react-native-nitro-auth 0.5.8 → 0.5.9

package/lib/typescript/module/Auth.web.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Auth.web.d.ts","sourceRoot":"","sources":["../../../src/Auth.web.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,IAAI,EACJ,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,UAAU,EACX,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAkK7D,cAAM,OAAQ,YAAW,IAAI;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqB;IAC7C,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,cAAc,CAAgB;IACtC,OAAO,CAAC,UAAU,CAAgD;IAClE,OAAO,CAAC,eAAe,CAAwC;IAC/D,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,uBAAuB,CAAS;IACxC,OAAO,CAAC,oBAAoB,CAAsB;IAClD,OAAO,CAAC,eAAe,CAAkC;IACzD,OAAO,CAAC,mBAAmB,CAAqB;IAChD,OAAO,CAAC,cAAc,CAAkB;;IAOxC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,sBAAsB;IA0B9B,OAAO,CAAC,4BAA4B;IAOpC,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,iBAAiB;IAsCzB,OAAO,CAAC,SAAS;IAcjB,OAAO,CAAC,SAAS;IAYjB,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,0BAA0B;IAYlC,OAAO,CAAC,gBAAgB;IAUxB,OAAO,CAAC,gBAAgB;IAOxB,OAAO,CAAC,aAAa;IAgDrB,OAAO,CAAC,eAAe;IAIvB,IAAI,WAAW,IAAI,QAAQ,GAAG,SAAS,CAEtC;IAED,IAAI,aAAa,IAAI,MAAM,EAAE,CAE5B;IAED,IAAI,eAAe,IAAI,OAAO,CAE7B;IAED,kBAAkB,CAChB,QAAQ,EAAE,CAAC,IAAI,EAAE,QAAQ,GAAG,SAAS,KAAK,IAAI,GAC7C,MAAM,IAAI;IAQb,iBAAiB,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,GAAG,MAAM,IAAI;IAOrE,OAAO,CAAC,MAAM;IAMR,KAAK,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IA0BpE,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAyB9C,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAY7C,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAW7C,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;YAgB3B,mBAAmB;IA6GjC,OAAO,CAAC,QAAQ;YAkCF,mBAAmB;IAQjC,OAAO,CAAC,eAAe;IAevB,OAAO,CAAC,oBAAoB;YA8Dd,WAAW;YAkBX,iBAAiB;IAyF/B,OAAO,CAAC,eAAe;YAcT,cAAc;YAoBd,oBAAoB;IA2GlC,OAAO,CAAC,oBAAoB;YAMd,qBAAqB;IAOnC,OAAO,CAAC,eAAe;YAKT,8BAA8B;IA8E5C,OAAO,CAAC,uBAAuB;IAY/B,OAAO,CAAC,kBAAkB;YAiBZ,oBAAoB;YA2DpB,UAAU;IAqClB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAcpC,MAAM,IAAI,IAAI;IASd,OAAO,CAAC,UAAU;IAOlB,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAIzC,qEAAqE;IACrE,oBAAoB,CAAC,OAAO,EAAE,gBAAgB,GAAG,SAAS,GAAG,IAAI;IAQjE,IAAI,SAAU;IACd,OAAO;IACP,MAAM,CAAC,KAAK,EAAE,OAAO;CAGtB;AAED,eAAO,MAAM,UAAU,SAAgB,CAAC"}
+{"version":3,"file":"Auth.web.d.ts","sourceRoot":"","sources":["../../../src/Auth.web.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,IAAI,EACJ,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,UAAU,EAEX,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA4M7D,cAAM,OAAQ,YAAW,IAAI;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqB;IAC7C,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,cAAc,CAAgB;IACtC,OAAO,CAAC,UAAU,CAAgD;IAClE,OAAO,CAAC,eAAe,CAAwC;IAC/D,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,uBAAuB,CAAS;IACxC,OAAO,CAAC,oBAAoB,CAAsB;IAClD,OAAO,CAAC,eAAe,CAAkC;IACzD,OAAO,CAAC,mBAAmB,CAAqB;IAChD,OAAO,CAAC,cAAc,CAAkB;;IAOxC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,sBAAsB;IA0B9B,OAAO,CAAC,4BAA4B;IAOpC,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,iBAAiB;IAsCzB,OAAO,CAAC,SAAS;IAcjB,OAAO,CAAC,SAAS;IAYjB,OAAO,CAAC,WAAW;IAcnB,OAAO,CAAC,2BAA2B;IAgBnC,OAAO,CAAC,0BAA0B;IAYlC,OAAO,CAAC,gBAAgB;IAUxB,OAAO,CAAC,gBAAgB;IAOxB,OAAO,CAAC,aAAa;IAgDrB,OAAO,CAAC,eAAe;IAIvB,IAAI,WAAW,IAAI,QAAQ,GAAG,SAAS,CAEtC;IAED,IAAI,aAAa,IAAI,MAAM,EAAE,CAE5B;IAED,IAAI,eAAe,IAAI,OAAO,CAE7B;IAED,kBAAkB,CAChB,QAAQ,EAAE,CAAC,IAAI,EAAE,QAAQ,GAAG,SAAS,KAAK,IAAI,GAC7C,MAAM,IAAI;IAQb,iBAAiB,CAAC,QAAQ,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,GAAG,MAAM,IAAI;IAOrE,OAAO,CAAC,MAAM;IAMd,OAAO,CAAC,oBAAoB;YAMd,iBAAiB;IAkBzB,KAAK,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCpE,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IA4B9C,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAY7C,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAW7C,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;YAgB3B,mBAAmB;IAsGjC,OAAO,CAAC,QAAQ;YAuDF,mBAAmB;IAiBjC,OAAO,CAAC,eAAe;IAyCvB,OAAO,CAAC,iBAAiB;IAmCzB,OAAO,CAAC,iBAAiB;IASzB,OAAO,CAAC,oBAAoB;YA+Dd,WAAW;IAmGzB,OAAO,CAAC,eAAe;YAcT,cAAc;IAoH5B,OAAO,CAAC,oBAAoB;YAMd,qBAAqB;IAOnC,OAAO,CAAC,eAAe;YAKT,8BAA8B;IA8E5C,OAAO,CAAC,uBAAuB;IAY/B,OAAO,CAAC,kBAAkB;YAiBZ,oBAAoB;YA2DpB,UAAU;IAqClB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAcpC,MAAM,IAAI,IAAI;IASd,OAAO,CAAC,UAAU;IAOlB,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAIzC,qEAAqE;IACrE,oBAAoB,CAAC,OAAO,EAAE,gBAAgB,GAAG,SAAS,GAAG,IAAI;IAQjE,IAAI,SAAU;IACd,OAAO;IACP,MAAM,CAAC,KAAK,EAAE,OAAO;CAGtB;AAED,eAAO,MAAM,UAAU,SAAgB,CAAC"}

