react-native-nitro-auth 0.5.3 → 0.5.4

package/android/build.gradle

@@ -93,7 +93,7 @@ dependencies {
   implementation project(":react-native-nitro-modules")
   
   // Google Sign-In SDK (full scope support)
-  implementation "com.google.android.gms:play-services-auth:21.2.0"
+  implementation "com.google.android.gms:play-services-auth:21.5.1"
   
   // Activity result APIs
   implementation "androidx.activity:activity-ktx:1.9.3"
@@ -104,8 +104,5 @@ dependencies {
   // Google Credential Manager (One-Tap / Passkeys)
   implementation "androidx.credentials:credentials:1.5.0"
   implementation "androidx.credentials:credentials-play-services-auth:1.5.0"
-  implementation "com.google.android.libraries.identity.googleid:googleid:1.1.1"
-
-  // Secure storage (EncryptedSharedPreferences)
-  implementation "androidx.security:security-crypto:1.0.0"
+  implementation "com.google.android.libraries.identity.googleid:googleid:1.2.0"
 }

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -6,6 +6,8 @@
 #include <fbjni/fbjni.h>
 #include <NitroModules/NitroLogger.hpp>
 #include <NitroModules/Promise.hpp>
+#include <exception>
+#include <stdexcept>
 
 namespace margelo::nitro::NitroAuth {
 
@@ -24,6 +26,33 @@ static std::shared_ptr<Promise<AuthUser>> gScopesPromise;
 static std::shared_ptr<Promise<AuthTokens>> gRefreshPromise;
 static std::shared_ptr<Promise<std::optional<AuthUser>>> gSilentPromise;
 static std::mutex gMutex;
+static jclass gAuthAdapterClass = nullptr;
+static jmethodID gLoginMethod = nullptr;
+static jmethodID gRequestScopesMethod = nullptr;
+
+static void ensureAuthAdapterMethods(JNIEnv* env) {
+    if (gAuthAdapterClass != nullptr && gLoginMethod != nullptr && gRequestScopesMethod != nullptr) {
+        return;
+    }
+
+    jclass localAdapterClass = env->FindClass("com/auth/AuthAdapter");
+    if (localAdapterClass == nullptr) {
+        throw std::runtime_error("Unable to resolve com/auth/AuthAdapter");
+    }
+    gAuthAdapterClass = static_cast<jclass>(env->NewGlobalRef(localAdapterClass));
+    env->DeleteLocalRef(localAdapterClass);
+
+    gLoginMethod = env->GetStaticMethodID(
+        gAuthAdapterClass,
+        "loginSync",
+        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;ZZZLjava/lang/String;Ljava/lang/String;)V"
+    );
+    gRequestScopesMethod = env->GetStaticMethodID(
+        gAuthAdapterClass,
+        "requestScopesSync",
+        "(Landroid/content/Context;[Ljava/lang/String;)V"
+    );
+}
 
 std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
     auto promise = Promise<AuthUser>::create();
@@ -35,6 +64,9 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     
     {
         std::lock_guard<std::mutex> lock(gMutex);
+        if (gLoginPromise) {
+            gLoginPromise->reject(std::make_exception_ptr(std::runtime_error("Login request superseded by a newer request")));
+        }
         gLoginPromise = promise;
     }
     
@@ -71,30 +103,47 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     }
 
     JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        promise->reject(std::current_exception());
+        return promise;
+    }
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
     for (size_t i = 0; i < scopes.size(); i++) {
         env->SetObjectArrayElement(jScopes, i, make_jstring(scopes[i]).get());
     }
     
