Address code review feedback.

Author: jiuyangzhao

examples/android/src/main/java/com/dropbox/core/examples/android/DropboxActivity.java

@@ -3,7 +3,6 @@
 import android.content.SharedPreferences;
 import android.support.v7.app.AppCompatActivity;
 
-import android.util.Log;
 import com.dropbox.core.android.Auth;
 import com.dropbox.core.json.JsonReadException;
 import com.dropbox.core.oauth.DbxCredential;
@@ -15,7 +14,8 @@
  */
 public abstract class DropboxActivity extends AppCompatActivity {
 
-    public final static boolean USE_SLT = false; //If USE_SLT is set to true, our Android example will use our beta feature Short Live Token.
+    private final static boolean USE_SLT = false; //If USE_SLT is set to true, our Android example
+    // will use our beta feature Short Live Token.
 
     @Override
     protected void onResume() {
@@ -84,4 +84,12 @@ protected boolean hasToken() {
             return accessToken != null;
         }
     }
+
+    public static void startOAuth2Authentication(Context context) {
+        if (USE_SLT) {
+            Auth.startOAuth2PKCE(context, getString(R.string.app_key), DbxRequestConfigFactory.getRequestConfig());
+        } else {
+            Auth.startOAuth2Authentication(context, getString(R.string.app_key));
+        }
+    }
 }

examples/android/src/main/java/com/dropbox/core/examples/android/UserActivity.java

@@ -32,11 +32,7 @@ protected void onCreate(Bundle savedInstanceState) {
         loginButton.setOnClickListener(new View.OnClickListener() {
             @Override
             public void onClick(View v) {
-                if (DropboxActivity.USE_SLT) {
-                    Auth.startOAuth2PKCE(UserActivity.this, getString(R.string.app_key), DbxRequestConfigFactory.getRequestConfig());
-                } else {
-                    Auth.startOAuth2Authentication(UserActivity.this, getString(R.string.app_key));
-                }
+                DropboxActivity.startOAuth2Authentication(UserActivity.this);
             }
         });
 

src/main/java/com/dropbox/core/DbxAppInfo.java

@@ -25,7 +25,7 @@ public class DbxAppInfo extends Dumpable {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless
-     * you are early access partner of this feature. The function signature is subjected to change
+     * you are early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * DbxAppInfo without secret. Should only be used in PKCE flow.

src/main/java/com/dropbox/core/DbxAuthFinish.java

@@ -42,7 +42,7 @@ public DbxAuthFinish(String accessToken, String userId, String accountId, String
     /**
      *
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * @param accessToken OAuth access token.
@@ -62,7 +62,7 @@ public DbxAuthFinish(String accessToken, Long expiresIn, String refreshToken, St
     /**
      *
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * @param accessToken OAuth access token.
@@ -104,7 +104,7 @@ public String getAccessToken() {
     /**
      *
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Returns the time when {@link DbxAuthFinish#accessToken} expires in millisecond. If null then
@@ -121,7 +121,7 @@ public Long getExpiresAt() {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Returns an <em>refresh token</em> which can be used to obtain new
@@ -167,7 +167,7 @@ public String getTeamId() {
     /**
      *
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Return the <em>scopes</em> of current OAuth flow. Each scope correspond to a group of

src/main/java/com/dropbox/core/DbxAuthInfo.java

@@ -31,7 +31,7 @@ public DbxAuthInfo(String accessToken, DbxHost host) {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Creates a new instance with the given parameters.
@@ -62,7 +62,7 @@ public String getAccessToken() {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Return the millisecond when accessToken is going to expire.
@@ -75,7 +75,7 @@ public Long getExpiresAt() {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Return the refresh token which can be used to obtain new access token.

src/main/java/com/dropbox/core/DbxPKCEManager.java

@@ -4,6 +4,7 @@
 import com.dropbox.core.util.LangUtil;
 import com.dropbox.core.v2.DbxRawClientV2;
 
+import java.io.IOException;
 import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
@@ -18,14 +19,13 @@
  * This class should be lib/jar private. We make it public so that Android related code can use it.
  *
  * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
- * early access partner of this feature. The function signature is subjected to change
+ * early access partner of this feature. The function signature is subject to change
  * in next minor version release.
  *
  * This class does code verifier and code challenge generation in Proof Key for Code Exchange(PKCE).
  * @see <a href="https://tools.ietf.org/html/rfc7636">https://tools.ietf.org/html/rfc7636</a>
  */
-public class DbxPKCEManager implements Serializable {
-    public static final long serialVersionUID = 0;
+public class DbxPKCEManager {
     public static final String CODE_CHALLENGE_METHODS = "S256";
     public static final int CODE_VERIFIER_SIZE = 128;
 
