react-native-nitro-auth 0.6.3 → 0.6.5

package/CHANGELOG.md

@@ -1,38 +1,48 @@
 # Changelog
 
+## 0.6.5 - 2026-06-11
+
+### Fixed
+
+- Moved the Expo iOS Google Sign-In CocoaPods modular-header setup into the package config plugin so Expo/CNG consumers no longer need app-level `AppCheckCore`, `GoogleUtilities`, or `RecaptchaInterop` pod workarounds.
+- Added the package plugin dependency needed to apply the iOS build-properties setup from the package.
+
+## 0.6.4 - 2026-06-11
+
+### Added
+
+- Added a modern `exports` map with `react-native`, `browser`, `import`, and `require` conditions plus explicit `./app.plugin`, `./app.plugin.js`, and `./package.json` subpaths, so bundlers and Node resolve the package deterministically.
+
+### Changed
+
+- Strengthened the package TypeScript configuration (`exactOptionalPropertyTypes`, `noUncheckedIndexedAccess`, `noImplicitOverride`, `noImplicitReturns`, `noFallthroughCasesInSwitch`, `useUnknownInCatchVariables`) so editor and tooling diagnostics catch more mistakes at compile time.
+
+### Fixed
+
+- Encoded iOS Microsoft token request bodies as form data so authorization codes, redirect URIs, and refresh tokens containing reserved characters are posted correctly.
+
 ## 0.6.3 - 2026-06-10
 
 ### Fixed
 
 - Hardened Microsoft authority URL construction to reject absolute tenant URLs and invalid B2C domains while building valid B2C tenant/policy authority paths.
-- Kept the Expo example iOS build on source-built Expo modules until precompiled module linking is supported by the current native dependency set.
 
 ### Changed
 
-- Updated the Expo example SDK 56 patch dependencies so Expo Doctor passes cleanly.
-- Polished the Expo example app UI for more consistent provider cards, controls, smoke-test status, and action states.
-- Reduced unnecessary example-app React work by memoizing repeated demo rows, smoke-test UI, social buttons, and stable action handlers.
-- Updated README setup, provider examples, option tables, badge links, error codes, and typed API documentation to match the current package surface.
+- Updated README setup, provider examples, option tables, error codes, and typed API documentation to match the current package surface.
 - Added stronger compile-time coverage for provider-specific login options used by `AuthService.login()` and `useAuth().login()`.
 
 ## 0.6.1 - 2026-05-21
 
 ### Changed
 
-- Updated the package and Expo example baseline to Expo SDK 56, React Native 0.85.3, React 19.2.3, TypeScript 6.0.3, Nitro Modules 0.35.7, and nitrogen 0.35.7.
+- Updated the package baseline to Expo SDK 56, React Native 0.85.3, React 19.2.3, TypeScript 6.0.3, Nitro Modules 0.35.7, and nitrogen 0.35.7.
 - Raised the iOS deployment target to 16.4 for SDK 56 compatibility.
-- Added release preflight checks for Expo dependency validation, Expo Doctor, config introspection, package build, tests, C++ tests, and publish dry run.
-- Simplified the example app by keeping provider-specific advanced options collapsed by default.
-- Updated README badges, setup commands, release checks, and typed API examples to match the 0.6.1 package state.
 - Added compile-time coverage for provider-specific login option types.
-- Added CI setup and versioned tool detection for LLVM C++ coverage tools.
-- Added a CI-safe release preflight mode that skips unauthenticated npm publish dry runs while keeping local publish dry runs intact.
 
 ### Fixed
 
 - Retained the active iOS Apple Sign-In controller until completion to avoid premature native lifecycle cleanup.
-- Removed the example app's import-time native logging side effect.
-- Removed Turbo cache-output warnings from lint and typecheck tasks.
 
 ## 0.6.0 - 2026-05-14
 
@@ -42,7 +52,7 @@
 - Added Apple nonce and authorization-code/user-id result support.
 - Added Microsoft tenant and prompt option coverage across native and web flows.
 - Added `revokeAccess()` to the native/web auth API and `useAuth()` hook.
-- Added native logging hooks and platform-gated example controls for supported provider options only.
+- Added native logging hooks.
 - Added provider-specific TypeScript option types for `AuthService.login()` and `useAuth().login()`.
 
