[Feature] Identity verification implementation

[jinliu9508]

READ AND DELETE THIS SECTION BEFORE SUBMITTING PR

• Fill out each REQUIRED section
• Fill out OPTIONAL sections, remove section if it doesn't apply to your PR
• Read and fill out each of the checklists below
• Remove this section after reading

Description

One Line Summary

Implement identity verification functionality to our Android SDK with JWT (JSON Web Token) that manage a specific User, their Subscriptions, and Identities, if enabled using OneSignal dashboard.

Details

Motivation

OneSignal Identity Verification feature only exists today for the Player model and we want to bring this feature to the User Model and gives us an opportunity to switch to a more standard client security model, JWT (JSON Web Token).

Scope

If identity verification is enabled, all operations requiring identity or authorization must be accompanied by a correct JWT. Developers can use OneSignal.login(external_id, jwt) to set a JWT for a specific user identified by their external ID, or OneSignal.updateUserJwt(external_id, jwt) to update the JWT for that user. Additionally, developers can add a JWTInvalidatedListener by calling OneSignal.addUserJwtInvalidatedListener, allowing them to listen for a JWTInvalidatedEvent triggered when a JWT is invalidated by any operation, and subsequently update the JWT as necessary.

Testing

Unit testing

I have include a testing case that simulate a UNAUTHROIZED error (401, 403) and ensure that the jwt for the specific user is invalidated and the JWTInvalidatedEvent is fired.

Manual testing

!!! Note that we are unable to manual test this feature at the moment due to the backend service is not completed. However, I have tested other normal functionalities to ensure the code does not break for existing users.

Affected code checklist

• Notifications
  • Display
  • Open
  • Push Processing
  • Confirm Deliveries
• Outcomes
• Sessions
• In-App Messaging
• REST API requests
• Public API changes

Checklist

Overview

• I have filled out all REQUIRED sections above
• PR does one thing
  • If it is hard to explain how any codes changes are related to each other then it most likely needs to be more than one PR
• Any Public API changes are explained in the PR details and conform to existing APIs

Testing

• I have included test coverage for these changes, or explained why they are not needed
• All automated tests pass, or I explained why that is not possible
• I have personally tested this on my device, or explained why that is not possible

Final pass

• Code is as readable as possible.
  • Simplify with less code, followed by splitting up code into well named functions and variables, followed by adding comments to the code.
• I have reviewed this PR myself, ensuring it meets each checklist item
  • WIP (Work In Progress) is ok, but explain what is still in progress and what you would like feedback on. Start the PR title with "WIP" to indicate this.

---

This change is 

[nan-li]

It's not testable yet, but have you thought about how to handle the anonymous user that would have been automatically created in initWithContext since I didn't see any changes for anonymous users, and unsubscribing the user on logout (if JWT-enabled)?

[nan-li]

main has changed a bit since some PRs have been merged; this refresh on login was removed in a previous PR

[nan-li]

This returns early but the SDK may need to update JWT for previous users?

[jkasten2]

Remove underscore, rename to externalId.

This was a mistake in the spec, and just corrected it there.

[nan-li]

This will add jwt_token as an alias on the Identity Model and get enqueued as a set-alias operation. If you look at IdentityModelStoreListener, any changes are detected as aliases.

[nan-li]

This !! is dangerous, since the constructor for this class just below says jwt passed in can be null, and it will call this set method directly within it.

[jkasten2]

I don't think this is the right high level concept here. We want to remove any operations called before OneSignal.login(). If addTags() are call right after login we want to keep it, but if it was call before we want to discard.

• An edge case that comes to mind which is tricky is subscription updates, such as the user accepting the notification permission.

[jkasten2]

I notice we have a ConfigModel that has subscribe and unsubscribe methods. I see some of the remote params are on ConfigModel. I am not sure why all remote level params didn't go through the ConfigModel to begin with, but now sounds like a good time to consolidate, if it is a good fit.

[jkasten2]

(ignore if this is just a test function we delete later) Shouldn't this be called getParametersOfType and return a list?

[jinliu9508]

Close and re-create another PR for this feature.