Fix stale JWT replay on user switch and IAM fetch with null ryw data

- UserManager.onModelReplaced: clear pendingJwtInvalidatedExternalId
  under jwtInvalidatedLock to prevent stale JWT events replaying to a
  new user
- LoginUserOperationExecutor: call resolveConditionsWithID
  unconditionally to clean up stale IamFetchReadyCondition("") entries
- InAppMessagesManager: remove null guards so IAMs are fetched even
  when the consistency condition resolves with null rywData; adjust
  onJwtUpdated to use pendingJwtRetryExternalId as sole sentinel
- IInAppBackendService/InAppBackendService: accept nullable RywData and
  branch internally to fetch without ryw token when null

Made-with: Cursor

Author: nan-li

OneSignalSDK/detekt/detekt-baseline-in-app-messages.xml

@@ -68,7 +68,7 @@
     <ID>LongMethod:InAppRepository.kt$InAppRepository$override suspend fun cleanCachedInAppMessages()</ID>
     <ID>LongParameterList:IInAppBackendService.kt$IInAppBackendService$( appId: String, subscriptionId: String, variantId: String?, messageId: String, clickId: String?, isFirstClick: Boolean, )</ID>
     <ID>LongParameterList:InAppDisplayer.kt$InAppDisplayer$( private val _applicationService: IApplicationService, private val _lifecycle: IInAppLifecycleService, private val _promptFactory: IInAppMessagePromptFactory, private val _backend: IInAppBackendService, private val _influenceManager: IInfluenceManager, private val _configModelStore: ConfigModelStore, private val _languageContext: ILanguageContext, private val _time: ITime, )</ID>
-    <ID>LongParameterList:InAppMessagesManager.kt$InAppMessagesManager$( private val _applicationService: IApplicationService, private val _sessionService: ISessionService, private val _influenceManager: IInfluenceManager, private val _configModelStore: ConfigModelStore, private val _userManager: IUserManager, private val _identityModelStore: IdentityModelStore, private val _subscriptionManager: ISubscriptionManager, private val _outcomeEventsController: IOutcomeEventsController, private val _state: InAppStateService, private val _prefs: IInAppPreferencesController, private val _repository: IInAppRepository, private val _backend: IInAppBackendService, private val _triggerController: ITriggerController, private val _triggerModelStore: TriggerModelStore, private val _displayer: IInAppDisplayer, private val _lifecycle: IInAppLifecycleService, private val _languageContext: ILanguageContext, private val _time: ITime, private val _consistencyManager: IConsistencyManager, )</ID>
+    <ID>LongParameterList:InAppMessagesManager.kt$InAppMessagesManager$( private val _applicationService: IApplicationService, private val _sessionService: ISessionService, private val _influenceManager: IInfluenceManager, private val _configModelStore: ConfigModelStore, private val _userManager: IUserManager, private val _identityModelStore: IdentityModelStore, private val _subscriptionManager: ISubscriptionManager, private val _outcomeEventsController: IOutcomeEventsController, private val _state: InAppStateService, private val _prefs: IInAppPreferencesController, private val _repository: IInAppRepository, private val _backend: IInAppBackendService, private val _triggerController: ITriggerController, private val _triggerModelStore: TriggerModelStore, private val _displayer: IInAppDisplayer, private val _lifecycle: IInAppLifecycleService, private val _languageContext: ILanguageContext, private val _time: ITime, private val _consistencyManager: IConsistencyManager, private val _jwtTokenStore: JwtTokenStore, )</ID>
     <ID>LongParameterList:OneSignalAnimate.kt$OneSignalAnimate$( view: View, deltaFromY: Float, deltaToY: Float, duration: Int, interpolator: Interpolator?, animCallback: Animation.AnimationListener?, )</ID>
     <ID>MagicNumber:DraggableRelativeLayout.kt$DraggableRelativeLayout$3</ID>