 ### Changed
@@ -53,86 +63,36 @@
 
 ### Fixed
 
-- Fixed Android Metro watcher noise from transient Bun `node_modules/.old-*` directories in the example app.
 - Fixed Android Google cancellation handling so cancellations are not reported as unknown failures.
 - Fixed native session cleanup paths to reject pending work before clearing provider state.
 
 ## 0.5.12 - 2026-05-13
 
-### Changed
-
-- Updated the Expo example to the current SDK 55 recommended `expo`, `expo-build-properties`, and `expo-system-ui` patch ranges.
-
 ### Fixed
 
-- Fixed the Android example launcher icon by adding an adaptive icon foreground and dark brand background.
 - Normalized web `SocialButton` and native login failures so presentation-anchor and missing-code errors surface as stable `AuthError` codes.
 - Shipped package-level Watchman ignores for Android CMake cache output so consumers avoid noisy native build watcher events.
 
 ## 0.5.11 - 2026-05-05
 
-### Changed
-
-- Updated the Expo example to the Expo SDK 55 recommended `expo@~55.0.23` patch and Android API 36 target.
-
 ### Fixed
 
 - Wrapped synchronous native service failures in `AuthError` so public service errors keep a consistent code contract.
 
-### Verified
-
-- `bun install --frozen-lockfile`
-- `bunx expo install --check --cwd apps/example`
-- `bunx expo-doctor@latest apps/example`
-- `bun run check:ci`
-- `bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand`
-- `bun run --cwd packages/react-native-nitro-auth test:cpp:coverage`
-- `bun run example:prebuild`
-- `bun run publish-package:dry-run`
-
 ## 0.5.10 - 2026-04-27
 
 ### Fixed
 
 - Fixed iOS Microsoft sign-in so `ASWebAuthenticationSession` is retained until callback or cancellation and duplicate sessions fail with `operation_in_progress`.
-- Fixed the example app header so it displays the current package version.
-
-### Verified
-
-- `bun run check:ci`
-- `bunx expo install --check --cwd apps/example`
-- `bunx expo-doctor@latest apps/example`
-- `bun run example:prebuild`
-- `bun run publish-package:dry-run`
 
 ## 0.5.9 - 2026-04-24
 
-### Added
-
-- Added shared JS service factory coverage and logger behavior tests.
-- Added C++ coverage support with `test:cpp:coverage` and expanded native tests for session restore, token refresh, access-token fallback, scope updates, listener isolation, logout cancellation, and serializer behavior.
-- Added example-app smoke checks for the public auth API, provider support, platform-gated behavior, and session-dependent methods.
-
 ### Changed
 
-- Updated Expo SDK 55 patch dependencies, React Native 0.83.6, Nitro Modules 0.35.5, and related build tooling.
+- Updated Expo SDK 55 patch dependencies, React Native 0.83.6, and Nitro Modules 0.35.5.
 - Refactored native/web `AuthService` creation so native and web error mapping stay consistent.
 - Hardened web OAuth state, cache parsing, token refresh, and provider error handling.
-- Improved example app handling for unsupported providers and unavailable session actions.
-- Improved release validation to include JS and C++ coverage gates and a faster publish dry run path.
 
 ### Fixed
 
-- Fixed native runtime crashes in the example app when optional Nitro methods are not available on the installed native object.
-- Fixed startup `silentRestore()` errors in the example app so restore failures surface in status instead of becoming unhandled promises.
 - Excluded C++ test sources from the iOS pod target to avoid app-target duplicate `main` symbols.
-
-### Verified
-
-- `bun run check:ci`
-- `bun run --cwd packages/react-native-nitro-auth test:coverage -- --runInBand`
-- `bun run --cwd packages/react-native-nitro-auth test:cpp:coverage`
-- `bun run publish-package:dry-run`
-- `bun run example:prebuild`
-- `bun run example:android`
-- `bun run example:ios`

