react-native-nitro-auth 0.5.3 → 0.5.5

package/cpp/AuthCache.cpp

@@ -1,10 +1,5 @@
 #include "AuthCache.hpp"
 
-#ifdef __APPLE__
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#endif
-
 #ifdef __ANDROID__
 #include <jni.h>
 #include <fbjni/fbjni.h>
@@ -12,34 +7,10 @@
 
 namespace margelo::nitro::NitroAuth {
 
-#ifdef __APPLE__
-static std::string sInMemoryUserJson;
-
-void AuthCache::setUserJson(const std::string& json) {
-    sInMemoryUserJson = json;
-}
-
-std::optional<std::string> AuthCache::getUserJson() {
-    if (sInMemoryUserJson.empty()) {
-        return std::nullopt;
-    }
-    return sInMemoryUserJson;
-}
-
-void AuthCache::clear() {
-    sInMemoryUserJson.clear();
-}
-#endif
-
 #ifdef __ANDROID__
 using namespace facebook::jni;
 
-struct JContext : JavaClass<JContext> {
-    static constexpr auto kJavaDescriptor = "Landroid/content/Context;";
-};
-
 static facebook::jni::global_ref<jobject> gContext;
-static std::string sInMemoryUserJson;
 
 void AuthCache::setAndroidContext(void* context) {
     gContext = facebook::jni::make_global(static_cast<jobject>(context));
@@ -48,21 +19,6 @@ void AuthCache::setAndroidContext(void* context) {
 void* AuthCache::getAndroidContext() {
     return gContext.get();
 }
-
-void AuthCache::setUserJson(const std::string& json) {
-    sInMemoryUserJson = json;
-}
-
-std::optional<std::string> AuthCache::getUserJson() {
-    if (sInMemoryUserJson.empty()) {
-        return std::nullopt;
-    }
-    return sInMemoryUserJson;
-}
-
-void AuthCache::clear() {
-    sInMemoryUserJson.clear();
-}
 #endif
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/AuthCache.hpp

@@ -1,16 +1,9 @@
 #pragma once
 
-#include <string>
-#include <optional>
-
 namespace margelo::nitro::NitroAuth {
 
 class AuthCache {
 public:
-  static void setUserJson(const std::string& json);
-  static std::optional<std::string> getUserJson();
-  static void clear();
-
 #ifdef __ANDROID__
   static void setAndroidContext(void* context);
   static void* getAndroidContext();

package/cpp/HybridAuth.cpp

@@ -209,7 +209,16 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 }
 
 std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
-  auto promise = Promise<AuthTokens>::create();
+  std::shared_ptr<Promise<AuthTokens>> promise;
+  {
+    std::lock_guard<std::mutex> lock(_mutex);
+    if (_refreshInFlight) {
+      return _refreshInFlight;
+    }
+    promise = Promise<AuthTokens>::create();
+    _refreshInFlight = promise;
+  }
+
   auto refreshPromise = PlatformAuth::refreshToken();
   refreshPromise->addOnResolvedListener([this, promise](const AuthTokens& tokens) {
     {
@@ -228,13 +237,22 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
           _currentUser->expirationTime = tokens.expirationTime;
         }
       }
+      if (_refreshInFlight == promise) {
+        _refreshInFlight = nullptr;
+      }
     }
     notifyTokensRefreshed(tokens);
     notifyAuthStateChanged();
     promise->resolve(tokens);
   });
   