     <ID>MagicNumber:DraggableRelativeLayout.kt$DraggableRelativeLayout$3000</ID>
@@ -103,12 +103,12 @@
     <ID>ReturnCount:DraggableRelativeLayout.kt$DraggableRelativeLayout.&lt;no name provided&gt;$override fun clampViewPositionVertical( child: View, top: Int, dy: Int, ): Int</ID>
     <ID>ReturnCount:DynamicTriggerController.kt$DynamicTriggerController$fun dynamicTriggerShouldFire(trigger: Trigger): Boolean</ID>
     <ID>ReturnCount:InAppBackendService.kt$InAppBackendService$override suspend fun getIAMData( appId: String, messageId: String, variantId: String?, ): GetIAMDataResponse</ID>
-    <ID>ReturnCount:InAppBackendService.kt$InAppBackendService$private suspend fun attemptFetchWithRetries( baseUrl: String, rywData: RywData, sessionDurationProvider: () -&gt; Long, ): List&lt;InAppMessage&gt;?</ID>
+    <ID>ReturnCount:InAppBackendService.kt$InAppBackendService$private suspend fun attemptFetchWithRetries( baseUrl: String, rywData: RywData, sessionDurationProvider: () -&gt; Long, jwt: String? = null, ): List&lt;InAppMessage&gt;?</ID>
     <ID>ReturnCount:InAppHydrator.kt$InAppHydrator$fun hydrateIAMMessageContent(jsonObject: JSONObject): InAppMessageContent?</ID>
     <ID>ReturnCount:InAppMessage.kt$InAppMessage$private fun parseEndTimeJson(json: JSONObject): Date?</ID>
     <ID>ReturnCount:InAppMessagePreviewHandler.kt$InAppMessagePreviewHandler$private fun inAppPreviewPushUUID(payload: JSONObject): String?</ID>
     <ID>ReturnCount:InAppMessagesManager.kt$InAppMessagesManager$override fun onMessageWasDisplayed(message: InAppMessage)</ID>
-    <ID>ReturnCount:InAppMessagesManager.kt$InAppMessagesManager$private suspend fun fetchMessages(rywData: RywData)</ID>
+    <ID>ReturnCount:InAppMessagesManager.kt$InAppMessagesManager$private suspend fun fetchMessages(rywData: RywData?)</ID>
     <ID>ReturnCount:TriggerController.kt$TriggerController$override fun evaluateMessageTriggers(message: InAppMessage): Boolean</ID>
     <ID>ReturnCount:TriggerController.kt$TriggerController$override fun isTriggerOnMessage( message: InAppMessage, triggersKeys: Collection&lt;String&gt;, ): Boolean</ID>
     <ID>ReturnCount:TriggerController.kt$TriggerController$override fun messageHasOnlyDynamicTriggers(message: InAppMessage): Boolean</ID>
@@ -124,7 +124,7 @@
     <ID>TooManyFunctions:InAppBackendService.kt$InAppBackendService : IInAppBackendService</ID>
     <ID>TooManyFunctions:InAppMessage.kt$InAppMessage : IInAppMessage</ID>
     <ID>TooManyFunctions:InAppMessageView.kt$InAppMessageView</ID>
-    <ID>TooManyFunctions:InAppMessagesManager.kt$InAppMessagesManager : IInAppMessagesManagerIStartableServiceISubscriptionChangedHandlerISingletonModelStoreChangeHandlerIInAppLifecycleEventHandlerITriggerHandlerISessionLifecycleHandlerIApplicationLifecycleHandler</ID>
+    <ID>TooManyFunctions:InAppMessagesManager.kt$InAppMessagesManager : IInAppMessagesManagerIStartableServiceISubscriptionChangedHandlerISingletonModelStoreChangeHandlerIInAppLifecycleEventHandlerITriggerHandlerISessionLifecycleHandlerIApplicationLifecycleHandlerIJwtUpdateListener</ID>
     <ID>TooManyFunctions:TriggerController.kt$TriggerController : ITriggerControllerIModelStoreChangeHandler</ID>
     <ID>TooManyFunctions:WebViewManager.kt$WebViewManager : IActivityLifecycleHandler</ID>
     <ID>UndocumentedPublicClass:TriggerModel.kt$TriggerModel : Model</ID>

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/UserManager.kt

@@ -316,7 +316,11 @@ internal open class UserManager(
     override fun onModelReplaced(
         model: IdentityModel,
         tag: String,
-    ) { }
+    ) {
+        synchronized(jwtInvalidatedLock) {
+            pendingJwtInvalidatedExternalId = null
+        }
+    }
 
     override fun onModelUpdated(
         args: ModelChangedArgs,

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/operations/impl/executors/LoginUserOperationExecutor.kt

