react-native-nitro-auth 0.6.2 → 0.6.4

package/CHANGELOG.md

@@ -1,6 +1,20 @@
 # Changelog
 
-## 0.6.2 - 2026-06-07
+## 0.6.4 - 2026-06-11
+
+### Added
+
+- Added a modern `exports` map with `react-native`, `browser`, `import`, and `require` conditions plus explicit `./app.plugin`, `./app.plugin.js`, and `./package.json` subpaths, so bundlers and Node resolve the package deterministically.
+
+### Changed
+
+- Strengthened the package TypeScript configuration (`exactOptionalPropertyTypes`, `noUncheckedIndexedAccess`, `noImplicitOverride`, `noImplicitReturns`, `noFallthroughCasesInSwitch`, `useUnknownInCatchVariables`) so editor and tooling diagnostics catch more mistakes at compile time.
+
+### Fixed
+
+- Encoded iOS Microsoft token request bodies as form data so authorization codes, redirect URIs, and refresh tokens containing reserved characters are posted correctly.
+
+## 0.6.3 - 2026-06-10
 
 ### Fixed
 
@@ -8,26 +22,20 @@
 
 ### Changed
 
-- Updated the Expo example SDK 56 patch dependencies so Expo Doctor passes cleanly.
+- Updated README setup, provider examples, option tables, error codes, and typed API documentation to match the current package surface.
+- Added stronger compile-time coverage for provider-specific login options used by `AuthService.login()` and `useAuth().login()`.
 
 ## 0.6.1 - 2026-05-21
 
 ### Changed
 
-- Updated the package and Expo example baseline to Expo SDK 56, React Native 0.85.3, React 19.2.3, TypeScript 6.0.3, Nitro Modules 0.35.7, and nitrogen 0.35.7.
+- Updated the package baseline to Expo SDK 56, React Native 0.85.3, React 19.2.3, TypeScript 6.0.3, Nitro Modules 0.35.7, and nitrogen 0.35.7.
 - Raised the iOS deployment target to 16.4 for SDK 56 compatibility.
-- Added release preflight checks for Expo dependency validation, Expo Doctor, config introspection, package build, tests, C++ tests, and publish dry run.
-- Simplified the example app by keeping provider-specific advanced options collapsed by default.
-- Updated README badges, setup commands, release checks, and typed API examples to match the 0.6.1 package state.
 - Added compile-time coverage for provider-specific login option types.
-- Added CI setup and versioned tool detection for LLVM C++ coverage tools.
-- Added a CI-safe release preflight mode that skips unauthenticated npm publish dry runs while keeping local publish dry runs intact.
 
 ### Fixed
 
 - Retained the active iOS Apple Sign-In controller until completion to avoid premature native lifecycle cleanup.
-- Removed the example app's import-time native logging side effect.
-- Removed Turbo cache-output warnings from lint and typecheck tasks.
 
 ## 0.6.0 - 2026-05-14
 
@@ -37,7 +45,7 @@
 - Added Apple nonce and authorization-code/user-id result support.
 - Added Microsoft tenant and prompt option coverage across native and web flows.
 - Added `revokeAccess()` to the native/web auth API and `useAuth()` hook.
-- Added native logging hooks and platform-gated example controls for supported provider options only.
+- Added native logging hooks.
 - Added provider-specific TypeScript option types for `AuthService.login()` and `useAuth().login()`.
 
 ### Changed
@@ -48,86 +56,36 @@
 
 ### Fixed
 
-- Fixed Android Metro watcher noise from transient Bun `node_modules/.old-*` directories in the example app.
 - Fixed Android Google cancellation handling so cancellations are not reported as unknown failures.
 - Fixed native session cleanup paths to reject pending work before clearing provider state.
 
 ## 0.5.12 - 2026-05-13
 
-### Changed
-
-- Updated the Expo example to the current SDK 55 recommended `expo`, `expo-build-properties`, and `expo-system-ui` patch ranges.
-
 ### Fixed
 
-- Fixed the Android example launcher icon by adding an adaptive icon foreground and dark brand background.
 - Normalized web `SocialButton` and native login failures so presentation-anchor and missing-code errors surface as stable `AuthError` codes.
 - Shipped package-level Watchman ignores for Android CMake cache output so consumers avoid noisy native build watcher events.
 
