react-native-nitro-auth 0.5.1 → 0.5.4

package/lib/module/Auth.web.js

@@ -3,13 +3,83 @@
 import { logger } from "./utils/logger.js";
 const CACHE_KEY = "nitro_auth_user";
 const SCOPES_KEY = "nitro_auth_scopes";
+const MS_REFRESH_TOKEN_KEY = "nitro_auth_microsoft_refresh_token";
 const DEFAULT_SCOPES = ["openid", "email", "profile"];
 const MS_DEFAULT_SCOPES = ["openid", "email", "profile", "User.Read"];
+const STORAGE_MODE_SESSION = "session";
+const STORAGE_MODE_LOCAL = "local";
+const STORAGE_MODE_MEMORY = "memory";
+const POPUP_POLL_INTERVAL_MS = 100;
+const POPUP_TIMEOUT_MS = 120000;
+const WEB_STORAGE_MODES = new Set([STORAGE_MODE_SESSION, STORAGE_MODE_LOCAL, STORAGE_MODE_MEMORY]);
+const inMemoryWebStorage = new Map();
+class AuthWebError extends Error {
+  constructor(message, underlyingError) {
+    super(message);
+    this.name = "AuthWebError";
+    this.underlyingError = underlyingError;
+  }
+}
+const isJsonObject = value => typeof value === "object" && value !== null;
+const isAuthProvider = value => value === "google" || value === "apple" || value === "microsoft";
+const getOptionalString = (source, key) => {
+  const candidate = source[key];
+  return typeof candidate === "string" ? candidate : undefined;
+};
+const getOptionalNumber = (source, key) => {
+  const candidate = source[key];
+  return typeof candidate === "number" ? candidate : undefined;
+};
+const parseAuthUser = value => {
+  if (!isJsonObject(value) || !isAuthProvider(value.provider)) {
+    return undefined;
+  }
+  const scopesCandidate = value.scopes;
+  const scopes = Array.isArray(scopesCandidate) ? scopesCandidate.filter(scope => typeof scope === "string") : undefined;
+  return {
+    provider: value.provider,
+    email: getOptionalString(value, "email"),
+    name: getOptionalString(value, "name"),
+    photo: getOptionalString(value, "photo"),
+    idToken: getOptionalString(value, "idToken"),
+    accessToken: getOptionalString(value, "accessToken"),
+    refreshToken: getOptionalString(value, "refreshToken"),
+    serverAuthCode: getOptionalString(value, "serverAuthCode"),
+    scopes,
+    expirationTime: getOptionalNumber(value, "expirationTime"),
+    underlyingError: getOptionalString(value, "underlyingError")
+  };
+};
+const parseScopes = value => {
+  if (!Array.isArray(value)) {
+    return undefined;
+  }
+  return value.filter(scope => typeof scope === "string");
+};
+const parseAuthWebExtraConfig = value => {
+  if (!isJsonObject(value)) {
+    return {};
+  }
+  const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
+  const nitroAuthWebStorage = nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION || nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL || nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY ? nitroAuthWebStorageCandidate : undefined;
+  return {
+    googleWebClientId: getOptionalString(value, "googleWebClientId"),
+    microsoftClientId: getOptionalString(value, "microsoftClientId"),
+    microsoftTenant: getOptionalString(value, "microsoftTenant"),
+    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
+    appleWebClientId: getOptionalString(value, "appleWebClientId"),
+    nitroAuthWebStorage,
+    nitroAuthPersistTokensOnWeb: typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined
+  };
+};
 const getConfig = () => {
   try {
     const Constants = require("expo-constants").default;
-    return Constants.expoConfig?.extra || {};
-  } catch {
+    return parseAuthWebExtraConfig(Constants.expoConfig?.extra);
+  } catch (error) {
+    logger.debug("expo-constants unavailable on web, falling back to defaults", {
+      error: String(error)
+    });
     return {};
   }
 };
@@ -17,33 +87,204 @@ class AuthWeb {
   _grantedScopes = [];
   _listeners = [];
   _tokenListeners = [];
+  _browserStorageResolved = false;
   constructor() {
+    this._config = getConfig();
     this.loadFromCache();
   }
+  isPromiseLike(value) {
+    if (!isJsonObject(value)) {
+      return false;
+    }
+    return typeof value.then === "function";
+  }
+  createWebStorageDriver(adapter) {
+    return {
+      save: (key, value) => {
+        const result = adapter.save(key, value);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.save must be synchronous.");
+        }
+      },
+      load: key => {
+        const result = adapter.load(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.load must be synchronous.");
+        }
+        return result;
+      },
+      remove: key => {
+        const result = adapter.remove(key);
+        if (this.isPromiseLike(result)) {
+          throw new Error("On web, JSStorageAdapter.remove must be synchronous.");
+        }
+      }
+    };
+  }
+  shouldPersistTokensInStorage() {
+    if (this._storageAdapter) {
+      return true;
+    }
+    return this._config.nitroAuthPersistTokensOnWeb === true;
+  }
+  getWebStorageMode() {
+    const configuredMode = this._config.nitroAuthWebStorage;
+    if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
+      return configuredMode;
+    }
+    return STORAGE_MODE_SESSION;
+  }
+  getBrowserStorage() {
+    if (this._browserStorageResolved) {
+      return this._browserStorageCache;
+    }
+    this._browserStorageResolved = true;
+    if (typeof window === "undefined") {
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+    const mode = this.getWebStorageMode();
+    if (mode === STORAGE_MODE_MEMORY) {
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+    const storage = mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
+    try {
+      const testKey = "__nitro_auth_storage_probe__";
+      storage.setItem(testKey, "1");
+      storage.removeItem(testKey);
+      this._browserStorageCache = storage;
+      return storage;
+    } catch (error) {
+      logger.warn("Configured web storage is unavailable; using in-memory fallback", {
+        mode,
+        error: String(error)
+      });
+      this._browserStorageCache = undefined;
+      return undefined;
+    }
+  }
+  saveValue(key, value) {
+    if (this._storageAdapter) {
+      this._storageAdapter.save(key, value);
+      return;
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.setItem(key, value);
+      return;
+    }
+    inMemoryWebStorage.set(key, value);
+  }
+  loadValue(key) {
+    if (this._storageAdapter) {
+      return this._storageAdapter.load(key);
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      return storage.getItem(key) ?? undefined;
+    }
+    return inMemoryWebStorage.get(key);
+  }
+  removeValue(key) {
+    if (this._storageAdapter) {
+      this._storageAdapter.remove(key);
+      return;
+    }
+    const storage = this.getBrowserStorage();
+    if (storage) {
+      storage.removeItem(key);
+    }
+    inMemoryWebStorage.delete(key);
+  }
+  removePersistedBrowserValue(key) {
+    if (typeof window === "undefined") {
+      return;
+    }
+    try {
+      window.localStorage.removeItem(key);
+      window.sessionStorage.removeItem(key);
+    } catch (error) {
+      logger.debug("Failed to clear persisted browser value", {
+        key,
+        error: String(error)
+      });
+    }
+  }
+  sanitizeUserForPersistence(user) {
+    if (this.shouldPersistTokensInStorage()) {
+      return user;
+    }
+    const safeUser = {
+      ...user
+    };
+    delete safeUser.accessToken;
+    delete safeUser.idToken;
+    delete safeUser.serverAuthCode;
+    return safeUser;
+  }
+  saveRefreshToken(refreshToken) {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      this.saveValue(MS_REFRESH_TOKEN_KEY, refreshToken);
+      return;
+    }
+
+    // Security-first default: keep refresh tokens in-memory only on web.