package/README.md

@@ -1,9 +1,11 @@
 # react-native-nitro-auth
 
 [![npm version](https://img.shields.io/npm/v/react-native-nitro-auth?color=f97316&label=npm)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![npm downloads](https://img.shields.io/npm/dm/react-native-nitro-auth?color=22c55e&label=downloads)](https://www.npmjs.com/package/react-native-nitro-auth)
+[![CI](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/actions/workflows/ci.yml/badge.svg)](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/actions/workflows/ci.yml)
 [![license](https://img.shields.io/npm/l/react-native-nitro-auth?color=007ec6)](https://github.com/JoaoPauloCMarra/react-native-nitro-auth/blob/main/LICENSE)
 [![React Native](https://img.shields.io/badge/react--native-%3E%3D0.75-61dafb)](https://reactnative.dev/)
-[![Expo](https://img.shields.io/badge/expo-SDK%2056-000020)](https://expo.dev/)
+[![Expo](https://img.shields.io/badge/expo-SDK%2056-000020)](https://docs.expo.dev/)
 [![Nitro Modules](https://img.shields.io/badge/nitro--modules-%3E%3D0.35.7-black)](https://nitro.margelo.com/)
 [![TypeScript](https://img.shields.io/badge/typescript-6.0-3178c6)](https://www.typescriptlang.org/)
 
@@ -104,6 +106,11 @@ Plugin options:
 Web reads provider client IDs from `expo.extra`; native platforms read values
 written by the plugin during prebuild.
 
+On iOS, the plugin also applies the CocoaPods modular-header settings required
+by the Google Sign-In dependency chain (`AppCheckCore`, `GoogleUtilities`, and
+`RecaptchaInterop`). Expo apps should not add those pods manually through
+`expo-build-properties`.
+
 Microsoft tenant values are validated before opening the authorization URL. Use
 `common`, `organizations`, `consumers`, a tenant ID, or a tenant domain for
 standard Entra ID. For B2C, set `microsoftB2cDomain` to a hostname such as

package/android/src/main/java/com/auth/AuthAdapter.kt

@@ -47,7 +47,6 @@ object AuthAdapter {
     private var currentActivity: Activity? = null
     private var googleSignInClient: GoogleSignInClient? = null
     private var lifecycleCallbacks: Application.ActivityLifecycleCallbacks? = null
-    private var pendingScopes: List<String> = emptyList()
     private var pendingMicrosoftScopes: List<String> = emptyList()
 
     @Volatile
@@ -212,7 +211,6 @@ object AuthAdapter {
         }
 
         val requestedScopes = scopes?.toList() ?: listOf("email", "profile")
-        pendingScopes = requestedScopes
 
         if (useLegacyGoogleSignIn || forceAccountPicker) {
             loginLegacy(context, clientId, requestedScopes, loginHint, forceAccountPicker, forceCodeForRefreshToken, hostedDomain, "login")
@@ -727,7 +725,7 @@ object AuthAdapter {
         val ctx = appContext ?: context.applicationContext
         val account = GoogleSignIn.getLastSignedInAccount(ctx)
         if (account != null) {
-            if (googleSignInClient == null) {
+            val client = googleSignInClient ?: run {
                 val clientId = getClientIdFromResources(ctx)
                 if (clientId == null) {
                     nativeOnRefreshError("configuration_error", "Google Client ID not configured")
@@ -738,9 +736,11 @@ object AuthAdapter {
                     .requestServerAuthCode(clientId)
                     .requestEmail()
                     .build()
-                googleSignInClient = GoogleSignIn.getClient(ctx, gso)
+                GoogleSignIn.getClient(ctx, gso).also {
+                    googleSignInClient = it
+                }
             }
-            googleSignInClient!!.silentSignIn().addOnCompleteListener { task ->
+            client.silentSignIn().addOnCompleteListener { task ->
                 if (task.isSuccessful) {
                     val acc = task.result
                     nativeOnRefreshSuccess(acc?.idToken, null, getJwtExpirationTimeMs(acc?.idToken))

package/app.plugin.js

@@ -1,3 +1,4 @@
+const { withBuildProperties } = require("expo-build-properties");
 const {
   withInfoPlist,
   withEntitlementsPlist,
@@ -8,10 +9,34 @@ const {
 } = require("@expo/config-plugins");
 const pkg = require("./package.json");
 
