fix(mobile): logout on upgrade (#26827)

* use cookiejar

* cookie duping hook

* remove old pref

* handle network switching on logout

* remove bootstrapCookies

* dead code

* fix cast

* use constants

* use new event name

* update api

mobile/ios/Runner/Core/Network.g.swift

@@ -225,7 +225,7 @@ protocol NetworkApi {
   func removeCertificate(completion: @escaping (Result<Void, Error>) -> Void)
   func hasCertificate() throws -> Bool
   func getClientPointer() throws -> Int64
-  func setRequestHeaders(headers: [String: String], serverUrls: [String]) throws
+  func setRequestHeaders(headers: [String: String], serverUrls: [String], token: String?) throws
 }
 
 /// Generated setup class from Pigeon to handle messages through the `binaryMessenger`.
@@ -315,8 +315,9 @@ class NetworkApiSetup {
         let args = message as! [Any?]
         let headersArg = args[0] as! [String: String]
         let serverUrlsArg = args[1] as! [String]
+        let tokenArg: String? = nilOrValue(args[2])
         do {
-          try api.setRequestHeaders(headers: headersArg, serverUrls: serverUrlsArg)
+          try api.setRequestHeaders(headers: headersArg, serverUrls: serverUrlsArg, token: tokenArg)
           reply(wrapResult(nil))
         } catch {
           reply(wrapError(error))

mobile/ios/Runner/Core/NetworkApiImpl.swift

@@ -58,42 +58,39 @@ class NetworkApiImpl: NetworkApi {
     return Int64(Int(bitPattern: pointer))
   }
   
-  func setRequestHeaders(headers: [String : String], serverUrls: [String]) throws {
-    var headers = headers
-    if let token = headers.removeValue(forKey: "x-immich-user-token") {
+  func setRequestHeaders(headers: [String : String], serverUrls: [String], token: String?) throws {
+    URLSessionManager.setServerUrls(serverUrls)
+
+    if let token = token {
+      let expiry = Date().addingTimeInterval(COOKIE_EXPIRY_DAYS * 24 * 60 * 60)
       for serverUrl in serverUrls {
         guard let url = URL(string: serverUrl), let domain = url.host else { continue }
         let isSecure = serverUrl.hasPrefix("https")
-        let cookies: [(String, String, Bool)] = [
-          ("immich_access_token", token, true),
-          ("immich_is_authenticated", "true", false),
-          ("immich_auth_type", "password", true),
+        let values: [AuthCookie: String] = [
+          .accessToken: token,
+          .isAuthenticated: "true",
+          .authType: "password",
         ]
-        let expiry = Date().addingTimeInterval(400 * 24 * 60 * 60)
-        for (name, value, httpOnly) in cookies {
+        for (cookie, value) in values {
           var properties: [HTTPCookiePropertyKey: Any] = [
-            .name: name,
+            .name: cookie.name,
             .value: value,
             .domain: domain,
             .path: "/",
             .expires: expiry,
           ]
           if isSecure { properties[.secure] = "TRUE" }
-          if httpOnly { properties[.init("HttpOnly")] = "TRUE" }
-          if let cookie = HTTPCookie(properties: properties) {
-            URLSessionManager.cookieStorage.setCookie(cookie)
+          if cookie.httpOnly { properties[.init("HttpOnly")] = "TRUE" }
+          if let httpCookie = HTTPCookie(properties: properties) {
+            URLSessionManager.cookieStorage.setCookie(httpCookie)
           }
         }
       }
     }
 
-    if serverUrls.first != UserDefaults.group.string(forKey: SERVER_URL_KEY) {
-      UserDefaults.group.set(serverUrls.first, forKey: SERVER_URL_KEY)
-    }
-
     if headers != UserDefaults.group.dictionary(forKey: HEADERS_KEY) as? [String: String] {
       UserDefaults.group.set(headers, forKey: HEADERS_KEY)
-      URLSessionManager.shared.recreateSession() // Recreate session to apply custom headers without app restart
+      URLSessionManager.shared.recreateSession()
     }
   }
 }

