-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JWT] App startup #1473
Open
nan-li
wants to merge
61
commits into
internal_dump_method
Choose a base branch
from
identity_verification_app_startup
base: internal_dump_method
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
[JWT] App startup #1473
+3,632
−641
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nan-li
force-pushed
the
internal_dump_method
branch
from
August 22, 2024 18:31
0ba7ad5
to
039479d
Compare
nan-li
force-pushed
the
identity_verification_app_startup
branch
4 times, most recently
from
August 22, 2024 19:56
6fe9b03
to
4827f36
Compare
nan-li
force-pushed
the
internal_dump_method
branch
2 times, most recently
from
August 22, 2024 23:26
186c65d
to
35677bc
Compare
nan-li
force-pushed
the
identity_verification_app_startup
branch
from
August 23, 2024 15:41
4827f36
to
a012272
Compare
* Add text fields and buttons for testing * Use staging * remove app clips * Make Client more verbose with headers
For debugging
* Make OSUserJwtConfig object to handle auth status etc * User manager owns an instance of the JWT Config
* Add `OSUD_USE_IDENTITY_VERIFICATION` flag to OneSignalCommonDefines
public updateUserJwt method
* User request instances already have a `prepareForExecution()` method that indicates if this request can be sent yet. For example, does the onesignal ID exist to make this request. * Use this existing method to check for auth and block sending this request if auth is required but invalid, or auth is unknown, etc. * OSRequestFetchUser will have onesignalId as a property, regardless of JWT on or off. The aliasLabel and aliasId pair is already expected to be onesignal ID, so make it explicit. * Keeping the onesignal ID can be used to know if the user has actually been created on the server and to check for the post-create cool-off period. The request will be translated to use the onesignal ID or the external ID based on JWT on/off. Requests Updated: * OSRequestCreateUser * OSRequestFetchUser * OSRequestAddAliases * OSRequestRemoveAlias * OSRequestUpdateProperties Requests Not Allowed with Identity Verification: * OSRequestFetchIdentityBySubscription * OSRequestIdentifyUser
* Identity Model Store Listener will ignore it so no Deltas will be enqueued
* As a refresher, the Identity Model Repo holds all Identity Models present during an app run, which can include past users that have pending updates, while the Identity Model Store contains only the current user's Identity Model. * Let the OSIdentityModelRepo be the listener for changes to JWT token updates, and it needs to pass on that information to the User Manager who manages the JWT Config and fires other listeners of token changes.
Updates to: * OSPropertyOperationExecutor * OSIdentityOperationExecutor * OSUserExecutor Updates to OSSubscriptionOperationExecutor is still to be done.
* Refactor from a static shared instance to a instance managed by User Manager * Operation Repo does not flush while Identity Verification is unknown * Currently it is not going to process Deltas based on JWT. Executors will.
nan-li
force-pushed
the
identity_verification_app_startup
branch
from
August 23, 2024 15:56
a012272
to
a0baad8
Compare
nan-li
force-pushed
the
internal_dump_method
branch
from
August 23, 2024 18:54
35677bc
to
039479d
Compare
This will always fire it for 401 even if JWT is not required, so validate the JWT config in the user manager before firing the callback
This PR adds a pendingAuthRequests dictionary that stores the requests that are waiting for an updated JWT keyed on externalId. When a requests fails with a 401 due to JWT or fails when preparing for execution we remove the request from the request queue and add it to the pending dictionary. Once we get the onJWTUpdated callback for that externalId we requeue the pending requests and try again. Also update tests to account for the callback object change and add tests for the new case
When a requests fails with a 401 due to JWT or fails when preparing for execution we remove the request from the request queue and add it to the pending dictionary. Once we get the onJWTUpdated callback for that externalId we requeue the pending requests and try again. fixup property operations
When a requests fails with a 401 due to JWT or fails when preparing for execution we remove the request from the request queue and add it to the pending dictionary. Once we get the onJWTUpdated callback for that externalId we requeue the pending requests and try again.
adds handling for pending unauthorized subscription executor requests. Doesn't yet handle prepare for execution properly No unit tests yet
Run swiftlint and make a log more helpful
* Uncaching now involves more queues, can be refactored when op repo is refactored * Some executors added a helper to remove requests from the active queue and cache the queue after removal.
