Prevent ASWebAuthenticationSession crash when browser reloads due to cookies being cleared (#904)

Widcket · web-flow · commit 457ada23d3a4 · 2025-03-31T21:29:35.000+01:00
diff --git a/App/ViewController.swift b/App/ViewController.swift
@@ -2,33 +2,25 @@ import UIKit
 import Auth0
 
 class ViewController: UIViewController {
-    
-    var onAuth: ((WebAuthResult<Credentials>) -> ())!
-    
-    override func viewDidLoad() {
-        super.viewDidLoad()
-        
-        self.onAuth = {
-            switch $0 {
-            case .failure(let error):
-                DispatchQueue.main.async {
-                    self.alert(title: "Error", message: "\(error)")
-                }
-            case .success(let credentials):
-                DispatchQueue.main.async {
-                    self.alert(title: "Success",
-                               message: "Authorized and got a token \(credentials.accessToken)")
-                }
-            }
-            print($0)
-        }
-    }
-    
+
     @IBAction func login(_ sender: Any) {
         Auth0
             .webAuth()
             .logging(enabled: true)
-            .start(onAuth)
+            .start {
+                switch $0 {
+                case .failure(let error):
+                    DispatchQueue.main.async {
+                        self.alert(title: "Error", message: "\(error)")
+                    }
+                case .success(let credentials):
+                    DispatchQueue.main.async {
+                        self.alert(title: "Success",
+                                   message: "Authorized and got a token \(credentials.accessToken)")
+                    }
+                }
+                print($0)
+            }
     }
 
     @IBAction func logout(_ sender: Any) {
diff --git a/Auth0.xcodeproj/project.pbxproj b/Auth0.xcodeproj/project.pbxproj
@@ -176,6 +176,9 @@
 		5CF539292836FB0C0073F623 /* ClearSessionTransactionSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF539272836FB0C0073F623 /* ClearSessionTransactionSpec.swift */; };
 		5CF5392B283835470073F623 /* ASProviderSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF5392A283835460073F623 /* ASProviderSpec.swift */; };
 		5CF5392C283835470073F623 /* ASProviderSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CF5392A283835460073F623 /* ASProviderSpec.swift */; };
+		5CFB82612D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
+		5CFB82622D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
+		5CFB82632D6D221F009FD237 /* Barrier.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5CFB82602D6D221C009FD237 /* Barrier.swift */; };
 		5F06DDC91CC66B710011842B /* Auth0.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F06DDC81CC66B710011842B /* Auth0.swift */; };
 		5F06DDCA1CC66B710011842B /* Auth0.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F06DDC81CC66B710011842B /* Auth0.swift */; };
 		5F1FBB9A1D8A44C0006B0B85 /* ResponseSpec.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5F1FBB981D8A4465006B0B85 /* ResponseSpec.swift */; };
@@ -678,6 +681,7 @@
 		5CF539232836DCC10073F623 /* SafariProviderSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SafariProviderSpec.swift; sourceTree = "<group>"; };
 		5CF539272836FB0C0073F623 /* ClearSessionTransactionSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ClearSessionTransactionSpec.swift; sourceTree = "<group>"; };
 		5CF5392A283835460073F623 /* ASProviderSpec.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ASProviderSpec.swift; sourceTree = "<group>"; };
+		5CFB82602D6D221C009FD237 /* Barrier.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Barrier.swift; sourceTree = "<group>"; };
 		5F049B6E1CB42C29006F6C05 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = Info.plist; path = Auth0/Info.plist; sourceTree = "<group>"; };
 		5F06DD781CC448B10011842B /* Auth0.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Auth0.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		5F06DD851CC448C90011842B /* Auth0.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Auth0.framework; sourceTree = BUILT_PRODUCTS_DIR; };
@@ -1111,6 +1115,7 @@
 				5FAE9C901D8878D400A871CE /* Auth0WebAuth.swift */,
 				5FD255B91D14F70B00387ECB /* WebAuthError.swift */,
 				5C0AF09C2833420200162044 /* WebAuthentication.swift */,
+				5CFB82602D6D221C009FD237 /* Barrier.swift */,
 			);
 			name = WebAuth;
 			sourceTree = "<group>";
@@ -2024,6 +2029,7 @@
 				5CB41D4823D0BA2C00074024 /* IDTokenValidator.swift in Sources */,
 				5C354C04276CE1A500ADBC86 /* PasswordlessType.swift in Sources */,
 				5FCAB1711D09005A00331C84 /* NSURLComponents+OAuth2.swift in Sources */,
+				5CFB82632D6D221F009FD237 /* Barrier.swift in Sources */,
 				5FDE876D1D8A424700EA27DC /* Handlers.swift in Sources */,
 				5FE2F8BB1CD0EAAD003628F4 /* Response.swift in Sources */,
 				970BC36B25C27095007A7745 /* Challenge.swift in Sources */,
@@ -2102,6 +2108,7 @@
 				5FD255B81D14F00900387ECB /* Auth0Error.swift in Sources */,
 				5C41F6D0244F971700252548 /* JWK+RSA.swift in Sources */,
 				5C41F6C7244F968B00252548 /* AuthTransaction.swift in Sources */,
+				5CFB82612D6D221F009FD237 /* Barrier.swift in Sources */,
 				5FD255B51D14DD2600387ECB /* ManagementError.swift in Sources */,
 				5C0AF09B28330CBA00162044 /* SafariProvider.swift in Sources */,
 				5FE2F8B31CCEAED8003628F4 /* Requestable.swift in Sources */,
@@ -2386,6 +2393,7 @@
 				C1B3BA012C24B6D4004A32A4 /* Array+Encode.swift in Sources */,
 				C1B3BA022C24B6D4004A32A4 /* String+URLSafe.swift in Sources */,
 				C1B3BA032C24B6D4004A32A4 /* NSData+URLSafe.swift in Sources */,
+				5CFB82622D6D221F009FD237 /* Barrier.swift in Sources */,
 				C1B3BA042C24B6D4004A32A4 /* NSURL+Auth0.swift in Sources */,
 				C1B3BA052C24B6D4004A32A4 /* NSURLComponents+OAuth2.swift in Sources */,
 				C1B3BA062C24B6D4004A32A4 /* JWT+Header.swift in Sources */,
diff --git a/Auth0/ASProvider.swift b/Auth0/ASProvider.swift
@@ -59,23 +59,23 @@ extension WebAuthentication {
 