+    inMemoryWebStorage.set(MS_REFRESH_TOKEN_KEY, refreshToken);
+  }
+  loadRefreshToken() {
+    if (this._storageAdapter || this.shouldPersistTokensInStorage()) {
+      return this.loadValue(MS_REFRESH_TOKEN_KEY);
+    }
+    return inMemoryWebStorage.get(MS_REFRESH_TOKEN_KEY);
+  }
   loadFromCache() {
-    const cached = this._storageAdapter ? this._storageAdapter.load(CACHE_KEY) : localStorage.getItem(CACHE_KEY);
+    const cached = this.loadValue(CACHE_KEY);
     if (cached) {
       try {
-        this._currentUser = JSON.parse(cached);
-      } catch {
+        const parsedUser = parseAuthUser(JSON.parse(cached));
+        if (!parsedUser) {
+          throw new Error("Expected cached auth user to be a valid AuthUser");
+        }
+        if (this.shouldPersistTokensInStorage()) {
+          this._currentUser = parsedUser;
+        } else {
+          const safeUser = {
+            ...parsedUser
+          };
+          delete safeUser.accessToken;
+          delete safeUser.idToken;
+          delete safeUser.serverAuthCode;
+          this._currentUser = safeUser;
+        }
+      } catch (error) {
+        logger.warn("Failed to parse cached auth user; clearing cache", {
+          error: String(error)
+        });
         this.removeFromCache(CACHE_KEY);
       }
     }
-    const scopes = this._storageAdapter ? this._storageAdapter.load(SCOPES_KEY) : localStorage.getItem(SCOPES_KEY);
+    const scopes = this.loadValue(SCOPES_KEY);
     if (scopes) {
       try {
-        this._grantedScopes = JSON.parse(scopes);
-      } catch {
+        const parsedScopes = parseScopes(JSON.parse(scopes));
+        if (!parsedScopes) {
+          throw new Error("Expected cached scopes to be an array");
+        }
+        this._grantedScopes = parsedScopes;
+      } catch (error) {
+        logger.warn("Failed to parse cached scopes; clearing cache", {
+          error: String(error)
+        });
         this.removeFromCache(SCOPES_KEY);
       }
     }
+    if (!this.shouldPersistTokensInStorage() && !this._storageAdapter) {
+      this.removePersistedBrowserValue(MS_REFRESH_TOKEN_KEY);
+    }
   }
   removeFromCache(key) {
-    if (this._storageAdapter) {
-      this._storageAdapter.remove(key);
-    } else {
-      localStorage.removeItem(key);
-    }
+    this.removeValue(key);
   }
   get currentUser() {
     return this._currentUser;
@@ -68,7 +309,9 @@ class AuthWeb {
     };
   }
   notify() {
-    this._listeners.forEach(l => l(this._currentUser));
+    this._listeners.forEach(l => {
+      l(this._currentUser);
+    });
   }
   async login(provider, options) {
     const loginHint = options?.loginHint;
@@ -117,11 +360,7 @@ class AuthWeb {
   async revokeScopes(scopes) {
     logger.log("Revoking scopes:", scopes);
     this._grantedScopes = this._grantedScopes.filter(s => !scopes.includes(s));
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(this._grantedScopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(this._grantedScopes));
     if (this._currentUser) {
       this._currentUser.scopes = this._grantedScopes;
       this.updateUser(this._currentUser);
@@ -138,19 +377,35 @@ class AuthWeb {
     return this._currentUser?.accessToken;
   }
   async refreshToken() {
+    if (this._refreshPromise) {
+      return this._refreshPromise;
+    }
+    const refreshPromise = this.performRefreshToken();
+    this._refreshPromise = refreshPromise;
+    try {
+      return await refreshPromise;
+    } finally {
+      if (this._refreshPromise === refreshPromise) {
+        this._refreshPromise = undefined;
+      }
+    }
+  }
+  async performRefreshToken() {
     if (!this._currentUser) {
       throw new Error("No user logged in");
     }
     if (this._currentUser.provider === "microsoft") {
       logger.log("Refreshing Microsoft tokens...");
-      const refreshToken = this._storageAdapter ? this._storageAdapter.load("microsoft_refresh_token") : localStorage.getItem("nitro_auth_microsoft_refresh_token");
+      const refreshToken = this.loadRefreshToken();
       if (!refreshToken) {
         throw new Error("No refresh token available");
       }
-      const config = getConfig();
-      const clientId = config.microsoftClientId;
