Skip to content

fix: detect when Identity verification becomes turned off#1674

Open
nan-li wants to merge 4 commits into
fix/identity_verification_crashesfrom
fix/detect_iv_turned_off
Open

fix: detect when Identity verification becomes turned off#1674
nan-li wants to merge 4 commits into
fix/identity_verification_crashesfrom
fix/detect_iv_turned_off

Conversation

@nan-li

@nan-li nan-li commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description

One Line Summary

Detect when Identity Verification is turned off and release any requests that were waiting on a JWT.

Details

Motivation

The SDK detected Identity Verification (IV) turning on but never handled it turning off. Two gaps:

  1. A missing jwt_required field in remote params only set IV off when the value was previously unknown, so an app that had IV on stayed on after it was disabled remotely — the on→off transition was never even produced.
  2. No OSUserJwtConfigListener acted on the off transition, so requests parked per-external-id awaiting a JWT (each executor's pendingAuthRequests) were stranded forever — once IV is off, no JWT will ever arrive to release them.

Scope

  • A missing jwt_required remote param now always resolves IV to off (including the previously-on case).
  • On the off transition, each executor (User, Identity, Subscription, Property, CustomEvents) re-queues its auth-pended requests and flushes them without a JWT; the IAM controller re-fires a deferred fetch.
  • Not changed: the on/unknown transitions, the deferral of requests while IV status is unknown, and OSOperationRepo (deltas still flush on the normal poll cadence).
  • Also fixes a pre-existing bug where removeInvalidDeltasAndRequests persisted updateRequestQueue under the add/remove subscription queue keys.

Testing

Unit testing

Added per-executor tests asserting parked requests are released and sent without auth on the off transition, plus OSUserJwtConfig tests verifying a missing jwt_required resolves to off (including previously-on) and that an unchanged value does not re-fire listeners. All pass in OneSignalUserTests.

Manual testing

Not tested on a physical device; behavior is covered by the unit tests above.

Affected code checklist

  • Notifications
    • Display
    • Open
    • Push Processing
    • Confirm Deliveries
  • Outcomes
  • Sessions
  • In-App Messaging
  • REST API requests
  • Public API changes

Checklist

Overview

  • I have filled out all REQUIRED sections above
  • PR does one thing
  • Any Public API changes are explained in the PR details and conform to existing APIs

Testing

  • I have included test coverage for these changes, or explained why they are not needed
  • All automated tests pass, or I explained why that is not possible
  • I have personally tested this on my device, or explained why that is not possible

Final pass

  • Code is as readable as possible.
  • I have reviewed this PR myself, ensuring it meets each checklist item

nan-li and others added 4 commits June 10, 2026 18:09
@nan-li @claude
fix: turn Identity Verification off when remote params omit jwt_required
7169732 
A missing jwt_required field previously set the flag off only when it was still unknown, so an app that had Identity Verification on stayed on after it was disabled remotely. Treat a missing field as off unconditionally so the on->off transition is actually detected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nan-li @claude
fix: release auth-pended requests when Identity Verification is turne…
8dc649e 
…d off

While auth is required, requests without a valid JWT are parked per external ID awaiting a token. Once Identity Verification is turned off no token will arrive, so each JWT listener (User, Identity, Subscription, Property, and CustomEvents executors, plus the IAM controller) now releases the parked work and flushes it on the off transition.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nan-li @claude
fix: persist correct add/remove subscription queues on JWT cleanup
d3423c5 
removeInvalidDeltasAndRequests saved updateRequestQueue under both the add and remove request queue keys, corrupting those caches when Identity Verification is enabled. Persist the matching addRequestQueue and removeRequestQueue instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nan-li @claude
test: cover Identity Verification turned-off transition
aef1699 
Add per-executor tests asserting parked requests are released and sent without auth once Identity Verification is turned off, plus OSUserJwtConfig tests verifying a missing jwt_required remote param resolves to off (including the previously-on case) and that an unchanged value does not re-fire listeners.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nan-li

nan-li commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

@claude review

@nan-li nan-li changed the title Fix/detect iv turned off fix: detect when Identity verification becomes turned off Jun 11, 2026
@nan-li nan-li force-pushed the fix/detect_iv_turned_off branch from b000fdc to aef1699 Compare June 11, 2026 01:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nan-li