (returnedState !== state) {
-              reject(new Error("State mismatch - possible CSRF attack"));
-              return;
-            }
-
-            if (!code) {
-              reject(new Error("No authorization code in response"));
-              return;
-            }
-
-            try {
-              await this.exchangeMicrosoftCodeForTokens(
-                code,
-                codeVerifier,
-                clientId,
-                redirectUri,
-                effectiveTenant,
-                nonce,
-                effectiveScopes,
-              );
-              resolve();
-            } catch (e) {
-              reject(e);
-            }
+          if (!code) {
+            throw new Error("No authorization code in response");
           }
-        } catch {}
-      }, 100);
+
+          await this.exchangeMicrosoftCodeForTokens(
+            code,
+            codeVerifier,
+            clientId,
+            redirectUri,
+            effectiveTenant,
+            nonce,
+            effectiveScopes,
+          );
+        },
+      )
+        .then(() => {
+          resolve();
+        })
+        .catch((error: unknown) => {
+          reject(error);
+        });
     });
   }
 
@@ -559,10 +971,9 @@ class AuthWeb implements Auth {
     expectedNonce: string,
     scopes: string[],
   ): Promise<void> {
-    const config = getConfig();
     const authBaseUrl = this.getMicrosoftAuthBaseUrl(
       tenant,
-      config.microsoftB2cDomain,
+      this._config.microsoftB2cDomain,
     );
     const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
 
@@ -582,55 +993,48 @@ class AuthWeb implements Auth {
       body: body.toString(),
     });
 
-    const json = await response.json();
+    const json = await this.parseResponseObject(response);
 
     if (!response.ok) {
       throw new Error(
-        json.error_description ?? json.error ?? "Token exchange failed",
+        getOptionalString(json, "error_description") ??
+          getOptionalString(json, "error") ??
+          "Token exchange failed",
       );
     }
 
-    const idToken = json.id_token;
+    const idToken = getOptionalString(json, "id_token");
     if (!idToken) {
       throw new Error("No id_token in token response");
     }
 
     const claims = this.decodeMicrosoftJwt(idToken);
-    const payload = JSON.parse(atob(idToken.split(".")[1]));
-    if (payload.nonce !== expectedNonce) {
+    const payload = this.parseJwtPayload(idToken);
+    if (getOptionalString(payload, "nonce") !== expectedNonce) {
       throw new Error("Nonce mismatch - token may be replayed");
     }
 
-    const accessToken = json.access_token;
-    const refreshToken = json.refresh_token;
-    const expiresIn = json.expires_in;
+    const accessToken = getOptionalString(json, "access_token");
+    const refreshToken = getOptionalString(json, "refresh_token");
+    const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
     if (refreshToken) {
-      if (this._storageAdapter) {
-        this._storageAdapter.save("microsoft_refresh_token", refreshToken);
-      } else {
-        localStorage.setItem(
-          "nitro_auth_microsoft_refresh_token",
-          refreshToken,
-        );
-      }
+      this.saveRefreshToken(refreshToken);
     }
 
     this._grantedScopes = scopes;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
 
     const user: AuthUser = {
       provider: "microsoft",
       idToken,
       accessToken: accessToken ?? undefined,
+      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: expiresIn
-        ? Date.now() + parseInt(expiresIn) * 1000
-        : undefined,
+      expirationTime:
+        typeof expiresInSeconds === "number"
+          ? Date.now() + expiresInSeconds * 1000
+          : undefined,
       ...claims,
     };
     this.updateUser(user);
@@ -650,62 +1054,115 @@ class AuthWeb implements Auth {
 
   private decodeMicrosoftJwt(token: string): Partial<AuthUser> {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.preferred_username ?? decoded.email,
-        name: decoded.name,
+        email:
+          getOptionalString(decoded, "preferred_username") ??
+          getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Microsoft ID token", {
+        error: String(error),
+      });
       return {};
     }
   }
 
-  private async loginApple(): Promise<void> {
-    const config = getConfig();
-    const clientId = config.appleWebClientId;
+  private async ensureAppleSdkLoaded(): Promise<void> {
+    if (window.AppleID) {
+      return;
+    }
 
-    if (!clientId) {
-      throw new Error(
-        "Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.",
-      );
+    if (this._appleSdkLoadPromise) {
+      return this._appleSdkLoadPromise;
     }
 
