Fix PR review issues: fallback 401 handling, volatile fields, TOCTOU race

- Add UNAUTHORIZED check to fetchInAppMessagesWithoutRywToken so the
  JWT retry mechanism works when the fallback (no RYW token) path hits
  a 401/403.
- Add @volatile to pendingJwtRetryExternalId and pendingJwtRetryRywData
  for cross-thread memory visibility.
- Fix TOCTOU race in UserManager between fireJwtInvalidated and
  addJwtInvalidatedListener using a synchronized lock, preventing a
  lost JWT invalidated event when the two methods interleave.

Made-with: Cursor

Author: nan-li

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/UserManager.kt

@@ -55,14 +55,18 @@ internal open class UserManager(
     private val jwtInvalidatedAppCallbackScope =
         CoroutineScope(SupervisorJob() + Dispatchers.Default)
 
-    @Volatile
+    private val jwtInvalidatedLock = Any()
     private var pendingJwtInvalidatedExternalId: String? = null
 
     fun addJwtInvalidatedListener(listener: IUserJwtInvalidatedListener) {
-        jwtInvalidatedNotifier.subscribe(listener)
-        pendingJwtInvalidatedExternalId?.let { externalId ->
+        val pendingExternalId: String?
+        synchronized(jwtInvalidatedLock) {
+            jwtInvalidatedNotifier.subscribe(listener)
+            pendingExternalId = pendingJwtInvalidatedExternalId
             pendingJwtInvalidatedExternalId = null
-            listener.onUserJwtInvalidated(UserJwtInvalidatedEvent(externalId))
+        }
+        pendingExternalId?.let {
+            listener.onUserJwtInvalidated(UserJwtInvalidatedEvent(it))
         }
     }
 
@@ -77,18 +81,20 @@ internal open class UserManager(
      * listener is added via [addJwtInvalidatedListener].
      */
     fun fireJwtInvalidated(externalId: String) {
-        if (jwtInvalidatedNotifier.hasSubscribers) {
-            jwtInvalidatedAppCallbackScope.launch {
-                runCatching {
-                    jwtInvalidatedNotifier.fire { listener ->
-                        listener.onUserJwtInvalidated(UserJwtInvalidatedEvent(externalId))
+        synchronized(jwtInvalidatedLock) {
+            if (jwtInvalidatedNotifier.hasSubscribers) {
+                jwtInvalidatedAppCallbackScope.launch {
+                    runCatching {
+                        jwtInvalidatedNotifier.fire { listener ->
+                            listener.onUserJwtInvalidated(UserJwtInvalidatedEvent(externalId))
+                        }
+                    }.onFailure {
+                        Logging.warn("Failed to deliver JWT invalidated event for externalId=$externalId", it)
                     }
-                }.onFailure {
-                    Logging.warn("Failed to deliver JWT invalidated event for externalId=$externalId", it)
                 }
+            } else {
+                pendingJwtInvalidatedExternalId = externalId
             }
-        } else {
-            pendingJwtInvalidatedExternalId = externalId
         }
     }
 

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/InAppMessagesManager.kt

@@ -129,7 +129,10 @@ internal class InAppMessagesManager(
 
     // Pending IAM retry state for 401 (expired JWT) responses.
     // Stores the externalId and rywData from the failed fetch so we can retry after JWT refresh.
+    @Volatile
     private var pendingJwtRetryExternalId: String? = null
+
+    @Volatile
     private var pendingJwtRetryRywData: RywData? = null
 
     private val identityModelChangeHandler =

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/backend/impl/InAppBackendService.kt

@@ -271,6 +271,8 @@ internal class InAppBackendService(
         if (response.isSuccess) {
             val jsonResponse = response.payload?.let { JSONObject(it) }
             return jsonResponse?.let { hydrateInAppMessages(it) }
+        } else if (NetworkUtils.getResponseStatusType(response.statusCode) == NetworkUtils.ResponseStatusType.UNAUTHORIZED) {
+            throw BackendException(response.statusCode, response.payload, response.retryAfterSeconds)
         } else {
             return null
         }

OneSignalSDK/onesignal/in-app-messages/src/test/java/com/onesignal/inAppMessages/internal/backend/InAppBackendServiceTests.kt

@@ -105,6 +105,33 @@ class InAppBackendServiceTests :
             coVerify(exactly = 1) { mockHttpClient.get("apps/appId/users/by/onesignal_id/user123/subscriptions/subscriptionId/iams", any()) }
         }
 
+        test("listInAppMessages throws BackendException on 401 from fallback (no RYW token) path") {
+            // Given
+            val mockHydrator = InAppHydrator(MockHelper.time(1000), MockHelper.propertiesModelStore())
+            val mockHttpClient = mockk<IHttpClient>()
+
+            // Exhaust retries with 425 then return 401 on the fallback request (without RYW token)
+            coEvery {
+                mockHttpClient.get(any(), any())
+            } returnsMany
+                listOf(
+                    HttpResponse(425, null, retryAfterSeconds = 0, retryLimit = 0),
+                    HttpResponse(401, "{\"errors\":[\"Invalid token\"]}"),
+                )
+
+            val inAppBackendService = InAppBackendService(mockHttpClient, MockHelper.deviceService(), mockHydrator)
+
+            // When / Then
+            val exception =
+                shouldThrowUnit<BackendException> {
+                    inAppBackendService.listInAppMessages("appId", "onesignal_id", "user123", "subscriptionId", RywData("123", 500L), mockSessionDurationProvider, "expired-jwt")
+                }
+
+            exception.statusCode shouldBe 401
+            // First call is the retry attempt (with RYW), second is the fallback (without RYW)
+            coVerify(exactly = 2) { mockHttpClient.get(any(), any()) }
+        }
+
         test("listInAppMessages returns null when non-success response") {
             // Given
             val mockHydrator = InAppHydrator(MockHelper.time(1000), MockHelper.propertiesModelStore())