react-native-nitro-auth 0.5.8 → 0.5.10

package/CHANGELOG.md

@@ -0,0 +1,48 @@
+# Changelog
+
+## 0.5.10 - 2026-04-27
+
+### Fixed
+
+- Fixed iOS Microsoft sign-in so `ASWebAuthenticationSession` is retained until callback or cancellation and duplicate sessions fail with `operation_in_progress`.
+- Fixed the example app header so it displays the current package version.
+
+### Verified
+
+- `bun run check:ci`
+- `bunx expo install --check --cwd apps/example`
+- `bunx expo-doctor@latest apps/example`
+- `bun run example:prebuild`
+- `bun run publish-package:dry-run`
+
+## 0.5.9 - 2026-04-24
+
+### Added
+
+- Added shared JS service factory coverage and logger behavior tests.
+- Added C++ coverage support with `test:cpp:coverage` and expanded native tests for session restore, token refresh, access-token fallback, scope updates, listener isolation, logout cancellation, and serializer behavior.
+- Added example-app smoke checks for the public auth API, provider support, platform-gated behavior, and session-dependent methods.
+
+### Changed
+
+- Updated Expo SDK 55 patch dependencies, React Native 0.83.6, Nitro Modules 0.35.5, and related build tooling.
+- Refactored native/web `AuthService` creation so native and web error mapping stay consistent.
+- Hardened web OAuth state, cache parsing, token refresh, and provider error handling.
+- Improved example app handling for unsupported providers and unavailable session actions.
+- Improved release validation to include JS and C++ coverage gates and a faster publish dry run path.
+
+### Fixed
+
+- Fixed native runtime crashes in the example app when optional Nitro methods are not available on the installed native object.
+- Fixed startup `silentRestore()` errors in the example app so restore failures surface in status instead of becoming unhandled promises.
+- Excluded C++ test sources from the iOS pod target to avoid app-target duplicate `main` symbols.
+
+### Verified
+
+- `bun run check:ci`
+- `bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand`
+- `bun run --cwd packages/react-native-nitro-auth test:cpp:coverage`
+- `bun run publish-package:dry-run`
+- `bun run example:prebuild`
+- `bun run example:android`
+- `bun run example:ios`

package/README.md

@@ -1,5 +1,10 @@
 # react-native-nitro-auth
 
+![npm](https://img.shields.io/badge/npm-v0.5.10-f97316?style=flat-square)
+![license](https://img.shields.io/badge/license-MIT-007ec6?style=flat-square)
+![react-native](https://img.shields.io/badge/react--native-%3E%3D0.75-61dafb?style=flat-square)
+![nitro-modules](https://img.shields.io/badge/nitro--modules-%3E%3D0.35.0-black?style=flat-square)
+
 Fast React Native authentication for Google Sign-In, Apple Sign-In, and Microsoft Entra ID, built on Nitro Modules and JSI.
 
 `react-native-nitro-auth` gives Expo and React Native apps one typed API for native social login, web OAuth, token refresh, incremental scopes, and auth state listeners without owning your app's long-term token storage.
@@ -13,15 +18,16 @@ Fast React Native authentication for Google Sign-In, Apple Sign-In, and Microsof
 - Typed `useAuth()` hook, `AuthService`, `SocialButton`, and `AuthError`.
 - App-owned persistence model: tokens stay in memory unless your app stores a snapshot.
 - Built-in flows for silent restore, token refresh, account picker, login hints, and incremental Google scopes.
+- Consistent `AuthError` mapping for async `AuthService` failures on native and web.
 
