react-native-nitro-auth 0.5.6 → 0.5.8

package/android/src/main/cpp/PlatformAuth+Android.cpp

@@ -531,7 +531,7 @@ extern "C" JNIEXPORT void JNICALL Java_com_auth_AuthAdapter_nativeOnLoginError(
     if (loginPromise) loginPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     if (scopesPromise) scopesPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     if (silentPromise) {
-        if (errorStr == "No session") silentPromise->resolve(std::nullopt);
+        if (errorStr == "not_signed_in") silentPromise->resolve(std::nullopt);
         else silentPromise->reject(std::make_exception_ptr(std::runtime_error(errorStr)));
     }
 }

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -3,7 +3,8 @@
 //   • getLastSignedInAccount  – persists session across app restarts via GMS store; no drop-in replacement
 //   • silentSignIn            – AuthorizationClient.authorize() still requires an Activity for interactive fallback
 //   • revokeAccess            – no equivalent in Credential Manager or Identity.getAuthorizationClient()
-// All modern entry-points use Credential Manager (One-Tap). Legacy is a documented fallback only.
+// All modern entry-points use Credential Manager (One-Tap) unless the caller explicitly needs
+// Android's account chooser semantics, which still require the legacy Google Sign-In flow.
 
 package com.auth
 
@@ -40,11 +41,14 @@ import java.util.UUID
 
 object AuthAdapter {
     private const val TAG = "AuthAdapter"
+    private val defaultMicrosoftScopes =
+        listOf("openid", "email", "profile", "offline_access", "User.Read")
 
     @Volatile
     private var isInitialized = false
 
     private var appContext: Context? = null
+    @Volatile
     private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var lifecycleCallbacks: Application.ActivityLifecycleCallbacks? = null
@@ -65,18 +69,22 @@ object AuthAdapter {
     private var pendingMicrosoftClientId: String? = null
     @Volatile
     private var pendingMicrosoftB2cDomain: String? = null
+    @Volatile
+    private var microsoftAuthInProgress = false
 
     @Volatile
     private var inMemoryMicrosoftRefreshToken: String? = null
     @Volatile
     private var inMemoryMicrosoftScopes: List<String> =
-        listOf("openid", "email", "profile", "offline_access", "User.Read")
+        defaultMicrosoftScopes
 
     // Module-scoped coroutine scope — cancelled on module invalidation via dispose().
     private var moduleScope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
 
     @JvmStatic
     private external fun nativeInitialize(context: Context)
+    @JvmStatic
+    private external fun nativeDispose()
 
     @JvmStatic
     private external fun nativeOnLoginSuccess(
@@ -134,8 +142,11 @@ object AuthAdapter {
     }
 
     fun dispose() {
+        clearPkceState()
         moduleScope.cancel()
         moduleScope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
+        runCatching { nativeDispose() }
+            .onFailure { Log.w(TAG, "Failed to dispose NitroAuth native bridge", it) }
 
         val app = appContext as? Application
         lifecycleCallbacks?.let { app?.unregisterActivityLifecycleCallbacks(it) }
@@ -200,7 +211,7 @@ object AuthAdapter {
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
         pendingScopes = requestedScopes
 
-        if (useLegacyGoogleSignIn) {
+        if (useLegacyGoogleSignIn || forceAccountPicker) {
             loginLegacy(context, clientId, requestedScopes, loginHint, forceAccountPicker, "login")
             return
         }
@@ -217,9 +228,21 @@ object AuthAdapter {
         pendingOrigin = origin
 
         val effectiveTenant = tenant ?: getMicrosoftTenantFromResources(ctx) ?: "common"
-        val effectiveScopes = scopes?.toList() ?: listOf("openid", "email", "profile", "offline_access", "User.Read")
+        val effectiveScopes = scopes?.toList() ?: defaultMicrosoftScopes
         val effectivePrompt = prompt ?: "select_account"
-        pendingMicrosoftScopes = effectiveScopes
+
+        synchronized(this) {
+            if (microsoftAuthInProgress) {
+                nativeOnLoginError(
+                    origin,
+                    "operation_in_progress",
+                    "Microsoft authentication already in progress",
+                )
+                return
+            }
+            microsoftAuthInProgress = true
+            pendingMicrosoftScopes = effectiveScopes
+        }
 
