Merge branch 'main' into main

Author: w-goog

.github/workflows/pr_notification.yml

@@ -11,13 +11,18 @@ jobs:
     - name: Pull Request Details
       run: |
         echo "Pull Request: ${{ github.event.pull_request.number }}"
-        echo "Author: ${{ github.event.pull_request.user.login }}"
+        echo "Author: ${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}"
+      env:
+        GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }}
 
     - name: Google Chat Notification
       shell: bash
       env:
         TITLE: ${{ github.event.pull_request.title }}
         LABELS: ${{ join(github.event.pull_request.labels.*.name, ', ') }}
+        GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+        GITHUB_EVENT_PULL_REQUEST_USER_LOGIN: ${{ github.event.pull_request.user.login }}
+        GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}
       run: |
         curl --location --request POST '${{ secrets.WEBHOOK_URL }}' \
         --header 'Content-Type: application/json' \
@@ -34,7 +39,7 @@ jobs:
                     {
                       "keyValue": {
                         "topLabel": "Repo",
-                        "content": "${{ github.event.pull_request.head.repo.full_name }}"
+                        "content": "${GITHUB_EVENT_PULL_REQUEST_HEAD_REPO_FULL_NAME}"
                       }
                     },
                     {
@@ -46,7 +51,7 @@ jobs:
                     {
                       "keyValue": {
                         "topLabel": "Creator",
-                        "content": "${{ github.event.pull_request.user.login }}"
+                        "content": "${GITHUB_EVENT_PULL_REQUEST_USER_LOGIN}"
                       }
                     },
                     {
@@ -80,7 +85,7 @@ jobs:
                             "text": "Open Pull Request",
                             "onClick": {
                               "openLink": {
-                                "url": "${{ github.event.pull_request.html_url }}"
+                                "url": "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
                               }
                             }
                           }

.github/workflows/push_notification.yml

@@ -14,8 +14,11 @@ jobs:
     - name: Main Branch Push
       run: |
         echo "Workflow initiated by event with name: ${{ github.event_name }}"
-        echo "Pushing commit to main: ${{ github.event.head_commit.id }}"
-        echo "Pushed by: ${{ github.event.pusher.name }}"
+        echo "Pushing commit to main: ${GITHUB_EVENT_HEAD_COMMIT_ID}"
+        echo "Pushed by: ${GITHUB_EVENT_PUSHER_NAME}"
+      env:
+        GITHUB_EVENT_HEAD_COMMIT_ID: ${{ github.event.head_commit.id }}
+        GITHUB_EVENT_PUSHER_NAME: ${{ github.event.pusher.name }}
 
     - name: Push Notification to Google Chat
       run: |
@@ -34,13 +37,13 @@ jobs:
                     {
                       "keyValue": {
                         "topLabel": "Repo",
-                        "content": "${{ github.event.repository.full_name }}"
+                        "content": "${GITHUB_EVENT_REPOSITORY_FULL_NAME}"
                       }
                     },
                     {
                       "keyValue": {
                         "topLabel": "Committed by",
-                        "content": "${{ github.event.head_commit.author.username }}"
+                        "content": "${GITHUB_EVENT_HEAD_COMMIT_AUTHOR_USERNAME}"
                       }
                     },
                     {
@@ -50,7 +53,7 @@ jobs:
                             "text": "Ref comparison",
                             "onClick": {
                               "openLink": {
-                                "url": "${{ github.event.compare }}"
+                                "url": "${GITHUB_EVENT_COMPARE}"
                               }
                             }
                           }
@@ -63,4 +66,8 @@ jobs:
             }
           ]
         }'
+      env:
+        GITHUB_EVENT_REPOSITORY_FULL_NAME: ${{ github.event.repository.full_name }}
+        GITHUB_EVENT_HEAD_COMMIT_AUTHOR_USERNAME: ${{ github.event.head_commit.author.username }}
+        GITHUB_EVENT_COMPARE: ${{ github.event.compare }}
 

GoogleSignIn/Sources/GIDSignIn.m

@@ -120,8 +120,7 @@
 // Error string for user cancelations.
 static NSString *const kUserCanceledError = @"The user canceled the sign-in flow.";
 
-// User preference key to detect fresh install of the app.
-static NSString *const kAppHasRunBeforeKey = @"GID_AppHasRunBefore";
+NSString *const kAppHasRunBeforeKey = @"GID_AppHasRunBefore";
 
 // Maximum retry interval in seconds for the fetcher.
 static const NSTimeInterval kFetcherMaxRetryInterval = 15.0;
@@ -672,6 +671,11 @@ - (instancetype)initWithKeychainStore:(GTMKeychainStore *)keychainStore
 
     // Check to see if the 3P app is being run for the first time after a fresh install.
     BOOL isFreshInstall = [self isFreshInstall];
+    
+    // If this is a fresh install, ensure that any pre-existing keychain data is purged.
+    if (isFreshInstall) {
+      [self removeAllKeychainEntries];
+    }
 
