Retry IAM fetch after JWT refresh on 401/403 response

When an IAM fetch returns an unauthorized response (401 or 403), the SDK
now saves the pending fetch state and automatically retries once the JWT
is refreshed for the same user. Switching users clears any stale retry.

Made-with: Cursor

Author: nan-li

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/backend/impl/JSONConverter.kt

@@ -8,8 +8,8 @@ import com.onesignal.common.putSafe
 import com.onesignal.common.safeBool
 import com.onesignal.common.safeDouble
 import com.onesignal.common.safeInt
-import com.onesignal.common.safeLong
 import com.onesignal.common.safeJSONObject
+import com.onesignal.common.safeLong
 import com.onesignal.common.safeString
 import com.onesignal.common.toMap
 import com.onesignal.user.internal.backend.CreateUserResponse

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/identity/JwtTokenStore.kt

@@ -1,12 +1,17 @@
 package com.onesignal.user.internal.identity
 
+import com.onesignal.common.events.EventProducer
 import com.onesignal.core.internal.preferences.IPreferencesService
 import com.onesignal.core.internal.preferences.PreferenceOneSignalKeys
 import com.onesignal.core.internal.preferences.PreferenceStores
 import com.onesignal.debug.internal.logging.Logging
 import org.json.JSONException
 import org.json.JSONObject
 
+fun interface IJwtUpdateListener {
+    fun onJwtUpdated(externalId: String)
+}
+
 /**
  * Persistent store mapping externalId -> JWT token. Supports multiple users simultaneously
  * so that queued operations for a previous user can still resolve their JWT at execution time.
@@ -20,6 +25,7 @@ class JwtTokenStore(
 ) {
     private val tokens: MutableMap<String, String> = mutableMapOf()
     private var isLoaded = false
+    private val jwtUpdateNotifier = EventProducer<IJwtUpdateListener>()
 
     /** Not thread-safe; callers must hold `synchronized(tokens)`. */
     private fun ensureLoaded() {
@@ -61,6 +67,14 @@ class JwtTokenStore(
         }
     }
 
+    fun subscribe(listener: IJwtUpdateListener) {
+        jwtUpdateNotifier.subscribe(listener)
+    }
+
+    fun unsubscribe(listener: IJwtUpdateListener) {
+        jwtUpdateNotifier.unsubscribe(listener)
+    }
+
     /**
      * Stores (or replaces) the JWT for [externalId]. Passing a null [jwt] is a no-op;
      * use [invalidateJwt] to remove a token.
@@ -75,6 +89,7 @@ class JwtTokenStore(
             tokens[externalId] = jwt
             persist()
         }
+        jwtUpdateNotifier.fire { it.onJwtUpdated(externalId) }
     }
 
     /**

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/InAppMessagesManager.kt

@@ -4,6 +4,7 @@ import android.app.AlertDialog
 import com.onesignal.common.AndroidUtils
 import com.onesignal.common.IDManager
 import com.onesignal.common.JSONUtils
+import com.onesignal.common.NetworkUtils
 import com.onesignal.common.consistency.IamFetchReadyCondition
 import com.onesignal.common.consistency.RywData
 import com.onesignal.common.consistency.models.IConsistencyManager
@@ -46,6 +47,7 @@ import com.onesignal.session.internal.session.ISessionLifecycleHandler
 import com.onesignal.session.internal.session.ISessionService
 import com.onesignal.user.IUserManager
 import com.onesignal.user.internal.backend.IdentityConstants
+import com.onesignal.user.internal.identity.IJwtUpdateListener
 import com.onesignal.user.internal.identity.IdentityModel
 import com.onesignal.user.internal.identity.IdentityModelStore
 import com.onesignal.user.internal.identity.JwtTokenStore
@@ -85,7 +87,8 @@ internal class InAppMessagesManager(
     IInAppLifecycleEventHandler,
     ITriggerHandler,
     ISessionLifecycleHandler,
-    IApplicationLifecycleHandler {
+    IApplicationLifecycleHandler,
+    IJwtUpdateListener {
     private val lifecycleCallback = EventProducer<IInAppMessageLifecycleListener>()
     private val messageClickCallback = EventProducer<IInAppMessageClickListener>()
 
