react-native-nitro-auth 0.5.5 → 0.5.7

package/README.md

@@ -308,12 +308,13 @@ To enable Microsoft Sign-In, you need to register an application in the Azure Po
   - `nitro_auth_microsoft_client_id`
   - `nitro_auth_microsoft_tenant` (optional)
   - `nitro_auth_microsoft_b2c_domain` (optional)
-- Add the Microsoft redirect activity to `AndroidManifest.xml`:
+- `MicrosoftAuthActivity` is **automatically declared** by the library manifest — no manual `AndroidManifest.xml` entry is required for basic Microsoft OAuth redirect handling. If you need to customize the intent-filter (e.g., restrict the host/path to your specific package and client ID), you can override it in your app manifest:
 
 ```xml
 <activity
   android:name="com.auth.MicrosoftAuthActivity"
-  android:exported="true">
+  android:exported="true"
+  android:launchMode="singleTask">
   <intent-filter>
     <action android:name="android.intent.action.VIEW" />
     <category android:name="android.intent.category.DEFAULT" />
@@ -693,19 +694,23 @@ try {
 }
 ```
 
-| Error Code             | Description                                    |
-| ---------------------- | ---------------------------------------------- |
-| `cancelled`            | The user cancelled the sign-in flow            |
-| `network_error`        | A network error occurred                       |
-| `configuration_error`  | Missing client IDs or invalid setup            |
-| `unsupported_provider` | The provider is not supported on this platform |
-| `invalid_state`        | PKCE state mismatch (possible CSRF)            |
-| `invalid_nonce`        | Nonce mismatch in token response               |
-| `token_error`          | Token exchange failed                          |
-| `no_id_token`          | No `id_token` in token response                |
-| `parse_error`          | Failed to parse token response                 |
-| `refresh_failed`       | Refresh token flow failed                      |
-| `unknown`              | An unknown error occurred                      |
+| Error Code             | Description                                                     |
+| ---------------------- | --------------------------------------------------------------- |
+| `cancelled`            | The user cancelled the sign-in flow or dismissed the popup      |
+| `timeout`              | The login popup/flow timed out                                  |
+| `popup_blocked`        | The browser blocked the popup window                            |
+| `network_error`        | A network or connectivity error occurred                        |
+| `configuration_error`  | Missing client IDs, invalid tenant, or misconfigured setup      |
+| `not_signed_in`        | The operation requires an authenticated user/session            |
+| `operation_in_progress`| Another auth flow of the same kind is already running           |
+| `unsupported_provider` | The provider is not supported on this platform                  |
+| `invalid_state`        | PKCE state mismatch — possible CSRF attack                      |
+| `invalid_nonce`        | Nonce mismatch in token response — possible replay attack       |
+| `token_error`          | Token exchange or storage failed                                |
+| `no_id_token`          | No `id_token` in token response                                 |
+| `parse_error`          | Failed to parse token response                                  |
+| `refresh_failed`       | Refresh token flow failed (token may be expired or revoked)     |
+| `unknown`              | An unknown or unmapped error occurred                           |
 
 ### Native Error Metadata
 
@@ -729,10 +734,12 @@ The `AuthUser.underlyingError` field carries a raw warning string when the provi
 
 ### Troubleshooting
 
-- `configuration_error`: verify client IDs, URL schemes, and redirect URIs are set for the current platform.
-- `invalid_state` or `invalid_nonce`: ensure the redirect URI in your provider console matches your app config exactly.
+- `configuration_error`: verify client IDs, URL schemes, and redirect URIs are set for the current platform. On Android, check that the `microsoftTenant` is a non-empty valid value.
+- `invalid_state` or `invalid_nonce`: ensure the redirect URI in your provider console matches your app config exactly. These indicate a potential CSRF or replay attack — do not retry silently.
+- `refresh_failed`: the refresh token is likely expired or revoked. Clear the session and prompt the user to sign in again. On Android and web, structured error details from the provider (e.g. `invalid_grant`) are surfaced via `error.underlyingMessage`.
 - `hasPlayServices` is false: prompt the user to install/update Google Play Services or disable One-Tap.
 - Apple web login fails: confirm `appleWebClientId` is set and your domain is registered with Apple.
+- Microsoft Android redirect hangs: confirm the `msauth://` redirect URI in your Azure app matches your package name and client ID.
 
