Fix: Critical login state and authentication issues

[zerox80]

Fix: Critical Login State Loss & Authentication Issues

📋 Overview

This PR resolves critical issues in the login process, specifically regarding OAuth authentication (OIDC). The primary issue was that the LoginActivity state (and thus crucial authentication parameters) was lost when the user switched to the browser view (Custom Tabs) and returned. This resulted in login failures or app crashes/restarts, particularly on devices with aggressive memory management.

🐛 The Problem

When the app opens the browser for OAuth login, LoginActivity is pushed to the background. Android may terminate the app process at this point to reclaim memory.
When the user returns after logging in:

1. LoginActivity is recreated (onCreate).
2. All in-memory variables (like codeVerifier, codeChallenge, serverBaseUrl) are gone.
3. The app no longer knows where to connect or how to verify the received "Auth Code".
4. Result: Login fails or the app returns to the start screen (URL input field), forcing the user to re-enter the URL even though they had already done so. This commonly occurred when switching apps, for example, to copy credentials from a Password Manager.

🛠 The Solution

The solution consists of three main components:

1. Persistent Storage (SharedPreferences): Critical OAuth parameters (codeVerifier, codeChallenge, oidcState) are now explicitly saved to SharedPreferences before the browser is opened. This is more robust than onSaveInstanceState as it survives complete process restarts.
2. State Restoration: In onCreate and onSaveInstanceState, the UI state (URL input, Auth method) is now correctly saved and restored.
3. Intent Handling (SingleTop): Prevents a new instance of LoginActivity from being placed on the stack when the browser returns. Instead, the existing instance is reused.

---

🔍 Detailed Code Analysis

1. AuthenticationViewModel.kt - Mutability for Restore

We need to make the OAuth parameters mutable so we can overwrite them when restoring the old state from storage.

// BEFORE: Immutable values (val), generated when the class was created
// val codeVerifier: String = OAuthUtils().generateRandomCodeVerifier()

// AFTER: Mutable values (var), so we can overwrite them
// when restoring the old state.
var codeVerifier: String = OAuthUtils().generateRandomCodeVerifier()
var codeChallenge: String = OAuthUtils().generateCodeChallenge(codeVerifier)
var oidcState: String = OAuthUtils().generateRandomState()

2. LoginActivity.kt - Intent & Task Management

When the browser returns with the Auth Code, we don't want Android to layer a new LoginActivity over the old one. We want to reactivate the old one.

override fun onCreate(savedInstanceState: Bundle?) {
    // Check if we are returning via a Redirect (Deep Link) with an Auth Code
    if (intent.data != null && (intent.data?.getQueryParameter("code") != null || intent.data?.getQueryParameter("error") != null)) {
        if (!isTaskRoot) {
            // IMPORTANT: If we are not the root activity, bring the existing instance to the front.
            // FLAG_ACTIVITY_CLEAR_TOP: Removes everything that might be above LoginActivity.
            // FLAG_ACTIVITY_SINGLE_TOP: Uses the existing instance (calls onNewIntent) instead of creating a new one.
            val newIntent = Intent(this, LoginActivity::class.java)
            newIntent.data = intent.data
            newIntent.addFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP or Intent.FLAG_ACTIVITY_SINGLE_TOP)
            startActivity(newIntent)
            finish()
            return
        }
    }
    super.onCreate(savedInstanceState)
    // ...

3. LoginActivity.kt - Saving & Loading Auth State

Here lies the magic of persistence. We don't just rely on RAM.

Saving before Browser Launch:

private fun startOAuthAuthorization(...) {
    // ...
    try {
        // BEFORE opening the browser, we save everything securely to "disk" (SharedPreferences).
        saveAuthState() 
        customTabsIntent.launchUrl(this, authorizationEndpointUri)
    } catch (e: Exception) { ... }
}

private fun saveAuthState() {
    val prefs = getSharedPreferences("auth_state", android.content.Context.MODE_PRIVATE)
    prefs.edit().apply {
        // We save the cryptographic keys needed to verify the login.
        putString(KEY_CODE_VERIFIER, authenticationViewModel.codeVerifier)
        putString(KEY_CODE_CHALLENGE, authenticationViewModel.codeChallenge)
        putString(KEY_OIDC_STATE, authenticationViewModel.oidcState)
        apply()
    }
}