@@ -124,12 +127,20 @@ internal class InAppMessagesManager(
     // Tracks trigger keys added early on cold start (before first fetch completes), for redisplay logic
     private val earlySessionTriggers: MutableSet<String> = java.util.Collections.synchronizedSet(mutableSetOf())
 
+    // Pending IAM retry state for 401 (expired JWT) responses.
+    // Stores the externalId and rywData from the failed fetch so we can retry after JWT refresh.
+    private var pendingJwtRetryExternalId: String? = null
+    private var pendingJwtRetryRywData: RywData? = null
+
     private val identityModelChangeHandler =
         object : ISingletonModelStoreChangeHandler<IdentityModel> {
             override fun onModelReplaced(
                 model: IdentityModel,
                 tag: String,
-            ) { }
+            ) {
+                pendingJwtRetryExternalId = null
+                pendingJwtRetryRywData = null
+            }
 
             override fun onModelUpdated(
                 args: ModelChangedArgs,
@@ -192,6 +203,7 @@ internal class InAppMessagesManager(
         _sessionService.subscribe(this)
         _applicationService.addApplicationLifecycleHandler(this)
         _identityModelStore.subscribe(identityModelChangeHandler)
+        _jwtTokenStore.subscribe(this)
 
         suspendifyOnIO {
             _repository.cleanCachedInAppMessages()
@@ -326,7 +338,17 @@ internal class InAppMessagesManager(
 
         // lambda so that it is updated on each potential retry
         val sessionDurationProvider = { _time.currentTimeMillis - _sessionService.startTime }
-        val newMessages = _backend.listInAppMessages(appId, aliasLabel, aliasValue, subscriptionId, rywData, sessionDurationProvider, jwt)
+        val newMessages =
+            try {
+                _backend.listInAppMessages(appId, aliasLabel, aliasValue, subscriptionId, rywData, sessionDurationProvider, jwt)
+            } catch (ex: BackendException) {
+                if (NetworkUtils.getResponseStatusType(ex.statusCode) == NetworkUtils.ResponseStatusType.UNAUTHORIZED) {
+                    Logging.debug("InAppMessagesManager.fetchMessages: ${ex.statusCode} response. Will retry after JWT refresh for externalId=$externalId")
+                    pendingJwtRetryExternalId = externalId
+                    pendingJwtRetryRywData = rywData
+                }
+                null
+            }
 
         if (newMessages != null) {
             this.messages = newMessages as MutableList<InAppMessage>
@@ -1017,6 +1039,21 @@ internal class InAppMessagesManager(
             .show()
     }
 
+    override fun onJwtUpdated(externalId: String) {
+        val retryExternalId = pendingJwtRetryExternalId ?: return
+        val retryRywData = pendingJwtRetryRywData ?: return
+
+        if (externalId != retryExternalId) return
+
+        Logging.debug("InAppMessagesManager.onJwtUpdated: JWT refreshed for $externalId, retrying IAM fetch")
+        pendingJwtRetryExternalId = null
+        pendingJwtRetryRywData = null
+
+        suspendifyOnIO {
+            fetchMessages(retryRywData)
+        }
+    }
+
     override fun onFocus(firedOnSubscribe: Boolean) { }
 
     override fun onUnfocused() { }

OneSignalSDK/onesignal/in-app-messages/src/main/java/com/onesignal/inAppMessages/internal/backend/impl/InAppBackendService.kt

@@ -239,6 +239,8 @@ internal class InAppBackendService(
                 response.retryAfterSeconds?.let {
                     delay(it * 1_000L)
                 }
+            } else if (NetworkUtils.getResponseStatusType(response.statusCode) == NetworkUtils.ResponseStatusType.UNAUTHORIZED) {
+                throw BackendException(response.statusCode, response.payload, response.retryAfterSeconds)
             } else if (response.statusCode in 500..599) {
                 return null
             } else {