 ## 0.5.11 - 2026-05-05
 
-### Changed
-
-- Updated the Expo example to the Expo SDK 55 recommended `expo@~55.0.23` patch and Android API 36 target.
-
 ### Fixed
 
 - Wrapped synchronous native service failures in `AuthError` so public service errors keep a consistent code contract.
 
-### Verified
-
-- `bun install --frozen-lockfile`
-- `bunx expo install --check --cwd apps/example`
-- `bunx expo-doctor@latest apps/example`
-- `bun run check:ci`
-- `bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand`
-- `bun run --cwd packages/react-native-nitro-auth test:cpp:coverage`
-- `bun run example:prebuild`
-- `bun run publish-package:dry-run`
-
 ## 0.5.10 - 2026-04-27
 
 ### Fixed
 
 - Fixed iOS Microsoft sign-in so `ASWebAuthenticationSession` is retained until callback or cancellation and duplicate sessions fail with `operation_in_progress`.
-- Fixed the example app header so it displays the current package version.
-
-### Verified
-
-- `bun run check:ci`
-- `bunx expo install --check --cwd apps/example`
-- `bunx expo-doctor@latest apps/example`
-- `bun run example:prebuild`
-- `bun run publish-package:dry-run`
 
 ## 0.5.9 - 2026-04-24
 
-### Added
-
-- Added shared JS service factory coverage and logger behavior tests.
-- Added C++ coverage support with `test:cpp:coverage` and expanded native tests for session restore, token refresh, access-token fallback, scope updates, listener isolation, logout cancellation, and serializer behavior.
-- Added example-app smoke checks for the public auth API, provider support, platform-gated behavior, and session-dependent methods.
-
 ### Changed
 
-- Updated Expo SDK 55 patch dependencies, React Native 0.83.6, Nitro Modules 0.35.5, and related build tooling.
+- Updated Expo SDK 55 patch dependencies, React Native 0.83.6, and Nitro Modules 0.35.5.
 - Refactored native/web `AuthService` creation so native and web error mapping stay consistent.
 - Hardened web OAuth state, cache parsing, token refresh, and provider error handling.
-- Improved example app handling for unsupported providers and unavailable session actions.
-- Improved release validation to include JS and C++ coverage gates and a faster publish dry run path.
 
 ### Fixed
 
-- Fixed native runtime crashes in the example app when optional Nitro methods are not available on the installed native object.
-- Fixed startup `silentRestore()` errors in the example app so restore failures surface in status instead of becoming unhandled promises.
 - Excluded C++ test sources from the iOS pod target to avoid app-target duplicate `main` symbols.
-
-### Verified
-
-- `bun run check:ci`
-- `bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand`
-- `bun run --cwd packages/react-native-nitro-auth test:cpp:coverage`
-- `bun run publish-package:dry-run`
-- `bun run example:prebuild`
-- `bun run example:android`
-- `bun run example:ios`

package/README.md

@@ -1,10 +1,13 @@
 # react-native-nitro-auth
 
 [![npm version](https://img.shields.io/npm/v/react-native-nitro-auth?color=f97316&label=npm)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![npm downloads](https://img.shields.io/npm/dm/react-native-nitro-auth?color=22c55e&label=downloads)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![CI](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/actions/workflows/ci.yml/badge.svg)](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/actions/workflows/ci.yml)
 [![license](https://img.shields.io/npm/l/react-native-nitro-auth?color=007ec6)](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/blob/main/LICENSE)
 [![React Native](https://img.shields.io/badge/react--native-%3E%3D0.75-61dafb)](https://reactnative.dev/)
-[![Expo](https://img.shields.io/badge/expo-SDK%2056-000020)](https://expo.dev/)
+[![Expo](https://img.shields.io/badge/expo-SDK%2056-000020)](https://docs.expo.dev/)
 [![Nitro Modules](https://img.shields.io/badge/nitro--modules-%3E%3D0.35.7-black)](https://nitro.margelo.com/)
+[![TypeScript](https://img.shields.io/badge/typescript-6.0-3178c6)](https://www.typescriptlang.org/)
 