 ### Automatic Token Refresh
 
@@ -798,6 +805,8 @@ This is useful for scenarios where:
 - You need to ensure the user can select any account they've added to their device
 - The cached session is interfering with the expected account selection UX
 
+On Android, `forceAccountPicker` routes through the legacy Google Sign-In chooser to guarantee the account picker appears. Credential Manager / One-Tap remains the default when the chooser is not forced.
+
 ## API Reference
 
 ### Package Exports
@@ -825,7 +834,7 @@ import {
 | Type              | Definition                                                                                                                                                                                                                                    |
 | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `AuthProvider`    | `"google" \| "apple" \| "microsoft"`                                                                                                                                                                                                          |
-| `AuthErrorCode`   | `"cancelled" \| "timeout" \| "popup_blocked" \| "network_error" \| "configuration_error" \| "unsupported_provider" \| "invalid_state" \| "invalid_nonce" \| "token_error" \| "no_id_token" \| "parse_error" \| "refresh_failed" \| "unknown"` |
+| `AuthErrorCode`   | `"cancelled" \| "timeout" \| "popup_blocked" \| "network_error" \| "configuration_error" \| "not_signed_in" \| "operation_in_progress" \| "unsupported_provider" \| "invalid_state" \| "invalid_nonce" \| "token_error" \| "no_id_token" \| "parse_error" \| "refresh_failed" \| "unknown"` |
 | `MicrosoftPrompt` | `"login" \| "consent" \| "select_account" \| "none"`                                                                                                                                                                                          |
 
 ### `AuthUser`
@@ -864,7 +873,7 @@ import {
 | `loginHint`             | `string`          | All       | Prefills account identifier                                                       |
 | `useOneTap`             | `boolean`         | Android   | Use Credential Manager/One-Tap flow                                               |
 | `useSheet`              | `boolean`         | iOS       | Use native Google Sign-In sheet                                                   |
-| `forceAccountPicker`    | `boolean`         | All       | Always show account chooser                                                       |
+| `forceAccountPicker`    | `boolean`         | All       | Always show account chooser; Android Google uses the legacy chooser path          |
 | `useLegacyGoogleSignIn` | `boolean`         | Android   | Use legacy Google Sign-In (required when you need `serverAuthCode`)               |
 | `tenant`                | `string`          | Microsoft | Tenant (`common`, `organizations`, `consumers`, tenant id, or full authority URL) |
 | `prompt`                | `MicrosoftPrompt` | Microsoft | Prompt behavior                                                                   |
@@ -998,6 +1007,8 @@ function toAuthErrorCode(raw: string): AuthErrorCode; // Returns "unknown" for u
 | `popup_blocked`        | Browser blocked popup opening                  |
 | `network_error`        | Network failure                                |
 | `configuration_error`  | Missing/invalid provider configuration         |
+| `not_signed_in`        | Operation requires an active authenticated user |
+| `operation_in_progress`| Another auth flow is already running           |
 | `unsupported_provider` | Provider not supported on this platform        |
 | `invalid_state`        | PKCE state mismatch (possible CSRF)            |
 | `invalid_nonce`        | Nonce mismatch in token response               |

package/android/proguard-rules.pro

@@ -1,4 +1,10 @@
 # Nitro Auth Proguard Rules
--keep class com.auth.** { *; }
+-keep class com.auth.AuthAdapter {
+    public static <methods>;
+}
+-keep class com.auth.MicrosoftAuthActivity { *; }
+-keep class com.auth.GoogleSignInActivity { *; }
+-keep class com.auth.NitroAuthModule { *; }
+-keep class com.auth.NitroAuthPackage { *; }
 -keep class com.margelo.nitro.com.auth.** { *; }
 -keep class com.google.android.gms.auth.api.signin.** { *; }

package/android/src/main/AndroidManifest.xml

@@ -8,5 +8,17 @@
             android:name="com.auth.GoogleSignInActivity"
             android:theme="@android:style/Theme.Translucent.NoTitleBar"
             android:exported="false" />
+        <activity
+            android:name="com.auth.MicrosoftAuthActivity"
+            android:exported="true"
+            android:theme="@android:style/Theme.Translucent.NoTitleBar"
+            android:launchMode="singleTask">
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data android:scheme="msauth" />
+            </intent-filter>
+        </activity>
     </application>
 </manifest>

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -13,14 +13,6 @@ namespace margelo::nitro::NitroAuth {
 
 using namespace facebook::jni;
 