Restoring on Start (onCreate):

// In onCreate...
} else {
    // If savedInstanceState exists (e.g., screen rotated or restored by system)
    authTokenType = savedInstanceState.getString(KEY_AUTH_TOKEN_TYPE)
    
    // Restore Server URL so the input field isn't empty
    savedInstanceState.getString(KEY_SERVER_BASE_URL)?.let { serverBaseUrl = it }
    oidcSupported = savedInstanceState.getBoolean(KEY_OIDC_SUPPORTED)

    // Restore ViewModel data from Bundle
    savedInstanceState.getString(KEY_CODE_VERIFIER)?.let { authenticationViewModel.codeVerifier = it }
    // ...
}

// ... further down in onCreate ...

// If we return with an Auth Code (Intent Data has "code")
if (intent.data != null && (intent.data?.getQueryParameter("code") != null ...)) {
    // If savedInstanceState is null (e.g., process was completely dead),
    // we try to rescue the state from SharedPreferences.
    if (savedInstanceState == null) {
        restoreAuthState()
    }
    handleGetAuthorizationCodeResponse(intent)
}

Cleanup on Success:

// If login was successful, we delete the temporary data.
private fun onAccountCreationSuccessful(...) {
    // ...
    clearAuthState()
}

4. LoginActivity.kt - UI State Restoration

We ensure that the UI (input fields, button visibility) is correctly restored so the user isn't faced with an empty screen.

// Restore UI state
if (::serverBaseUrl.isInitialized && serverBaseUrl.isNotEmpty()) {
    binding.hostUrlInput.setText(serverBaseUrl)
    
    // Show correct fields (Basic Auth vs. OAuth) based on previous state
    if (authTokenType == BASIC_TOKEN_TYPE) {
        showOrHideBasicAuthFields(shouldBeVisible = true)
    } else if (authTokenType == OAUTH_TOKEN_TYPE) {
        showOrHideBasicAuthFields(shouldBeVisible = false)
    }
}

✅ Verification / Testing

1. Scenario: Simulate Process Death
   • Open App -> Enter Server URL -> Click "Connect".
   • Browser opens for login.
   • Now: Switch to a different App (Password Manager)
   • Return to browser -> Complete login.
   • Expectation: App opens, does NOT crash, login completes successfully.
2. Scenario: Normal Flow
   • Standard login flow without interruption.
   • Expectation: Works as before, no regressions.

---

Notice: I utilized Gemini 3 Pro to accelerate the development of this PR. Therefore, I consider a single-person review (2-eye principle) insufficient. I strictly prefer a 4-eye principle review by another contributor to ensure correctness.

[zerox80]

Notice: I utilized Gemini 3 Pro to accelerate the development of this PR. Therefore, I consider a single-person review (2-eye principle) insufficient. I strictly prefer a 4-eye principle review by another contributor to ensure correctness.

[guruz]

Looks fine in general 👍 I will give it a test

[guruz]

@zerox80 Why is this line here?
If this is a glitch from something else, can you please re-base this PR so we see if it's still there?

[zerox80]

its not glitch from something else, i always rebase all PRs after u merge something. What do u mean ? im confused

[guruz]

New app installation, fails immediatly after initial launch (I can still accept that the app sends me notifications)

