1

Author: LeafS825

lib/services/auth/sectl_auth_service.dart

@@ -53,6 +53,7 @@ class SectlAuthService {
   AuthLoopbackServer? _loopbackServer;
   Completer<UserInfo>? _activeLoginCompleter;
   WebAuthPopupSession? _webPopupSession;
+  bool _webRedirectFallbackTriggered = false;
 
   static String generateCodeVerifier({int byteLength = 32}) {
     final random = Random.secure();
@@ -141,6 +142,7 @@ class SectlAuthService {
 
     final authUrl = getAuthorizationUrl(session);
     _activeLoginCompleter = Completer<UserInfo>();
+    _webRedirectFallbackTriggered = false;
 
     if (targetPlatform == PendingAuthTargetPlatform.web) {
       final popupSession = await openWebAuthPopup(authUrl);
@@ -493,6 +495,10 @@ class SectlAuthService {
         _activeLoginCompleter!.complete(userInfo);
       }
     } catch (error, stackTrace) {
+      final redirected = await _fallbackWebPopupToFullRedirect(error);
+      if (redirected) {
+        return;
+      }
       if (_activeLoginCompleter != null &&
           !_activeLoginCompleter!.isCompleted) {
         _activeLoginCompleter!.completeError(error, stackTrace);
@@ -506,6 +512,29 @@ class SectlAuthService {
     }
   }
 
+  Future<bool> _fallbackWebPopupToFullRedirect(Object error) async {
+    if (!kIsWeb || _webRedirectFallbackTriggered) {
+      return false;
+    }
+
+    if (error is! StateError ||
+        !error.message.contains('popup was closed before finishing')) {
+      return false;
+    }
+
+    final pendingSession = await _tokenManager.getPendingAuthSession();
+    if (pendingSession == null ||
+        pendingSession.targetPlatform != PendingAuthTargetPlatform.web ||
+        pendingSession.isExpired) {
+      return false;
+    }
+
+    _webRedirectFallbackTriggered = true;
+    final authUrl = getAuthorizationUrl(pendingSession);
+    await navigateBrowserTo(authUrl);
+    return true;
+  }
+
   PendingAuthTargetPlatform _resolveTargetPlatform() {
     if (kIsWeb) {
       return PendingAuthTargetPlatform.web;
@@ -592,6 +621,7 @@ class SectlAuthService {
     _loopbackServer = null;
     await _webPopupSession?.close();
     _webPopupSession = null;
+    _webRedirectFallbackTriggered = false;
     if (clearCompleter) {
       _activeLoginCompleter = null;
     }
@@ -605,6 +635,7 @@ class SectlAuthService {
     _linkSubscription = null;
     _loopbackServer = null;
     _webPopupSession = null;
+    _webRedirectFallbackTriggered = false;
     _activeLoginCompleter = null;
   }
 }

lib/services/auth/web_popup_auth_web.dart

@@ -1,23 +1,29 @@
 import 'dart:async';
+import 'dart:convert';
+import 'dart:js_interop';
 
 import 'package:universal_html/html.dart' as html;
 
+extension on JSObject {
+  external JSAny? operator [](String key);
+}
+
 class WebAuthPopupSession {
   WebAuthPopupSession._(this._popupWindow) {
     _messageSubscription = html.window.onMessage.listen((event) {
-      final data = event.data;
-      if (data is! Map) return;
+      final payload = _normalizeMessagePayload(event.data);
+      if (payload == null) {
+        return;
+      }
+
+      final type = payload['type'];
+      final href = payload['href'];
 
-      final type = data['type'];
-      final href = data['href'];
       if (type != 'sectl-auth-callback' || href is! String) {
         return;
       }
 
-      final expectedOrigin = html.window.location.origin;
-      if (event.origin.isNotEmpty &&
-          expectedOrigin.isNotEmpty &&
-          event.origin != expectedOrigin) {
+      if (href.isEmpty) {
         return;
       }
 
@@ -27,15 +33,78 @@ class WebAuthPopupSession {
       unawaited(close());
     });
 
