diff --git a/CHANGELOG.md b/CHANGELOG.md index d615c76bc3..21509a8acc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ All notable changes to cmux are documented here. +## [Unreleased] + +### Fixed +- Settings sign-in now opens in your default browser and displays localized error messages when sign-in fails ([#3617](https://github.com/manaflow-ai/cmux/issues/3617)) + ## [0.64.10] - 2026-05-23 ### Added diff --git a/Resources/Info.plist b/Resources/Info.plist index 4bea9049b3..e8e8de2401 100644 --- a/Resources/Info.plist +++ b/Resources/Info.plist @@ -53,19 +53,6 @@ A program running within cmux would like to use AppleScript. CFBundleURLTypes - - CFBundleTypeRole - Viewer - CFBundleURLName - $(PRODUCT_BUNDLE_IDENTIFIER).web - LSHandlerRank - Default - CFBundleURLSchemes - - http - https - - CFBundleTypeRole Viewer diff --git a/Resources/Localizable.xcstrings b/Resources/Localizable.xcstrings index e22a3a5e62..6786ce265c 100644 --- a/Resources/Localizable.xcstrings +++ b/Resources/Localizable.xcstrings @@ -120943,6 +120943,131 @@ } } }, + "settings.account.error.signInTimedOut": { + "extractionState": "manual", + "localizations": { + "ar": { + "stringUnit": { + "state": "translated", + "value": "انتهت مهلة تسجيل الدخول. حاول مرة أخرى." + } + }, + "bs": { + "stringUnit": { + "state": "translated", + "value": "Prijava je istekla. Pokušajte ponovo." + } + }, + "da": { + "stringUnit": { + "state": "translated", + "value": "Login fik timeout. Prøv igen." + } + }, + "de": { + "stringUnit": { + "state": "translated", + "value": "Die Anmeldung ist abgelaufen. Versuche es erneut." + } + }, + "en": { + "stringUnit": { + "state": "translated", + "value": "Sign in timed out. Try again." + } + }, + "es": { + "stringUnit": { + "state": "translated", + "value": "Se agotó el tiempo para iniciar sesión. Inténtalo de nuevo." + } + }, + "fr": { + "stringUnit": { + "state": "translated", + "value": "La connexion a expiré. Réessayez." + } + }, + "it": { + "stringUnit": { + "state": "translated", + "value": "Accesso scaduto. Riprova." + } + }, + "ja": { + "stringUnit": { + "state": "translated", + "value": "サインインがタイムアウトしました。もう一度お試しください。" + } + }, + "km": { + "stringUnit": { + "state": "translated", + "value": "ការចូលបានអស់ពេល។ សូមព្យាយាមម្តងទៀត។" + } + }, + "ko": { + "stringUnit": { + "state": "translated", + "value": "로그인 시간이 초과되었습니다. 다시 시도하세요." + } + }, + "nb": { + "stringUnit": { + "state": "translated", + "value": "Innloggingen tidsavbrøt. Prøv igjen." + } + }, + "pl": { + "stringUnit": { + "state": "translated", + "value": "Logowanie przekroczyło limit czasu. Spróbuj ponownie." + } + }, + "pt-BR": { + "stringUnit": { + "state": "translated", + "value": "O login expirou. Tente novamente." + } + }, + "ru": { + "stringUnit": { + "state": "translated", + "value": "Время ожидания входа истекло. Попробуйте еще раз." + } + }, + "th": { + "stringUnit": { + "state": "translated", + "value": "การลงชื่อเข้าใช้หมดเวลา ลองอีกครั้ง" + } + }, + "tr": { + "stringUnit": { + "state": "translated", + "value": "Oturum açma zaman aşımına uğradı. Tekrar deneyin." + } + }, + "uk": { + "stringUnit": { + "state": "translated", + "value": "Час очікування входу минув. Спробуйте ще раз." + } + }, + "zh-Hans": { + "stringUnit": { + "state": "translated", + "value": "登录超时。请重试。" + } + }, + "zh-Hant": { + "stringUnit": { + "state": "translated", + "value": "登入逾時。請再試一次。" + } + } + } + }, "remote.state.connected.vmNoProxy": { "extractionState": "manual", "localizations": { diff --git a/Sources/Auth/AuthCallbackRouter.swift b/Sources/Auth/AuthCallbackRouter.swift index 311c87690e..6817ff29aa 100644 --- a/Sources/Auth/AuthCallbackRouter.swift +++ b/Sources/Auth/AuthCallbackRouter.swift @@ -3,6 +3,7 @@ import Foundation struct CMUXAuthCallbackPayload: Equatable, Sendable { let refreshToken: String let accessToken: String + let state: String? } enum AuthCallbackRouter { @@ -29,10 +30,19 @@ enum AuthCallbackRouter { return CMUXAuthCallbackPayload( refreshToken: refreshToken, - accessToken: accessToken + accessToken: accessToken, + state: callbackState(in: components) ) } + static func callbackState(from url: URL) -> String? { + guard isAuthCallbackURL(url), + let components = URLComponents(url: url, resolvingAgainstBaseURL: false) else { + return nil + } + return callbackState(in: components) + } + private static func isAllowedScheme(_ scheme: String?) -> Bool { guard let normalized = scheme?.lowercased() else { return false } if normalized == "cmux" || normalized == "cmux-nightly" || normalized == "cmux-dev" { @@ -63,6 +73,11 @@ enum AuthCallbackRouter { .value } + private static func callbackState(in components: URLComponents) -> String? { + queryValue(named: "state", in: components)? + .trimmingCharacters(in: .whitespacesAndNewlines) + } + private static func decodeAccessToken(from accessCookie: String) -> String? { guard accessCookie.hasPrefix("[") else { return accessCookie diff --git a/Sources/Auth/AuthEnvironment.swift b/Sources/Auth/AuthEnvironment.swift index 71452faa15..0093873160 100644 --- a/Sources/Auth/AuthEnvironment.swift +++ b/Sources/Auth/AuthEnvironment.swift @@ -26,7 +26,20 @@ enum AuthEnvironment { } static var callbackURL: URL { - URL(string: "\(callbackScheme)://auth-callback")! + authCallbackURL() + } + + static func authCallbackURL(state: String? = nil) -> URL { + var components = URLComponents() + components.scheme = callbackScheme + components.host = "auth-callback" + if let state, + !state.