fix(expo): always configure native SDK on launch and harden keychain access

chriscanin · chriscanin · commit 118eb563e494 · 2026-03-11T13:29:28.000-07:00
- Remove early return when no bearer token — the iOS SDK must be configured
  on launch so Clerk.shared is initialized before any getSession() calls.
  Without this, a fresh install (empty keychain) would crash with a
  fatalError when NativeSessionSync tried to check for a native session.
- Add clerkConfigured guard to getSession() and signOut() to prevent
  accessing Clerk.shared before configure() has been called.
- Pass keychain config (ClerkKeychainService from Info.plist or bundle ID)
  to Clerk.configure() so the native SDK uses the correct keychain service.
- Use configurable keychainService for all keychain operations instead of
  hardcoded Bundle.main.bundleIdentifier.
- Handle re-configure with refreshClient() when called with a new token
  after initial configuration.
- Always update (not skip) the native device token on re-sign-in, and clear
  stale cached client/environment data when the token changes.
diff --git a/packages/expo/ios/templates/ClerkViewFactory.swift b/packages/expo/ios/templates/ClerkViewFactory.swift
@@ -16,6 +16,16 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
 
   private static let clerkLoadMaxAttempts = 30
   private static let clerkLoadIntervalNs: UInt64 = 100_000_000
+  private static var clerkConfigured = false
+
+  /// Resolves the keychain service name, checking ClerkKeychainService in Info.plist first
+  /// (for extension apps sharing a keychain group), then falling back to the bundle identifier.
+  private static var keychainService: String? {
+    if let custom = Bundle.main.object(forInfoDictionaryKey: "ClerkKeychainService") as? String, !custom.isEmpty {
+      return custom
+    }
+    return Bundle.main.bundleIdentifier
+  }
 
   private init() {}
 
@@ -30,12 +40,38 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
     // This handles the case where the user signed in via JS SDK but the native SDK
     // has no device token (e.g., after app reinstall or first launch).
     if let token = bearerToken, !token.isEmpty {
-      Self.writeNativeDeviceTokenIfNeeded(token)
+      let existingToken = Self.readNativeDeviceToken()
+      Self.writeNativeDeviceToken(token)
+
+      // If the device token changed (or didn't exist), clear stale cached client/environment.
+      // A previous launch may have cached an anonymous client (no device token), and the
+      // SDK would send both the new device token AND the stale client ID in API requests,
+      // causing a 400 error. Clearing the cache forces a fresh client fetch using only
+      // the device token.
+      if existingToken != token {
+        Self.clearCachedClerkData()
+      }
     } else {
       Self.syncJSTokenToNativeKeychainIfNeeded()
     }
 
-    Clerk.configure(publishableKey: publishableKey)
+    // If already configured with a new bearer token, refresh the client
+    // to pick up the session associated with the device token we just wrote.
+    // Clerk.configure() is a no-op on subsequent calls, so we use refreshClient().
+    if Self.clerkConfigured, let token = bearerToken, !token.isEmpty {
+      _ = try? await Clerk.shared.refreshClient()
+      return
+    }
+
+    Self.clerkConfigured = true
+    if let service = Self.keychainService {
+      Clerk.configure(
+        publishableKey: publishableKey,
+        options: .init(keychainConfig: .init(service: service))
+      )
+    } else {
+      Clerk.configure(publishableKey: publishableKey)
+    }
 
     // Wait for Clerk to finish loading (cached data + API refresh).
     // The static configure() fires off async refreshes; poll until loaded.
@@ -52,7 +88,7 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
   /// Both expo-secure-store and the native Clerk SDK use the iOS Keychain with the
   /// bundle identifier as the service name, making cross-SDK token sharing possible.
   private static func syncJSTokenToNativeKeychainIfNeeded() {
-    guard let service = Bundle.main.bundleIdentifier, !service.isEmpty else { return }
+    guard let service = keychainService, !service.isEmpty else { return }
 
     let jsTokenKey = "__clerk_client_jwt"
     let nativeTokenKey = "clerkDeviceToken"
@@ -97,35 +133,78 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
     SecItemAdd(writeQuery as CFDictionary, nil)
   }
 
-  /// Writes the provided bearer token as the native SDK's device token,
-  /// but only if the native SDK doesn't already have one.
-  private static func writeNativeDeviceTokenIfNeeded(_ token: String) {
-    guard let service = Bundle.main.bundleIdentifier, !service.isEmpty else { return }
+  /// Reads the native device token from keychain, if present.
+  private static func readNativeDeviceToken() -> String? {
+    guard let service = keychainService, !service.isEmpty else { return nil }
 