+    Future.delayed(const Duration(milliseconds: 500), () {
+      if (_callbackCompleter.isCompleted) return;
+      _startClosedTimer();
+    });
+  }
+
+  final html.WindowBase _popupWindow;
+  final Completer<Uri> _callbackCompleter = Completer<Uri>();
+  StreamSubscription<html.MessageEvent>? _messageSubscription;
+  Timer? _closedTimer;
+
+  Future<Uri> waitForCallback() => _callbackCompleter.future;
+
+  Map<String, dynamic>? _normalizeMessagePayload(dynamic data) {
+    if (data is String) {
+      try {
+        final decoded = jsonDecode(data);
+        if (decoded is Map<String, dynamic>) {
+          return decoded;
+        }
+        if (decoded is Map) {
+          return decoded.map(
+            (key, value) => MapEntry(key.toString(), value),
+          );
+        }
+      } catch (_) {
+        return null;
+      }
+    }
+
+    if (data is Map<String, dynamic>) {
+      return data;
+    }
+
+    if (data is Map) {
+      return data.map(
+        (key, value) => MapEntry(key.toString(), value),
+      );
+    }
+
+    try {
+      final object = data as JSObject;
+      final type = object['type'];
+      final href = object['href'];
+      if (type == null || href == null) {
+        return null;
+      }
+      return {
+        'type': (type as JSString).toDart,
+        'href': (href as JSString).toDart,
+      };
+    } catch (_) {
+      return null;
+    }
+  }
+
+  void _startClosedTimer() {
     _closedTimer = Timer.periodic(const Duration(milliseconds: 300), (_) {
+      if (_callbackCompleter.isCompleted) {
+        _closedTimer?.cancel();
+        return;
+      }
+
       final callbackUri = _tryReadPopupCallbackUri();
       if (callbackUri != null && !_callbackCompleter.isCompleted) {
         _callbackCompleter.complete(callbackUri);
         unawaited(close());
         return;
       }
 
-      if (_popupWindow.closed == true && !_callbackCompleter.isCompleted) {
+      final isClosed = _isPopupClosed();
+      if (isClosed && !_callbackCompleter.isCompleted) {
         _callbackCompleter.completeError(
           StateError('The SECTL login popup was closed before finishing.'),
         );
@@ -44,21 +113,30 @@ class WebAuthPopupSession {
     });
   }
 
-  final html.WindowBase _popupWindow;
-  final Completer<Uri> _callbackCompleter = Completer<Uri>();
-  StreamSubscription<html.MessageEvent>? _messageSubscription;
-  Timer? _closedTimer;
-
-  Future<Uri> waitForCallback() => _callbackCompleter.future;
+  bool _isPopupClosed() {
+    try {
+      final popupJs = _popupWindow as JSObject;
+      final closed = popupJs['closed'];
+      return (closed as JSBoolean).toDart;
+    } catch (_) {
+      return false;
+    }
+  }
 
   Uri? _tryReadPopupCallbackUri() {
     try {
-      final href = _popupWindow.location.href;
-      if (href == null || href.isEmpty) {
+      final location = _popupWindow.location as JSObject;
+      final href = location['href'];
+      if (href == null) {
+        return null;
+      }
+
+      final hrefString = (href as JSString).toDart;
+      if (hrefString.isEmpty) {
         return null;
       }
 
-      final uri = Uri.parse(href);
+      final uri = Uri.parse(hrefString);
       if (uri.queryParameters.containsKey('code') ||
           uri.queryParameters.containsKey('error')) {
         return uri;
@@ -107,5 +185,8 @@ Future<WebAuthPopupSession?> openWebAuthPopup(String url) async {
   ].join(',');
 
   final popup = html.window.open(url, 'sectl_auth_popup', features);
+  if (popup == null) {
+    return null;
+  }
   return WebAuthPopupSession._(popup);
 }

web/auth_callback.html

@@ -137,10 +137,10 @@ <h1 id="title">Completing SECTL sign-in</h1>
 
       const target = new URL(targetUrl);
       window.opener.postMessage(
-        {
+        JSON.stringify({
           type: 'sectl-auth-callback',
           href: target.toString()
-        },
+        }),
         target.origin,
       );
       return true;
@@ -192,7 +192,7 @@ <h1 id="title">Completing SECTL sign-in</h1>
 
         setTimeout(() => {
           if (maybeNotifyOpener(payload, targetUrl)) {
-            window.close();
+            setTimeout(() => window.close(), 150);
             return;
           }
           window.location.assign(targetUrl);