     NSString *authorizationEnpointURL = [NSString stringWithFormat:kAuthorizationURLTemplate,
                                          [GIDSignInPreferences googleAuthorizationServer]];

GoogleSignIn/Sources/GIDSignIn_Private.h

@@ -32,6 +32,9 @@ NS_ASSUME_NONNULL_BEGIN
 @class GIDAppCheck;
 @class GIDAuthStateMigration;
 
+/// User preference key to detect fresh install of the app.
+extern NSString *const kAppHasRunBeforeKey;
+
 /// Represents a completion block that takes a `GIDSignInResult` on success or an error if the
 /// operation was unsuccessful.
 typedef void (^GIDSignInCompletion)(GIDSignInResult *_Nullable signInResult,

GoogleSignIn/Sources/Public/GoogleSignIn/GoogleSignIn.h

@@ -25,6 +25,4 @@
 #import "GIDToken.h"
 #import "GIDSignInResult.h"
 #import "GIDClaim.h"
-#if TARGET_OS_IOS || TARGET_OS_MACCATALYST
 #import "GIDSignInButton.h"
-#endif

GoogleSignIn/Tests/Unit/GIDSignInTest.m

@@ -120,8 +120,6 @@
      @"com.google.UnitTests:///emmcallback?action=unrecognized";
 static NSString * const kDevicePolicyAppBundleID = @"com.google.DevicePolicy";
 
-static NSString * const kAppHasRunBeforeKey = @"GPP_AppHasRunBefore";
-
 static NSString * const kFingerprintKeychainName = @"fingerprint";
 static NSString * const kVerifierKeychainName = @"verifier";
 static NSString * const kVerifierKey = @"verifier";
@@ -1212,6 +1210,19 @@ - (void)testNotHandleWrongPath {
   XCTAssertFalse(_completionCalled, @"should not call delegate");
 }
 
+#pragma mark - Test Fresh Install
+
+- (void)testFreshInstall_removesKeychainEntries {
+  // Simulate that the app has been deleted and user defaults removed.
+  [NSUserDefaults.standardUserDefaults removeObjectForKey:kAppHasRunBeforeKey];
+  // Initialization should check `isFreshInstall`.
+  GIDSignIn *signIn = [[GIDSignIn alloc] initWithKeychainStore:_keychainStore
+                                     authStateMigrationService:_authStateMigrationService];
+  // If `isFreshInstall`, keychain entries should be removed.
+  XCTAssertNotNil(signIn);
+  XCTAssertTrue(self->_keychainRemoved);
+}
+
 #pragma mark - Tests - disconnectWithCallback:
 
 // Verifies disconnect calls callback with no errors if access token is present.

README.md

@@ -48,14 +48,15 @@ Google Sign-In allows your users to sign-in to your native macOS app using their
 and default browser.  When building for macOS, the `signInWithConfiguration:` and `addScopes:`
 methods take a `presentingWindow:` parameter in place of `presentingViewController:`.  Note that
 in order for your macOS app to store credentials via the Keychain on macOS, you will need to add
-`$(AppIdentifierPrefix)$(CFBundleIdentifier)` to its keychain access group.
+`$(AppIdentifierPrefix)$(CFBundleIdentifier)` as the first item in its keychain access group.
 
 ### Mac Catalyst
 
 Google Sign-In also supports iOS apps that are built for macOS via
 [Mac Catalyst](https://developer.apple.com/mac-catalyst/).  In order for your Mac Catalyst app
 to store credentials via the Keychain on macOS, you will need to add
-`$(AppIdentifierPrefix)$(CFBundleIdentifier)` to its keychain access group.
+`$(AppIdentifierPrefix)$(CFBundleIdentifier)` as the first item in the keychain
+access group.
 
 ## Using the Google Sign-In Button
 
@@ -107,3 +108,19 @@ let signInButton = GoogleSignInButton {
 }
 let hostedButton = NSHostingView(rootView: signInButton)
 ```
+
+## A Note on iOS Keychain Access Groups
+
+GSI uses your default (first listed) keychain access group. If you don't add a
+custom keychain access group, the default keychain access group is provided by
+Xcode and looks like `$(AppIdentifierPrefix)$(CFBundleIdentifier)`.
+
+GSI [removes keychain items upon fresh install](https://github.com/google/GoogleSignIn-iOS/pull/567)
+to ensure that stale credentials from previous installs of your app are not
+mistakenly used. If your app uses a shared access group by default this may
+lead to new installs of apps sharing the same keychain access group to remove
+keychain credentials for apps already installed. 
+
+To prevent unintentional credential removal, you can explicitly list the
+typical default access group (or whatever you prefer so long as it is not
+shared) in your list first. GSI, will then use that default access group.