[WIP] Feature - Identity verification implementation

[jinliu9508]

Description

One Line Summary

Implement identity verification functionality to our Android SDK with JWT (JSON Web Token) that manage a specific User, their Subscriptions, and Identities, if enabled using OneSignal dashboard.

Details

Motivation

OneSignal Identity Verification feature only exists today for the Player model and we want to bring this feature to the User Model and gives us an opportunity to switch to a more standard client security model, JWT (JSON Web Token).

For Developers

If identity verification is enabled, all operations requiring identity or authorization must be accompanied by a correct JWT. Developers can use OneSignal.login(external_id, jwt) to set a JWT for a specific user identified by their external ID, or OneSignal.updateUserJwt(external_id, jwt) to update the JWT for that user. Additionally, developers can add a JWTInvalidatedListener by calling OneSignal.addUserJwtInvalidatedListener, allowing them to listen for a JWTInvalidatedEvent triggered when a JWT is invalidated by any operation, and subsequently update the JWT as necessary.

To Help With Review

This PR contains a some major structural changes working around identity verification.

• New public API methods addUserJwtInvalidatedListener and updateUserJwt in UserManager.
• Certain backend services and operations are now able to make request with JWT or deviceAuthPushToken depending on the operation type and purpose. They can also handle the UNAUTHORIZED http response and fire onUserJwtInvalidated callback accordingly.
• Optional headers like JWT and deviceAuthPushToken can now be passed to HttpClient to be included in each request.
• OperationRepo behavior change depends on the status of identity verification
• initWithContext behavior change: switching user is now placed after the remote params fetch. Creating anonymous user or subscription when identity verification is on will suppress backend operations.
• Login behavior change: update JWT for all future requests from the user.
• Logout behavior change: suspend the push subscription

Testing

Unit testing

I have include a testing case that simulate a UNAUTHROIZED error (401, 403) and ensure that the jwt for the specific user is invalidated and the JWTInvalidatedEvent is fired.

Manual testing

• Fresh Install: An anonymous user is created upon a fresh install and will not create a login request until Login with a JWT is called.
• Upgrade from User Model:
  • If a user is logged prior the upgrade and does not have JWT, app will fire the callback to retrieve a JWT and then attempt to send the request.
  • If the user has JWT cached, app will directly send a login request.
  • If no user has previously logged in successfully, the app will work the same as fresh install.
• When an UNAUTHORIZED http error is caught: onJwtInvalidatedEvent will be fired and the code that retrieves a new JWT in UserJwtInvalidatedListener will be called to update user JWT. The request will then retry with the new JWT.

Affected code checklist

• Notifications
  • Display
  • Open
  • Push Processing
  • Confirm Deliveries
• Outcomes
• Sessions
• In-App Messaging
• REST API requests
• Public API changes

Checklist

Overview

• I have filled out all REQUIRED sections above
• PR does one thing
  • If it is hard to explain how any codes changes are related to each other then it most likely needs to be more than one PR
• Any Public API changes are explained in the PR details and conform to existing APIs

Testing

• I have included test coverage for these changes, or explained why they are not needed
• All automated tests pass, or I explained why that is not possible
• I have personally tested this on my device, or explained why that is not possible

Final pass

• Code is as readable as possible.
  • Simplify with less code, followed by splitting up code into well named functions and variables, followed by adding comments to the code.
• I have reviewed this PR myself, ensuring it meets each checklist item
  • WIP (Work In Progress) is ok, but explain what is still in progress and what you would like feedback on. Start the PR title with "WIP" to indicate this.

---

This change is 

[jkasten2]

Most of my feedback was added inline, but I have one additional comment that wasn't clear if it is TODO yet or not. Is the new JWT endpoint to remove email and SMS by token still TODO in this PR, or did I miss it?

[jkasten2]

Revert before merging.

[jkasten2]

Remove manual testing before merging.

[jkasten2]

Remove commented out code

[jkasten2]

Revert app_id change

[jkasten2]

Address TODO

[jkasten2]

Why don't we want to propagate?

[jkasten2]

The jwtToken has two invalidate states; blank string and null. Can we set this to null here so we don't have to worry about a blank string state?

[jkasten2]

I believe this whole class is not used when identity verification is on, so we should move and rework it to fit that.

[jkasten2]

I see we call this _identityModelStore.invalidateJwt() in every executor, do you think it would work out to have the OperationRepo process ExecutionResult.FAIL_UNAUTHORIZED so it is the only one calling invalidateJwt()?

[jkasten2]

This SDK supports fireOS and Huawei push so you will need a more complete check. However, since this looks like it is for Device Auth then we can remove it.

• That is, once we have 100% committed to that path, so hold on addressing this comment until then.