codefiesta · codefiesta · Jun 13, 2025
diff --git a/Sources/OAuthKit/Views/OAWebViewCoordinator.swift b/Sources/OAuthKit/Views/OAWebViewCoordinator.swift
@@ -13,17 +13,23 @@ import WebKit
 @MainActor
 public class OAWebViewCoordinator: NSObject {
 
-    var webView: OAWebView
+    var webView: OAWebView?
 
     /// The oauth reference.
-    var oauth: OAuth {
-        webView.oauth
-    }
+    let oauth: OAuth
 
     /// Initializer
     /// - Parameter webView: the webview that is being coordinated.
     init(_ webView: OAWebView) {
         self.webView = webView
+        self.oauth = webView.oauth
+        super.init()
+    }
+
+    /// Initializer. Primarily used for testing.
+    /// - Parameter oauth: the oauth object to use.
+    init(oauth: OAuth) {
+        self.oauth = oauth
         super.init()
     }
 
@@ -83,17 +89,17 @@ public class OAWebViewCoordinator: NSObject {
             break
         case .authorizing(let provider, let grantType):
             // Override the custom user agent for the provider and tell the browser to load the request
-            webView.view.customUserAgent = provider.customUserAgent
+            webView?.view.customUserAgent = provider.customUserAgent
             // Tell the webView to load the authorization request
             guard let request = OAuth.Request.auth(provider: provider, grantType: grantType) else { return }
-            webView.view.load(request)
+            webView?.view.load(request)
         case .receivedDeviceCode(let provider, let deviceCode):
             // Override the custom user agent for the provider and tell the browser to load the request
-            webView.view.customUserAgent = provider.customUserAgent
+            webView?.view.customUserAgent = provider.customUserAgent
             // Tell the webView to load the device code verification request
             guard let url = URL(string: deviceCode.verificationUri) else { return }
             let request = URLRequest(url: url)
-            webView.view.load(request)
+            webView?.view.load(request)
         }
     }
 }

diff --git a/Tests/OAuthKitTests/OAWebViewTests.swift b/Tests/OAuthKitTests/OAWebViewTests.swift
@@ -25,10 +25,12 @@ final class OAWebViewTests {
     }()
 
     let oauth: OAuth
+    let webView: OAWebView
 
     /// Initializer.
     init() async throws {
         oauth = .init(.module)
+        webView = .init()
         oauth.urlSession = urlSession
     }
 
@@ -49,16 +51,42 @@ final class OAWebViewTests {
     @Test("Coordinator Policy Decisons")
     func whenCoordinatorDecidingPolicy() async throws {
 
-        let webView: OAWebView = .init()
-        let coordinator: OAWebViewCoordinator = webView.makeCoordinator()
+        let coordinator: OAWebViewCoordinator = .init(oauth: oauth)
         let wkWebView = webView.view
 
         var urlRequest: URLRequest = .init(url: URL(string: "https://github.com/codefiesta/OAuthKit")!)
         urlRequest.url = nil
 
-        let navigationAction: WKNavigationAction = OAuthTestWKNavigationAction(urlRequest: urlRequest)
-        let policy = await coordinator.webView(wkWebView, decidePolicyFor: navigationAction)
+        // 1) Bad Request Expectations
+        var navigationAction: WKNavigationAction = OAuthTestWKNavigationAction(urlRequest: urlRequest)
+        var policy = await coordinator.webView(wkWebView, decidePolicyFor: navigationAction)
         #expect(policy == .cancel)
+
+        let provider = oauth.providers[0]
+
+        // 2) Authorization Code Expectations
+        let state: String = .secureRandom()
+        let code: String = .secureRandom()
+
+        oauth.authorize(provider: provider, grantType: .authorizationCode(state))
+        coordinator.update(state: oauth.state)
+        var urlString = provider.redirectURI! + "?code=\(code)&state=\(state)"
+        urlRequest = .init(url: URL(string: urlString)!)
+
+        navigationAction = OAuthTestWKNavigationAction(urlRequest: urlRequest)
+        policy = await coordinator.webView(wkWebView, decidePolicyFor: navigationAction)
+        #expect(policy == .allow)
+
+        // 3) PKCE Expectations
+        let pkce: OAuth.PKCE = .init()
+        oauth.authorize(provider: provider, grantType: .pkce(pkce))
+        coordinator.update(state: oauth.state)
+        urlString = provider.redirectURI! + "?code=\(code)&state=\(pkce.state)"
+        urlRequest = .init(url: URL(string: urlString)!)
+
+        navigationAction = OAuthTestWKNavigationAction(urlRequest: urlRequest)
+        policy = await coordinator.webView(wkWebView, decidePolicyFor: navigationAction)
+        #expect(policy == .allow)
     }
 }
 #endif