package/lib/typescript/module/create-auth-service.d.ts

@@ -0,0 +1,5 @@
+import type { Auth } from "./Auth.nitro";
+type AuthSource = () => Auth;
+export declare function createAuthService(getAuth: AuthSource): Auth;
+export {};
+//# sourceMappingURL=create-auth-service.d.ts.map

package/lib/typescript/module/create-auth-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-auth-service.d.ts","sourceRoot":"","sources":["../../../src/create-auth-service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,IAAI,EAKL,MAAM,cAAc,CAAC;AAGtB,KAAK,UAAU,GAAG,MAAM,IAAI,CAAC;AAiB7B,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,CAsE3D"}

package/lib/typescript/module/service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,IAAI,EAKL,MAAM,cAAc,CAAC;AAUtB,eAAO,MAAM,WAAW,EAAE,IA4FzB,CAAC"}
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAUzC,eAAO,MAAM,WAAW,EAAE,IAAsC,CAAC"}

package/lib/typescript/module/service.web.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"service.web.d.ts","sourceRoot":"","sources":["../../../src/service.web.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,IAAI,EAKL,MAAM,cAAc,CAAC;AAItB,eAAO,MAAM,WAAW,EAAE,IA4FzB,CAAC"}
+{"version":3,"file":"service.web.d.ts","sourceRoot":"","sources":["../../../src/service.web.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAIzC,eAAO,MAAM,WAAW,EAAE,IAA0C,CAAC"}