-    jstring jLoginHint = loginHint.has_value() ? make_jstring(loginHint.value()).get() : nullptr;
-    jstring jTenant = tenant.has_value() ? make_jstring(tenant.value()).get() : nullptr;
-    jstring jPrompt = prompt.has_value() ? make_jstring(prompt.value()).get() : nullptr;
-    
-    jclass adapterClass = env->FindClass("com/auth/AuthAdapter");
-    jmethodID loginMethod = env->GetStaticMethodID(adapterClass, "loginSync", 
-        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;ZZZLjava/lang/String;Ljava/lang/String;)V");
-    env->CallStaticVoidMethod(adapterClass, loginMethod, 
+    local_ref<JString> providerRef = make_jstring(providerStr);
+    local_ref<JString> loginHintRef;
+    local_ref<JString> tenantRef;
+    local_ref<JString> promptRef;
+
+    if (loginHint.has_value()) {
+        loginHintRef = make_jstring(loginHint.value());
+    }
+    if (tenant.has_value()) {
+        tenantRef = make_jstring(tenant.value());
+    }
+    if (prompt.has_value()) {
+        promptRef = make_jstring(prompt.value());
+    }
+
+    env->CallStaticVoidMethod(gAuthAdapterClass, gLoginMethod, 
         contextPtr, 
-        make_jstring(providerStr).get(),
+        providerRef.get(),
         nullptr,
         jScopes,
-        jLoginHint,
+        loginHintRef.get(),
         (jboolean)useOneTap,
         (jboolean)forceAccountPicker,
         (jboolean)useLegacyGoogleSignIn,
-        jTenant,
-        jPrompt);
+        tenantRef.get(),
+        promptRef.get());
+
+    env->DeleteLocalRef(jScopes);
+    env->DeleteLocalRef(stringClass);
     
     return promise;
 }
@@ -109,20 +158,28 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::requestScopes(const std::vector
     
     {
         std::lock_guard<std::mutex> lock(gMutex);
+        if (gScopesPromise) {
+            gScopesPromise->reject(std::make_exception_ptr(std::runtime_error("Scope request superseded by a newer request")));
+        }
         gScopesPromise = promise;
     }
     
     JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        promise->reject(std::current_exception());
+        return promise;
+    }
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
     for (size_t i = 0; i < scopes.size(); i++) {
         env->SetObjectArrayElement(jScopes, i, make_jstring(scopes[i]).get());
     }
     
-    jclass adapterClass = env->FindClass("com/auth/AuthAdapter");
-    jmethodID requestMethod = env->GetStaticMethodID(adapterClass, "requestScopesSync", 
-        "(Landroid/content/Context;[Ljava/lang/String;)V");
-    env->CallStaticVoidMethod(adapterClass, requestMethod, contextPtr, jScopes);
+    env->CallStaticVoidMethod(gAuthAdapterClass, gRequestScopesMethod, contextPtr, jScopes);
+    env->DeleteLocalRef(jScopes);
+    env->DeleteLocalRef(stringClass);
     return promise;
 }
 
@@ -136,6 +193,9 @@ std::shared_ptr<Promise<AuthTokens>> PlatformAuth::refreshToken() {
     
     {
         std::lock_guard<std::mutex> lock(gMutex);
+        if (gRefreshPromise) {
+            gRefreshPromise->reject(std::make_exception_ptr(std::runtime_error("Refresh request superseded by a newer request")));
+        }
         gRefreshPromise = promise;
     }
     
@@ -155,6 +215,9 @@ std::shared_ptr<Promise<std::optional<AuthUser>>> PlatformAuth::silentRestore()
 
     {
         std::lock_guard<std::mutex> lock(gMutex);
+        if (gSilentPromise) {
+            gSilentPromise->reject(std::make_exception_ptr(std::runtime_error("Silent restore superseded by a newer request")));
+        }
         gSilentPromise = promise;
     }
 
@@ -182,8 +245,8 @@ void PlatformAuth::logout() {
     logoutMethod(JAuthAdapter::javaClassStatic(), static_ref_cast<JContext>(jContext));
 }
 
-extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeInitialize(JNIEnv* env, jclass, jobject context) {
-    AuthCache::setAndroidContext(env->NewGlobalRef(context));
+extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeInitialize(JNIEnv*, jclass, jobject context) {
+    AuthCache::setAndroidContext(context);
 }
 
