fix: handle back button cancel and make logoutCallback required in registerCallbacks

Author: utkrishtsahu

V4_MIGRATION_GUIDE.md

@@ -344,7 +344,7 @@ class LoginActivity : AppCompatActivity() {
 | **Configuration change** (rotation, locale, dark mode) | Any result cached while the Activity was recreating is delivered on the next `onResume` |
 | **Process death** (system killed the app while browser was open) | `loginCallback` is registered as a listener and auto-removed when `lifecycleOwner` is destroyed — no manual `addCallback`/`removeCallback` calls needed |
 
-> **Note:** `logoutCallback` is optional — pass it only if your screen initiates logout flows.
+> **Note:** Both `loginCallback` and `logoutCallback` are required — this ensures results from either flow are never lost during configuration changes or process death.
 
 > **Note:** If you use the `suspend fun await()` API from a ViewModel coroutine scope, the
 > Activity is never captured in the callback chain, so you do not need `registerCallbacks()` calls.

auth0/src/main/java/com/auth0/android/provider/AuthenticationActivity.kt

@@ -20,6 +20,7 @@ import com.google.androidbrowserhelper.trusted.TwaLauncher
 public open class AuthenticationActivity : Activity() {
     private var intentLaunched = false
     private var customTabsController: CustomTabsController? = null
+    private var returnedFromBrowser = false
     override fun onNewIntent(intent: Intent?) {
         super.onNewIntent(intent)
         setIntent(intent)
@@ -45,6 +46,13 @@ public open class AuthenticationActivity : Activity() {
         }
     }
 
+    override fun onStop() {
+        super.onStop()
+        if (intentLaunched) {
+            returnedFromBrowser = true
+        }
+    }
+
     override fun onResume() {
         super.onResume()
         val authenticationIntent = intent
@@ -57,11 +65,12 @@ public open class AuthenticationActivity : Activity() {
             launchAuthenticationIntent()
             return
         }
-        // Only deliver result if intent.data is present (user returned from browser).
-        // If data is null, the Activity resumed due to rotation or other config change
-        // while the CustomTab is still open — don't finish, let the browser continue.
-        val resultMissing = authenticationIntent.data == null
-        if (!resultMissing) {
+        val hasResult = authenticationIntent.data != null
+        if (hasResult || returnedFromBrowser) {
+            returnedFromBrowser = false
+            if (!hasResult) {
+                setResult(RESULT_CANCELED)
+            }
             deliverAuthenticationResult(authenticationIntent)
             finish()
         }

auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt

@@ -55,17 +55,20 @@ public object WebAuthProvider {
     internal val pendingLogoutResult = AtomicReference<PendingResult<Void?>?>(null)
 
     /**
-     * Registers login (and optionally logout) callbacks for the duration of the given
+     * Registers login and logout callbacks for the duration of the given
      * [lifecycleOwner]'s lifetime. Call this once in `onCreate()` — it covers both recovery
      * scenarios automatically:
      *
-     * - **Process death**: [loginCallback] is registered immediately so that if the process
-     *   was killed while the browser was open, the result is delivered when the Activity is
-     *   restored. The callback is automatically unregistered when [lifecycleOwner] is destroyed,
+     * - **Process death**: callbacks are registered immediately so that if the process
+     *   was killed while the browser was open, results are delivered when the Activity is
+     *   restored. Callbacks are automatically unregistered when [lifecycleOwner] is destroyed,
      *   so there is no need to call [removeCallback] manually.
      * - **Configuration change** (rotation, locale, dark mode): any login or logout result
      *   that arrived while the Activity was being recreated is delivered on the next `onResume`.
      *
+     * Both callbacks are required to ensure results are not lost during configuration changes
+     * (e.g. user logs out to switch accounts and rotates during the logout flow).
+     *
      * ```kotlin
      * override fun onCreate(savedInstanceState: Bundle?) {
      *     super.onCreate(savedInstanceState)
@@ -81,7 +84,7 @@ public object WebAuthProvider {
     public fun registerCallbacks(
         lifecycleOwner: LifecycleOwner,
         loginCallback: Callback<Credentials, AuthenticationException>,
-        logoutCallback: Callback<Void?, AuthenticationException>? = null,
+        logoutCallback: Callback<Void?, AuthenticationException>,
     ) {
         // Process-death recovery: register immediately so result is routed here on restore
         callbacks += loginCallback
@@ -95,14 +98,12 @@ public object WebAuthProvider {
                     }
                     resetManagerInstance()
                 }
-                logoutCallback?.let { cb ->
-                    pendingLogoutResult.getAndSet(null)?.let { pending ->
-                        when (pending) {
-                            is PendingResult.Success -> cb.onSuccess(pending.result)
-                            is PendingResult.Failure -> cb.onFailure(pending.error)
-                        }
-                        resetManagerInstance()
+                pendingLogoutResult.getAndSet(null)?.let { pending ->
+                    when (pending) {
+                        is PendingResult.Success -> logoutCallback.onSuccess(pending.result)
+                        is PendingResult.Failure -> logoutCallback.onFailure(pending.error)
                     }
+                    resetManagerInstance()
                 }
             }
 
