fix: prevent rotation from canceling auth, clear stale pending results on new flow start, make pending fields internal for direct test access

utkrishtsahu · utkrishtsahu · commit 08869534b21e · 2026-04-02T16:48:38.000+05:30
diff --git a/auth0/src/main/java/com/auth0/android/provider/AuthenticationActivity.kt b/auth0/src/main/java/com/auth0/android/provider/AuthenticationActivity.kt
@@ -57,12 +57,14 @@ public open class AuthenticationActivity : Activity() {
             launchAuthenticationIntent()
             return
         }
+        // Only deliver result if intent.data is present (user returned from browser).
+        // If data is null, the Activity resumed due to rotation or other config change
+        // while the CustomTab is still open — don't finish, let the browser continue.
         val resultMissing = authenticationIntent.data == null
-        if (resultMissing) {
-            setResult(RESULT_CANCELED)
+        if (!resultMissing) {
+            deliverAuthenticationResult(authenticationIntent)
+            finish()
         }
-        deliverAuthenticationResult(authenticationIntent)
-        finish()
     }
 
     override fun onDestroy() {
diff --git a/auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt b/auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt
@@ -50,9 +50,9 @@ public object WebAuthProvider {
         data class Failure(val error: AuthenticationException) : PendingResult<Nothing>()
     }
 
-    private val pendingLoginResult = AtomicReference<PendingResult<Credentials>?>(null)
+    internal val pendingLoginResult = AtomicReference<PendingResult<Credentials>?>(null)
 
-    private val pendingLogoutResult = AtomicReference<PendingResult<Void?>?>(null)
+    internal val pendingLogoutResult = AtomicReference<PendingResult<Void?>?>(null)
 
     /**
      * Registers login (and optionally logout) callbacks for the duration of the given
@@ -332,6 +332,7 @@ public object WebAuthProvider {
          */
         public fun start(context: Context, callback: Callback<Void?, AuthenticationException>) {
             pendingLogoutResult.set(null)
+            pendingLoginResult.set(null)
 
             val effectiveCallback = if (context is LifecycleOwner) {
                 LifecycleAwareCallback<Void?>(
@@ -703,6 +704,7 @@ public object WebAuthProvider {
             callback: Callback<Credentials, AuthenticationException>
         ) {
             pendingLoginResult.set(null)
+            pendingLogoutResult.set(null)
             val effectiveCallback = if (context is LifecycleOwner) {
                 LifecycleAwareCallback<Credentials>(
                     delegateCallback = callback,
diff --git a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt
@@ -65,7 +65,6 @@ import java.io.InputStream
 import java.nio.file.Files
 import java.nio.file.Paths
 import java.util.*
-import java.util.concurrent.atomic.AtomicReference
 
 @RunWith(RobolectricTestRunner::class)
 @Config(shadows = [ThreadSwitcherShadow::class])
@@ -3418,33 +3417,21 @@ public class WebAuthProviderTest {
         Assert.assertNotNull(getPendingLogoutResult())
     }
 
-    // Reflection helpers — pendingLoginResult/pendingLogoutResult are private in WebAuthProvider
-    @Suppress("UNCHECKED_CAST")
+    // Direct access — pendingLoginResult/pendingLogoutResult are internal in WebAuthProvider
     private fun setPendingLoginResult(result: WebAuthProvider.PendingResult<Credentials>?) {
-        val field = WebAuthProvider::class.java.getDeclaredField("pendingLoginResult")
-        field.isAccessible = true
-        (field.get(WebAuthProvider) as AtomicReference<WebAuthProvider.PendingResult<Credentials>?>).set(result)
+        WebAuthProvider.pendingLoginResult.set(result)
     }
 
-    @Suppress("UNCHECKED_CAST")
     private fun getPendingLoginResult(): WebAuthProvider.PendingResult<Credentials>? {
-        val field = WebAuthProvider::class.java.getDeclaredField("pendingLoginResult")
-        field.isAccessible = true
-        return (field.get(WebAuthProvider) as AtomicReference<WebAuthProvider.PendingResult<Credentials>?>).get()
+        return WebAuthProvider.pendingLoginResult.get()
     }
 
-    @Suppress("UNCHECKED_CAST")
     private fun setPendingLogoutResult(result: WebAuthProvider.PendingResult<Void?>?) {
-        val field = WebAuthProvider::class.java.getDeclaredField("pendingLogoutResult")
-        field.isAccessible = true
-        (field.get(WebAuthProvider) as AtomicReference<WebAuthProvider.PendingResult<Void?>?>).set(result)
+        WebAuthProvider.pendingLogoutResult.set(result)
     }
 
-    @Suppress("UNCHECKED_CAST")
     private fun getPendingLogoutResult(): WebAuthProvider.PendingResult<Void?>? {
-        val field = WebAuthProvider::class.java.getDeclaredField("pendingLogoutResult")
-        field.isAccessible = true
-        return (field.get(WebAuthProvider) as AtomicReference<WebAuthProvider.PendingResult<Void?>?>).get()
+        return WebAuthProvider.pendingLogoutResult.get()
     }
 
     private companion object {

Original file line number	Diff line number	Diff line change
`@@ -57,12 +57,14 @@ public open class AuthenticationActivity : Activity() {`
`57`	`57`	`launchAuthenticationIntent()`
`58`	`58`	`return`
`59`	`59`	`}`
	`60`	`+ // Only deliver result if intent.data is present (user returned from browser).`
	`61`	`+ // If data is null, the Activity resumed due to rotation or other config change`
	`62`	`+ // while the CustomTab is still open — don't finish, let the browser continue.`
`60`	`63`	`val resultMissing = authenticationIntent.data == null`
`61`		`- if (resultMissing) {`
`62`		`- setResult(RESULT_CANCELED)`
	`64`	`+ if (!resultMissing) {`
	`65`	`+ deliverAuthenticationResult(authenticationIntent)`
	`66`	`+ finish()`
`63`	`67`	`}`
`64`		`- deliverAuthenticationResult(authenticationIntent)`
`65`		`- finish()`
`66`	`68`	`}`
`67`	`69`
`68`	`70`	`override fun onDestroy() {`