+const googleSignInIosPods = [
+  { name: "AppCheckCore", modular_headers: true },
+  { name: "GoogleUtilities", modular_headers: true },
+  { name: "RecaptchaInterop", modular_headers: true },
+];
+
+function getNitroAuthIosExtraPods(extraPods = []) {
+  const pods = Array.isArray(extraPods) ? [...extraPods] : [];
+  const existingPodNames = new Set(pods.map((pod) => pod?.name));
+
+  for (const pod of googleSignInIosPods) {
+    if (!existingPodNames.has(pod.name)) {
+      pods.push(pod);
+    }
+  }
+
+  return pods;
+}
+
 const withNitroAuth = (config, props = {}) => {
   const { ios = {}, android = {} } = props;
 
-  // 1. iOS Info.plist
+  config = withBuildProperties(config, {
+    ios: {
+      extraPods: getNitroAuthIosExtraPods(config.ios?.extraPods),
+    },
+  });
+
   config = withInfoPlist(config, (config) => {
     if (ios.googleClientId) {
       config.modResults.GIDClientID = ios.googleClientId;
@@ -34,10 +59,8 @@ const withNitroAuth = (config, props = {}) => {
         ];
       }
     }
-    // Microsoft configuration
     if (ios.microsoftClientId) {
       config.modResults.MSALClientID = ios.microsoftClientId;
-      // Add MSAL redirect URL scheme
       const msalScheme = `msauth.${config.ios?.bundleIdentifier}`;
       const existingSchemes = config.modResults.CFBundleURLTypes || [];
       if (
@@ -62,7 +85,6 @@ const withNitroAuth = (config, props = {}) => {
     return config;
   });
 
-  // 2. iOS Entitlements
   if (ios.appleSignIn === true) {
     config = withEntitlementsPlist(config, (config) => {
       config.modResults["com.apple.developer.applesignin"] = ["Default"];
@@ -70,7 +92,6 @@ const withNitroAuth = (config, props = {}) => {
     });
   }
 
-  // 3. Android Strings (for Google and Microsoft Client IDs)
   config = withStringsXml(config, (config) => {
     if (android.googleClientId) {
       config.modResults = AndroidConfig.Strings.setStringItem(
@@ -119,7 +140,6 @@ const withNitroAuth = (config, props = {}) => {
     return config;
   });
 
-  // 4. Android Manifest for MSAL redirect
   if (android.microsoftClientId) {
     config = withAndroidManifest(config, (config) => {
       const manifest = config.modResults.manifest;
@@ -170,3 +190,8 @@ const withNitroAuth = (config, props = {}) => {
 };
 
 module.exports = createRunOncePlugin(withNitroAuth, pkg.name, pkg.version);
+module.exports.withNitroAuth = withNitroAuth;
+module.exports._internal = {
+  getNitroAuthIosExtraPods,
+  googleSignInIosPods,
+};

package/ios/AuthAdapter.swift

@@ -292,6 +292,21 @@ public class AuthAdapter: NSObject {
       .replacingOccurrences(of: "/", with: "_")
       .replacingOccurrences(of: "=", with: "")
   }
+
+  private static let formUrlEncodedAllowedCharacters = CharacterSet(
+    charactersIn: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
+  )
+
+  private static func formUrlEncodedBody(_ params: [String: String]) -> Data? {
+    params
+      .map { key, value in
+        let encodedKey = key.addingPercentEncoding(withAllowedCharacters: formUrlEncodedAllowedCharacters) ?? key
+        let encodedValue = value.addingPercentEncoding(withAllowedCharacters: formUrlEncodedAllowedCharacters) ?? value
+        return "\(encodedKey)=\(encodedValue)"
+      }
+      .joined(separator: "&")
+      .data(using: .utf8)
+  }
   
   private static func exchangeCodeForTokens(
     code: String,
@@ -322,10 +337,7 @@ public class AuthAdapter: NSObject {
       "code_verifier": codeVerifier
     ]
     
