Add tests

Author: sumeruchat

iterableapi/src/main/java/com/iterable/iterableapi/IterableApi.java

@@ -441,9 +441,9 @@ private void completeUserLogin(@Nullable String email, @Nullable String userId,
         // This prevents user-controlled bypass where unvalidated userId/email from keychain
         // could be used to access another user's data in JWT auth scenarios
         if (config.authHandler != null && authToken == null) {
-            IterableLogger.d(TAG, "Skipping sensitive operations - JWT auth enabled but no validated authToken present");
-            if (_setUserSuccessCallbackHandler != null) {
-                _setUserSuccessCallbackHandler.onSuccess(new JSONObject());
+            IterableLogger.w(TAG, "Cannot complete user login - JWT auth enabled but no validated authToken present");
+            if (_setUserFailureCallbackHandler != null) {
+                _setUserFailureCallbackHandler.onFailure("JWT authentication is enabled but no valid authToken is available", null);
             }
             return;
         }

iterableapi/src/test/java/com/iterable/iterableapi/IterableApiAuthSecurityTests.java

@@ -3,10 +3,7 @@
 import static android.os.Looper.getMainLooper;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
@@ -25,7 +22,6 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.mockito.ArgumentCaptor;
 
 import java.io.IOException;
 import java.util.concurrent.CountDownLatch;
@@ -37,7 +33,7 @@
 
 /**
  * Security tests for TOCTOU (Time-Of-Check-Time-Of-Use) vulnerabilities in auth flow.
- * 
+ *
  * These tests verify that credentials cannot be swapped mid-flight between storage
  * and usage, preventing user-controlled bypass attacks.
  */
@@ -56,7 +52,7 @@ public void setUp() throws IOException {
         dispatcher = new PathBasedQueueDispatcher();
         server.setDispatcher(dispatcher);
         IterableApi.overrideURLEndpointPath(server.url("").toString());
-        
+
         mockKeychain = mock(IterableKeychain.class);
     }
 