 Google Sign-In, Apple Sign-In, and Microsoft Entra ID for React Native and
 Expo, powered by Nitro Modules.
@@ -113,15 +116,21 @@ path such as `contoso.onmicrosoft.com/B2C_1_signin`.
 ## Quick Start
 
 ```tsx
-import { AuthService, AuthProvider, useAuth } from "react-native-nitro-auth";
+import {
+  AuthService,
+  useAuth,
+  type ProviderLoginOptions,
+} from "react-native-nitro-auth";
 
 export function SignInButton() {
-  const { user, login, logout, loading, error } = useAuth();
+  const { user, login, logout } = useAuth();
 
   async function signInWithGoogle() {
-    await login(AuthProvider.Google, {
+    const options: ProviderLoginOptions<"google"> = {
       scopes: ["openid", "profile", "email"],
-    });
+    };
+
+    await login("google", options);
   }
 
   if (user) {
@@ -131,8 +140,9 @@ export function SignInButton() {
   return <Button title="Continue with Google" onPress={signInWithGoogle} />;
 }
 
-await AuthService.login(AuthProvider.Microsoft, {
+await AuthService.login("microsoft", {
   tenant: "organizations",
+  prompt: "select_account",
 });
 ```
 
@@ -155,12 +165,39 @@ Main exports:
 - `useAuth()` for React state, login, logout, refresh, and listeners.
 - `AuthService` for imperative login, refresh, logout, and user reads.
 - `SocialButton` for provider-aware UI.
-- `AuthProvider` for Google, Apple, and Microsoft provider names.
+- `AuthProvider` for the `"google"`, `"apple"`, and `"microsoft"` provider names.
 - `AuthError` and `AuthErrorCode` for deterministic failures.
 - Provider option types for strongly typed login calls.
 
-Login options include `scopes`, `loginHint`, `accountId`, `forceRefresh`,
-`nonce`, `state`, `tenant`, `prompt`, and provider-specific fields.
+Provider-aware login calls reject unsupported option fields at compile time:
+
+```ts
+import type {
+  ProviderLoginOptions,
+  MicrosoftLoginOptions,
+} from "react-native-nitro-auth";
+
+const googleOptions: ProviderLoginOptions<"google"> = {
+  scopes: ["openid", "email"],
+  hostedDomain: "company.com",
+  forceAccountPicker: true,
+};
+
+const microsoftOptions: MicrosoftLoginOptions = {
+  tenant: "organizations",
+  prompt: "select_account",
+};
+```
+
+Supported login options:
+
+| Provider  | Options                                                                                                                                                                                                 |
+| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Google    | `scopes`, `loginHint`, `nonce`, `forceAccountPicker`, `hostedDomain`, `useSheet`, `openIDRealm`, `useOneTap`, `filterByAuthorizedAccounts`, `useLegacyGoogleSignIn`, `forceCodeForRefreshToken`, `requestVerifiedPhoneNumber` |
+| Apple     | `scopes`, `nonce`                                                                                                                                                                                       |
+| Microsoft | `scopes`, `loginHint`, `tenant`, `prompt`                                                                                                                                                               |
+
+`prompt` is typed as `"login"`, `"consent"`, `"select_account"`, or `"none"`.
 
 ## Storage Model
 
@@ -174,8 +211,10 @@ server.
 Async public APIs throw `AuthError` with a stable `code`, `provider`, `platform`,
 and `message`. Use `instanceof AuthError` when branching in UI code.
 
-Common codes include `cancelled`, `configuration_error`, `network_error`,
-`provider_unavailable`, `token_refresh_failed`, and `unknown`.
+Error codes are `cancelled`, `timeout`, `popup_blocked`, `network_error`,
+`configuration_error`, `not_signed_in`, `operation_in_progress`,
+`unsupported_provider`, `invalid_state`, `invalid_nonce`, `token_error`,
+`no_id_token`, `parse_error`, `refresh_failed`, and `unknown`.
 
 ## Platform Support
 

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -47,7 +47,6 @@ object AuthAdapter {
     private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var lifecycleCallbacks: Application.ActivityLifecycleCallbacks? = null
-    private var pendingScopes: List<String> = emptyList()
     private var pendingMicrosoftScopes: List<String> = emptyList()
 
