react-native-nitro-auth 0.5.12 → 0.6.1

package/CHANGELOG.md

@@ -1,5 +1,47 @@
 # Changelog
 
+## 0.6.1 - 2026-05-21
+
+### Changed
+
+- Updated the package and Expo example baseline to Expo SDK 56, React Native 0.85.3, React 19.2.3, TypeScript 6.0.3, Nitro Modules 0.35.7, and nitrogen 0.35.7.
+- Raised the iOS deployment target to 16.4 for SDK 56 compatibility.
+- Added release preflight checks for Expo dependency validation, Expo Doctor, config introspection, package build, tests, C++ tests, and publish dry run.
+- Simplified the example app by keeping provider-specific advanced options collapsed by default.
+- Updated README badges, setup commands, release checks, and typed API examples to match the 0.6.1 package state.
+- Added compile-time coverage for provider-specific login option types.
+- Added CI setup and versioned tool detection for LLVM C++ coverage tools.
+- Added a CI-safe release preflight mode that skips unauthenticated npm publish dry runs while keeping local publish dry runs intact.
+
+### Fixed
+
+- Retained the active iOS Apple Sign-In controller until completion to avoid premature native lifecycle cleanup.
+- Removed the example app's import-time native logging side effect.
+- Removed Turbo cache-output warnings from lint and typecheck tasks.
+
+## 0.6.0 - 2026-05-14
+
+### Added
+
+- Added provider option support for Google nonce, hosted domain, OpenID realm, authorized-account filtering, verified phone number requests, refresh-code forcing, and Android legacy Google sign-in.
+- Added Apple nonce and authorization-code/user-id result support.
+- Added Microsoft tenant and prompt option coverage across native and web flows.
+- Added `revokeAccess()` to the native/web auth API and `useAuth()` hook.
+- Added native logging hooks and platform-gated example controls for supported provider options only.
+- Added provider-specific TypeScript option types for `AuthService.login()` and `useAuth().login()`.
+
+### Changed
+
+- Updated Nitro Modules and native SDK dependencies, including Android Credential Manager, Activity, Browser, and API 36 targets.
+- Hardened native and web promise handling so stale sign-in, scope, restore, revoke, and token operations settle consistently.
+- Updated Android Google sign-out to avoid noisy Credential Manager cleanup during normal logout while preserving deep cleanup through revoke access.
+
+### Fixed
+
+- Fixed Android Metro watcher noise from transient Bun `node_modules/.old-*` directories in the example app.
+- Fixed Android Google cancellation handling so cancellations are not reported as unknown failures.
+- Fixed native session cleanup paths to reject pending work before clearing provider state.
+
 ## 0.5.12 - 2026-05-13
 
 ### Changed

package/README.md

@@ -1,9 +1,9 @@
 # react-native-nitro-auth
 
-![npm](https://img.shields.io/badge/npm-v0.5.12-f97316?style=flat-square)
-![license](https://img.shields.io/badge/license-MIT-007ec6?style=flat-square)
-![react-native](https://img.shields.io/badge/react--native-%3E%3D0.75-61dafb?style=flat-square)
-![nitro-modules](https://img.shields.io/badge/nitro--modules-%3E%3D0.35.0-black?style=flat-square)
+[![npm](https://img.shields.io/badge/npm-v0.6.1-f97316?style=flat-square)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![license](https://img.shields.io/badge/license-MIT-007ec6?style=flat-square)](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/blob/main/LICENSE)
+[![react-native](https://img.shields.io/badge/react--native-%3E%3D0.75-61dafb?style=flat-square)](https://reactnative.dev/)
+[![nitro-modules](https://img.shields.io/badge/nitro--modules-%3E%3D0.35.0-black?style=flat-square)](https://nitro.margelo.com/)
 
 Fast React Native authentication for Google Sign-In, Apple Sign-In, and Microsoft Entra ID, built on Nitro Modules and JSI.
 