@@ -43,7 +43,12 @@ public class DbxPKCEManager implements Serializable {
      */
     public DbxPKCEManager() {
         this.codeVerifier = generateCodeVerifier();
-        this.codeChallenge = generateCodeChallenge();
+        this.codeChallenge = generateCodeChallenge(this.codeVerifier);
+    }
+
+    public DbxPKCEManager(String codeVerifier) {
+        this.codeVerifier = codeVerifier;
+        this.codeChallenge = generateCodeChallenge(this.codeVerifier);
     }
 
     String generateCodeVerifier() {
@@ -56,10 +61,6 @@ String generateCodeVerifier() {
         return sb.toString();
     }
 
-    String generateCodeChallenge() {
-        return generateCodeChallenge(this.codeVerifier);
-    }
-
     static String generateCodeChallenge(String codeVerifier) {
         try {
             MessageDigest digest = MessageDigest.getInstance("SHA-256");
@@ -88,7 +89,7 @@ public String getCodeChallenge() {
 
     /**
      * Make oauth2/token request to exchange code for oauth2 access token. Client secret is not
-     * requried.
+     * required.
      * @param requestConfig Default attributes to use for each request.
      * @param oauth2Code OAuth2 code defined in OAuth2 code flow.
      * @param appKey Client Key

src/main/java/com/dropbox/core/DbxPKCEWebAuth.java

@@ -16,7 +16,7 @@
 /**
  *
  * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
- * early access partner of this feature. The function signature is subjected to change
+ * early access partner of this feature. The function signature is subject to change
  * in next minor version release.
  *
  * This class does the OAuth2 "authorization code" flow with Proof Key for Code Exchange(PKCE).

src/main/java/com/dropbox/core/DbxWebAuth.java

@@ -877,7 +877,7 @@ public Builder withDisableSignup(Boolean disableSignup) {
 
             /**
              * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-             * early access partner of this feature. The function signature is subjected to change
+             * early access partner of this feature. The function signature is subject to change
              * in next minor version release.
              *
              * Whether or not to include refresh token in {@link DbxAuthFinish}
@@ -901,7 +901,7 @@ public Builder withTokenAccessType(TokenAccessType tokenAccessType) {
             /**
              *
              * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-             * early access partner of this feature. The function signature is subjected to change
+             * early access partner of this feature. The function signature is subject to change
              * in next minor version release.
              *
              * @param scope A list of scope returned by Dropbox server. Each scope correspond to a group of

src/main/java/com/dropbox/core/android/Auth.java

@@ -34,7 +34,7 @@ public static void startOAuth2Authentication(Context context, String appKey, Str
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * @see Auth#startOAuth2PKCE(Context, String, DbxRequestConfig, DbxHost)
@@ -46,11 +46,11 @@ public static void startOAuth2PKCE(Context context, String appKey,
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * Starts the Dropbox OAuth process by launching the Dropbox official app (AKA DAuth) or web
-     * browser if dropbox official app is not available. In browser flow, normally user need to
+     * browser if dropbox official app is not available. In browser flow, normally user needs to
      * sign in.
      * @param context               the {@link Context} to use to launch the
      *      *                       Dropbox authentication activity. This will typically be an
@@ -164,7 +164,7 @@ public static String getUid() {
 
     /**
      * <b>Beta</b>: This feature is not available to all developers. Please do NOT use it unless you are
-     * early access partner of this feature. The function signature is subjected to change
+     * early access partner of this feature. The function signature is subject to change
      * in next minor version release.
      *
      * @return The result after

src/main/java/com/dropbox/core/android/AuthActivity.java

@@ -143,7 +143,7 @@ public class AuthActivity extends Activity {
     private static final String SIS_KEY_AUTH_STATE_NONCE = "SIS_KEY_AUTH_STATE_NONCE";
 
     // saved instance PKCE manger key
-    private static final String SIS_KEY_PKCE_MANAGER = "SIS_KEY_PKCE_MANAGER";
+    private static final String SIS_KEY_PKCE_CODE_VERIFIER = "SIS_KEY_PKCE_CODE_VERIFIER";
     /**
      * Provider of the local security needs of an AuthActivity.
      *
@@ -228,7 +228,8 @@ static void setAuthParams(String appKey, String desiredUid,
     }
 
