react-native-nitro-auth 0.5.5 → 0.5.7

package/ios/AuthAdapter.swift

@@ -2,7 +2,6 @@ import Foundation
 import GoogleSignIn
 import AuthenticationServices
 import NitroModules
-import ObjectiveC
 import CommonCrypto
 
 @objc
@@ -11,9 +10,12 @@ public class AuthAdapter: NSObject {
   private static var inMemoryMicrosoftRefreshToken: String?
   private static var inMemoryMicrosoftScopes: [String] = defaultMicrosoftScopes
   private static var inMemoryGoogleServerAuthCode: String?
+  private static let tokenStoreLock = NSLock()
 
   @objc
   public static func login(provider: String, scopes: [String], loginHint: String?, useSheet: Bool, forceAccountPicker: Bool = false, tenant: String? = nil, prompt: String? = nil, completion: @escaping (NSDictionary?, String?) -> Void) {
+    // useSheet is accepted for API compatibility with Android but has no effect on iOS.
+    // Google Sign-In SDK controls its own presentation style.
     if provider == "google" {
       guard let clientId = Bundle.main.object(forInfoDictionaryKey: "GIDClientID") as? String, !clientId.isEmpty else {
         completion(nil, "configuration_error")
@@ -23,12 +25,11 @@ public class AuthAdapter: NSObject {
       let serverClientId = Bundle.main.object(forInfoDictionaryKey: "GIDServerClientID") as? String
       
       DispatchQueue.main.async {
-        guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-              let rootVC = windowScene.windows.first?.rootViewController else {
-          completion(nil, "No root view controller found")
+        guard let rootVC = presentingViewController() else {
+          completion(nil, "no_window")
           return
         }
-        
+
         let config = GIDConfiguration(clientID: clientId, serverClientID: serverClientId)
         GIDSignIn.sharedInstance.configuration = config
         
@@ -58,7 +59,17 @@ public class AuthAdapter: NSObject {
       let delegate = AppleSignInDelegate(completion: completion)
       controller.delegate = delegate
       objc_setAssociatedObject(controller, &delegateHandle, delegate, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
-      controller.performRequests()
+
+      DispatchQueue.main.async {
+        guard let window = activeWindow() else {
+          completion(nil, "no_window")
+          return
+        }
+        let contextProvider = AppleSignInContextProvider(anchor: window)
+        controller.presentationContextProvider = contextProvider
+        objc_setAssociatedObject(controller, &contextProviderHandle, contextProvider, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
+        controller.performRequests()
+      }
     } else if provider == "microsoft" {
       loginMicrosoft(scopes: scopes, loginHint: loginHint, tenant: tenant, prompt: prompt, completion: completion)
     } else {
@@ -78,15 +89,27 @@ public class AuthAdapter: NSObject {
     let effectiveScopes = scopes.isEmpty ? ["openid", "email", "profile", "offline_access", "User.Read"] : scopes
     let effectivePrompt = prompt ?? "select_account"
     
-    let codeVerifier = generateCodeVerifier()
-    let codeChallenge = generateCodeChallenge(codeVerifier)
+    guard let codeVerifier = generateCodeVerifier() else {
+      completion(nil, "configuration_error")
+      return
+    }
+    guard let codeChallenge = generateCodeChallenge(codeVerifier) else {
+      completion(nil, "configuration_error")
+      return
+    }
     let state = UUID().uuidString
     let nonce = UUID().uuidString
     