OneSignalSDK/onesignal/in-app-messages/src/test/java/com/onesignal/inAppMessages/internal/InAppMessagesManagerTests.kt

@@ -6,6 +6,7 @@ import com.onesignal.common.consistency.IamFetchReadyCondition
 import com.onesignal.common.consistency.RywData
 import com.onesignal.common.consistency.models.IConsistencyManager
 import com.onesignal.common.exceptions.BackendException
+import com.onesignal.common.modeling.ISingletonModelStoreChangeHandler
 import com.onesignal.common.modeling.ModelChangedArgs
 import com.onesignal.core.internal.config.ConfigModel
 import com.onesignal.debug.LogLevel
@@ -31,6 +32,7 @@ import com.onesignal.session.internal.influence.IInfluenceManager
 import com.onesignal.session.internal.outcomes.IOutcomeEventsController
 import com.onesignal.session.internal.session.ISessionService
 import com.onesignal.user.IUserManager
+import com.onesignal.user.internal.identity.IdentityModel
 import com.onesignal.user.internal.identity.JwtTokenStore
 import com.onesignal.user.internal.subscriptions.ISubscriptionManager
 import com.onesignal.user.internal.subscriptions.SubscriptionModel
@@ -45,6 +47,7 @@ import io.mockk.just
 import io.mockk.mockk
 import io.mockk.mockkObject
 import io.mockk.runs
+import io.mockk.slot
 import io.mockk.spyk
 import io.mockk.unmockkObject
 import io.mockk.verify
@@ -169,6 +172,20 @@ private class Mocks {
         return property.get(manager) as Boolean
     }
 
