Skip to content

fix(rn): avoid safari popup block on web sign-in#63

Open
simeng-li wants to merge 1 commit into
masterfrom
simeng-fix-safari-popup-blocked-signin
Open

fix(rn): avoid safari popup block on web sign-in#63
simeng-li wants to merge 1 commit into
masterfrom
simeng-fix-safari-popup-blocked-signin

Conversation

@simeng-li
Copy link
Copy Markdown
Contributor

@simeng-li simeng-li commented Jun 8, 2026

Summary

Closes #45.

On web, signIn opens the authorization window via WebBrowser.openAuthSessionAsync (→ window.open), but only after super.signIn awaits OIDC discovery, PKCE, and storage. By then the click's user activation is gone, so Safari and Firefox block it as a popup (Chrome/Edge are lenient, which is why it only reproduced in Safari).

What changed

  • packages/rn/src/client.ts: on web, pre-open a named blank window (WebBrowser.openBrowserAsync('', { windowName: 'logtoAuth' })) synchronously at the start of signIn, while the user activation is still alive. openAuthSessionAsync is then called with the same windowName, so the browser reuses the existing window as a navigation rather than a blocked new popup. A try/catch closes the blank window if sign-in fails before the auth window opens.
  • Added a disableWebPopupWorkaround config flag (default false) so developers can opt out and fall back to opening the window directly.
  • packages/rn/src/client.test.ts: unit tests for the ordering invariant (pre-open before auth session), native no-op, the opt-out flag, and the failure-path window cleanup.

Expected result

  • Safari / Firefox (web): sign-in popup is no longer blocked.
  • Chrome / Edge (web): continue to work; the only change is a sub-second about:blank flash before redirect (the standard sync-open-then-navigate popup pattern). Worst case equals current behavior.
  • Native iOS / Android: unaffected. The workaround is gated behind Platform.OS === 'web', and windowName is a web-only expo-web-browser option (@platform web) that the native auth session ignores.

Reviewer notes

  • The pre-open must stay in signIn (not the navigate adapter) — navigate runs after super.signIn's async work, i.e. after the gesture is already lost.

Testing

Unit tests

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments

@simeng-li
fix(rn): avoid safari popup block on web sign-in
051749d 
On web, the auth popup was opened only after super.signIn awaited OIDC
config, PKCE and storage, so the click's user activation was gone and
Safari/Firefox blocked it. Pre-open a named blank window synchronously on
click and reuse it by name for the auth session, which browsers treat as a
navigation rather than a new popup. Native is unaffected.

A disableWebPopupWorkaround config flag lets developers opt out and fall
back to opening the window directly.
@simeng-li simeng-li requested review from a team, charIeszhao, Copilot and wangsijie and removed request for a team June 8, 2026 06:40
Copilot AI reviewed Jun 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes Safari/Firefox popup blocking during web sign-in by ensuring the auth window is opened while the user activation from the click is still valid, then reusing that same named window for the actual OIDC authorization navigation.

Changes:

  • Pre-opens a named window on web at the start of LogtoClient.signIn() and reuses it via windowName in openAuthSessionAsync.
  • Adds a disableWebPopupWorkaround config flag (default false) to opt out of the pre-open behavior.
  • Adds unit tests covering web ordering, native no-op behavior, opt-out behavior, and failure-path cleanup.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
packages/rn/src/client.ts Adds the web pre-open + named-window reuse workaround, plus an opt-out config flag.
packages/rn/src/client.test.ts Adds Vitest coverage for the popup workaround ordering, platform gating, opt-out, and cleanup behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wangsijie wangsijie Awaiting requested review from wangsijie wangsijie was automatically assigned from logto-io/mandatory-reviewers

@charIeszhao charIeszhao Awaiting requested review from charIeszhao charIeszhao was automatically assigned from logto-io/mandatory-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Popup Blocked error on safari browser when calling signIn(redirectUri) function provided by logto/rn sdk.

2 participants

@simeng-li