Recover early iOS sessions with shared service lookup

ivo liondov · ivo liondov · commit 58e4baebb32e · 2026-03-11T08:32:48.000Z
diff --git a/ios/ApproovPinningDelegate.h b/ios/ApproovPinningDelegate.h
@@ -40,15 +40,15 @@ NS_ASSUME_NONNULL_BEGIN
 /// @param approovService is the ApproovService that will provide the pinning
 /// information
 + (instancetype)createWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)delegate
-                    approovService:(ApproovService *)approovService;
+                    approovService:(ApproovService *_Nullable)approovService;
 
 /// Initializes a pinning URL session delegate.
 ///
 /// @param delegate is the original delgate
 /// @param approovService is the ApproovService that will provide the pinning
 /// information
 - (instancetype)initWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)delegate
-                  approovService:(ApproovService *)approovService;
+                  approovService:(ApproovService *_Nullable)approovService;
 
 @end
 
diff --git a/ios/ApproovPinningDelegate.m b/ios/ApproovPinningDelegate.m
@@ -38,7 +38,7 @@ @interface PinningURLSessionDelegate ()
 
 // the ApproovService that is able to interpret the trust decisions against the
 // dynamic pins
-@property ApproovService *approovService;
+@property(nonatomic, strong, nullable) ApproovService *approovService;
 
 // the original delegate to which non-authentication calls are passed
 @property(nullable) id<NSURLSessionDataDelegate> originalDelegate;
@@ -54,7 +54,7 @@ @implementation PinningURLSessionDelegate
  * information
  */
 + (instancetype)createWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)delegate
-                    approovService:(ApproovService *)approovService {
+                    approovService:(ApproovService *_Nullable)approovService {
   return [[self alloc] initWithDelegate:delegate approovService:approovService];
 }
 
@@ -66,7 +66,7 @@ + (instancetype)createWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)deleg
  * information
  */
 - (instancetype)initWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)delegate
-                  approovService:(ApproovService *)approovService {
+                  approovService:(ApproovService *_Nullable)approovService {
   self = [super init];
   if (self) {
     _approovService = approovService;
@@ -77,6 +77,19 @@ - (instancetype)initWithDelegate:(id<NSURLSessionDataDelegate> _Nullable)delegat
   return self;
 }
 
+/**
+ * Resolves the current ApproovService. Delegates created during early
+ * swizzling may be initialized before the native module exists, so pinning
+ * must recover the live service at challenge time.
+ */
+- (ApproovService *_Nullable)currentApproovService {
+  ApproovService *service = _approovService ?: [ApproovService sharedService];
+  if (_approovService == nil && service != nil) {
+    _approovService = service;
+  }
+  return service;
+}
+
 /**
  * Forwards authentication challenges to the wrapped delegate when available.
  * Task-level callback is preferred when a task is available, then
@@ -156,9 +169,23 @@ - (void)URLSession:(NSURLSession *)session
               host);
   if ([challenge.protectionSpace.authenticationMethod
           isEqualToString:NSURLAuthenticationMethodServerTrust]) {
+    ApproovService *service = [self currentApproovService];
+    if (service == nil) {
+      ApproovLogW(@"ApproovService unavailable for task server-trust "
+                  @"challenge on %@, forwarding without pin verification",
+                  host);
+      [self forwardChallengeToOriginalDelegateForSession:session
+                                                    task:dataTask
+                                               challenge:challenge
+                                       completionHandler:completionHandler
+                                           challengeType:@"server-trust "
+                                                         @"(service "
+                                                         @"unavailable)"];
+      return;
+    }
+
     ApproovTrustDecision trustDecision =
-        [_approovService verifyPins:challenge.protectionSpace.serverTrust
-                            forHost:host];
+        [service verifyPins:challenge.protectionSpace.serverTrust forHost:host];
 
