Skip to content

[Feedback]: loginWithJWT unimplemented blocks Identity Verification #1148

Description

@T-moz

What's on your mind?

Summary

OneSignal.loginWithJWT(externalId, jwt) in lib/onesignal_flutter.dart:75 is marked @deprecated('Do not use, this method is not implemented'). iOS branch early-returns; Android branch routes through but
the native iOS SDK path is broken too (see below). Flutter apps using OneSignal cannot enable Identity Verification on iOS.

Why this is urgent

Without JWT, the OneSignal User Model REST API (/apps/{appId}/users/by/onesignal_id/..., /subscriptions/{id}) is unauthenticated. Any party that obtains a target's onesignal_id (a UUIDv4, leakable from
app traffic or app-side storage) can:

  • Read PII: phone number, device model, push token, external_id
  • PATCH the subscription token → intercept all push notifications for that user
  • DELETE the subscription → DoS notifications
  • PATCH external_id → break the app-side identity link

This is a high-severity vulnerability class for any Flutter app handling sensitive data.

Current state in the SDK

  • lib/onesignal_flutter.dart:75 — loginWithJWT deprecated, iOS path is no-op.
  • test/onesignalflutter_test.dart:40 — corresponding test group is skip: true.
  • iOS native (OneSignal-iOS-SDK): OSUserRequest.swift addJWTHeader is entirely commented out, so even direct native calls don't send Authorization: Bearer . The Flutter shim cannot be fixed in
    isolation — iOS native needs the header re-enabled.
  • Android native: JWT plumbing works (HttpClient.kt sets the Bearer header, tested in HttpClientTests.kt). Only the Flutter Dart surface is missing.

Please:

  1. Un-deprecate and implement loginWithJWT on the Flutter SDK across both platforms.
  2. Re-enable addJWTHeader in the iOS SDK (OSUserRequest.swift) so the stored jwtBearerToken actually reaches outgoing requests.
  3. Document an officially supported timeline for Identity Verification on mobile.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions