diff --git a/src-tauri/src/commands/auth_commands.rs b/src-tauri/src/commands/auth_commands.rs
index e9cabcf..67c1152 100644
--- a/src-tauri/src/commands/auth_commands.rs
+++ b/src-tauri/src/commands/auth_commands.rs
@@ -136,7 +136,7 @@ pub fn start_oauth(app: tauri::AppHandle) -> Result<String, String> {
 
     // Store verifier in managed state
     let state = app.state::<OAuthState>();
-    *state.code_verifier.lock().unwrap() = Some(verifier);
+    *state.code_verifier.lock().map_err(|e| format!("Mutex poisoned: {}", e))? = Some(verifier);
 
     let endpoint = logto_endpoint();
     let client_id = logto_app_id();
@@ -157,7 +157,7 @@ pub fn start_oauth(app: tauri::AppHandle) -> Result<String, String> {
 pub async fn handle_auth_callback(app: tauri::AppHandle, code: String) -> Result<AccountInfo, String> {
     let verifier = {
         let state = app.state::<OAuthState>();
-        let verifier = state.code_verifier.lock().unwrap().take();
+        let verifier = state.code_verifier.lock().map_err(|e| format!("Mutex poisoned: {}", e))?.take();
         verifier.ok_or("No pending OAuth flow (verifier missing)")?
     };
 
diff --git a/src-tauri/src/lib.rs b/src-tauri/src/lib.rs
index ec58338..e433c47 100644
--- a/src-tauri/src/lib.rs
+++ b/src-tauri/src/lib.rs
@@ -178,7 +178,9 @@ fn extract_auth_code(url: &str) -> Option<String> {
     for pair in query.split('&') {
         let mut kv = pair.splitn(2, '=');
         if kv.next()? == "code" {
-            return kv.next().map(|v| v.to_string());
+            return kv.next().map(|v| {
+                urlencoding::decode(v).map(|s| s.into_owned()).unwrap_or_else(|_| v.to_string())
+            });
         }
     }
     None