@W-19461869: [M1][MSDK13.1] Enable Flexible Server Matching for QR Code Login (Android) (W.I.P.: Code Review Updates w/Remaining To-Dos And Disabling Test That Only Fail In CI)

Author: JohnsonEricAtSalesforce

libs/SalesforceSDK/src/com/salesforce/androidsdk/config/LoginServerManager.java

@@ -271,7 +271,7 @@ public List<LoginServer> getLoginServers() {
 		} else {
 			allServers = getLoginServersFromPreferences(runtimePrefs);
 		}
-		return allServers;
+		return allServers; // TODO: Evaluate this new warning. ECJ20250911
 	}
 
 	/**
@@ -447,37 +447,6 @@ private List<LoginServer> getLoginServersFromPreferences(SharedPreferences prefs
 		return (!allServers.isEmpty() ? allServers : null);
 	}
 
-    // region Login Server Managing Implementation
-
-    /**
-     * Returns the login server at the specified index.
-     *
-     * @param index The index of the login server to retrieve
-     * @return The Login server instance at the specified index, or null if index is out of bounds
-     */
-    @Override
-    public LoginServer loginServerAtIndex(int index) {
-        final List<LoginServer> servers = getLoginServers();
-        if (servers != null && index >= 0 && index < servers.size()) {
-            return servers.get(index);
-        }
-        return null;
-    }
-
-    /**
-     * Returns the total number of login servers.
-     *
-     * @return The number of available login servers
-     */
-    @Override
-    public int numberOfLoginServers() {
-        final List<LoginServer> servers = getLoginServers();
-        return servers != null ? servers.size() : 0;
-    }
-
-    // endregion
-
-
 	/**
 	 * Class to encapsulate a login server name, URL, index and type (custom or not).
 	 */

libs/SalesforceSDK/src/com/salesforce/androidsdk/config/LoginServerManaging.kt

@@ -36,19 +36,9 @@ import com.salesforce.androidsdk.config.LoginServerManager.LoginServer
 internal interface LoginServerManaging {
 
     /**
-     * Returns the login server at the specified index.
-     *
-     * @param index The index of the login server to retrieve
-     * @return The login server instance at the specified index, or null if
-     * index is out of bounds
+     * Returns the list of login servers.
+     * @return The list of login servers
      */
-    fun loginServerAtIndex(index: Int): LoginServer?
-
-    /**
-     * Returns the total number of login servers.
-     *
-     * @return The number of available login servers
-     */
-    fun numberOfLoginServers(): Int
+    val loginServers: List<LoginServer>
 }
 

libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/FrontdoorBridgeLoginOverride.kt

@@ -90,9 +90,7 @@ internal class FrontdoorBridgeLoginOverride(
         private set
 
     init {
-        val frontdoorBridgeUrlComponents = frontdoorBridgeUrl.toString()
-        val frontdoorBridgeUri = frontdoorBridgeUrlComponents.toUri()
-        val startUrlParam = frontdoorBridgeUri.getQueryParameter("startURL")
+        val startUrlParam = frontdoorBridgeUrl.getQueryParameter("startURL")
 
         // Check if the client_id matches the app's consumer key
         startUrlParam?.let { startUrlString ->
@@ -106,20 +104,20 @@ internal class FrontdoorBridgeLoginOverride(
         }
 
         // Check if the front door URL host matches the app's selected login server
-        val addingAndSwitchingLoginServersAllowedResolved = if (!addingAndSwitchingLoginServersPerMdm) {
-            addingAndSwitchingLoginServerOverride
-        } else {
+        val addingAndSwitchingLoginServersAllowedResolved = if (addingAndSwitchingLoginServersPerMdm) {
             addingAndSwitchingLoginServersAllowed
+        } else {
+            addingAndSwitchingLoginServerOverride
         }
 