         val codeVerifier = generateCodeVerifier()
         val codeChallenge = generateCodeChallenge(codeVerifier)
@@ -261,6 +284,7 @@ object AuthAdapter {
                 ctx.startActivity(browserIntent)
             }
         } catch (e: Exception) {
+            clearPkceState()
             nativeOnLoginError(origin, "unknown", e.message)
         }
     }
@@ -286,7 +310,8 @@ object AuthAdapter {
         val origin = pendingOrigin
         if (error != null) {
             clearPkceState()
-            nativeOnLoginError(origin, error, errorDescription)
+            val mappedError = mapMicrosoftOAuthError(error)
+            nativeOnLoginError(origin, mappedError, errorDescription ?: error)
             return
         }
         if (state != pendingState) {
@@ -368,7 +393,7 @@ object AuthAdapter {
                 val error = json.optString("error", "token_error")
                 val desc = json.optString("error_description", "Failed to exchange code for tokens")
                 clearPkceState()
-                nativeOnLoginError(origin, error, desc)
+                nativeOnLoginError(origin, mapMicrosoftOAuthError(error), desc)
             } catch (e: Exception) {
                 clearPkceState()
                 nativeOnLoginError(origin, "token_error", "Failed to exchange code for tokens")
@@ -399,16 +424,15 @@ object AuthAdapter {
 
             val email = claims["preferred_username"] ?: claims["email"]
             val name = claims["name"]
+            val grantedScopes = pendingMicrosoftScopes.ifEmpty { defaultMicrosoftScopes }
 
             if (refreshToken.isNotEmpty()) inMemoryMicrosoftRefreshToken = refreshToken
-            inMemoryMicrosoftScopes = pendingMicrosoftScopes.ifEmpty {
-                listOf("openid", "email", "profile", "offline_access", "User.Read")
-            }
+            inMemoryMicrosoftScopes = grantedScopes
 
             clearPkceState()
             nativeOnLoginSuccess(
                 origin, "microsoft", email, name, null, idToken, accessToken, null,
-                pendingMicrosoftScopes.toTypedArray(), expirationTime
+                grantedScopes.toTypedArray(), expirationTime
             )
         } catch (e: Exception) {
             clearPkceState()
@@ -416,6 +440,7 @@ object AuthAdapter {
         }
     }
 
+    @Synchronized
     private fun clearPkceState() {
         pendingOrigin = "login"
         pendingPkceVerifier = null
@@ -424,6 +449,18 @@ object AuthAdapter {
         pendingMicrosoftTenant = null
         pendingMicrosoftClientId = null
         pendingMicrosoftB2cDomain = null
+        pendingMicrosoftScopes = emptyList()
+        microsoftAuthInProgress = false
+    }
+
+    private fun mapMicrosoftOAuthError(error: String): String {
+        return when (error) {
+            "access_denied", "interaction_required" -> "cancelled"
+            "invalid_client", "unauthorized_client" -> "configuration_error"
+            "invalid_grant", "invalid_request", "invalid_scope" -> "token_error"
+            "temporarily_unavailable", "server_error" -> "network_error"
+            else -> "token_error"
+        }
     }
 