 ## Choose Your Path
 
-| Need | Use |
-| --- | --- |
-| Google, Apple, or Microsoft sign-in in an Expo or React Native app | `react-native-nitro-auth` |
-| Generic OAuth or OIDC provider not covered by this package | `expo-auth-session` or `react-native-app-auth` |
+| Need                                                                   | Use                                                               |
+| ---------------------------------------------------------------------- | ----------------------------------------------------------------- |
+| Google, Apple, or Microsoft sign-in in an Expo or React Native app     | `react-native-nitro-auth`                                         |
+| Generic OAuth or OIDC provider not covered by this package             | `expo-auth-session` or `react-native-app-auth`                    |
 | Firebase user management, password auth, MFA, and hosted auth platform | `@react-native-firebase/auth`, Auth0, Authgear, or your IDaaS SDK |
-| Server-side session validation | Your backend; client JWT decode is display-only |
+| Server-side session validation                                         | Your backend; client JWT decode is display-only                   |
 
 ## Install
 
@@ -43,12 +49,12 @@ cd ios && pod install
 
 ## Requirements
 
-| Runtime | Requirement |
-| --- | --- |
-| React Native | `>=0.75` |
-| Nitro Modules | `>=0.35` |
-| iOS | 15.1+ recommended |
-| Android | min SDK 24+ recommended |
+| Runtime               | Requirement                              |
+| --------------------- | ---------------------------------------- |
+| React Native          | `>=0.75`                                 |
+| Nitro Modules         | `>=0.35`                                 |
+| iOS                   | 15.1+ recommended                        |
+| Android               | min SDK 24+ recommended                  |
 | Expo example baseline | Expo SDK 55, React Native 0.83, React 19 |
 
 ## Expo Setup
@@ -102,19 +108,19 @@ export default {
 
 ### Plugin Options
 
-| Option | Platform | Purpose |
-| --- | --- | --- |
-| `ios.googleClientId` | iOS | Google iOS OAuth client ID |
-| `ios.googleServerClientId` | iOS | Google web/server client ID for server auth code flows |
-| `ios.googleUrlScheme` | iOS | Reversed iOS client ID URL scheme |
-| `ios.appleSignIn` | iOS | Adds Apple Sign-In entitlement when `true` |
-| `ios.microsoftClientId` | iOS | Microsoft app/client ID |
-| `ios.microsoftTenant` | iOS | Microsoft tenant, `common`, `organizations`, `consumers`, or tenant ID |
-| `ios.microsoftB2cDomain` | iOS | Azure AD B2C domain |
-| `android.googleClientId` | Android | Google web OAuth client ID |
-| `android.microsoftClientId` | Android | Microsoft app/client ID |
-| `android.microsoftTenant` | Android | Microsoft tenant |
-| `android.microsoftB2cDomain` | Android | Azure AD B2C domain |
+| Option                       | Platform | Purpose                                                                |
+| ---------------------------- | -------- | ---------------------------------------------------------------------- |
+| `ios.googleClientId`         | iOS      | Google iOS OAuth client ID                                             |
+| `ios.googleServerClientId`   | iOS      | Google web/server client ID for server auth code flows                 |
+| `ios.googleUrlScheme`        | iOS      | Reversed iOS client ID URL scheme                                      |
+| `ios.appleSignIn`            | iOS      | Adds Apple Sign-In entitlement when `true`                             |
+| `ios.microsoftClientId`      | iOS      | Microsoft app/client ID                                                |
+| `ios.microsoftTenant`        | iOS      | Microsoft tenant, `common`, `organizations`, `consumers`, or tenant ID |
+| `ios.microsoftB2cDomain`     | iOS      | Azure AD B2C domain                                                    |
+| `android.googleClientId`     | Android  | Google web OAuth client ID                                             |
+| `android.microsoftClientId`  | Android  | Microsoft app/client ID                                                |
+| `android.microsoftTenant`    | Android  | Microsoft tenant                                                       |
+| `android.microsoftB2cDomain` | Android  | Azure AD B2C domain                                                    |
 