     @Volatile
@@ -212,7 +211,6 @@ object AuthAdapter {
         }
 
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
-        pendingScopes = requestedScopes
 
         if (useLegacyGoogleSignIn || forceAccountPicker) {
             loginLegacy(context, clientId, requestedScopes, loginHint, forceAccountPicker, forceCodeForRefreshToken, hostedDomain, "login")
@@ -727,7 +725,7 @@ object AuthAdapter {
         val ctx = appContext ?: context.applicationContext
         val account = GoogleSignIn.getLastSignedInAccount(ctx)
         if (account != null) {
-            if (googleSignInClient == null) {
+            val client = googleSignInClient ?: run {
                 val clientId = getClientIdFromResources(ctx)
                 if (clientId == null) {
                     nativeOnRefreshError("configuration_error", "Google Client ID not configured")
@@ -738,9 +736,11 @@ object AuthAdapter {
                     .requestServerAuthCode(clientId)
                     .requestEmail()
                     .build()
-                googleSignInClient = GoogleSignIn.getClient(ctx, gso)
+                GoogleSignIn.getClient(ctx, gso).also {
+                    googleSignInClient = it
+                }
             }
-            googleSignInClient!!.silentSignIn().addOnCompleteListener { task ->
+            client.silentSignIn().addOnCompleteListener { task ->
                 if (task.isSuccessful) {
                     val acc = task.result
                     nativeOnRefreshSuccess(acc?.idToken, null, getJwtExpirationTimeMs(acc?.idToken))

package/ios/AuthAdapter.swift

@@ -292,6 +292,21 @@ public class AuthAdapter: NSObject {
       .replacingOccurrences(of: "/", with: "_")
       .replacingOccurrences(of: "=", with: "")
   }
+
+  private static let formUrlEncodedAllowedCharacters = CharacterSet(
+    charactersIn: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
+  )
+
+  private static func formUrlEncodedBody(_ params: [String: String]) -> Data? {
+    params
+      .map { key, value in
+        let encodedKey = key.addingPercentEncoding(withAllowedCharacters: formUrlEncodedAllowedCharacters) ?? key
+        let encodedValue = value.addingPercentEncoding(withAllowedCharacters: formUrlEncodedAllowedCharacters) ?? value
+        return "\(encodedKey)=\(encodedValue)"
+      }
+      .joined(separator: "&")
+      .data(using: .utf8)
+  }
   
   private static func exchangeCodeForTokens(
     code: String,
@@ -322,10 +337,7 @@ public class AuthAdapter: NSObject {
       "code_verifier": codeVerifier
     ]
     
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
@@ -606,10 +618,7 @@ public class AuthAdapter: NSObject {
       "refresh_token": refreshToken
     ]
     
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
@@ -692,10 +701,7 @@ public class AuthAdapter: NSObject {
       "grant_type": "refresh_token",
       "refresh_token": refreshToken
     ]
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
         if error != nil {