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
@@ -606,10 +618,7 @@ public class AuthAdapter: NSObject {
       "refresh_token": refreshToken
     ]
     
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
@@ -692,10 +701,7 @@ public class AuthAdapter: NSObject {
       "grant_type": "refresh_token",
       "refresh_token": refreshToken
     ]
-    request.httpBody = bodyParams
-      .map { "\($0.key)=\($0.value.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed) ?? $0.value)" }
-      .joined(separator: "&")
-      .data(using: .utf8)
+    request.httpBody = formUrlEncodedBody(bodyParams)
     URLSession.shared.dataTask(with: request) { data, response, error in
       DispatchQueue.main.async {
         if error != nil {

package/lib/commonjs/Auth.web.js

@@ -43,6 +43,18 @@ const getOptionalNumber = (source, key) => {
   const candidate = source[key];
   return typeof candidate === "number" && Number.isFinite(candidate) ? candidate : undefined;
 };
+function setIfDefined(target, key, value) {
+  if (value !== undefined) {
+    target[key] = value;
+  }
+}
+function setOrDelete(target, key, value) {
+  if (value === undefined) {
+    delete target[key];
+    return;
+  }
+  target[key] = value;
+}
 const parseExpiresInSeconds = value => {
   const candidate = typeof value === "number" ? value : typeof value === "string" && value.trim().length > 0 ? Number(value) : undefined;
   if (typeof candidate !== "number" || !Number.isFinite(candidate) || candidate < 0) {
@@ -56,19 +68,20 @@ const parseAuthUser = value => {
   }
   const scopesCandidate = value.scopes;
   const scopes = Array.isArray(scopesCandidate) ? scopesCandidate.filter(scope => typeof scope === "string") : undefined;
-  return {
-    provider: value.provider,
-    email: getOptionalString(value, "email"),
-    name: getOptionalString(value, "name"),
-    photo: getOptionalString(value, "photo"),
-    idToken: getOptionalString(value, "idToken"),
-    accessToken: getOptionalString(value, "accessToken"),
-    refreshToken: getOptionalString(value, "refreshToken"),
-    serverAuthCode: getOptionalString(value, "serverAuthCode"),
-    scopes,
-    expirationTime: getOptionalNumber(value, "expirationTime"),
-    underlyingError: getOptionalString(value, "underlyingError")
+  const user = {
+    provider: value.provider
   };
+  setIfDefined(user, "email", getOptionalString(value, "email"));
+  setIfDefined(user, "name", getOptionalString(value, "name"));
+  setIfDefined(user, "photo", getOptionalString(value, "photo"));
+  setIfDefined(user, "idToken", getOptionalString(value, "idToken"));
+  setIfDefined(user, "accessToken", getOptionalString(value, "accessToken"));
+  setIfDefined(user, "refreshToken", getOptionalString(value, "refreshToken"));
+  setIfDefined(user, "serverAuthCode", getOptionalString(value, "serverAuthCode"));
+  setIfDefined(user, "scopes", scopes);
+  setIfDefined(user, "expirationTime", getOptionalNumber(value, "expirationTime"));
+  setIfDefined(user, "underlyingError", getOptionalString(value, "underlyingError"));
+  return user;
 };
 const parseScopes = value => {
   if (!Array.isArray(value)) {
@@ -83,15 +96,15 @@ const parseAuthWebExtraConfig = value => {
   }
   const nitroAuthWebStorageCandidate = value.nitroAuthWebStorage;
   const nitroAuthWebStorage = nitroAuthWebStorageCandidate === STORAGE_MODE_SESSION || nitroAuthWebStorageCandidate === STORAGE_MODE_LOCAL || nitroAuthWebStorageCandidate === STORAGE_MODE_MEMORY ? nitroAuthWebStorageCandidate : undefined;
-  return {
-    googleWebClientId: getOptionalString(value, "googleWebClientId"),
-    microsoftClientId: getOptionalString(value, "microsoftClientId"),
-    microsoftTenant: getOptionalString(value, "microsoftTenant"),