@@ -41,6 +41,8 @@ For Expo projects, prebuild after adding the config plugin:
 bunx expo prebuild --clean
 ```
 
+The example app uses Expo Continuous Native Generation. Its `apps/example/android` and `apps/example/ios` folders are generated local artifacts and intentionally ignored by git.
+
 For bare React Native projects, install pods after installing the package:
 
 ```sh
@@ -49,13 +51,15 @@ cd ios && pod install
 
 ## Requirements
 
-| Runtime               | Requirement                              |
-| --------------------- | ---------------------------------------- |
-| React Native          | `>=0.75`                                 |
-| Nitro Modules         | `>=0.35`                                 |
-| iOS                   | 15.1+ recommended                        |
-| Android               | min SDK 24+ recommended                  |
-| Expo example baseline | Expo SDK 55, React Native 0.83, React 19 |
+| Runtime            | Requirement                              |
+| ------------------ | ---------------------------------------- |
+| React Native       | `>=0.75` peer range                      |
+| Nitro Modules      | `>=0.35` peer range                      |
+| iOS                | 16.4+ for Expo SDK 56                    |
+| Android            | min SDK 24+ recommended                  |
+| Validated baseline | Expo SDK 56, React Native 0.85, React 19 |
+
+The package keeps a wide React Native peer range for existing consumers, but this release is validated against Expo SDK 56, React Native 0.85.3, React 19.2.3, and Nitro Modules 0.35.7.
 
 ## Expo Setup
 
@@ -154,16 +158,23 @@ Use `microsoftTenant` for `common`, `organizations`, `consumers`, a tenant ID, o
 
 ```tsx
 import { Button, Text, View } from "react-native";
-import { AuthError, useAuth } from "react-native-nitro-auth";
+import {
+  AuthError,
+  type GoogleLoginOptions,
+  useAuth,
+} from "react-native-nitro-auth";
+
+const googleOptions = {
+  scopes: ["email", "profile"],
+  forceAccountPicker: true,
+} satisfies GoogleLoginOptions;
 
 export function SignInScreen() {
   const { user, loading, login, logout, getAccessToken } = useAuth();
 
   async function signInWithGoogle() {
     try {
-      await login("google", {
-        scopes: ["email", "profile"],
-      });
+      await login("google", googleOptions);
     } catch (e) {
       const error = AuthError.from(e);
       console.warn(error.code, error.underlyingMessage);
@@ -232,29 +243,45 @@ tokensUnsubscribe();
 await login("google", {
   scopes: ["email", "profile"],
   loginHint: "user@example.com",
+  nonce: "opaque-nonce",
   useOneTap: true,
-  useSheet: true,
   forceAccountPicker: true,
+  filterByAuthorizedAccounts: true,
   useLegacyGoogleSignIn: true,
+  forceCodeForRefreshToken: true,
+  hostedDomain: "company.com",
+  requestVerifiedPhoneNumber: true,
+});
+
+await login("apple", {
+  scopes: ["email", "name"],
+  nonce: "opaque-nonce",
 });
 
 await login("microsoft", {
   scopes: ["openid", "profile", "email", "offline_access", "User.Read"],
+  loginHint: "user@example.com",
   tenant: "organizations",
   prompt: "select_account",
 });
 ```
 