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty { + components.queryItems = [ + URLQueryItem(name: "state", value: state), + ] + } + return components.url! } static var websiteOrigin: URL { @@ -191,7 +204,7 @@ enum AuthEnvironment { ) } - static func signInURL() -> URL { + static func signInURL(callbackURL: URL = AuthEnvironment.callbackURL) -> URL { // Build the after-sign-in callback URL that includes the native app return scheme. // The after-sign-in handler extracts tokens from the Stack Auth session // and redirects to the native app via the cmux:// callback scheme. diff --git a/Sources/Auth/AuthManager.swift b/Sources/Auth/AuthManager.swift index 842940a294..fa65096331 100644 --- a/Sources/Auth/AuthManager.swift +++ b/Sources/Auth/AuthManager.swift @@ -1,5 +1,4 @@ import AppKit -import AuthenticationServices import CMUXAuthCore import Foundation import os @@ -8,36 +7,17 @@ import StackAuth import Security #endif -private final class AuthPresentationContext: NSObject, ASWebAuthenticationPresentationContextProviding { - static let shared = AuthPresentationContext() - - func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { - // ASWebAuthenticationSession invokes this on whichever thread called - // session.start(). When beginSignIn() fires from the socket command - // dispatch thread (cmux auth login), this callback lands off-main, - // and any NSApp access must hop to main before returning. - if Thread.isMainThread { - return Self.currentAnchor() - } - var result: ASPresentationAnchor = NSWindow() - DispatchQueue.main.sync { - result = Self.currentAnchor() - } - return result - } - - @MainActor - private static func currentAnchor() -> ASPresentationAnchor { - NSApp.keyWindow ?? NSApp.mainWindow ?? (NSApp.windows.first ?? NSWindow()) - } -} - enum AuthManagerError: LocalizedError { case invalidCallback case missingAccessToken case missingRefreshToken + case signInTimedOut var errorDescription: String? { + userFacingMessage + } + + var userFacingMessage: String { switch self { case .invalidCallback: return String( @@ -54,6 +34,11 @@ enum AuthManagerError: LocalizedError { localized: "settings.account.error.missingRefreshToken", defaultValue: "Account refresh token is unavailable." ) + case .signInTimedOut: + return String( + localized: "settings.account.error.signInTimedOut", + defaultValue: "Sign in timed out. Try again." + ) } } } @@ -159,6 +144,7 @@ final class AuthManager: ObservableObject { @Published private(set) var isLoading = false @Published private(set) var isRestoringSession = false @Published private(set) var didCompleteBrowserSignIn = false + @Published private(set) var lastSignInError: AuthManagerError? @Published var selectedTeamID: String? { didSet { guard selectedTeamID != oldValue else { return } @@ -170,6 +156,10 @@ final class AuthManager: ObservableObject { Self.resolveTeamID(selectedTeamID: selectedTeamID, teams: availableTeams) } + var userFacingSignInErrorMessage: String? { + lastSignInError?.userFacingMessage + } + let requiresAuthenticationGate = false private let client: any AuthClientProtocol @@ -214,10 +204,12 @@ final class AuthManager: ObservableObject { } private var loginPollTask: Task? - private var webAuthSession: ASWebAuthenticationSession? + private var browserSignInTimeoutTask: Task? private var nextBrowserSignInAttemptID: UInt64 = 0 private var activeBrowserSignInAttemptID: UInt64? + private var activeBrowserSignInAttemptState: String? private var signOutCancelledBrowserSignInAttemptID: UInt64? + private var signOutCancelledBrowserSignInAttemptState: String? private var authMutationGeneration: UInt64 = 0 private var currentAuthMutationKind: AuthMutationKind? @@ -228,75 +220,47 @@ final class AuthManager: ObservableObject { } #if DEBUG - func markBrowserSignInLoadingForTesting() { - _ = startBrowserSignInAttempt() + @discardableResult + func markBrowserSignInLoadingForTesting(state: String = "test") -> String { + _ = startBrowserSignInAttempt(state: state) + return state } #endif - func beginSignIn() { + func beginSignIn(timeout: TimeInterval = 300) { + lastSignInError = nil loginPollTask?.cancel() - webAuthSession?.cancel() - webAuthSession = nil - let attemptID = startBrowserSignInAttempt() - - let signInURL = AuthEnvironment.signInURL() - let callbackScheme = AuthEnvironment.callbackScheme - - let session = ASWebAuthenticationSession( - url: signInURL, - callbackURLScheme: callbackScheme - ) { [weak self] callbackURL, error in - Task { @MainActor [weak self] in - guard let self else { return } - guard self.isCurrentBrowserSignInAttempt(attemptID) else { return } - defer { - self.finishBrowserSignInAttempt(attemptID) - } - if let error { - self.authLog("auth.webauth failed: \(error)") - return - } - guard let callbackURL else { return } - let callbackPayload = AuthCallbackRouter.callbackPayload(from: callbackURL) - do { - try await self.handleCallbackURL(callbackURL) - if self.signOutCancelledBrowserSignInAttemptID == attemptID, - self.activeBrowserSignInAttemptID == nil, - let callbackPayload { - let didClear = await self.tokenStore.clearTokensIfCurrent( - accessToken: callbackPayload.accessToken, - refreshToken: callbackPayload.refreshToken - ) - if didClear { - self.clearSessionState(clearSelectedTeam: true) - } - self.signOutCancelledBrowserSignInAttemptID = nil - } - } catch { - self.authLog("auth.webauth callback failed: \(error)") - } - } - } - session.presentationContextProvider = AuthPresentationContext.shared - session.prefersEphemeralWebBrowserSession = false + let signInState = UUID().uuidString + let callbackURL = AuthEnvironment.authCallbackURL(state: signInState) + let signInURL = AuthEnvironment.signInURL(callbackURL: callbackURL) + let attemptID = startBrowserSignInAttempt(state: signInState) + scheduleBrowserSignInTimeout(attemptID: attemptID, timeout: timeout) + authLog("auth.browserSignIn begin url=\(Self.redactedURLDescription(signInURL))") + urlOpener(signInURL) + } - if session.start() { - webAuthSession = session - } else { - authLog("auth.webauth: session.start() returned false") - finishBrowserSignInAttempt(attemptID) - } + func markBrowserSignInTimedOut() { + guard let attemptID = activeBrowserSignInAttemptID else { return } + lastSignInError = .signInTimedOut + finishBrowserSignInAttempt(attemptID) } - /// Starts the ASWebAuthenticationSession popup and awaits the user's - /// completion by observing isAuthenticated AND isLoading. Resolves when - /// authenticated, when the sign-in attempt settles unsuccessfully (popup - /// dismissed/cancelled/error), or when the deadline elapses. No polling - /// — the $isAuthenticated / $isLoading AsyncPublishers drive the wait. + /// Opens the sign-in page in the user's default browser and awaits the deep-link callback. + /// Resolves when authenticated, when the sign-in attempt settles unsuccessfully, + /// or when the deadline elapses. No polling — the $isAuthenticated / + /// $isLoading AsyncPublishers drive the wait. func beginSignInAndAwait(timeout: TimeInterval) async -> Bool { if isAuthenticated { return true } - beginSignIn() - return await waitForSignInSettled(timeout: timeout) + beginSignIn(timeout: timeout) + if !isLoading { return isAuthenticated } + let signedIn = await waitForSignInSettled(timeout: timeout) + if signedIn || isAuthenticated { + return true + } + if isLoading { + markBrowserSignInTimedOut() + } + return isAuthenticated } /// Signs out and awaits the state to flip. signOut() is already async and @@ -319,9 +283,8 @@ final class AuthManager: ObservableObject { } group.addTask { @MainActor [weak self] in guard let self else { return false } - // Wait for isLoading to flip false after we started the - // popup. If authentication hasn't succeeded by then the - // user cancelled/errored and we can resolve early. + // Wait for isLoading to flip false after the browser sign-in starts. + // If authentication hasn't succeeded by then the attempt failed or timed out. for await loading in self.$isLoading.values { if !loading && !self.isAuthenticated { return false } if self.isAuthenticated { return true } @@ -455,13 +418,42 @@ final class AuthManager: ObservableObject { } func handleCallbackURL(_ url: URL) async throws { - guard let payload = AuthCallbackRouter.callbackPayload(from: url) else { - throw AuthManagerError.invalidCallback + let browserSignInAttemptID = activeBrowserSignInAttemptID + let callbackState = AuthCallbackRouter.callbackState(from: url) + let callbackPayload = AuthCallbackRouter.callbackPayload(from: url) + + if let cancelledState = signOutCancelledBrowserSignInAttemptState, + callbackState == cancelledState { + signOutCancelledBrowserSignInAttemptID = nil + signOutCancelledBrowserSignInAttemptState = nil + authLog("auth.browserSignIn ignored callback cancelledBySignOut state=\(callbackState ?? "nil")") + return } - let mutationGeneration = beginAuthMutation(.signIn) - isLoading = true - defer { isLoading = false } + guard let activeState = activeBrowserSignInAttemptState else { + authLog("auth.browserSignIn ignored callback without active attempt state=\(callbackState ?? "nil")") + return + } + + guard callbackState == activeState else { + authLog("auth.browserSignIn ignored stale callback state=\(callbackState ?? "nil") activeState=\(activeBrowserSignInAttemptState ?? "nil")") + return + } + + guard let payload = callbackPayload else { + let error = AuthManagerError.invalidCallback + if let browserSignInAttemptID { + lastSignInError = error + finishBrowserSignInAttempt(browserSignInAttemptID) + } + throw error + } + defer { + if let browserSignInAttemptID { + finishBrowserSignInAttempt(browserSignInAttemptID) + } + } + let mutationGeneration = beginAuthMutation(.signIn) await tokenStore.seed( accessToken: payload.accessToken, @@ -484,6 +476,11 @@ final class AuthManager: ObservableObject { refreshToken: payload.refreshToken ) return + } catch { + if isCurrentAuthMutation(mutationGeneration), browserSignInAttemptID != nil { + lastSignInError = error as? AuthManagerError ?? .invalidCallback + } + throw error } guard await keepAuthMutationIfCurrent( mutationGeneration, @@ -493,6 +490,7 @@ final class AuthManager: ObservableObject { return } didCompleteBrowserSignIn = true + lastSignInError = nil } func seedTokensFromCLI(refreshToken: String, accessToken: String?) async { @@ -520,6 +518,7 @@ final class AuthManager: ObservableObject { lastKnownAccessToken = resolvedAccess do { try await refreshSession() + lastSignInError = nil authLog("seedTokensFromCLI: success user=\(currentUser?.primaryEmail ?? "nil")") } catch { authLog("seedTokensFromCLI: refreshSession failed: \(error)") @@ -577,6 +576,7 @@ final class AuthManager: ObservableObject { } func applySignInResult(_ result: SignInResult) { + lastSignInError = nil // Cache access token for fast synchronous reads lastKnownAccessToken = result.accessToken // Store tokens in keychain (fire-and-forget) @@ -597,6 +597,7 @@ final class AuthManager: ObservableObject { func signInWithCredential(email: String, password: String) async throws { authLog("signInWithCredential: email=\(email)") + lastSignInError = nil isLoading = true defer { isLoading = false } @@ -658,9 +659,11 @@ final class AuthManager: ObservableObject { selectedTeamID = Self.resolveTeamID(selectedTeamID: selectedTeamID, teams: teams) authLog("signInWithCredential: success user=\(user.primaryEmail ?? "nil") teams=\(teams.count) teamID=\(selectedTeamID ?? "nil")") didCompleteBrowserSignIn = true + lastSignInError = nil } func signOut() async { + lastSignInError = nil let signOutGeneration = beginAuthMutation(.signOut) cancelBrowserSignInForSignOut() let accessTokenAtSignOut = await tokenStore.currentAccessToken() @@ -749,7 +752,7 @@ final class AuthManager: ObservableObject { let redactedMessage = redactedAuthLogMessage(message) authLogger.log(level: authLogType(for: redactedMessage), "\(redactedMessage, privacy: .public)") #if DEBUG - let line = "[\(Self.logTimestampFormatter.string(from: Date()))] auth: \(redactedMessage)\n" + let line = "[\(Self.logTimestampString())] auth: \(redactedMessage)\n" let path = authDebugLogPath if let handle = FileHandle(forWritingAtPath: path) { handle.seekToEndOfFile() @@ -795,19 +798,43 @@ final class AuthManager: ObservableObject { return redacted } + /// Renders URL structure for auth diagnostics without logging token-bearing query values. + nonisolated static func redactedURLDescription(_ url: URL) -> String { + let scheme = url.scheme ?? "nil" + let host = url.host ?? "" + let portPart = url.port.map { ":\($0)" } ?? "" + let path = url.path + let queryItems = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems ?? [] + let keysSummary = queryItems + .map { "\($0.name)(\($0.value?.count ?? 0))" } + .joined(separator: ",") + let queryPart = keysSummary.isEmpty ? "" : "?[\(keysSummary)]" + let fragmentPart = url.fragment.flatMap { $0.isEmpty ? nil : " #len=\($0.count)" } ?? "" + return "\(scheme)://\(host)\(portPart)\(path)\(queryPart)\(fragmentPart)" + } + #if DEBUG nonisolated static func redactedAuthLogMessageForTesting(_ message: String) -> String { redactedAuthLogMessage(message) } #endif - // ISO8601DateFormatter is expensive to construct (calendar + locale + - // time zone). Reuse one instance across the high-frequency authLog path. - private static let logTimestampFormatter: ISO8601DateFormatter = { - let f = ISO8601DateFormatter() - f.formatOptions = [.withInternetDateTime] - return f - }() + // ISO8601DateFormatter is expensive to construct and is not Sendable. + // Keep one formatter per thread so DEBUG auth logging stays off the main actor. + private nonisolated static func logTimestampString() -> String { + let key = "cmux.auth.logTimestampFormatter" + let dictionary = Thread.current.threadDictionary + let formatter: ISO8601DateFormatter + if let cachedFormatter = dictionary[key] as? ISO8601DateFormatter { + formatter = cachedFormatter + } else { + let newFormatter = ISO8601DateFormatter() + newFormatter.formatOptions = [.withInternetDateTime] + dictionary[key] = newFormatter + formatter = newFormatter + } + return formatter.string(from: Date()) + } private func authLog(_ message: String) { Self.authLog(message) @@ -849,6 +876,7 @@ final class AuthManager: ObservableObject { currentUser = nil isAuthenticated = false didCompleteBrowserSignIn = false + lastSignInError = nil if clearSelectedTeam { selectedTeamID = nil } @@ -892,13 +920,13 @@ final class AuthManager: ObservableObject { return false } - private func startBrowserSignInAttempt() -> UInt64 { + private func startBrowserSignInAttempt(state: String) -> UInt64 { nextBrowserSignInAttemptID &+= 1 let attemptID = nextBrowserSignInAttemptID activeBrowserSignInAttemptID = attemptID - if signOutCancelledBrowserSignInAttemptID == attemptID { - signOutCancelledBrowserSignInAttemptID = nil - } + activeBrowserSignInAttemptState = state + signOutCancelledBrowserSignInAttemptID = nil + signOutCancelledBrowserSignInAttemptState = nil isLoading = true return attemptID } @@ -908,23 +936,42 @@ final class AuthManager: ObservableObject { && signOutCancelledBrowserSignInAttemptID != attemptID } + private func scheduleBrowserSignInTimeout(attemptID: UInt64, timeout: TimeInterval) { + browserSignInTimeoutTask?.cancel() + let maxSeconds: Double = 24 * 60 * 60 + let clamped = max(0, min(timeout, maxSeconds)) + browserSignInTimeoutTask = Task { @MainActor [weak self] in + try? await Task.sleep(nanoseconds: UInt64(clamped * 1_000_000_000)) + guard !Task.isCancelled, let self, self.isCurrentBrowserSignInAttempt(attemptID) else { + return + } + self.lastSignInError = .signInTimedOut + self.finishBrowserSignInAttempt(attemptID) + } + } + private func finishBrowserSignInAttempt(_ attemptID: UInt64) { guard activeBrowserSignInAttemptID == attemptID else { return } + browserSignInTimeoutTask?.cancel() + browserSignInTimeoutTask = nil isLoading = false - webAuthSession = nil activeBrowserSignInAttemptID = nil + activeBrowserSignInAttemptState = nil if signOutCancelledBrowserSignInAttemptID == attemptID { signOutCancelledBrowserSignInAttemptID = nil + signOutCancelledBrowserSignInAttemptState = nil } } private func cancelBrowserSignInForSignOut() { + browserSignInTimeoutTask?.cancel() + browserSignInTimeoutTask = nil if let attemptID = activeBrowserSignInAttemptID { signOutCancelledBrowserSignInAttemptID = attemptID + signOutCancelledBrowserSignInAttemptState = activeBrowserSignInAttemptState } activeBrowserSignInAttemptID = nil - webAuthSession?.cancel() - webAuthSession = nil + activeBrowserSignInAttemptState = nil isLoading = false } @@ -952,9 +999,8 @@ final class AuthManager: ObservableObject { } // Open in the user's actual default browser. urlsForApplications(toOpen:) // returns candidates in LaunchServices priority order (user's chosen - // default first). Skip cmux itself, since Info.plist advertises http/https - // at LSHandlerRank=Default and otherwise the app could re-open the URL in - // its own embedded WebView. + // default first). Skip cmux itself defensively so old LaunchServices + // registrations cannot route the auth URL back into this app. let ownBundleIDs: Set = { var ids: Set = [] if let id = Bundle.main.bundleIdentifier { ids.insert(id) } diff --git a/Sources/cmuxApp.swift b/Sources/cmuxApp.swift index 464e599551..87e97a2280 100644 --- a/Sources/cmuxApp.swift +++ b/Sources/cmuxApp.swift @@ -8363,25 +8363,33 @@ private struct AuthSettingsRow: View { @ObservedObject var authManager: AuthManager var body: some View { - HStack(alignment: .center, spacing: 12) { - VStack(alignment: .leading, spacing: 2) { - Text(titleText) - .font(.system(size: 13, weight: .medium)) - if let subtitle = subtitleText { - Text(subtitle) - .font(.system(size: 11)) - .foregroundColor(.secondary) + VStack(alignment: .leading, spacing: 6) { + HStack(alignment: .center, spacing: 12) { + VStack(alignment: .leading, spacing: 2) { + Text(titleText) + .font(.system(size: 13, weight: .medium)) + if let subtitle = subtitleText { + Text(subtitle) + .font(.system(size: 11)) + .foregroundColor(.secondary) + } } + Spacer(minLength: 12) + if authManager.isLoading || authManager.isRestoringSession { + ProgressView().controlSize(.small) + } + Button(action: buttonAction) { + Text(buttonTitle) + } + .controlSize(.small) + .disabled(buttonIsDisabled) } - Spacer(minLength: 12) - if authManager.isLoading || authManager.isRestoringSession { - ProgressView().controlSize(.small) - } - Button(action: buttonAction) { - Text(buttonTitle) + + if let errorMessage = authManager.userFacingSignInErrorMessage { + Text(errorMessage) + .font(.system(size: 11)) + .foregroundColor(.red) } - .controlSize(.small) - .disabled(authManager.isLoading || authManager.isRestoringSession) } .padding(.horizontal, 14) .padding(.vertical, 10) @@ -8426,6 +8434,10 @@ private struct AuthSettingsRow: View { ) } + private var buttonIsDisabled: Bool { + authManager.isRestoringSession || authManager.isLoading + } + private func buttonAction() { if authManager.isAuthenticated { Task { @MainActor in diff --git a/cmux.xcodeproj/project.pbxproj b/cmux.xcodeproj/project.pbxproj index dd5a6a2bf2..d27981d500 100644 --- a/cmux.xcodeproj/project.pbxproj +++ b/cmux.xcodeproj/project.pbxproj @@ -37,6 +37,7 @@ 36CE99ED050785B5E96B72BB /* AuthCallbackRouter.swift in Sources */ = {isa = PBXBuildFile; fileRef = 61A19A4145F034965110CF87 /* AuthCallbackRouter.swift */; }; D9FEC58D5BACCF76459F1BBE /* AuthEnvironment.swift in Sources */ = {isa = PBXBuildFile; fileRef = 43430FA5929121E2EAAB3091 /* AuthEnvironment.swift */; }; 350DAC5EBD38642A3E81471A /* AuthManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = 312DE7503B4658DD173121B8 /* AuthManager.swift */; }; + A36170100000000000000001 /* AuthManagerExternalBrowserSignInTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = A36170100000000000000002 /* AuthManagerExternalBrowserSignInTests.swift */; }; 698944F99A6ADFBA24A7BFB9 /* AuthSettingsStore.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5B1EA8948C5F126FE63CFB4E /* AuthSettingsStore.swift */; }; B9000012A1B2C3D4E5F60719 /* AutomationSocketUITests.swift in Sources */ = {isa = PBXBuildFile; fileRef = B9000011A1B2C3D4E5F60719 /* AutomationSocketUITests.swift */; }; C0DE35860000000000000001 /* BackgroundWorkspacePrimeCoordinator.swift in Sources */ = {isa = PBXBuildFile; fileRef = C0DE35860000000000000002 /* BackgroundWorkspacePrimeCoordinator.swift */; }; @@ -631,6 +632,7 @@ 61A19A4145F034965110CF87 /* AuthCallbackRouter.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = AuthCallbackRouter.swift; sourceTree = ""; }; 43430FA5929121E2EAAB3091 /* AuthEnvironment.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = AuthEnvironment.swift; sourceTree = ""; }; 312DE7503B4658DD173121B8 /* AuthManager.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = AuthManager.swift; sourceTree = ""; }; + A36170100000000000000002 /* AuthManagerExternalBrowserSignInTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AuthManagerExternalBrowserSignInTests.swift; sourceTree = ""; }; 5B1EA8948C5F126FE63CFB4E /* AuthSettingsStore.swift */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = sourcecode.swift; path = AuthSettingsStore.swift; sourceTree = ""; }; B9000011A1B2C3D4E5F60719 /* AutomationSocketUITests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AutomationSocketUITests.swift; sourceTree = ""; }; C0DE35860000000000000002 /* BackgroundWorkspacePrimeCoordinator.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BackgroundWorkspacePrimeCoordinator.swift; sourceTree = ""; }; @@ -1656,6 +1658,7 @@ F6355601A1B2C3D4E5F60718 /* SSHStartupSignalLifecycleTests.swift */, F6120001A1B2C3D4E5F60718 /* WorkspaceSSHFishShellTests.swift */, F7000001A1B2C3D4E5F60718 /* WorkspaceContentViewVisibilityTests.swift */, + A36170100000000000000002 /* AuthManagerExternalBrowserSignInTests.swift */, F8000001A1B2C3D4E5F60718 /* SocketControlPasswordStoreTests.swift */, F9000001A1B2C3D4E5F60718 /* GhosttyEnsureFocusWindowActivationTests.swift */, F1C1AA20B7E84D10A1C10001 /* InactivePaneFirstClickFocusTests.swift */, @@ -2446,6 +2449,7 @@ C34670010000000000000001 /* AppDelegateRenameShortcutContextTests.swift in Sources */, F6000000A1B2C3D4E5F60718 /* AppDelegateShortcutRoutingTests.swift in Sources */, A11EAA000000000000000000 /* AppearanceSettingsTests.swift in Sources */, + A36170100000000000000001 /* AuthManagerExternalBrowserSignInTests.swift in Sources */, D3622000A1B2C3D4E5F60718 /* BrowserArrowKeyForwardingTests.swift in Sources */, E12E88F82733EC42F32C36A3 /* BrowserConfigTests.swift in Sources */, A5008381 /* BrowserFindJavaScriptTests.swift in Sources */, diff --git a/cmuxTests/AuthManagerExternalBrowserSignInTests.swift b/cmuxTests/AuthManagerExternalBrowserSignInTests.swift new file mode 100644 index 0000000000..9548a51a2e --- /dev/null +++ b/cmuxTests/AuthManagerExternalBrowserSignInTests.swift @@ -0,0 +1,185 @@ +import Foundation +import Testing +import CMUXAuthCore + +#if canImport(cmux_DEV) +@testable import cmux_DEV +#elseif canImport(cmux) +@testable import cmux +#endif + +@MainActor +@Suite +struct AuthManagerExternalBrowserSignInTests { + @Test + func beginSignInOpensSignInURLThroughInjectedBrowserOpener() async throws { + let suiteName = "AuthManagerExternalBrowserSignInTests.