KTOR-6569 Add option for Bearer auth to not cache client token

Author: e5l

ktor-client/ktor-client-plugins/ktor-client-auth/api/ktor-client-auth.api

@@ -68,18 +68,20 @@ public final class io/ktor/client/plugins/auth/providers/BasicAuthProviderKt {
 
 public final class io/ktor/client/plugins/auth/providers/BearerAuthConfig {
 	public fun <init> ()V
+	public final fun getCacheTokens ()Z
 	public final fun getRealm ()Ljava/lang/String;
 	public final fun loadTokens (Lkotlin/jvm/functions/Function1;)V
 	public final fun refreshTokens (Lkotlin/jvm/functions/Function2;)V
 	public final fun sendWithoutRequest (Lkotlin/jvm/functions/Function1;)V
+	public final fun setCacheTokens (Z)V
 	public final fun setRealm (Ljava/lang/String;)V
 }
 
 public final class io/ktor/client/plugins/auth/providers/BearerAuthProvider : io/ktor/client/plugins/auth/AuthProvider {
-	public fun <init> (Lkotlin/jvm/functions/Function2;Lkotlin/jvm/functions/Function1;Lkotlin/jvm/functions/Function1;Ljava/lang/String;)V
-	public synthetic fun <init> (Lkotlin/jvm/functions/Function2;Lkotlin/jvm/functions/Function1;Lkotlin/jvm/functions/Function1;Ljava/lang/String;ILkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public fun <init> (Lkotlin/jvm/functions/Function2;Lkotlin/jvm/functions/Function1;Lkotlin/jvm/functions/Function1;Ljava/lang/String;Z)V
+	public synthetic fun <init> (Lkotlin/jvm/functions/Function2;Lkotlin/jvm/functions/Function1;Lkotlin/jvm/functions/Function1;Ljava/lang/String;ZILkotlin/jvm/internal/DefaultConstructorMarker;)V
 	public fun addRequestHeaders (Lio/ktor/client/request/HttpRequestBuilder;Lio/ktor/http/auth/HttpAuthHeader;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
-	public final fun clearToken ()V
+	public final fun clearToken (Lkotlin/coroutines/Continuation;)Ljava/lang/Object;
 	public fun getSendWithoutRequest ()Z
 	public fun isApplicable (Lio/ktor/http/auth/HttpAuthHeader;)Z
 	public fun refreshToken (Lio/ktor/client/statement/HttpResponse;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;

ktor-client/ktor-client-plugins/ktor-client-auth/common/src/io/ktor/client/plugins/auth/providers/BearerAuthProvider.kt

@@ -11,6 +11,8 @@ import io.ktor.client.statement.*
 import io.ktor.http.*
 import io.ktor.http.auth.*
 import io.ktor.utils.io.*
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
 
 /**
  * Installs the client's [BearerAuthProvider].
@@ -19,7 +21,7 @@ import io.ktor.utils.io.*
  */
 public fun AuthConfig.bearer(block: BearerAuthConfig.() -> Unit) {
     with(BearerAuthConfig().apply(block)) {
-        this@bearer.providers.add(BearerAuthProvider(refreshTokens, loadTokens, sendWithoutRequest, realm))
+        this@bearer.providers.add(BearerAuthProvider(refreshTokens, loadTokens, sendWithoutRequest, realm, cacheTokens))
     }
 }
 
@@ -62,6 +64,13 @@ public class BearerAuthConfig {
 
     public var realm: String? = null
 
+    /**
+     * Controls whether to cache tokens between requests.
+     * When set to false, the provider will call [loadTokens] for each request.
+     * Default value is true.
+     */
+    public var cacheTokens: Boolean = true
+
     /**
      * Configures a callback that refreshes a token when the 401 status code is received.
      *
@@ -97,23 +106,34 @@ public class BearerAuthConfig {
  * As an example, these tokens can be used as a part of OAuth flow to authorize users of your application
  * by using external providers, such as Google, Facebook, Twitter, and so on.
  *
+ * You can control whether tokens are cached between requests with the [cacheTokens] parameter:
+ * - When `true` (default), tokens are cached after the first request and reused.
+ * - When `false`, [loadTokens] is called for each request, and the token is never cached.
+ *
  * You can learn more from [Bearer authentication](https://ktor.io/docs/bearer-client.html).
  *
  * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider)
  */
 public class BearerAuthProvider(
     private val refreshTokens: suspend RefreshTokensParams.() -> BearerTokens?,
-    loadTokens: suspend () -> BearerTokens?,
+    private val loadTokensCallback: suspend () -> BearerTokens?,
     private val sendWithoutRequestCallback: (HttpRequestBuilder) -> Boolean = { true },
-    private val realm: String?
+    private val realm: String?,
+    private val cacheTokens: Boolean = true
 ) : AuthProvider {
 
