From f6d1ca82ef78da8e516819b68c71cb95038196ae Mon Sep 17 00:00:00 2001 From: Andy Witrisna Date: Tue, 13 Aug 2024 12:43:52 -0700 Subject: [PATCH] SDKS-3346 Potential CustomTabManager ServiceConnection leak. --- CHANGELOG.md | 3 +++ .../android/auth/centralize/AuthorizeContract.kt | 10 +++++++--- .../android/auth/centralize/EndSessionContract.kt | 8 ++++++-- .../org/forgerock/android/auth/ServerConfigTest.java | 6 +++--- .../src/main/java/com/example/app/env/EnvViewModel.kt | 1 - 5 files changed, 19 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1298ca6c..3b60c414 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ #### Added - Skip Type 4 TextOutputCallback [SDKS-3227] +#### Fixed +- Potential CustomTabManager ServiceConnection leak. [SDKS-3346] + ## [4.5.0] #### Added - Added SDK support for deleting registered WebAuthn devices from the server. [SDKS-1710] diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/AuthorizeContract.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/AuthorizeContract.kt index 31ca7e41..75435a22 100644 --- a/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/AuthorizeContract.kt +++ b/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/AuthorizeContract.kt @@ -30,6 +30,9 @@ import org.forgerock.android.auth.exception.BrowserAuthenticationException */ internal class AuthorizeContract : ActivityResultContract>() { + + private lateinit var authorizationService: AuthorizationService + /** * Creates an intent for the authorization request. * 
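Review bot: The new `private lateinit var authorizationService: AuthorizationService` carries no comment explaining why the service became an instance field, and a reader of the class header alone cannot tell that it exists only so `parseResult` can release what `createIntent` created; add `// Created in createIntent and disposed in parseResult so the CustomTabManager ServiceConnection it binds is released (SDKS-3346).` above the declaration. While the field is live it also keeps the `Context` handed to `createIntent` reachable from the contract object, presumably an Activity context (not visible from this hunk), so the comment should state that the contract is expected to serve one launch at a time. The same undocumented property is added to `EndSessionContract` in the hunk at -26.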
@@ -63,7 +66,7 @@ internal class AuthorizeContract : //Allow caller to override AppAuth default setting val appAuthConfigurationBuilder = AppAuthConfiguration.Builder() configurer.appAuthConfigurationBuilder.accept(appAuthConfigurationBuilder) - val authorizationService = + authorizationService = AuthorizationService(context, appAuthConfigurationBuilder.build()) //Allow caller to override custom tabs default setting @@ -73,7 +76,6 @@ internal class AuthorizeContract : val request = builder.build() return authorizationService.getAuthorizationRequestIntent(request, intentBuilder.build()) - } /** @@ -87,6 +89,7 @@ internal class AuthorizeContract : resultCode: Int, intent: Intent?, ): Result { + authorizationService.dispose() intent?.let { i -> val error = AuthorizationException.fromIntent(i) error?.let { @@ -100,7 +103,8 @@ internal class AuthorizeContract : val result = AuthorizationResponse.fromIntent(i) result?.let { return Result.Success(it) - } ?: return Result.Failure(BrowserAuthenticationException("Failed to retrieve authorization code")) + } + ?: return Result.Failure(BrowserAuthenticationException("Failed to retrieve authorization code")) } return Result.Failure(BrowserAuthenticationException("No response data")) } diff --git a/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/EndSessionContract.kt b/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/EndSessionContract.kt index 9e9d6029..22b655ea 100644 --- a/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/EndSessionContract.kt +++ b/forgerock-auth/src/main/java/org/forgerock/android/auth/centralize/EndSessionContract.kt @@ -26,6 +26,9 @@ import org.forgerock.android.auth.StringUtils */ internal class EndSessionContract : ActivityResultContract>() { + + private lateinit var authorizationService: AuthorizationService + /** * Creates an intent for the end session request. * @param context The context to use for creating the intent. 
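Review bot: `authorizationService.dispose()` at the top of `parseResult` reads a `lateinit` property that is only assigned inside `createIntent`, so any call path in which `parseResult` runs on an instance whose `createIntent` did not run — Android can hand a pending activity result to a freshly registered contract after process death, which I infer rather than see here — throws `UninitializedPropertyAccessException` before the intent is examined. Guard the call so an unset field is skipped: `if (::authorizationService.isInitialized) authorizationService.dispose()`, or make the property nullable and clear it after disposing so a contract reused for a second launch never disposes a stale service. The identical unguarded call is added to `EndSessionContract.parseResult` in the hunk at -68. The `parseResult` body continues past the end of this hunk.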
@@ -52,10 +55,10 @@ internal class EndSessionContract : builder.setIdTokenHint(input.idToken) } - val authService = + authorizationService = AuthorizationService(context, input.appAuthConfiguration) - return authService.getEndSessionRequestIntent(builder.build()) + return authorizationService.getEndSessionRequestIntent(builder.build()) } /** @@ -68,6 +71,7 @@ internal class EndSessionContract : resultCode: Int, intent: Intent?, ): Result { + authorizationService.dispose() intent?.let { i -> val resp = EndSessionResponse.fromIntent(i) resp?.let { diff --git a/forgerock-auth/src/test/java/org/forgerock/android/auth/ServerConfigTest.java b/forgerock-auth/src/test/java/org/forgerock/android/auth/ServerConfigTest.java index 5fef818e..4e064fdf 100644 --- a/forgerock-auth/src/test/java/org/forgerock/android/auth/ServerConfigTest.java +++ b/forgerock-auth/src/test/java/org/forgerock/android/auth/ServerConfigTest.java @@ -80,7 +80,7 @@ public void testSha256Pinning() throws InterruptedException { ServerConfig serverConfig = ServerConfig.builder() .context(context) .url("https://api.ipify.org") - .pin("2lFvaIHpsTcbb5uqa08S2k6wzLKscXXx1k1hKoX9R1Q=") + .pin("tWrCr1GAahCs75/Wfx+5pjRXCtOTzMPyw8TNPPivO0I=") .build(); OkHttpClient client = OkHttpClientProvider.getInstance().lookup(serverConfig); @@ -122,7 +122,7 @@ public void testMultiplePinning() throws InterruptedException { ServerConfig serverConfig = ServerConfig.builder() .context(context) .url("https://api.ipify.org") - .pin("2lFvaIHpsTcbb5uqa08S2k6wzLKscXXx1k1hKoX9R1Q=") + .pin("tWrCr1GAahCs75/Wfx+5pjRXCtOTzMPyw8TNPPivO0I=") .pin("invalid") .build(); 
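Review bot: The SHA-256 pin literal `tWrCr1GAahCs75/Wfx+5pjRXCtOTzMPyw8TNPPivO0I=` is now duplicated in three places (the two `.pin(...)` hunks here and the `CertificatePinner` hunk at -214), so hoist it into one `private static final String IPIFY_SHA256_PIN` and reference it from all three tests. These tests pin the live certificate of a third-party host, which means they break on every rotation of that certificate — presumably why this commit rewrites the value — and the hunk does not show whether the new hash is the leaf or an intermediate; pinning the issuing CA's hash, or running the pinning assertion against a MockWebServer with a fixture certificate, would decouple the test from that rotation. The move from `sha1/` to `sha256/` at -214 is the right direction, since OkHttp treats SHA-1 pins as deprecated.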
@@ -214,7 +214,7 @@ public void testBuildStepWithCustomPin() throws InterruptedException { .context(context) .url("https://api.ipify.org") .buildStep(builder -> builder.certificatePinner( - new CertificatePinner.Builder().add("api.ipify.org", "sha1/FAx66BsuUMrmrBnZ8F0GKxBZxLs=" ).build())) + new CertificatePinner.Builder().add("api.ipify.org", "sha256/tWrCr1GAahCs75/Wfx+5pjRXCtOTzMPyw8TNPPivO0I=" ).build())) .build(); OkHttpClient client = OkHttpClientProvider.getInstance().lookup(serverConfig); diff --git a/samples/app/src/main/java/com/example/app/env/EnvViewModel.kt b/samples/app/src/main/java/com/example/app/env/EnvViewModel.kt index 617b4c09..98ce4fb0 100644 --- a/samples/app/src/main/java/com/example/app/env/EnvViewModel.kt +++ b/samples/app/src/main/java/com/example/app/env/EnvViewModel.kt @@ -127,7 +127,6 @@ class EnvViewModel : ViewModel() { } oauth { oauthClientId = "AndroidTest" - oauthRedirectUri = "org.forgerock.demo:/oauth2redirect" oauthCacheSeconds = 0 oauthScope = "openid profile email address phone" oauthThresholdSeconds = 0