package/lib/commonjs/Auth.web.js

@@ -43,6 +43,18 @@ const getOptionalNumber = (source, key) => {
   const candidate = source[key];
   return typeof candidate === "number" && Number.isFinite(candidate) ? candidate : undefined;
 };
+function setIfDefined(target, key, value) {
+  if (value !== undefined) {
+    target[key] = value;
+  }
+}
+function setOrDelete(target, key, value) {
+  if (value === undefined) {
+    delete target[key];
+    return;
+  }
+  target[key] = value;
+}
 const parseExpiresInSeconds = value => {
   const candidate = typeof value === "number" ? value : typeof value === "string" && value.trim().length > 0 ? Number(value) : undefined;
   if (typeof candidate !== "number" || !Number.isFinite(candidate) || candidate < 0) {
@@ -56,19 +68,20 @@ const parseAuthUser = value => {
   }
   const scopesCandidate = value.scopes;
   const scopes = Array.isArray(scopesCandidate) ? scopesCandidate.filter(scope => typeof scope === "string") : undefined;
-  return {
-    provider: value.provider,
-    email: getOptionalString(value, "email"),
-    name: getOptionalString(value, "name"),
-    photo: getOptionalString(value, "photo"),
-    idToken: getOptionalString(value, "idToken"),
-    accessToken: getOptionalString(value, "accessToken"),
-    refreshToken: getOptionalString(value, "refreshToken"),
-    serverAuthCode: getOptionalString(value, "serverAuthCode"),
-    scopes,
-    expirationTime: getOptionalNumber(value, "expirationTime"),
-    underlyingError: getOptionalString(value, "underlyingError")
+  const user = {
+    provider: value.provider
   };
+  setIfDefined(user, "email", getOptionalString(value, "email"));
+  setIfDefined(user, "name", getOptionalString(value, "name"));
+  setIfDefined(user, "photo", getOptionalString(value, "photo"));
+  setIfDefined(user, "idToken", getOptionalString(value, "idToken"));
+  setIfDefined(user, "accessToken", getOptionalString(value, "accessToken"));
+  setIfDefined(user, "refreshToken", getOptionalString(value, "refreshToken"));
+  setIfDefined(user, "serverAuthCode", getOptionalString(value, "serverAuthCode"));
+  setIfDefined(user, "scopes", scopes);
+  setIfDefined(user, "expirationTime", getOptionalNumber(value, "expirationTime"));
+  setIfDefined(user, "underlyingError", getOptionalString(value, "underlyingError"));
+  return user;
 };
 const parseScopes = value => {
   if (!Array.isArray(value)) {
@@ -83,15 +96,15 @@ const parseAuthWebExtraConfig = value => {
   }
   const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
   const nitroAuthWebStorage = nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION || nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL || nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY ? nitroAuthWebStorageCandidate : undefined;
-  return {
-    googleWebClientId: getOptionalString(value, "googleWebClientId"),
-    microsoftClientId: getOptionalString(value, "microsoftClientId"),
-    microsoftTenant: getOptionalString(value, "microsoftTenant"),
-    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
-    appleWebClientId: getOptionalString(value, "appleWebClientId"),
-    nitroAuthWebStorage,
-    nitroAuthPersistTokensOnWeb: typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined
-  };
+  const config = {};
+  setIfDefined(config, "googleWebClientId", getOptionalString(value, "googleWebClientId"));
+  setIfDefined(config, "microsoftClientId", getOptionalString(value, "microsoftClientId"));
+  setIfDefined(config, "microsoftTenant", getOptionalString(value, "microsoftTenant"));
+  setIfDefined(config, "microsoftB2cDomain", getOptionalString(value, "microsoftB2cDomain"));
+  setIfDefined(config, "appleWebClientId", getOptionalString(value, "appleWebClientId"));
+  setIfDefined(config, "nitroAuthWebStorage", nitroAuthWebStorage);
+  setIfDefined(config, "nitroAuthPersistTokensOnWeb", typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined);
+  return config;
 };
 const getConfig = () => {
   try {
@@ -507,19 +520,18 @@ class AuthWeb {
       const claims = effectiveIdToken ? this.decodeMicrosoftJwt(effectiveIdToken) : {};
       const user = {
         ...currentUser,
-        idToken: effectiveIdToken,
-        accessToken: accessToken ?? undefined,
-        refreshToken: newRefreshToken ?? currentUser.refreshToken,
-        expirationTime,
         ...claims
       };
+      setOrDelete(user, "idToken", effectiveIdToken);
+      setOrDelete(user, "accessToken", accessToken);
+      setOrDelete(user, "refreshToken", newRefreshToken ?? currentUser.refreshToken);
+      setOrDelete(user, "expirationTime", expirationTime);
       this.updateUser(user);
-      const tokens = {
-        accessToken: accessToken ?? undefined,
-        idToken: effectiveIdToken,
-        refreshToken: newRefreshToken ?? undefined,
-        expirationTime
-      };
+      const tokens = {};
+      setIfDefined(tokens, "accessToken", accessToken);
+      setIfDefined(tokens, "idToken", effectiveIdToken);
+      setIfDefined(tokens, "refreshToken", newRefreshToken);
+      setIfDefined(tokens, "expirationTime", expirationTime);
       this.notifyTokenListeners(tokens);
       return tokens;
     }
@@ -529,12 +541,11 @@ class AuthWeb {