01-12 17:16:37.513 32691 32691 D AndroidRuntime: Shutting down VM
01-12 17:16:37.514 32691 32691 E AndroidRuntime: FATAL EXCEPTION: main
01-12 17:16:37.514 32691 32691 E AndroidRuntime: Process: eu.opencloud.android.debug, PID: 32691
01-12 17:16:37.514 32691 32691 E AndroidRuntime: java.lang.RuntimeException: Unable to start activity ComponentInfo{eu.opencloud.android.debug/eu.opencloud.android.presentation.authentication.LoginActivity}: java.lang.IllegalStateException: SavedStateRegistry was already restored.
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:4280)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:4467)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:222)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.servertransaction.TransactionExecutor.executeNonLifecycleItem(TransactionExecutor.java:133)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.servertransaction.TransactionExecutor.executeTransactionItems(TransactionExecutor.java:103)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:80)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2823)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.os.Handler.dispatchMessage(Handler.java:110)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.os.Looper.loopOnce(Looper.java:248)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.os.Looper.loop(Looper.java:338)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.ActivityThread.main(ActivityThread.java:9067)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at java.lang.reflect.Method.invoke(Native Method)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:593)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:932)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: Caused by: java.lang.IllegalStateException: SavedStateRegistry was already restored.
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at androidx.savedstate.SavedStateRegistry.performRestore$savedstate_release(SavedStateRegistry.kt:221)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at androidx.savedstate.SavedStateRegistryController.performRestore(SavedStateRegistryController.kt:69)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at androidx.activity.ComponentActivity.onCreate(ComponentActivity.java:361)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at androidx.fragment.app.FragmentActivity.onCreate(FragmentActivity.java:217)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at eu.opencloud.android.presentation.authentication.LoginActivity.onCreate(LoginActivity.kt:140)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.Activity.performCreate(Activity.java:9155)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.Activity.performCreate(Activity.java:9133)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1521)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:4262)
01-12 17:16:37.514 32691 32691 E AndroidRuntime: 	... 13 more
01-12 17:16:37.519   676  1500 W ActivityTaskManager:   Force finishing activity eu.opencloud.android.debug/eu.opencloud.android.presentation.authentication.LoginActivity

Might also be fishy that I see super.onCreate(savedInstanceState)called twice from same function

[zerox80]

yes i solved that super stuff in other PR xD

[zerox80]

will focus this PR soon, i am cooking stuff with conflict management while syncing.

[guruz]

OK, yes, rebase because I think all the stuff in ic_action_open_shortcut.xml is also not relevant herew :-)

[zerox80]

@guruz

[guruz]

@zerox80 Thanks for fixes, it seems to work now. Tried adding an account and switching away to another app as soon as the browser opens. Then switch back to app.

I wonnder, I see this one in debug output:

01-14 11:27:01.506  4362  4362 D MainApp$onCreate: LoginActivity onCreate(Bundle) starting
01-14 11:27:01.507  4362  4362 D (MainApp.kt:128): D: LoginActivity onCreate(Bundle) starting
01-14 11:27:01.510  4362  4362 D LoginActivity: onCreate called with intent data: null, isTaskRoot: true
01-14 11:27:01.510  4362  4362 D (LoginActivity.kt:127): D: onCreate called with intent data: null, isTaskRoot: true

But I do not see this message. Am I supposed to see it?
Timber.d("OAuth redirect detected with code or error parameter")
(I have the Android default, so Chrome. Not firefox)

Am I testing this the right way?

Or does this just mean my activity was not taken out of memory?

[zerox80]

@zerox80 Thanks for fixes, it seems to work now. Tried adding an account and switching away to another app as soon as the browser opens. Then switch back to app.

I wonnder, I see this one in debug output:

01-14 11:27:01.506  4362  4362 D MainApp$onCreate: LoginActivity onCreate(Bundle) starting
01-14 11:27:01.507  4362  4362 D (MainApp.kt:128): D: LoginActivity onCreate(Bundle) starting
01-14 11:27:01.510  4362  4362 D LoginActivity: onCreate called with intent data: null, isTaskRoot: true
01-14 11:27:01.510  4362  4362 D (LoginActivity.kt:127): D: onCreate called with intent data: null, isTaskRoot: true

But I do not see this message. Am I supposed to see it? Timber.d("OAuth redirect detected with code or error parameter") (I have the Android default, so Chrome. Not firefox)

Am I testing this the right way?

Or does this just mean my activity was not taken out of memory?

The message "OAuth redirect detected with code or error parameter" only appears when the Activity is launched/recreated via an OAuth redirect (i.e., with ?code= or ?error= parameter in the intent data).

What you're seeing is completely correct - your Activity was still in memory and simply resumed when you switched back to the app. The debug output shows intent data: null, which confirms no OAuth redirect triggered the restart.

The primary use case this fix addresses is exactly what you tested: switching to a Password Manager (or another app) while the browser is open. Before this fix, if Android decided to kill the app (which happens frequently on devices with aggressive memory management), users would return to an empty URL field and have to start over.

The fact that you didn't see the specific log message just means your device had enough memory to keep the Activity alive this time. But the fix is now in place to handle the cases where it doesn't!

If you want to specifically test the edge case, you can enable Developer Options -> "Don't keep activities" - but if login worked successfully for you, everything is working as intended!