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess(
@@ -253,6 +316,7 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess
             const char* s = env->GetStringUTFChars(jstr, nullptr);
             scopeVec.push_back(std::string(s));
             env->ReleaseStringUTFChars(jstr, s);
+            env->DeleteLocalRef(jstr);
         }
         user.scopes = scopeVec;
     }
@@ -260,6 +324,7 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess
         jclass longClass = env->FindClass("java/lang/Long");
         jmethodID longValueMethod = env->GetMethodID(longClass, "longValue", "()J");
         user.expirationTime = (double)env->CallLongMethod(expirationTime, longValueMethod);
+        env->DeleteLocalRef(longClass);
     }
     
     if (loginPromise) loginPromise->resolve(user);
@@ -328,6 +393,7 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnRefreshSucce
             jclass longClass = env->FindClass("java/lang/Long");
             jmethodID longValueMethod = env->GetMethodID(longClass, "longValue", "()J");
             tokens.expirationTime = (double)env->CallLongMethod(expirationTime, longValueMethod);
+            env->DeleteLocalRef(longClass);
         }
         refreshPromise->resolve(tokens);
     }

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -32,9 +32,13 @@ import android.util.Base64
 object AuthAdapter {
     private const val TAG = "AuthAdapter"
     
+    @Volatile
+    private var isInitialized = false
+
     private var appContext: Context? = null
     private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
+    private var lifecycleCallbacks: Application.ActivityLifecycleCallbacks? = null
     private var pendingScopes: List<String> = emptyList()
     private var pendingMicrosoftScopes: List<String> = emptyList()
     
@@ -74,23 +78,33 @@ object AuthAdapter {
     @JvmStatic
     private external fun nativeOnRefreshError(error: String, underlyingError: String?)
 
+    @Synchronized
     fun initialize(context: Context) {
-        val app = context.applicationContext as? Application
-        appContext = app
-        
-        app?.registerActivityLifecycleCallbacks(object : Application.ActivityLifecycleCallbacks {
-            override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) { currentActivity = activity }
-            override fun onActivityStarted(activity: Activity) { currentActivity = activity }
-            override fun onActivityResumed(activity: Activity) { currentActivity = activity }
-            override fun onActivityPaused(activity: Activity) { if (currentActivity == activity) currentActivity = null }
-            override fun onActivityStopped(activity: Activity) { if (currentActivity == activity) currentActivity = null }
-            override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
-            override fun onActivityDestroyed(activity: Activity) { if (currentActivity == activity) currentActivity = null }
-        })
+        if (isInitialized) {
+            return
+        }
+
+        val applicationContext = context.applicationContext
+        appContext = applicationContext
+
+        val app = applicationContext as? Application
+        if (app != null && lifecycleCallbacks == null) {
+            lifecycleCallbacks = object : Application.ActivityLifecycleCallbacks {
+                override fun onActivityCreated(activity: Activity, savedInstanceState: Bundle?) { currentActivity = activity }
+                override fun onActivityStarted(activity: Activity) { currentActivity = activity }
+                override fun onActivityResumed(activity: Activity) { currentActivity = activity }
+                override fun onActivityPaused(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+                override fun onActivityStopped(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+                override fun onActivitySaveInstanceState(activity: Activity, outState: Bundle) {}
+                override fun onActivityDestroyed(activity: Activity) { if (currentActivity == activity) currentActivity = null }
+            }
+            app.registerActivityLifecycleCallbacks(lifecycleCallbacks)
+        }
 
         try {
             System.loadLibrary("NitroAuth")
-            nativeInitialize(appContext!!)
+            nativeInitialize(applicationContext)
+            isInitialized = true
         } catch (e: Exception) {
             Log.e(TAG, "Failed to load NitroAuth library", e)
         }

package/cpp/AuthCache.cpp

@@ -1,10 +1,5 @@
 #include "AuthCache.hpp"
 