-    return new Promise((resolve, reject) => {
+    this._appleSdkLoadPromise = new Promise<void>((resolve, reject) => {
+      const scriptId = "nitro-auth-apple-sdk";
+      const existingScript = document.getElementById(
+        scriptId,
+      ) as HTMLScriptElement | null;
+
+      if (existingScript) {
+        if (window.AppleID) {
+          resolve();
+          return;
+        }
+
+        existingScript.addEventListener(
+          "load",
+          () => {
+            resolve();
+          },
+          {
+            once: true,
+          },
+        );
+        existingScript.addEventListener(
+          "error",
+          () => {
+            this._appleSdkLoadPromise = undefined;
+            reject(new Error("Failed to load Apple SDK"));
+          },
+          { once: true },
+        );
+        return;
+      }
+
       const script = document.createElement("script");
+      script.id = scriptId;
       script.src =
         "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
       script.async = true;
       script.onload = () => {
-        if (!window.AppleID) {
-          reject(new Error("Apple SDK not loaded"));
-          return;
-        }
-        window.AppleID.auth.init({
-          clientId,
-          scope: "name email",
-          redirectURI: window.location.origin,
-          usePopup: true,
-        });
-        window.AppleID.auth
-          .signIn()
-          .then((response: AppleAuthResponse) => {
-            const user: AuthUser = {
-              provider: "apple",
-              idToken: response.authorization.id_token,
-              email: response.user?.email,
-              name: response.user?.name
-                ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim()
-                : undefined,
-            };
-            this.updateUser(user);
-            resolve();
-          })
-          .catch((err: unknown) => reject(this.mapError(err)));
+        resolve();
+      };
+      script.onerror = () => {
+        this._appleSdkLoadPromise = undefined;
+        reject(new Error("Failed to load Apple SDK"));
       };
-      script.onerror = () => reject(new Error("Failed to load Apple SDK"));
       document.head.appendChild(script);
     });
+
+    return this._appleSdkLoadPromise;
+  }
+
+  private async loginApple(): Promise<void> {
+    const clientId = this._config.appleWebClientId;
+
+    if (!clientId) {
+      throw new Error(
+        "Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.",
+      );
+    }
+
+    await this.ensureAppleSdkLoaded();
+    if (!window.AppleID) {
+      throw new Error("Apple SDK not loaded");
+    }
+
+    window.AppleID.auth.init({
+      clientId,
+      scope: "name email",
+      redirectURI: window.location.origin,
+      usePopup: true,
+    });
+
+    try {
+      const response: AppleAuthResponse = await window.AppleID.auth.signIn();
+      const user: AuthUser = {
+        provider: "apple",
+        idToken: response.authorization.id_token,
+        email: response.user?.email,
+        name: response.user?.name
+          ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim()
+          : undefined,
+      };
+      this.updateUser(user);
+    } catch (error) {
+      throw this.mapError(error);
+    }
   }
 
   async silentRestore(): Promise<void> {
@@ -727,17 +1184,14 @@ class AuthWeb implements Auth {
     this._grantedScopes = [];
     this.removeFromCache(CACHE_KEY);
     this.removeFromCache(SCOPES_KEY);
-    this.removeFromCache("microsoft_refresh_token");
+    this.removeFromCache(MS_REFRESH_TOKEN_KEY);
     this.notify();
   }
 
   private updateUser(user: AuthUser) {
     this._currentUser = user;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(CACHE_KEY, JSON.stringify(user));
-    } else {
-      localStorage.setItem(CACHE_KEY, JSON.stringify(user));
-    }
+    const userToPersist = this.sanitizeUserForPersistence(user);
+    this.saveValue(CACHE_KEY, JSON.stringify(userToPersist));
     this.notify();
   }
 
@@ -745,12 +1199,12 @@ class AuthWeb implements Auth {
     logger.setEnabled(enabled);
   }
 
-  setStorageAdapter(adapter: AuthStorageAdapter | undefined): void {
-    this._storageAdapter = adapter;
-    if (adapter) {
-      this.loadFromCache();
-      this.notify();
-    }
+  setWebStorageAdapter(adapter: JSStorageAdapter | undefined): void {
+    this._storageAdapter = adapter
+      ? this.createWebStorageDriver(adapter)
+      : undefined;
+    this.loadFromCache();
+    this.notify();
   }
 
   name = "Auth";