-  refreshPromise->addOnRejectedListener([promise](const std::exception_ptr& error) {
+  refreshPromise->addOnRejectedListener([this, promise](const std::exception_ptr& error) {
+    {
+      std::lock_guard<std::mutex> lock(_mutex);
+      if (_refreshInFlight == promise) {
+        _refreshInFlight = nullptr;
+      }
+    }
     promise->reject(error);
   });
   return promise;

package/cpp/HybridAuth.hpp

@@ -46,6 +46,7 @@ private:
   
   std::map<int, std::function<void(const AuthTokens&)>> _tokenListeners;
   int _nextTokenListenerId = 0;
+  std::shared_ptr<Promise<AuthTokens>> _refreshInFlight;
   
   std::mutex _mutex;
 

package/ios/AuthAdapter.swift

@@ -114,37 +114,43 @@ public class AuthAdapter: NSObject {
     DispatchQueue.main.async {
       let session = ASWebAuthenticationSession(url: authUrl, callbackURLScheme: callbackScheme) { callbackURL, error in
         if let error = error {
-          if (error as NSError).code == ASWebAuthenticationSessionError.canceledLogin.rawValue {
+          let nsError = error as NSError
+          if nsError.code == ASWebAuthenticationSessionError.canceledLogin.rawValue {
             completion(nil, "cancelled")
+          } else if nsError.domain.lowercased().contains("network") || nsError.code == NSURLErrorNotConnectedToInternet {
+            completion(nil, "network_error")
           } else {
-            completion(nil, error.localizedDescription)
+            completion(nil, "unknown")
           }
           return
         }
-        
+
         guard let callbackURL = callbackURL,
               let components = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false) else {
-          completion(nil, "No response from Microsoft")
+          completion(nil, "unknown")
           return
         }
-        
+
         var params: [String: String] = [:]
         for item in components.queryItems ?? [] {
           params[item.name] = item.value
         }
-        
+
         if let errorCode = params["error"] {
-          completion(nil, params["error_description"] ?? errorCode)
+          // OAuth error codes are already structured (e.g. "access_denied").
+          // Map well-known ones; fall back to "unknown".
+          let mapped = mapOAuthError(errorCode)
+          completion(nil, mapped)
           return
         }
-        
+
         guard let returnedState = params["state"], returnedState == state else {
-          completion(nil, "State mismatch - possible CSRF attack")
+          completion(nil, "invalid_state")
           return
         }
-        
+
         guard let code = params["code"] else {
-          completion(nil, "No authorization code in response")
+          completion(nil, "unknown")
           return
         }
         
@@ -230,30 +236,34 @@ public class AuthAdapter: NSObject {
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
         if let error = error {
-          completion(nil, error.localizedDescription)
+          let nsError = error as NSError
+          if nsError.code == NSURLErrorNotConnectedToInternet || nsError.code == NSURLErrorTimedOut {
+            completion(nil, "network_error")
+          } else {
+            completion(nil, "network_error")
+          }
           return
         }
-        
+
         guard let data = data,
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-          completion(nil, "Failed to parse token response")
+          completion(nil, "parse_error")
           return
         }
-        
+
         if let errorCode = json["error"] as? String {
-          let desc = json["error_description"] as? String ?? errorCode
-          completion(nil, desc)
+          completion(nil, mapOAuthError(errorCode))
           return
         }
-        
+
         guard let idToken = json["id_token"] as? String else {
-          completion(nil, "No id_token in token response")
+          completion(nil, "no_id_token")
           return
         }
-        
+
         let claims = decodeJwt(idToken)
         guard claims["nonce"] == expectedNonce else {
-          completion(nil, "Nonce mismatch - token may be replayed")
+          completion(nil, "invalid_nonce")
           return
         }
         
@@ -288,6 +298,8 @@ public class AuthAdapter: NSObject {
     guard parts.count >= 2 else { return [:] }
     
     var base64 = parts[1]
+      .replacingOccurrences(of: "-", with: "+")
+      .replacingOccurrences(of: "_", with: "/")
     let remainder = base64.count % 4
     if remainder > 0 {
       base64 += String(repeating: "=", count: 4 - remainder)
@@ -309,7 +321,7 @@ public class AuthAdapter: NSObject {
 
   private static func handleGoogleResult(_ result: GIDSignInResult?, error: Error?, completion: @escaping (NSDictionary?, String?) -> Void) {
     if let error = error {
-      completion(nil, error.localizedDescription)
+      completion(nil, mapError(error))
       return
     }
     
