Fix login race condition and JWT FAIL_UNAUTHORIZED blocking callers

1. Split LoginHelper into switchUser() + enqueueLogin() so the
   non-suspend login() can synchronously swap user models (instant,
   no network) while the backend create-user call fires in the
   background. This prevents ANRs on main thread while ensuring
   tags target the correct user after each login() call.
   loginSuspend() still uses the full login() which awaits the
   backend operation.

2. Wake enqueueAndWait waiters on FAIL_UNAUTHORIZED and
   FAIL_PAUSE_OPREPO before re-queuing operations. Re-queued items
   use waiter=null so future retries don't reference stale waiters.
   This prevents loginSuspend from hanging forever when a JWT is
   invalid or the op repo pauses.

Fixes SDK-4338

Made-with: Cursor

Author: AR Abdul Azeez

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/internal/operations/impl/OperationRepo.kt

@@ -288,8 +288,15 @@ internal class OperationRepo(
                     if (externalId != null) {
                         _jwtTokenStore.invalidateJwt(externalId)
                         Logging.warn("Operation execution failed with 401 Unauthorized, JWT invalidated for user: $externalId. Operations re-queued.")
+                        // Unblock any enqueueAndWait callers so loginSuspend doesn't hang.
+                        ops.forEach { it.waiter?.wake(false) }
+                        // Re-queue with waiter = null: the operation is preserved for retry
+                        // (once a new JWT is provided via updateUserJwt), but the original
+                        // waiter is detached since it was already woken above.
                         synchronized(queue) {
-                            ops.reversed().forEach { queue.add(0, it) }
+                            ops.reversed().forEach {
+                                queue.add(0, OperationQueueItem(it.operation, waiter = null, bucket = it.bucket, retries = it.retries))
+                            }
                         }
                         dispatchJwtInvalidatedToApp(externalId)
                     } else {
@@ -331,9 +338,15 @@ internal class OperationRepo(
                     Logging.error("Operation execution failed with eventual retry, pausing the operation repo: $operations")
                     // keep the failed operation and pause the operation repo from executing
                     paused = true
-                    // add back all operations to the front of the queue to be re-executed.
+                    // Unblock any enqueueAndWait callers so loginSuspend doesn't hang.
+                    ops.forEach { it.waiter?.wake(false) }
+                    // Re-queue with waiter = null: the operation is preserved for retry
+                    // on next cold start, but the original waiter is detached since it
+                    // was already woken above.
                     synchronized(queue) {
-                        ops.reversed().forEach { queue.add(0, it) }
+                        ops.reversed().forEach {
+                            queue.add(0, OperationQueueItem(it.operation, waiter = null, bucket = it.bucket, retries = it.retries))
+                        }
                     }
                 }
             }

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/internal/OneSignalImp.kt

@@ -384,14 +384,20 @@ internal class OneSignalImp(
 
         if (isBackgroundThreadingEnabled) {
             waitForInit(operationName = "login")
-            suspendifyOnIO { loginHelper.login(externalId, jwtBearerToken) }
         } else {
             if (!isInitialized) {
                 throw IllegalStateException("Must call 'initWithContext' before 'login'")
             }
+        }
+
+        val context = loginHelper.switchUser(externalId, jwtBearerToken) ?: return
+
+        if (isBackgroundThreadingEnabled) {
+            suspendifyOnIO { loginHelper.enqueueLogin(context) }
+        } else {
             Thread {
                 runBlocking(runtimeIoDispatcher) {
-                    loginHelper.login(externalId, jwtBearerToken)
+                    loginHelper.enqueueLogin(context)
                 }
             }.start()
         }

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/LoginHelper.kt

@@ -15,22 +15,30 @@ class LoginHelper(
     private val jwtTokenStore: JwtTokenStore,
     private val lock: Any,
 ) {
-    suspend fun login(
+    internal data class LoginEnqueueContext(
+        val appId: String,
+        val newIdentityOneSignalId: String,
+        val externalId: String,
+        val existingOneSignalId: String?,
+    )
+
+    /**
+     * Synchronously switches local user models under the login/logout lock.
+     * Returns context needed for [enqueueLogin], or null if the user was
+     * already logged in with [externalId] (no switch needed).
+     */
+    internal fun switchUser(
         externalId: String,
         jwtBearerToken: String? = null,
-    ) {
-        var currentIdentityExternalId: String? = null
-        var currentIdentityOneSignalId: String? = null
-        var newIdentityOneSignalId: String = ""
-
+    ): LoginEnqueueContext? {
         synchronized(lock) {
-            currentIdentityExternalId = identityModelStore.model.externalId
-            currentIdentityOneSignalId = identityModelStore.model.onesignalId
+            val currentExternalId = identityModelStore.model.externalId
+            val currentOneSignalId = identityModelStore.model.onesignalId
 
-            if (currentIdentityExternalId == externalId) {
+            if (currentExternalId == externalId) {
                 jwtTokenStore.putJwt(externalId, jwtBearerToken)
                 operationRepo.forceExecuteOperations()
-                return
+                return null
             }
 
             jwtTokenStore.putJwt(externalId, jwtBearerToken)
@@ -39,28 +47,47 @@ class LoginHelper(
                 identityModel.externalId = externalId
             }
 
-            newIdentityOneSignalId = identityModelStore.model.onesignalId
-        }
+            val newOneSignalId = identityModelStore.model.onesignalId
 
-        val existingOneSignalId =
-            if (configModel.useIdentityVerification == true) {
-                null
-            } else {
-                if (currentIdentityExternalId == null) currentIdentityOneSignalId else null
-            }
+            val existingOneSignalId =
+                if (configModel.useIdentityVerification == true) {
+                    null
+                } else {
+                    if (currentExternalId == null) currentOneSignalId else null
+                }
 
+            return LoginEnqueueContext(configModel.appId, newOneSignalId, externalId, existingOneSignalId)
+        }
+    }
+
+    /**
+     * Enqueues the [LoginUserOperation] and suspends until it completes.
+     */
+    internal suspend fun enqueueLogin(context: LoginEnqueueContext) {
         val result =
             operationRepo.enqueueAndWait(
                 LoginUserOperation(
-                    configModel.appId,
-                    newIdentityOneSignalId,
-                    externalId,
-                    existingOneSignalId,
+                    context.appId,
+                    context.newIdentityOneSignalId,
+                    context.externalId,
+                    context.existingOneSignalId,
                 ),
             )
 
         if (!result) {
             Logging.warn("Could not login user")
         }
     }
+
+    /**
+     * Full login: switches user models then waits for the backend operation.
+     * Used by [loginSuspend] where the caller can afford to suspend.
+     */
+    suspend fun login(
+        externalId: String,
+        jwtBearerToken: String? = null,
+    ) {
+        val context = switchUser(externalId, jwtBearerToken) ?: return
+        enqueueLogin(context)
+    }
 }