ThexXTURBOXx / flutter_web_auth_2

Flutter plugin for authenticating a user with a web service
https://pub.dev/packages/flutter_web_auth_2
MIT License
51 stars 50 forks

[Bug]: Scripts may not close windows that were not opened by script on web mobile (Android only) #90

Open JPFrancoia opened 9 months ago

JPFrancoia commented 9 months ago

Description

I used to have my auth flow fully working, but after a big refactor it stopped working for web browsers on mobiles, and for web browsers on mobiles only. It works with:

But it does NOT work on Android, in a browser (I tried Chrome and Firefox). I used debugging via USB and I got this error message:

Scripts may not close windows that were not opened by script. [auth.html:17:13]

This is really weird to me, as I expected the web version to work the same on phones and desktop computers.

In the browser on mobile, when I trigger my auth flow, everything seems to go well:

Minimal Reproduction

The dart code for the authentication:

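import 'package:flutter/foundation.dart' show kIsWeb;
import 'package:flutter_web_auth_2/flutter_web_auth_2.dart';
// `cfg` is the app's own configuration object; its import is not shown in the issue.

/// Starts an auth flow to authenticate the client (this app).
///
/// This function will trigger an OAuth flow for the SSO provider [providerName].
/// The function will return a refresh token.
Future<String> authenticate(String providerName) async {
  // The backend is told whether the client is the web build via `is_web`.
  final url = "${cfg.API_URL}/auth/$providerName?is_web=$kIsWeb";

  // Resolves with the full callback URL once the auth window reports back.
  final result = await FlutterWebAuth2.authenticate(
      url: url, callbackUrlScheme: "callback-scheme");

  // The refresh token is read from the callback URL's query string.
  final refreshToken = Uri.parse(result).queryParameters['refresh_token']!;

  return refreshToken;
}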

auth.html:

<!DOCTYPE html>
<title>Authentication complete</title>
<p>Authentication is complete. If this does not happen automatically, please close the window.</p>
<script>
  function postAuthenticationMessage() {
    const message = {
      'flutter-web-auth-2': window.location.href
    };

    if (window.opener) {
      window.opener.postMessage(message, window.location.origin);
      window.close();
    } else if (window.parent && window.parent !== window) {
      window.parent.postMessage(message, window.location.origin);
    } else {
      localStorage.setItem('flutter-web-auth-2', window.location.href);
      window.close();
    }
  }

  postAuthenticationMessage();
</script>

I tried flutter_web_auth_2 version 2^ and 3^, same result.

Exception or Error

Scripts may not close windows that were not opened by script. [auth.html:17:13]

Expected Behaviour

I would expect the tab opened during the auth flow to close, and I would expect my app to finish the auth flow.

Screenshots

No response

Additional context

No response

Device

Xiaomi REDMI Note 10 Pro

OS

Android 13

Browser

Chrome, Firefox

Flutter version

3.16.3

flutter_web_auth_2 version

3^


ThexXTURBOXx commented 9 months ago

Yes, the current flow seems like it is highly dependent on the browser being used. Some browsers allow this behaviour (which some developers even call a "bug" because it could be insecure), while some others block it. I will need to see what could be done or someone could provide a PR with a better system, if possible.

lavinov-mercury commented 6 months ago

I have the same warning on Desktop Firefox, and auth.html doesn't close automatically.

Scripts may not close windows that were not opened by script.
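
Line 17 of the `auth.html` posted in this issue is the `window.close()` in the `localStorage` branch, so the failing case is a callback tab with no `window.opener`. The sketch below is an added example, not code from the plugin or from the issue author: it keeps the same three delivery channels, reports whether the close was accepted instead of assuming it, and shows the app-side checks. `deliverAuthResult`, `acceptAuthMessage`, `takeStoredResult` and `fakeWindow` are hypothetical names, and the `app.example` URL is constructed.

```javascript
const KEY = 'flutter-web-auth-2'; // message/storage key used by auth.html above

// Callback page: hand the callback URL to the app, then try to close.
// Returns the channel used and whether the browser accepted the close.
function deliverAuthResult(win) {
  const href = win.location.href;
  const origin = win.location.origin; // explicit target origin, never '*'
  let channel = 'storage';
  if (win.opener) {
    win.opener.postMessage({ [KEY]: href }, origin);
    channel = 'opener';
  } else if (win.parent && win.parent !== win) {
    win.parent.postMessage({ [KEY]: href }, origin);
    return { channel: 'parent', closed: false }; // framed: nothing to close
  } else {
    win.localStorage.setItem(KEY, href);
  }
  win.close(); // ignored by the browser if the window is not script-closable
  // closed === false here means the close was blocked: keep the manual-close text.
  return { channel, closed: win.closed === true };
}

// App side: accept a posted result only from the expected origin and shape.
function acceptAuthMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (typeof data !== 'object' || data === null) return null;
  return typeof data[KEY] === 'string' ? data[KEY] : null;
}

// App side, storage channel: read once and delete so the token-bearing URL does not persist.
function takeStoredResult(storage) {
  const href = storage.getItem(KEY);
  if (href !== null) storage.removeItem(KEY);
  return href;
}

// Constructed stand-in for a browser window (assumption: scriptOpened models
// whether the browser treats the window as closable by script).
function fakeWindow({ opener = null, scriptOpened = false } = {}) {
  const store = new Map();
  const href = 'https://app.example/auth.html?code=constructed';
  const win = { location: { href, origin: 'https://app.example' }, opener, closed: false,
    localStorage: { setItem: (k, v) => store.set(k, v), getItem: (k) => store.get(k) ?? null,
      removeItem: (k) => store.delete(k) },
    close() { if (scriptOpened) this.closed = true; } };
  win.parent = win; // top-level window: its parent is itself
  return win;
}
```

With `fakeWindow()` (no opener, not script-closable) the result is delivered through storage and `closed` stays `false`, which is the situation reported on Android.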