     /**
-     * Set static authentication parameters
+     * Set static authentication parameters. If both host and webHost are provided, we take use
+     * host as source of truth.
      */
     static void setAuthParams(String appKey, String desiredUid,
                               String[] alreadyAuthedUids, String sessionId, String webHost,
@@ -291,12 +292,17 @@ public static Intent makeIntent(Context context, String appKey, String webHost,
      */
     public static Intent makeIntent(Context context, String appKey, String desiredUid, String[] alreadyAuthedUids,
                                     String sessionId, String webHost, String apiType) {
-        if (appKey == null) throw new IllegalArgumentException("'appKey' can't be null");
+        if (appKey == null) {
+            throw new IllegalArgumentException("'appKey' can't be null");
+        }
         setAuthParams(appKey, desiredUid, alreadyAuthedUids, sessionId, webHost, apiType, null,
             null, null);
         return new Intent(context, AuthActivity.class);
     }
 
+    /**
+     * If both host and webHost are provided, we take use host as source of truth.
+     */
     static Intent makeIntent(
         Context context, String appKey, String desiredUid, String[] alreadyAuthedUids,
         String sessionId, String webHost, String apiType, TokenAccessType tokenAccessType,
@@ -430,7 +436,7 @@ protected void onCreate(Bundle savedInstanceState) {
             mPKCEManager = new DbxPKCEManager();
         } else {
             mAuthStateNonce = savedInstanceState.getString(SIS_KEY_AUTH_STATE_NONCE);
-            mPKCEManager = (DbxPKCEManager) savedInstanceState.getSerializable(SIS_KEY_PKCE_MANAGER);
+            mPKCEManager = new DbxPKCEManager(savedInstanceState.getString(SIS_KEY_PKCE_CODE_VERIFIER));
         }
 
         setTheme(android.R.style.Theme_Translucent_NoTitleBar);
@@ -442,7 +448,7 @@ protected void onCreate(Bundle savedInstanceState) {
     protected void onSaveInstanceState(Bundle outState) {
         super.onSaveInstanceState(outState);
         outState.putString(SIS_KEY_AUTH_STATE_NONCE, mAuthStateNonce);
-        outState.putSerializable(SIS_KEY_PKCE_MANAGER, mPKCEManager);
+        outState.putString(SIS_KEY_PKCE_CODE_VERIFIER, mPKCEManager.getCodeVerifier());
     }
 
     /**
@@ -604,14 +610,16 @@ protected void onNewIntent(Intent intent) {
                 newResult.putExtra(EXTRA_UID, uid);
             } else if (token.equals(TokenType.OAUTH2CODE.toString())) {
                 // code flow with PKCE
-                TokenRequest tokenRequest = new TokenRequest(secret);
+                TokenRequestAsyncTask tokenRequest = new TokenRequestAsyncTask(secret);
                 try {
                     DbxAuthFinish dbxAuthFinish = tokenRequest.execute().get();
 
                     if (dbxAuthFinish == null) {
                         newResult = null;
                     } else {
                         newResult = new Intent();
+                        // access_token and access_secret are OAuth1 concept. In OAuth2 we only
+                        // have access token. So I put both of them to be the same.
                         newResult.putExtra(EXTRA_ACCESS_TOKEN, dbxAuthFinish.getAccessToken());
                         newResult.putExtra(EXTRA_ACCESS_SECRET, dbxAuthFinish.getAccessToken());
                         newResult.putExtra(EXTRA_REFRESH_TOKEN, dbxAuthFinish.getRefreshToken());
@@ -677,7 +685,7 @@ private String createStateNonce() {
     }
 
     private String createPKCEStateNonce() {
-        return String.format("oauth2code:%s:%s:%s",
+        return String.format(Locale.US, "oauth2code:%s:%s:%s",
                              mPKCEManager.getCodeChallenge(),
                              DbxPKCEManager.CODE_CHALLENGE_METHODS,
                              mTokenAccessType.toString());
@@ -709,18 +717,18 @@ public String toString() {
         }
     }
 
-    private class TokenRequest extends AsyncTask<Void, Void, DbxAuthFinish> {
+    private class TokenRequestAsyncTask extends AsyncTask<Void, Void, DbxAuthFinish> {
         private final String code;
 
-        private TokenRequest(String code) {
+        private TokenRequestAsyncTask(String code) {
             this.code = code;
         }
 
 
         @Override
         protected DbxAuthFinish doInBackground(Void... p) {
             try {
-                return mPKCEManager.makeTokenRequest(mRequestConfig, code, mAppKey, null,mHost);
+                return mPKCEManager.makeTokenRequest(mRequestConfig, code, mAppKey, null, mHost);
             } catch (DbxException e) {
                 Log.e(TAG, "Token Request Failed: " + e.getMessage());
                 return null;