KTOR-6569 Add option for Bearer auth to not cache client token

Author: e5l

ktor-client/ktor-client-plugins/ktor-client-auth/common/src/io/ktor/client/plugins/auth/providers/BearerAuthProvider.kt

@@ -11,6 +11,9 @@ import io.ktor.client.statement.*
 import io.ktor.http.*
 import io.ktor.http.auth.*
 import io.ktor.utils.io.*
+import kotlinx.coroutines.Job
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
 
 /**
  * Installs the client's [BearerAuthProvider].
@@ -19,7 +22,7 @@ import io.ktor.utils.io.*
  */
 public fun AuthConfig.bearer(block: BearerAuthConfig.() -> Unit) {
     with(BearerAuthConfig().apply(block)) {
-        this@bearer.providers.add(BearerAuthProvider(refreshTokens, loadTokens, sendWithoutRequest, realm))
+        this@bearer.providers.add(BearerAuthProvider(refreshTokens, loadTokens, sendWithoutRequest, realm, cacheTokens))
     }
 }
 
@@ -61,6 +64,13 @@ public class BearerAuthConfig {
     internal var sendWithoutRequest: (HttpRequestBuilder) -> Boolean = { true }
 
     public var realm: String? = null
+    
+    /**
+     * Controls whether to cache tokens between requests.
+     * When set to false, the provider will call [loadTokens] for each request.
+     * Default value is true.
+     */
+    public var cacheTokens: Boolean = true
 
     /**
      * Configures a callback that refreshes a token when the 401 status code is received.
@@ -97,23 +107,34 @@ public class BearerAuthConfig {
  * As an example, these tokens can be used as a part of OAuth flow to authorize users of your application
  * by using external providers, such as Google, Facebook, Twitter, and so on.
  *
+ * You can control whether tokens are cached between requests with the [cacheTokens] parameter:
+ * - When `true` (default), tokens are cached after the first request and reused.
+ * - When `false`, [loadTokens] is called for each request, and the token is never cached.
+ *
  * You can learn more from [Bearer authentication](https://ktor.io/docs/bearer-client.html).
  *
  * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider)
  */
 public class BearerAuthProvider(
     private val refreshTokens: suspend RefreshTokensParams.() -> BearerTokens?,
-    loadTokens: suspend () -> BearerTokens?,
+    private val loadTokensCallback: suspend () -> BearerTokens?,
     private val sendWithoutRequestCallback: (HttpRequestBuilder) -> Boolean = { true },
-    private val realm: String?
+    private val realm: String?,
+    private val cacheTokens: Boolean = true
 ) : AuthProvider {
 
     @Suppress("OverridingDeprecatedMember")
     @Deprecated("Please use sendWithoutRequest function instead", level = DeprecationLevel.ERROR)
     override val sendWithoutRequest: Boolean
         get() = error("Deprecated")
 
-    private val tokensHolder = AuthTokenHolder(loadTokens)
+    // Only create the tokens holder if caching is enabled
+    private val tokensHolder = if (cacheTokens) AuthTokenHolder(loadTokensCallback) else null
+    
+    // When caching is disabled, we still need to store the current refreshed token
+    // so it can be used in the retry mechanism during the current request cycle
+    private val currentRefreshTokenMutex = Mutex()
+    private var currentRefreshedToken: BearerTokens? = null
 
     override fun sendWithoutRequest(request: HttpRequestBuilder): Boolean = sendWithoutRequestCallback(request)
 
@@ -144,24 +165,65 @@ public class BearerAuthProvider(
      * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider.addRequestHeaders)
      */
     override suspend fun addRequestHeaders(request: HttpRequestBuilder, authHeader: HttpAuthHeader?) {
-        val token = tokensHolder.loadToken() ?: return
+        // If the request has the circuit breaker attribute, don't add any auth headers
+        if (request.attributes.contains(AuthCircuitBreaker)) {
+            LOGGER.trace("Circuit breaker active - no auth header will be added")
+            return
+        }
+        
+        // Get the appropriate token based on caching settings
+        val token = currentRefreshTokenMutex.withLock {
+            if (currentRefreshedToken != null) {
+                // If we have a refreshed token for the current retry cycle, use that
+                LOGGER.trace("Using refreshed token for request: ${currentRefreshedToken!!.accessToken}")
+                return@withLock currentRefreshedToken
+            } else if (cacheTokens) {
+                // If caching is enabled, use tokensHolder to cache between requests
+                return@withLock tokensHolder!!.loadToken()
+            } else {
+                // If caching is disabled, load a fresh token
+                val freshToken = loadTokensCallback()
+                LOGGER.trace("Using fresh token for request: ${freshToken?.accessToken}")
+                return@withLock freshToken
+            }
+        } ?: return
 