     let b2cDomain = Bundle.main.object(forInfoDictionaryKey: "MSALB2cDomain") as? String
-    let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: effectiveTenant, b2cDomain: b2cDomain)
-    
-    var urlComponents = URLComponents(string: "\(authBaseUrl)oauth2/v2.0/authorize")!
+    guard let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: effectiveTenant, b2cDomain: b2cDomain) else {
+      completion(nil, "configuration_error")
+      return
+    }
+
+    guard var urlComponents = URLComponents(string: "\(authBaseUrl)oauth2/v2.0/authorize") else {
+      completion(nil, "configuration_error")
+      return
+    }
     urlComponents.queryItems = [
       URLQueryItem(name: "client_id", value: clientId),
       URLQueryItem(name: "redirect_uri", value: redirectUri),
@@ -166,14 +189,12 @@ public class AuthAdapter: NSObject {
           completion: completion
         )
       }
-      
-      guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-            let rootVC = windowScene.windows.first?.rootViewController else {
-        completion(nil, "No root view controller found")
+
+      guard let window = activeWindow() else {
+        completion(nil, "no_window")
         return
       }
-      
-      let contextProvider = WebAuthContextProvider(anchor: rootVC.view.window!)
+      let contextProvider = WebAuthContextProvider(anchor: window)
       session.presentationContextProvider = contextProvider
       objc_setAssociatedObject(session, &contextProviderHandle, contextProvider, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
       session.prefersEphemeralWebBrowserSession = false
@@ -181,17 +202,19 @@ public class AuthAdapter: NSObject {
     }
   }
   
-  private static func generateCodeVerifier() -> String {
+  private static func generateCodeVerifier() -> String? {
     var bytes = [UInt8](repeating: 0, count: 32)
-    _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
+    guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else {
+      return nil
+    }
     return Data(bytes).base64EncodedString()
       .replacingOccurrences(of: "+", with: "-")
       .replacingOccurrences(of: "/", with: "_")
       .replacingOccurrences(of: "=", with: "")
   }
   
-  private static func generateCodeChallenge(_ verifier: String) -> String {
-    guard let data = verifier.data(using: .ascii) else { return "" }
+  private static func generateCodeChallenge(_ verifier: String) -> String? {
+    guard let data = verifier.data(using: .ascii) else { return nil }
     var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
     data.withUnsafeBytes {
       _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &hash)
@@ -213,13 +236,16 @@ public class AuthAdapter: NSObject {
     scopes: [String],
     completion: @escaping (NSDictionary?, String?) -> Void
   ) {
-    let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain)
-    let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token")!
-    
+    guard let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain),
+          let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token") else {
+      DispatchQueue.main.async { completion(nil, "configuration_error") }
+      return
+    }
+
     var request = URLRequest(url: tokenUrl)
     request.httpMethod = "POST"
     request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
-    
+
     let bodyParams = [
       "client_id": clientId,
       "code": code,
@@ -236,18 +262,17 @@ public class AuthAdapter: NSObject {
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
         if let error = error {
-          let nsError = error as NSError
-          if nsError.code == NSURLErrorNotConnectedToInternet || nsError.code == NSURLErrorTimedOut {
-            completion(nil, "network_error")
-          } else {
-            completion(nil, "network_error")
-          }
+          completion(nil, "network_error")
           return
         }
 
         guard let data = data,
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-          completion(nil, "parse_error")
+          if let httpResponse = response as? HTTPURLResponse, !(200...299).contains(httpResponse.statusCode) {
+            completion(nil, "network_error")
+          } else {
+            completion(nil, "parse_error")
+          }
           return
         }
 
@@ -256,6 +281,11 @@ public class AuthAdapter: NSObject {
           return
         }
 
+        if let httpResponse = response as? HTTPURLResponse, !(200...299).contains(httpResponse.statusCode) {
+          completion(nil, "network_error")
+          return
+        }
+
         guard let idToken = json["id_token"] as? String else {
           completion(nil, "no_id_token")
           return
@@ -269,13 +299,15 @@ public class AuthAdapter: NSObject {
         
         let accessToken = json["access_token"] as? String ?? ""
         let refreshToken = json["refresh_token"] as? String ?? ""
-        let expiresIn = json["expires_in"] as? Double ?? 0
+        let expiresIn = (json["expires_in"] as? Double).flatMap { $0 > 0 ? $0 : nil } ?? 3600.0
         let expirationTime = Date().timeIntervalSince1970 * 1000 + expiresIn * 1000
         
