
fix(experience): add localStorage fallback for sessionStorage in in-app browsers#8415

Open
sputnik-mac wants to merge 1 commit into logto-io:master from sputnik-mac:fix/social-connector-session-storage-fallback

Conversation

@sputnik-mac

Problem

Closes #7604

In certain in-app browsers (e.g. WeChat, Facebook, LINE), sessionStorage is cleared when the OAuth redirect opens in a new window or WebView context. This causes the social sign-in callback to fail with 'Sign-in session not found.' because the auth state stored before the redirect is no longer accessible after returning.

Root cause

storeState, validateState, storeCallbackLink, getCallbackLinkFromStorage, and removeCallbackLinkFromStorage all write/read exclusively from sessionStorage. In-app browsers that treat each redirect as a new window context reset sessionStorage between navigations.

Fix

Introduce three thin storage helpers in social-connectors.ts:

  • setStorageItem — writes to both sessionStorage and localStorage
  • getStorageItem — reads from sessionStorage first; if missing, falls back to localStorage, restores it to sessionStorage, and removes the localStorage copy
  • removeStorageItem — removes from both stores

All existing public functions (storeState, validateState, storeCallbackLink, etc.) are updated to use these helpers. Logic and public API are otherwise unchanged.

Security note: the localStorage copy is short-lived — it is removed immediately after being read back. The state value is a random nonce used only for CSRF protection within the sign-in flow.

Testing

  • Normal browser: behaviour unchanged (sessionStorage hit on first read, localStorage copy cleaned up)
  • In-app browser (WeChat/Facebook): after redirect, sessionStorage is empty → localStorage fallback returns the state → sign-in completes successfully

…pp browsers

Some in-app browsers (e.g. WeChat, Facebook) clear sessionStorage when a
redirect opens in a new window or WebView context. This causes the social
sign-in flow to fail with 'Sign-in session not found.' because the auth
state stored before the redirect is no longer accessible after returning.

Add three internal helpers (getStorageItem, setStorageItem, removeStorageItem)
that transparently mirror social connector state to localStorage. On read, if
sessionStorage is empty, the value is recovered from localStorage and restored
to sessionStorage for consistency. On delete, both storage locations are cleared.

This fixes the login failure reported for in-app browsers while keeping the
normal browser flow unchanged.

Fixes: logto-io#7604

Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
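Added example, not the PR's code and not Logto's: the three helpers from the description above (setStorageItem, getStorageItem, removeStorageItem) and the storeState/validateState pair rebuilt on top of in-memory stand-ins for sessionStorage and localStorage, so the two flows listed under Testing can be exercised outside a browser. It goes beyond the PR in one respect: the localStorage mirror carries an expiry, because "removed immediately after being read back" only holds when the user actually returns, and an abandoned flow would otherwise leave the nonce in persistent storage until a later attempt overwrites it. The TTL value (MIRROR_TTL_MS), the key format used by storeState, the MemoryStorage class, the MirrorRecord shape and the isFreshRecord check are all this example's own assumptions.

```typescript
// Added example (not Logto's code): sessionStorage -> localStorage fallback for
// the social sign-in state, modelled with in-memory stores so it runs outside a
// browser. The expiry on the mirrored copy and the record validation are this
// example's additions, not part of the PR.

// Subset of the Web Storage API the helpers rely on; window.sessionStorage and
// window.localStorage satisfy it, as does the in-memory stand-in below.
interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// Constructed stand-in for a browser Storage object.
export class MemoryStorage implements StorageLike {
  private readonly entries = new Map<string, string>();

  getItem(key: string): string | null {
    return this.entries.get(key) ?? null;
  }

  setItem(key: string, value: string): void {
    this.entries.set(key, value);
  }

  removeItem(key: string): void {
    this.entries.delete(key);
  }

  // Models an in-app browser reopening the page in a fresh WebView context.
  clear(): void {
    this.entries.clear();
  }
}

// Hypothetical lifetime of the mirrored copy: long enough for a provider
// round-trip, short enough that an abandoned flow does not leave a usable
// CSRF state in persistent storage indefinitely.
export const MIRROR_TTL_MS = 10 * 60 * 1000;

type MirrorRecord = { value: string; expiresAt: number };

// Accepts only a well-formed, unexpired record read back from localStorage.
function isFreshRecord(parsed: unknown, now: number): parsed is MirrorRecord {
  if (typeof parsed !== 'object' || parsed === null) {
    return false;
  }
  const record = parsed as Record<string, unknown>;
  return typeof record.value === 'string' && typeof record.expiresAt === 'number' && record.expiresAt > now;
}

// Write to both stores; the localStorage copy is wrapped with an expiry.
export function setStorageItem(session: StorageLike, local: StorageLike, key: string, value: string, now: number = Date.now()): void {
  session.setItem(key, value);
  const record: MirrorRecord = { value, expiresAt: now + MIRROR_TTL_MS };
  local.setItem(key, JSON.stringify(record));
}

// Read from sessionStorage first; otherwise recover from localStorage, restore
// to sessionStorage and drop the persistent copy. undefined if nothing usable.
export function getStorageItem(session: StorageLike, local: StorageLike, key: string, now: number = Date.now()): string | undefined {
  const fromSession = session.getItem(key);
  if (fromSession !== null) {
    // Normal browser: sessionStorage survived, so the mirror is no longer needed.
    local.removeItem(key);
    return fromSession;
  }

  const raw = local.getItem(key);
  if (raw === null) {
    return undefined;
  }
  // Single use: remove the persistent copy before deciding whether to trust it.
  local.removeItem(key);

  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return undefined;
  }
  if (!isFreshRecord(parsed, now)) {
    return undefined;
  }

  // Restore so later reads in this flow behave like a normal browser.
  session.setItem(key, parsed.value);
  return parsed.value;
}

export function removeStorageItem(session: StorageLike, local: StorageLike, key: string): void {
  session.removeItem(key);
  local.removeItem(key);
}

// The key format is this example's assumption, not Logto's.
const stateKey = (connectorId: string): string => `social_auth_state:${connectorId}`;

export function storeState(session: StorageLike, local: StorageLike, state: string, connectorId: string): void {
  setStorageItem(session, local, stateKey(connectorId), state);
}

// The state is a one-shot CSRF nonce: it is consumed from both stores on the
// first validation attempt, whether or not it matches.
export function validateState(session: StorageLike, local: StorageLike, state: string, connectorId: string): boolean {
  const stored = getStorageItem(session, local, stateKey(connectorId));
  removeStorageItem(session, local, stateKey(connectorId));
  return stored !== undefined && stored === state;
}
```

getStorageItem removes the localStorage copy before the record is parsed or checked, so a malformed or expired record is consumed rather than left for a retry, and a successful read in a fresh WebView puts the value back into sessionStorage so the rest of the flow runs as it would in a normal browser. validateState consumes the nonce on its first call whether or not it matches, which keeps it single-use across both stores. The mirror is still readable by any same-origin script and any other tab on the same origin until it is consumed or expires; the TTL and the consume-on-read rule bound that window but do not close it.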
@github-actions

github-actions bot commented Mar 1, 2026

COMPARE TO master

Total Size Diff 📈 +1.26 KB

Diff by File
Name                                               Diff
packages/experience/src/utils/social-connectors.ts 📈 +1.26 KB

@victimsss

I noticed that when using social login in a mobile browser environment, the browser opens the social app in a new tab for authentication, which causes the login to fail. Can this commit resolve this issue?

@sputnik-mac
Author

Yes, this fix specifically targets the mobile browser scenario. The issue occurs because mobile browsers (especially when opening a social app like Google/Apple via deep link) lose the sessionStorage state when returning to the browser tab after authentication. By falling back to localStorage when sessionStorage is unavailable or the data is missing, the state (including redirectUri and other params) is preserved across tab switches and app redirects. So this should resolve the issue you described.

@simeng-li simeng-li self-assigned this Mar 12, 2026
@victimsss

Yes, this fix specifically targets the mobile browser scenario. The problem occurs because mobile browsers (especially when opening a social app like Google/Apple via a deep link) lose the sessionStorage state when returning to the browser tab after authentication. By falling back to localStorage when sessionStorage is unavailable or the data is missing, the state (including redirectUri and other params) is preserved across tab switches and app redirects. So this should resolve the issue you described.

The CI failed during the lint step due to an ESLint error in packages/experience/src/utils/social-connectors.ts.

The issue is caused by using null as a TypeScript type, which violates the @typescript-eslint/ban-types rule.


Development

Successfully merging this pull request may close these issues.

bug: Cannot complete login flow in via browser due to lost sessionStorage

3 participants