package/lib/typescript/module/use-auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"use-auth.d.ts","sourceRoot":"","sources":["../../../src/use-auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,UAAU,EACX,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAI/C,KAAK,SAAS,GAAG;IACf,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,SAAS,GAAG,SAAS,CAAC;CAC9B,CAAC;AAwBF,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG;IACtC,eAAe,EAAE,OAAO,CAAC;IACzB,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACzE,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,cAAc,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAClD,YAAY,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,aAAa,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC,CAAC;AAEF,wBAAgB,OAAO,IAAI,aAAa,CA+KvC"}
+{"version":3,"file":"use-auth.d.ts","sourceRoot":"","sources":["../../../src/use-auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,QAAQ,EACR,YAAY,EACZ,YAAY,EACZ,UAAU,EACX,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAQ/C,KAAK,SAAS,GAAG;IACf,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,SAAS,GAAG,SAAS,CAAC;CAC9B,CAAC;AAwBF,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG;IACtC,eAAe,EAAE,OAAO,CAAC;IACzB,KAAK,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACzE,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,aAAa,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,cAAc,EAAE,MAAM,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAClD,YAAY,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC,CAAC;IACxC,aAAa,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC,CAAC;AAEF,wBAAgB,OAAO,IAAI,aAAa,CA+KvC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-nitro-auth",
-  "version": "0.5.8",
+  "version": "0.5.9",
   "description": "High-performance authentication library for React Native with Google Sign-In, Apple Sign-In, and Microsoft Sign-In support, powered by Nitro Modules (JSI)",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",
@@ -17,6 +17,7 @@
     "ios",
     "nitrogen",
     "nitro.json",
+    "CHANGELOG.md",
     "*.podspec",
     "app.plugin.js",
     "!**/__tests__",
@@ -39,6 +40,7 @@
     "test": "jest",
     "test:coverage": "jest --coverage",
     "test:cpp": "node scripts/test-cpp.js",
+    "test:cpp:coverage": "node scripts/test-cpp.js --coverage",
     "prepublishOnly": "bun run clean && bun run codegen && bun run build && bun run typecheck && bun run lint && bun run test && bun run test:cpp",
     "prepack": "bun ../../scripts/sync-package-docs.ts",
     "pack:dry-run": "bun pm pack --dry-run",
@@ -82,13 +84,13 @@
   },
   "devDependencies": {
     "@expo/config-plugins": "^55.0.8",
-    "@react-native/babel-preset": "^0.83.0",
+    "@react-native/babel-preset": "^0.83.6",
     "@testing-library/react": "^16.3.2",
-    "@types/node": "^22.19.11",
+    "@types/node": "^22.19.17",
     "jest-environment-jsdom": "^29.7.0",
     "react": "19.2.0",
-    "react-native": "0.83.4",
-    "react-native-nitro-modules": "^0.35.4",
+    "react-native": "0.83.6",
+    "react-native-nitro-modules": "^0.35.5",
     "react-native-web": "^0.21.2",
     "typescript": "^5.9.3"
   },

package/react-native-nitro-auth.podspec

@@ -19,6 +19,7 @@ Pod::Spec.new do |s|
     "ios/**/*.{h,m,mm,swift}",
     "cpp/**/*.{h,hpp,c,cpp}"
   ]
+  s.exclude_files = "cpp/__tests__/**/*"
 
   s.pod_target_xcconfig = {
     "CLANG_CXX_LANGUAGE_STANDARD" => "c++20",

package/src/Auth.web.ts

@@ -4,6 +4,7 @@ import type {
   AuthProvider,
   LoginOptions,
   AuthTokens,
+  AuthErrorCode,
 } from "./Auth.nitro";
 import type { JSStorageAdapter } from "./js-storage-adapter";
 import { logger } from "./utils/logger";
@@ -23,6 +24,24 @@ const WEB_STORAGE_MODES = new Set([
   STORAGE_MODE_LOCAL,
   STORAGE_MODE_MEMORY,
 ] as const);
+const WEB_AUTH_ERROR_CODES: ReadonlySet<string> = new Set<AuthErrorCode>([
+  "cancelled",
+  "timeout",
+  "popup_blocked",
+  "network_error",
+  "configuration_error",
+  "not_signed_in",
+  "operation_in_progress",
+  "unsupported_provider",
+  "invalid_state",
+  "invalid_nonce",
+  "token_error",
+  "no_id_token",
+  "parse_error",
+  "refresh_failed",
+  "unknown",
+]);
+const JWT_BASE64_URL_RE = /^[A-Za-z0-9_-]+$/;
 const inMemoryWebStorage = new Map<string, string>();
 let _appleSdkLoadPromise: Promise<void> | undefined;
 