 ## Provider Setup
 
@@ -239,16 +245,16 @@ await login("microsoft", {
 });
 ```
 
-| Option | Applies to | Notes |
-| --- | --- | --- |
-| `scopes` | Google, Microsoft | Requested OAuth scopes |
-| `loginHint` | Google, Microsoft | Prefills account selection when supported |
-| `useOneTap` | Android Google | Enables Credential Manager auto-select |
-| `useSheet` | iOS Google | Uses native sign-in sheet behavior |
-| `forceAccountPicker` | Google | Forces account picker |
-| `useLegacyGoogleSignIn` | Android Google | Uses legacy Google Sign-In path for server auth code |
-| `tenant` | Microsoft | Overrides configured tenant |
-| `prompt` | Microsoft | `login`, `consent`, `select_account`, or `none` |
+| Option                  | Applies to        | Notes                                                |
+| ----------------------- | ----------------- | ---------------------------------------------------- |
+| `scopes`                | Google, Microsoft | Requested OAuth scopes                               |
+| `loginHint`             | Google, Microsoft | Prefills account selection when supported            |
+| `useOneTap`             | Android Google    | Enables Credential Manager auto-select               |
+| `useSheet`              | iOS Google        | Uses native sign-in sheet behavior                   |
+| `forceAccountPicker`    | Google            | Forces account picker                                |
+| `useLegacyGoogleSignIn` | Android Google    | Uses legacy Google Sign-In path for server auth code |
+| `tenant`                | Microsoft         | Overrides configured tenant                          |
+| `prompt`                | Microsoft         | `login`, `consent`, `select_account`, or `none`      |
 
 ## Incremental Scopes
 
@@ -288,7 +294,7 @@ extra: {
 
 ## Error Contract
 
-All public async APIs throw `AuthError`.
+All public async APIs throw `AuthError`, including provider errors surfaced by native and web `AuthService` implementations.
 
 ```ts
 try {
@@ -411,16 +417,16 @@ The demo includes:
 
 ## Troubleshooting
 
-| Symptom | Check |
-| --- | --- |
-| `configuration_error` on Google | Client ID is missing or wrong for the current platform |
-| Google works in debug but not release | Add release SHA-1/SHA-256 fingerprints to Google Cloud Console |
-| Android `hasPlayServices` is false | Use an emulator image with Google Play Services |
-| Apple email/name missing | Apple only returns these fields on first authorization |
-| Microsoft `invalid_state` | Redirect URI or app resume path is wrong, or an old auth redirect completed late |
-| Microsoft `token_error` | Check tenant, client ID, redirect URI, and requested scopes |
-| Web popup blocked | Call `login()` from a user gesture such as a button press |
-| `operation_in_progress` | A provider flow is already active; wait for it to finish or sign out |
+| Symptom                               | Check                                                                            |
+| ------------------------------------- | -------------------------------------------------------------------------------- |
+| `configuration_error` on Google       | Client ID is missing or wrong for the current platform                           |
+| Google works in debug but not release | Add release SHA-1/SHA-256 fingerprints to Google Cloud Console                   |
+| Android `hasPlayServices` is false    | Use an emulator image with Google Play Services                                  |
+| Apple email/name missing              | Apple only returns these fields on first authorization                           |
+| Microsoft `invalid_state`             | Redirect URI or app resume path is wrong, or an old auth redirect completed late |
+| Microsoft `token_error`               | Check tenant, client ID, redirect URI, and requested scopes                      |
+| Web popup blocked                     | Call `login()` from a user gesture such as a button press                        |
+| `operation_in_progress`               | A provider flow is already active; wait for it to finish or sign out             |
 
 ## Production Notes
 
@@ -433,13 +439,26 @@ The demo includes:
 ## Release Checks
 
 ```sh
-bun run codegen
-bun run build
+bun run publish-package:dry-run
+```
+
+The publish script runs frozen install, core-version verification, codegen, build, lint, typecheck, Jest, JS coverage, C++ tests, C++ coverage, Expo Doctor, package docs sync, pack dry run, and `bun publish --dry-run --ignore-scripts`.
+
+For faster local iteration before the full release dry run:
+
+```sh
 bun run check
 bun run test:cpp
-bun example:prebuild:clean
-bun example:ios
-bun example:android
+bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand
+bun run --cwd packages/react-native-nitro-auth test:cpp:coverage
+```
+
+Before shipping provider or native config changes, also verify the example app:
+
+```sh
+bun run example:prebuild
+bun run example:android
+bun run example:ios
 ```
 