+        tokenStoreLock.lock()
         if !refreshToken.isEmpty {
           inMemoryMicrosoftRefreshToken = refreshToken
         }
         inMemoryMicrosoftScopes = scopes.isEmpty ? defaultMicrosoftScopes : scopes
+        tokenStoreLock.unlock()
         
         let resultData: [String: Any] = [
           "provider": "microsoft",
@@ -285,6 +317,7 @@ public class AuthAdapter: NSObject {
           "idToken": idToken,
           "accessToken": accessToken,
           "serverAuthCode": "",
+          "scopes": scopes,
           "expirationTime": expirationTime,
           "underlyingError": ""
         ]
@@ -331,7 +364,9 @@ public class AuthAdapter: NSObject {
     }
     
     let serverAuthCode = result?.serverAuthCode ?? ""
+    tokenStoreLock.lock()
     inMemoryGoogleServerAuthCode = serverAuthCode.isEmpty ? nil : serverAuthCode
+    tokenStoreLock.unlock()
 
     let data: [String: Any] = [
       "provider": "google",
@@ -349,11 +384,14 @@ public class AuthAdapter: NSObject {
 
   static func mapError(_ error: Error) -> String {
     let nsError = error as NSError
+    if nsError.domain == NSURLErrorDomain {
+      return "network_error"
+    }
     // GIDSignIn error codes
     if nsError.domain == "com.google.GIDSignIn" {
       switch nsError.code {
       case -5: return "cancelled"   // GIDSignInErrorCodeCanceled
-      case -4: return "network_error" // GIDSignInErrorCodeNoCurrentUser (used for network issues)
+      case -4: return "not_signed_in"  // GIDSignInErrorCodeNoCurrentUser
       default: break
       }
     }
@@ -386,9 +424,8 @@ public class AuthAdapter: NSObject {
   public static func addScopes(scopes: [String], completion: @escaping (NSDictionary?, String?) -> Void) {
     if let currentUser = GIDSignIn.sharedInstance.currentUser {
       DispatchQueue.main.async {
-        guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-              let rootVC = windowScene.windows.first?.rootViewController else {
-          completion(nil, "No root view controller found")
+        guard let rootVC = presentingViewController() else {
+          completion(nil, "no_window")
           return
         }
         currentUser.addScopes(scopes, presenting: rootVC) { result, error in
@@ -397,11 +434,17 @@ public class AuthAdapter: NSObject {
       }
       return
     }
-    guard inMemoryMicrosoftRefreshToken != nil else {
-      completion(nil, "No user logged in")
+    tokenStoreLock.lock()
+    let hasRefreshToken = inMemoryMicrosoftRefreshToken != nil
+    let currentScopes = inMemoryMicrosoftScopes
+    tokenStoreLock.unlock()
+    guard hasRefreshToken else {
+      completion(nil, "not_signed_in")
       return
     }
-    let mergedScopes = Array(Set(inMemoryMicrosoftScopes + scopes))
+    let mergedScopes = (currentScopes + scopes).reduce(into: [String]()) { acc, s in
+      if !acc.contains(s) { acc.append(s) }
+    }
     loginMicrosoft(scopes: mergedScopes, loginHint: nil, tenant: nil, prompt: nil, completion: completion)
   }
 
@@ -410,7 +453,7 @@ public class AuthAdapter: NSObject {
     if let currentUser = GIDSignIn.sharedInstance.currentUser {
       currentUser.refreshTokensIfNeeded { user, error in
         if let error = error {
-          completion(nil, error.localizedDescription)
+          completion(nil, mapError(error))
           return
         }
         guard let user = user else {
@@ -435,6 +478,9 @@ public class AuthAdapter: NSObject {
     if Bundle.main.object(forInfoDictionaryKey: "GIDClientID") != nil {
       GIDSignIn.sharedInstance.restorePreviousSignIn { user, error in
         if let user = user {
+          tokenStoreLock.lock()
+          let cachedServerAuthCode = inMemoryGoogleServerAuthCode
+          tokenStoreLock.unlock()
           let data: [String: Any] = [
             "provider": "google",
             "email": user.profile?.email ?? "",
@@ -442,7 +488,7 @@ public class AuthAdapter: NSObject {
             "photo": user.profile?.imageURL(withDimension: 300)?.absoluteString ?? "",
             "idToken": user.idToken?.tokenString ?? "",
             "accessToken": user.accessToken.tokenString,
-            "serverAuthCode": inMemoryGoogleServerAuthCode ?? "",
+            "serverAuthCode": cachedServerAuthCode ?? "",
             "expirationTime": (user.accessToken.expirationDate?.timeIntervalSince1970 ?? 0) * 1000
           ]
           completion(data as NSDictionary)
@@ -456,7 +502,11 @@ public class AuthAdapter: NSObject {
   }
 