-      const tenant = config.microsoftTenant ?? "common";
-      const b2cDomain = config.microsoftB2cDomain;
+      const clientId = this._config.microsoftClientId;
+      if (!clientId) {
+        throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
+      }
+      const tenant = this._config.microsoftTenant ?? "common";
+      const b2cDomain = this._config.microsoftB2cDomain;
       const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, b2cDomain);
       const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
       const body = new URLSearchParams({
@@ -165,35 +420,38 @@ class AuthWeb {
         },
         body: body.toString()
       });
-      const json = await response.json();
+      const json = await this.parseResponseObject(response);
       if (!response.ok) {
-        throw new Error(json.error_description ?? json.error ?? "Token refresh failed");
+        throw new Error(getOptionalString(json, "error_description") ?? getOptionalString(json, "error") ?? "Token refresh failed");
       }
-      const idToken = json.id_token;
-      const accessToken = json.access_token;
-      const newRefreshToken = json.refresh_token;
-      const expiresIn = json.expires_in;
+      const idToken = getOptionalString(json, "id_token");
+      const accessToken = getOptionalString(json, "access_token");
+      const newRefreshToken = getOptionalString(json, "refresh_token");
+      const expiresInSeconds = getOptionalNumber(json, "expires_in");
       if (newRefreshToken) {
-        if (this._storageAdapter) {
-          this._storageAdapter.save("microsoft_refresh_token", newRefreshToken);
-        } else {
-          localStorage.setItem("nitro_auth_microsoft_refresh_token", newRefreshToken);
-        }
+        this.saveRefreshToken(newRefreshToken);
       }
-      const claims = this.decodeMicrosoftJwt(idToken);
+      const expirationTime = typeof expiresInSeconds === "number" ? Date.now() + expiresInSeconds * 1000 : undefined;
+      const effectiveIdToken = idToken ?? this._currentUser.idToken;
+      const claims = effectiveIdToken ? this.decodeMicrosoftJwt(effectiveIdToken) : {};
       const user = {
         ...this._currentUser,
-        idToken,
+        idToken: effectiveIdToken,
         accessToken: accessToken ?? undefined,
-        expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
+        refreshToken: newRefreshToken ?? this._currentUser.refreshToken,
+        expirationTime,
         ...claims
       };
       this.updateUser(user);
       const tokens = {
-        accessToken,
-        idToken
+        accessToken: accessToken ?? undefined,
+        idToken: effectiveIdToken,
+        refreshToken: newRefreshToken ?? undefined,
+        expirationTime
       };
-      this._tokenListeners.forEach(l => l(tokens));
+      this._tokenListeners.forEach(l => {
+        l(tokens);
+      });
       return tokens;
     }
     if (this._currentUser.provider !== "google") {
@@ -203,9 +461,13 @@ class AuthWeb {
     await this.loginGoogle(this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES);
     const tokens = {
       accessToken: this._currentUser.accessToken,
-      idToken: this._currentUser.idToken
+      idToken: this._currentUser.idToken,
+      refreshToken: this._currentUser.refreshToken,
+      expirationTime: this._currentUser.expirationTime
     };
-    this._tokenListeners.forEach(l => l(tokens));
+    this._tokenListeners.forEach(l => {
+      l(tokens);
+    });
     return tokens;
   }
   mapError(error) {
@@ -214,18 +476,83 @@ class AuthWeb {
     let mappedMsg = rawMessage;
     if (msg.includes("cancel") || msg.includes("popup_closed")) {
       mappedMsg = "cancelled";
+    } else if (msg.includes("timeout")) {
+      mappedMsg = "timeout";
+    } else if (msg.includes("popup blocked")) {
+      mappedMsg = "popup_blocked";
     } else if (msg.includes("network")) {
       mappedMsg = "network_error";
     } else if (msg.includes("client id") || msg.includes("config")) {
       mappedMsg = "configuration_error";
     }
-    return Object.assign(new Error(mappedMsg), {
-      underlyingError: rawMessage
+    return new AuthWebError(mappedMsg, rawMessage);
+  }
+  async parseResponseObject(response) {
