Fixed retrigger of completeUserLogin on new auth token

Author: franco-zalamena-iterable

CHANGELOG.md

@@ -2,6 +2,14 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [Unreleased]
+
+### Added
+- Added `updateAuthToken(String)` method for updating the auth token without triggering login side effects (push registration, in-app sync, embedded sync). Use this when you only need to refresh the token for an already logged-in user.
+
+### Deprecated
+- `setAuthToken(String)` is now deprecated. It still triggers login operations (push registration, in-app sync, embedded sync) for backward compatibility, but will be changed to only store the token in a future release. Migrate to `updateAuthToken(String)` to update the token without side effects, or use `setEmail(email, authToken)` / `setUserId(userId, authToken)` to set credentials and trigger login operations.
+
 ## [3.6.5]
 ### Fixed
 - Fixed IterableEmbeddedView not having an empty constructor and causing crashes

iterableapi/src/main/java/com/iterable/iterableapi/IterableApi.java

@@ -137,7 +137,7 @@ public String getAuthToken() {
     private void checkAndUpdateAuthToken(@Nullable String authToken) {
         // If authHandler exists and if authToken is new, it will be considered as a call to update the authToken.
         if (config.authHandler != null && authToken != null && authToken != _authToken) {
-            setAuthToken(authToken);
+            updateAuthToken(authToken);
         }
     }
 
@@ -425,20 +425,24 @@ private void onLogin(
             @Nullable IterableHelper.FailureHandler failureHandler
     ) {
         if (!isInitialized()) {
-            setAuthToken(null);
+            updateAuthToken(null);
             return;
         }
 
         getAuthManager().pauseAuthRetries(false);
         if (authToken != null) {
-            setAuthToken(authToken);
+            updateAuthToken(authToken);
+            completeUserLogin();
             attemptMergeAndEventReplay(userIdOrEmail, isEmail, merge, replay, isUnknown, failureHandler);
         } else {
-            getAuthManager().requestNewAuthToken(false, data -> attemptMergeAndEventReplay(userIdOrEmail, isEmail, merge, replay, isUnknown, failureHandler));
+            getAuthManager().requestNewAuthToken(false, data -> {
+                completeUserLogin();
+                attemptMergeAndEventReplay(userIdOrEmail, isEmail, merge, replay, isUnknown, failureHandler);
+            });
         }
     }
 
-    private void completeUserLogin() {
+    void completeUserLogin() {
         completeUserLogin(_email, _userId, _authToken);
     }
 
@@ -679,19 +683,16 @@ public void resetAuth() {
 
 //region API functions (private/internal)
 //---------------------------------------------------------------------------------------
-    void setAuthToken(String authToken, boolean bypassAuth) {
+
+    /**
+     * Updates the auth token without triggering login side effects (push registration, in-app sync, etc.).
+     * Use this method when you only need to update the token for an already logged-in user.
+     * For initial login, use {@code setEmail(email, authToken)} or {@code setUserId(userId, authToken)}.
+     */
+    public void updateAuthToken(@Nullable String authToken) {
         if (isInitialized()) {
-            if ((authToken != null && !authToken.equalsIgnoreCase(_authToken)) || (_authToken != null && !_authToken.equalsIgnoreCase(authToken))) {
-                _authToken = authToken;
-                // SECURITY: Use completion handler to atomically store and pass validated credentials.
-                // The completion handler receives exact values stored to keychain, preventing TOCTOU
-                // attacks where keychain could be modified between storage and completeUserLogin execution.
-                storeAuthData((email, userId, token) -> completeUserLogin(email, userId, token));
-            } else if (bypassAuth) {
-                // SECURITY: Pass current credentials directly to completeUserLogin.
-                // completeUserLogin will validate authToken presence when JWT auth is enabled.
-                completeUserLogin(_email, _userId, _authToken);
-            }
+            _authToken = authToken;
+            storeAuthData();
         }
     }
 
@@ -1211,8 +1212,24 @@ private void attemptAndProcessMerge(@NonNull String destinationUser, boolean isE
         });
     }
 
-    public void setAuthToken(String authToken) {
-        setAuthToken(authToken, false);
+    /**
+     * Sets the auth token and triggers login operations (push registration, in-app sync, embedded sync).
+     *
+     * @deprecated This method triggers login side effects beyond just setting the token.
+     * To update the auth token without login side effects, use {@link #updateAuthToken(String)}.
+     * To set credentials and trigger login operations, use {@code setEmail(email, authToken)}
+     * or {@code setUserId(userId, authToken)}.
+     * In a future release, this method will only store the auth token without triggering login operations.
+     */
+    @Deprecated
+    public void setAuthToken(@Nullable String authToken) {
+        if (isInitialized()) {
+            IterableLogger.w(TAG, "setAuthToken() is deprecated. Use updateAuthToken() to update the token, " +
+                    "or setEmail(email, authToken) / setUserId(userId, authToken) for login. " +
+                    "In a future release, this method will only store the auth token without triggering login operations.");
+            _authToken = authToken;
+            storeAuthData(this::completeUserLogin);
+        }
     }
 
     /**

iterableapi/src/main/java/com/iterable/iterableapi/IterableAuthManager.java

@@ -204,7 +204,7 @@ public void run() {
             }
 
         } else {
-            IterableApi.getInstance().setAuthToken(null, true);
+            IterableApi.getInstance().completeUserLogin();
         }
     }
 