-        val frontdoorBridgeUrlAppLoginServerMatch = FrontdoorBridgeUrlAppLoginServerMatch(
+        val frontdoorBridgeUrlAppLoginServerMatch = appLoginServerForFrontdoorBridgeUrl(
             frontdoorBridgeUrl = frontdoorBridgeUrl,
             loginServerManaging = loginServerManager,
             addingAndSwitchingLoginServersAllowed = addingAndSwitchingLoginServersAllowedResolved,
             selectedAppLoginServer = selectedAppLoginServer
         )
 
-        var appLoginServer = frontdoorBridgeUrlAppLoginServerMatch.appLoginServerMatch
+        var appLoginServer = frontdoorBridgeUrlAppLoginServerMatch
         if (appLoginServer == null && addingAndSwitchingLoginServersAllowedResolved) {
             appLoginServer = frontdoorBridgeUrl.host
         }
@@ -136,13 +134,14 @@ internal class FrontdoorBridgeLoginOverride(
     private val addingAndSwitchingLoginServersAllowed: Boolean
         get() {
             val runtimeConfig = getRuntimeConfig(SalesforceSDKManager.getInstance().appContext)
-            val onlyShowAuthorizedServers = runtimeConfig.getBoolean(OnlyShowAuthorizedHosts)
+            // If true, prevents users from modifying the list of hosts that the Salesforce mobile app can connect to.
+            val onlyShowAuthorizedHosts = runtimeConfig.getBoolean(OnlyShowAuthorizedHosts)
             val mdmLoginServers = try {
                 runtimeConfig.getStringArrayStoredAsArrayOrCSV(AppServiceHosts)
             } catch (_: Exception) {
                 null
             }
-            return !onlyShowAuthorizedServers && (mdmLoginServers?.isEmpty() != false)
+            return !onlyShowAuthorizedHosts && (mdmLoginServers?.isEmpty() != false)
         }
 
     private val loginServerManager: LoginServerManaging

libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/FrontdoorBridgeUrlAppLoginServerMatch.kt

@@ -30,86 +30,77 @@ import android.net.Uri
 import com.salesforce.androidsdk.config.LoginServerManaging
 import java.net.URL
 
-internal data class FrontdoorBridgeUrlAppLoginServerMatch(
-    val frontdoorBridgeUrl: Uri,
-    val loginServerManaging: LoginServerManaging,
-    val addingAndSwitchingLoginServersAllowed: Boolean,
-    val selectedAppLoginServer: String
-) {
+internal fun appLoginServerForFrontdoorBridgeUrl(
+    frontdoorBridgeUrl: Uri,
+    loginServerManaging: LoginServerManaging,
+    addingAndSwitchingLoginServersAllowed: Boolean,
+    selectedAppLoginServer: String
+): String? {
+    val frontdoorBridgeUrlHost = frontdoorBridgeUrl.host ?: return null
 
-    internal val appLoginServerMatch: String? by lazy {
-        appLoginServerForFrontdoorBridgeUrl(
-            frontdoorBridgeUrl,
-            loginServerManaging,
-            addingAndSwitchingLoginServersAllowed,
-            selectedAppLoginServer
-        )
+    val eligibleAppLoginServers = eligibleAppLoginServersForFrontdoorBridgeUrl(
+        loginServerManaging,
+        addingAndSwitchingLoginServersAllowed,
+        selectedAppLoginServer
+    )
+
+    // TODO: "Would be more efficient to combine this so you aren't iterating through the list twice." ECJ20250911
+    for (eligibleAppLoginServer in eligibleAppLoginServers) {
+        if (frontdoorBridgeUrlHost == eligibleAppLoginServer) {
+            return eligibleAppLoginServer
+        }
     }
 
