Problem
On the iOS (Hybrid) app, a newly-verified unverified user is logged out after tapping the back button on the Profile page once they save private personal details and enter the magic code.
This was caught during exploratory testing around #91602 and surfaced on PR #91646. It is not caused by that PR — it reproduces on the existing UpdatePrivatePersonalDetails flow and only on iOS.
- Reproducible in staging?: Yes
- Reproducible in production?: No
- Platform: iOS: App
Steps to reproduce
- Create a new unverified account (e.g. via "Something else" intent) and launch the Hybrid app.
- Go to Account > Profile > Legal name.
- Enter all required details and tap Save.
- Enter the magic code.
- Tap the back button.
- Observe the user is logged out of the app (if not immediately, wait a few seconds on the Profile page).
Expected: User lands on the Account tab after tapping back.
Actual: User is logged out.
Conclusion of investigation
heekinho investigated and concluded (investigation comment, root-cause + proposed fix):
- On web, after
UpdatePrivatePersonalDetails the client issues a PusherPing that detects the expired session, followed by an Authenticate that silently refreshes the token. On iOS the app logs out instead of refreshing.
- Root cause: iOS generates a mixed-case
deviceID. DeviceInfo.getDeviceId() returns the hardware model code (e.g. iPhone17,1) — uppercase letters plus a comma — which is concatenated as-is into the device GUID stored in ONYXKEYS.DEVICE_ID, producing values like iPhone17,1_92897F75-.... Web and Android both produce fully lowercase device IDs. This case mismatch is what leads to the logout on iOS.
- Proposed fix: lowercase the iOS device ID at generation time — a one-liner in
src/libs/actions/Device/generateDeviceID/index.ios.ts:9. New iOS sign-ups would then match web/Android; existing installs keep their cached DEVICE_ID (no migration), so currently signed-in users are unaffected.
- A backend-side fix was explored but rejected: lowercasing on the backend breaks index usage / lookups and still causes logout because it mismatches the mixed-case value the client already stored.
Testing note: App information is persisted, so uninstall / clear app data before testing the fix.
Issue Owner
Current Issue Owner: @heekinho
Problem
On the iOS (Hybrid) app, a newly-verified unverified user is logged out after tapping the back button on the Profile page once they save private personal details and enter the magic code.
This was caught during exploratory testing around #91602 and surfaced on PR #91646. It is not caused by that PR — it reproduces on the existing
UpdatePrivatePersonalDetailsflow and only on iOS.Steps to reproduce
Expected: User lands on the Account tab after tapping back.
Actual: User is logged out.
Conclusion of investigation
heekinhoinvestigated and concluded (investigation comment, root-cause + proposed fix):UpdatePrivatePersonalDetailsthe client issues aPusherPingthat detects the expired session, followed by anAuthenticatethat silently refreshes the token. On iOS the app logs out instead of refreshing.deviceID.DeviceInfo.getDeviceId()returns the hardware model code (e.g.iPhone17,1) — uppercase letters plus a comma — which is concatenated as-is into the device GUID stored inONYXKEYS.DEVICE_ID, producing values likeiPhone17,1_92897F75-.... Web and Android both produce fully lowercase device IDs. This case mismatch is what leads to the logout on iOS.src/libs/actions/Device/generateDeviceID/index.ios.ts:9. New iOS sign-ups would then match web/Android; existing installs keep their cachedDEVICE_ID(no migration), so currently signed-in users are unaffected.Testing note: App information is persisted, so uninstall / clear app data before testing the fix.
Issue Owner
Current Issue Owner: @heekinho