     // Notify interceptor that pinning was invoked
     if (self.authChallengeCallback) {
@@ -212,9 +239,23 @@ - (void)URLSession:(NSURLSession *)session
               authMethod, host);
   if ([challenge.protectionSpace.authenticationMethod
           isEqualToString:NSURLAuthenticationMethodServerTrust]) {
+    ApproovService *service = [self currentApproovService];
+    if (service == nil) {
+      ApproovLogW(@"ApproovService unavailable for session server-trust "
+                  @"challenge on %@, forwarding without pin verification",
+                  host);
+      [self forwardChallengeToOriginalDelegateForSession:session
+                                                    task:nil
+                                               challenge:challenge
+                                       completionHandler:completionHandler
+                                           challengeType:@"server-trust "
+                                                         @"(service "
+                                                         @"unavailable)"];
+      return;
+    }
+
     ApproovTrustDecision trustDecision =
-        [_approovService verifyPins:challenge.protectionSpace.serverTrust
-                            forHost:host];
+        [service verifyPins:challenge.protectionSpace.serverTrust forHost:host];
 
     // Notify interceptor that pinning was invoked
     if (self.authChallengeCallback) {
diff --git a/ios/ApproovRCTInterceptor.m b/ios/ApproovRCTInterceptor.m
@@ -345,9 +345,25 @@ - (void)logSessionMethodResolution:(NSURLSession *)session
   NSString *tokenHeader = [ApproovService sharedTokenHeader];
   NSString *traceIDHeader = [ApproovService sharedTraceIDHeader];
   NSString *tokenBefore = [request valueForHTTPHeaderField:tokenHeader];
+  ApproovService *service = self.approovService ?: [ApproovService sharedService];
+
+  if (service == nil) {
+    ApproovLogW(@"skipping %@ interception for %@ on session %p because "
+                @"ApproovService is not yet available",
+                taskType, request.URL, session);
+    return [ApproovInterceptorResult createWithRequest:request
+                                            withAction:
+                                                ApproovInterceptorActionProceed
+                                           withMessage:@"ApproovService not "
+                                                       @"ready"];
+  }
+
+  if (self.approovService == nil) {
+    self.approovService = service;
+  }
 
   ApproovInterceptorResult *result =
-      [self.approovService interceptRequest:request];
+      [service interceptRequest:request];
   NSString *tokenAfterIntercept =
       [result.request valueForHTTPHeaderField:tokenHeader];
   NSString *traceAfterIntercept =
diff --git a/ios/ApproovService.h b/ios/ApproovService.h
@@ -74,6 +74,9 @@ typedef NS_ENUM(NSUInteger, ApproovTrustDecision) {
 /// interceptors and bridges calls from Javascript
 @interface ApproovService : NSObject <RCTBridgeModule>
 
+/// Returns the current shared service instance when available.
++ (nullable ApproovService *)sharedService;
+
 /// Intercepts a request and updates it to potentially add an Approov token
 /// and/or perform substitutions on headers and query parameters.
 ///
diff --git a/ios/ApproovService.m b/ios/ApproovService.m
@@ -109,6 +109,9 @@ @implementation ApproovService
 // Approov itself can be initialized - or 0.0 they may proceed immediately
 NSTimeInterval earliestNetworkRequestTime = 0.0;
 
+// the current shared ApproovService instance
+static ApproovService *sharedApproovService = nil;
+
 // original config string used during initialization
 NSString *initialConfigString = nil;
 
@@ -209,6 +212,10 @@ - (instancetype)init {
                 format:@"Approov native module failed to initialize"];
   }
 
+  @synchronized([ApproovService class]) {
+    sharedApproovService = self;
+  }
+
   // setup the state for the ApproovService
   substitutionHeaders = [[NSMutableDictionary alloc] init];
   substitutionQueryParams = [[NSMutableSet alloc] init];
@@ -1701,6 +1708,12 @@ + (BOOL)sharedUseApproovStatusIfNoToken {
   return useApproovStatusIfNoToken;
 }
 
++ (ApproovService *)sharedService {
+  @synchronized([ApproovService class]) {
+    return sharedApproovService;
+  }
+}
+
 + (NSString *)sharedTokenHeader {
   @synchronized(approovTokenHeader) {
     return approovTokenHeader;