-struct JContext : JavaClass<JContext> {
-    static constexpr auto kJavaDescriptor = "Landroid/content/Context;";
-};
-
-struct JAuthAdapter : JavaClass<JAuthAdapter> {
-    static constexpr auto kJavaDescriptor = "Lcom/auth/AuthAdapter;";
-};
-
 static std::shared_ptr<Promise<AuthUser>> gLoginPromise;
 static std::shared_ptr<Promise<AuthUser>> gScopesPromise;
 static std::shared_ptr<Promise<AuthTokens>> gRefreshPromise;
@@ -29,29 +21,84 @@ static std::mutex gMutex;
 static jclass gAuthAdapterClass = nullptr;
 static jmethodID gLoginMethod = nullptr;
 static jmethodID gRequestScopesMethod = nullptr;
+static jmethodID gRefreshMethod = nullptr;
+static jmethodID gRestoreMethod = nullptr;
+static jmethodID gHasPlayMethod = nullptr;
+static jmethodID gLogoutMethod = nullptr;
+
+// Call from JNI_OnUnload or dispose to prevent stale refs after a module reload.
+static void clearCachedJniRefs(JNIEnv* env) {
+    if (gAuthAdapterClass != nullptr) {
+        env->DeleteGlobalRef(gAuthAdapterClass);
+        gAuthAdapterClass = nullptr;
+    }
+    gLoginMethod = nullptr;
+    gRequestScopesMethod = nullptr;
+    gRefreshMethod = nullptr;
+    gRestoreMethod = nullptr;
+    gHasPlayMethod = nullptr;
+    gLogoutMethod = nullptr;
+}
 
 static void ensureAuthAdapterMethods(JNIEnv* env) {
-    if (gAuthAdapterClass != nullptr && gLoginMethod != nullptr && gRequestScopesMethod != nullptr) {
+    if (gAuthAdapterClass != nullptr && gLoginMethod != nullptr
+        && gRequestScopesMethod != nullptr && gRefreshMethod != nullptr
+        && gRestoreMethod != nullptr && gHasPlayMethod != nullptr
+        && gLogoutMethod != nullptr) {
         return;
     }
 
-    jclass localAdapterClass = env->FindClass("com/auth/AuthAdapter");
-    if (localAdapterClass == nullptr) {
-        throw std::runtime_error("Unable to resolve com/auth/AuthAdapter");
+    if (gAuthAdapterClass == nullptr) {
+        jclass localAdapterClass = env->FindClass("com/auth/AuthAdapter");
+        if (localAdapterClass == nullptr) {
+            throw std::runtime_error("Unable to resolve com/auth/AuthAdapter");
+        }
+        gAuthAdapterClass = static_cast<jclass>(env->NewGlobalRef(localAdapterClass));
+        env->DeleteLocalRef(localAdapterClass);
     }
-    gAuthAdapterClass = static_cast<jclass>(env->NewGlobalRef(localAdapterClass));
-    env->DeleteLocalRef(localAdapterClass);
 
-    gLoginMethod = env->GetStaticMethodID(
-        gAuthAdapterClass,
-        "loginSync",
-        "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;ZZZLjava/lang/String;Ljava/lang/String;)V"
-    );
-    gRequestScopesMethod = env->GetStaticMethodID(
-        gAuthAdapterClass,
-        "requestScopesSync",
-        "(Landroid/content/Context;[Ljava/lang/String;)V"
-    );
+    if (gLoginMethod == nullptr) {
+        gLoginMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "loginSync",
+            "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;ZZZLjava/lang/String;Ljava/lang/String;)V"
+        );
+    }
+    if (gRequestScopesMethod == nullptr) {
+        gRequestScopesMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "requestScopesSync",
+            "(Landroid/content/Context;[Ljava/lang/String;)V"
+        );
+    }
+    if (gRefreshMethod == nullptr) {
+        gRefreshMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "refreshTokenSync",
+            "(Landroid/content/Context;)V"
+        );
+    }
+    if (gRestoreMethod == nullptr) {
+        gRestoreMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "restoreSession",
+            "(Landroid/content/Context;)V"
+        );
+    }
+    if (gHasPlayMethod == nullptr) {
+        gHasPlayMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "hasPlayServices",
+            "(Landroid/content/Context;)Z"
+        );
+    }
+    if (gLogoutMethod == nullptr) {
+        gLogoutMethod = env->GetStaticMethodID(
+            gAuthAdapterClass,
+            "logoutSync",
+            "(Landroid/content/Context;)V"
+        );
+    }
 }
 