         request.headers {
             val tokenValue = "Bearer ${token.accessToken}"
             if (contains(HttpHeaders.Authorization)) {
                 remove(HttpHeaders.Authorization)
             }
-            if (request.attributes.contains(AuthCircuitBreaker).not()) {
-                append(HttpHeaders.Authorization, tokenValue)
-            }
+            append(HttpHeaders.Authorization, tokenValue)
         }
     }
 
     public override suspend fun refreshToken(response: HttpResponse): Boolean {
-        val newToken = tokensHolder.setToken {
-            refreshTokens(RefreshTokensParams(response.call.client, response, tokensHolder.loadToken()))
+        return if (cacheTokens) {
+            // With caching enabled, use the token holder for persistent caching
+            val newToken = tokensHolder!!.setToken {
+                refreshTokens(RefreshTokensParams(response.call.client, response, tokensHolder.loadToken()))
+            }
+            newToken != null
+        } else {
+            // Thread-safe access to currentRefreshedToken
+            currentRefreshTokenMutex.withLock {
+                // Get the current token (used as oldTokens in RefreshTokensParams)
+                val currentToken = loadTokensCallback()
+                
+                // Get the new token from the refresh function
+                val newToken = refreshTokens(RefreshTokensParams(response.call.client, response, currentToken))
+                
+                // Store the refreshed token for use in the retry process
+                if (newToken != null) {
+                    LOGGER.trace("Setting refreshed token: ${newToken.accessToken}")
+                    currentRefreshedToken = newToken
+                    true
+                } else {
+                    LOGGER.trace("No refreshed token returned")
+                    false
+                }
+            }
         }
-        return newToken != null
     }
 
     /**
@@ -171,13 +233,22 @@ public class BearerAuthProvider(
      * - When access or refresh tokens have been updated externally
      * - When you want to clear sensitive token data (for example, during logout)
      *
-     * Note: The result of `loadTokens` invocation is cached internally.
+     * Note: The result of `loadTokens` invocation is cached internally when [cacheTokens] is true.
      * Calling this method will force the next authentication attempt to fetch fresh tokens
      * through the configured `loadTokens` function.
      *
+     * If [cacheTokens] is false, this method will clear any temporarily stored refresh token.
+     *
      * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider.clearToken)
      */
-    public fun clearToken() {
-        tokensHolder.clearToken()
+    public suspend fun clearToken() {
+        if (cacheTokens) {
+            tokensHolder!!.clearToken()
+        } else {
+            // Thread-safe access to clear any temporarily stored refreshed token
+            currentRefreshTokenMutex.withLock {
+                currentRefreshedToken = null
+            }
+        }
     }
 }

ktor-client/ktor-client-plugins/ktor-client-auth/common/test/io/ktor/client/plugins/auth/AuthTest.kt