* Use a string constant `OS_JWT_TOKEN_INVALID` for a jwt token when we internally invalidated it, instead of setting to `nil`. * OSIdentityModelRepo will not notify user manager when a token has been set to `OS_JWT_TOKEN_INVALID`. The user manager will already be notified of invalidation by executors.
* The delete subscription request now has identity model, similar to the Create subscription request * The update subscription request is used only for the push sub, and it does not use User JWT, only a push token header * The "Device-Auth-Push-Token" header has to be base 64 encoded * Move some auth helpers into the JWT extension, and move execute request methods into an extension to address swiflint type_body_length violation
* OneSignalUserManagerImpl.swift violated the 1000 line file limit of Swiftlint * Options include modifing the rule but let's pull out 2 public protocols. * Additionally add more folders to organize the top-level files: MODELING for models and listeners, PUBLIC for publicly accessed objects and protocols
* Remove test on Update Subscription with JWT; it does not use User JWT * Make some changes to existing tests
* Remote params returns `jwt_required` as the key to use
* If logging into an external ID that already exists in the SDK, re-use that one to keep the same model.
* If multiple create user requests are enqueued for the same external ID, only keep the most recent one, and remove the previous. * These requests should all have the same identity model since they share external IDs, so only keeping the latest is adequate. * This prevents multiple Create User requests with the same external ID from being executed simultaneously, which is possible when JWT is on, as we allow future logins to be sent before past user's login succeeds. * An example of this is login(a) > login(b) > login(a) > login(b) but user A has an expired token. Once the token is updated for userA, potentially both logins could be executed if we don't prevent duplicates.
* Remove the push subscription if not current user; we don't want to transfer the push sub. * This detail is meant to handle JWT on, and previous failed user creates can be sent even though the user has changed successfully. * However, don't remove the push sub if the user is anonymous or else the create will fail. Also, when JWT is off and anonymous users can be created, this will block requests until it succeeds so there is no risk of accidentally transferring the push sub to an old user.
* Update the API for the listener, add and removal function names, event name * The listener API is OSUserJwtInvalidatedListener * The event is OSUserJwtInvalidatedEvent
* Usually, on logout, the user observer will fire once the anonymous user is created to the backend and returns with an OSID. However, when Identity Verification is on, that will not happen, so fire the observer early with `nil` values to represent there is no user in the SDK currently. * Firing the observer will save the state and necessary to know when the user logs back in. This is used by the messaging controller to fetch IAM appropriately. On a new session, it will not fetch IAM if logged out, but as the user observer, it will fetch once a user logs in.
* Revert back to prod servers * Add app clips back
[JWT] Handle logout when Identity verification is on
…e_users [JWT] Improve management of multiple users + finalize API
Fire jwt invalidated callback when receiving 401 errors
[JWT] Get In-App Messages from Server
…ith_prod [JWT] Handle when jwt_required is not returned in remote params
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
One Line Summary
Handles basic-level app startup for Identity Verification - on new install and minor migrations on upgrades.
Details
Internal JWT Config management and listeners
OSUserJwtConfig
object to handle auth required status, etc.print()
s to help debug, these will be removed eventually.Request objects updated to consider JWT
prepareForExecution()
method that indicates if this request can be sent yet. For example, does the onesignal ID exist to make this request.What has been tested in this PR
[OneSignal updateUserJwt:"externalUserId" withToken:"token"]
What is not included in this PR
Motivation
Support Identity Verification
Testing
Unit testing
🚧 WIP
Manual Testing
How to Test:
com.onesignal.example.staging
. Update the app ID to either168...
to test Identity Verification off, and013...
to test Identity Verification on. This is documented somewhere and please reach out for the keys and IDs.New install - Identity Verification is off - no login is called
New install - Identity Verification is ON - then login is called
Upgrade from main - Identity Verification is ON
main
, turn off connection, do a new install and call:[OneSignal updateUserJwt:@"nanaug23a" withToken:@"validToken"]
for the external ID that was logged into.Upgrade from player model - Identity Verification is ON
This is the test process I did:
player-model-main
, do a new install and I did not set external ID.OSRequestFetchIdentityBySubscription
that was previously generated is dropped.Affected code checklist
Checklist
Overview
Testing
Final pass
This change is