@@ -230,9 +230,8 @@ internal class LoginUserOperationExecutor(
 
             if (response.rywData != null) {
                 _consistencyManager.setRywData(backendOneSignalId, IamFetchRywTokenKey.USER, response.rywData)
-            } else {
-                _consistencyManager.resolveConditionsWithID(IamFetchReadyCondition.ID)
             }
+            _consistencyManager.resolveConditionsWithID(IamFetchReadyCondition.ID)
 
             val wasPossiblyAnUpsert = identities.isNotEmpty()
             val followUpOperations =

OneSignalSDK/onesignal/core/src/test/java/com/onesignal/user/internal/UserManagerTests.kt

@@ -2,6 +2,7 @@ package com.onesignal.user.internal
 
 import com.onesignal.core.internal.language.ILanguageContext
 import com.onesignal.mocks.MockHelper
+import com.onesignal.user.internal.identity.IdentityModel
 import com.onesignal.user.internal.subscriptions.ISubscriptionManager
 import com.onesignal.user.internal.subscriptions.SubscriptionList
 import io.kotest.assertions.throwables.shouldNotThrow
@@ -15,6 +16,8 @@ import io.mockk.mockk
 import io.mockk.runs
 import io.mockk.slot
 import io.mockk.verify
+import kotlin.reflect.full.memberFunctions
+import kotlin.reflect.jvm.isAccessible
 
 class UserManagerTests : FunSpec({
 
@@ -235,4 +238,27 @@ class UserManagerTests : FunSpec({
             )
         }
     }
+
+    test("onModelReplaced clears pendingJwtInvalidatedExternalId") {
+        // Given
+        val mockSubscriptionManager = mockk<ISubscriptionManager>()
+        val userManager =
+            UserManager(mockSubscriptionManager, MockHelper.identityModelStore(), MockHelper.propertiesModelStore(), MockHelper.customEventController(), MockHelper.languageContext())
+
+        // Fire a JWT invalidated event with no subscribers, so it pends
+        val fireMethod = UserManager::class.memberFunctions.first { it.name == "fireJwtInvalidated" }
+        fireMethod.isAccessible = true
+        fireMethod.call(userManager, "user-alice")
+
+        // Verify pending state is set
+        val pendingField = UserManager::class.java.getDeclaredField("pendingJwtInvalidatedExternalId")
+        pendingField.isAccessible = true
+        pendingField.get(userManager) shouldBe "user-alice"
+
+        // When — user switches (model replaced)
+        userManager.onModelReplaced(IdentityModel(), "test")
+
+        // Then — pending state should be cleared
+        pendingField.get(userManager) shouldBe null
+    }
 })

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/InAppMessagesManager.kt

@@ -160,10 +160,8 @@ internal class InAppMessagesManager(
                         suspendifyOnIO {
                             val updateConditionDeferred =
                                 _consistencyManager.getRywDataFromAwaitableCondition(IamFetchReadyCondition(newOneSignalId))
-                            val rywToken = updateConditionDeferred.await()
-                            if (rywToken != null) {
-                                fetchMessages(rywToken)
-                            }
+                            val rywData = updateConditionDeferred.await()
+                            fetchMessages(rywData)
                         }
                     }
                 }
@@ -294,15 +292,12 @@ internal class InAppMessagesManager(
             val iamFetchCondition =
                 _consistencyManager.getRywDataFromAwaitableCondition(IamFetchReadyCondition(onesignalId))
             val rywData = iamFetchCondition.await()
-
-            if (rywData != null) {
-                fetchMessages(rywData)
-            }
+            fetchMessages(rywData)
         }
     }
 
     // called when a new push subscription is added, or the app id is updated, or a new session starts
-    private suspend fun fetchMessages(rywData: RywData) {
+    private suspend fun fetchMessages(rywData: RywData?) {
         // We only want to fetch IAMs if we know the app is in the
         // foreground, as we don't want to do this for background
         // events (such as push received), wasting resources for
@@ -1046,9 +1041,10 @@ internal class InAppMessagesManager(
     }
 
     override fun onJwtUpdated(externalId: String) {
-        val retryExternalId = pendingJwtRetryExternalId
+        val retryExternalId = pendingJwtRetryExternalId ?: return
+        if (externalId != retryExternalId) return
+
         val retryRywData = pendingJwtRetryRywData
-        if (retryExternalId == null || retryRywData == null || externalId != retryExternalId) return
 
