Merge branch 'master' into fix/mfa-challenge-oob-code-snake-case

Author: subhankarmaiti

.version

@@ -1 +1 @@
-v5.5.0
+v5.5.1

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Change Log
 
+## [v5.5.1](https://github.com/auth0/react-native-auth0/tree/v5.5.1) (2026-04-23)
+
+[Full Changelog](https://github.com/auth0/react-native-auth0/compare/v5.5.0...v5.5.1)
+
+**Fixed**
+
+- fix: remove conflicting broad scheme from MainActivity to prevent Android disambiguation dialog [\#1514](https://github.com/auth0/react-native-auth0/pull/1514) ([subhankarmaiti](https://github.com/subhankarmaiti))
+- fix: filter universal link callbacks by Auth0 domain in iOS [\#1512](https://github.com/auth0/react-native-auth0/pull/1512) ([subhankarmaiti](https://github.com/subhankarmaiti))
+
 ## [v5.5.0](https://github.com/auth0/react-native-auth0/tree/v5.5.0) (2026-04-09)
 
 [Full Changelog](https://github.com/auth0/react-native-auth0/compare/v5.4.1...v5.5.0)

package.json

@@ -1,7 +1,7 @@
 {
   "name": "react-native-auth0",
   "title": "React Native Auth0",
-  "version": "5.5.0",
+  "version": "5.5.1",
   "description": "React Native toolkit for Auth0 API",
   "main": "lib/commonjs/index.js",
   "module": "lib/module/index.js",

src/core/utils/telemetry.ts

@@ -1,6 +1,6 @@
 export const telemetry = {
   name: 'react-native-auth0',
-  version: '5.5.0',
+  version: '5.5.1',
 };
 
 export type Telemetry = {

src/platforms/native/adapters/NativeWebAuthProvider.ts

@@ -44,7 +44,16 @@ export class NativeWebAuthProvider implements IWebAuthProvider {
     let linkSubscription: EmitterSubscription | null = null;
     if (Platform.OS === 'ios') {
       linkSubscription = Linking.addEventListener('url', async (event) => {
-        // This listener catches the deep link and forwards it to the native side.
+        // Only forward URLs whose hostname matches the Auth0 domain.
+        // This prevents universal links on other domains from being
+        // incorrectly treated as Auth0 callbacks (e.g. when using
+        // customScheme: 'https' alongside app-specific universal links).
+        try {
+          const url = new URL(event.url);
+          if (url.hostname !== this.domain) return;
+        } catch {
+          return;
+        }
         linkSubscription?.remove();
         await this.bridge.resumeWebAuth(event.url);
       });

src/platforms/native/adapters/__tests__/NativeWebAuthProvider.spec.ts

@@ -139,12 +139,49 @@ describe('NativeWebAuthProvider', () => {
         // We don't await this, as it would "hang" until the listener is called.
         provider.authorize({});
 
-        // Simulate the deep link event.
-        const resumeUrl = 'my-app://callback?code=123';
+        // Simulate the deep link event with a URL matching the Auth0 domain.
+        const resumeUrl = `https://${domain}/ios/com.my-app/callback?code=123`;
         await listenerCallback({ url: resumeUrl });
 
         expect(mockBridge.resumeWebAuth).toHaveBeenCalledWith(resumeUrl);
       });
+
+      it('should ignore URLs whose hostname does not match the Auth0 domain', async () => {
+        let listenerCallback: (event: { url: string }) => void = () => {};
+        const mockSubscription = { remove: jest.fn() };
+        mockAddEventListener.mockImplementation((_event, callback) => {
+          listenerCallback = callback;
+          return mockSubscription;
+        });
+
+        provider.authorize({});
+
+        // Simulate a universal link from a different domain.
+        await listenerCallback({
+          url: 'https://app.example.com/some-path',
+        });
+
+        expect(mockBridge.resumeWebAuth).not.toHaveBeenCalled();
+        // The subscription should NOT be removed, so it can still catch the real callback.
+        expect(mockSubscription.remove).not.toHaveBeenCalled();
+      });
+
+      it('should ignore URLs that cannot be parsed', async () => {
+        let listenerCallback: (event: { url: string }) => void = () => {};
+        const mockSubscription = { remove: jest.fn() };
+        mockAddEventListener.mockImplementation((_event, callback) => {
+          listenerCallback = callback;
+          return mockSubscription;
+        });
+
+        provider.authorize({});
+
+        // Simulate a malformed URL.
+        await listenerCallback({ url: 'not-a-valid-url' });
+
+        expect(mockBridge.resumeWebAuth).not.toHaveBeenCalled();
+        expect(mockSubscription.remove).not.toHaveBeenCalled();
+      });
     });
 