     private fun decodeJwt(token: String): Map<String, String> {
@@ -570,8 +607,10 @@ object AuthAdapter {
         val account = GoogleSignIn.getLastSignedInAccount(ctx)
         if (account != null) {
             val newScopes = scopes.map { Scope(it) }
+            val grantedScopes = account.grantedScopes?.map { it.scopeUri }.orEmpty()
+            val allScopes = (grantedScopes + scopes.toList()).distinct()
             if (GoogleSignIn.hasPermissions(account, *newScopes.toTypedArray())) {
-                onSignInSuccess(account, (pendingScopes + scopes.toList()).distinct(), "scopes")
+                onSignInSuccess(account, allScopes, "scopes")
                 return
             }
             val clientId = getClientIdFromResources(ctx)
@@ -579,7 +618,6 @@ object AuthAdapter {
                 nativeOnLoginError("scopes", "configuration_error", "Google Client ID not configured")
                 return
             }
-            val allScopes = (pendingScopes + scopes.toList()).distinct()
             val intent = GoogleSignInActivity.createIntent(ctx, clientId, allScopes.toTypedArray(), account.email, origin = "scopes")
             ctx.startActivity(intent)
             return
@@ -590,7 +628,7 @@ object AuthAdapter {
             loginMicrosoft(ctx, mergedScopes.toTypedArray(), null, tenant, null, "scopes")
             return
         }
-        nativeOnLoginError("scopes", "unknown", "No user logged in")
+        nativeOnLoginError("scopes", "not_signed_in", "No user logged in")
     }
 
     // refreshTokenSync uses the legacy silentSignIn because AuthorizationClient (the recommended
@@ -628,7 +666,7 @@ object AuthAdapter {
             refreshMicrosoftTokenForRefresh(ctx, refreshToken)
             return
         }
-        nativeOnRefreshError("unknown", "No user logged in")
+        nativeOnRefreshError("not_signed_in", "No user logged in")
     }
 
     @JvmStatic
@@ -643,6 +681,7 @@ object AuthAdapter {
     @JvmStatic
     fun logoutSync(context: Context) {
         val ctx = appContext ?: context.applicationContext
+        clearPkceState()
         // Clear Credential Manager state (covers One-Tap / passkey credentials).
         moduleScope.launch {
             try {
@@ -659,12 +698,13 @@ object AuthAdapter {
             GoogleSignIn.getClient(ctx, gso).signOut()
         }
         inMemoryMicrosoftRefreshToken = null
-        inMemoryMicrosoftScopes = listOf("openid", "email", "profile", "offline_access", "User.Read")
+        inMemoryMicrosoftScopes = defaultMicrosoftScopes
     }
 
     @JvmStatic
     fun revokeAccessSync(context: Context) {
         val ctx = appContext ?: context.applicationContext
+        clearPkceState()
         val clientId = getClientIdFromResources(ctx)
         if (clientId != null) {
             val gso = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
@@ -672,7 +712,7 @@ object AuthAdapter {
             GoogleSignIn.getClient(ctx, gso).revokeAccess()
         }
         inMemoryMicrosoftRefreshToken = null
-        inMemoryMicrosoftScopes = listOf("openid", "email", "profile", "offline_access", "User.Read")
+        inMemoryMicrosoftScopes = defaultMicrosoftScopes
     }
 
     private fun getClientIdFromResources(context: Context): String? {
@@ -695,7 +735,7 @@ object AuthAdapter {
             if (refreshToken != null) {
                 refreshMicrosoftToken(ctx, refreshToken)
             } else {
-                nativeOnLoginError("silent", "unknown", "No session")
+                nativeOnLoginError("silent", "not_signed_in", "No session")
             }
         }
     }
@@ -704,6 +744,7 @@ object AuthAdapter {
         val clientId = getMicrosoftClientIdFromResources(context)
         val tenant = getMicrosoftTenantFromResources(context) ?: "common"
         val b2cDomain = getMicrosoftB2cDomainFromResources(context)
+        val effectiveScopes = inMemoryMicrosoftScopes.ifEmpty { defaultMicrosoftScopes }
 
         if (clientId == null) {
             nativeOnLoginError("silent", "configuration_error", "Microsoft Client ID is required for refresh")
@@ -749,14 +790,12 @@ object AuthAdapter {
                             val claims = decodeJwt(newIdToken)
 