-| Option                  | Applies to        | Notes                                                |
-| ----------------------- | ----------------- | ---------------------------------------------------- |
-| `scopes`                | Google, Microsoft | Requested OAuth scopes                               |
-| `loginHint`             | Google, Microsoft | Prefills account selection when supported            |
-| `useOneTap`             | Android Google    | Enables Credential Manager auto-select               |
-| `useSheet`              | iOS Google        | Uses native sign-in sheet behavior                   |
-| `forceAccountPicker`    | Google            | Forces account picker                                |
-| `useLegacyGoogleSignIn` | Android Google    | Uses legacy Google Sign-In path for server auth code |
-| `tenant`                | Microsoft         | Overrides configured tenant                          |
-| `prompt`                | Microsoft         | `login`, `consent`, `select_account`, or `none`      |
+| Option                       | Provider     | Platform         | Notes                                                       |
+| ---------------------------- | ------------ | ---------------- | ----------------------------------------------------------- |
+| `scopes`                     | All          | iOS, Android, web | Requested OAuth scopes. Apple is unavailable on Android.    |
+| `loginHint`                  | Google, Microsoft | iOS, Android, web | Prefills account selection when supported by the provider.  |
+| `nonce`                      | Google, Apple | iOS, Android, web | Passed to provider ID-token flows when the SDK supports it. |
+| `useOneTap`                  | Google       | Android          | Enables Credential Manager auto-select.                     |
+| `useSheet`                   | Google       | iOS              | Compatibility alias; prefer `forceAccountPicker`.           |
+| `forceAccountPicker`         | Google       | iOS, Android, web | Forces an account picker. Android uses the legacy chooser.  |
+| `filterByAuthorizedAccounts` | Google       | Android          | Limits Credential Manager to authorized accounts.           |
+| `useLegacyGoogleSignIn`      | Google       | Android          | Uses legacy Google Sign-In for server auth code flows.      |
+| `forceCodeForRefreshToken`   | Google       | Android          | Forces a new server auth code on the legacy Google path.    |
+| `hostedDomain`               | Google       | iOS, Android, web | Hints or filters Google Workspace hosted-domain accounts.   |
+| `openIDRealm`                | Google       | iOS, web         | Adds OpenID realm support where the SDK exposes it.         |
+| `requestVerifiedPhoneNumber` | Google       | Android          | Requests verified phone number through Credential Manager.  |
+| `tenant`                     | Microsoft    | iOS, Android, web | Overrides configured tenant.                                |
+| `prompt`                     | Microsoft    | iOS, Android, web | `login`, `consent`, `select_account`, or `none`.            |
 
 ## Incremental Scopes
 
@@ -357,6 +384,18 @@ Main exports:
 - `AuthUser`
 - `AuthTokens`
 - `LoginOptions`
+- `ProviderLoginOptions`
+- `LoginOptionsByProvider`
+- `GoogleLoginOptions`
+- `GoogleIOSLoginOptions`
+- `GoogleAndroidLoginOptions`
+- `GoogleWebLoginOptions`
+- `AppleLoginOptions`
+- `AppleIOSLoginOptions`
+- `AppleWebLoginOptions`
+- `MicrosoftLoginOptions`
+- `AuthLogin`
+- `TypedAuth`
 
 ### useAuth()
 
@@ -371,12 +410,66 @@ type UseAuthReturn = {
   logout(): void;
   requestScopes(scopes: string[]): Promise<void>;
   revokeScopes(scopes: string[]): Promise<void>;
+  revokeAccess(): Promise<void>;
   getAccessToken(): Promise<string | undefined>;
   refreshToken(): Promise<AuthTokens>;
   silentRestore(): Promise<void>;
 };
 ```
 
+### Strong Login Types
+
+`AuthService.login()` and `useAuth().login()` infer the allowed option object from the provider argument. Provider-specific option types intentionally reject unsupported keys, so TypeScript can catch mistakes before they become native configuration bugs.
+
+```ts
+await AuthService.login("apple", {
+  nonce: "opaque-nonce",
+});
+
+await AuthService.login("microsoft", {
+  tenant: "organizations",
+  prompt: "select_account",
+});
+```
+
+Provider/platform option helpers are exported for config builders and AI-generated integrations:
+
+```ts
+import type {
+  GoogleAndroidLoginOptions,
+  GoogleIOSLoginOptions,
+  MicrosoftLoginOptions,
+} from "react-native-nitro-auth";
+
+const androidGoogleOptions = {
+  useOneTap: true,
+  filterByAuthorizedAccounts: true,
+  requestVerifiedPhoneNumber: true,
+} satisfies GoogleAndroidLoginOptions;
+
+const iosGoogleOptions = {
+  hostedDomain: "company.com",
+  openIDRealm: "https://example.com",
+} satisfies GoogleIOSLoginOptions;
+
+const microsoftOptions = {
+  tenant: "organizations",
+  prompt: "select_account",
+} satisfies MicrosoftLoginOptions;
+```
+
+Examples of mistakes that TypeScript rejects:
+
+```ts
+await AuthService.login("apple", {
+  tenant: "organizations",
+});
+
+await AuthService.login("microsoft", {
+  nonce: "opaque-nonce",
+});
+```
+
 ### AuthUser
 