+    const parsed = await response.json();
+    if (!isJsonObject(parsed)) {
+      throw new Error("Expected JSON object response from auth provider");
+    }
+    return parsed;
+  }
+  parseJwtPayload(token) {
+    const payload = token.split(".")[1];
+    if (!payload) {
+      throw new Error("Invalid JWT payload");
+    }
+    const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - normalizedPayload.length % 4) % 4);
+    const decoded = JSON.parse(atob(`${normalizedPayload}${padding}`));
+    if (!isJsonObject(decoded)) {
+      throw new Error("Expected JWT payload to be an object");
+    }
+    return decoded;
+  }
+  waitForPopupRedirect(popup, redirectUri, provider, onRedirect) {
+    return new Promise((resolve, reject) => {
+      let crossOriginLogShown = false;
+      const cleanup = (intervalId, timeoutId, shouldClosePopup) => {
+        window.clearInterval(intervalId);
+        window.clearTimeout(timeoutId);
+        if (shouldClosePopup && !popup.closed) {
+          popup.close();
+        }
+      };
+      const timeoutId = window.setTimeout(() => {
+        cleanup(intervalId, timeoutId, true);
+        reject(new Error(`${provider.toLowerCase()}_auth_timeout`));
+      }, POPUP_TIMEOUT_MS);
+      const intervalId = window.setInterval(() => {
+        if (popup.closed) {
+          cleanup(intervalId, timeoutId, false);
+          reject(new Error("cancelled"));
+          return;
+        }
+        let url;
+        try {
+          url = popup.location.href;
+        } catch (error) {
+          if (!crossOriginLogShown) {
+            logger.debug(`Waiting for ${provider} auth redirect`, {
+              error: String(error)
+            });
+            crossOriginLogShown = true;
+          }
+          return;
+        }
+        if (!url.startsWith(redirectUri)) {
+          return;
+        }
+        cleanup(intervalId, timeoutId, true);
+        void Promise.resolve(onRedirect(url)).then(() => {
+          resolve();
+        }).catch(error => {
+          reject(error);
+        });
+      }, POPUP_POLL_INTERVAL_MS);
     });
   }
   async loginGoogle(scopes, loginHint) {
-    const config = getConfig();
-    const clientId = config.googleWebClientId;
+    const clientId = this._config.googleWebClientId;
     if (!clientId) {
       throw new Error("Google Web Client ID not configured. Add 'GOOGLE_WEB_CLIENT_ID' to your .env file.");
     }
@@ -236,7 +563,7 @@ class AuthWeb {
       authUrl.searchParams.set("redirect_uri", redirectUri);
       authUrl.searchParams.set("response_type", "id_token token code");
       authUrl.searchParams.set("scope", scopes.join(" "));
-      authUrl.searchParams.set("nonce", Math.random().toString(36).slice(2));
+      authUrl.searchParams.set("nonce", crypto.randomUUID());
       authUrl.searchParams.set("access_type", "offline");
       authUrl.searchParams.set("prompt", "consent");
       if (loginHint) {
@@ -251,70 +578,57 @@ class AuthWeb {
         reject(new Error("Popup blocked. Please allow popups for this site."));
         return;
       }
-      const checkInterval = setInterval(() => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-            const hash = new URL(url).hash.slice(1);
-            const params = new URLSearchParams(hash);
-            const idToken = params.get("id_token");
-            const accessToken = params.get("access_token");
-            const expiresIn = params.get("expires_in");
-            const code = params.get("code");
-            if (idToken) {
-              this._grantedScopes = scopes;
-              if (this._storageAdapter) {
-                this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-              } else {
-                localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-              }
-              const user = {
-                provider: "google",
-                idToken,
-                accessToken: accessToken ?? undefined,
-                serverAuthCode: code ?? undefined,
-                scopes,
-                expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
-                ...this.decodeGoogleJwt(idToken)
-              };
-              this.updateUser(user);
-              resolve();
-            } else {