mobile/ios/Runner/Core/URLSessionManager.swift

@@ -3,8 +3,30 @@ import native_video_player
 
 let CLIENT_CERT_LABEL = "app.alextran.immich.client_identity"
 let HEADERS_KEY = "immich.request_headers"
-let SERVER_URL_KEY = "immich.server_url"
+let SERVER_URLS_KEY = "immich.server_urls"
 let APP_GROUP = "group.app.immich.share"
+let COOKIE_EXPIRY_DAYS: TimeInterval = 400
+
+enum AuthCookie: CaseIterable {
+  case accessToken, isAuthenticated, authType
+
+  var name: String {
+    switch self {
+    case .accessToken: return "immich_access_token"
+    case .isAuthenticated: return "immich_is_authenticated"
+    case .authType: return "immich_auth_type"
+    }
+  }
+
+  var httpOnly: Bool {
+    switch self {
+    case .accessToken, .authType: return true
+    case .isAuthenticated: return false
+    }
+  }
+
+  static let names: Set<String> = Set(allCases.map(\.name))
+}
 
 extension UserDefaults {
   static let group = UserDefaults(suiteName: APP_GROUP)!
@@ -34,21 +56,94 @@ class URLSessionManager: NSObject {
     return "Immich_iOS_\(version)"
   }()
   static let cookieStorage = HTTPCookieStorage.sharedCookieStorage(forGroupContainerIdentifier: APP_GROUP)
-  
+  private static var serverUrls: [String] = []
+  private static var isSyncing = false
+
   var sessionPointer: UnsafeMutableRawPointer {
     Unmanaged.passUnretained(session).toOpaque()
   }
-  
+
   private override init() {
     delegate = URLSessionManagerDelegate()
     session = Self.buildSession(delegate: delegate)
     super.init()
+    Self.serverUrls = UserDefaults.group.stringArray(forKey: SERVER_URLS_KEY) ?? []
+    NotificationCenter.default.addObserver(
+      Self.self,
+      selector: #selector(Self.cookiesDidChange),
+      name: NSNotification.Name.NSHTTPCookieManagerCookiesChanged,
+      object: Self.cookieStorage
+    )
   }
 
   func recreateSession() {
     session = Self.buildSession(delegate: delegate)
   }
 
+  static func setServerUrls(_ urls: [String]) {
+    guard urls != serverUrls else { return }
+    serverUrls = urls
+    UserDefaults.group.set(urls, forKey: SERVER_URLS_KEY)
+    syncAuthCookies()
+  }
+
+  @objc private static func cookiesDidChange(_ notification: Notification) {
+    guard !isSyncing, !serverUrls.isEmpty else { return }
+    syncAuthCookies()
+  }
+
+  private static func syncAuthCookies() {
+    let serverHosts = Set(serverUrls.compactMap { URL(string: $0)?.host })
+    let allCookies = cookieStorage.cookies ?? []
+    let now = Date()
+
+    let serverAuthCookies = allCookies.filter {
+      AuthCookie.names.contains($0.name) && serverHosts.contains($0.domain)
+    }
+
+    var sourceCookies: [String: HTTPCookie] = [:]
+    for cookie in serverAuthCookies {
+      if cookie.expiresDate.map({ $0 > now }) ?? true {
+        sourceCookies[cookie.name] = cookie
+      }
+    }
+
+    isSyncing = true
+    defer { isSyncing = false }
+
+    if sourceCookies.isEmpty {
+      for cookie in serverAuthCookies {
+        cookieStorage.deleteCookie(cookie)
+      }
+      return
+    }
+
+    for serverUrl in serverUrls {
+      guard let url = URL(string: serverUrl), let domain = url.host else { continue }
+      let isSecure = serverUrl.hasPrefix("https")
+
+      for (_, source) in sourceCookies {
+        if allCookies.contains(where: { $0.name == source.name && $0.domain == domain && $0.value == source.value }) {
+          continue
+        }
+
+        var properties: [HTTPCookiePropertyKey: Any] = [
+          .name: source.name,
+          .value: source.value,
+          .domain: domain,
+          .path: "/",
+          .expires: source.expiresDate ?? Date().addingTimeInterval(COOKIE_EXPIRY_DAYS * 24 * 60 * 60),
+        ]
+        if isSecure { properties[.secure] = "TRUE" }
+        if source.isHTTPOnly { properties[.init("HttpOnly")] = "TRUE" }
+
+        if let cookie = HTTPCookie(properties: properties) {
+          cookieStorage.setCookie(cookie)
+        }
+      }
+    }
+  }
+
   private static func buildSession(delegate: URLSessionManagerDelegate) -> URLSession {
     let config = URLSessionConfiguration.default
     config.urlCache = urlCache