Merge pull request #128 from gcurtis/oauth-race

Fix OAuth race condition when refreshing

Author: gcurtis

src/main/java/com/box/sdk/BoxAPIConnection.java

@@ -507,4 +507,26 @@ public String save() {
             .add("maxRequestAttempts", this.maxRequestAttempts);
         return state.toString();
     }
+
+    String lockAccessToken() {
+        if (this.autoRefresh && this.canRefresh() && this.needsRefresh()) {
+            this.refreshLock.writeLock().lock();
+            try {
+                if (this.needsRefresh()) {
+                    this.refresh();
+                }
+                this.refreshLock.readLock().lock();
+            } finally {
+                this.refreshLock.writeLock().unlock();
+            }
+        } else {
+            this.refreshLock.readLock().lock();
+        }
+
+        return this.accessToken;
+    }
+
+    void unlockAccessToken() {
+        this.refreshLock.readLock().unlock();
+    }
 }

src/main/java/com/box/sdk/BoxAPIRequest.java

@@ -347,7 +347,7 @@ private BoxAPIResponse trySend(ProgressListener listener) {
         }
 
         if (this.api != null) {
-            connection.addRequestProperty("Authorization", "Bearer " + this.api.getAccessToken());
+            connection.addRequestProperty("Authorization", "Bearer " + this.api.lockAccessToken());
             connection.setRequestProperty("User-Agent", this.api.getUserAgent());
 
             if (this.api instanceof SharedLinkAPIConnection) {
@@ -363,26 +363,34 @@ private BoxAPIResponse trySend(ProgressListener listener) {
         }
 
         this.requestProperties = connection.getRequestProperties();
-        this.writeBody(connection, listener);
 
-        // Ensure that we're connected in case writeBody() didn't write anything.
+        int responseCode;
         try {
-            connection.connect();
-        } catch (IOException e) {
-            throw new BoxAPIException("Couldn't connect to the Box API due to a network error.", e);
-        }
+            this.writeBody(connection, listener);
 
-        this.logRequest(connection);
+            // Ensure that we're connected in case writeBody() didn't write anything.
+            try {
+                connection.connect();
+            } catch (IOException e) {
+                throw new BoxAPIException("Couldn't connect to the Box API due to a network error.", e);
+            }
 
-        // We need to manually handle redirects by creating a new HttpURLConnection so that connection pooling happens
-        // correctly. There seems to be a bug in Oracle's Java implementation where automatically handled redirects will
-        // not keep the connection alive.
-        int responseCode;
-        try {
-            responseCode = connection.getResponseCode();
-        } catch (IOException e) {
-            throw new BoxAPIException("Couldn't connect to the Box API due to a network error.", e);
+            this.logRequest(connection);
+
+            // We need to manually handle redirects by creating a new HttpURLConnection so that connection pooling
+            // happens correctly. There seems to be a bug in Oracle's Java implementation where automatically handled
+            // redirects will not keep the connection alive.
+            try {
+                responseCode = connection.getResponseCode();
+            } catch (IOException e) {
+                throw new BoxAPIException("Couldn't connect to the Box API due to a network error.", e);
+            }
+        } finally {
+            if (this.api != null) {
+                this.api.unlockAccessToken();
+            }
         }
+
         if (isResponseRedirect(responseCode)) {
             return this.handleRedirect(connection, listener);
         }

src/main/java/com/box/sdk/SharedLinkAPIConnection.java

@@ -116,6 +116,16 @@ public void refresh() {
         this.wrappedConnection.refresh();
     }
 
+    @Override
+    String lockAccessToken() {
+        return this.wrappedConnection.lockAccessToken();
+    }
+
+    @Override
+    void unlockAccessToken() {
+        this.wrappedConnection.unlockAccessToken();
+    }
+
     /**
      * Gets the shared link used for accessing shared items.
      * @return the shared link used for accessing shared items.