-              reject(new Error("No id_token in response"));
-            }
-          }
-        } catch {}
-      }, 100);
+      void this.waitForPopupRedirect(popup, redirectUri, "Google", url => {
+        const hash = new URL(url).hash.slice(1);
+        const params = new URLSearchParams(hash);
+        const idToken = params.get("id_token");
+        const accessToken = params.get("access_token");
+        const expiresIn = params.get("expires_in");
+        const code = params.get("code");
+        if (!idToken) {
+          throw new Error("No id_token in response");
+        }
+        this._grantedScopes = scopes;
+        this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
+        const user = {
+          provider: "google",
+          idToken,
+          accessToken: accessToken ?? undefined,
+          serverAuthCode: code ?? undefined,
+          scopes,
+          expirationTime: expiresIn ? Date.now() + parseInt(expiresIn, 10) * 1000 : undefined,
+          ...this.decodeGoogleJwt(idToken)
+        };
+        this.updateUser(user);
+      }).then(() => {
+        resolve();
+      }).catch(error => {
+        reject(error);
+      });
     });
   }
   decodeGoogleJwt(token) {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.email,
-        name: decoded.name,
-        photo: decoded.picture
+        email: getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name"),
+        photo: getOptionalString(decoded, "picture")
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Google ID token", {
+        error: String(error)
+      });
       return {};
     }
   }
   async loginMicrosoft(scopes, loginHint, tenant, prompt) {
-    const config = getConfig();
-    const clientId = config.microsoftClientId;
+    const clientId = this._config.microsoftClientId;
     if (!clientId) {
       throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
     }
-    const effectiveTenant = tenant ?? config.microsoftTenant ?? "common";
-    const b2cDomain = config.microsoftB2cDomain;
+    const effectiveTenant = tenant ?? this._config.microsoftTenant ?? "common";
+    const b2cDomain = this._config.microsoftB2cDomain;
     const authBaseUrl = this.getMicrosoftAuthBaseUrl(effectiveTenant, b2cDomain);
     const effectiveScopes = scopes.length ? scopes : ["openid", "email", "profile", "offline_access", "User.Read"];
     const codeVerifier = this.generateCodeVerifier();
@@ -346,43 +660,27 @@ class AuthWeb {
         reject(new Error("Popup blocked. Please allow popups for this site."));
         return;
       }
-      const checkInterval = setInterval(async () => {
-        try {
-          if (popup.closed) {
-            clearInterval(checkInterval);
-            reject(new Error("cancelled"));
-            return;
-          }
-          const url = popup.location.href;
-          if (url.startsWith(redirectUri)) {
-            clearInterval(checkInterval);
-            popup.close();
-            const urlObj = new URL(url);
-            const code = urlObj.searchParams.get("code");
-            const returnedState = urlObj.searchParams.get("state");
-            const error = urlObj.searchParams.get("error");
-            const errorDescription = urlObj.searchParams.get("error_description");
-            if (error) {
-              reject(new Error(errorDescription ?? error));
-              return;
-            }
-            if (returnedState !== state) {
-              reject(new Error("State mismatch - possible CSRF attack"));
-              return;
-            }
-            if (!code) {
-              reject(new Error("No authorization code in response"));
-              return;
-            }
-            try {
-              await this.exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, effectiveTenant, nonce, effectiveScopes);
-              resolve();
-            } catch (e) {
-              reject(e);
-            }
-          }
-        } catch {}
-      }, 100);
+      void this.waitForPopupRedirect(popup, redirectUri, "Microsoft", async url => {
+        const urlObj = new URL(url);
+        const code = urlObj.searchParams.get("code");
+        const returnedState = urlObj.searchParams.get("state");