 std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
@@ -61,11 +108,12 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         promise->reject(std::make_exception_ptr(std::runtime_error("Android Context not initialized")));
         return promise;
     }
-    
+
     {
         std::lock_guard<std::mutex> lock(gMutex);
         if (gLoginPromise) {
-            gLoginPromise->reject(std::make_exception_ptr(std::runtime_error("Login request superseded by a newer request")));
+            promise->reject(std::make_exception_ptr(std::runtime_error("operation_in_progress")));
+            return promise;
         }
         gLoginPromise = promise;
     }
@@ -106,15 +154,20 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
     try {
         ensureAuthAdapterMethods(env);
     } catch (...) {
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gLoginPromise = nullptr;
+        }
         promise->reject(std::current_exception());
         return promise;
     }
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
     for (size_t i = 0; i < scopes.size(); i++) {
-        env->SetObjectArrayElement(jScopes, i, make_jstring(scopes[i]).get());
+        auto jstr = make_jstring(scopes[i]);
+        env->SetObjectArrayElement(jScopes, i, jstr.get());
     }
-    
+
     local_ref<JString> providerRef = make_jstring(providerStr);
     local_ref<JString> loginHintRef;
     local_ref<JString> tenantRef;
@@ -130,8 +183,8 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         promptRef = make_jstring(prompt.value());
     }
 
-    env->CallStaticVoidMethod(gAuthAdapterClass, gLoginMethod, 
-        contextPtr, 
+    env->CallStaticVoidMethod(gAuthAdapterClass, gLoginMethod,
+        contextPtr,
         providerRef.get(),
         nullptr,
         jScopes,
@@ -144,7 +197,18 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
 
     env->DeleteLocalRef(jScopes);
     env->DeleteLocalRef(stringClass);
-    
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gLoginPromise = nullptr;
+        }
+        promise->reject(std::make_exception_ptr(std::runtime_error("JNI call failed")));
+        return promise;
+    }
+
     return promise;
 }
 
@@ -159,7 +223,8 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::requestScopes(const std::vector
     {
         std::lock_guard<std::mutex> lock(gMutex);
         if (gScopesPromise) {
-            gScopesPromise->reject(std::make_exception_ptr(std::runtime_error("Scope request superseded by a newer request")));
+            promise->reject(std::make_exception_ptr(std::runtime_error("operation_in_progress")));
+            return promise;
         }
         gScopesPromise = promise;
     }
@@ -168,18 +233,35 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::requestScopes(const std::vector
     try {
         ensureAuthAdapterMethods(env);
     } catch (...) {
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gScopesPromise = nullptr;
+        }
         promise->reject(std::current_exception());
         return promise;
     }
     jclass stringClass = env->FindClass("java/lang/String");
     jobjectArray jScopes = env->NewObjectArray(scopes.size(), stringClass, nullptr);
     for (size_t i = 0; i < scopes.size(); i++) {
-        env->SetObjectArrayElement(jScopes, i, make_jstring(scopes[i]).get());
+        auto jstr = make_jstring(scopes[i]);
+        env->SetObjectArrayElement(jScopes, i, jstr.get());
     }
-    
+
     env->CallStaticVoidMethod(gAuthAdapterClass, gRequestScopesMethod, contextPtr, jScopes);
     env->DeleteLocalRef(jScopes);
     env->DeleteLocalRef(stringClass);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gScopesPromise = nullptr;
+        }
+        promise->reject(std::make_exception_ptr(std::runtime_error("JNI call failed")));
+        return promise;
+    }
+
     return promise;
 }
 
@@ -194,14 +276,37 @@ std::shared_ptr<Promise<AuthTokens>> PlatformAuth::refreshToken() {
     {
         std::lock_guard<std::mutex> lock(gMutex);
         if (gRefreshPromise) {
-            gRefreshPromise->reject(std::make_exception_ptr(std::runtime_error("Refresh request superseded by a newer request")));
+            promise->reject(std::make_exception_ptr(std::runtime_error("operation_in_progress")));
+            return promise;
         }
         gRefreshPromise = promise;
     }
     