@@ -115,7 +116,7 @@ public object WebAuthProvider {
 
     @Deprecated(
         message = "Use registerCallbacks() instead — it registers the callback and auto-removes it when the lifecycle owner is destroyed.",
-        replaceWith = ReplaceWith("registerCallbacks(lifecycleOwner, loginCallback = callback)")
+        replaceWith = ReplaceWith("registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = logoutCallback)")
     )
     @JvmStatic
     public fun addCallback(callback: Callback<Credentials, AuthenticationException>) {
@@ -124,7 +125,7 @@ public object WebAuthProvider {
 
     @Deprecated(
         message = "Use registerCallbacks() instead — it auto-removes the callback when the lifecycle owner is destroyed.",
-        replaceWith = ReplaceWith("registerCallbacks(lifecycleOwner, loginCallback = callback)")
+        replaceWith = ReplaceWith("registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = logoutCallback)")
     )
     @JvmStatic
     public fun removeCallback(callback: Callback<Credentials, AuthenticationException>) {

auth0/src/test/java/com/auth0/android/provider/AuthenticationActivityTest.kt

@@ -214,10 +214,13 @@ public class AuthenticationActivityTest {
         MatcherAssert.assertThat(launchAsTwaCaptor.value, Is.`is`(false))
         MatcherAssert.assertThat(activity.deliveredIntent, Is.`is`(Matchers.nullValue()))
         activityController.pause().stop()
-        //Browser is shown, resume WITHOUT new intent — should NOT deliver or finish
         activityController.start().resume()
-        MatcherAssert.assertThat(activity.deliveredIntent, Is.`is`(Matchers.nullValue())) //nothing delivered
-        MatcherAssert.assertThat(activity.isFinishing, Is.`is`(false)) //still waiting for result
+        MatcherAssert.assertThat(activity.deliveredIntent, Is.`is`(Matchers.notNullValue()))
+        MatcherAssert.assertThat(
+            activity.deliveredIntent!!.data,
+            Is.`is`(Matchers.nullValue())
+        ) 
+        MatcherAssert.assertThat(activity.isFinishing, Is.`is`(true))
         activityController.destroy()
         Mockito.verify(customTabsController).unbindService()
     }

auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt

@@ -3302,7 +3302,7 @@ public class WebAuthProviderTest {
         Mockito.`when`(lifecycleOwner.lifecycle).thenReturn(lifecycle)
 
         val observerCaptor = argumentCaptor<DefaultLifecycleObserver>()
-        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback)
+        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = voidCallback)
         verify(lifecycle).addObserver(observerCaptor.capture())
 
         // Pending result is delivered on onResume, not immediately
@@ -3323,7 +3323,7 @@ public class WebAuthProviderTest {
         Mockito.`when`(lifecycleOwner.lifecycle).thenReturn(lifecycle)
 
         val observerCaptor = argumentCaptor<DefaultLifecycleObserver>()
-        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback)
+        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = voidCallback)
         verify(lifecycle).addObserver(observerCaptor.capture())
 
         observerCaptor.firstValue.onResume(lifecycleOwner)
@@ -3375,7 +3375,7 @@ public class WebAuthProviderTest {
         val lifecycle = Mockito.mock(Lifecycle::class.java)
         Mockito.`when`(lifecycleOwner.lifecycle).thenReturn(lifecycle)
 
-        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback)
+        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = voidCallback)
 
         Assert.assertTrue(WebAuthProvider.callbacks.contains(callback))
     }
@@ -3387,7 +3387,7 @@ public class WebAuthProviderTest {
         Mockito.`when`(lifecycleOwner.lifecycle).thenReturn(lifecycle)
 
         val observerCaptor = argumentCaptor<DefaultLifecycleObserver>()
-        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback)
+        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback, logoutCallback = voidCallback)
         verify(lifecycle).addObserver(observerCaptor.capture())
 
         Assert.assertTrue(WebAuthProvider.callbacks.contains(callback))
@@ -3398,24 +3398,6 @@ public class WebAuthProviderTest {
         Assert.assertFalse(WebAuthProvider.callbacks.contains(callback))
     }
 
-    @Test
-    public fun shouldNotDeliverLogoutResultWhenNoLogoutCallbackPassedToRegisterCallbacks() {
-        setPendingLogoutResult(WebAuthProvider.PendingResult.Success(null))
-
-        val lifecycleOwner = Mockito.mock(LifecycleOwner::class.java)
-        val lifecycle = Mockito.mock(Lifecycle::class.java)
-        Mockito.`when`(lifecycleOwner.lifecycle).thenReturn(lifecycle)
-
-        val observerCaptor = argumentCaptor<DefaultLifecycleObserver>()
-        WebAuthProvider.registerCallbacks(lifecycleOwner, loginCallback = callback)
-        verify(lifecycle).addObserver(observerCaptor.capture())
-
-        // registerCallbacks without logoutCallback — pending logout result should stay untouched
-        observerCaptor.firstValue.onResume(lifecycleOwner)
-
-        verify(voidCallback, Mockito.never()).onSuccess(any())
-        Assert.assertNotNull(getPendingLogoutResult())
-    }
 
     // Direct access — pendingLoginResult/pendingLogoutResult are internal in WebAuthProvider
     private fun setPendingLoginResult(result: WebAuthProvider.PendingResult<Credentials>?) {