Skip to content

iOS: User logged out after verifying account on back button (mixed-case deviceID) #92392

Description

@MelvinBot

Problem

On the iOS (Hybrid) app, a newly-verified unverified user is logged out after tapping the back button on the Profile page once they save private personal details and enter the magic code.

This was caught during exploratory testing around #91602 and surfaced on PR #91646. It is not caused by that PR — it reproduces on the existing UpdatePrivatePersonalDetails flow and only on iOS.

  • Reproducible in staging?: Yes
  • Reproducible in production?: No
  • Platform: iOS: App

Steps to reproduce

  1. Create a new unverified account (e.g. via "Something else" intent) and launch the Hybrid app.
  2. Go to Account > Profile > Legal name.
  3. Enter all required details and tap Save.
  4. Enter the magic code.
  5. Tap the back button.
  6. Observe the user is logged out of the app (if not immediately, wait a few seconds on the Profile page).

Expected: User lands on the Account tab after tapping back.
Actual: User is logged out.

Conclusion of investigation

heekinho investigated and concluded (investigation comment, root-cause + proposed fix):

  • On web, after UpdatePrivatePersonalDetails the client issues a PusherPing that detects the expired session, followed by an Authenticate that silently refreshes the token. On iOS the app logs out instead of refreshing.
  • Root cause: iOS generates a mixed-case deviceID. DeviceInfo.getDeviceId() returns the hardware model code (e.g. iPhone17,1) — uppercase letters plus a comma — which is concatenated as-is into the device GUID stored in ONYXKEYS.DEVICE_ID, producing values like iPhone17,1_92897F75-.... Web and Android both produce fully lowercase device IDs. This case mismatch is what leads to the logout on iOS.
  • Proposed fix: lowercase the iOS device ID at generation time — a one-liner in src/libs/actions/Device/generateDeviceID/index.ios.ts:9. New iOS sign-ups would then match web/Android; existing installs keep their cached DEVICE_ID (no migration), so currently signed-in users are unaffected.
  • A backend-side fix was explored but rejected: lowercasing on the backend breaks index usage / lookups and still causes logout because it mismatches the mixed-case value the client already stored.

Testing note: App information is persisted, so uninstall / clear app data before testing the fix.

Issue OwnerCurrent Issue Owner: @heekinho

Metadata

Metadata

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions