Skip to content

[google_sign_in_android] Fix IllegalStateException on duplicate authorization result#11984

Merged
auto-submit[bot] merged 3 commits into
flutter:mainfrom
brunovsiqueira:fix-gsi-android-duplicate-activity-result
Jul 7, 2026
Merged

[google_sign_in_android] Fix IllegalStateException on duplicate authorization result#11984
auto-submit[bot] merged 3 commits into
flutter:mainfrom
brunovsiqueira:fix-gsi-android-duplicate-activity-result

Conversation

@brunovsiqueira

@brunovsiqueira brunovsiqueira commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

google_sign_in_android's GoogleSignInPlugin.Delegate.onActivityResult resolved the pending authorization callback on its success path and returned true before clearing pendingAuthorizationCallback — that field was only nulled on the ApiException (failure) path. As a result, when the REQUEST_CODE_AUTHORIZE activity result is delivered more than once (for example when a saved result is re-delivered after a configuration change or process death), the method re-enters with the field still set and completes the same Pigeon Reply a second time, throwing:

java.lang.IllegalStateException: Reply already submitted

This change captures the callback into a local and nulls pendingAuthorizationCallback before completing it, so any duplicate or late delivery for the same request code falls through to the existing "Unexpected authorization result callback" branch instead of double-completing the reply. The existing success/failure return semantics are unchanged.

A regression test (authorize_ignoresDuplicateActivityResult) drives the authorize → success flow, invokes onActivityResult twice, and asserts the callback is resolved exactly once and the second delivery is not consumed. It fails before this change and passes after.

Issues fixed by this PR

Fixes flutter/flutter#188062

Notes

  • Opened as a draft: the CLA still needs to be signed before this can be marked ready for review.
  • Developed with AI assistance (Claude Code); I have reviewed and understand the change and take responsibility for it per the AI contribution guidelines.
  • Ran the repo-pinned auto-formatter (google-java-format v1.28.0) on the changed Java — no changes needed.
  • All google_sign_in_android Android unit tests pass locally via testDebugUnitTest, including the new regression test.

Pre-Review Checklist

Footnotes

  1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. 2

@google-cla

google-cla Bot commented Jun 25, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@brunovsiqueira brunovsiqueira force-pushed the fix-gsi-android-duplicate-activity-result branch from 11f23f9 to 53bf0ed Compare June 25, 2026 13:47
@brunovsiqueira brunovsiqueira marked this pull request as ready for review June 25, 2026 13:51

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Android implementation of the google_sign_in plugin to prevent an IllegalStateException crash caused by duplicate activity results. In GoogleSignInPlugin.java, the pendingAuthorizationCallback is now cleared before it is resolved, ensuring that a re-delivered result does not complete the callback twice. A regression test has been added to verify that duplicate results are ignored, and the package version is bumped to 7.2.14. There are no review comments, and I have no feedback to provide.

@brunovsiqueira

Copy link
Copy Markdown
Contributor Author

@googlebot I signed it!

…rization result

Delegate.onActivityResult resolved the authorization callback on its success
path and returned before clearing pendingAuthorizationCallback (which only
happened on the ApiException path). A re-delivered activity result for
REQUEST_CODE_AUTHORIZE (e.g. after a configuration change or process death)
then completed the same Pigeon Reply twice, throwing IllegalStateException
("Reply already submitted").

Capture the callback and null the field before completing it, so any
duplicate/late delivery falls through to the "Unexpected authorization result
callback" branch. Adds a regression test.

Fixes flutter/flutter#188062
@brunovsiqueira brunovsiqueira force-pushed the fix-gsi-android-duplicate-activity-result branch from 53bf0ed to ad4c575 Compare June 25, 2026 13:55

@stuartmorgan-g stuartmorgan-g left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with one CHANGELOG nit

Comment thread packages/google_sign_in/google_sign_in_android/CHANGELOG.md Outdated
@stuartmorgan-g stuartmorgan-g added the CICD Run CI/CD label Jul 7, 2026
@flutter-dashboard

Copy link
Copy Markdown

This pull request is not mergeable in its current state, likely because of a merge conflict. Pre-submit CI jobs were not triggered. Pushing a new commit to this branch that resolves the issue will result in pre-submit jobs being scheduled.

@stuartmorgan-g stuartmorgan-g added the triage-android Should be looked at in Android triage label Jul 7, 2026
@flutter-dashboard flutter-dashboard Bot removed the CICD Run CI/CD label Jul 7, 2026
@stuartmorgan-g stuartmorgan-g added the CICD Run CI/CD label Jul 7, 2026
@stuartmorgan-g stuartmorgan-g added the autosubmit Merge PR when tree becomes green via auto submit App label Jul 7, 2026
@auto-submit auto-submit Bot merged commit 7404524 into flutter:main Jul 7, 2026
89 checks passed
srawlins pushed a commit to srawlins/flutter that referenced this pull request Jul 8, 2026
…r#189134)

flutter/packages@92525f5...52d84d6

2026-07-08 engine-flutter-autoroll@skia.org Manual roll Flutter from
6995038 to 91939cc (48 revisions) (flutter/packages#12137)
2026-07-08 engine-flutter-autoroll@skia.org Manual roll Flutter from
ca9f874 to 6995038 (44 revisions) (flutter/packages#12135)
2026-07-07 engine-flutter-autoroll@skia.org Manual roll Flutter from
0c80830 to ca9f874 (119 revisions) (flutter/packages#12081)
2026-07-07 43054281+camsim99@users.noreply.github.com Add code coverage
presubmit test (flutter/packages#11942)
2026-07-07 brunovsiq@gmail.com [google_sign_in_android] Fix
IllegalStateException on duplicate authorization result
(flutter/packages#11984)
2026-07-07 saurabhmirajkar000@gmail.com [webview_flutter] Document
NavigationDelegate callbacks (flutter/packages#11921)
2026-07-07 engine-flutter-autoroll@skia.org Roll Flutter (stable) from
ad70ec4 to f94f4fc (8 revisions) (flutter/packages#12125)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages-flutter-autoroll
Please CC flutter-ecosystem@google.com on the revert to ensure that a
human
is aware of the problem.

To file a bug in Flutter:
https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
kalyujniy pushed a commit to brickit-app/camera that referenced this pull request Jul 8, 2026
…rization result (flutter#11984)

`google_sign_in_android`'s `GoogleSignInPlugin.Delegate.onActivityResult` resolved the pending authorization callback on its success path and returned `true` **before** clearing `pendingAuthorizationCallback` — that field was only nulled on the `ApiException` (failure) path. As a result, when the `REQUEST_CODE_AUTHORIZE` activity result is delivered more than once (for example when a saved result is re-delivered after a configuration change or process death), the method re-enters with the field still set and completes the same Pigeon `Reply` a second time, throwing:

```
java.lang.IllegalStateException: Reply already submitted
```

This change captures the callback into a local and nulls `pendingAuthorizationCallback` **before** completing it, so any duplicate or late delivery for the same request code falls through to the existing `"Unexpected authorization result callback"` branch instead of double-completing the reply. The existing success/failure return semantics are unchanged.

A regression test (`authorize_ignoresDuplicateActivityResult`) drives the authorize → success flow, invokes `onActivityResult` twice, and asserts the callback is resolved exactly once and the second delivery is not consumed. It fails before this change and passes after.

## Issues fixed by this PR

Fixes flutter/flutter#188062

## Notes

- Opened as a **draft**: the CLA still needs to be signed before this can be marked ready for review.
- Developed with AI assistance (Claude Code); I have reviewed and understand the change and take responsibility for it per the AI contribution guidelines.
- Ran the repo-pinned auto-formatter (`google-java-format` v1.28.0) on the changed Java — no changes needed.
- All `google_sign_in_android` Android unit tests pass locally via `testDebugUnitTest`, including the new regression test.

## Pre-Review Checklist

[^1]: Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

autosubmit Merge PR when tree becomes green via auto submit App CICD Run CI/CD p: google_sign_in platform-android triage-android Should be looked at in Android triage

Projects

None yet

3 participants