 ## License

package/cpp/HybridAuth.cpp

@@ -2,10 +2,63 @@
 #include "PlatformAuth.hpp"
 #include <algorithm>
 #include <chrono>
+#include <exception>
 #include <stdexcept>
+#include <unordered_set>
 
 namespace margelo::nitro::NitroAuth {
 
+namespace {
+
+std::exception_ptr makeAuthError(const char* message) {
+  return std::make_exception_ptr(std::runtime_error(message));
+}
+
+void rejectIfPending(const std::shared_ptr<Promise<AuthTokens>>& promise, const char* message) {
+  if (promise && promise->isPending()) {
+    promise->reject(makeAuthError(message));
+  }
+}
+
+void mergeGrantedScopes(std::vector<std::string>& grantedScopes, const std::vector<std::string>& scopes) {
+  std::unordered_set<std::string> knownScopes(grantedScopes.begin(), grantedScopes.end());
+  grantedScopes.reserve(grantedScopes.size() + scopes.size());
+
+  for (const auto& scope : scopes) {
+    if (knownScopes.insert(scope).second) {
+      grantedScopes.push_back(scope);
+    }
+  }
+}
+
+void removeGrantedScopes(std::vector<std::string>& grantedScopes, const std::vector<std::string>& scopes) {
+  if (scopes.empty() || grantedScopes.empty()) {
+    return;
+  }
+
+  const std::unordered_set<std::string> scopesToRemove(scopes.begin(), scopes.end());
+  grantedScopes.erase(
+    std::remove_if(grantedScopes.begin(), grantedScopes.end(),
+      [&scopesToRemove](const std::string& scope) {
+        return scopesToRemove.find(scope) != scopesToRemove.end();
+      }),
+    grantedScopes.end()
+  );
+}
+
+template <typename TCallback, typename TValue>
+void invokeListenersSafely(const std::vector<TCallback>& listeners, const TValue& value) {
+  for (const auto& listener : listeners) {
+    try {
+      listener(value);
+    } catch (...) {
+      // Callback failures are isolated so one listener cannot block core state updates.
+    }
+  }
+}
+
+} // namespace
+
 HybridAuth::HybridAuth() : HybridObject(TAG) {
   // In-memory only - no internal persistence.
 }
@@ -30,13 +83,12 @@ void HybridAuth::notifyAuthStateChanged() {
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
     user = _currentUser;
+    listeners.reserve(_listeners.size());
     for (auto const& [id, listener] : _listeners) {
       listeners.push_back(listener);
     }
   }
-  for (const auto& listener : listeners) {
-    listener(user);
-  }
+  invokeListenersSafely(listeners, user);
 }
 
 std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(const std::optional<AuthUser>&)>& callback) {
@@ -49,6 +101,7 @@ std::function<void()> HybridAuth::onAuthStateChanged(const std::function<void(co
     auto self = weak.lock();
     if (!self) return;
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) return;
     std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
     auth->_listeners.erase(id);
   };
@@ -64,26 +117,28 @@ std::function<void()> HybridAuth::onTokensRefreshed(const std::function<void(con
     auto self = weak.lock();
     if (!self) return;
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) return;
     std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
     auth->_tokenListeners.erase(id);
   };
 }
 