@@ -337,15 +349,39 @@ public class AuthAdapter: NSObject {
 
   static func mapError(_ error: Error) -> String {
     let nsError = error as NSError
+    // GIDSignIn error codes
     if nsError.domain == "com.google.GIDSignIn" {
-      if nsError.code == -5 { return "cancelled" }
+      switch nsError.code {
+      case -5: return "cancelled"   // GIDSignInErrorCodeCanceled
+      case -4: return "network_error" // GIDSignInErrorCodeNoCurrentUser (used for network issues)
+      default: break
+      }
+    }
+    // ASAuthorizationError codes (Apple Sign-In / ASWebAuthenticationSession)
+    if nsError.domain == ASAuthorizationError.errorDomain {
+      switch nsError.code {
+      case ASAuthorizationError.canceled.rawValue: return "cancelled"
+      case ASAuthorizationError.invalidResponse.rawValue: return "configuration_error"
+      default: return "unknown"
+      }
     }
     let msg = error.localizedDescription.lowercased()
     if msg.contains("cancel") { return "cancelled" }
-    if msg.contains("network") { return "network_error" }
+    if msg.contains("network") || msg.contains("internet") || msg.contains("offline") { return "network_error" }
     return "unknown"
   }
 
+  /// Maps OAuth 2.0 error codes (returned in query params or JSON) to AuthErrorCode values.
+  private static func mapOAuthError(_ oauthCode: String) -> String {
+    switch oauthCode {
+    case "access_denied": return "cancelled"
+    case "invalid_client", "unauthorized_client", "invalid_scope": return "configuration_error"
+    case "invalid_grant", "invalid_request": return "token_error"
+    case "temporarily_unavailable", "server_error": return "network_error"
+    default: return "unknown"
+    }
+  }
+
   @objc
   public static func addScopes(scopes: [String], completion: @escaping (NSDictionary?, String?) -> Void) {
     if let currentUser = GIDSignIn.sharedInstance.currentUser {
@@ -512,16 +548,16 @@ public class AuthAdapter: NSObject {
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
         if let error = error {
-          completion(nil, error.localizedDescription)
+          completion(nil, "network_error")
           return
         }
         guard let data = data,
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-          completion(nil, "Token refresh failed")
+          completion(nil, "parse_error")
           return
         }
         if let errorCode = json["error"] as? String {
-          completion(nil, (json["error_description"] as? String) ?? errorCode)
+          completion(nil, AuthAdapter.mapOAuthError(errorCode))
           return
         }
         let idToken = json["id_token"] as? String ?? ""
@@ -593,7 +629,7 @@ class AppleSignInDelegate: NSObject, ASAuthorizationControllerDelegate {
   }
   
   func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
-    completion(nil, error.localizedDescription)
+    completion(nil, AuthAdapter.mapError(error))
   }
 }
 