-    auto jContext = wrap_alias(contextPtr);
-    static auto refreshMethod = JAuthAdapter::javaClassStatic()->getStaticMethod<void(alias_ref<JContext>)>("refreshTokenSync");
-    refreshMethod(JAuthAdapter::javaClassStatic(), static_ref_cast<JContext>(jContext));
+    JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gRefreshPromise = nullptr;
+        }
+        promise->reject(std::current_exception());
+        return promise;
+    }
+
+    env->CallStaticVoidMethod(gAuthAdapterClass, gRefreshMethod, contextPtr);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gRefreshPromise = nullptr;
+        }
+        promise->reject(std::make_exception_ptr(std::runtime_error("JNI call failed")));
+        return promise;
+    }
+
     return promise;
 }
 
@@ -216,33 +321,79 @@ std::shared_ptr<Promise<std::optional<AuthUser>>> PlatformAuth::silentRestore()
     {
         std::lock_guard<std::mutex> lock(gMutex);
         if (gSilentPromise) {
-            gSilentPromise->reject(std::make_exception_ptr(std::runtime_error("Silent restore superseded by a newer request")));
+            promise->reject(std::make_exception_ptr(std::runtime_error("operation_in_progress")));
+            return promise;
         }
         gSilentPromise = promise;
     }
 
-    auto jContext = wrap_alias(contextPtr);
-    static auto restoreMethod = JAuthAdapter::javaClassStatic()->getStaticMethod<void(alias_ref<JContext>)>("restoreSession");
-    restoreMethod(JAuthAdapter::javaClassStatic(), static_ref_cast<JContext>(jContext));
+    JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gSilentPromise = nullptr;
+        }
+        promise->reject(std::current_exception());
+        return promise;
+    }
+
+    env->CallStaticVoidMethod(gAuthAdapterClass, gRestoreMethod, contextPtr);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        {
+            std::lock_guard<std::mutex> lock(gMutex);
+            gSilentPromise = nullptr;
+        }
+        promise->reject(std::make_exception_ptr(std::runtime_error("JNI call failed")));
+        return promise;
+    }
+
     return promise;
 }
 
 bool PlatformAuth::hasPlayServices() {
     auto contextPtr = static_cast<jobject>(AuthCache::getAndroidContext());
     if (!contextPtr) return false;
-    
-    auto jContext = wrap_alias(contextPtr);
-    static auto hasPlayMethod = JAuthAdapter::javaClassStatic()->getStaticMethod<jboolean(alias_ref<JContext>)>("hasPlayServices");
-    return hasPlayMethod(JAuthAdapter::javaClassStatic(), static_ref_cast<JContext>(jContext));
+
+    JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        return false;
+    }
+
+    jboolean result = env->CallStaticBooleanMethod(gAuthAdapterClass, gHasPlayMethod, contextPtr);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+        return false;
+    }
+
+    return result;
 }
 
 void PlatformAuth::logout() {
     auto contextPtr = static_cast<jobject>(AuthCache::getAndroidContext());
     if (!contextPtr) return;
 
-    auto jContext = wrap_alias(contextPtr);
-    static auto logoutMethod = JAuthAdapter::javaClassStatic()->getStaticMethod<void(alias_ref<JContext>)>("logoutSync");
-    logoutMethod(JAuthAdapter::javaClassStatic(), static_ref_cast<JContext>(jContext));
+    JNIEnv* env = Environment::current();
+    try {
+        ensureAuthAdapterMethods(env);
+    } catch (...) {
+        return;
+    }
+
+    env->CallStaticVoidMethod(gAuthAdapterClass, gLogoutMethod, contextPtr);
+
+    if (env->ExceptionCheck()) {
+        env->ExceptionDescribe();
+        env->ExceptionClear();
+    }
 }
 
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeInitialize(JNIEnv*, jclass, jobject context) {
@@ -250,22 +401,30 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeInitialize(JNI
 }
 