\(UUID().uuidString)" + let defaults = try #require(UserDefaults(suiteName: suiteName)) + defer { defaults.removePersistentDomain(forName: suiteName) } + + var openedURL: URL? + let manager = AuthManager( + client: AuthManagerExternalBrowserSignInTestClient(), + tokenStore: AuthManagerExternalBrowserSignInTestTokenStore(), + settingsStore: AuthSettingsStore(userDefaults: defaults), + urlOpener: { url in + openedURL = url + } + ) + await manager.awaitBootstrapped() + + manager.beginSignIn() + let isLoadingAfterBegin = manager.isLoading + await manager.signOut() + + let url = try #require(openedURL) + #expect(url.path == "/handler/sign-in") + + let components = try #require(URLComponents(url: url, resolvingAgainstBaseURL: false)) + let afterAuthReturnTo = try #require( + components.queryItems?.first { $0.name == "after_auth_return_to" }?.value + ) + #expect(afterAuthReturnTo.contains("native_app_return_to=")) + #expect(afterAuthReturnTo.contains("auth-callback")) + #expect(afterAuthReturnTo.contains("state=")) + #expect(isLoadingAfterBegin) + } + + @Test + func beginSignInTimesOutWhenBrowserCallbackDoesNotReturn() async throws { + let suiteName = "AuthManagerExternalBrowserSignInTests.\(UUID().uuidString)" + let defaults = try #require(UserDefaults(suiteName: suiteName)) + defer { defaults.removePersistentDomain(forName: suiteName) } + + let manager = AuthManager( + client: AuthManagerExternalBrowserSignInTestClient(), + tokenStore: AuthManagerExternalBrowserSignInTestTokenStore(), + settingsStore: AuthSettingsStore(userDefaults: defaults), + urlOpener: { _ in } + ) + await manager.awaitBootstrapped() + + manager.beginSignIn(timeout: 0) + try await Task.sleep(nanoseconds: 20_000_000) + + #expect(!manager.isLoading) + #expect(manager.userFacingSignInErrorMessage == AuthManagerError.signInTimedOut.userFacingMessage) + } + + @Test + func stateBearingCallbackAfterTimeoutIsIgnored() async throws { + let suiteName = "AuthManagerExternalBrowserSignInTests.\(UUID().uuidString)" + let defaults = try #require(UserDefaults(suiteName: suiteName)) + defer { defaults.removePersistentDomain(forName: suiteName) } + + var openedURL: URL? + let tokenStore = AuthManagerExternalBrowserSignInTestTokenStore() + let manager = AuthManager( + client: AuthManagerExternalBrowserSignInTestClient(), + tokenStore: tokenStore, + settingsStore: AuthSettingsStore(userDefaults: defaults), + urlOpener: { url in + openedURL = url + } + ) + await manager.awaitBootstrapped() + + manager.beginSignIn(timeout: 0) + let signInURL = try #require(openedURL) + let state = try #require(callbackState(fromSignInURL: signInURL)) + try await Task.sleep(nanoseconds: 20_000_000) + + let staleCallbackURL = try #require( + URL(string: "cmux://auth-callback?stack_refresh=refresh&stack_access=access&state=\(state)") + ) + try await manager.handleCallbackURL(staleCallbackURL) + + #expect(!manager.isAuthenticated) + #expect(await tokenStore.getStoredAccessToken() == nil) + #expect(await tokenStore.getStoredRefreshToken() == nil) + } + + @Test + func statelessCallbackWithoutActiveAttemptIsIgnored() async throws { + let suiteName = "AuthManagerExternalBrowserSignInTests.\(UUID().uuidString)" + let defaults = try #require(UserDefaults(suiteName: suiteName)) + defer { defaults.removePersistentDomain(forName: suiteName) } + + let tokenStore = AuthManagerExternalBrowserSignInTestTokenStore() + let manager = AuthManager( + client: AuthManagerExternalBrowserSignInTestClient(), + tokenStore: tokenStore, + settingsStore: AuthSettingsStore(userDefaults: defaults), + urlOpener: { _ in } + ) + await manager.awaitBootstrapped() + + let callbackURL = try #require( + URL(string: "cmux://auth-callback?stack_refresh=refresh&stack_access=access") + ) + try await manager.handleCallbackURL(callbackURL) + + #expect(!manager.isAuthenticated) + #expect(await tokenStore.getStoredAccessToken() == nil) + #expect(await tokenStore.getStoredRefreshToken() == nil) + } + + private func callbackState(fromSignInURL url: URL) -> String? { + let signInComponents = URLComponents(url: url, resolvingAgainstBaseURL: false) + let afterAuthReturnTo = signInComponents?.queryItems? + .first { $0.name == "after_auth_return_to" }? + .value + let afterAuthComponents = afterAuthReturnTo.flatMap { + URLComponents(string: $0) + } + let nativeReturnTo = afterAuthComponents?.queryItems? + .first { $0.name == "native_app_return_to" }? + .value + let nativeComponents = nativeReturnTo.flatMap { + URLComponents(string: $0) + } + return nativeComponents?.queryItems? + .first { $0.name == "state" }? + .value + } +} + +private struct AuthManagerExternalBrowserSignInTestClient: AuthClientProtocol { + func currentUser() async throws -> CMUXAuthUser? { nil } + func listTeams() async throws -> [AuthTeamSummary] { [] } + func currentAccessToken() async throws -> String? { nil } + func signOut() async throws {} +} + +private actor AuthManagerExternalBrowserSignInTestTokenStore: StackAuthTokenStoreProtocol { + private var accessToken: String? + private var refreshToken: String? + + func getStoredAccessToken() async -> String? { + accessToken + } + + func getStoredRefreshToken() async -> String? { + refreshToken + } + + func setTokens(accessToken: String?, refreshToken: String?) async { + self.accessToken = accessToken + self.refreshToken = refreshToken + } + + func clearTokens() async { + accessToken = nil + refreshToken = nil + } + + func compareAndSet( + compareRefreshToken: String, + newRefreshToken: String?, + newAccessToken: String? + ) async { + guard refreshToken == compareRefreshToken else { return } + refreshToken = newRefreshToken + accessToken = newAccessToken + } +} diff --git