   private static func tryMicrosoftSilentRefresh(completion: @escaping (NSDictionary?) -> Void) {
-    guard let refreshToken = inMemoryMicrosoftRefreshToken else {
+    tokenStoreLock.lock()
+    let refreshToken = inMemoryMicrosoftRefreshToken
+    let currentScopes = inMemoryMicrosoftScopes
+    tokenStoreLock.unlock()
+    guard let refreshToken = refreshToken else {
       completion(nil)
       return
     }
@@ -468,13 +518,16 @@ public class AuthAdapter: NSObject {
     
     let tenant = Bundle.main.object(forInfoDictionaryKey: "MSALTenant") as? String ?? "common"
     let b2cDomain = Bundle.main.object(forInfoDictionaryKey: "MSALB2cDomain") as? String
-    let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain)
-    let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token")!
-    
+    guard let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain),
+          let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token") else {
+      completion(nil)
+      return
+    }
+
     var request = URLRequest(url: tokenUrl)
     request.httpMethod = "POST"
     request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
-    
+
     let bodyParams = [
       "client_id": clientId,
       "grant_type": "refresh_token",
@@ -488,23 +541,42 @@ public class AuthAdapter: NSObject {
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
+        if let error = error {
+          #if DEBUG
+          print("[NitroAuth] Microsoft silent refresh network error: \(error.localizedDescription)")
+          #endif
+          completion(nil)
+          return
+        }
+        if let httpResponse = response as? HTTPURLResponse, !(200...299).contains(httpResponse.statusCode) {
+          #if DEBUG
+          print("[NitroAuth] Microsoft silent refresh HTTP \(httpResponse.statusCode)")
+          #endif
+          completion(nil)
+          return
+        }
         guard let data = data,
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any],
               let idToken = json["id_token"] as? String else {
+          #if DEBUG
+          print("[NitroAuth] Microsoft silent refresh: failed to parse token response")
+          #endif
           completion(nil)
           return
         }
-        
+
         let claims = decodeJwt(idToken)
         let accessToken = json["access_token"] as? String ?? ""
         let newRefreshToken = json["refresh_token"] as? String ?? ""
-        let expiresIn = json["expires_in"] as? Double ?? 0
+        let expiresIn = (json["expires_in"] as? Double).flatMap { $0 > 0 ? $0 : nil } ?? 3600.0
         let expirationTime = Date().timeIntervalSince1970 * 1000 + expiresIn * 1000
-        
+
+        tokenStoreLock.lock()
         if !newRefreshToken.isEmpty {
           inMemoryMicrosoftRefreshToken = newRefreshToken
         }
-        
+        tokenStoreLock.unlock()
+
         let resultData: [String: Any] = [
           "provider": "microsoft",
           "email": claims["preferred_username"] ?? claims["email"] ?? "",
@@ -513,6 +585,7 @@ public class AuthAdapter: NSObject {
           "idToken": idToken,
           "accessToken": accessToken,
           "serverAuthCode": "",
+          "scopes": currentScopes,
           "expirationTime": expirationTime
         ]
         completion(resultData as NSDictionary)
@@ -521,8 +594,11 @@ public class AuthAdapter: NSObject {
   }
 