@@ -60,7 +79,7 @@ type JsonObject = Record<string, unknown>;
 class AuthWebError extends Error {
   public readonly underlyingError?: string;
 
-  constructor(message: string, underlyingError?: string) {
+  constructor(message: AuthErrorCode, underlyingError?: string) {
     super(message);
     this.name = "AuthWebError";
     this.underlyingError = underlyingError;
@@ -86,7 +105,28 @@ const getOptionalNumber = (
   key: string,
 ): number | undefined => {
   const candidate = source[key];
-  return typeof candidate === "number" ? candidate : undefined;
+  return typeof candidate === "number" && Number.isFinite(candidate)
+    ? candidate
+    : undefined;
+};
+
+const parseExpiresInSeconds = (value: unknown): number | undefined => {
+  const candidate =
+    typeof value === "number"
+      ? value
+      : typeof value === "string" && value.trim().length > 0
+        ? Number(value)
+        : undefined;
+
+  if (
+    typeof candidate !== "number" ||
+    !Number.isFinite(candidate) ||
+    candidate < 0
+  ) {
+    return undefined;
+  }
+
+  return candidate;
 };
 
 const parseAuthUser = (value: unknown): AuthUser | undefined => {
@@ -124,6 +164,9 @@ const parseScopes = (value: unknown): string[] | undefined => {
   return value.filter((scope): scope is string => typeof scope === "string");
 };
 
+const isAuthErrorCode = (value: string): value is AuthErrorCode =>
+  WEB_AUTH_ERROR_CODES.has(value);
+
 const parseAuthWebExtraConfig = (value: unknown): AuthWebExtraConfig => {
   if (!isJsonObject(value)) {
     return {};
@@ -438,29 +481,67 @@ class AuthWeb implements Auth {
   }
 
   private notify() {
-    this._listeners.forEach((l) => {
-      l(this._currentUser);
-    });
+    for (const listener of [...this._listeners]) {
+      listener(this._currentUser);
+    }
+  }
+
+  private notifyTokenListeners(tokens: AuthTokens): void {
+    for (const listener of [...this._tokenListeners]) {
+      listener(tokens);
+    }
+  }
+
+  private async runLoginOperation(
+    operation: () => Promise<void>,
+  ): Promise<void> {
+    if (this._loginInFlight) {
+      throw new AuthWebError(
+        "operation_in_progress",
+        "Another login is already in progress",
+      );
+    }
+
+    this._loginInFlight = true;
+    try {
+      await operation();
+    } finally {
+      this._loginInFlight = false;
+    }
   }
 
   async login(provider: AuthProvider, options?: LoginOptions): Promise<void> {
     const loginHint = options?.loginHint;
     logger.log(`Starting login with ${provider}`, { scopes: options?.scopes });
     try {
-      if (provider === "google") {
-        const scopes = options?.scopes ?? DEFAULT_SCOPES;
-        await this.loginGoogle(scopes, loginHint);
-      } else if (provider === "microsoft") {
-        const scopes = options?.scopes ?? MS_DEFAULT_SCOPES;
-        await this.loginMicrosoft(
-          scopes,
-          loginHint,
-          options?.tenant,
-          options?.prompt,
+      await this.runLoginOperation(async () => {
+        if (provider === "google") {
+          const scopes = options?.scopes ?? DEFAULT_SCOPES;
+          await this.loginGoogle(scopes, loginHint);
+          return;
+        }
+
+        if (provider === "microsoft") {
+          const scopes = options?.scopes ?? MS_DEFAULT_SCOPES;
+          await this.loginMicrosoft(
+            scopes,
+            loginHint,
+            options?.tenant,
+            options?.prompt,
+          );
+          return;
+        }
+
+        if (provider === "apple") {
+          await this.loginApple();
+          return;
+        }
+
+        throw new AuthWebError(
+          "unsupported_provider",
+          `Unsupported auth provider: ${provider}`,
         );
-      } else {
-        await this.loginApple();
-      }
+      });
       logger.log(`Login successful with ${provider}`);
     } catch (e: unknown) {
       const error = this.mapError(e);
@@ -482,11 +563,14 @@ class AuthWeb implements Auth {
     logger.log("Requesting additional scopes:", scopes);
     const newScopes = [...new Set([...this._grantedScopes, ...scopes])];
     try {
-      if (provider === "google") {
-        await this.loginGoogle(newScopes);
-      } else {
+      await this.runLoginOperation(async () => {
+        if (provider === "google") {
+          await this.loginGoogle(newScopes);
+          return;
+        }
+
         await this.loginMicrosoft(newScopes);
-      }
+      });
     } catch (e) {
       const error = this.mapError(e);
       logger.error("Requesting scopes failed:", error.message);
@@ -573,7 +657,8 @@ class AuthWeb implements Auth {
 