a/cmuxTests/SocketControlPasswordStoreTests.swift b/cmuxTests/SocketControlPasswordStoreTests.swift index fef69a4ce9..aad9e46953 100644 --- a/cmuxTests/SocketControlPasswordStoreTests.swift +++ b/cmuxTests/SocketControlPasswordStoreTests.swift @@ -307,7 +307,10 @@ final class AuthManagerSignOutTests: XCTestCase { await manager.awaitBootstrapped() await tokenStore.suspendNextSetTokens() - let callbackURL = try XCTUnwrap(URL(string: "cmux://auth-callback?stack_refresh=refresh-after-signout&stack_access=access-after-signout")) + let signInState = manager.markBrowserSignInLoadingForTesting(state: UUID().uuidString) + let callbackURL = try XCTUnwrap(URL( + string: "cmux://auth-callback?stack_refresh=refresh-after-signout&stack_access=access-after-signout&state=\(signInState)" + )) let callbackTask = Task { @MainActor in try await manager.handleCallbackURL(callbackURL) } @@ -354,7 +357,10 @@ final class AuthManagerSignOutTests: XCTestCase { } await client.waitForSignOutStarted() - let callbackURL = try XCTUnwrap(URL(string: "cmux://auth-callback?stack_refresh=new-refresh&stack_access=new-access")) + let signInState = manager.markBrowserSignInLoadingForTesting(state: UUID().uuidString) + let callbackURL = try XCTUnwrap(URL( + string: "cmux://auth-callback?stack_refresh=new-refresh&stack_access=new-access&state=\(signInState)" + )) try await manager.handleCallbackURL(callbackURL) await client.resumeSignOut() await signOutTask.value diff --git a/web/app/handler/after-sign-in/OpenNativeClient.tsx b/web/app/handler/after-sign-in/OpenNativeClient.tsx index 19c68a27e0..0b44f7273b 100644 --- a/web/app/handler/after-sign-in/OpenNativeClient.tsx +++ b/web/app/handler/after-sign-in/OpenNativeClient.tsx @@ -1,6 +1,12 @@ "use client"; +import { useEffect } from "react"; + export function OpenNativeClient({ href }: { href: string }) { + useEffect(() => { + window.location.assign(href); + }, [href]); + return (
value.startsWith(scheme)); +} + +export function nativeAuthCallbackForReturnTo( + value: string | null | undefined, +): string | null { + const scheme = NATIVE_SCHEMES.find((candidate) => + value?.startsWith(candidate), + ); + if (!scheme) return null; + + const callback = new URL(`${scheme}${NATIVE_AUTH_CALLBACK_TARGET}`); + try { + const source = new URL(value ?? ""); + const state = source.searchParams.get("state"); + if (state) callback.searchParams.set("state", state); + } catch {} + return callback.toString(); +} + +export type NativeHandoffArgs = { + refreshToken: string | undefined; + accessToken: string | undefined; +}; + +export function shouldEmitNativeHandoff(args: NativeHandoffArgs): boolean { + return Boolean(args.refreshToken && args.accessToken); +} diff --git a/web/app/handler/after-sign-in/page.tsx b/web/app/handler/after-sign-in/page.tsx index 13fa2d17c6..720f87ceb2 100644 --- a/web/app/handler/after-sign-in/page.tsx +++ b/web/app/handler/after-sign-in/page.tsx @@ -3,38 +3,43 @@ import { notFound, redirect } from "next/navigation"; import { stackServerApp } from "../../lib/stack"; import { env } from "../../env"; import { OpenNativeClient } from "./OpenNativeClient"; +import { + nativeAuthCallbackForReturnTo, + shouldEmitNativeHandoff, +} from "./native-handoff"; export const dynamic = "force-dynamic"; -const NATIVE_SCHEME = "cmux://"; -const NATIVE_SCHEMES = [NATIVE_SCHEME, "cmux-nightly://", "cmux-dev://"]; - function findStackCookie( cookieStore: { getAll: () => { name: string; value: string }[] }, - baseName: string + baseName: string, ): string | undefined { const all = cookieStore.getAll(); for (const prefix of ["__Host-", "__Secure-", ""]) { const withBranch = all.find( - (c) => c.name.startsWith(`${prefix}${baseName}--`) && c.value + (c) => c.name.startsWith(`${prefix}${baseName}--`) && c.value, ); if (withBranch) return withBranch.value; - const exact = all.find( - (c) => c.name === `${prefix}${baseName}` && c.value - ); + const exact = all.find((c) => c.name === `${prefix}${baseName}` && c.value); if (exact) return exact.value; } return undefined; } -function decodeAccessCookie(value: string | undefined): { refreshToken?: string; accessToken?: string } { +function decodeAccessCookie(value: string | undefined): { + refreshToken?: string; + accessToken?: string; +} { if (!value) return {}; const decoded = value.includes("%") ? decodeURIComponent(value) : value; if (!decoded.startsWith("[")) return { accessToken: decoded }; try { const arr = JSON.parse(decoded) as unknown[]; if (Array.isArray(arr) && arr.length >= 2) { - return { refreshToken: arr[0] as string, accessToken: arr[1] as string }; + return { + refreshToken: arr[0] as string, + accessToken: arr[1] as string, + }; } } catch {} return {}; @@ -52,19 +57,18 @@ function decodeRefreshCookie(value: string | undefined): string | undefined { } function buildNativeHref( - baseHref: string | null, + baseHref: string, refreshToken: string | undefined, - accessCookie: string | undefined + accessCookie: string | undefined, ): string | null { - if (!refreshToken || !accessCookie) return baseHref; - const href = baseHref ?? `${NATIVE_SCHEME}auth-callback`; + if (!refreshToken || !accessCookie) return null; try { - const url = new URL(href); + const url = new URL(baseHref); url.searchParams.set("stack_refresh", refreshToken); url.searchParams.set("stack_access", accessCookie); return url.toString(); } catch { - return `${NATIVE_SCHEME}auth-callback?stack_refresh=${encodeURIComponent(refreshToken)}&stack_access=${encodeURIComponent(accessCookie)}`; + return null; } } @@ -72,7 +76,9 @@ type Props = { searchParams?: Promise>; }; -export default async function AfterSignInPage({ searchParams: searchParamsPromise }: Props) { +export default async function AfterSignInPage({ + searchParams: