[google_sign_in_android] Fix IllegalStateException on duplicate authorization result

[brunovsiqueira]

google_sign_in_android's GoogleSignInPlugin.Delegate.onActivityResult resolved the pending authorization callback on its success path and returned true before clearing pendingAuthorizationCallback — that field was only nulled on the ApiException (failure) path. As a result, when the REQUEST_CODE_AUTHORIZE activity result is delivered more than once (for example when a saved result is re-delivered after a configuration change or process death), the method re-enters with the field still set and completes the same Pigeon Reply a second time, throwing:

java.lang.IllegalStateException: Reply already submitted

This change captures the callback into a local and nulls pendingAuthorizationCallback before completing it, so any duplicate or late delivery for the same request code falls through to the existing "Unexpected authorization result callback" branch instead of double-completing the reply. The existing success/failure return semantics are unchanged.

A regression test (authorize_ignoresDuplicateActivityResult) drives the authorize → success flow, invokes onActivityResult twice, and asserts the callback is resolved exactly once and the second delivery is not consumed. It fails before this change and passes after.

Issues fixed by this PR

Fixes flutter/flutter#188062

Notes

• Opened as a draft: the CLA still needs to be signed before this can be marked ready for review.
• Developed with AI assistance (Claude Code); I have reviewed and understand the change and take responsibility for it per the AI contribution guidelines.
• Ran the repo-pinned auto-formatter (google-java-format v1.28.0) on the changed Java — no changes needed.
• All google_sign_in_android Android unit tests pass locally via testDebugUnitTest, including the new regression test.

Pre-Review Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• I read the AI contribution guidelines and understand my responsibilities, or I am not using AI tools.
• I read the Tree Hygiene page, which explains my responsibilities.
• I read and followed the relevant style guides and ran the auto-formatter.
• I signed the CLA.
• The title of the PR starts with the name of the package surrounded by square brackets, e.g. [shared_preferences]
• I linked to at least one issue that this PR fixes in the description above.
• I followed the version and CHANGELOG instructions, using semantic versioning and the repository CHANGELOG style, or I have commented below to indicate which documented exception this PR falls under¹.
• I updated/added any relevant documentation (doc comments with ///).
• I added new tests to check the change I am making, or I have commented below to indicate which test exemption this PR falls under¹.
• All existing and new tests are passing.

Footnotes

1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling. ↩ ↩²

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request updates the Android implementation of the google_sign_in plugin to prevent an IllegalStateException crash caused by duplicate activity results. In GoogleSignInPlugin.java, the pendingAuthorizationCallback is now cleared before it is resolved, ensuring that a re-delivered result does not complete the callback twice. A regression test has been added to verify that duplicate results are ignored, and the package version is bumped to 7.2.14. There are no review comments, and I have no feedback to provide.

[brunovsiqueira]

@googlebot I signed it!