 ```ts
@@ -389,6 +482,10 @@ type AuthUser = {
   accessToken?: string;
   refreshToken?: string;
   serverAuthCode?: string;
+  authorizationCode?: string;
+  userId?: string;
+  phoneNumber?: string;
+  hostedDomain?: string;
   scopes?: string[];
   expirationTime?: number;
   underlyingError?: string;
@@ -402,16 +499,17 @@ The example app is the fastest way to verify setup and read a complete integrati
 ```sh
 cp apps/example/.env.example apps/example/.env.local
 bun install
-bun example:prebuild:clean
-bun example:ios
-bun example:android
+bun run example:prebuild:clean
+bun run example:ios
+bun run example:android
 ```
 
 The demo includes:
 
 - Provider cards for Google, Apple, and Microsoft.
 - Token and scope operations.
-- Silent restore and account picker actions.
+- Silent restore, account picker, revoke access, and native logging actions.
+- Platform-gated controls for each supported Google, Apple, and Microsoft option.
 - App-owned disk snapshot example with `react-native-nitro-storage`.
 - Runtime smoke tests for the public API.
 
@@ -439,10 +537,12 @@ The demo includes:
 ## Release Checks
 
 ```sh
-bun run publish-package:dry-run
+bun run release:preflight
 ```
 
-The publish script runs frozen install, core-version verification, codegen, build, lint, typecheck, Jest, JS coverage, C++ tests, C++ coverage, Expo Doctor, package docs sync, pack dry run, and `bun publish --dry-run --ignore-scripts`.
+The release preflight runs core-version verification, codegen, build, lint, typecheck, Jest, C++ tests, Expo dependency validation, Expo Doctor, Expo config introspection, package docs sync, pack dry run, and `bun publish --dry-run --ignore-scripts`.
+
+CI runs the same preflight with registry publish dry-run disabled because GitHub pull-request jobs do not have npm publish credentials.
 
 For faster local iteration before the full release dry run:
 

package/android/build.gradle

@@ -96,13 +96,13 @@ dependencies {
   implementation "com.google.android.gms:play-services-auth:21.5.1"
   
   // Activity result APIs
-  implementation "androidx.activity:activity-ktx:1.9.3"
+  implementation "androidx.activity:activity-ktx:1.13.0"
   
   // Custom Tabs (Microsoft OAuth in-app browser)
-  implementation "androidx.browser:browser:1.8.0"
+  implementation "androidx.browser:browser:1.10.0"
   
   // Google Credential Manager (One-Tap / Passkeys)
-  implementation "androidx.credentials:credentials:1.5.0"
-  implementation "androidx.credentials:credentials-play-services-auth:1.5.0"
+  implementation "androidx.credentials:credentials:1.6.0"
+  implementation "androidx.credentials:credentials-play-services-auth:1.6.0"
   implementation "com.google.android.libraries.identity.googleid:googleid:1.2.0"
 }

package/android/gradle.properties

@@ -1,4 +1,4 @@
 NitroAuth_ndkVersion=27.1.12297006
-NitroAuth_compileSdkVersion=35
-NitroAuth_targetSdkVersion=35
+NitroAuth_compileSdkVersion=36
+NitroAuth_targetSdkVersion=36
 NitroAuth_minSdkVersion=24