-#ifdef __APPLE__
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#endif
-
 #ifdef __ANDROID__
 #include <jni.h>
 #include <fbjni/fbjni.h>
@@ -12,34 +7,10 @@
 
 namespace margelo::nitro::NitroAuth {
 
-#ifdef __APPLE__
-static std::string sInMemoryUserJson;
-
-void AuthCache::setUserJson(const std::string& json) {
-    sInMemoryUserJson = json;
-}
-
-std::optional<std::string> AuthCache::getUserJson() {
-    if (sInMemoryUserJson.empty()) {
-        return std::nullopt;
-    }
-    return sInMemoryUserJson;
-}
-
-void AuthCache::clear() {
-    sInMemoryUserJson.clear();
-}
-#endif
-
 #ifdef __ANDROID__
 using namespace facebook::jni;
 
-struct JContext : JavaClass<JContext> {
-    static constexpr auto kJavaDescriptor = "Landroid/content/Context;";
-};
-
 static facebook::jni::global_ref<jobject> gContext;
-static std::string sInMemoryUserJson;
 
 void AuthCache::setAndroidContext(void* context) {
     gContext = facebook::jni::make_global(static_cast<jobject>(context));
@@ -48,21 +19,6 @@ void AuthCache::setAndroidContext(void* context) {
 void* AuthCache::getAndroidContext() {
     return gContext.get();
 }
-
-void AuthCache::setUserJson(const std::string& json) {
-    sInMemoryUserJson = json;
-}
-
-std::optional<std::string> AuthCache::getUserJson() {
-    if (sInMemoryUserJson.empty()) {
-        return std::nullopt;
-    }
-    return sInMemoryUserJson;
-}
-
-void AuthCache::clear() {
-    sInMemoryUserJson.clear();
-}
 #endif
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/AuthCache.hpp

@@ -1,16 +1,9 @@
 #pragma once
 
-#include <string>
-#include <optional>
-
 namespace margelo::nitro::NitroAuth {
 
 class AuthCache {
 public:
-  static void setUserJson(const std::string& json);
-  static std::optional<std::string> getUserJson();
-  static void clear();
-
 #ifdef __ANDROID__
   static void setAndroidContext(void* context);
   static void* getAndroidContext();

package/cpp/HybridAuth.cpp

@@ -209,7 +209,16 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 }
 
 std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
-  auto promise = Promise<AuthTokens>::create();
+  std::shared_ptr<Promise<AuthTokens>> promise;
+  {
+    std::lock_guard<std::mutex> lock(_mutex);
+    if (_refreshInFlight) {
+      return _refreshInFlight;
+    }
+    promise = Promise<AuthTokens>::create();
+    _refreshInFlight = promise;
+  }
+
   auto refreshPromise = PlatformAuth::refreshToken();
   refreshPromise->addOnResolvedListener([this, promise](const AuthTokens& tokens) {
     {
@@ -228,13 +237,22 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
           _currentUser->expirationTime = tokens.expirationTime;
         }
       }
+      if (_refreshInFlight == promise) {
+        _refreshInFlight = nullptr;
+      }
     }
     notifyTokensRefreshed(tokens);
     notifyAuthStateChanged();
     promise->resolve(tokens);
   });
   
-  refreshPromise->addOnRejectedListener([promise](const std::exception_ptr& error) {
+  refreshPromise->addOnRejectedListener([this, promise](const std::exception_ptr& error) {
+    {
+      std::lock_guard<std::mutex> lock(_mutex);
+      if (_refreshInFlight == promise) {
+        _refreshInFlight = nullptr;
+      }
+    }
     promise->reject(error);
   });
   return promise;

package/cpp/HybridAuth.hpp

@@ -46,6 +46,7 @@ private:
   
   std::map<int, std::function<void(const AuthTokens&)>> _tokenListeners;
   int _nextTokenListenerId = 0;
+  std::shared_ptr<Promise<AuthTokens>> _refreshInFlight;
   
   std::mutex _mutex;
 

package/ios/AuthAdapter.swift

@@ -288,6 +288,8 @@ public class AuthAdapter: NSObject {
     guard parts.count >= 2 else { return [:] }
     
     var base64 = parts[1]
+      .replacingOccurrences(of: "-", with: "+")
+      .replacingOccurrences(of: "_", with: "/")
     let remainder = base64.count % 4
     if remainder > 0 {
       base64 += String(repeating: "=", count: 4 - remainder)