                             if (newRefreshToken.isNotEmpty()) inMemoryMicrosoftRefreshToken = newRefreshToken
-                            inMemoryMicrosoftScopes = pendingMicrosoftScopes.ifEmpty {
-                                listOf("openid", "email", "profile", "offline_access", "User.Read")
-                            }
+                            inMemoryMicrosoftScopes = effectiveScopes
 
                             nativeOnLoginSuccess("silent", "microsoft",
                                 claims["preferred_username"] ?: claims["email"],
                                 claims["name"], null,
-                                newIdToken, newAccessToken, null, null, expirationTime)
+                                newIdToken, newAccessToken, null, effectiveScopes.toTypedArray(), expirationTime)
                         } else {
                             if (responseCode in 400..499) {
                                 inMemoryMicrosoftRefreshToken = null  // Token is invalid, clear it
@@ -765,7 +804,7 @@ object AuthAdapter {
                                 val json = org.json.JSONObject(responseBody)
                                 val errorCode = json.optString("error", "token_error")
                                 val errorDesc = json.optString("error_description", "Token refresh failed")
-                                Pair(errorCode, errorDesc)
+                                Pair(mapMicrosoftOAuthError(errorCode), errorDesc)
                             } catch (e: Exception) {
                                 Pair("token_error", "Token refresh failed")
                             }
@@ -787,6 +826,7 @@ object AuthAdapter {
         val clientId = getMicrosoftClientIdFromResources(context)
         val tenant = getMicrosoftTenantFromResources(context) ?: "common"
         val b2cDomain = getMicrosoftB2cDomainFromResources(context)
+        val effectiveScopes = inMemoryMicrosoftScopes.ifEmpty { defaultMicrosoftScopes }
 
         if (clientId == null) {
             nativeOnRefreshError("configuration_error", "Microsoft Client ID not configured")
@@ -831,9 +871,7 @@ object AuthAdapter {
                             val expirationTime = if (expiresIn > 0) System.currentTimeMillis() + expiresIn * 1000 else null
 
                             if (newRefreshToken.isNotEmpty()) inMemoryMicrosoftRefreshToken = newRefreshToken
-                            inMemoryMicrosoftScopes = pendingMicrosoftScopes.ifEmpty {
-                                listOf("openid", "email", "profile", "offline_access", "User.Read")
-                            }
+                            inMemoryMicrosoftScopes = effectiveScopes
 
                             nativeOnRefreshSuccess(
                                 newIdToken.ifEmpty { null },
@@ -849,7 +887,7 @@ object AuthAdapter {
                                 val json = org.json.JSONObject(errorBody)
                                 val errorCode = json.optString("error", "token_error")
                                 val errorDesc = json.optString("error_description", "Token refresh failed")
-                                Pair(errorCode, errorDesc)
+                                Pair(mapMicrosoftOAuthError(errorCode), errorDesc)
                             } catch (e: Exception) {
                                 Pair("token_error", "Token refresh failed")
                             }

package/cpp/HybridAuth.cpp

@@ -2,6 +2,7 @@
 #include "PlatformAuth.hpp"
 #include <algorithm>
 #include <chrono>
+#include <stdexcept>
 
 namespace margelo::nitro::NitroAuth {
 
@@ -69,10 +70,19 @@ std::function<void()> HybridAuth::onTokensRefreshed(const std::function<void(con
 }
 
 void HybridAuth::logout() {
+  std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
+    _sessionGeneration++;
     _currentUser = std::nullopt;
     _grantedScopes.clear();
+    refreshInFlight = _refreshInFlight;
+    _refreshInFlight = nullptr;
+  }
+  if (refreshInFlight) {
+    refreshInFlight->reject(
+      std::make_exception_ptr(std::runtime_error("not_signed_in"))
+    );
   }
   PlatformAuth::logout();
   notifyAuthStateChanged();
@@ -80,12 +90,21 @@ void HybridAuth::logout() {
 