package/lib/commonjs/Auth.web.js

@@ -91,7 +91,9 @@ class AuthWeb {
   _grantedScopes = [];
   _listeners = [];
   _tokenListeners = [];
+  _browserStorageResolved = false;
   constructor() {
+    this._config = getConfig();
     this.loadFromCache();
   }
   isPromiseLike(value) {
@@ -127,21 +129,27 @@ class AuthWeb {
     if (this._storageAdapter) {
       return true;
     }
-    return getConfig().nitroAuthPersistTokensOnWeb === true;
+    return this._config.nitroAuthPersistTokensOnWeb === true;
   }
   getWebStorageMode() {
-    const configuredMode = getConfig().nitroAuthWebStorage;
+    const configuredMode = this._config.nitroAuthWebStorage;
     if (configuredMode && WEB_STORAGE_MODES.has(configuredMode)) {
       return configuredMode;
     }
     return STORAGE_MODE_SESSION;
   }
   getBrowserStorage() {
+    if (this._browserStorageResolved) {
+      return this._browserStorageCache;
+    }
+    this._browserStorageResolved = true;
     if (typeof window === "undefined") {
+      this._browserStorageCache = undefined;
       return undefined;
     }
     const mode = this.getWebStorageMode();
     if (mode === STORAGE_MODE_MEMORY) {
+      this._browserStorageCache = undefined;
       return undefined;
     }
     const storage = mode === STORAGE_MODE_LOCAL ? window.localStorage : window.sessionStorage;
@@ -149,12 +157,14 @@ class AuthWeb {
       const testKey = "__nitro_auth_storage_probe__";
       storage.setItem(testKey, "1");
       storage.removeItem(testKey);
+      this._browserStorageCache = storage;
       return storage;
     } catch (error) {
       _logger.logger.warn("Configured web storage is unavailable; using in-memory fallback", {
         mode,
         error: String(error)
       });
+      this._browserStorageCache = undefined;
       return undefined;
     }
   }
@@ -371,6 +381,20 @@ class AuthWeb {
     return this._currentUser?.accessToken;
   }
   async refreshToken() {
+    if (this._refreshPromise) {
+      return this._refreshPromise;
+    }
+    const refreshPromise = this.performRefreshToken();
+    this._refreshPromise = refreshPromise;
+    try {
+      return await refreshPromise;
+    } finally {
+      if (this._refreshPromise === refreshPromise) {
+        this._refreshPromise = undefined;
+      }
+    }
+  }
+  async performRefreshToken() {
     if (!this._currentUser) {
       throw new Error("No user logged in");
     }
@@ -380,13 +404,12 @@ class AuthWeb {
       if (!refreshToken) {
         throw new Error("No refresh token available");
       }
-      const config = getConfig();
-      const clientId = config.microsoftClientId;
+      const clientId = this._config.microsoftClientId;
       if (!clientId) {
         throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
       }
-      const tenant = config.microsoftTenant ?? "common";
-      const b2cDomain = config.microsoftB2cDomain;
+      const tenant = this._config.microsoftTenant ?? "common";
+      const b2cDomain = this._config.microsoftB2cDomain;
       const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, b2cDomain);
       const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
       const body = new URLSearchParams({
@@ -480,7 +503,9 @@ class AuthWeb {
     if (!payload) {
       throw new Error("Invalid JWT payload");
     }
-    const decoded = JSON.parse(atob(payload));
+    const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = "=".repeat((4 - normalizedPayload.length % 4) % 4);
+    const decoded = JSON.parse(atob(`${normalizedPayload}${padding}`));
     if (!isJsonObject(decoded)) {
       throw new Error("Expected JWT payload to be an object");
     }
@@ -531,8 +556,7 @@ class AuthWeb {
     });
   }
   async loginGoogle(scopes, loginHint) {
-    const config = getConfig();
-    const clientId = config.googleWebClientId;
+    const clientId = this._config.googleWebClientId;
     if (!clientId) {
       throw new Error("Google Web Client ID not configured. Add 'GOOGLE_WEB_CLIENT_ID' to your .env file.");
     }
@@ -603,13 +627,12 @@ class AuthWeb {
     }
   }
   async loginMicrosoft(scopes, loginHint, tenant, prompt) {
-    const config = getConfig();
-    const clientId = config.microsoftClientId;
+    const clientId = this._config.microsoftClientId;
     if (!clientId) {
       throw new Error("Microsoft Client ID not configured. Add 'microsoftClientId' to expo.extra in your app.config.js");
     }
-    const effectiveTenant = tenant ?? config.microsoftTenant ?? "common";