       const json = await this.parseResponseObject(response);
       if (!response.ok) {
-        throw new Error(
+        throw new AuthWebError(
+          "refresh_failed",
           getOptionalString(json, "error_description") ??
             getOptionalString(json, "error") ??
             "Token refresh failed",
@@ -583,16 +668,12 @@ class AuthWeb implements Auth {
       const idToken = getOptionalString(json, "id_token");
       const accessToken = getOptionalString(json, "access_token");
       const newRefreshToken = getOptionalString(json, "refresh_token");
-      const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
       if (newRefreshToken) {
         this.saveRefreshToken(newRefreshToken);
       }
 
-      const expirationTime =
-        typeof expiresInSeconds === "number"
-          ? Date.now() + expiresInSeconds * 1000
-          : undefined;
+      const expirationTime = this.getExpirationTime(json["expires_in"]);
 
       const effectiveIdToken = idToken ?? this._currentUser.idToken;
       const claims = effectiveIdToken
@@ -614,9 +695,7 @@ class AuthWeb implements Auth {
         refreshToken: newRefreshToken ?? undefined,
         expirationTime,
       };
-      this._tokenListeners.forEach((l) => {
-        l(tokens);
-      });
+      this.notifyTokenListeners(tokens);
       return tokens;
     }
 
@@ -636,18 +715,22 @@ class AuthWeb implements Auth {
       refreshToken: this._currentUser.refreshToken,
       expirationTime: this._currentUser.expirationTime,
     };
-    this._tokenListeners.forEach((l) => {
-      l(tokens);
-    });
+    this.notifyTokenListeners(tokens);
     return tokens;
   }
 
   private mapError(error: unknown): Error {
+    if (error instanceof AuthWebError) {
+      return error;
+    }
+
     const rawMessage = error instanceof Error ? error.message : String(error);
     const msg = rawMessage.toLowerCase();
-    let mappedMsg = rawMessage;
+    let mappedMsg: AuthErrorCode = "unknown";
 
-    if (msg.includes("cancel") || msg.includes("popup_closed")) {
+    if (isAuthErrorCode(rawMessage)) {
+      mappedMsg = rawMessage;
+    } else if (msg.includes("cancel") || msg.includes("popup_closed")) {
       mappedMsg = "cancelled";
     } else if (msg.includes("access_denied")) {
       mappedMsg = "cancelled";
@@ -655,6 +738,21 @@ class AuthWeb implements Auth {
       mappedMsg = "timeout";
     } else if (msg.includes("popup blocked")) {
       mappedMsg = "popup_blocked";
+    } else if (msg.includes("login is already in progress")) {
+      mappedMsg = "operation_in_progress";
+    } else if (msg.includes("state mismatch")) {
+      mappedMsg = "invalid_state";
+    } else if (msg.includes("nonce mismatch")) {
+      mappedMsg = "invalid_nonce";
+    } else if (msg.includes("no id_token") || msg.includes("no_id_token")) {
+      mappedMsg = "no_id_token";
+    } else if (msg.includes("invalid jwt") || msg.includes("json")) {
+      mappedMsg = "parse_error";
+    } else if (
+      msg.includes("no user logged in") ||
+      msg.includes("not signed in")
+    ) {
+      mappedMsg = "not_signed_in";
     } else if (
       msg.includes("network") ||
       msg.includes("server_error") ||
@@ -677,26 +775,105 @@ class AuthWeb implements Auth {
   }
 
   private async parseResponseObject(response: Response): Promise<JsonObject> {
-    const parsed: unknown = await response.json();
+    let parsed: unknown;
+    try {
+      parsed = await response.json();
+    } catch (error) {
+      throw new AuthWebError("parse_error", String(error));
+    }
+
     if (!isJsonObject(parsed)) {
-      throw new Error("Expected JSON object response from auth provider");
+      throw new AuthWebError(
+        "parse_error",
+        "Expected JSON object response from auth provider",
+      );
     }
     return parsed;
   }
 