     @Suppress("OverridingDeprecatedMember")
     @Deprecated("Please use sendWithoutRequest function instead", level = DeprecationLevel.ERROR)
     override val sendWithoutRequest: Boolean
         get() = error("Deprecated")
 
-    private val tokensHolder = AuthTokenHolder(loadTokens)
+    // Only create the tokens holder if caching is enabled
+    private val tokensHolder = if (cacheTokens) AuthTokenHolder(loadTokensCallback) else null
+
+    // When caching is disabled, we still need to store the current refreshed token
+    // so it can be used in the retry mechanism during the current request cycle
+    private val currentRefreshTokenMutex = Mutex()
+    private var currentRefreshedToken: BearerTokens? = null
 
     override fun sendWithoutRequest(request: HttpRequestBuilder): Boolean = sendWithoutRequestCallback(request)
 
@@ -144,24 +164,65 @@ public class BearerAuthProvider(
      * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider.addRequestHeaders)
      */
     override suspend fun addRequestHeaders(request: HttpRequestBuilder, authHeader: HttpAuthHeader?) {
-        val token = tokensHolder.loadToken() ?: return
+        // If the request has the circuit breaker attribute, don't add any auth headers
+        if (request.attributes.contains(AuthCircuitBreaker)) {
+            LOGGER.trace("Circuit breaker active - no auth header will be added")
+            return
+        }
+
+        // Get the appropriate token based on caching settings
+        val token = currentRefreshTokenMutex.withLock {
+            if (currentRefreshedToken != null) {
+                // If we have a refreshed token for the current retry cycle, use that
+                LOGGER.trace("Using refreshed token for request: ${currentRefreshedToken!!.accessToken}")
+                return@withLock currentRefreshedToken
+            } else if (cacheTokens) {
+                // If caching is enabled, use tokensHolder to cache between requests
+                return@withLock tokensHolder!!.loadToken()
+            } else {
+                // If caching is disabled, load a fresh token
+                val freshToken = loadTokensCallback()
+                LOGGER.trace("Using fresh token for request: ${freshToken?.accessToken}")
+                return@withLock freshToken
+            }
+        } ?: return
 
         request.headers {
             val tokenValue = "Bearer ${token.accessToken}"
             if (contains(HttpHeaders.Authorization)) {
                 remove(HttpHeaders.Authorization)
             }
-            if (request.attributes.contains(AuthCircuitBreaker).not()) {
-                append(HttpHeaders.Authorization, tokenValue)
-            }
+            append(HttpHeaders.Authorization, tokenValue)
         }
     }
 
     public override suspend fun refreshToken(response: HttpResponse): Boolean {
-        val newToken = tokensHolder.setToken {
-            refreshTokens(RefreshTokensParams(response.call.client, response, tokensHolder.loadToken()))
+        return if (cacheTokens) {
+            // With caching enabled, use the token holder for persistent caching
+            val newToken = tokensHolder!!.setToken {
+                refreshTokens(RefreshTokensParams(response.call.client, response, tokensHolder.loadToken()))
+            }
+            newToken != null
+        } else {
+            // Thread-safe access to currentRefreshedToken
+            currentRefreshTokenMutex.withLock {
+                // Get the current token (used as oldTokens in RefreshTokensParams)
+                val currentToken = loadTokensCallback()
+
+                // Get the new token from the refresh function
+                val newToken = refreshTokens(RefreshTokensParams(response.call.client, response, currentToken))
+
+                // Store the refreshed token for use in the retry process
+                if (newToken != null) {
+                    LOGGER.trace("Setting refreshed token: ${newToken.accessToken}")
+                    currentRefreshedToken = newToken
+                    true
+                } else {
+                    LOGGER.trace("No refreshed token returned")
+                    false
+                }
+            }
         }
-        return newToken != null
     }
 
     /**
@@ -171,13 +232,22 @@ public class BearerAuthProvider(
      * - When access or refresh tokens have been updated externally
      * - When you want to clear sensitive token data (for example, during logout)
      *
-     * Note: The result of `loadTokens` invocation is cached internally.
+     * Note: The result of `loadTokens` invocation is cached internally when [cacheTokens] is true.
      * Calling this method will force the next authentication attempt to fetch fresh tokens
      * through the configured `loadTokens` function.
      *
+     * If [cacheTokens] is false, this method will clear any temporarily stored refresh token.
+     *
      * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.client.plugins.auth.providers.BearerAuthProvider.clearToken)
      */
-    public fun clearToken() {
-        tokensHolder.clearToken()
+    public suspend fun clearToken() {
+        if (cacheTokens) {
+            tokensHolder!!.clearToken()
+        } else {
+            // Thread-safe access to clear any temporarily stored refreshed token
+            currentRefreshTokenMutex.withLock {
+                currentRefreshedToken = null
+            }
+        }
     }
 }