@@ -213,15 +213,15 @@ private void handleAuthTokenSuccess(String authToken, IterableHelper.SuccessHand
             // Token obtained but not yet verified by a request - set state to UNKNOWN.
             // setAuthState will notify listeners only if previous state was INVALID.
             setAuthState(AuthState.UNKNOWN);
-            IterableApi.getInstance().setAuthToken(authToken);
+            IterableApi.getInstance().updateAuthToken(authToken);
             queueExpirationRefresh(authToken);
 
             if (successCallback != null) {
                 handleSuccessForAuthToken(authToken, successCallback);
             }
         } else {
             handleAuthFailure(authToken, AuthFailureReason.AUTH_TOKEN_NULL);
-            IterableApi.getInstance().setAuthToken(authToken);
+            IterableApi.getInstance().updateAuthToken(authToken);
             scheduleAuthTokenRefresh(getNextRetryInterval(), false, null);
             return;
         }

iterableapi/src/test/java/com/iterable/iterableapi/IterableApiAuthSecurityTests.java

@@ -99,13 +99,13 @@ public void testCompleteUserLogin_WithJWTAuth_NoToken_SkipsSensitiveOps() throws
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
 
-        // Directly call setAuthToken with null and bypassAuth=true to simulate
+        // Directly call updateAuthToken with null to simulate
         // attempting to bypass with no token (user-controlled bypass scenario)
-        api.setAuthToken(null, true);
+        api.updateAuthToken(null);
 
         shadowOf(getMainLooper()).idle();
 
-        // Verify sensitive operations were NOT called (JWT auth enabled, no token)
+        // Verify sensitive operations were NOT called (updateAuthToken only stores, no login side effects)
         verify(mockInAppManager, never()).syncInApp();
         verify(mockEmbeddedManager, never()).syncMessages();
     }
@@ -246,14 +246,16 @@ public void testSetAuthToken_UsesCompletionHandlerPattern() throws Exception {
         org.mockito.Mockito.clearInvocations(mockInAppManager, mockEmbeddedManager);
 
         // Now update auth token (simulating token refresh)
+        // updateAuthToken just stores the token — it does not trigger completeUserLogin.
+        // Sensitive operations (syncInApp, syncMessages) are only triggered during login flow.
         final String newToken = "new_jwt_token_here";
-        api.setAuthToken(newToken, false);
+        api.updateAuthToken(newToken);
 
         shadowOf(getMainLooper()).idle();
 
-        // Verify sensitive operations were called with updated token
-        verify(mockInAppManager).syncInApp();
-        verify(mockEmbeddedManager).syncMessages();
+        // Verify sensitive operations were NOT called (updateAuthToken only stores, doesn't trigger login)
+        verify(mockInAppManager, never()).syncInApp();
+        verify(mockEmbeddedManager, never()).syncMessages();
         assertEquals("Token should be updated", newToken, api.getAuthToken());
     }
 
@@ -274,7 +276,7 @@ public void testSetAuthToken_BypassAuth_StillValidatesToken() throws Exception {
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
 
         // Try to bypass with no token set
-        api.setAuthToken(null, true);
+        api.updateAuthToken(null);
 
         shadowOf(getMainLooper()).idle();
 

iterableapi/src/test/java/com/iterable/iterableapi/IterableApiAuthTests.java

@@ -23,9 +23,14 @@
 import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertNotNull;
 import static junit.framework.Assert.assertNull;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
 import static org.robolectric.Shadows.shadowOf;
+
+import org.mockito.Mockito;
 import static org.robolectric.annotation.LooperMode.Mode.PAUSED;
 
 @LooperMode(PAUSED)
@@ -509,4 +514,52 @@ public void testAuthTokenRefreshPausesOnBackground() throws Exception {
         // Test passes if no exceptions were thrown and lifecycle methods executed successfully
     }
 
+    @Test
+    public void testTokenRefreshDoesNotTriggerPushRegistration() throws Exception {
+        IterablePushRegistration.IterablePushRegistrationImpl originalPushImpl = IterablePushRegistration.instance;
+        IterablePushRegistration.instance = mock(IterablePushRegistration.IterablePushRegistrationImpl.class);
+
+        try {
+            // Initialize with auth and auto push registration enabled
+            IterableApi.sharedInstance = new IterableApi();
+            authHandler = mock(IterableAuthHandler.class);
+            IterableApi.initialize(getContext(), "apiKey",
+                    new IterableConfig.Builder()
+                            .setAuthHandler(authHandler)
+                            .setAutoPushRegistration(true)
+                            .setPushIntegrationName("pushIntegration")
+                            .build());
+
+            // Initial login: setEmail triggers requestNewAuthToken on executor thread
+            doReturn(validJWT).when(authHandler).onAuthTokenRequested();
+            IterableApi.getInstance().setEmail("test@example.com");
+            // Allow executor thread to complete and main looper to process callbacks
+            Thread.sleep(500);
+            shadowOf(getMainLooper()).idle();
+            shadowOf(getMainLooper()).runToEndOfTasks();
+
+            // Verify initial push registration happened
+            verify(IterablePushRegistration.instance).executePushRegistrationTask(any(IterablePushRegistrationData.class));
+
+            // Reset mock to clear invocation history
+            Mockito.reset(IterablePushRegistration.instance);
+
+            // Trigger auth token refresh with a different JWT
+            doReturn(newJWT).when(authHandler).onAuthTokenRequested();
+            IterableApi.getInstance().getAuthManager().requestNewAuthToken(false, null);
+            // Allow executor thread to complete and main looper to process callbacks
+            Thread.sleep(500);
+            shadowOf(getMainLooper()).idle();
+            shadowOf(getMainLooper()).runToEndOfTasks();
+
+            // Verify the token was actually refreshed
+            assertEquals(newJWT, IterableApi.getInstance().getAuthToken());
+
+            // Assert that push registration was NOT called again on token refresh
+            verify(IterablePushRegistration.instance, never()).executePushRegistrationTask(any(IterablePushRegistrationData.class));
+        } finally {
+            IterablePushRegistration.instance = originalPushImpl;
+        }
+    }
+
 }