+std::shared_ptr<Promise<AuthTokens>> HybridAuth::advanceSessionGenerationLocked() {
+  _sessionGeneration++;
+  auto refreshInFlight = _refreshInFlight;
+  _refreshInFlight = nullptr;
+  return refreshInFlight;
+}
+
 void HybridAuth::logout() {
   std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
-    _sessionGeneration++;
+    refreshInFlight = advanceSessionGenerationLocked();
     _currentUser = std::nullopt;
     _grantedScopes.clear();
-    refreshInFlight = _refreshInFlight;
-    _refreshInFlight = nullptr;
-  }
-  if (refreshInFlight) {
-    refreshInFlight->reject(
-      std::make_exception_ptr(std::runtime_error("not_signed_in"))
-    );
   }
+  rejectIfPending(refreshInFlight, "not_signed_in");
   PlatformAuth::logout();
   notifyAuthStateChanged();
 }
@@ -99,12 +154,18 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
   auto self = shared_from_this();
   silentPromise->addOnResolvedListener([self, promise, generation](const std::optional<AuthUser>& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
       if (auth->_sessionGeneration != generation) {
         promise->resolve();
         return;
       }
+      refreshInFlight = auth->advanceSessionGenerationLocked();
       auth->_currentUser = user;
       if (user) {
         if (user->scopes) {
@@ -116,6 +177,7 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
         auth->_grantedScopes.clear();
       }
     }
+    rejectIfPending(refreshInFlight, "cancelled");
     // Always resolve - no session is not an error, just means user is logged out
     auth->notifyAuthStateChanged();
     promise->resolve();
@@ -131,23 +193,30 @@ std::shared_ptr<Promise<void>> HybridAuth::silentRestore() {
 std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const std::optional<LoginOptions>& options) {
   auto promise = Promise<void>::create();
   uint64_t generation;
+  std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
+    refreshInFlight = advanceSessionGenerationLocked();
     generation = _sessionGeneration;
   }
+  rejectIfPending(refreshInFlight, "cancelled");
   
   auto self = shared_from_this();
   auto loginPromise = PlatformAuth::login(provider, options);
   loginPromise->addOnResolvedListener([self, promise, options, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    std::shared_ptr<Promise<AuthTokens>> refreshInFlight;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
       if (auth->_sessionGeneration != generation) {
-        promise->reject(
-          std::make_exception_ptr(std::runtime_error("cancelled"))
-        );
+        promise->reject(makeAuthError("cancelled"));
         return;
       }
+      refreshInFlight = auth->advanceSessionGenerationLocked();
       auth->_currentUser = user;
       if (user.scopes && !user.scopes->empty()) {
         auth->_grantedScopes = *user.scopes;
@@ -162,6 +231,7 @@ std::shared_ptr<Promise<void>> HybridAuth::login(AuthProvider provider, const st
           : std::make_optional(auth->_grantedScopes);
       }
     }
+    rejectIfPending(refreshInFlight, "cancelled");
     auth->notifyAuthStateChanged();
     promise->resolve();
   });
@@ -183,20 +253,18 @@ std::shared_ptr<Promise<void>> HybridAuth::requestScopes(const std::vector<std::
   auto requestPromise = PlatformAuth::requestScopes(scopes);
   requestPromise->addOnResolvedListener([self, promise, scopes, generation](const AuthUser& user) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
       if (auth->_sessionGeneration != generation) {
-        promise->reject(
-          std::make_exception_ptr(std::runtime_error("cancelled"))
-        );
+        promise->reject(makeAuthError("cancelled"));
         return;
       }
       auth->_currentUser = user;
-      for (const auto& scope : scopes) {
-        if (std::find(auth->_grantedScopes.begin(), auth->_grantedScopes.end(), scope) == auth->_grantedScopes.end()) {
-          auth->_grantedScopes.push_back(scope);
-        }
-      }
+      mergeGrantedScopes(auth->_grantedScopes, scopes);
       if (auth->_currentUser) auth->_currentUser->scopes = auth->_grantedScopes;
     }
     auth->notifyAuthStateChanged();
@@ -213,13 +281,7 @@ std::shared_ptr<Promise<void>> HybridAuth::revokeScopes(const std::vector<std::s
   auto promise = Promise<void>::create();
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
-    _grantedScopes.erase(
-      std::remove_if(_grantedScopes.begin(), _grantedScopes.end(),
-        [&scopes](const std::string& s) {
-          return std::find(scopes.begin(), scopes.end(), s) != scopes.end();
-        }),
-      _grantedScopes.end()
-    );
+    removeGrantedScopes(_grantedScopes, scopes);
     if (_currentUser) {
       _currentUser->scopes = _grantedScopes;
     }
@@ -280,28 +342,41 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
   auto refreshPromise = PlatformAuth::refreshToken();
   refreshPromise->addOnResolvedListener([self, promise, generation](const AuthTokens& tokens) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    bool isStale = false;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
       if (auth->_sessionGeneration != generation) {
-        return;
-      }
-      if (auth->_currentUser) {
-        if (tokens.accessToken.has_value()) {
-          auth->_currentUser->accessToken = tokens.accessToken;
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
         }
-        if (tokens.idToken.has_value()) {
-          auth->_currentUser->idToken = tokens.idToken;
-        }
-        if (tokens.refreshToken.has_value()) {
-          auth->_currentUser->refreshToken = tokens.refreshToken;
+        isStale = true;
+      } else {
+        if (auth->_currentUser) {
+          if (tokens.accessToken.has_value()) {
+            auth->_currentUser->accessToken = tokens.accessToken;
+          }
+          if (tokens.idToken.has_value()) {
+            auth->_currentUser->idToken = tokens.idToken;
+          }
+          if (tokens.refreshToken.has_value()) {
+            auth->_currentUser->refreshToken = tokens.refreshToken;
+          }
+          if (tokens.expirationTime.has_value()) {
+            auth->_currentUser->expirationTime = tokens.expirationTime;
+          }
         }
-        if (tokens.expirationTime.has_value()) {
-          auth->_currentUser->expirationTime = tokens.expirationTime;
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
         }
       }
-      if (auth->_refreshInFlight == promise) {
-        auth->_refreshInFlight = nullptr;
-      }
+    }
+    if (isStale) {
+      rejectIfPending(promise, "cancelled");
+      return;
     }
     auth->notifyTokensRefreshed(tokens);
     auth->notifyAuthStateChanged();
@@ -310,15 +385,26 @@ std::shared_ptr<Promise<AuthTokens>> HybridAuth::refreshToken() {
 