@@ -93,22 +89,22 @@ private void initIterableWithoutAuth() {
     @Test
     public void testCompleteUserLogin_WithJWTAuth_NoToken_SkipsSensitiveOps() throws Exception {
         initIterableWithAuth();
-        
+
         // Spy on the API instance to verify method calls
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
-        // Directly call setAuthToken with null and bypassAuth=true to simulate 
+
+        // Directly call setAuthToken with null and bypassAuth=true to simulate
         // attempting to bypass with no token (user-controlled bypass scenario)
         api.setAuthToken(null, true);
-        
+
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations were NOT called (JWT auth enabled, no token)
         verify(mockInAppManager, never()).syncInApp();
         verify(mockEmbeddedManager, never()).syncMessages();
@@ -121,25 +117,25 @@ public void testCompleteUserLogin_WithJWTAuth_NoToken_SkipsSensitiveOps() throws
     @Test
     public void testCompleteUserLogin_WithJWTAuth_WithToken_ExecutesSensitiveOps() throws Exception {
         initIterableWithAuth();
-        
+
         dispatcher.enqueueResponse("/users/update", new MockResponse().setResponseCode(200).setBody("{}"));
-        
+
         doReturn(validJWT).when(authHandler).onAuthTokenRequested();
-        
+
         // Spy on the API instance to verify method calls
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
+
         api.setEmail("[email protected]");
-        
+
         server.takeRequest(1, TimeUnit.SECONDS);
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations WERE called with valid token
         verify(mockInAppManager).syncInApp();
         verify(mockEmbeddedManager).syncMessages();
@@ -152,20 +148,20 @@ public void testCompleteUserLogin_WithJWTAuth_WithToken_ExecutesSensitiveOps() t
     @Test
     public void testCompleteUserLogin_WithoutJWTAuth_NoToken_ExecutesSensitiveOps() throws Exception {
         initIterableWithoutAuth();
-        
+
         // Spy on the API instance to verify method calls
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
+
         api.setEmail("[email protected]");
-        
+
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations WERE called (no JWT auth required)
         verify(mockInAppManager).syncInApp();
         verify(mockEmbeddedManager).syncMessages();
@@ -178,13 +174,13 @@ public void testCompleteUserLogin_WithoutJWTAuth_NoToken_ExecutesSensitiveOps()
     @Test
     public void testStoreAuthData_CompletionHandler_ReceivesStoredCredentials() throws Exception {
         initIterableWithAuth();
-        
+
         IterableApi api = IterableApi.getInstance();
-        
+
         // Use reflection to spy on storeAuthData behavior
         IterableApi spyApi = spy(api);
         IterableApi.sharedInstance = spyApi;
-        
+
         // Set up mock keychain that attempts to swap credentials mid-flight
         doAnswer(invocation -> {
             // Malicious keychain that tries to swap email after storage
@@ -193,17 +189,17 @@ public void testStoreAuthData_CompletionHandler_ReceivesStoredCredentials() thro
             // Simulate attacker trying to modify keychain after storage
             return null;
         }).when(mockKeychain).saveEmail(anyString());
-        
+
         when(spyApi.getKeychain()).thenReturn(mockKeychain);
-        
+
         dispatcher.enqueueResponse("/users/update", new MockResponse().setResponseCode(200).setBody("{}"));
         doReturn(validJWT).when(authHandler).onAuthTokenRequested();
-        
+
         final String originalEmail = "[email protected]";
         final AtomicReference<String> completionHandlerEmail = new AtomicReference<>();
         final AtomicReference<String> completionHandlerToken = new AtomicReference<>();
         final CountDownLatch latch = new CountDownLatch(1);
-        
+
         // Capture what the completion handler receives
         spyApi.setEmail(originalEmail, new IterableHelper.SuccessHandler() {
             @Override
@@ -212,11 +208,11 @@ public void onSuccess(JSONObject data) {
                 latch.countDown();
             }
         }, null);
-        
+
         server.takeRequest(1, TimeUnit.SECONDS);
         shadowOf(getMainLooper()).idle();
         latch.await(2, TimeUnit.SECONDS);
-        
+
         // Verify the API instance has the correct email
         assertEquals("Email should match original", originalEmail, spyApi.getEmail());
         assertNotNull("AuthToken should be set", spyApi.getAuthToken());
@@ -229,32 +225,32 @@ public void onSuccess(JSONObject data) {
     @Test
     public void testSetAuthToken_UsesCompletionHandlerPattern() throws Exception {
         initIterableWithAuth();
-        
+
         dispatcher.enqueueResponse("/users/update", new MockResponse().setResponseCode(200).setBody("{}"));
         doReturn(validJWT).when(authHandler).onAuthTokenRequested();
-        
+
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
+
         // First set user
         api.setEmail("[email protected]");
         server.takeRequest(1, TimeUnit.SECONDS);
         shadowOf(getMainLooper()).idle();
-        
+
         // Clear previous invocations
         org.mockito.Mockito.clearInvocations(mockInAppManager, mockEmbeddedManager);
-        
+
         // Now update auth token (simulating token refresh)
         final String newToken = "new_jwt_token_here";
         api.setAuthToken(newToken, false);
-        
+
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations were called with updated token
         verify(mockInAppManager).syncInApp();
         verify(mockEmbeddedManager).syncMessages();
@@ -268,20 +264,20 @@ public void testSetAuthToken_UsesCompletionHandlerPattern() throws Exception {
     @Test
     public void testSetAuthToken_BypassAuth_StillValidatesToken() throws Exception {
         initIterableWithAuth();
-        
+
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
+
         // Try to bypass with no token set
         api.setAuthToken(null, true);
-        
+
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations were NOT called (JWT auth enabled, no token)
         verify(mockInAppManager, never()).syncInApp();
         verify(mockEmbeddedManager, never()).syncMessages();
@@ -294,32 +290,32 @@ public void testSetAuthToken_BypassAuth_StillValidatesToken() throws Exception {
     @Test
     public void testCredentialConsistency_StorageToUsage() throws Exception {
         initIterableWithAuth();
-        
+
         dispatcher.enqueueResponse("/users/update", new MockResponse().setResponseCode(200).setBody("{}"));
-        
+
         final String testEmail = "[email protected]";
         doReturn(validJWT).when(authHandler).onAuthTokenRequested();
-        
+
         IterableApi api = IterableApi.getInstance();
-        
+
         // Set email
         api.setEmail(testEmail);
         server.takeRequest(1, TimeUnit.SECONDS);
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify credentials match exactly
         assertEquals("Email should match", testEmail, api.getEmail());
         assertEquals("AuthToken should match", validJWT, api.getAuthToken());
-        
+
         // Now test with userId
         dispatcher.enqueueResponse("/users/update", new MockResponse().setResponseCode(200).setBody("{}"));
         final String testUserId = "user123";
         doReturn(validJWT).when(authHandler).onAuthTokenRequested();
-        
+
         api.setUserId(testUserId);
         server.takeRequest(1, TimeUnit.SECONDS);
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify userId matches
         assertEquals("UserId should match", testUserId, api.getUserId());
         assertEquals("AuthToken should still match", validJWT, api.getAuthToken());
@@ -339,20 +335,20 @@ public void testStaleKeychainCredentials_NoToken_SkipsSensitiveOps() throws Exce
         editor.putString(IterableConstants.SHARED_PREFS_USERID_KEY, "staleUserId");
         // No auth token stored
         editor.apply();
-        
+
         initIterableWithAuth();
-        
+
         IterableApi api = spy(IterableApi.getInstance());
         IterableApi.sharedInstance = api;
-        
+
         IterableInAppManager mockInAppManager = mock(IterableInAppManager.class);
         IterableEmbeddedManager mockEmbeddedManager = mock(IterableEmbeddedManager.class);
         when(api.getInAppManager()).thenReturn(mockInAppManager);
         when(api.getEmbeddedManager()).thenReturn(mockEmbeddedManager);
-        
+
         // Trigger initialization flow
         shadowOf(getMainLooper()).idle();
-        
+
         // Verify sensitive operations were NOT called with stale credentials
         verify(mockInAppManager, never()).syncInApp();
         verify(mockEmbeddedManager, never()).syncMessages();