     _logger.logger.log("Refreshing tokens...");
     await this.runLoginOperation(() => this.loginGoogle(this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES, undefined, undefined, generation));
     this.assertActiveGeneration(generation);
-    const tokens = {
-      accessToken: this._currentUser.accessToken,
-      idToken: this._currentUser.idToken,
-      refreshToken: this._currentUser.refreshToken,
-      expirationTime: this._currentUser.expirationTime
-    };
+    const tokens = {};
+    setIfDefined(tokens, "accessToken", this._currentUser.accessToken);
+    setIfDefined(tokens, "idToken", this._currentUser.idToken);
+    setIfDefined(tokens, "refreshToken", this._currentUser.refreshToken);
+    setIfDefined(tokens, "expirationTime", this._currentUser.expirationTime);
     this.notifyTokenListeners(tokens);
     return tokens;
   }
@@ -742,14 +753,14 @@ class AuthWeb {
         const user = {
           provider: "google",
           idToken,
-          accessToken: accessToken ?? undefined,
-          serverAuthCode: code ?? undefined,
-          userId: getOptionalString(decoded, "sub"),
-          hostedDomain: getOptionalString(decoded, "hd"),
           scopes,
-          expirationTime: this.getExpirationTime(expiresIn),
           ...this.decodeGoogleJwt(idToken)
         };
+        setIfDefined(user, "accessToken", accessToken ?? undefined);
+        setIfDefined(user, "serverAuthCode", code ?? undefined);
+        setIfDefined(user, "userId", getOptionalString(decoded, "sub"));
+        setIfDefined(user, "hostedDomain", getOptionalString(decoded, "hd"));
+        setIfDefined(user, "expirationTime", this.getExpirationTime(expiresIn));
         this.updateUser(user);
       }).then(() => {
         resolve();
@@ -761,13 +772,13 @@ class AuthWeb {
   decodeGoogleJwt(token) {
     try {
       const decoded = this.parseJwtPayload(token);
-      return {
-        email: getOptionalString(decoded, "email"),
-        name: getOptionalString(decoded, "name"),
-        photo: getOptionalString(decoded, "picture"),
-        userId: getOptionalString(decoded, "sub"),
-        hostedDomain: getOptionalString(decoded, "hd")
-      };
+      const user = {};
+      setIfDefined(user, "email", getOptionalString(decoded, "email"));
+      setIfDefined(user, "name", getOptionalString(decoded, "name"));
+      setIfDefined(user, "photo", getOptionalString(decoded, "picture"));
+      setIfDefined(user, "userId", getOptionalString(decoded, "sub"));
+      setIfDefined(user, "hostedDomain", getOptionalString(decoded, "hd"));
+      return user;
     } catch (error) {
       _logger.logger.warn("Failed to decode Google ID token", {
         error: String(error)
@@ -894,12 +905,12 @@ class AuthWeb {
     const user = {
       provider: "microsoft",
       idToken,
-      accessToken: accessToken ?? undefined,
-      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: this.getExpirationTime(json["expires_in"]),
       ...claims
     };
+    setIfDefined(user, "accessToken", accessToken);
+    setIfDefined(user, "refreshToken", refreshToken);
+    setIfDefined(user, "expirationTime", this.getExpirationTime(json["expires_in"]));
     this.updateUser(user);
   }
   getMicrosoftAuthBaseUrl(tenant, b2cDomain) {
@@ -940,10 +951,10 @@ class AuthWeb {
   decodeMicrosoftJwt(token) {
     try {
       const decoded = this.parseJwtPayload(token);
-      return {
-        email: getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"),
-        name: getOptionalString(decoded, "name")
-      };
+      const user = {};
+      setIfDefined(user, "email", getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"));
+      setIfDefined(user, "name", getOptionalString(decoded, "name"));
+      return user;
     } catch (error) {
       _logger.logger.warn("Failed to decode Microsoft ID token", {
         error: String(error)
@@ -1003,13 +1014,14 @@ class AuthWeb {
     if (!window.AppleID) {
       throw new Error("Apple SDK not loaded");
     }
-    window.AppleID.auth.init({
+    const appleAuthConfig = {
       clientId,
       scope: (options?.scopes?.length ? options.scopes : ["name", "email"]).join(" "),
       redirectURI: window.location.origin,
-      nonce: options?.nonce,
       usePopup: true
-    });
+    };
+    setIfDefined(appleAuthConfig, "nonce", options?.nonce);
+    window.AppleID.auth.init(appleAuthConfig);
     try {
       const response = await window.AppleID.auth.signIn();
       if (generation !== undefined) {
@@ -1017,11 +1029,11 @@ class AuthWeb {
       }
       const user = {
         provider: "apple",
-        idToken: response.authorization.id_token,
-        authorizationCode: response.authorization.code,
-        email: response.user?.email,
-        name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
+        idToken: response.authorization.id_token
       };
+      setIfDefined(user, "authorizationCode", response.authorization.code);
+      setIfDefined(user, "email", response.user?.email);
+      setIfDefined(user, "name", response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined);
       this.updateUser(user);
     } catch (error) {
       throw this.mapError(error);