   refreshPromise->addOnRejectedListener([self, promise, generation](const std::exception_ptr& error) {
     auto* auth = dynamic_cast<HybridAuth*>(self.get());
+    if (!auth) {
+      promise->reject(makeAuthError("internal_error"));
+      return;
+    }
+    bool isStale = false;
     {
       std::lock_guard<std::recursive_mutex> lock(auth->_mutex);
       if (auth->_sessionGeneration != generation) {
-        return;
-      }
-      if (auth->_refreshInFlight == promise) {
+        if (auth->_refreshInFlight == promise) {
+          auth->_refreshInFlight = nullptr;
+        }
+        isStale = true;
+      } else if (auth->_refreshInFlight == promise) {
         auth->_refreshInFlight = nullptr;
       }
     }
+    if (isStale) {
+      rejectIfPending(promise, "cancelled");
+      return;
+    }
     promise->reject(error);
   });
   return promise;
@@ -332,13 +418,12 @@ void HybridAuth::notifyTokensRefreshed(const AuthTokens& tokens) {
   std::vector<std::function<void(const AuthTokens&)>> listeners;
   {
     std::lock_guard<std::recursive_mutex> lock(_mutex);
+    listeners.reserve(_tokenListeners.size());
     for (auto const& [id, listener] : _tokenListeners) {
       listeners.push_back(listener);
     }
   }
-  for (const auto& listener : listeners) {
-    listener(tokens);
-  }
+  invokeListenersSafely(listeners, tokens);
 }
 