   private static func tryMicrosoftRefreshForTokenRefresh(completion: @escaping (NSDictionary?, String?) -> Void) {
-    guard let refreshToken = inMemoryMicrosoftRefreshToken else {
-      completion(nil, "No user logged in")
+    tokenStoreLock.lock()
+    let refreshToken = inMemoryMicrosoftRefreshToken
+    tokenStoreLock.unlock()
+    guard let refreshToken = refreshToken else {
+      completion(nil, "not_signed_in")
       return
     }
     guard let clientId = Bundle.main.object(forInfoDictionaryKey: "MSALClientID") as? String, !clientId.isEmpty else {
@@ -531,8 +607,11 @@ public class AuthAdapter: NSObject {
     }
     let tenant = Bundle.main.object(forInfoDictionaryKey: "MSALTenant") as? String ?? "common"
     let b2cDomain = Bundle.main.object(forInfoDictionaryKey: "MSALB2cDomain") as? String
-    let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain)
-    let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token")!
+    guard let authBaseUrl = getMicrosoftAuthBaseUrl(tenant: tenant, b2cDomain: b2cDomain),
+          let tokenUrl = URL(string: "\(authBaseUrl)oauth2/v2.0/token") else {
+      completion(nil, "configuration_error")
+      return
+    }
     var request = URLRequest(url: tokenUrl)
     request.httpMethod = "POST"
     request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
@@ -553,21 +632,31 @@ public class AuthAdapter: NSObject {
         }
         guard let data = data,
               let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else {
-          completion(nil, "parse_error")
+          if let httpResponse = response as? HTTPURLResponse, !(200...299).contains(httpResponse.statusCode) {
+            completion(nil, "network_error")
+          } else {
+            completion(nil, "parse_error")
+          }
           return
         }
         if let errorCode = json["error"] as? String {
           completion(nil, AuthAdapter.mapOAuthError(errorCode))
           return
         }
+        if let httpResponse = response as? HTTPURLResponse, !(200...299).contains(httpResponse.statusCode) {
+          completion(nil, "network_error")
+          return
+        }
         let idToken = json["id_token"] as? String ?? ""
         let accessToken = json["access_token"] as? String ?? ""
         let newRefreshToken = json["refresh_token"] as? String ?? ""
-        let expiresIn = json["expires_in"] as? Double ?? 0
+        let expiresIn = (json["expires_in"] as? Double).flatMap { $0 > 0 ? $0 : nil } ?? 3600.0
         let expirationTime = Date().timeIntervalSince1970 * 1000 + expiresIn * 1000
+        tokenStoreLock.lock()
         if !newRefreshToken.isEmpty {
           inMemoryMicrosoftRefreshToken = newRefreshToken
         }
+        tokenStoreLock.unlock()
         let tokensData: [String: Any] = [
           "accessToken": accessToken,
           "idToken": idToken,
@@ -579,24 +668,63 @@ public class AuthAdapter: NSObject {
     }.resume()
   }
   
-  private static func getMicrosoftAuthBaseUrl(tenant: String, b2cDomain: String?) -> String {
-    if tenant.hasPrefix("https://") {
-      return tenant.hasSuffix("/") ? tenant : "\(tenant)/"
+  private static func getMicrosoftAuthBaseUrl(tenant: String, b2cDomain: String?) -> String? {
+    let trimmedTenant = tenant.trimmingCharacters(in: .whitespacesAndNewlines)
+    guard !trimmedTenant.isEmpty else { return nil }
+
+    if trimmedTenant.hasPrefix("https://") {
+      guard URL(string: trimmedTenant) != nil else { return nil }
+      return trimmedTenant.hasSuffix("/") ? trimmedTenant : "\(trimmedTenant)/"
     }
-    
-    if let domain = b2cDomain {
-      return "https://\(domain)/tfp/\(tenant)/"
-    } else {
-      return "https://login.microsoftonline.com/\(tenant)/"
+    if let domain = b2cDomain?.trimmingCharacters(in: .whitespacesAndNewlines), !domain.isEmpty {
+      return "https://\(domain)/tfp/\(trimmedTenant)/"
     }
+    return "https://login.microsoftonline.com/\(trimmedTenant)/"
   }
 
