react-native-nitro-auth 0.5.7 → 0.5.9

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -142,6 +142,7 @@ object AuthAdapter {
     }
 
     fun dispose() {
+        clearPkceState()
         moduleScope.cancel()
         moduleScope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
         runCatching { nativeDispose() }
@@ -309,7 +310,8 @@ object AuthAdapter {
         val origin = pendingOrigin
         if (error != null) {
             clearPkceState()
-            nativeOnLoginError(origin, error, errorDescription)
+            val mappedError = mapMicrosoftOAuthError(error)
+            nativeOnLoginError(origin, mappedError, errorDescription ?: error)
             return
         }
         if (state != pendingState) {
@@ -391,7 +393,7 @@ object AuthAdapter {
                 val error = json.optString("error", "token_error")
                 val desc = json.optString("error_description", "Failed to exchange code for tokens")
                 clearPkceState()
-                nativeOnLoginError(origin, error, desc)
+                nativeOnLoginError(origin, mapMicrosoftOAuthError(error), desc)
             } catch (e: Exception) {
                 clearPkceState()
                 nativeOnLoginError(origin, "token_error", "Failed to exchange code for tokens")
@@ -438,6 +440,7 @@ object AuthAdapter {
         }
     }
 
+    @Synchronized
     private fun clearPkceState() {
         pendingOrigin = "login"
         pendingPkceVerifier = null
@@ -450,6 +453,16 @@ object AuthAdapter {
         microsoftAuthInProgress = false
     }
 
+    private fun mapMicrosoftOAuthError(error: String): String {
+        return when (error) {
+            "access_denied", "interaction_required" -> "cancelled"
+            "invalid_client", "unauthorized_client" -> "configuration_error"
+            "invalid_grant", "invalid_request", "invalid_scope" -> "token_error"
+            "temporarily_unavailable", "server_error" -> "network_error"
+            else -> "token_error"
+        }
+    }
+
     private fun decodeJwt(token: String): Map<String, String> {
         return try {
             val parts = token.split(".")
@@ -594,8 +607,10 @@ object AuthAdapter {
         val account = GoogleSignIn.getLastSignedInAccount(ctx)
         if (account != null) {
             val newScopes = scopes.map { Scope(it) }
+            val grantedScopes = account.grantedScopes?.map { it.scopeUri }.orEmpty()
+            val allScopes = (grantedScopes + scopes.toList()).distinct()
             if (GoogleSignIn.hasPermissions(account, *newScopes.toTypedArray())) {
-                onSignInSuccess(account, (pendingScopes + scopes.toList()).distinct(), "scopes")
+                onSignInSuccess(account, allScopes, "scopes")
                 return
             }
             val clientId = getClientIdFromResources(ctx)
@@ -603,7 +618,6 @@ object AuthAdapter {
                 nativeOnLoginError("scopes", "configuration_error", "Google Client ID not configured")
                 return
             }
-            val allScopes = (pendingScopes + scopes.toList()).distinct()
             val intent = GoogleSignInActivity.createIntent(ctx, clientId, allScopes.toTypedArray(), account.email, origin = "scopes")
             ctx.startActivity(intent)
             return
@@ -667,6 +681,7 @@ object AuthAdapter {
     @JvmStatic
     fun logoutSync(context: Context) {
         val ctx = appContext ?: context.applicationContext
+        clearPkceState()
         // Clear Credential Manager state (covers One-Tap / passkey credentials).
         moduleScope.launch {
             try {
@@ -689,6 +704,7 @@ object AuthAdapter {
     @JvmStatic
     fun revokeAccessSync(context: Context) {
         val ctx = appContext ?: context.applicationContext
+        clearPkceState()
         val clientId = getClientIdFromResources(ctx)
         if (clientId != null) {
             val gso = GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
@@ -788,7 +804,7 @@ object AuthAdapter {
                                 val json = org.json.JSONObject(responseBody)
                                 val errorCode = json.optString("error", "token_error")
                                 val errorDesc = json.optString("error_description", "Token refresh failed")
-                                Pair(errorCode, errorDesc)
+                                Pair(mapMicrosoftOAuthError(errorCode), errorDesc)
                             } catch (e: Exception) {
                                 Pair("token_error", "Token refresh failed")
                             }
@@ -871,7 +887,7 @@ object AuthAdapter {
                                 val json = org.json.JSONObject(errorBody)
                                 val errorCode = json.optString("error", "token_error")
                                 val errorDesc = json.optString("error_description", "Token refresh failed")
-                                Pair(errorCode, errorDesc)
+                                Pair(mapMicrosoftOAuthError(errorCode), errorDesc)
                             } catch (e: Exception) {
                                 Pair("token_error", "Token refresh failed")
                             }