     it('should NOT add a Linking listener on Android', async () => {

src/plugin/__tests__/withAuth0-test.ts

@@ -213,6 +213,159 @@ describe(addAndroidAuth0Manifest, () => {
     expect(dataElement?.$['android:host']).toBe('sample.auth0.com');
   });
 
+  it(`should remove conflicting broad scheme from other activity intent filter`, () => {
+    const config = getConfig();
+    const mainApp = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      config.modResults
+    );
+    mainApp.activity = mainApp.activity || [];
+    mainApp.activity.push({
+      '$': {
+        'android:name': '.MainActivity',
+      },
+      'intent-filter': [
+        {
+          action: [{ $: { 'android:name': 'android.intent.action.VIEW' } }],
+          category: [
+            { $: { 'android:name': 'android.intent.category.DEFAULT' } },
+            {
+              $: { 'android:name': 'android.intent.category.BROWSABLE' },
+            },
+          ],
+          data: [
+            { $: { 'android:scheme': 'smtest' } },
+            { $: { 'android:scheme': 'exp+smtest' } },
+          ],
+        },
+      ],
+    } as AndroidConfig.Manifest.ManifestActivity);
+
+    const result = addAndroidAuth0Manifest(
+      [{ domain: 'sample.auth0.com', customScheme: 'smtest' }],
+      config,
+      'com.sample.app'
+    );
+
+    const mainApplication = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      result.modResults
+    );
+
+    // MainActivity should have 'smtest' removed but keep 'exp+smtest'
+    const mainActivity = mainApplication.activity?.find(
+      (a) => a.$['android:name'] === '.MainActivity'
+    );
+    const mainIntentFilter = mainActivity?.['intent-filter']?.[0];
+    const schemes = mainIntentFilter?.data?.map((d) => d.$['android:scheme']);
+    expect(schemes).toEqual(['exp+smtest']);
+    expect(schemes).not.toContain('smtest');
+
+    // RedirectActivity should still have the auth0 scheme
+    const redirectActivity = mainApplication.activity?.find(
+      (a) =>
+        a.$['android:name'] === 'com.auth0.android.provider.RedirectActivity'
+    );
+    const redirectIntentFilter = redirectActivity?.['intent-filter']?.[0];
+    const redirectData = redirectIntentFilter?.data?.[0];
+    expect(redirectData?.$['android:scheme']).toBe('smtest');
+    expect(redirectData?.$['android:host']).toBe('sample.auth0.com');
+    expect(redirectData?.$['android:pathPrefix']).toBe(
+      '/android/com.sample.app/callback'
+    );
+  });
+
+  it(`should not modify other activities when no scheme conflict exists`, () => {
+    const config = getConfig();
+    const mainApp = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      config.modResults
+    );
+    mainApp.activity = mainApp.activity || [];
+    mainApp.activity.push({
+      '$': {
+        'android:name': '.MainActivity',
+      },
+      'intent-filter': [
+        {
+          action: [{ $: { 'android:name': 'android.intent.action.VIEW' } }],
+          category: [
+            { $: { 'android:name': 'android.intent.category.DEFAULT' } },
+            {
+              $: { 'android:name': 'android.intent.category.BROWSABLE' },
+            },
+          ],
+          data: [
+            { $: { 'android:scheme': 'myapp' } },
+            { $: { 'android:scheme': 'exp+myapp' } },
+          ],
+        },
+      ],
+    } as AndroidConfig.Manifest.ManifestActivity);
+
+    const result = addAndroidAuth0Manifest(
+      [{ domain: 'sample.auth0.com', customScheme: 'smtest' }],
+      config,
+      'com.sample.app'
+    );
+
+    const mainApplication = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      result.modResults
+    );
+    const mainActivity = mainApplication.activity?.find(
+      (a) => a.$['android:name'] === '.MainActivity'
+    );
+    const mainIntentFilter = mainActivity?.['intent-filter']?.[0];
+    const schemes = mainIntentFilter?.data?.map((d) => d.$['android:scheme']);
+    expect(schemes).toEqual(['myapp', 'exp+myapp']);
+  });
+
+  it(`should not remove scheme data that has a host (specific match)`, () => {
+    const config = getConfig();
+    const mainApp = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      config.modResults
+    );
+    mainApp.activity = mainApp.activity || [];
+    mainApp.activity.push({
+      '$': {
+        'android:name': '.MainActivity',
+      },
+      'intent-filter': [
+        {
+          action: [{ $: { 'android:name': 'android.intent.action.VIEW' } }],
+          category: [
+            { $: { 'android:name': 'android.intent.category.DEFAULT' } },
+            {
+              $: { 'android:name': 'android.intent.category.BROWSABLE' },
+            },
+          ],
+          data: [
+            {
+              $: {
+                'android:scheme': 'smtest',
+                'android:host': 'myapp.example.com',
+              },
+            },
+          ],
+        },
+      ],
+    } as AndroidConfig.Manifest.ManifestActivity);
+
+    const result = addAndroidAuth0Manifest(
+      [{ domain: 'sample.auth0.com', customScheme: 'smtest' }],
+      config,
+      'com.sample.app'
+    );
+
+    const mainApplication = AndroidConfig.Manifest.getMainApplicationOrThrow(
+      result.modResults
+    );
+    const mainActivity = mainApplication.activity?.find(
+      (a) => a.$['android:name'] === '.MainActivity'
+    );
+    const mainIntentFilter = mainActivity?.['intent-filter']?.[0];
+    const schemes = mainIntentFilter?.data?.map((d) => d.$['android:scheme']);
+    // Should keep the data element because it has a host (specific match, won't cause disambiguation)
+    expect(schemes).toEqual(['smtest']);
+  });
+
   it(`should add android:autoVerify="true" when customScheme is https`, () => {
     const config = getConfig();
     const result = addAndroidAuth0Manifest(