-    microsoftB2cDomain: getOptionalString(value, "microsoftB2cDomain"),
-    appleWebClientId: getOptionalString(value, "appleWebClientId"),
-    nitroAuthWebStorage,
-    nitroAuthPersistTokensOnWeb: typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined
-  };
+  const config = {};
+  setIfDefined(config, "googleWebClientId", getOptionalString(value, "googleWebClientId"));
+  setIfDefined(config, "microsoftClientId", getOptionalString(value, "microsoftClientId"));
+  setIfDefined(config, "microsoftTenant", getOptionalString(value, "microsoftTenant"));
+  setIfDefined(config, "microsoftB2cDomain", getOptionalString(value, "microsoftB2cDomain"));
+  setIfDefined(config, "appleWebClientId", getOptionalString(value, "appleWebClientId"));
+  setIfDefined(config, "nitroAuthWebStorage", nitroAuthWebStorage);
+  setIfDefined(config, "nitroAuthPersistTokensOnWeb", typeof value.nitroAuthPersistTokensOnWeb === "boolean" ? value.nitroAuthPersistTokensOnWeb : undefined);
+  return config;
 };
 const getConfig = () => {
   try {
@@ -507,19 +520,18 @@ class AuthWeb {
       const claims = effectiveIdToken ? this.decodeMicrosoftJwt(effectiveIdToken) : {};
       const user = {
         ...currentUser,
-        idToken: effectiveIdToken,
-        accessToken: accessToken ?? undefined,
-        refreshToken: newRefreshToken ?? currentUser.refreshToken,
-        expirationTime,
         ...claims
       };
+      setOrDelete(user, "idToken", effectiveIdToken);
+      setOrDelete(user, "accessToken", accessToken);
+      setOrDelete(user, "refreshToken", newRefreshToken ?? currentUser.refreshToken);
+      setOrDelete(user, "expirationTime", expirationTime);
       this.updateUser(user);
-      const tokens = {
-        accessToken: accessToken ?? undefined,
-        idToken: effectiveIdToken,
-        refreshToken: newRefreshToken ?? undefined,
-        expirationTime
-      };
+      const tokens = {};
+      setIfDefined(tokens, "accessToken", accessToken);
+      setIfDefined(tokens, "idToken", effectiveIdToken);
+      setIfDefined(tokens, "refreshToken", newRefreshToken);
+      setIfDefined(tokens, "expirationTime", expirationTime);
       this.notifyTokenListeners(tokens);
       return tokens;
     }
@@ -529,12 +541,11 @@ class AuthWeb {
     _logger.logger.log("Refreshing tokens...");
     await this.runLoginOperation(() => this.loginGoogle(this._grantedScopes.length > 0 ? this._grantedScopes : DEFAULT_SCOPES, undefined, undefined, generation));
     this.assertActiveGeneration(generation);
-    const tokens = {
-      accessToken: this._currentUser.accessToken,
-      idToken: this._currentUser.idToken,
-      refreshToken: this._currentUser.refreshToken,
-      expirationTime: this._currentUser.expirationTime
-    };
+    const tokens = {};
+    setIfDefined(tokens, "accessToken", this._currentUser.accessToken);
+    setIfDefined(tokens, "idToken", this._currentUser.idToken);
+    setIfDefined(tokens, "refreshToken", this._currentUser.refreshToken);
+    setIfDefined(tokens, "expirationTime", this._currentUser.expirationTime);
     this.notifyTokenListeners(tokens);
     return tokens;
   }
@@ -742,14 +753,14 @@ class AuthWeb {
         const user = {
           provider: "google",
           idToken,
-          accessToken: accessToken ?? undefined,
-          serverAuthCode: code ?? undefined,
-          userId: getOptionalString(decoded, "sub"),
-          hostedDomain: getOptionalString(decoded, "hd"),
           scopes,
-          expirationTime: this.getExpirationTime(expiresIn),
           ...this.decodeGoogleJwt(idToken)
         };
+        setIfDefined(user, "accessToken", accessToken ?? undefined);
+        setIfDefined(user, "serverAuthCode", code ?? undefined);
+        setIfDefined(user, "userId", getOptionalString(decoded, "sub"));