-    const b2cDomain = config.microsoftB2cDomain;
+    const effectiveTenant = tenant ?? this._config.microsoftTenant ?? "common";
+    const b2cDomain = this._config.microsoftB2cDomain;
     const authBaseUrl = this.getMicrosoftAuthBaseUrl(effectiveTenant, b2cDomain);
     const effectiveScopes = scopes.length ? scopes : ["openid", "email", "profile", "offline_access", "User.Read"];
     const codeVerifier = this.generateCodeVerifier();
@@ -680,8 +703,7 @@ class AuthWeb {
     return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
   }
   async exchangeMicrosoftCodeForTokens(code, codeVerifier, clientId, redirectUri, tenant, expectedNonce, scopes) {
-    const config = getConfig();
-    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, config.microsoftB2cDomain);
+    const authBaseUrl = this.getMicrosoftAuthBaseUrl(tenant, this._config.microsoftB2cDomain);
     const tokenUrl = `${authBaseUrl}oauth2/v2.0/token`;
     const body = new URLSearchParams({
       client_id: clientId,
@@ -753,45 +775,76 @@ class AuthWeb {
       return {};
     }
   }
-  async loginApple() {
-    const config = getConfig();
-    const clientId = config.appleWebClientId;
-    if (!clientId) {
-      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+  async ensureAppleSdkLoaded() {
+    if (window.AppleID) {
+      return;
     }
-    return new Promise((resolve, reject) => {
-      const script = document.createElement("script");
-      script.src = "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
-      script.async = true;
-      script.onload = () => {
-        if (!window.AppleID) {
-          reject(new Error("Apple SDK not loaded"));
+    if (this._appleSdkLoadPromise) {
+      return this._appleSdkLoadPromise;
+    }
+    this._appleSdkLoadPromise = new Promise((resolve, reject) => {
+      const scriptId = "nitro-auth-apple-sdk";
+      const existingScript = document.getElementById(scriptId);
+      if (existingScript) {
+        if (window.AppleID) {
+          resolve();
           return;
         }
-        window.AppleID.auth.init({
-          clientId,
-          scope: "name email",
-          redirectURI: window.location.origin,
-          usePopup: true
-        });
-        window.AppleID.auth.signIn().then(response => {
-          const user = {
-            provider: "apple",
-            idToken: response.authorization.id_token,
-            email: response.user?.email,
-            name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
-          };
-          this.updateUser(user);
+        existingScript.addEventListener("load", () => {
           resolve();
-        }).catch(err => {
-          reject(this.mapError(err));
+        }, {
+          once: true
+        });
+        existingScript.addEventListener("error", () => {
+          this._appleSdkLoadPromise = undefined;
+          reject(new Error("Failed to load Apple SDK"));
+        }, {
+          once: true
         });
+        return;
+      }
+      const script = document.createElement("script");
+      script.id = scriptId;
+      script.src = "https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js";
+      script.async = true;
+      script.onload = () => {
+        resolve();
       };
       script.onerror = () => {
+        this._appleSdkLoadPromise = undefined;
         reject(new Error("Failed to load Apple SDK"));
       };
       document.head.appendChild(script);
     });
+    return this._appleSdkLoadPromise;
+  }
+  async loginApple() {
+    const clientId = this._config.appleWebClientId;
+    if (!clientId) {
+      throw new Error("Apple Web Client ID not configured. Add 'APPLE_WEB_CLIENT_ID' to your .env file.");
+    }
+    await this.ensureAppleSdkLoaded();
+    if (!window.AppleID) {
+      throw new Error("Apple SDK not loaded");
+    }
+    window.AppleID.auth.init({
+      clientId,
+      scope: "name email",
+      redirectURI: window.location.origin,
+      usePopup: true
+    });
+    try {
+      const response = await window.AppleID.auth.signIn();
+      const user = {
+        provider: "apple",
+        idToken: response.authorization.id_token,
+        email: response.user?.email,
+        name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
+      };
+      this.updateUser(user);
+    } catch (error) {
+      throw this.mapError(error);
+    }
   }
   async silentRestore() {
     _logger.logger.log("Attempting silent restore...");