 std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    generation = _sessionGeneration;
+  }
   auto silentPromise = PlatformAuth::silentRestore();
   auto self = shared_from_this();
-  silentPromise->addOnResolvedListener([self, promise](const std::optional<AuthUser>& user) {
+  silentPromise->addOnResolvedListener([self, promise, generation](const std::optional<AuthUser>& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        promise->resolve();
+        return;
+      }
       auth->_currentUser = user;
       if (user) {
         if (user->scopes) {
@@ -111,13 +130,24 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
 
 std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    generation = _sessionGeneration;
+  }
   
   auto self = shared_from_this();
   auto loginPromise = PlatformAuth::login(provider, options);
-  loginPromise->addOnResolvedListener([self, promise, options](const AuthUser& user) {
+  loginPromise->addOnResolvedListener([self, promise, options, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        promise->reject(
+          std::make_exception_ptr(std::runtime_error("cancelled"))
+        );
+        return;
+      }
       auth->_currentUser = user;
       if (user.scopes && !user.scopes->empty()) {
         auth->_grantedScopes = *user.scopes;
@@ -144,12 +174,23 @@ std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const st
 
 std::shared_ptr<Promise<void>> HybridAuth::requestScopes(const std::vector<std::string>& scopes) {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    generation = _sessionGeneration;
+  }
   auto self = shared_from_this();
   auto requestPromise = PlatformAuth::requestScopes(scopes);
-  requestPromise->addOnResolvedListener([self, promise, scopes](const AuthUser& user) {
+  requestPromise->addOnResolvedListener([self, promise, scopes, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        promise->reject(
+          std::make_exception_ptr(std::runtime_error("cancelled"))
+        );
+        return;
+      }
       auth->_currentUser = user;
       for (const auto& scope : scopes) {
         if (std::find(auth->_grantedScopes.begin(), auth->_grantedScopes.end(), scope) == auth->_grantedScopes.end()) {
@@ -191,9 +232,11 @@ std::shared_ptr<Promise<void>> HybridAuth::revokeScopes(const std::vector<std::s
 std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken() {
   auto promise = Promise<std::optional<std::string>>::create();
   bool needsRefresh = false;
+  std::optional<std::string> cachedAccessToken;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     if (_currentUser && _currentUser->accessToken) {
+      cachedAccessToken = _currentUser->accessToken;
       if (_currentUser->expirationTime) {
         auto now = std::chrono::system_clock::now().time_since_epoch() / std::chrono::milliseconds(1);
         if (now + 300000 > *_currentUser->expirationTime) needsRefresh = true;
@@ -210,8 +253,8 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 
   if (needsRefresh) {
     auto refreshPromise = refreshToken();
-    refreshPromise->addOnResolvedListener([promise](const AuthTokens& tokens) {
-      promise->resolve(tokens.accessToken);
+    refreshPromise->addOnResolvedListener([promise, cachedAccessToken](const AuthTokens& tokens) {
+      promise->resolve(tokens.accessToken.has_value() ? tokens.accessToken : cachedAccessToken);
     });
     refreshPromise->addOnRejectedListener([promise](const std::exception_ptr& error) {
       promise->reject(error);
@@ -222,21 +265,26 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 
 std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
   std::shared_ptr<Promise<AuthTokens>> promise;
+  uint64_t generation;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     if (_refreshInFlight) {
       return _refreshInFlight;
     }
+    generation = _sessionGeneration;
     promise = Promise<AuthTokens>::create();
     _refreshInFlight = promise;
   }
 
   auto self = shared_from_this();
   auto refreshPromise = PlatformAuth::refreshToken();
-  refreshPromise->addOnResolvedListener([self, promise](const AuthTokens& tokens) {
+  refreshPromise->addOnResolvedListener([self, promise, generation](const AuthTokens& tokens) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        return;
+      }
       if (auth->_currentUser) {
         if (tokens.accessToken.has_value()) {
           auth->_currentUser->accessToken = tokens.accessToken;
@@ -260,10 +308,13 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
     promise->resolve(tokens);
   });
 
