WerkoutIOS/docs/step6_audit_round1.md

Step 6 Audit Round 1 (P0/P1)

Coverage

  • Reviewed high-risk auth/session/network/watch files:
    • iphone/Werkout_ios/UserStore.swift
    • iphone/Werkout_ios/Network/Network.swift
    • iphone/Werkout_ios/BridgeModule+Watch.swift
    • iphone/Werkout_watch Watch App/WatchMainViewModel.swift
    • iphone/Werkout_watch Watch App/WatchMainViewModel+WCSessionDelegate.swift
    • iphone/Werkout_ios/HealthKitHelper.swift
    • iphone/Werkout_ios/CurrentWorkoutInfo.swift
  • Ran:
    • ./scripts/smoke/smoke_all.sh
  • Added/ran regression tests in SharedCore for token lifecycle and watch payload validation.

Findings And Fixes

  1. P1 Watch command loss during activation

    • Evidence: iphone/Werkout_watch Watch App/WatchMainViewModel+WCSessionDelegate.swift:40
    • Problem: payloads were dropped when WCSession was not activated.
    • Fix: added bounded queue (maxQueuedPayloads), enqueue on inactive session, flush on activation.
  2. P1 Silent/unsafe watch payload decode failures

    • Evidence: iphone/Werkout_ios/BridgeModule+Watch.swift:73
    • Evidence: iphone/Werkout_watch Watch App/WatchMainViewModel.swift:74
    • Problem: try? decode silently ignored malformed payloads.
    • Fix: added shared WatchPayloadValidation with size checks and structured decode failures; both decode paths now reject and log bad payloads.
  3. P1 Auth token normalization gap for prefixed tokens

    • Evidence: SharedCore/Sources/SharedCore/TokenSecurity.swift:24
    • Problem: "Token ..." / "Bearer ..." values were not normalized.
    • Fix: normalize known auth prefixes and reject bare prefix-only strings.
  4. P1 Network reliability/threading risk

    • Evidence: iphone/Werkout_ios/Network/Network.swift:12
    • Problem: infinite request timeouts and completion handlers returning on background threads.
    • Fix: finite timeout (30s) and centralized main-thread completion delivery.
  5. P1 HealthKit helper shared mutable-state race

    • Evidence: iphone/Werkout_ios/HealthKitHelper.swift:20
    • Problem: mutable cross-request state (completion, counters, shared result object) could race and mis-route results.
    • Fix: per-request aggregation via DispatchGroup, single UUID query (limit: 1), thread-safe aggregation queue, structured runtime logging.
  6. P2 Workout order inconsistency across helpers

    • Evidence: iphone/Werkout_ios/CurrentWorkoutInfo.swift:24
    • Problem: some paths used unsorted workout.supersets while others used sorted supersets.
    • Fix: unified core navigation/lookup paths on sorted superset accessor and corrected bounds check.
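
Added example for finding 2 (not the project's WatchPayloadValidation code): a size check ahead of decoding and a typed rejection in place of `try?`, so a malformed payload produces a loggable reason instead of nil. The type names, the 16 KiB limit and the sample command shape are assumptions.

```swift
import Foundation

// Added example; all names are hypothetical, not the project's own API.
enum PayloadRejection: Error {
    case empty
    case tooLarge(bytes: Int, limit: Int)
    case malformed(reason: String)
}
// Constructed sample message type.
struct WatchCommand: Codable {
    let action: String
    let workoutID: Int
}
enum PayloadValidator {
    static let maxBytes = 16 * 1024  // assumed limit; the page does not state one

    // Size-check before decoding, and return a typed failure instead of nil.
    static func decode<T: Decodable>(_ type: T.Type, from data: Data) -> Result<T, PayloadRejection> {
        guard !data.isEmpty else { return .failure(.empty) }
        guard data.count <= maxBytes else {
            return .failure(.tooLarge(bytes: data.count, limit: maxBytes))
        }
        do {
            return .success(try JSONDecoder().decode(type, from: data))
        } catch let error as DecodingError {
            return .failure(.malformed(reason: describe(error)))
        } catch {
            return .failure(.malformed(reason: "not decodable"))
        }
    }
    // Report which field failed, never the payload bytes themselves.
    private static func describe(_ error: DecodingError) -> String {
        switch error {
        case .keyNotFound(let key, _): return "missing key \(key.stringValue)"
        case .typeMismatch(_, let ctx), .valueNotFound(_, let ctx), .dataCorrupted(let ctx):
            return "bad value at " + ctx.codingPath.map { $0.stringValue }.joined(separator: ".")
        @unknown default: return "unknown decoding error"
        }
    }
}
// Constructed inputs: valid, wrong field type, oversized.
let samples: [Data] = [
    Data(#"{"action":"next","workoutID":7}"#.utf8),
    Data(#"{"action":"next","workoutID":"7"}"#.utf8),
    Data(repeating: 0x20, count: PayloadValidator.maxBytes + 1),
]
for data in samples {
    switch PayloadValidator.decode(WatchCommand.self, from: data) {
    case .success(let cmd): print("accepted:", cmd.action, cmd.workoutID)
    case .failure(let why): print("rejected (\(data.count) bytes):", why)
    }
}
```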

Validation

  • Smoke suite passed after fixes:
    • token scan
    • SharedCore tests (including new regression tests)
    • iOS/watchOS/tvOS builds