+        const error = urlObj.searchParams.get("error");
+        const errorDescription = urlObj.searchParams.get("error_description");
+        if (error) {
+          throw new Error(errorDescription ?? error);
+        }
+        if (returnedState !== state) {
+          throw new Error("State mismatch - possible CSRF attack");
+        }
+        if (!code) {
+          throw new Error("No authorization code in response");
+        }
+        await this.exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, effectiveTenant, nonce, effectiveScopes);
+      }).then(() => {
+        resolve();
+      }).catch(error => {
+        reject(error);
+      });
     });
   }
   generateCodeVerifier() {
@@ -401,8 +699,7 @@ class AuthWeb {
     return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
   }
   async exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, tenant, expectedNonce, scopes) {
-    const config = getConfig();
-    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, config.microsoftB2cDomain);
+    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, this._config.microsoftB2cDomain);
     const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
     const body = new URLSearchParams({
       client_id: clientId,
@@ -418,41 +715,34 @@ class AuthWeb {
       },
       body: body.toString()
     });
-    const json = await response.json();
+    const json = await this.parseResponseObject(response);
     if (!response.ok) {
-      throw new Error(json.error_description ?? json.error ?? "Token exchange failed");
+      throw new Error(getOptionalString(json, "error_description") ?? getOptionalString(json, "error") ?? "Token exchange failed");
     }
-    const idToken = json.id_token;
+    const idToken = getOptionalString(json, "id_token");
     if (!idToken) {
       throw new Error("No id_token in token response");
     }
     const claims = this.decodeMicrosoftJwt(idToken);
-    const payload = JSON.parse(atob(idToken.split(".")[1]));
-    if (payload.nonce !== expectedNonce) {
+    const payload = this.parseJwtPayload(idToken);
+    if (getOptionalString(payload, "nonce") !== expectedNonce) {
       throw new Error("Nonce mismatch - token may be replayed");
     }
-    const accessToken = json.access_token;
-    const refreshToken = json.refresh_token;
-    const expiresIn = json.expires_in;
+    const accessToken = getOptionalString(json, "access_token");
+    const refreshToken = getOptionalString(json, "refresh_token");
+    const expiresInSeconds = getOptionalNumber(json, "expires_in");
     if (refreshToken) {
-      if (this._storageAdapter) {
-        this._storageAdapter.save("microsoft_refresh_token", refreshToken);
-      } else {
-        localStorage.setItem("nitro_auth_microsoft_refresh_token", refreshToken);
-      }
+      this.saveRefreshToken(refreshToken);
     }
     this._grantedScopes = scopes;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(SCOPES_KEY, JSON.stringify(scopes));
-    } else {
-      localStorage.setItem(SCOPES_KEY, JSON.stringify(scopes));
-    }
+    this.saveValue(SCOPES_KEY, JSON.stringify(scopes));
     const user = {
       provider: "microsoft",
       idToken,
       accessToken: accessToken ?? undefined,
+      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: expiresIn ? Date.now() + parseInt(expiresIn) * 1000 : undefined,
+      expirationTime: typeof expiresInSeconds === "number" ? Date.now() + expiresInSeconds * 1000 : undefined,
       ...claims
     };
     this.updateUser(user);
@@ -469,51 +759,88 @@ class AuthWeb {
   }
   decodeMicrosoftJwt(token) {
     try {
-      const payload = token.split(".")[1];
-      const decoded = JSON.parse(atob(payload));
+      const decoded = this.parseJwtPayload(token);
       return {
-        email: decoded.preferred_username ?? decoded.email,
-        name: decoded.name
+        email: getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"),
+        name: getOptionalString(decoded, "name")
       };
-    } catch {
+    } catch (error) {
+      logger.warn("Failed to decode Microsoft ID token", {
+        error: String(error)
+      });
       return {};
     }
   }
-  async loginApple() {
-    const config = getConfig();
-    const clientId = config.appleWebClientId;