+    fun getPendingJwtRetryExternalId(manager: InAppMessagesManager): String? {
+        val property = InAppMessagesManager::class.memberProperties
+            .first { it.name == "pendingJwtRetryExternalId" }
+        property.isAccessible = true
+        return property.get(manager) as String?
+    }
+
+    fun getPendingJwtRetryRywData(manager: InAppMessagesManager): RywData? {
+        val property = InAppMessagesManager::class.memberProperties
+            .first { it.name == "pendingJwtRetryRywData" }
+        property.isAccessible = true
+        return property.get(manager) as RywData?
+    }
+
     // Helper function to create InAppMessagesManager with all dependencies
     val inAppMessagesManager = InAppMessagesManager(
         applicationService,
@@ -1418,4 +1435,123 @@ class InAppMessagesManagerTests : FunSpec({
             messageAfterClear.isTriggerChanged shouldBe false
         }
     }
+
+    context("JWT 401 Retry") {
+        test("fetchMessages stores pending retry state on 401 BackendException") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+            mocks.identityModelStore.model.externalId = "test-external-id"
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any())
+            } throws BackendException(401, "Unauthorized")
+
+            // When
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+
+            // Then
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe "test-external-id"
+            mocks.getPendingJwtRetryRywData(mocks.inAppMessagesManager) shouldBe mocks.rywData
+        }
+
+        test("onJwtUpdated retries fetch when externalId matches pending retry") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+            mocks.identityModelStore.model.externalId = "test-external-id"
+            mocks.configModelStore.model.fetchIAMMinInterval = 0L
+
+            // First call throws 401, second call succeeds
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any())
+            } throws BackendException(401, "Unauthorized") andThen listOf(mocks.createInAppMessage())
+
+            // Trigger the initial fetch that will 401
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+
+            // Verify pending state was set
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe "test-external-id"
+
+            // When - JWT is updated for the same external ID
+            mocks.inAppMessagesManager.onJwtUpdated("test-external-id")
+            awaitIO()
+
+            // Then - should have retried and cleared the pending state
+            coVerify(exactly = 2) { mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any()) }
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe null
+            mocks.getPendingJwtRetryRywData(mocks.inAppMessagesManager) shouldBe null
+        }
+
+        test("onJwtUpdated does not retry when externalId does not match pending retry") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+            mocks.identityModelStore.model.externalId = "test-external-id"
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any())
+            } throws BackendException(401, "Unauthorized")
+
+            // Trigger the initial fetch that will 401
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+
+            // When - JWT is updated for a DIFFERENT external ID
+            mocks.inAppMessagesManager.onJwtUpdated("different-external-id")
+            awaitIO()
+
+            // Then - should NOT have retried, pending state remains
+            coVerify(exactly = 1) { mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any()) }
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe "test-external-id"
+        }
+
+        test("onJwtUpdated does nothing when no pending retry") {
+            // Given - no 401 has happened, so no pending retry
+
+            // When
+            mocks.inAppMessagesManager.onJwtUpdated("any-external-id")
+            awaitIO()
+
+            // Then
+            coVerify(exactly = 0) { mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any()) }
+        }
+
+        test("pending retry state is cleared on user switch (identity model replaced)") {
+            // Given
+            every { mocks.userManager.onesignalId } returns "onesignal-id"
+            every { mocks.applicationService.isInForeground } returns true
+            every { mocks.pushSubscription.id } returns "subscription-id"
+            mocks.identityModelStore.model.externalId = "test-external-id"
+            coEvery {
+                mocks.backend.listInAppMessages(any(), any(), any(), any(), any(), any(), any())
+            } throws BackendException(401, "Unauthorized")
+
+            // Capture the handler passed to identityModelStore.subscribe
+            val handlerSlot = slot<ISingletonModelStoreChangeHandler<IdentityModel>>()
+            every { mocks.identityModelStore.subscribe(capture(handlerSlot)) } just runs
+
+            // Start the manager to subscribe
+            val mockRepository = mocks.repository
+            coEvery { mockRepository.cleanCachedInAppMessages() } just runs
+            coEvery { mockRepository.listInAppMessages() } returns emptyList()
+            mocks.inAppMessagesManager.start()
+            awaitIO()
+
+            // Trigger 401
+            mocks.inAppMessagesManager.onSessionStarted()
+            awaitIO()
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe "test-external-id"
+
+            // When - simulate user switch via the captured handler
+            handlerSlot.captured.onModelReplaced(IdentityModel(), "test")
+
+            // Then - pending retry state should be cleared
+            mocks.getPendingJwtRetryExternalId(mocks.inAppMessagesManager) shouldBe null
+            mocks.getPendingJwtRetryRywData(mocks.inAppMessagesManager) shouldBe null
+        }
+    }
 })

OneSignalSDK/onesignal/in-app-messages/src/test/java/com/onesignal/inAppMessages/internal/backend/InAppBackendServiceTests.kt

@@ -87,6 +87,24 @@ class InAppBackendServiceTests :
             coVerify(exactly = 1) { mockHttpClient.get("apps/appId/users/by/onesignal_id/user123/subscriptions/subscriptionId/iams", any()) }
         }
 
+        test("listInAppMessages throws BackendException on 401 response") {
+            // Given
+            val mockHydrator = InAppHydrator(MockHelper.time(1000), MockHelper.propertiesModelStore())
+            val mockHttpClient = mockk<IHttpClient>()
+            coEvery { mockHttpClient.get(any(), any()) } returns HttpResponse(401, "{\"errors\":[\"Invalid token\"]}")
+
+            val inAppBackendService = InAppBackendService(mockHttpClient, MockHelper.deviceService(), mockHydrator)
+
+            // When / Then
+            val exception =
+                shouldThrowUnit<BackendException> {
+                    inAppBackendService.listInAppMessages("appId", "onesignal_id", "user123", "subscriptionId", RywData("123", 500L), mockSessionDurationProvider, "expired-jwt")
+                }
+
+            exception.statusCode shouldBe 401
+            coVerify(exactly = 1) { mockHttpClient.get("apps/appId/users/by/onesignal_id/user123/subscriptions/subscriptionId/iams", any()) }
+        }
+
         test("listInAppMessages returns null when non-success response") {
             // Given
             val mockHydrator = InAppHydrator(MockHelper.time(1000), MockHelper.propertiesModelStore())