Addressed review comments

Author: pmathew92

auth0/src/main/java/com/auth0/android/provider/OAuthManager.kt

@@ -394,7 +394,7 @@ internal fun OAuthManager.Companion.fromState(
 ): OAuthManager {
     // Enable DPoP on the restored PKCE's AuthenticationAPIClient so that
     // the token exchange request includes the DPoP proof after process restore.
-    if (state.dPoPEnabled  && state.pkce != null) {
+    if (state.dPoPEnabled && state.pkce != null) {
         state.pkce.apiClient.useDPoP(context)
     }
     return OAuthManager(
@@ -403,7 +403,7 @@ internal fun OAuthManager.Companion.fromState(
         parameters = state.parameters,
         callback = callback,
         customAuthorizeUrl = state.customAuthorizeUrl,
-        dPoP = if (state.dPoPEnabled ) DPoP(context) else null
+        dPoP = if (state.dPoPEnabled) DPoP(context) else null
     ).apply {
         setHeaders(
             state.headers

auth0/src/main/java/com/auth0/android/provider/OAuthManagerState.kt

@@ -36,7 +36,7 @@ internal data class OAuthManagerState(
         val idTokenVerificationLeeway: Int?,
         val idTokenVerificationIssuer: String?,
         val customAuthorizeUrl: String? = null,
-        val dPoPEnabled: Boolean
+        val dPoPEnabled: Boolean = false
     )
 
     fun serializeToJson(

auth0/src/test/java/com/auth0/android/provider/OAuthManagerStateTest.kt

@@ -1,8 +1,16 @@
 package com.auth0.android.provider
 
+import android.content.Context
 import android.graphics.Color
 import com.auth0.android.Auth0
+import com.auth0.android.authentication.AuthenticationAPIClient
+import com.auth0.android.authentication.AuthenticationException
+import com.auth0.android.callback.Callback
+import com.auth0.android.result.Credentials
 import com.nhaarman.mockitokotlin2.mock
+import com.nhaarman.mockitokotlin2.whenever
+import org.hamcrest.MatcherAssert.assertThat
+import org.hamcrest.core.Is.`is`
 import org.junit.Assert
 import org.junit.Test
 import org.junit.runner.RunWith
@@ -128,4 +136,54 @@ internal class OAuthManagerStateTest {
 
         Assert.assertFalse(deserializedState.dPoPEnabled)
     }
+
+    @Test
+    fun `fromState should re-enable DPoP on the restored PKCE's API client when dPoPEnabled is true`() {
+        val context = mock<Context>()
+        whenever(context.applicationContext).thenReturn(context)
+        val auth0 = Auth0.getInstance("clientId", "domain")
+        val apiClient = AuthenticationAPIClient(auth0)
+        val state = OAuthManagerState(
+            auth0 = auth0,
+            parameters = emptyMap(),
+            headers = emptyMap(),
+            requestCode = 0,
+            ctOptions = CustomTabsOptions.newBuilder().build(),
+            pkce = PKCE(apiClient, "codeVerifier", "redirectUri", "codeChallenge", emptyMap()),
+            idTokenVerificationLeeway = null,
+            idTokenVerificationIssuer = null,
+            dPoPEnabled = true
+        )
+        val callback = mock<Callback<Credentials, AuthenticationException>>()
+
+        OAuthManager.fromState(state, callback, context)
+
+        // This is the actual regression guard: the token exchange after process death only
+        // includes the DPoP proof because fromState re-enables DPoP on the restored API client.
+        assertThat(apiClient.isDPoPEnabled, `is`(true))
+    }
+
+    @Test
+    fun `fromState should not enable DPoP on the restored PKCE's API client when dPoPEnabled is false`() {
+        val context = mock<Context>()
+        whenever(context.applicationContext).thenReturn(context)
+        val auth0 = Auth0.getInstance("clientId", "domain")
+        val apiClient = AuthenticationAPIClient(auth0)
+        val state = OAuthManagerState(
+            auth0 = auth0,
+            parameters = emptyMap(),
+            headers = emptyMap(),
+            requestCode = 0,
+            ctOptions = CustomTabsOptions.newBuilder().build(),
+            pkce = PKCE(apiClient, "codeVerifier", "redirectUri", "codeChallenge", emptyMap()),
+            idTokenVerificationLeeway = null,
+            idTokenVerificationIssuer = null,
+            dPoPEnabled = false
+        )
+        val callback = mock<Callback<Credentials, AuthenticationException>>()
+
+        OAuthManager.fromState(state, callback, context)
+
+        assertThat(apiClient.isDPoPEnabled, `is`(false))
+    }
 }

auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt

@@ -2977,6 +2977,10 @@ public class WebAuthProviderTest {
         WebAuthProvider.onRestoreInstanceState(bundle, activity)
 
         val restoredManager = WebAuthProvider.managerInstance as OAuthManager
+        // This asserts the save/restore wiring reconstructs a DPoP-enabled manager. The actual
+        // regression guard — that DPoP is re-enabled on the restored PKCE's API client so the
+        // token exchange carries the proof — lives in OAuthManagerStateTest.fromState tests,
+        // since OAuthManager.pkce is private and not reachable here without reflection.
         assertThat(restoredManager.dPoP, `is`(notNullValue()))
     }