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -25,6 +25,7 @@ static jmethodID gRefreshMethod = nullptr;
 static jmethodID gRestoreMethod = nullptr;
 static jmethodID gHasPlayMethod = nullptr;
 static jmethodID gLogoutMethod = nullptr;
+static jmethodID gRevokeAccessMethod = nullptr;
 
 // Call from JNI_OnUnload or dispose to prevent stale refs after a module reload.
 static void clearCachedJniRefs(JNIEnv* env) {
@@ -38,13 +39,14 @@ static void clearCachedJniRefs(JNIEnv* env) {
     gRestoreMethod = nullptr;
     gHasPlayMethod = nullptr;
     gLogoutMethod = nullptr;
+    gRevokeAccessMethod = nullptr;
 }
 
 static void ensureAuthAdapterMethods(JNIEnv* env) {
     if (gAuthAdapterClass != nullptr && gLoginMethod != nullptr
         && gRequestScopesMethod != nullptr && gRefreshMethod != nullptr
         && gRestoreMethod != nullptr && gHasPlayMethod != nullptr
-        && gLogoutMethod != nullptr) {
+        && gLogoutMethod != nullptr && gRevokeAccessMethod != nullptr) {
         return;
     }
 
@@ -61,7 +63,7 @@ static void ensureAuthAdapterMethods(JNIEnv* env) {
         gLoginMethod = env->GetStaticMethodID(
             gAuthAdapterClass,
             "loginSync",
-            "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;ZZZLjava/lang/String;Ljava/lang/String;)V"
+            "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ZZZZZZLjava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V"
         );
     }
     if (gRequestScopesMethod == nullptr) {
@@ -99,6 +101,13 @@ static void ensureAuthAdapterMethods(JNIEnv* env) {
             "(Landroid/content/Context;)V"
         );
     }
+    if (gRevokeAccessMethod == nullptr) {
+        gRevokeAccessMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "revokeAccessSync",
+            "(Landroid/content/Context;)V"
+        );
+    }
 }
 
 std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
@@ -127,16 +136,25 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     
     std::vector<std::string> scopes = {"email", "profile"};
     std::optional<std::string> loginHint;
+    std::optional<std::string> nonce;
     std::optional<std::string> tenant;
     std::optional<std::string> prompt;
+    std::optional<std::string> hostedDomain;
+    std::optional<std::string> openIDRealm;
     bool useOneTap = false;
     bool forceAccountPicker = false;
     bool useLegacyGoogleSignIn = false;
+    bool filterByAuthorizedAccounts = false;
+    bool forceCodeForRefreshToken = false;
+    bool requestVerifiedPhoneNumber = false;
 
     if (options) {
         if (options->scopes) scopes = *options->scopes;
         loginHint = options->loginHint;
+        nonce = options->nonce;
         tenant = options->tenant;
+        hostedDomain = options->hostedDomain;
+        openIDRealm = options->openIDRealm;
         if (options->prompt.has_value()) {
             switch (options->prompt.value()) {
                 case MicrosoftPrompt::LOGIN: prompt = "login"; break;
@@ -148,6 +166,9 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         useOneTap = options->useOneTap.value_or(false);
         forceAccountPicker = options->forceAccountPicker.value_or(false);
         useLegacyGoogleSignIn = options->useLegacyGoogleSignIn.value_or(false);
+        filterByAuthorizedAccounts = options->filterByAuthorizedAccounts.value_or(false);
+        forceCodeForRefreshToken = options->forceCodeForRefreshToken.value_or(false);
+        requestVerifiedPhoneNumber = options->requestVerifiedPhoneNumber.value_or(false);
     }
 