 class ASUserAgent: NSObject, WebAuthUserAgent {
 
-    let session: ASWebAuthenticationSession
+    private(set) static var currentSession: ASWebAuthenticationSession?
     let callback: WebAuthProviderCallback
 
     init(session: ASWebAuthenticationSession, callback: @escaping WebAuthProviderCallback) {
-        self.session = session
         self.callback = callback
         super.init()
 
         session.presentationContextProvider = self
+        ASUserAgent.currentSession = session
     }
 
     func start() {
-        _ = self.session.start()
+        _ = ASUserAgent.currentSession?.start()
     }
 
     func finish(with result: WebAuthResult<Void>) {
-        self.session.cancel()
+        ASUserAgent.currentSession?.cancel()
         self.callback(result)
     }
 
diff --git a/Auth0/Auth0WebAuth.swift b/Auth0/Auth0WebAuth.swift
@@ -10,6 +10,7 @@ final class Auth0WebAuth: WebAuth {
     let storage: TransactionStore
 
     var telemetry: Telemetry
+    var barrier: Barrier
     var logger: Logger?
 
     #if os(macOS)
@@ -66,12 +67,14 @@ final class Auth0WebAuth: WebAuth {
          url: URL,
          session: URLSession = URLSession.shared,
          storage: TransactionStore = TransactionStore.shared,
-         telemetry: Telemetry = Telemetry()) {
+         telemetry: Telemetry = Telemetry(),
+         barrier: Barrier = QueueBarrier.shared) {
         self.clientId = clientId
         self.url = url
         self.session = session
         self.storage = storage
         self.telemetry = telemetry
+        self.barrier = barrier
         self.issuer = url.absoluteString
     }
 
@@ -166,8 +169,7 @@ final class Auth0WebAuth: WebAuth {
     }
 
     func start(_ callback: @escaping (WebAuthResult<Credentials>) -> Void) {
-
-        if self.storage.current != nil {
+        guard barrier.raise() else {
             return callback(.failure(WebAuthError(code: .transactionActiveAlready)))
         }
 