   @objc
   public static func logout() {
     GIDSignIn.sharedInstance.signOut()
+    tokenStoreLock.lock()
     inMemoryMicrosoftRefreshToken = nil
     inMemoryMicrosoftScopes = defaultMicrosoftScopes
     inMemoryGoogleServerAuthCode = nil
+    tokenStoreLock.unlock()
+  }
+
+  private static func activeWindow() -> UIWindow? {
+    let windowScenes = UIApplication.shared.connectedScenes
+      .compactMap { $0 as? UIWindowScene }
+      .filter {
+        $0.activationState == .foregroundActive ||
+          $0.activationState == .foregroundInactive
+      }
+
+    for scene in windowScenes {
+      if let keyWindow = scene.windows.first(where: { $0.isKeyWindow }) {
+        return keyWindow
+      }
+    }
+
+    return windowScenes.lazy.compactMap { $0.windows.first }.first
+  }
+
+  private static func presentingViewController() -> UIViewController? {
+    guard let rootViewController = activeWindow()?.rootViewController else {
+      return nil
+    }
+
+    var current = rootViewController
+    while let presented = current.presentedViewController {
+      current = presented
+    }
+    if let navigationController = current as? UINavigationController {
+      return navigationController.visibleViewController ?? navigationController
+    }
+    if let tabBarController = current as? UITabBarController {
+      return tabBarController.selectedViewController ?? tabBarController
+    }
+    return current
   }
 }
 
@@ -625,14 +753,28 @@ class AppleSignInDelegate: NSObject, ASAuthorizationControllerDelegate {
         "underlyingError": ""
       ]
       completion(data as NSDictionary, nil)
+    } else {
+      completion(nil, "unknown")
     }
   }
-  
+
   func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
     completion(nil, AuthAdapter.mapError(error))
   }
 }
 
+class AppleSignInContextProvider: NSObject, ASAuthorizationControllerPresentationContextProviding {
+  let anchor: ASPresentationAnchor
+
+  init(anchor: ASPresentationAnchor) {
+    self.anchor = anchor
+  }
+
+  func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
+    return anchor
+  }
+}
+
 class WebAuthContextProvider: NSObject, ASWebAuthenticationPresentationContextProviding {
   let anchor: ASPresentationAnchor
   

package/ios/PlatformAuth+iOS.mm

@@ -16,9 +16,25 @@
 
 namespace margelo::nitro::NitroAuth {
  
- inline std::string nsToStd(NSString* _Nullable ns) {
-     if (ns == nil) return "";
-     return std::string([ns UTF8String]);
+ inline std::optional<std::string> nsToStd(NSString* _Nullable ns) {
+     if (ns == nil) return std::nullopt;
+     std::string value([ns UTF8String]);
+     if (value.empty()) return std::nullopt;
+     return value;
+ }
+
+ inline std::optional<std::vector<std::string>> nsArrayToStd(NSArray<NSString*>* _Nullable nsArray) {
+     if (nsArray == nil || nsArray.count == 0) return std::nullopt;
+
+     std::vector<std::string> values;
+     values.reserve(nsArray.count);
+     for (NSString* value in nsArray) {
+         if (value.length == 0) continue;
+         values.emplace_back([value UTF8String]);
+     }
+
+     if (values.empty()) return std::nullopt;
+     return values;
  }
 
 std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
@@ -85,6 +101,7 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         
@@ -109,13 +126,21 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::requestScopes(const std::vector
         }
         
         AuthUser user;
-        user.provider = AuthProvider::GOOGLE;
+        NSString *providerStr = [data objectForKey:@"provider"];
+        if ([providerStr isEqualToString:@"microsoft"]) {
+            user.provider = AuthProvider::MICROSOFT;
+        } else if ([providerStr isEqualToString:@"apple"]) {
+            user.provider = AuthProvider::APPLE;
+        } else {
+            user.provider = AuthProvider::GOOGLE;
+        }
         user.email = nsToStd([data objectForKey:@"email"]);
         user.name = nsToStd([data objectForKey:@"name"]);
         user.photo = nsToStd([data objectForKey:@"photo"]);
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         promise->resolve(user);
@@ -161,6 +186,7 @@ std::shared_ptr<Promise<std::optional<AuthUser>>> PlatformAuth::silentRestore()
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         promise->resolve(user);