package/lib/commonjs/Auth.web.js

@@ -91,7 +91,9 @@ class AuthWeb {
   _grantedScopes = [];
   _listeners = [];
   _tokenListeners = [];
+  _browserStorageResolved = false;
   constructor() {
+    this._config = getConfig();
     this.loadFromCache();
   }
   isPromiseLike(value) {
@@ -127,21 +129,27 @@ class AuthWeb {
     if (this._storageAdapter) {
       return true;
     }
-    return getConfig().nitroAuthPersistTokensOnWeb === true;
+    return this._config.nitroAuthPersistTokensOnWeb === true;
   }
   getWebStorageMode() {
-    const configuredMode = getConfig().nitroAuthWebStorage;
+    const configuredMode = this._config.nitroAuthWebStorage;
     if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
       return configuredMode;
     }
     return STORAGE_MODE_SESSION;
   }
   getBrowserStorage() {
+    if (this._browserStorageResolved) {
+      return this._browserStorageCache;
+    }
+    this._browserStorageResolved = true;
     if (typeof window === "undefined") {
+      this._browserStorageCache = undefined;
       return undefined;
     }
     const mode = this.getWebStorageMode();
     if (mode === STORAGE_MODE_MEMORY) {
+      this._browserStorageCache = undefined;
       return undefined;
     }
     const storage = mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
@@ -149,12 +157,14 @@ class AuthWeb {
       const testKey = "__nitro_auth_storage_probe__";
       storage.setItem(testKey, "1");
       storage.removeItem(testKey);
+      this._browserStorageCache = storage;
       return storage;
     } catch (error) {
       _logger.logger.warn("Configured web storage is unavailable; using in-memory fallback", {
         mode,
         error: String(error)
       });
+      this._browserStorageCache = undefined;
       return undefined;
     }
   }
@@ -371,6 +381,20 @@ class AuthWeb {
     return this._currentUser?.accessToken;
   }
   async refreshToken() {
+    if (this._refreshPromise) {
+      return this._refreshPromise;
+    }
+    const refreshPromise = this.performRefreshToken();
+    this._refreshPromise = refreshPromise;
+    try {
+      return await refreshPromise;
+    } finally {
+      if (this._refreshPromise === refreshPromise) {
+        this._refreshPromise = undefined;
+      }
+    }
+  }
+  async performRefreshToken() {
     if (!this._currentUser) {
       throw new Error("No user logged in");
     }
@@ -380,13 +404,12 @@ class AuthWeb {
       if (!refreshToken) {
         throw new Error("No refresh token available");
       }
-      const config = getConfig();
-      const clientId = config.microsoftClientId;
+      const clientId = this._config.microsoftClientId;
       if (!clientId) {
         throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
       }
-      const tenant = config.microsoftTenant ?? "common";
-      const b2cDomain = config.microsoftB2cDomain;
+      const tenant = this._config.microsoftTenant ?? "common";
+      const b2cDomain = this._config.microsoftB2cDomain;
       const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, b2cDomain);
       const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
       const body = new URLSearchParams({
@@ -480,7 +503,9 @@ class AuthWeb {
     if (!payload) {
       throw new Error("Invalid JWT payload");
     }
-    const decoded = JSON.parse(atob(payload));
+    const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - normalizedPayload.length % 4) % 4);
+    const decoded = JSON.parse(atob(`${normalizedPayload}${padding}`));
     if (!isJsonObject(decoded)) {
       throw new Error("Expected JWT payload to be an object");
     }
@@ -531,8 +556,7 @@ class AuthWeb {
     });
   }
   async loginGoogle(scopes, loginHint) {
-    const config = getConfig();
-    const clientId = config.googleWebClientId;
+    const clientId = this._config.googleWebClientId;
     if (!clientId) {
       throw new Error("Google Web Client ID not configured. Add 'GOOGLE_WEB_CLIENT_ID' to your .env file.");
     }
@@ -603,13 +627,12 @@ class AuthWeb {
     }
   }
   async loginMicrosoft(scopes, loginHint, tenant, prompt) {
-    const config = getConfig();
-    const clientId = config.microsoftClientId;
+    const clientId = this._config.microsoftClientId;
     if (!clientId) {
       throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
     }
-    const effectiveTenant = tenant ?? config.microsoftTenant ?? "common";