package/cpp/HybridAuth.cpp

@@ -2,9 +2,63 @@
 #include "PlatformAuth.hpp"
 #include <algorithm>
 #include <chrono>
+#include <exception>
+#include <stdexcept>
+#include <unordered_set>
 
 namespace margelo::nitro::NitroAuth {
 
+namespace {
+
+std::exception_ptr makeAuthError(const char* message) {
+  return std::make_exception_ptr(std::runtime_error(message));
+}
+
+void rejectIfPending(const std::shared_ptr<Promise<AuthTokens>>& promise, const char* message) {
+  if (promise && promise->isPending()) {
+    promise->reject(makeAuthError(message));
+  }
+}
+
+void mergeGrantedScopes(std::vector<std::string>& grantedScopes, const std::vector<std::string>& scopes) {
+  std::unordered_set<std::string> knownScopes(grantedScopes.begin(), grantedScopes.end());
+  grantedScopes.reserve(grantedScopes.size() + scopes.size());
+
+  for (const auto& scope : scopes) {
+    if (knownScopes.insert(scope).second) {
+      grantedScopes.push_back(scope);
+    }
+  }
+}
+
+void removeGrantedScopes(std::vector<std::string>& grantedScopes, const std::vector<std::string>& scopes) {
+  if (scopes.empty() || grantedScopes.empty()) {
+    return;
+  }
+
+  const std::unordered_set<std::string> scopesToRemove(scopes.begin(), scopes.end());
+  grantedScopes.erase(
+    std::remove_if(grantedScopes.begin(), grantedScopes.end(),
+      [&scopesToRemove](const std::string& scope) {
+        return scopesToRemove.find(scope) != scopesToRemove.end();
+      }),
+    grantedScopes.end()
+  );
+}
+
+template <typename TCallback, typename TValue>
+void invokeListenersSafely(const std::vector<TCallback>& listeners, const TValue& value) {
+  for (const auto& listener : listeners) {
+    try {
+      listener(value);
+    } catch (...) {
+      // Callback failures are isolated so one listener cannot block core state updates.
+    }
+  }
+}
+
+} // namespace
+
 HybridAuth::HybridAuth() : HybridObject(TAG) {
   // In-memory only - no internal persistence.
 }
@@ -29,13 +83,12 @@ void HybridAuth::notifyAuthStateChanged() {
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     user = _currentUser;
+    listeners.reserve(_listeners.size());
     for (auto const& [id, listener] : _listeners) {
       listeners.push_back(listener);
     }
   }
-  for (const auto& listener : listeners) {
-    listener(user);
-  }
+  invokeListenersSafely(listeners, user);
 }
 
 std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(const std::optional<AuthUser>&)>& callback) {
@@ -48,6 +101,7 @@ std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(co
     auto self = weak.lock();
     if (!self) return;
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) return;
     std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
     auth->_listeners.erase(id);
   };
@@ -63,29 +117,55 @@ std::function<void()> HybridAuth::onTokensRefreshed(const std::function<void(con
     auto self = weak.lock();
     if (!self) return;
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) return;
     std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
     auth->_tokenListeners.erase(id);
   };
 }
 
+std::shared_ptr<Promise<AuthTokens>> HybridAuth::advanceSessionGenerationLocked() {
+  _sessionGeneration++;
+  auto refreshInFlight = _refreshInFlight;
+  _refreshInFlight = nullptr;
+  return refreshInFlight;
+}
+
 void HybridAuth::logout() {
+  std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
+    refreshInFlight = advanceSessionGenerationLocked();
     _currentUser = std::nullopt;
     _grantedScopes.clear();
   }
+  rejectIfPending(refreshInFlight, "not_signed_in");
   PlatformAuth::logout();
   notifyAuthStateChanged();
 }
 
 std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    generation = _sessionGeneration;
+  }
   auto silentPromise = PlatformAuth::silentRestore();
   auto self = shared_from_this();
-  silentPromise->addOnResolvedListener([self, promise](const std::optional<AuthUser>& user) {
+  silentPromise->addOnResolvedListener([self, promise, generation](const std::optional<AuthUser>& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        promise->resolve();
+        return;
+      }
+      refreshInFlight = auth->advanceSessionGenerationLocked();
       auth->_currentUser = user;
       if (user) {
         if (user->scopes) {
@@ -97,6 +177,7 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
         auth->_grantedScopes.clear();
       }
     }
+    rejectIfPending(refreshInFlight, "cancelled");
     // Always resolve - no session is not an error, just means user is logged out
     auth->notifyAuthStateChanged();
     promise->resolve();
@@ -111,13 +192,31 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
 
