feat: add expo-crypto dependency and integrate randomUUID for nonce generation in useAppleSignIn hook

- Added expo-crypto as a dependency in package.json.
- Updated useAppleSignIn hook to use Crypto.randomUUID() for generating a cryptographically secure nonce instead of Math.random().
- Mocked expo-crypto in useAppleSignIn tests to return a fixed UUID for consistent testing.
- Updated tests to verify that randomUUID is called and the correct nonce is used in the sign-in flow.

Author: chriscanin

packages/expo/package.json

@@ -96,6 +96,7 @@
     "@types/base-64": "^1.0.2",
     "expo-apple-authentication": "^7.2.4",
     "expo-auth-session": "^5.4.0",
+    "expo-crypto": "^15.0.7",
     "expo-local-authentication": "^13.8.0",
     "expo-secure-store": "^12.8.1",
     "expo-web-browser": "^12.8.2",
@@ -105,6 +106,7 @@
     "@clerk/expo-passkeys": ">=0.0.6",
     "expo-apple-authentication": ">=7.0.0",
     "expo-auth-session": ">=5",
+    "expo-crypto": ">=12",
     "expo-local-authentication": ">=13.5.0",
     "expo-secure-store": ">=12.4.0",
     "expo-web-browser": ">=12.5.0",

packages/expo/src/hooks/__tests__/useAppleSignIn.test.ts

@@ -9,6 +9,7 @@ const mocks = vi.hoisted(() => {
     useSignUp: vi.fn(),
     signInAsync: vi.fn(),
     isAvailableAsync: vi.fn(),
+    randomUUID: vi.fn(),
   };
 });
 
@@ -30,6 +31,12 @@ vi.mock('expo-apple-authentication', () => {
   };
 });
 
+vi.mock('expo-crypto', () => {
+  return {
+    randomUUID: mocks.randomUUID,
+  };
+});
+
 vi.mock('react-native', () => {
   return {
     Platform: {
@@ -69,6 +76,7 @@ describe('useAppleSignIn', () => {
     });
 
     mocks.isAvailableAsync.mockResolvedValue(true);
+    mocks.randomUUID.mockReturnValue('test-nonce-uuid');
   });
 
   afterEach(() => {
@@ -98,10 +106,11 @@ describe('useAppleSignIn', () => {
       const response = await result.current.startAppleSignInFlow();
 
       expect(mocks.isAvailableAsync).toHaveBeenCalled();
+      expect(mocks.randomUUID).toHaveBeenCalled();
       expect(mocks.signInAsync).toHaveBeenCalledWith(
         expect.objectContaining({
           requestedScopes: expect.any(Array),
-          nonce: expect.any(String),
+          nonce: 'test-nonce-uuid',
         }),
       );
       expect(mockSignIn.create).toHaveBeenCalledWith({

packages/expo/src/hooks/useAppleSignIn.ts

@@ -1,6 +1,7 @@
 import { useSignIn, useSignUp } from '@clerk/clerk-react';
 import type { SetActive, SignInResource, SignUpResource, SignUpUnsafeMetadata } from '@clerk/types';
 import * as AppleAuthentication from 'expo-apple-authentication';
+import * as Crypto from 'expo-crypto';
 import { Platform } from 'react-native';
 
 import { errorThrower } from '../utils/errors';
@@ -83,9 +84,8 @@ export function useAppleSignIn() {
     }
 
     try {
-      // Generate a nonce for the Apple Sign-In request (required by Clerk)
-      // Note: Using Math.random() is acceptable here as the identity token is validated by Clerk's backend
-      const nonce = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+      // Generate a cryptographically secure nonce for the Apple Sign-In request (required by Clerk)
+      const nonce = Crypto.randomUUID();
 
       // Request Apple authentication with requested scopes
       const credential = await AppleAuthentication.signInAsync({