-    let nativeTokenKey = "clerkDeviceToken"
-
-    // Check if native SDK already has a device token — don't overwrite
-    let checkQuery: [String: Any] = [
+    var result: CFTypeRef?
+    let query: [String: Any] = [
       kSecClass as String: kSecClassGenericPassword,
       kSecAttrService as String: service,
-      kSecAttrAccount as String: nativeTokenKey,
-      kSecReturnData as String: false,
+      kSecAttrAccount as String: "clerkDeviceToken",
+      kSecReturnData as String: true,
       kSecMatchLimit as String: kSecMatchLimitOne,
     ]
-    if SecItemCopyMatching(checkQuery as CFDictionary, nil) == errSecSuccess {
-      return
+    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
+          let data = result as? Data else { return nil }
+    return String(data: data, encoding: .utf8)
+  }
+
+  /// Clears stale cached client and environment data from keychain.
+  /// This prevents the native SDK from loading a stale anonymous client
+  /// during initialization, which would conflict with a newly-synced device token.
+  private static func clearCachedClerkData() {
+    guard let service = keychainService, !service.isEmpty else { return }
+
+    for key in ["cachedClient", "cachedEnvironment"] {
+      let query: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: service,
+        kSecAttrAccount as String: key,
+      ]
+      SecItemDelete(query as CFDictionary)
     }
+  }
 
-    // Write the provided token as native device token
+  /// Writes the provided bearer token as the native SDK's device token.
+  /// If the native SDK already has a device token, it is updated with the new value.
+  private static func writeNativeDeviceToken(_ token: String) {
+    guard let service = keychainService, !service.isEmpty else { return }
+
+    let nativeTokenKey = "clerkDeviceToken"
     guard let tokenData = token.data(using: .utf8) else { return }
-    let writeQuery: [String: Any] = [
+
+    // Check if native SDK already has a device token
+    let checkQuery: [String: Any] = [
       kSecClass as String: kSecClassGenericPassword,
       kSecAttrService as String: service,
       kSecAttrAccount as String: nativeTokenKey,
-      kSecValueData as String: tokenData,
-      kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
+      kSecReturnData as String: false,
+      kSecMatchLimit as String: kSecMatchLimitOne,
     ]
-    SecItemAdd(writeQuery as CFDictionary, nil)
+
+    if SecItemCopyMatching(checkQuery as CFDictionary, nil) == errSecSuccess {
+      // Update the existing token
+      let updateQuery: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: service,
+        kSecAttrAccount as String: nativeTokenKey,
+      ]
+      let updateAttributes: [String: Any] = [
+        kSecValueData as String: tokenData,
+      ]
+      SecItemUpdate(updateQuery as CFDictionary, updateAttributes as CFDictionary)
+    } else {
+      // Write a new token
+      let writeQuery: [String: Any] = [
+        kSecClass as String: kSecClassGenericPassword,
+        kSecAttrService as String: service,
+        kSecAttrAccount as String: nativeTokenKey,
+        kSecValueData as String: tokenData,
+        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
+      ]
+      SecItemAdd(writeQuery as CFDictionary, nil)
+    }
   }
 
   public func createAuthViewController(
@@ -206,7 +285,7 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
 
   @MainActor
   public func getSession() async -> [String: Any]? {
-    guard let session = Clerk.shared.session else {
+    guard Self.clerkConfigured, let session = Clerk.shared.session else {
       return nil
     }
 
@@ -242,7 +321,7 @@ public class ClerkViewFactory: ClerkViewFactoryProtocol {
 
   @MainActor
   public func signOut() async throws {
-    guard let sessionId = Clerk.shared.session?.id else { return }
+    guard Self.clerkConfigured, let sessionId = Clerk.shared.session?.id else { return }
     try await Clerk.shared.auth.signOut(sessionId: sessionId)
   }
 }
diff --git a/packages/expo/src/provider/ClerkProvider.tsx b/packages/expo/src/provider/ClerkProvider.tsx
@@ -183,13 +183,9 @@ export function ClerkProvider<TUi extends Ui = Ui>(props: ClerkProviderProps<TUi
               }
             }
 
-            // Only configure native SDK if we have a bearer token.
-            // Configuring without a token creates an anonymous native client,
-            // which conflicts when we later try to inject the JS SDK's token.
-            if (!bearerToken) {
-              return;
-            }
-
+            // Always configure the native SDK on launch, even without a token.
+            // The iOS SDK requires Clerk.configure() before Clerk.shared can be accessed.
+            // If we have a bearer token, pass it so the native SDK picks up the JS session.
             await ClerkExpo.configure(pk, bearerToken);
 
             if (!isMountedRef.current) {