 } // namespace margelo::nitro::NitroAuth

package/cpp/HybridAuth.hpp

@@ -38,6 +38,7 @@ public:
 private:
   void notifyAuthStateChanged();
   void notifyTokensRefreshed(const AuthTokens& tokens);
+  std::shared_ptr<Promise<AuthTokens>> advanceSessionGenerationLocked();
 
 private:
   std::optional<AuthUser> _currentUser;

package/ios/AuthAdapter.swift

@@ -10,6 +10,7 @@ public class AuthAdapter: NSObject {
   private static var inMemoryMicrosoftRefreshToken: String?
   private static var inMemoryMicrosoftScopes: [String] = defaultMicrosoftScopes
   private static var inMemoryGoogleServerAuthCode: String?
+  private static var activeMicrosoftWebAuthSession: ASWebAuthenticationSession?
   private static let tokenStoreLock = NSLock()
 
   @objc
@@ -135,22 +136,32 @@ public class AuthAdapter: NSObject {
     let callbackScheme = "msauth.\(bundleId)"
     
     DispatchQueue.main.async {
+      guard self.activeMicrosoftWebAuthSession == nil else {
+        completion(nil, "operation_in_progress")
+        return
+      }
+
+      let completeAndClearSession = { (data: NSDictionary?, error: String?) in
+        self.activeMicrosoftWebAuthSession = nil
+        completion(data, error)
+      }
+
       let session = ASWebAuthenticationSession(url: authUrl, callbackURLScheme: callbackScheme) { callbackURL, error in
         if let error = error {
           let nsError = error as NSError
           if nsError.code == ASWebAuthenticationSessionError.canceledLogin.rawValue {
-            completion(nil, "cancelled")
+            completeAndClearSession(nil, "cancelled")
           } else if nsError.domain.lowercased().contains("network") || nsError.code == NSURLErrorNotConnectedToInternet {
-            completion(nil, "network_error")
+            completeAndClearSession(nil, "network_error")
           } else {
-            completion(nil, "unknown")
+            completeAndClearSession(nil, "unknown")
           }
           return
         }
 
         guard let callbackURL = callbackURL,
               let components = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false) else {
-          completion(nil, "unknown")
+          completeAndClearSession(nil, "unknown")
           return
         }
 
@@ -163,20 +174,21 @@ public class AuthAdapter: NSObject {
           // OAuth error codes are already structured (e.g. "access_denied").
           // Map well-known ones; fall back to "unknown".
           let mapped = mapOAuthError(errorCode)
-          completion(nil, mapped)
+          completeAndClearSession(nil, mapped)
           return
         }
 
         guard let returnedState = params["state"], returnedState == state else {
-          completion(nil, "invalid_state")
+          completeAndClearSession(nil, "invalid_state")
           return
         }
 
         guard let code = params["code"] else {
-          completion(nil, "unknown")
+          completeAndClearSession(nil, "unknown")
           return
         }
         
+        self.activeMicrosoftWebAuthSession = nil
         exchangeCodeForTokens(
           code: code,
           codeVerifier: codeVerifier,
@@ -191,14 +203,17 @@ public class AuthAdapter: NSObject {
       }
 
       guard let window = activeWindow() else {
-        completion(nil, "no_window")
+        completeAndClearSession(nil, "no_window")
         return
       }
       let contextProvider = WebAuthContextProvider(anchor: window)
       session.presentationContextProvider = contextProvider
       objc_setAssociatedObject(session, &contextProviderHandle, contextProvider, .OBJC_ASSOCIATION_RETAIN_NONATOMIC)
       session.prefersEphemeralWebBrowserSession = false
-      session.start()
+      self.activeMicrosoftWebAuthSession = session
+      if !session.start() {
+        completeAndClearSession(nil, "unknown")
+      }
     }
   }
   
@@ -685,6 +700,10 @@ public class AuthAdapter: NSObject {
   @objc
   public static func logout() {
     GIDSignIn.sharedInstance.signOut()
+    DispatchQueue.main.async {
+      self.activeMicrosoftWebAuthSession?.cancel()
+      self.activeMicrosoftWebAuthSession = nil
+    }
     tokenStoreLock.lock()
     inMemoryMicrosoftRefreshToken = nil
     inMemoryMicrosoftScopes = defaultMicrosoftScopes