Merge pull request #21 from michaelbabiy/as/principals/ab#1444015-pkce-support-and-token-refresh-error

MB: Add PKCE Support and Distinguish Bad Requests in Token Refresh Error Handling (AB#1444015)

Author: krishnavarma1

Framework/AtomNetworking/Atom/Extensions/Foundation/URLSession+Extensions.swift

@@ -42,7 +42,7 @@ extension URLSession {
                 // - Authorization Failure: Posts `Atom.didFailToAuthorizeRequest` notification.
                 //
                 // Both notifications include the error in `userInfo`.
-                if error.isAccessTokenRefreshFailure {
+                if requestable.isAuthenticationEndpoint, error.isBadRequest {
                     // Notify observers that a token refresh has failed.
                     NotificationCenter.default.post(name: Atom.didFailToRefreshAccessToken, object: nil, userInfo: ["error": error])
                 } else if error.isAuthorizationFailure {

Framework/AtomNetworking/Atom/Extensions/Framework/AtomError+Extensions.swift

@@ -28,19 +28,12 @@ extension AtomError {
         return response.statusCode == 401
     }
 
-    /// Returns `Bool` indicating whether the error is due to a failed attempt to refresh an access token.
+    /// Returns `Bool` indicating whether the error is a general "Bad Request" (HTTP 400) from a normal API response.
     ///
-    /// A client might encouter this error if the authorization server determines that the
-    /// refresh token used in a request is invalid or expired.
-    ///
-    /// Unlike `AtomError` case - `.response` - token refresh error is nested inside of the `.session` error
-    /// case to make differentiation between a standard `Bad Request` and `Bad Request` due to an invalid /
-    /// or expired access token easier.
-    public var isAccessTokenRefreshFailure: Bool {
-        guard
-            case let .session(error) = self,
-            case let .response(response) = error as? AtomError
-        else {
+    /// This detects cases where an API endpoint returned a 400 status code, typically due to invalid parameters,
+    /// malformed requests, or other client errors.
+    public var isBadRequest: Bool {
+        guard case let .response(response) = self else {
             return false
         }
 

Framework/AtomNetworking/Atom/Extensions/Framework/AuthenticationEndpoint+Extensions.swift

@@ -58,9 +58,13 @@ extension AuthenticationEndpoint: Requestable {
     var method: HTTPMethod {
         let grantType = Identifier.grantType.appending(credential.grantType.rawValue)
         let clientID = Identifier.clientID.appending(credential.id)
-        let clientSecret = Identifier.clientSecret.appending(credential.secret)
         let refreshToken = Identifier.refreshToken.appending(writable.tokenCredential.refreshToken)
-        let bodyString = grantType + "&" + clientID + "&" + clientSecret + "&" + refreshToken
+        var bodyString = grantType + "&" + clientID + "&" + refreshToken
+
+        if let secret = credential.secret {
+            bodyString.append("&")
+            bodyString.append(Identifier.clientSecret.appending(secret))
+        }
 
         return .post(Data(bodyString.utf8))
     }

Framework/AtomNetworking/Atom/Extensions/Framework/Requestable+Extensions.swift

@@ -17,6 +17,14 @@
 import Foundation
 
 extension Requestable {
+    /// Returns a `Bool` indicating whether the current requestable is targeted at an authentication endpoint.
+    ///
+    /// This property is `true` when the conforming type is `AuthenticationEndpoint`. It allows Atom to quickly identify
+    /// whether the request involves authentication-related operations, such as token refresh.
+    var isAuthenticationEndpoint: Bool {
+        self is AuthenticationEndpoint
+    }
+
     /// Applies authorization header to the `Requestable` instance.
     ///
     /// - Parameters:

Framework/AtomNetworking/Atom/Models/ClientCredential.swift

@@ -29,7 +29,7 @@ public struct ClientCredential: Sendable, Equatable {
     public let id: String
 
     /// The client secret. The client MAY omit the parameter if the client secret is an empty string. See RFC 6749.
-    public let secret: String
+    public let secret: String?
 
     // MARK: - Lifecycle
 
@@ -39,7 +39,7 @@ public struct ClientCredential: Sendable, Equatable {
     ///   - grantType: The authorization grant type as described in Sections 4.1.3, 4.3.2, 4.4.2, RFC 6749.
     ///   - id:        The client identifier issued to the client during the registration process described by Section 2.2, RFC 6749.
     ///   - secret:    The client secret. The client MAY omit the parameter if the client secret is an empty string. See RFC 6749.
-    public init(grantType: GrantType = .refreshToken, id: String, secret: String) {
+    public init(grantType: GrantType = .refreshToken, id: String, secret: String? = nil) {
         self.id = id
         self.grantType = grantType
         self.secret = secret