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess(
-    JNIEnv* env, jclass, 
-    jstring provider, jstring email, jstring name, jstring photo, jstring idToken, jstring accessToken, jstring serverAuthCode, jobjectArray scopes, jobject expirationTime) {
-    
+    JNIEnv* env, jclass,
+    jstring origin, jstring provider, jstring email, jstring name, jstring photo, jstring idToken, jstring accessToken, jstring serverAuthCode, jobjectArray scopes, jobject expirationTime) {
+
+    const char* originCStr = env->GetStringUTFChars(origin, nullptr);
+    std::string originStr(originCStr);
+    env->ReleaseStringUTFChars(origin, originCStr);
+
     std::shared_ptr<Promise<AuthUser>> loginPromise;
     std::shared_ptr<Promise<AuthUser>> scopesPromise;
     std::shared_ptr<Promise<std::optional<AuthUser>>> silentPromise;
     {
         std::lock_guard<std::mutex> lock(gMutex);
-        loginPromise = gLoginPromise;
-        gLoginPromise = nullptr;
-        scopesPromise = gScopesPromise;
-        gScopesPromise = nullptr;
-        silentPromise = gSilentPromise;
-        gSilentPromise = nullptr;
+        if (originStr == "login") {
+            loginPromise = gLoginPromise;
+            gLoginPromise = nullptr;
+        } else if (originStr == "scopes") {
+            scopesPromise = gScopesPromise;
+            gScopesPromise = nullptr;
+        } else if (originStr == "silent") {
+            silentPromise = gSilentPromise;
+            gSilentPromise = nullptr;
+        }
     }
-    
+
     AuthUser user;
     const char* providerCStr = env->GetStringUTFChars(provider, nullptr);
     std::string providerStr(providerCStr);
@@ -333,19 +492,27 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginSuccess
 }
 
 extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginError(
-    JNIEnv* env, jclass, jstring error, jstring underlyingError) {
-    
+    JNIEnv* env, jclass, jstring origin, jstring error, jstring underlyingError) {
+
+    const char* originCStr = env->GetStringUTFChars(origin, nullptr);
+    std::string originStr(originCStr);
+    env->ReleaseStringUTFChars(origin, originCStr);
+
     std::shared_ptr<Promise<AuthUser>> loginPromise;
     std::shared_ptr<Promise<AuthUser>> scopesPromise;
     std::shared_ptr<Promise<std::optional<AuthUser>>> silentPromise;
     {
         std::lock_guard<std::mutex> lock(gMutex);
-        loginPromise = gLoginPromise;
-        gLoginPromise = nullptr;
-        scopesPromise = gScopesPromise;
-        gScopesPromise = nullptr;
-        silentPromise = gSilentPromise;
-        gSilentPromise = nullptr;
+        if (originStr == "login") {
+            loginPromise = gLoginPromise;
+            gLoginPromise = nullptr;
+        } else if (originStr == "scopes") {
+            scopesPromise = gScopesPromise;
+            gScopesPromise = nullptr;
+        } else if (originStr == "silent") {
+            silentPromise = gSilentPromise;
+            gSilentPromise = nullptr;
+        }
     }
     
     const char* errorCStr = env->GetStringUTFChars(error, nullptr);
@@ -364,7 +531,7 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginError(
     if (loginPromise) loginPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     if (scopesPromise) scopesPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     if (silentPromise) {
-        if (errorStr == "No session") silentPromise->resolve(std::nullopt);
+        if (errorStr == "not_signed_in") silentPromise->resolve(std::nullopt);
         else silentPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     }
 }
@@ -423,4 +590,30 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnRefreshError
     }
 }
 
+extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeDispose(JNIEnv* env, jclass) {
+    std::shared_ptr<Promise<AuthUser>> loginPromise;
+    std::shared_ptr<Promise<AuthUser>> scopesPromise;
+    std::shared_ptr<Promise<AuthTokens>> refreshPromise;
+    std::shared_ptr<Promise<std::optional<AuthUser>>> silentPromise;
+    {
+        std::lock_guard<std::mutex> lock(gMutex);
+        loginPromise = std::move(gLoginPromise);
+        scopesPromise = std::move(gScopesPromise);
+        refreshPromise = std::move(gRefreshPromise);
+        silentPromise = std::move(gSilentPromise);
+        gLoginPromise = nullptr;
+        gScopesPromise = nullptr;
+        gRefreshPromise = nullptr;
+        gSilentPromise = nullptr;
+    }
+
+    auto disposed = std::make_exception_ptr(std::runtime_error("disposed"));
+    if (loginPromise) loginPromise->reject(disposed);
+    if (scopesPromise) scopesPromise->reject(disposed);
+    if (refreshPromise) refreshPromise->reject(disposed);
+    if (silentPromise) silentPromise->reject(disposed);
+
+    clearCachedJniRefs(env);
+}
+
 } // namespace margelo::nitro::NitroAuth