What's on your mind?
Summary
OneSignal.loginWithJWT(externalId, jwt) in lib/onesignal_flutter.dart:75 is marked @deprecated('Do not use, this method is not implemented'). iOS branch early-returns; Android branch routes through but
the native iOS SDK path is broken too (see below). Flutter apps using OneSignal cannot enable Identity Verification on iOS.
Why this is urgent
Without JWT, the OneSignal User Model REST API (/apps/{appId}/users/by/onesignal_id/..., /subscriptions/{id}) is unauthenticated. Any party that obtains a target's onesignal_id (a UUIDv4, leakable from
app traffic or app-side storage) can:
- Read PII: phone number, device model, push token, external_id
- PATCH the subscription token → intercept all push notifications for that user
- DELETE the subscription → DoS notifications
- PATCH external_id → break the app-side identity link
This is a high-severity vulnerability class for any Flutter app handling sensitive data.
Current state in the SDK
- lib/onesignal_flutter.dart:75 — loginWithJWT deprecated, iOS path is no-op.
- test/onesignalflutter_test.dart:40 — corresponding test group is skip: true.
- iOS native (OneSignal-iOS-SDK): OSUserRequest.swift addJWTHeader is entirely commented out, so even direct native calls don't send Authorization: Bearer . The Flutter shim cannot be fixed in
isolation — iOS native needs the header re-enabled.
- Android native: JWT plumbing works (HttpClient.kt sets the Bearer header, tested in HttpClientTests.kt). Only the Flutter Dart surface is missing.
Please:
- Un-deprecate and implement loginWithJWT on the Flutter SDK across both platforms.
- Re-enable addJWTHeader in the iOS SDK (OSUserRequest.swift) so the stored jwtBearerToken actually reaches outgoing requests.
- Document an officially supported timeline for Identity Verification on mobile.
Code of Conduct
What's on your mind?
Summary
OneSignal.loginWithJWT(externalId, jwt) in lib/onesignal_flutter.dart:75 is marked @deprecated('Do not use, this method is not implemented'). iOS branch early-returns; Android branch routes through but
the native iOS SDK path is broken too (see below). Flutter apps using OneSignal cannot enable Identity Verification on iOS.
Why this is urgent
Without JWT, the OneSignal User Model REST API (/apps/{appId}/users/by/onesignal_id/..., /subscriptions/{id}) is unauthenticated. Any party that obtains a target's onesignal_id (a UUIDv4, leakable from
app traffic or app-side storage) can:
This is a high-severity vulnerability class for any Flutter app handling sensitive data.
Current state in the SDK
isolation — iOS native needs the header re-enabled.
Please:
Code of Conduct