Fix ANR risk and error handling in WP.com OAuth login

- Replace runBlocking with async coroutine scope to avoid blocking
  the main thread during token exchange (Critical #1)
- Use dedicated CoroutineScope instead of Dispatchers.IO so
  dispose() only cancels this helper's coroutines (Critical #2)
- Propagate login errors to the caller via Consumer<Exception>
  instead of swallowing them
- Show error state on the loading screen with a retry button
  instead of silently failing
- Cancel coroutine scope in LoginActivity.onDestroy()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jkmassel

WordPress/src/main/java/org/wordpress/android/ui/accounts/LoginActivity.java

@@ -6,8 +6,10 @@
 import android.content.Intent;
 import android.net.Uri;
 import android.os.Bundle;
+import android.view.View;
 import android.view.ViewGroup;
 import android.widget.FrameLayout;
+import android.widget.TextView;
 
 import androidx.annotation.NonNull;
 import androidx.core.view.WindowCompat;
@@ -125,15 +127,16 @@ protected void onCreate(@Nullable Bundle savedInstanceState) {
         // Enable edge-to-edge display
         WindowCompat.setDecorFitsSystemWindows(getWindow(), false);
 
-        // Attempt Login if this activity was created in response to a user confirming login, and if
-        // successful clear the intent so we don't reuse the OAuth code if the activity is recreated
-        boolean loginProcessed = mLoginHelper.tryLoginWithDataString(getIntent().getDataString());
-
-        if (loginProcessed) {
+        // Attempt Login if this activity was created in response to a user confirming login
+        String dataString = getIntent().getDataString();
+        if (mLoginHelper.hasOAuthCallback(dataString)) {
             getIntent().setData(null);
-            // OAuth login successful - show loading UI and finish the login flow
             setContentView(R.layout.login_loading);
-            this.loggedInAndFinish(new ArrayList<Integer>(), true);
+            mLoginHelper.tryLoginWithDataString(
+                    dataString,
+                    () -> loggedInAndFinish(new ArrayList<>(), true),
+                    error -> showLoginError(error)
+            );
             return;
         } else {
             // Not an OAuth callback - clear any pending login mode from a previous flow
@@ -222,11 +225,15 @@ protected void onNewIntent(@NonNull Intent intent) {
         setIntent(intent);
 
         // Handle OAuth callback when activity is reused (singleTop)
-        boolean loginProcessed = mLoginHelper.tryLoginWithDataString(intent.getDataString());
-        if (loginProcessed) {
+        String dataString = intent.getDataString();
+        if (mLoginHelper.hasOAuthCallback(dataString)) {
             intent.setData(null);
             setContentView(R.layout.login_loading);
-            this.loggedInAndFinish(new ArrayList<Integer>(), true);
+            mLoginHelper.tryLoginWithDataString(
+                    dataString,
+                    () -> loggedInAndFinish(new ArrayList<>(), true),
+                    error -> showLoginError(error)
+            );
         }
     }
 
@@ -242,6 +249,12 @@ protected void onStop() {
         mDispatcher.unregister(this);
     }
 
+    @Override
+    protected void onDestroy() {
+        super.onDestroy();
+        mLoginHelper.dispose();
+    }
+
     @Override
     protected void onResume() {
         super.onResume();
@@ -302,6 +315,45 @@ private void navigateToMainActivityOrFinish() {
         finish();
     }
 
+    private void showPrologueScreen() {
+        LoginFlowThemeHelper.injectMissingCustomAttributes(getTheme());
+        FrameLayout fragmentContainer = new FrameLayout(this);
+        mFragmentContainerId = R.id.fragment_container;
+        fragmentContainer.setId(mFragmentContainerId);
+        fragmentContainer.setFitsSystemWindows(false);
+        fragmentContainer.setLayoutParams(new ViewGroup.LayoutParams(
+                ViewGroup.LayoutParams.MATCH_PARENT,
+                ViewGroup.LayoutParams.MATCH_PARENT
+        ));
+        setContentView(fragmentContainer);
+        showFragment(
+                new LoginPrologueRevampedFragment(),
+                LoginPrologueRevampedFragment.TAG
+        );
+    }
+
+    private void showLoginError(@NonNull Exception error) {
+        AppLog.e(T.MAIN, "OAuth login failed", error);
+
+        View progressBar = findViewById(R.id.progress_bar);
+        View loadingText = findViewById(R.id.loading_text);
+        TextView errorText = findViewById(R.id.error_text);
+        View retryButton = findViewById(R.id.retry_button);
+
+        if (progressBar != null) progressBar.setVisibility(View.GONE);
+        if (loadingText != null) loadingText.setVisibility(View.GONE);
+
+        if (errorText != null) {
+            errorText.setText(getString(R.string.error_generic_network));
+            errorText.setVisibility(View.VISIBLE);
+        }
+
+        if (retryButton != null) {
+            retryButton.setVisibility(View.VISIBLE);
+            retryButton.setOnClickListener(v -> showPrologueScreen());
+        }
+    }
+
     private void showFragment(@NonNull Fragment fragment, @NonNull String tag) {
         FragmentTransaction fragmentTransaction = getSupportFragmentManager().beginTransaction();
         fragmentTransaction.replace(mFragmentContainerId, fragment, tag);

WordPress/src/main/java/org/wordpress/android/ui/accounts/login/WPcomLoginHelper.kt

@@ -3,56 +3,75 @@ package org.wordpress.android.ui.accounts.login
 import android.content.ComponentName
 import android.content.Context
 import android.net.Uri
-import android.util.Log
 import androidx.browser.customtabs.CustomTabsCallback
 import androidx.browser.customtabs.CustomTabsClient
 import androidx.browser.customtabs.CustomTabsServiceConnection
 import androidx.browser.customtabs.CustomTabsSession
 import androidx.core.net.toUri
+import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.SupervisorJob
 import kotlinx.coroutines.cancel
-import kotlinx.coroutines.runBlocking
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
 import org.wordpress.android.fluxc.network.rest.wpapi.WPcomLoginClient
 import org.wordpress.android.fluxc.network.rest.wpcom.auth.AppSecrets
 import org.wordpress.android.fluxc.store.AccountStore
+import org.wordpress.android.util.AppLog
+import org.wordpress.android.util.AppLog.T
 import javax.inject.Inject
-import kotlin.coroutines.CoroutineContext
 
 class WPcomLoginHelper @Inject constructor(
     private val loginClient: WPcomLoginClient,
     private val accountStore: AccountStore,
     appSecrets: AppSecrets,
 ) {
-    private val context: CoroutineContext = Dispatchers.IO
+    private val scope = CoroutineScope(SupervisorJob() + Dispatchers.IO)
 
     val wpcomLoginUri = loginClient.loginUri(appSecrets.redirectUri)
     private val customTabsServiceConnection = ServiceConnection(wpcomLoginUri)
-    private var processedAuthData: String? = null
 
-    @Suppress("ReturnCount")
-    fun tryLoginWithDataString(data: String?): Boolean {
-        if (data == null || data == processedAuthData) {
-            return false
-        }
-
-        val code = data.toUri().getQueryParameter("code") ?: return false
+    /**
+     * Returns true if the data string contains an OAuth callback code.
+     */
+    fun hasOAuthCallback(data: String?): Boolean {
+        if (data == null) return false
+        return data.toUri().getQueryParameter("code") != null
+    }
 
-        runBlocking {
-            val tokenResult = loginClient.exchangeAuthCodeForToken(code)
-            accountStore.updateAccessToken(tokenResult.getOrThrow())
-            Log.i("WPCOM_LOGIN", "Login Successful")
+    /**
+     * Asynchronously exchanges the OAuth code in the data string for
+     * an access token. Calls [onSuccess] on the main thread if the
+     * exchange succeeds, or [onFailure] with the exception if it
+     * fails.
+     */
+    fun tryLoginWithDataString(
+        data: String,
+        onSuccess: Runnable,
+        onFailure: java.util.function.Consumer<Exception>
+    ) {
+        val code = data.toUri().getQueryParameter("code") ?: return
+
+        scope.launch {
+            try {
+                val tokenResult = loginClient
+                    .exchangeAuthCodeForToken(code)
+                accountStore.updateAccessToken(
+                    tokenResult.getOrThrow()
+                )
+                withContext(Dispatchers.Main) { onSuccess.run() }
+            } catch (e: Exception) {
+                withContext(Dispatchers.Main) { onFailure.accept(e) }
+            }
         }
-
-        processedAuthData = data
-        return true
     }
 
     fun isLoggedIn(): Boolean {
         return accountStore.hasAccessToken()
     }
 
     fun dispose() {
-        context.cancel()
+        scope.cancel()
     }
 
     fun bindCustomTabsService(context: Context) {
@@ -62,17 +81,24 @@ class WPcomLoginHelper @Inject constructor(
 
 class ServiceConnection(
     var uri: Uri
-): CustomTabsServiceConnection() {
+) : CustomTabsServiceConnection() {
     private var client: CustomTabsClient? = null
     private var session: CustomTabsSession? = null
 
-    override fun onCustomTabsServiceConnected(name: ComponentName, client: CustomTabsClient) {
+    override fun onCustomTabsServiceConnected(
+        name: ComponentName,
+        client: CustomTabsClient
+    ) {
         client.warmup(0)
         this.client = client
 
         val session = client.newSession(CustomTabsCallback())
         session?.mayLaunchUrl(uri, null, null)
-        session?.mayLaunchUrl("https://wordpress.com/log-in/".toUri(), null, null)
+        session?.mayLaunchUrl(
+            "https://wordpress.com/log-in/".toUri(),
+            null,
+            null
+        )
 
         this.session = session
     }
@@ -90,8 +116,13 @@ class ServiceConnection(
 
         // Get the default browser package name, this will be null if
         // the default browser does not provide a CustomTabsService
-        val packageName = CustomTabsClient.getPackageName(context, null)  ?:  return
-
-        CustomTabsClient.bindCustomTabsService(context, packageName, this)
+        val packageName =
+            CustomTabsClient.getPackageName(context, null) ?: return
+
+        CustomTabsClient.bindCustomTabsService(
+            context,
+            packageName,
+            this
+        )
     }
 }

WordPress/src/main/res/layout/login_loading.xml

@@ -26,4 +26,30 @@
         app:layout_constraintStart_toStartOf="parent"
         app:layout_constraintTop_toBottomOf="@id/progress_bar" />
 
+    <TextView
+        android:id="@+id/error_text"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginHorizontal="@dimen/margin_extra_large"
+        android:gravity="center"
+        android:textAppearance="?attr/textAppearanceBody1"
+        android:visibility="gone"
+        app:layout_constraintBottom_toTopOf="@id/retry_button"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        app:layout_constraintVertical_chainStyle="packed" />
+
+    <com.google.android.material.button.MaterialButton
+        android:id="@+id/retry_button"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_marginTop="@dimen/margin_large"
+        android:text="@string/retry"
+        android:visibility="gone"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@id/error_text" />
+
 </androidx.constraintlayout.widget.ConstraintLayout>