-  refreshPromise->addOnRejectedListener([self, promise](const std::exception_ptr& error) {
+  refreshPromise->addOnRejectedListener([self, promise, generation](const std::exception_ptr& error) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        return;
+      }
       if (auth->_refreshInFlight == promise) {
         auth->_refreshInFlight = nullptr;
       }

package/cpp/HybridAuth.hpp

@@ -48,6 +48,7 @@ private:
   std::map<uint64_t, std::function<void(const AuthTokens&)>> _tokenListeners;
   uint64_t _nextTokenListenerId = 0;
   std::shared_ptr<Promise<AuthTokens>> _refreshInFlight;
+  uint64_t _sessionGeneration = 0;
   
   // recursive_mutex: listeners resolved inside a lock scope may re-enter Auth methods
   // that also acquire _mutex, causing deadlock with a non-recursive mutex.

package/ios/AuthAdapter.swift

@@ -25,8 +25,7 @@ public class AuthAdapter: NSObject {
       let serverClientId = Bundle.main.object(forInfoDictionaryKey: "GIDServerClientID") as? String
       
       DispatchQueue.main.async {
-        guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-              let rootVC = windowScene.windows.first?.rootViewController else {
+        guard let rootVC = presentingViewController() else {
           completion(nil, "no_window")
           return
         }
@@ -62,8 +61,7 @@ public class AuthAdapter: NSObject {
       objc_setAssociatedObject(controller, &delegateHandle, delegate, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
 
       DispatchQueue.main.async {
-        guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-              let window = windowScene.windows.first(where: { $0.isKeyWindow }) ?? windowScene.windows.first else {
+        guard let window = activeWindow() else {
           completion(nil, "no_window")
           return
         }
@@ -191,14 +189,8 @@ public class AuthAdapter: NSObject {
           completion: completion
         )
       }
-      
-      guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-            let window = windowScene.windows.first(where: { $0.isKeyWindow }) ?? windowScene.windows.first,
-            let rootVC = window.rootViewController else {
-        completion(nil, "no_window")
-        return
-      }
-      guard let window = rootVC.view.window else {
+
+      guard let window = activeWindow() else {
         completion(nil, "no_window")
         return
       }
@@ -269,7 +261,7 @@ public class AuthAdapter: NSObject {
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
-        if let error = error {
+        if error != nil {
           completion(nil, "network_error")
           return
         }
@@ -325,6 +317,7 @@ public class AuthAdapter: NSObject {
           "idToken": idToken,
           "accessToken": accessToken,
           "serverAuthCode": "",
+          "scopes": scopes,
           "expirationTime": expirationTime,
           "underlyingError": ""
         ]
@@ -431,8 +424,7 @@ public class AuthAdapter: NSObject {
   public static func addScopes(scopes: [String], completion: @escaping (NSDictionary?, String?) -> Void) {
     if let currentUser = GIDSignIn.sharedInstance.currentUser {
       DispatchQueue.main.async {
-        guard let windowScene = UIApplication.shared.connectedScenes.first as? UIWindowScene,
-              let rootVC = windowScene.windows.first?.rootViewController else {
+        guard let rootVC = presentingViewController() else {
           completion(nil, "no_window")
           return
         }
@@ -512,6 +504,7 @@ public class AuthAdapter: NSObject {
   private static func tryMicrosoftSilentRefresh(completion: @escaping (NSDictionary?) -> Void) {
     tokenStoreLock.lock()
     let refreshToken = inMemoryMicrosoftRefreshToken
+    let currentScopes = inMemoryMicrosoftScopes
     tokenStoreLock.unlock()
     guard let refreshToken = refreshToken else {
       completion(nil)
@@ -592,6 +585,7 @@ public class AuthAdapter: NSObject {
           "idToken": idToken,
           "accessToken": accessToken,
           "serverAuthCode": "",
+          "scopes": currentScopes,
           "expirationTime": expirationTime
         ]
         completion(resultData as NSDictionary)
@@ -632,7 +626,7 @@ public class AuthAdapter: NSObject {
       .data(using: .utf8)
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
-        if let error = error {
+        if error != nil {
           completion(nil, "network_error")
           return
         }
@@ -697,6 +691,41 @@ public class AuthAdapter: NSObject {
     inMemoryGoogleServerAuthCode = nil
     tokenStoreLock.unlock()
   }
+
+  private static func activeWindow() -> UIWindow? {
+    let windowScenes = UIApplication.shared.connectedScenes
+      .compactMap { $0 as? UIWindowScene }
+      .filter {
+        $0.activationState == .foregroundActive ||
+          $0.activationState == .foregroundInactive
+      }
+
+    for scene in windowScenes {
+      if let keyWindow = scene.windows.first(where: { $0.isKeyWindow }) {
+        return keyWindow
+      }
+    }
+
+    return windowScenes.lazy.compactMap { $0.windows.first }.first
+  }
+
+  private static func presentingViewController() -> UIViewController? {
+    guard let rootViewController = activeWindow()?.rootViewController else {
+      return nil
+    }
+
+    var current = rootViewController
+    while let presented = current.presentedViewController {
+      current = presented
+    }
+    if let navigationController = current as? UINavigationController {
+      return navigationController.visibleViewController ?? navigationController
+    }
+    if let tabBarController = current as? UITabBarController {
+      return tabBarController.selectedViewController ?? tabBarController
+    }
+    return current
+  }
 }
 
