Hi,
we have been struggling with this issue for a long time now and debugged pretty much every piece of code we wrote in order to find the root cause. Issue:
1) User logs in via Facebook and uses the Token based authenticator to authenticate with the sync gateway.
2) User logs out and logs in with a basic HTTP authenticator
Problem: even though the authenticator is correctly configured and the logic is sound, the first authentication attempt happens under the old Facebook user and hence the replication is messed up.
At first, we thought that it must be an issue on our side and therefore we spent days troubleshooting but now we found evidence that something else is going on. We delete the database, we deallocate every object that is remotely related and still the issue occurs. Here are a few scenarios that have been tested:
1) Basic to Basic Authentication works
- Basic HTTP user logs in and out
- Another basic HTTP user logs in and it works as expected
2) Basic to Facebook authentication
- Basic HTTP user logs in and out
- A Facebook user logs in and it works as expected
3) Facebook user and restarting the app
- Facebook user logs in and out
- App is restarted
- Basic HTTP user logs in and it works as expected
The problem is the Facebook session in combination with the CBLManager.
When a Facebook user logs in and out, the immediate next user who tries to log in still gets the old Facebook user's context. Even flushing the Facebook session didn't change the behavior... it seems that if another user tries to log in after a FB user has been authenticated, the issue occurs. But it is solely memory based because restarting the app eliminates the issue...
We then suspected that the CBLManager might be the root cause as this is the only process that doesn't get deallocated. We found a bug on GitHub regarding session cookies and then tried to clear any cookies manually - that worked!
So here is what we do in order to work around the problem:
1) Facebook user logs in and out
2) At logout, run
    for (NSHTTPCookie *cookie in [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies])
        [[NSHTTPCookieStorage sharedHTTPCookieStorage] deleteCookie:cookie];
3) Immediately log in with a Basic HTTP and voila, it's working...
Is that expected? Is that a bug? I find it hard to believe that no one else is running into this...
Thanks,
Christoph
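A narrower form of the logout cleanup described in the post, added here as an example and not part of the original post or of Couchbase's code: it removes only the cookies that would be sent to the sync gateway, then checks that none remain before the next login. The helper name `ClearCookiesForGateway`, the URL `https://sync.example.com:4984/db` and the sample cookie are assumptions made for illustration.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper (not a Couchbase Lite API): deletes only the cookies that
// NSHTTPCookieStorage would send to the given gateway URL, leaving cookies for
// other hosts untouched. Returns the number of cookies removed.
static NSUInteger ClearCookiesForGateway(NSURL *gatewayURL) {
    NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
    // cookiesForURL: returns a snapshot array, so deleting while iterating is safe.
    NSArray<NSHTTPCookie *> *cookies = [storage cookiesForURL:gatewayURL];
    for (NSHTTPCookie *cookie in cookies) {
        [storage deleteCookie:cookie];
    }
    return cookies.count;
}

int main(void) {
    @autoreleasepool {
        NSHTTPCookieStorage *storage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
        // Placeholder URL (assumption): substitute the app's own gateway endpoint.
        NSURL *gateway = [NSURL URLWithString:@"https://sync.example.com:4984/db"];

        // Constructed sample cookie standing in for the previous user's
        // leftover session cookie; name and value are made up.
        NSHTTPCookie *stale = [NSHTTPCookie cookieWithProperties:@{
            NSHTTPCookieName: @"session",
            NSHTTPCookieValue: @"constructed-value",
            NSHTTPCookieDomain: @"sync.example.com",
            NSHTTPCookiePath: @"/",
        }];
        [storage setCookie:stale];

        // Call this at logout, before the next authenticator is attached.
        NSUInteger removed = ClearCookiesForGateway(gateway);
        NSLog(@"removed %lu cookie(s) for %@",
              (unsigned long)removed, gateway.host);

        // Post-logout check: nothing should be left to ride along with the
        // next user's first request to the gateway.
        NSUInteger left = [storage cookiesForURL:gateway].count;
        NSLog(@"%lu cookie(s) remain for the gateway", (unsigned long)left);
    }
    return 0;
}
```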