@@ -696,6 +696,198 @@ class AuthTest : ClientLoader() {
             assertEquals(2, loadCount)
         }
     }
+    
+    @Test
+    fun testDisableTokenCaching() = testWithEngine(MockEngine) {
+        var loadCount = 0
+        config {
+            install(Auth) {
+                bearer {
+                    loadTokens {
+                        loadCount++
+                        BearerTokens("valid-token", "refresh-token")
+                    }
+                    // Disable token caching
+                    cacheTokens = false
+                }
+            }
+            
+            engine {
+                addHandler { request ->
+                    val token = request.headers[HttpHeaders.Authorization]?.removePrefix("Bearer ")
+                    if (token == "valid-token") {
+                        respond("OK", HttpStatusCode.OK)
+                    } else {
+                        respond("Unauthorized", HttpStatusCode.Unauthorized)
+                    }
+                }
+            }
+        }
+        
+        test { client ->
+            loadCount = 0
+            
+            // First request should call loadTokens
+            val response1 = client.get("/")
+            assertEquals(HttpStatusCode.OK, response1.status)
+            assertEquals(1, loadCount)
+            
+            // Second request should call loadTokens again since caching is disabled
+            val response2 = client.get("/")
+            assertEquals(HttpStatusCode.OK, response2.status)
+            assertEquals(2, loadCount)
+            
+            // Third request should call loadTokens once more
+            val response3 = client.get("/")
+            assertEquals(HttpStatusCode.OK, response3.status)
+            assertEquals(3, loadCount)
+        }
+    }
+    
+    @Test
+    fun testRefreshWithCachingDisabled() = testWithEngine(MockEngine) {
+        var loadCount = 0
+        var refreshCount = 0
+        
+        // Storage of the current token to mimic Firebase token cache
+        var tokenCache = "initial-token"
+        
+        config {
+            install(Auth) {
+                bearer {
+                    loadTokens {
+                        loadCount++
+                        // Return token from cache
+                        println("loadTokens called (#$loadCount) - returning $tokenCache")
+                        BearerTokens(tokenCache, "refresh")
+                    }
+                    refreshTokens {
+                        refreshCount++
+                        // Update token in cache
+                        val newToken = "refreshed-token-$refreshCount"
+                        tokenCache = newToken
+                        println("refreshTokens called (#$refreshCount) - updating cache to $newToken")
+                        BearerTokens(newToken, "refresh")
+                    }
+                    // Disable token caching
+                    cacheTokens = false
+                }
+            }
+            
+            engine {
+                addHandler { request ->
+                    val token = request.headers[HttpHeaders.Authorization]?.removePrefix("Bearer ")
+                    println("Received request with token: ${token ?: "none"}")
+                    
+                    if (token == "initial-token") {
+                        // Initial token is rejected
+                        println("Returning 401 for initial-token")
+                        respond("Unauthorized", HttpStatusCode.Unauthorized, 
+                            headers = headersOf(HttpHeaders.WWWAuthenticate, "Bearer"))
+                    } else if (token?.startsWith("refreshed-token") == true) {
+                        // Refreshed tokens are accepted
+                        println("Returning 200 for refreshed token: $token")
+                        respond("OK", HttpStatusCode.OK)
+                    } else {
+                        println("Returning 401 for unexpected token: $token")
+                        respond("No token", HttpStatusCode.Unauthorized, 
+                            headers = headersOf(HttpHeaders.WWWAuthenticate, "Bearer"))
+                    }
+                }
+            }
+        }
+        
+        test { client ->
+            loadCount = 0
+            refreshCount = 0
+            
+            // Token is loaded from cache first, then refreshed during the 401 scenario
+            val response1 = client.get("/first")
+            
+            // Wait a moment to ensure processing completes
+            delay(100)
+            
+            // The retry should use the refreshed token from our cache
+            assertEquals(HttpStatusCode.OK, response1.status)
+            
+            // Verify refresh was called once
+            assertEquals(1, refreshCount, "Expected refresh to be called once")
+            
+            // Second request should use the fresh token from our external cache
+            val response2 = client.get("/second")
+            assertEquals(HttpStatusCode.OK, response2.status)
+            
+            // Loadtokens should be called at least twice - once for each request
+            assertTrue(loadCount >= 2, "Expected loadTokens to be called at least twice")
+            
+            // No additional refresh needed for second request since our cache has the valid token
+            assertEquals(1, refreshCount, "No additional refresh needed for second request")
+        }
+    }
+    
+    @Test
+    fun testRefreshWithCachingEnabled() = testWithEngine(MockEngine) {
+        var loadCount = 0
+        var refreshCount = 0
+        
+        config {
+            install(Auth) {
+                bearer {
+                    loadTokens {
+                        loadCount++
+                        // Always return the same token from loadTokens
+                        BearerTokens("initial-token", "refresh")
+                    }
+                    refreshTokens {
+                        refreshCount++
+                        // Return a different token from refreshTokens
+                        BearerTokens("refreshed-token-$refreshCount", "refresh")
+                    }
+                    // Enable token caching (default)
+                    cacheTokens = true
+                }
+            }
+            
+            engine {
+                addHandler { request ->
+                    val token = request.headers[HttpHeaders.Authorization]?.removePrefix("Bearer ")
+                    if (token == "initial-token") {
+                        // Initial token is rejected
+                        respond("Unauthorized", HttpStatusCode.Unauthorized, 
+                            headers = headersOf(HttpHeaders.WWWAuthenticate, "Bearer"))
+                    } else if (token?.startsWith("refreshed-token") == true) {
+                        // Refreshed tokens are accepted
+                        respond("OK", HttpStatusCode.OK)
+                    } else {
+                        respond("No token", HttpStatusCode.Unauthorized)
+                    }
+                }
+            }
+        }
+        
+        test { client ->
+            loadCount = 0
+            refreshCount = 0
+            
+            // First request:
+            // 1. loadTokens called -> returns "initial-token"
+            // 2. Request with "initial-token" gets 401
+            // 3. refreshTokens called -> returns "refreshed-token-1"
+            // 4. Request with "refreshed-token-1" succeeds
+            val response1 = client.get("/")
+            assertEquals(HttpStatusCode.OK, response1.status)
+            assertEquals(1, loadCount)
+            assertEquals(1, refreshCount)
+            
+            // Second request:
+            // Since caching is enabled, it uses the cached "refreshed-token-1" directly
+            // No 401 response, no refresh needed
+            val response2 = client.get("/")
+            assertEquals(HttpStatusCode.OK, response2.status)
+            assertEquals(1, loadCount)  // Not called again because caching is enabled
+            assertEquals(1, refreshCount)  // No refresh needed
+        }
+    }
 
     @Test
     fun testMultipleChallengesInHeader() = clientTests {