-    private fun appLoginServerForFrontdoorBridgeUrl(
-        frontdoorBridgeUrl: Uri,
-        loginServerManaging: LoginServerManaging,
-        addingAndSwitchingLoginServersAllowed: Boolean,
-        selectedAppLoginServer: String
-    ): String? {
-        val frontdoorBridgeUrlHost = frontdoorBridgeUrl.host ?: return null
+    // TODO: Complete review of both versions of login host soft-matching logic below. ECJ20250911
+    // Original Notes From Slack
+//    Let me recap what I have, soft matching is defined as:
+//    if QR is not a my domain, existing login server must match exactly
+//    if QR is a my domain, existing login server must either match exactly or match everything after the .my.
+//    (a) If adding and switching are disallowed, only let the QR through if its login server "soft-matches" the currently selected login server.
+//    (b) If adding is disallowed but switching is allowed, let the QR through if its login server "soft-matches" any of the login server and switch to it.
+//    (c) If adding is allowed and switching is allowed, try (b) first, but if no match are found add the QR login server and switch to it.
+
+    // Newer Notes From Github
+    // [Soft match]
+    // Look at part of the hostname in the QR code that comes after .my. and make sure it appears in the currently selected login server
+    //   also as long as the currently selected login server does not have .my, itself.
+    // When the currently login server has a .my. the whole hostname should match.
+    // So mydomain.my.salesforce.com would be allowed if login.salesforce.com is currently selected
+    //   but not if myotherdomain.my.salesforce.com is selected.
 
-        val eligibleAppLoginServers = eligibleAppLoginServersForFrontdoorBridgeUrl(
-            loginServerManaging,
-            addingAndSwitchingLoginServersAllowed,
-            selectedAppLoginServer
-        )
 
+    if (frontdoorBridgeUrl.isMyDomain()) {
+        val frontdoorBridgeUrlMyDomainSuffix = "my.${frontdoorBridgeUrlHost.split(".my.").last()}"
         for (eligibleAppLoginServer in eligibleAppLoginServers) {
-            if (frontdoorBridgeUrlHost == eligibleAppLoginServer) {
+            if (eligibleAppLoginServer.endsWith(frontdoorBridgeUrlMyDomainSuffix)) {
                 return eligibleAppLoginServer
             }
         }
-
-        if (frontdoorBridgeUrl.isMyDomain()) {
-            val frontdoorBridgeUrlMyDomainSuffix = "my.${frontdoorBridgeUrlHost.split(".my.").last()}"
-            if (frontdoorBridgeUrlMyDomainSuffix.isNotEmpty()) {
-                for (eligibleAppLoginServer in eligibleAppLoginServers) {
-                    if (eligibleAppLoginServer.endsWith(frontdoorBridgeUrlMyDomainSuffix)) {
-                        return eligibleAppLoginServer
-                    }
-                }
-            }
-        }
-
-        return null
     }
 
-    private fun eligibleAppLoginServersForFrontdoorBridgeUrl(
-        loginHostStore: LoginServerManaging,
-        addingAndSwitchingLoginHostsAllowed: Boolean,
-        selectedAppLoginHost: String
-    ): List<String> {
-        val results = mutableListOf<String>()
-        if (addingAndSwitchingLoginHostsAllowed) {
-            val numberOfHosts = loginHostStore.numberOfLoginServers()
-            for (i in 0 until numberOfHosts) {
-                val server = loginHostStore.loginServerAtIndex(i)
-                server?.let {
-                    try {
-                        val url = URL(it.url)
-                        results.add(url.host)
-                    } catch (_: Exception) {
-                        // Skip invalid URLs
-                    }
-                }
-            }
-        } else {
-            try {
-                val url = URL(selectedAppLoginHost)
+    return null
+}
+
+private fun eligibleAppLoginServersForFrontdoorBridgeUrl(
+    loginHostStore: LoginServerManaging,
+    addingAndSwitchingLoginHostsAllowed: Boolean,
+    selectedAppLoginHost: String
+): List<String> {
+    val results = mutableListOf<String>()
+    if (addingAndSwitchingLoginHostsAllowed) {
+        for (loginServer in loginHostStore.loginServers ?: return emptyList()) {
+            runCatching {
+                val url = URL(loginServer.url)
                 results.add(url.host)
-            } catch (_: Exception) {
-                // If parsing fails, try to use as-is (might already be just a host)
-                results.add(selectedAppLoginHost)
             }
         }
-        return results
+    } else {
+        runCatching {
+            val url = URL(selectedAppLoginHost)
+            results.add(url.host)
+        }
     }
+    return results
 }
 