-    const b2cDomain = config.microsoftB2cDomain;
+    const effectiveTenant = tenant ?? this._config.microsoftTenant ?? "common";
+    const b2cDomain = this._config.microsoftB2cDomain;
     const authBaseUrl = this.getMicrosoftAuthBaseUrl(effectiveTenant, b2cDomain);
     const effectiveScopes = scopes.length ? scopes : ["openid", "email", "profile", "offline_access", "User.Read"];
     const codeVerifier = this.generateCodeVerifier();
@@ -680,8 +703,7 @@ class AuthWeb {
     return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
   }
   async exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, tenant, expectedNonce, scopes) {
-    const config = getConfig();
-    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, config.microsoftB2cDomain);
+    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, this._config.microsoftB2cDomain);
     const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
     const body = new URLSearchParams({
       client_id: clientId,
@@ -753,45 +775,76 @@ class AuthWeb {
       return {};
     }
   }
-  async loginApple() {
-    const config = getConfig();
-    const clientId = config.appleWebClientId;
-    if (!clientId) {
-      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+  async ensureAppleSdkLoaded() {
+    if (window.AppleID) {
+      return;
     }
-    return new Promise((resolve, reject) => {
-      const script = document.createElement("script");
-      script.src = "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
-      script.async = true;
-      script.onload = () => {
-        if (!window.AppleID) {
-          reject(new Error("Apple SDK not loaded"));
+    if (this._appleSdkLoadPromise) {
+      return this._appleSdkLoadPromise;
+    }
+    this._appleSdkLoadPromise = new Promise((resolve, reject) => {
+      const scriptId = "nitro-auth-apple-sdk";
+      const existingScript = document.getElementById(scriptId);
+      if (existingScript) {
+        if (window.AppleID) {
+          resolve();
           return;
         }
-        window.AppleID.auth.init({
-          clientId,
-          scope: "name email",
-          redirectURI: window.location.origin,
-          usePopup: true
-        });
-        window.AppleID.auth.signIn().then(response => {
-          const user = {
-            provider: "apple",
-            idToken: response.authorization.id_token,
-            email: response.user?.email,
-            name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
-          };
-          this.updateUser(user);
+        existingScript.addEventListener("load", () => {
           resolve();
-        }).catch(err => {
-          reject(this.mapError(err));
+        }, {
+          once: true
+        });
+        existingScript.addEventListener("error", () => {
+          this._appleSdkLoadPromise = undefined;
+          reject(new Error("Failed to load Apple SDK"));
+        }, {
+          once: true
         });
+        return;
+      }
+      const script = document.createElement("script");
+      script.id = scriptId;
+      script.src = "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
+      script.async = true;
+      script.onload = () => {
+        resolve();
       };
       script.onerror = () => {
+        this._appleSdkLoadPromise = undefined;
         reject(new Error("Failed to load Apple SDK"));
       };
       document.head.appendChild(script);
     });
+    return this._appleSdkLoadPromise;
+  }
+  async loginApple() {
+    const clientId = this._config.appleWebClientId;
+    if (!clientId) {
+      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+    }
+    await this.ensureAppleSdkLoaded();
+    if (!window.AppleID) {
+      throw new Error("Apple SDK not loaded");
+    }
+    window.AppleID.auth.init({
+      clientId,
+      scope: "name email",
+      redirectURI: window.location.origin,
+      usePopup: true
+    });
+    try {
+      const response = await window.AppleID.auth.signIn();
+      const user = {
+        provider: "apple",
+        idToken: response.authorization.id_token,
+        email: response.user?.email,
+        name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
+      };
+      this.updateUser(user);
+    } catch (error) {
+      throw this.mapError(error);
+    }
   }
   async silentRestore() {
     _logger.logger.log("Attempting silent restore...");