-    if (!clientId) {
-      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+  async ensureAppleSdkLoaded() {
+    if (window.AppleID) {
+      return;
     }
-    return new Promise((resolve, reject) => {
+    if (this._appleSdkLoadPromise) {
+      return this._appleSdkLoadPromise;
+    }
+    this._appleSdkLoadPromise = new Promise((resolve, reject) => {
+      const scriptId = "nitro-auth-apple-sdk";
+      const existingScript = document.getElementById(scriptId);
+      if (existingScript) {
+        if (window.AppleID) {
+          resolve();
+          return;
+        }
+        existingScript.addEventListener("load", () => {
+          resolve();
+        }, {
+          once: true
+        });
+        existingScript.addEventListener("error", () => {
+          this._appleSdkLoadPromise = undefined;
+          reject(new Error("Failed to load Apple SDK"));
+        }, {
+          once: true
+        });
+        return;
+      }
       const script = document.createElement("script");
+      script.id = scriptId;
       script.src = "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
       script.async = true;
       script.onload = () => {
-        if (!window.AppleID) {
-          reject(new Error("Apple SDK not loaded"));
-          return;
-        }
-        window.AppleID.auth.init({
-          clientId,
-          scope: "name email",
-          redirectURI: window.location.origin,
-          usePopup: true
-        });
-        window.AppleID.auth.signIn().then(response => {
-          const user = {
-            provider: "apple",
-            idToken: response.authorization.id_token,
-            email: response.user?.email,
-            name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
-          };
-          this.updateUser(user);
-          resolve();
-        }).catch(err => reject(this.mapError(err)));
+        resolve();
+      };
+      script.onerror = () => {
+        this._appleSdkLoadPromise = undefined;
+        reject(new Error("Failed to load Apple SDK"));
       };
-      script.onerror = () => reject(new Error("Failed to load Apple SDK"));
       document.head.appendChild(script);
     });
+    return this._appleSdkLoadPromise;
+  }
+  async loginApple() {
+    const clientId = this._config.appleWebClientId;
+    if (!clientId) {
+      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+    }
+    await this.ensureAppleSdkLoaded();
+    if (!window.AppleID) {
+      throw new Error("Apple SDK not loaded");
+    }
+    window.AppleID.auth.init({
+      clientId,
+      scope: "name email",
+      redirectURI: window.location.origin,
+      usePopup: true
+    });
+    try {
+      const response = await window.AppleID.auth.signIn();
+      const user = {
+        provider: "apple",
+        idToken: response.authorization.id_token,
+        email: response.user?.email,
+        name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
+      };
+      this.updateUser(user);
+    } catch (error) {
+      throw this.mapError(error);
+    }
   }
   async silentRestore() {
     logger.log("Attempting silent restore...");
@@ -533,27 +860,22 @@ class AuthWeb {
     this._grantedScopes = [];
     this.removeFromCache(CACHE_KEY);
     this.removeFromCache(SCOPES_KEY);
-    this.removeFromCache("microsoft_refresh_token");
+    this.removeFromCache(MS_REFRESH_TOKEN_KEY);
     this.notify();
   }
   updateUser(user) {
     this._currentUser = user;
-    if (this._storageAdapter) {
-      this._storageAdapter.save(CACHE_KEY, JSON.stringify(user));
-    } else {
-      localStorage.setItem(CACHE_KEY, JSON.stringify(user));
-    }
+    const userToPersist = this.sanitizeUserForPersistence(user);
+    this.saveValue(CACHE_KEY, JSON.stringify(userToPersist));
     this.notify();
   }
   setLoggingEnabled(enabled) {
     logger.setEnabled(enabled);
   }
-  setStorageAdapter(adapter) {
-    this._storageAdapter = adapter;
-    if (adapter) {
-      this.loadFromCache();
-      this.notify();
-    }
+  setWebStorageAdapter(adapter) {
+    this._storageAdapter = adapter ? this.createWebStorageDriver(adapter) : undefined;
+    this.loadFromCache();
+    this.notify();
   }
   name = "Auth";
   dispose() {}