 std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    refreshInFlight = advanceSessionGenerationLocked();
+    generation = _sessionGeneration;
+  }
+  rejectIfPending(refreshInFlight, "cancelled");
   
   auto self = shared_from_this();
   auto loginPromise = PlatformAuth::login(provider, options);
-  loginPromise->addOnResolvedListener([self, promise, options](const AuthUser& user) {
+  loginPromise->addOnResolvedListener([self, promise, options, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
+      if (auth->_sessionGeneration != generation) {
+        promise->reject(makeAuthError("cancelled"));
+        return;
+      }
+      refreshInFlight = auth->advanceSessionGenerationLocked();
       auth->_currentUser = user;
       if (user.scopes && !user.scopes->empty()) {
         auth->_grantedScopes = *user.scopes;
@@ -132,6 +231,7 @@ std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const st
           : std::make_optional(auth->_grantedScopes);
       }
     }
+    rejectIfPending(refreshInFlight, "cancelled");
     auth->notifyAuthStateChanged();
     promise->resolve();
   });
@@ -144,18 +244,27 @@ std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const st
 
 std::shared_ptr<Promise<void>> HybridAuth::requestScopes(const std::vector<std::string>& scopes) {
   auto promise = Promise<void>::create();
+  uint64_t generation;
+  {
+    std::lock_guard<std::recursive_mutex> lock(_mutex);
+    generation = _sessionGeneration;
+  }
   auto self = shared_from_this();
   auto requestPromise = PlatformAuth::requestScopes(scopes);
-  requestPromise->addOnResolvedListener([self, promise, scopes](const AuthUser& user) {
+  requestPromise->addOnResolvedListener([self, promise, scopes, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
-      auth->_currentUser = user;
-      for (const auto& scope : scopes) {
-        if (std::find(auth->_grantedScopes.begin(), auth->_grantedScopes.end(), scope) == auth->_grantedScopes.end()) {
-          auth->_grantedScopes.push_back(scope);
-        }
+      if (auth->_sessionGeneration != generation) {
+        promise->reject(makeAuthError("cancelled"));
+        return;
       }
+      auth->_currentUser = user;
+      mergeGrantedScopes(auth->_grantedScopes, scopes);
       if (auth->_currentUser) auth->_currentUser->scopes = auth->_grantedScopes;
     }
     auth->notifyAuthStateChanged();
@@ -172,13 +281,7 @@ std::shared_ptr<Promise<void>> HybridAuth::revokeScopes(const std::vector<std::s
   auto promise = Promise<void>::create();
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
-    _grantedScopes.erase(
-      std::remove_if(_grantedScopes.begin(), _grantedScopes.end(),
-        [&scopes](const std::string& s) {
-          return std::find(scopes.begin(), scopes.end(), s) != scopes.end();
-        }),
-      _grantedScopes.end()
-    );
+    removeGrantedScopes(_grantedScopes, scopes);
     if (_currentUser) {
       _currentUser->scopes = _grantedScopes;
     }
@@ -191,9 +294,11 @@ std::shared_ptr<Promise<void>> HybridAuth::revokeScopes(const std::vector<std::s
 std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken() {
   auto promise = Promise<std::optional<std::string>>::create();
   bool needsRefresh = false;
+  std::optional<std::string> cachedAccessToken;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     if (_currentUser && _currentUser->accessToken) {
+      cachedAccessToken = _currentUser->accessToken;
       if (_currentUser->expirationTime) {
         auto now = std::chrono::system_clock::now().time_since_epoch() / std::chrono::milliseconds(1);
         if (now + 300000 > *_currentUser->expirationTime) needsRefresh = true;
@@ -210,8 +315,8 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 
   if (needsRefresh) {
     auto refreshPromise = refreshToken();
-    refreshPromise->addOnResolvedListener([promise](const AuthTokens& tokens) {
-      promise->resolve(tokens.accessToken);
+    refreshPromise->addOnResolvedListener([promise, cachedAccessToken](const AuthTokens& tokens) {
+      promise->resolve(tokens.accessToken.has_value() ? tokens.accessToken : cachedAccessToken);
     });
     refreshPromise->addOnRejectedListener([promise](const std::exception_ptr& error) {
       promise->reject(error);
@@ -222,52 +327,84 @@ std::shared_ptr<Promise<std::optional<std::string>>> HybridAuth::getAccessToken(
 
