User sessions are not getting removed on app uninstall

[Vortec4800]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest versions of Parse Server and the Parse Swift SDK.

Issue Description

When uninstalling an app and reinstalling, the currentUser still reports the same session from before the app was uninstalled. This doesn't match user expected behavior, where deleting and reinstalling an app would start things "fresh" for them.

This is likely due to the fact that Keychain values are not cleared when an app is uninstalled, which Apple seems to claim is not a bug. This may be happening with other Keychain-stored values as well like Installations, but I haven't checked those specifically at this point.

Steps to reproduce

1. Install a test app and log in using any method.
2. Verify killing and relaunching app logs in the user and currentUser is populated.
3. Uninstall the test app from the simulator/device.
4. Reinstall the test app and launch.

Actual Outcome

Upon launching after second install, currentUser is populated and the app is logged in.

Expected Outcome

The user's expected outcome would be that the newly installed app is not logged in and currentUser would return nil.

Environment

Client

• Parse Swift SDK version: 1.10
• Xcode version: 13
• Operating system (iOS, macOS, watchOS, etc.): iOS
• Operating system version: 15

Server

• Parse Server version: 4.10.3
• Operating system: Ubuntu
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): DO

Database

• System (MongoDB or Postgres): Mongo
• Database version: 4.4
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): DO

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[Vortec4800]

I'm happy to put together a PR for this but I'd like some direction first. How should the SDK go about fixing this? A common method is to store something in UserDefaults as that does get cleared as expected and if that key is missing then discard Keychain data. It could also write a plist/dictionary to a folder in the application bundle and check for that as well.

Thoughts on this? Maybe there is also an easier fix I'm not thinking of.

[cbaker6]

You as the app developer are responsible for handling the keychain, particularly when you uninstall the app. Your app doesn't delete the keychain automatically when you uninstall an app. You can check the sample app I released for an example:

        // Clear items out of the Keychain on app first run. Used for debugging
        if UserDefaults.standard.object(forKey: Constants.firstRun) == nil {
            try? User.logout()
            // This is no longer the first run
            UserDefaults.standard.setValue(String(Constants.firstRun),
                                           forKey: Constants.firstRun)
            UserDefaults.standard.synchronize()
        }

The link above is using a SwiftUI app cycle, but the same code can go in your app delegate.

[Vortec4800]

This is indeed a workaround that can be included, but the SDK should be responsible for cleaning up its own keys so behavior matches user expectations.

If the app developer was responsible for the Keychain/User state, then it would be expected that the SDK doesn't handle Keychain storage at all and it would be up to the app to persist the user and installation data on its own. The SDK handles this instead, which implies that it would handle the entire lifecycle of those keys and state.

[cbaker6]

This is indeed a workaround that can be included, but the SDK should be responsible for cleaning up its own keys so behavior matches user expectations.

This has never been handled by any of the iOS related SDKs in the past. Of course, if you have a way of doing so, please submit a PR.

If the app developer was responsible for the Keychain/User state, then it would be expected that the SDK doesn't handle Keychain storage at all and it would be up to the app to persist the user and installation data on its own. The SDK handles this instead, which implies that it would handle the entire lifecycle of those keys and state.

This seems to be an opinion, but if you come up with a solution, I'll review it. You are also assuming that when "every" developer deletes their app, they want their keychain old user info deleted. The OS cleans apps off devices all of the time automatically; forcing the user to always have to login after deletion is a case-by-case scenario, and isn't applicable in "every" case

[Vortec4800]

I haven't investigated how it works, but the current Objective-C Parse SDK returns a nil currentUser after uninstall/reinstall.

As an end-user, my expectation without knowing anything about what the Keychain is would be that after deleting and reinstalling an app, all of my data would be cleared. Being logged in to an app after uninstall/reinstall would be unexpected.

When the OS clears an app off of a device, none of the persisted data is removed (unless it's a cache) and this wouldn't apply.

[cbaker6]

I haven't investigated how it works, but the current Objective-C Parse SDK returns a nil currentUser after uninstall/reinstall.

If this is true, I recommend looking there to get an idea on how/where to add the feature as the Keychain in the Swift SDK is similar.

[cbaker6]

This will be available in Swift SDK 2.0.0.

Adds configuration option to delete Keychain on app first run. This option is disabled by default and should only be enabled after the following in order to avoid users having to re-login:

1. Update to Swift SDK 2.0.0
2. Run/open the Swift SDK based app at least 1 time
3. Then enable the setting:

let newConfiguration = ParseConfiguration(applicationId: "yo",
                                                      serverURL: server,
                                                      deleteKeychainIfNeeded: false)
ParseSwift.initialize(configuration: newConfiguration)