 private fun Uri.isMyDomain(): Boolean {

libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginActivity.kt

@@ -109,9 +109,9 @@ import com.salesforce.androidsdk.R.color.sf__background
 import com.salesforce.androidsdk.R.color.sf__background_dark
 import com.salesforce.androidsdk.R.color.sf__primary_color
 import com.salesforce.androidsdk.R.drawable.sf__action_back
+import com.salesforce.androidsdk.R.string.sf__biometric_opt_in_title
 import com.salesforce.androidsdk.R.string.sf__cannot_use_another_apps_login_qr_code
 import com.salesforce.androidsdk.R.string.sf__cannot_use_another_login_hosts_login_qr_code
-import com.salesforce.androidsdk.R.string.sf__biometric_opt_in_title
 import com.salesforce.androidsdk.R.string.sf__generic_authentication_error_title
 import com.salesforce.androidsdk.R.string.sf__jwt_authentication_error
 import com.salesforce.androidsdk.R.string.sf__login_with_biometric
@@ -310,7 +310,8 @@ open class LoginActivity : FragmentActivity() {
                 with(SalesforceSDKManager.getInstance()) {
                     // Fetch well known config and load in custom tab if required.
                     fetchAuthenticationConfiguration {
-                        if (isBrowserLoginEnabled && viewModel.frontdoorBridgeLoginOverride == null /* Browser-based authentication is applicable when not authenticating with a front-door bridge URL */) {
+                        /* Browser-based authentication is applicable when not authenticating with a front-door bridge URL */
+                        if (isBrowserLoginEnabled && viewModel.frontdoorBridgeLoginOverride == null) {
                             if (useWebServerAuthentication) {
                                 viewModel.loginUrl.value?.let { url -> loadLoginPageInCustomTab(url, customTabLauncher) }
                             } else {
@@ -430,7 +431,7 @@ open class LoginActivity : FragmentActivity() {
      */
     @Suppress("MemberVisibilityCanBePrivate")
     fun loginWithFrontdoorBridgeUrl(
-        frontdoorBridgeUrl: Uri,
+        frontdoorBridgeUrl: String,
         pkceCodeVerifier: String?,
     ) = viewModel.loginWithFrontDoorBridgeUrl(frontdoorBridgeUrl, pkceCodeVerifier)
 
@@ -878,15 +879,15 @@ open class LoginActivity : FragmentActivity() {
             uiBridgeApiParametersFromQrCodeLoginUrl(intent.data?.toString())
         } else intent.getStringExtra(EXTRA_KEY_FRONTDOOR_BRIDGE_URL)?.let { frontdoorBridgeUrl ->
             UiBridgeApiParameters(
-                frontdoorBridgeUrl.toUri(),
+                frontdoorBridgeUrl,
                 intent.getStringExtra(EXTRA_KEY_PKCE_CODE_VERIFIER)
             )
         }
 
         // Apply the intent's front door bridge URL parameters to the view model.
         val frontdoorBridgeLoginOverride = uiBridgeApiParameters?.frontdoorBridgeUrl?.let { frontdoorBridgeUrl ->
             val result = FrontdoorBridgeLoginOverride(
-                frontdoorBridgeUrl = frontdoorBridgeUrl,
+                frontdoorBridgeUrl = frontdoorBridgeUrl.toUri(),
                 codeVerifier = uiBridgeApiParameters.pkceCodeVerifier
             )
             if (result.matchesConsumerKey && result.matchesLoginHost) {
@@ -1353,7 +1354,7 @@ open class LoginActivity : FragmentActivity() {
         data class UiBridgeApiParameters(
 
