Performing notifyLogin request can include previous keychain sig in request body.

[markst]

Checklist

• I have read the relevant SDK documentation and have not found a suitable solution or answer.
• I agree to the terms within the SAP Code of Conduct.

Description

When logging in we perform a accounts.notifyLogin passing the UIDSig UIDSignature + UIDTimestamp we get from our account service.

This works fine for a fresh app install when there is no GigyaSession persisted to keychain.

If for whatever reason a Keychain is not cleared but we attempt to login again, a subsequent accounts.notifyLogin will pass the sig; resulting in the following response:

{
  "callId": "3a987ae3c34485e9054a28ce24938491",
  "errorCode": 403005,
  "errorDetails": "Session not found",
  "errorMessage": "Unauthorized user",
  "apiVersion": 2,
  "statusCode": 403,
  "statusReason": "Forbidden",
  "time": "2024-07-30T03:19:53.327Z"
}

Repeating the same request omitting the sig will correctly return a 200 response with our sessionInfo required for persisting new GigyaSession.

We don't have the ability to remove keychain without performing gigya.logout which subsequently calls removeFromKeychain.

This means that we must perform a gigya.logout prior to any accounts.notifyLogin requests to ensure no previous keychains session data is passed.

Reproduction

• add an invalid GigyaSession to gigya sdk gigya.setSession(.init(sessionToken: "bad", secret: "bad"))
• attempt to perform a accounts.notifyLogin with new UID

Additional context

No response

SDK version

1.6.3

[markst]

Potentially we should always be performing gigya.logout prior to performing any notifyLogin requests.

Otherwise perhaps the SignatureUtils should not be including the session similar to getSdkConfig.

For example:

if path.contains(GigyaDefinitions.API.getSdkConfig) || path.contains(GigyaDefinitions.API.verifyLogin) {
            // clear session for requests

https://github.com/SAP/gigya-swift-sdk/blob/main/GigyaSwift/Global/Utils/SignatureUtils.swift#L24