   private parseJwtPayload(token: string): JsonObject {
-    const payload = token.split(".")[1];
-    if (!payload) {
-      throw new Error("Invalid JWT payload");
+    const parts = token.split(".");
+    const payload = parts[1];
+    if (
+      parts.length < 2 ||
+      !payload ||
+      payload.length % 4 === 1 ||
+      !JWT_BASE64_URL_RE.test(payload)
+    ) {
+      throw new AuthWebError("parse_error", "Invalid JWT payload");
+    }
+
+    try {
+      const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
+      const padding = "=".repeat((4 - (normalizedPayload.length % 4)) % 4);
+      const binary = atob(`${normalizedPayload}${padding}`);
+      const decodedText =
+        typeof TextDecoder === "function"
+          ? new TextDecoder().decode(
+              Uint8Array.from(binary, (char) => char.charCodeAt(0)),
+            )
+          : decodeURIComponent(
+              Array.from(
+                binary,
+                (char) =>
+                  `%${char.charCodeAt(0).toString(16).padStart(2, "0")}`,
+              ).join(""),
+            );
+      const decoded: unknown = JSON.parse(decodedText);
+      if (!isJsonObject(decoded)) {
+        throw new Error("Expected JWT payload to be an object");
+      }
+      return decoded;
+    } catch (error) {
+      if (error instanceof AuthWebError) {
+        throw error;
+      }
+      throw new AuthWebError("parse_error", String(error));
+    }
+  }
+
+  private mapOAuthErrorCode(error: string): AuthErrorCode {
+    const normalizedError = error.trim().toLowerCase();
+    if (
+      normalizedError === "access_denied" ||
+      normalizedError === "popup_closed_by_user" ||
+      normalizedError === "user_cancelled"
+    ) {
+      return "cancelled";
+    }
+
+    if (
+      normalizedError === "server_error" ||
+      normalizedError === "temporarily_unavailable"
+    ) {
+      return "network_error";
+    }
+
+    if (
+      normalizedError === "invalid_client" ||
+      normalizedError === "invalid_scope" ||
+      normalizedError === "unauthorized_client"
+    ) {
+      return "configuration_error";
     }
 
-    const normalizedPayload = payload.replace(/-/g, "+").replace(/_/g, "/");
-    const padding = "=".repeat((4 - (normalizedPayload.length % 4)) % 4);
-    const decoded: unknown = JSON.parse(atob(`${normalizedPayload}${padding}`));
-    if (!isJsonObject(decoded)) {
-      throw new Error("Expected JWT payload to be an object");
+    if (
+      normalizedError === "invalid_grant" ||
+      normalizedError === "invalid_token"
+    ) {
+      return "token_error";
     }
-    return decoded;
+
+    return "unknown";
+  }
+
+  private getExpirationTime(expiresIn: unknown): number | undefined {
+    const expiresInSeconds = parseExpiresInSeconds(expiresIn);
+    if (expiresInSeconds === undefined) {
+      return undefined;
+    }
+
+    return Date.now() + expiresInSeconds * 1000;
   }
 
   private waitForPopupRedirect(
@@ -750,7 +927,8 @@ class AuthWeb implements Auth {
         }
 
         cleanup(intervalId, timeoutId, true);
-        void Promise.resolve(onRedirect(url))
+        void Promise.resolve()
+          .then(() => onRedirect(url))
           .then(() => {
             resolve();
           })
@@ -764,24 +942,6 @@ class AuthWeb implements Auth {
   private async loginGoogle(
     scopes: string[],
     loginHint?: string,
-  ): Promise<void> {
-    if (this._loginInFlight) {
-      throw new AuthWebError(
-        "cancelled",
-        "Another login is already in progress",
-      );
-    }
-    this._loginInFlight = true;
-    try {
-      await this._loginGoogleInner(scopes, loginHint);
-    } finally {
-      this._loginInFlight = false;
-    }
-  }
-
-  private async _loginGoogleInner(
-    scopes: string[],
-    loginHint?: string,
   ): Promise<void> {
     const clientId = this._config.googleWebClientId;
 