+        setIfDefined(user, "hostedDomain", getOptionalString(decoded, "hd"));
+        setIfDefined(user, "expirationTime", this.getExpirationTime(expiresIn));
         this.updateUser(user);
       }).then(() => {
         resolve();
@@ -761,13 +772,13 @@ class AuthWeb {
   decodeGoogleJwt(token) {
     try {
       const decoded = this.parseJwtPayload(token);
-      return {
-        email: getOptionalString(decoded, "email"),
-        name: getOptionalString(decoded, "name"),
-        photo: getOptionalString(decoded, "picture"),
-        userId: getOptionalString(decoded, "sub"),
-        hostedDomain: getOptionalString(decoded, "hd")
-      };
+      const user = {};
+      setIfDefined(user, "email", getOptionalString(decoded, "email"));
+      setIfDefined(user, "name", getOptionalString(decoded, "name"));
+      setIfDefined(user, "photo", getOptionalString(decoded, "picture"));
+      setIfDefined(user, "userId", getOptionalString(decoded, "sub"));
+      setIfDefined(user, "hostedDomain", getOptionalString(decoded, "hd"));
+      return user;
     } catch (error) {
       _logger.logger.warn("Failed to decode Google ID token", {
         error: String(error)
@@ -894,12 +905,12 @@ class AuthWeb {
     const user = {
       provider: "microsoft",
       idToken,
-      accessToken: accessToken ?? undefined,
-      refreshToken: refreshToken ?? undefined,
       scopes,
-      expirationTime: this.getExpirationTime(json["expires_in"]),
       ...claims
     };
+    setIfDefined(user, "accessToken", accessToken);
+    setIfDefined(user, "refreshToken", refreshToken);
+    setIfDefined(user, "expirationTime", this.getExpirationTime(json["expires_in"]));
     this.updateUser(user);
   }
   getMicrosoftAuthBaseUrl(tenant, b2cDomain) {
@@ -940,10 +951,10 @@ class AuthWeb {
   decodeMicrosoftJwt(token) {
     try {
       const decoded = this.parseJwtPayload(token);
-      return {
-        email: getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"),
-        name: getOptionalString(decoded, "name")
-      };
+      const user = {};
+      setIfDefined(user, "email", getOptionalString(decoded, "preferred_username") ?? getOptionalString(decoded, "email"));
+      setIfDefined(user, "name", getOptionalString(decoded, "name"));
+      return user;
     } catch (error) {
       _logger.logger.warn("Failed to decode Microsoft ID token", {
         error: String(error)
@@ -1003,13 +1014,14 @@ class AuthWeb {
     if (!window.AppleID) {
       throw new Error("Apple SDK not loaded");
     }
-    window.AppleID.auth.init({
+    const appleAuthConfig = {
       clientId,
       scope: (options?.scopes?.length ? options.scopes : ["name", "email"]).join(" "),
       redirectURI: window.location.origin,
-      nonce: options?.nonce,
       usePopup: true
-    });
+    };
+    setIfDefined(appleAuthConfig, "nonce", options?.nonce);
+    window.AppleID.auth.init(appleAuthConfig);
     try {
       const response = await window.AppleID.auth.signIn();
       if (generation !== undefined) {
@@ -1017,11 +1029,11 @@ class AuthWeb {
       }
       const user = {
         provider: "apple",
-        idToken: response.authorization.id_token,
-        authorizationCode: response.authorization.code,
-        email: response.user?.email,
-        name: response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined
+        idToken: response.authorization.id_token
       };
+      setIfDefined(user, "authorizationCode", response.authorization.code);
+      setIfDefined(user, "email", response.user?.email);
+      setIfDefined(user, "name", response.user?.name ? `${response.user.name.firstName} ${response.user.name.lastName}`.trim() : undefined);
       this.updateUser(user);
     } catch (error) {
       throw this.mapError(error);