 private var delegateHandle: UInt8 = 0

package/ios/PlatformAuth+iOS.mm

@@ -18,7 +18,23 @@ namespace margelo::nitro::NitroAuth {
  
  inline std::optional<std::string> nsToStd(NSString* _Nullable ns) {
      if (ns == nil) return std::nullopt;
-     return std::string([ns UTF8String]);
+     std::string value([ns UTF8String]);
+     if (value.empty()) return std::nullopt;
+     return value;
+ }
+
+ inline std::optional<std::vector<std::string>> nsArrayToStd(NSArray<NSString*>* _Nullable nsArray) {
+     if (nsArray == nil || nsArray.count == 0) return std::nullopt;
+
+     std::vector<std::string> values;
+     values.reserve(nsArray.count);
+     for (NSString* value in nsArray) {
+         if (value.length == 0) continue;
+         values.emplace_back([value UTF8String]);
+     }
+
+     if (values.empty()) return std::nullopt;
+     return values;
  }
 
 std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
@@ -85,6 +101,7 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::login(AuthProvider provider, co
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         
@@ -123,6 +140,7 @@ std::shared_ptr<Promise<AuthUser>> PlatformAuth::requestScopes(const std::vector
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         promise->resolve(user);
@@ -168,6 +186,7 @@ std::shared_ptr<Promise<std::optional<AuthUser>>> PlatformAuth::silentRestore()
         user.idToken = nsToStd([data objectForKey:@"idToken"]);
         if ([data objectForKey:@"accessToken"]) user.accessToken = nsToStd([data objectForKey:@"accessToken"]);
         if ([data objectForKey:@"serverAuthCode"]) user.serverAuthCode = nsToStd([data objectForKey:@"serverAuthCode"]);
+        if ([data objectForKey:@"scopes"]) user.scopes = nsArrayToStd([data objectForKey:@"scopes"]);
         if ([data objectForKey:@"expirationTime"]) user.expirationTime = [[data objectForKey:@"expirationTime"] doubleValue];
         if ([data objectForKey:@"underlyingError"]) user.underlyingError = nsToStd([data objectForKey:@"underlyingError"]);
         promise->resolve(user);