@@ -198,8 +200,9 @@ final class Auth0WebAuth: WebAuth {
                                                   invitation: invitation)
 
         let provider = self.provider ?? WebAuthentication.asProvider(redirectURL: redirectURL, ephemeralSession: ephemeralSession)
-        let userAgent = provider(authorizeURL) { [storage, onCloseCallback] result in
+        let userAgent = provider(authorizeURL) { [storage, barrier, onCloseCallback] result in
             storage.clear()
+            barrier.lower()
 
             switch result {
             case .success:
@@ -220,8 +223,7 @@ final class Auth0WebAuth: WebAuth {
     }
 
     func clearSession(federated: Bool, callback: @escaping (WebAuthResult<Void>) -> Void) {
-
-        if self.storage.current != nil {
+        guard barrier.raise() else {
             return callback(.failure(WebAuthError(code: .transactionActiveAlready)))
         }
 
@@ -239,8 +241,9 @@ final class Auth0WebAuth: WebAuth {
         }
 
         let provider = self.provider ?? WebAuthentication.asProvider(redirectURL: redirectURL)
-        let userAgent = provider(logoutURL) { [storage] result in
+        let userAgent = provider(logoutURL) { [storage, barrier] result in
             storage.clear()
+            barrier.lower()
             callback(result)
         }
         let transaction = ClearSessionTransaction(userAgent: userAgent)
diff --git a/Auth0/Barrier.swift b/Auth0/Barrier.swift
@@ -0,0 +1,29 @@
+import Foundation
+
+protocol Barrier: AnyObject {
+    func raise() -> Bool
+    func lower()
+}
+
+final class QueueBarrier: Barrier {
+    static let shared = QueueBarrier()
+
+    private let queue = DispatchQueue(label: "com.auth0.webauth.barrier.serial")
+    private(set) var isRaised: Bool = false
+
+    private init() {}
+
+    func raise() -> Bool {
+        self.queue.sync {
+            guard !self.isRaised else { return false }
+            self.isRaised = true
+            return self.isRaised
+        }
+    }
+
+    func lower() {
+        self.queue.sync {
+            self.isRaised = false
+        }
+    }
+}
diff --git a/Auth0Tests/ASProviderSpec.swift b/Auth0Tests/ASProviderSpec.swift
@@ -36,13 +36,13 @@ class ASProviderSpec: QuickSpec {
             it("should not use an ephemeral session by default") {
                 let provider = WebAuthentication.asProvider(redirectURL: CustomSchemeRedirectURL)
                 userAgent = provider(AuthorizeURL, { _ in }) as? ASUserAgent
-                expect(userAgent.session.prefersEphemeralWebBrowserSession) == false
+                expect(ASUserAgent.currentSession?.prefersEphemeralWebBrowserSession) == false
             }
             
             it("should use an ephemeral session") {
                 let provider = WebAuthentication.asProvider(redirectURL: CustomSchemeRedirectURL, ephemeralSession: true)
                 userAgent = provider(AuthorizeURL, { _ in }) as? ASUserAgent
-                expect(userAgent.session.prefersEphemeralWebBrowserSession) == true
+                expect(ASUserAgent.currentSession?.prefersEphemeralWebBrowserSession) == true
             }
             
         }
diff --git a/Auth0Tests/WebAuthSpec.swift b/Auth0Tests/WebAuthSpec.swift
diff --git a/FAQ.md b/FAQ.md

Original file line number	Diff line number	Diff line change
`@@ -36,13 +36,13 @@ class ASProviderSpec: QuickSpec {`
`36`	`36`	`it("should not use an ephemeral session by default") {`
`37`	`37`	`let provider = WebAuthentication.asProvider(redirectURL: CustomSchemeRedirectURL)`
`38`	`38`	`userAgent = provider(AuthorizeURL, { _ in }) as? ASUserAgent`
`39`		`- expect(userAgent.session.prefersEphemeralWebBrowserSession) == false`
	`39`	`+ expect(ASUserAgent.currentSession?.prefersEphemeralWebBrowserSession) == false`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`it("should use an ephemeral session") {`
`43`	`43`	`let provider = WebAuthentication.asProvider(redirectURL: CustomSchemeRedirectURL, ephemeralSession: true)`
`44`	`44`	`userAgent = provider(AuthorizeURL, { _ in }) as? ASUserAgent`
`45`		`- expect(userAgent.session.prefersEphemeralWebBrowserSession) == true`
	`45`	`+ expect(ASUserAgent.currentSession?.prefersEphemeralWebBrowserSession) == true`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`}`