feat(auth): use stable key for transient auth to avoid drift (#1002)

georgeh0 · web-flow · commit 5f438de7259b · 2025-09-14T23:16:04.000-07:00
diff --git a/python/cocoindex/auth_registry.py b/python/cocoindex/auth_registry.py
@@ -11,18 +11,6 @@
 
 T = TypeVar("T")
 
-# Global atomic counter for generating unique auth entry keys
-_counter_lock = threading.Lock()
-_auth_key_counter = 0
-
-
-def _generate_auth_key() -> str:
-    """Generate a unique auth entry key using a global atomic counter."""
-    global _auth_key_counter  # pylint: disable=global-statement
-    with _counter_lock:
-        _auth_key_counter += 1
-        return f"__auth_{_auth_key_counter}"
-
 
 @dataclass
 class TransientAuthEntryReference(Generic[T]):
@@ -37,7 +25,8 @@ class AuthEntryReference(TransientAuthEntryReference[T]):
 
 def add_transient_auth_entry(value: T) -> TransientAuthEntryReference[T]:
     """Add an auth entry to the registry. Returns its reference."""
-    return add_auth_entry(_generate_auth_key(), value)
+    key = _engine.add_transient_auth_entry(dump_engine_object(value))
+    return TransientAuthEntryReference(key)
 
 
 def add_auth_entry(key: str, value: T) -> AuthEntryReference[T]:
diff --git a/src/py/mod.rs b/src/py/mod.rs
@@ -559,6 +559,13 @@ fn add_auth_entry(key: String, value: Pythonized<serde_json::Value>) -> PyResult
     Ok(())
 }
 
+#[pyfunction]
+fn add_transient_auth_entry(value: Pythonized<serde_json::Value>) -> PyResult<String> {
+    get_auth_registry()
+        .add_transient(value.into_inner())
+        .into_py_result()
+}
+
 #[pyfunction]
 fn get_app_namespace(py: Python<'_>) -> PyResult<String> {
     let app_namespace = py
@@ -599,6 +606,7 @@ fn cocoindex_engine(m: &Bound<'_, PyModule>) -> PyResult<()> {
     m.add_function(wrap_pyfunction!(make_drop_bundle, m)?)?;
     m.add_function(wrap_pyfunction!(remove_flow_context, m)?)?;
     m.add_function(wrap_pyfunction!(add_auth_entry, m)?)?;
+    m.add_function(wrap_pyfunction!(add_transient_auth_entry, m)?)?;
     m.add_function(wrap_pyfunction!(get_app_namespace, m)?)?;
 
     m.add_class::<builder::flow_builder::FlowBuilder>()?;
diff --git a/src/setup/auth_registry.rs b/src/setup/auth_registry.rs
@@ -32,6 +32,23 @@ impl AuthRegistry {
         Ok(())
     }
 
+    pub fn add_transient(&self, value: serde_json::Value) -> Result<String> {
+        let key = format!(
+            "__transient_{}",
+            utils::fingerprint::Fingerprinter::default()
+                .with("cocoindex_auth")? // salt
+                .with(&value)?
+                .into_fingerprint()
+                .to_base64()
+        );
+        self.entries
+            .write()
+            .unwrap()
+            .entry(key.clone())
+            .or_insert(value);
+        Ok(key)
+    }
+
     pub fn get<T: DeserializeOwned>(&self, entry_ref: &spec::AuthEntryReference<T>) -> Result<T> {
         let entries = self.entries.read().unwrap();
         match entries.get(&entry_ref.key) {