 std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
   std::shared_ptr<Promise<AuthTokens>> promise;
+  uint64_t generation;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     if (_refreshInFlight) {
       return _refreshInFlight;
     }
+    generation = _sessionGeneration;
     promise = Promise<AuthTokens>::create();
     _refreshInFlight = promise;
   }
 
   auto self = shared_from_this();
   auto refreshPromise = PlatformAuth::refreshToken();
-  refreshPromise->addOnResolvedListener([self, promise](const AuthTokens& tokens) {
+  refreshPromise->addOnResolvedListener([self, promise, generation](const AuthTokens& tokens) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    bool isStale = false;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
-      if (auth->_currentUser) {
-        if (tokens.accessToken.has_value()) {
-          auth->_currentUser->accessToken = tokens.accessToken;
-        }
-        if (tokens.idToken.has_value()) {
-          auth->_currentUser->idToken = tokens.idToken;
+      if (auth->_sessionGeneration != generation) {
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
         }
-        if (tokens.refreshToken.has_value()) {
-          auth->_currentUser->refreshToken = tokens.refreshToken;
+        isStale = true;
+      } else {
+        if (auth->_currentUser) {
+          if (tokens.accessToken.has_value()) {
+            auth->_currentUser->accessToken = tokens.accessToken;
+          }
+          if (tokens.idToken.has_value()) {
+            auth->_currentUser->idToken = tokens.idToken;
+          }
+          if (tokens.refreshToken.has_value()) {
+            auth->_currentUser->refreshToken = tokens.refreshToken;
+          }
+          if (tokens.expirationTime.has_value()) {
+            auth->_currentUser->expirationTime = tokens.expirationTime;
+          }
         }
-        if (tokens.expirationTime.has_value()) {
-          auth->_currentUser->expirationTime = tokens.expirationTime;
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
         }
       }
-      if (auth->_refreshInFlight == promise) {
-        auth->_refreshInFlight = nullptr;
-      }
+    }
+    if (isStale) {
+      rejectIfPending(promise, "cancelled");
+      return;
     }
     auth->notifyTokensRefreshed(tokens);
     auth->notifyAuthStateChanged();
     promise->resolve(tokens);
   });
 
-  refreshPromise->addOnRejectedListener([self, promise](const std::exception_ptr& error) {
+  refreshPromise->addOnRejectedListener([self, promise, generation](const std::exception_ptr& error) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    bool isStale = false;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
-      if (auth->_refreshInFlight == promise) {
+      if (auth->_sessionGeneration != generation) {
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
+        }
+        isStale = true;
+      } else if (auth->_refreshInFlight == promise) {
         auth->_refreshInFlight = nullptr;
       }
     }
+    if (isStale) {
+      rejectIfPending(promise, "cancelled");
+      return;
+    }
     promise->reject(error);
   });
   return promise;
@@ -281,13 +418,12 @@ void HybridAuth::notifyTokensRefreshed(const AuthTokens& tokens) {
   std::vector<std::function<void(const AuthTokens&)>> listeners;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
+    listeners.reserve(_tokenListeners.size());
     for (auto const& [id, listener] : _tokenListeners) {
       listeners.push_back(listener);
     }
   }
-  for (const auto& listener : listeners) {
-    listener(tokens);
-  }
+  invokeListenersSafely(listeners, tokens);
 }
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/HybridAuth.hpp

@@ -38,6 +38,7 @@ public:
 private:
   void notifyAuthStateChanged();
   void notifyTokensRefreshed(const AuthTokens& tokens);
+  std::shared_ptr<Promise<AuthTokens>> advanceSessionGenerationLocked();
 
 private:
   std::optional<AuthUser> _currentUser;
@@ -48,6 +49,7 @@ private:
   std::map<uint64_t, std::function<void(const AuthTokens&)>> _tokenListeners;
   uint64_t _nextTokenListenerId = 0;
   std::shared_ptr<Promise<AuthTokens>> _refreshInFlight;
+  uint64_t _sessionGeneration = 0;
   
   // recursive_mutex: listeners resolved inside a lock scope may re-enter Auth methods
   // that also acquire _mutex, causing deadlock with a non-recursive mutex.

package/ios/AuthAdapter.swift

@@ -261,7 +261,7 @@ public class AuthAdapter: NSObject {
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
-        if let error = error {
+        if error != nil {
           completion(nil, "network_error")
           return
         }
@@ -626,7 +626,7 @@ public class AuthAdapter: NSObject {
       .data(using: .utf8)
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
-        if let error = error {
+        if error != nil {
           completion(nil, "network_error")
           return
         }