         Logging.debug("InAppMessagesManager.onJwtUpdated: JWT refreshed for $externalId, retrying IAM fetch")
         pendingJwtRetryExternalId = null

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/backend/IInAppBackendService.kt

@@ -24,7 +24,7 @@ internal interface IInAppBackendService {
         aliasLabel: String,
         aliasValue: String,
         subscriptionId: String,
-        rywData: RywData,
+        rywData: RywData?,
         sessionDurationProvider: () -> Long,
         jwt: String? = null,
     ): List<InAppMessage>?

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/backend/impl/InAppBackendService.kt

@@ -29,14 +29,19 @@ internal class InAppBackendService(
         aliasLabel: String,
         aliasValue: String,
         subscriptionId: String,
-        rywData: RywData,
+        rywData: RywData?,
         sessionDurationProvider: () -> Long,
         jwt: String?,
     ): List<InAppMessage>? {
+        val baseUrl = "apps/$appId/users/by/$aliasLabel/$aliasValue/subscriptions/$subscriptionId/iams"
+
+        if (rywData == null) {
+            return fetchInAppMessagesWithoutRywToken(baseUrl, sessionDurationProvider, jwt)
+        }
+
         val rywDelay = rywData.rywDelay ?: DEFAULT_RYW_DELAY_MS
-        delay(rywDelay) // Delay by the specified amount
+        delay(rywDelay)
 
-        val baseUrl = "apps/$appId/users/by/$aliasLabel/$aliasValue/subscriptions/$subscriptionId/iams"
         return attemptFetchWithRetries(baseUrl, rywData, sessionDurationProvider, jwt)
     }
 

OneSignalSDK/onesignal/in-app-messages/src/test/java/com/onesignal/inAppMessages/internal/InAppMessagesManagerTests.kt

@@ -1436,6 +1436,71 @@ class InAppMessagesManagerTests : FunSpec({
         }
     }
 
+    context("Null RYW data") {
+        test("fetchMessagesWhenConditionIsMet fetches without ryw token when condition resolves with null") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+
+            val nullRywDeferred = mockk<CompletableDeferred<RywData?>> {
+                coEvery { await() } returns null
+            }
+            coEvery {
+                mocks.consistencyManager.getRywDataFromAwaitableCondition(any<IamFetchReadyCondition>())
+            } returns nullRywDeferred
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), isNull(), any(), any())
+            } returns listOf(mocks.createInAppMessage())
+
+            // When
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+
+            // Then — should call listInAppMessages with null rywData
+            coVerify(exactly = 1) {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), isNull(), any(), any())
+            }
+        }
+
+        test("onJwtUpdated retries with null rywData when pendingJwtRetryExternalId is set") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+            mocks.identityModelStore.model.externalId = "test-external-id"
+
+            val nullRywDeferred = mockk<CompletableDeferred<RywData?>> {
+                coEvery { await() } returns null
+            }
+            coEvery {
+                mocks.consistencyManager.getRywDataFromAwaitableCondition(any<IamFetchReadyCondition>())
+            } returns nullRywDeferred
+
+            // First call throws 401, second (retry) succeeds
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), isNull(), any(), any())
+            } throws BackendException(401, "Unauthorized") andThen listOf(mocks.createInAppMessage())
+
+            // Trigger initial fetch that will 401
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe "test-external-id"
+            mocks.getPendingJwtRetryRywData(mocks.inAppMessagesManager) shouldBe null
+
+            // When — JWT is refreshed
+            mocks.inAppMessagesManager.onJwtUpdated("test-external-id")
+            awaitIO()
+
+            // Then — should have retried, pending state cleared
+            coVerify(exactly = 2) {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), isNull(), any(), any())
+            }
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe null
+        }
+    }
+
     context("JWT 401 Retry") {
         test("fetchMessages stores pending retry state on 401 BackendException") {
             // Given