@@ -831,15 +991,27 @@ class AuthWeb implements Auth {
         const accessToken = params.get("access_token");
         const expiresIn = params.get("expires_in");
         const code = params.get("code");
+        const error = params.get("error");
+        const errorDescription = params.get("error_description");
+
+        if (error) {
+          throw new AuthWebError(
+            this.mapOAuthErrorCode(error),
+            errorDescription ?? error,
+          );
+        }
 
         if (!idToken) {
-          throw new Error("No id_token in response");
+          throw new AuthWebError("no_id_token", "No id_token in response");
         }
 
         const decoded = this.parseJwtPayload(idToken);
         if (decoded["nonce"] !== this._pendingGoogleNonce) {
           this._pendingGoogleNonce = undefined;
-          throw new Error("Nonce mismatch - possible replay attack");
+          throw new AuthWebError(
+            "invalid_nonce",
+            "Nonce mismatch - possible replay attack",
+          );
         }
         this._pendingGoogleNonce = undefined;
 
@@ -852,9 +1024,7 @@ class AuthWeb implements Auth {
           accessToken: accessToken ?? undefined,
           serverAuthCode: code ?? undefined,
           scopes,
-          expirationTime: expiresIn
-            ? Date.now() + parseInt(expiresIn, 10) * 1000
-            : undefined,
+          expirationTime: this.getExpirationTime(expiresIn),
           ...this.decodeGoogleJwt(idToken),
         };
         this.updateUser(user);
@@ -887,26 +1057,6 @@ class AuthWeb implements Auth {
     loginHint?: string,
     tenant?: string,
     prompt?: string,
-  ): Promise<void> {
-    if (this._loginInFlight) {
-      throw new AuthWebError(
-        "cancelled",
-        "Another login is already in progress",
-      );
-    }
-    this._loginInFlight = true;
-    try {
-      await this._loginMicrosoftInner(scopes, loginHint, tenant, prompt);
-    } finally {
-      this._loginInFlight = false;
-    }
-  }
-
-  private async _loginMicrosoftInner(
-    scopes: string[],
-    loginHint?: string,
-    tenant?: string,
-    prompt?: string,
   ): Promise<void> {
     const clientId = this._config.microsoftClientId;
 
@@ -978,15 +1128,24 @@ class AuthWeb implements Auth {
           const errorDescription = urlObj.searchParams.get("error_description");
 
           if (error) {
-            throw new Error(errorDescription ?? error);
+            throw new AuthWebError(
+              this.mapOAuthErrorCode(error),
+              errorDescription ?? error,
+            );
           }
 
           if (returnedState !== state) {
-            throw new Error("State mismatch - possible CSRF attack");
+            throw new AuthWebError(
+              "invalid_state",
+              "State mismatch - possible CSRF attack",
+            );
           }
 
           if (!code) {
-            throw new Error("No authorization code in response");
+            throw new AuthWebError(
+              "token_error",
+              "No authorization code in response",
+            );
           }
 
           await this.exchangeMicrosoftCodeForTokens(
@@ -1061,7 +1220,8 @@ class AuthWeb implements Auth {
     const json = await this.parseResponseObject(response);
 
     if (!response.ok) {
-      throw new Error(
+      throw new AuthWebError(
+        "token_error",
         getOptionalString(json, "error_description") ??
           getOptionalString(json, "error") ??
           "Token exchange failed",
@@ -1070,18 +1230,20 @@ class AuthWeb implements Auth {
 
     const idToken = getOptionalString(json, "id_token");
     if (!idToken) {
-      throw new Error("No id_token in token response");
+      throw new AuthWebError("no_id_token", "No id_token in token response");
     }
 
     const claims = this.decodeMicrosoftJwt(idToken);
     const payload = this.parseJwtPayload(idToken);
     if (getOptionalString(payload, "nonce") !== expectedNonce) {
-      throw new Error("Nonce mismatch - token may be replayed");
+      throw new AuthWebError(
+        "invalid_nonce",
+        "Nonce mismatch - token may be replayed",
+      );
     }
 
     const accessToken = getOptionalString(json, "access_token");
     const refreshToken = getOptionalString(json, "refresh_token");
-    const expiresInSeconds = getOptionalNumber(json, "expires_in");
 
     if (refreshToken) {
       this.saveRefreshToken(refreshToken);
@@ -1096,10 +1258,7 @@ class AuthWeb implements Auth {
       accessToken: accessToken ?? undefined,
       refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime:
-        typeof expiresInSeconds === "number"
-          ? Date.now() + expiresInSeconds * 1000
-          : undefined,
+      expirationTime: this.getExpirationTime(json["expires_in"]),
       ...claims,
     };
     this.updateUser(user);