src/plugin/withAuth0.ts

@@ -107,6 +107,31 @@ export const addAndroidAuth0Manifest = (
     let auth0Scheme =
       config.customScheme ?? applicationId + APPLICATION_ID_SUFFIX;
 
+    // Remove conflicting broad scheme handlers from other activities to prevent
+    // Android from showing a disambiguation dialog when both MainActivity and
+    // RedirectActivity handle the same scheme. This mirrors the iOS dedup logic
+    // in addIOSAuth0ConfigInInfoPList.
+    const activities = mainApplication.activity || [];
+    activities.forEach((activity) => {
+      if (
+        activity.$['android:name'] ===
+        'com.auth0.android.provider.RedirectActivity'
+      ) {
+        return;
+      }
+      const intentFilters = activity['intent-filter'] || [];
+      intentFilters.forEach((filter) => {
+        if (!filter.data) return;
+        filter.data = filter.data.filter((dataElement) => {
+          const scheme = dataElement.$?.['android:scheme'];
+          const host = dataElement.$?.['android:host'];
+          // Remove broad scheme matchers (no host) that would conflict
+          // with RedirectActivity's more specific intent filter
+          return !(scheme === auth0Scheme && !host);
+        });
+      });
+    });
+
     const dataElement = {
       $: {
         'android:scheme': auth0Scheme,