     JNIEnv* env = Environment::current();
@@ -170,18 +191,30 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
 
     local_ref<JString> providerRef = make_jstring(providerStr);
     local_ref<JString> loginHintRef;
+    local_ref<JString> nonceRef;
     local_ref<JString> tenantRef;
     local_ref<JString> promptRef;
+    local_ref<JString> hostedDomainRef;
+    local_ref<JString> openIDRealmRef;
 
     if (loginHint.has_value()) {
         loginHintRef = make_jstring(loginHint.value());
     }
+    if (nonce.has_value()) {
+        nonceRef = make_jstring(nonce.value());
+    }
     if (tenant.has_value()) {
         tenantRef = make_jstring(tenant.value());
     }
     if (prompt.has_value()) {
         promptRef = make_jstring(prompt.value());
     }
+    if (hostedDomain.has_value()) {
+        hostedDomainRef = make_jstring(hostedDomain.value());
+    }
+    if (openIDRealm.has_value()) {
+        openIDRealmRef = make_jstring(openIDRealm.value());
+    }
 
     env->CallStaticVoidMethod(gAuthAdapterClass, gLoginMethod,
         contextPtr,
@@ -189,11 +222,17 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         nullptr,
         jScopes,
         loginHintRef.get(),
+        nonceRef.get(),
         (jboolean)useOneTap,
         (jboolean)forceAccountPicker,
         (jboolean)useLegacyGoogleSignIn,
+        (jboolean)filterByAuthorizedAccounts,
+        (jboolean)forceCodeForRefreshToken,
+        (jboolean)requestVerifiedPhoneNumber,
         tenantRef.get(),
-        promptRef.get());
+        promptRef.get(),
+        hostedDomainRef.get(),
+        openIDRealmRef.get());
 
     env->DeleteLocalRef(jScopes);
     env->DeleteLocalRef(stringClass);
@@ -396,13 +435,42 @@ void PlatformAuth::logout() {
     }
 }
 
+std::shared_ptr<Promise<void>> PlatformAuth::revokeAccess() {
+    auto promise = Promise<void>::create();
+    auto contextPtr = static_cast<jobject>(AuthCache::getAndroidContext());
+    if (!contextPtr) {
+        promise->resolve();
+        return promise;
+    }
+
+    JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        promise->reject(std::current_exception());
+        return promise;
+    }
+
+    env->CallStaticVoidMethod(gAuthAdapterClass, gRevokeAccessMethod, contextPtr);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        promise->reject(std::make_exception_ptr(std::runtime_error("JNI call failed")));
+        return promise;
+    }
+
+    promise->resolve();
+    return promise;
+}
+
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeInitialize(JNIEnv*, jclass, jobject context) {
     AuthCache::setAndroidContext(context);
 }
 
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess(
     JNIEnv* env, jclass,
-    jstring origin, jstring provider, jstring email, jstring name, jstring photo, jstring idToken, jstring accessToken, jstring serverAuthCode, jobjectArray scopes, jobject expirationTime) {
+    jstring origin, jstring provider, jstring email, jstring name, jstring photo, jstring idToken, jstring accessToken, jstring serverAuthCode, jstring userId, jstring phoneNumber, jstring hostedDomain, jobjectArray scopes, jobject expirationTime) {
 
     const char* originCStr = env->GetStringUTFChars(origin, nullptr);
     std::string originStr(originCStr);
@@ -467,6 +535,21 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess
         user.serverAuthCode = std::string(s);
         env->ReleaseStringUTFChars(serverAuthCode, s);
     }
+    if (userId) {
+        const char* s = env->GetStringUTFChars(userId, nullptr);
+        user.userId = std::string(s);
+        env->ReleaseStringUTFChars(userId, s);
+    }
+    if (phoneNumber) {
+        const char* s = env->GetStringUTFChars(phoneNumber, nullptr);
+        user.phoneNumber = std::string(s);
+        env->ReleaseStringUTFChars(phoneNumber, s);
+    }
+    if (hostedDomain) {
+        const char* s = env->GetStringUTFChars(hostedDomain, nullptr);
+        user.hostedDomain = std::string(s);
+        env->ReleaseStringUTFChars(hostedDomain, s);
+    }
     if (scopes) {
         int len = env->GetArrayLength(scopes);
         std::vector<std::string> scopeVec;