searchParamsPromise, +}: Props) { const projectId = env.NEXT_PUBLIC_STACK_PROJECT_ID; if (!stackServerApp || !projectId) notFound(); @@ -85,13 +91,19 @@ export default async function AfterSignInPage({ searchParams: searchParamsPromis let refreshToken = parsedAccess.refreshToken ?? parsedRefresh; let accessToken = parsedAccess.accessToken; - let accessCookie = rawAccessCookie ? (rawAccessCookie.includes("%") ? decodeURIComponent(rawAccessCookie) : rawAccessCookie) : undefined; + let accessCookie = rawAccessCookie + ? rawAccessCookie.includes("%") + ? decodeURIComponent(rawAccessCookie) + : rawAccessCookie + : undefined; // Create a fresh session to get valid tokens for the native app try { const user = await stackServerApp.getUser({ or: "return-null" }); if (user) { - const session = await user.createSession({ expiresInMillis: 30 * 24 * 60 * 60 * 1000 }); + const session = await user.createSession({ + expiresInMillis: 30 * 24 * 60 * 60 * 1000, + }); const tokens = await session.getTokens(); if (tokens.refreshToken) refreshToken = tokens.refreshToken; if (tokens.accessToken) accessToken = tokens.accessToken; @@ -105,37 +117,32 @@ export default async function AfterSignInPage({ searchParams: searchParamsPromis } const searchParams = await searchParamsPromise; - const nativeReturnTo = typeof searchParams?.native_app_return_to === "string" - ? searchParams.native_app_return_to - : null; + const nativeReturnTo = + typeof searchParams?.native_app_return_to === "string" + ? searchParams.native_app_return_to + : null; // Native app deep link. Only emit the handoff when both tokens are // available; otherwise the OpenNativeClient would launch cmux with an empty // auth payload, which would produce a spurious "not signed in" flash. + const nativeCallbackHref = nativeAuthCallbackForReturnTo(nativeReturnTo); if ( - refreshToken && - accessCookie && - nativeReturnTo !== null && - NATIVE_SCHEMES.some((scheme) => nativeReturnTo.startsWith(scheme)) + shouldEmitNativeHandoff({ refreshToken, accessToken }) && + nativeCallbackHref ) { - const href = buildNativeHref(nativeReturnTo, refreshToken, accessCookie); + const href = buildNativeHref(nativeCallbackHref, refreshToken, accessCookie); if (href) return ; } // Web redirect (relative paths only). Reject protocol-relative paths like // "//evil.com" that Next.js would treat as external redirects. - const afterAuth = typeof searchParams?.after_auth_return_to === "string" - ? searchParams.after_auth_return_to - : null; + const afterAuth = + typeof searchParams?.after_auth_return_to === "string" + ? searchParams.after_auth_return_to + : null; if (afterAuth && afterAuth.startsWith("/") && !afterAuth.startsWith("//")) { redirect(afterAuth); } - // Fallback: try native app only when we actually have tokens to hand off. - if (refreshToken && accessCookie) { - const fallback = buildNativeHref(null, refreshToken, accessCookie); - if (fallback) return ; - } - redirect("/"); } diff --git a/web/tests/native-handoff.test.ts b/web/tests/native-handoff.test.ts new file mode 100644 index 0000000000..e34045c6d0 --- /dev/null +++ b/web/tests/native-handoff.test.ts @@ -0,0 +1,88 @@ +import { describe, expect, test } from "bun:test"; +import { + isNativeReturnScheme, + nativeAuthCallbackForReturnTo, + shouldEmitNativeHandoff, +} from "../app/handler/after-sign-in/native-handoff"; + +describe("native-handoff", () => { + describe("isNativeReturnScheme", () => { + test("returns true for cmux native schemes", () => { + expect(isNativeReturnScheme("cmux://auth-callback")).toBe(true); + expect(isNativeReturnScheme("cmux-nightly://auth-callback")).toBe(true); + expect(isNativeReturnScheme("cmux-dev://auth-callback")).toBe(true); + }); + + test("returns false for non-native schemes", () => { + expect(isNativeReturnScheme("https://cmux.com")).toBe(false); + expect(isNativeReturnScheme("cmuxapp://auth-callback")).toBe(false); + expect(isNativeReturnScheme(null)).toBe(false); + expect(isNativeReturnScheme(undefined)).toBe(false); + expect(isNativeReturnScheme("")).toBe(false); + }); + }); + + describe("nativeAuthCallbackForReturnTo", () => { + test("coerces native return targets to auth-callback", () => { + expect(nativeAuthCallbackForReturnTo("cmux://workspace/123")).toBe( + "cmux://auth-callback", + ); + expect( + nativeAuthCallbackForReturnTo("cmux-nightly://workspace/123"), + ).toBe("cmux-nightly://auth-callback"); + expect(nativeAuthCallbackForReturnTo("cmux-dev://workspace/123")).toBe( + "cmux-dev://auth-callback", + ); + }); + + test("preserves the callback state", () => { + expect( + nativeAuthCallbackForReturnTo("cmux-dev://auth-callback?state=abc123"), + ).toBe("cmux-dev://auth-callback?state=abc123"); + }); + + test("returns null for non-native return targets", () => { + expect(nativeAuthCallbackForReturnTo("https://cmux.com")).toBe(null); + expect(nativeAuthCallbackForReturnTo(null)).toBe(null); + expect(nativeAuthCallbackForReturnTo(undefined)).toBe(null); + }); + }); + + describe("shouldEmitNativeHandoff", () => { + test("returns true when both tokens are present", () => { + expect( + shouldEmitNativeHandoff({ + refreshToken: "refresh", + accessToken: "access", + }), + ).toBe(true); + }); + + test("returns false when refreshToken is missing", () => { + expect( + shouldEmitNativeHandoff({ + refreshToken: undefined, + accessToken: "access", + }), + ).toBe(false); + }); + + test("returns false when accessToken is empty string", () => { + expect( + shouldEmitNativeHandoff({ + refreshToken: "refresh", + accessToken: "", + }), + ).toBe(false); + }); + + test("returns false when accessToken is undefined", () => { + expect( + shouldEmitNativeHandoff({ + refreshToken: "refresh", + accessToken: undefined, + }), + ).toBe(false); + }); + }); +});