Invalidate iOS device push token on user logout

How do I reliably invalidate (remove from the user's profile on my server) a device's push token for a user of my service when they log out of my app?

I keep an array of strings containing APNs tokens on my user profiles, adding one whenever the user enables push notifications on a given device.

Later I realized the push token is unique to the device, but obviously knows nothing of my internal user accounts, so if one user logs out and another logs in (same device) they each have the same token. Then the current user of the device gets push notifications directed for either of them.

The basic solution is to remove a device's token from the user profile on logout, but I'm coming up with a bunch of gotchas as I think that through:

  1. Logout should not require network access – I can try to notify my server, but need logout to succeed asynchronously even if the user does not have network access (?)
  2. The actual device-token might be unknown – if the user has temporarily shut off push permission then the current token is not given. And storing device<->key info seems tenuous at best since identifierForVendor changes per install and UDID methods are deprecated.
  3. Do server side uniquing (on adding a token to an account, make sure the same token is not set for any other accounts) – this depends on a second user logging in, which is not guaranteed.

Are there more edge cases I'm missing and what strategies can I use to work around them?

owenfi asked Nov 01 '13 23:11


1 Answer

Your gotchas do present some of the difficult situations you may face. I would recommend you shift or make sure that the push-sending logic is entirely on the server-side: link a push token to a user identifier of your choice (meaning one push token could be linked to several users indeed). This identifier that you control is to be the account identifier that is targeted when you need to send a push. This way, you can control which user is supposed to receive a notification and retrieve his push token based on this identifier (vs any device identifier provided by Apple which assumes that 1 device = 1 user).

In the event that your user logs out offline, you will not know about it. You might send that user a notification. If the user chooses to act on it, your app will open and you can, at that point, unsubscribe the user identifier from your server (since he's obviously online at this point).

Nick answered Oct 22 '22 19:10
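A server-side sketch combining the question's uniquing idea (gotcha 3) with the answer's unsubscribe-when-the-notification-is-opened step; this is an added example, not code from either poster. The class, its method names and the in-memory storage are hypothetical, and it binds a token to one account at a time so a push addressed to one user is not delivered to whoever else is signed in on the same device.

```python
from collections import defaultdict


class PushTokenRegistry:
    """In-memory stand-in for the server's user <-> APNs token table (hypothetical)."""

    def __init__(self):
        self._owner = {}                  # token -> user id currently bound to it
        self._tokens = defaultdict(set)   # user id -> tokens pushes may be sent to

    def register(self, user_id, token):
        """Bind token to user_id at login; evict any previous owner (uniquing).

        Returns the evicted user id, or None if nobody else held the token.
        """
        previous = self._owner.get(token)
        if previous is not None and previous != user_id:
            self._tokens[previous].discard(token)
        self._owner[token] = user_id
        self._tokens[user_id].add(token)
        return previous if previous != user_id else None

    def logout(self, user_id, token):
        """Drop the binding only if user_id still owns it.

        A logout request that was queued offline and arrives after another
        user has registered the same token must not unbind that user.
        """
        if self._owner.get(token) != user_id:
            return False
        del self._owner[token]
        self._tokens[user_id].discard(token)
        return True

    def tokens_for(self, user_id):
        """Tokens a push addressed to user_id may be sent to."""
        return sorted(self._tokens[user_id])

    def notification_opened(self, target_user, token, signed_in_user):
        """The app reports who is signed in when a push is acted on.

        If target_user is no longer signed in on that device (an offline
        logout the server never saw), remove the stale binding.
        """
        if signed_in_user == target_user:
            return False
        return self.logout(target_user, token)
```

Between an offline logout and the next contact from the app, a push can still reach the device, so payloads sent through this path should not carry account-specific content in the visible alert.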