             /** The front door bridge URL */
-            val frontdoorBridgeUrl: Uri,
+            val frontdoorBridgeUrl: String,
 
             /** The PKCE code verifier */
             val pkceCodeVerifier: String?,
@@ -1408,7 +1409,7 @@ open class LoginActivity : FragmentActivity() {
             uiBridgeApiParameterJsonString: String,
         ) = JSONObject(uiBridgeApiParameterJsonString).let { uiBridgeApiParameterJson ->
             UiBridgeApiParameters(
-                uiBridgeApiParameterJson.getString(qrCodeLoginUrlJsonFrontdoorBridgeUrlKey).toUri(),
+                uiBridgeApiParameterJson.getString(qrCodeLoginUrlJsonFrontdoorBridgeUrlKey),
                 when (uiBridgeApiParameterJson.has(qrCodeLoginUrlJsonPkceCodeVerifierKey)) {
                     true -> uiBridgeApiParameterJson.optString(qrCodeLoginUrlJsonPkceCodeVerifierKey)
                     else -> null

libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginViewModel.kt

@@ -26,7 +26,6 @@
  */
 package com.salesforce.androidsdk.ui
 
-import android.net.Uri
 import android.webkit.CookieManager
 import android.webkit.URLUtil
 import android.webkit.WebView
@@ -39,6 +38,7 @@ import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.graphics.Color.Companion.Black
 import androidx.compose.ui.graphics.Color.Companion.White
 import androidx.compose.ui.graphics.luminance
+import androidx.core.net.toUri
 import androidx.lifecycle.MediatorLiveData
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.ViewModelProvider
@@ -224,6 +224,11 @@ open class LoginViewModel(val bootConfig: BootConfig) : ViewModel() {
     /** Reloads the WebView with a newly generated authorization URL. */
     open fun reloadWebView() {
         if (frontdoorBridgeLoginOverride == null) {
+            // The Web Server Flow code challenge makes the authorization url unique each time,
+            // which triggers recomposition.  For User Agent Flow, change it to blank.
+            if (!SalesforceSDKManager.getInstance().useWebServerAuthentication) {
+                loginUrl.value = ABOUT_BLANK
+            }
             loginUrl.value = getAuthorizationUrl(selectedServer.value ?: return)
         }
     }
@@ -243,18 +248,17 @@ open class LoginViewModel(val bootConfig: BootConfig) : ViewModel() {
      * @param pkceCodeVerifier The PKCE code verifier
      */
     fun loginWithFrontDoorBridgeUrl(
-        frontdoorBridgeUrl: Uri,
+        frontdoorBridgeUrl: String,
         pkceCodeVerifier: String?,
     ) {
-        val frontdoorBridgeLoginOverride = FrontdoorBridgeLoginOverride(
-            frontdoorBridgeUrl = frontdoorBridgeUrl,
+        FrontdoorBridgeLoginOverride(
+            frontdoorBridgeUrl = frontdoorBridgeUrl.toUri(),
             codeVerifier = pkceCodeVerifier
-        )
-
-        // Only assign if both consumer key and login host match
-        if (frontdoorBridgeLoginOverride.matchesConsumerKey && frontdoorBridgeLoginOverride.matchesLoginHost) {
-            this@LoginViewModel.frontdoorBridgeLoginOverride = frontdoorBridgeLoginOverride
-            loginUrl.value = frontdoorBridgeUrl.toString()
+        ).let {
+            if (it.matchesConsumerKey && it.matchesLoginHost) {
+                frontdoorBridgeLoginOverride = it
+                loginUrl.value = frontdoorBridgeUrl
+            }
         }
     }