feat(fresh_dio): implement token refresh locking mechanism

packages/fresh_dio/lib/src/fresh.dart

@@ -2,6 +2,7 @@ import 'dart:async';
 
 import 'package:dio/dio.dart';
 import 'package:fresh_dio/fresh_dio.dart';
+import 'package:synchronized/synchronized.dart';
 
 /// Signature for `shouldRefresh` on [Fresh].
 typedef ShouldRefresh = bool Function(Response<dynamic>? response);
@@ -75,6 +76,9 @@ class Fresh<T> extends QueuedInterceptor with FreshMixin<T> {
   final ShouldRefresh _shouldRefresh;
   final RefreshToken<T> _refreshToken;
 
+  final Lock _refreshLock = Lock();
+  T? _latestRefreshedToken;
+
   @override
   Future<dynamic> onRequest(
     RequestOptions options,
@@ -166,9 +170,31 @@ Example:
   }
 
   Future<Response<dynamic>> _tryRefresh(Response<dynamic> response) async {
-    late final T refreshedToken;
+    return _refreshLock.synchronized(() async {
+      final currentToken = await token;
+
+      if (currentToken == null) {
+        throw DioException(
+          requestOptions: response.requestOptions,
+          error: RevokeTokenException(),
+          response: response,
+        );
+      }
+
+      if (identical(currentToken, _latestRefreshedToken)) {
+        return _retryRequest(response, currentToken);
+      }
+
+      final refreshedToken = await _performRefresh(response, currentToken);
+      await setToken(refreshedToken);
+      _latestRefreshedToken = refreshedToken;
+      return _retryRequest(response, refreshedToken);
+    });
+  }
+
+  Future<T> _performRefresh(Response<dynamic> response, T? currentToken) async {
     try {
-      refreshedToken = await _refreshToken(await token, _httpClient);
+      return await _refreshToken(currentToken, _httpClient);
     } on RevokeTokenException catch (error) {
       await clearToken();
       throw DioException(
@@ -177,8 +203,12 @@ Example:
         response: response,
       );
     }
+  }
 
-    await setToken(refreshedToken);
+  Future<Response<dynamic>> _retryRequest(
+    Response<dynamic> response,
+    T refreshedToken,
+  ) async {
     _httpClient.options.baseUrl = response.requestOptions.baseUrl;
     final data = response.requestOptions.data;
     return _httpClient.request<dynamic>(

packages/fresh_dio/pubspec.yaml

@@ -13,6 +13,7 @@ environment:
 dependencies:
   dio: ^5.5.0+1
   fresh: ^0.4.0
+  synchronized: ^3.4.0
 
 dev_dependencies:
   mocktail: ^1.0.0

packages/fresh_dio/test/refresh_test.dart

@@ -81,6 +81,195 @@ void main() {
           .having((m) => m['stack_trace'], 'stack trace', isA<StackTrace>()),
     );
   });
+
+  test('calls refreshToken only once when multiple requests are queued',
+      () async {
+    var refreshCallCount = 0;
+
+    final mockRefreshClient = Dio()
+      ..httpClientAdapter = _MockAdapter(
+        (options) {
+          return ResponseBody.fromString(
+            '{"success": true}',
+            200,
+            headers: {
+              Headers.contentTypeHeader: [Headers.jsonContentType],
+            },
+          );
+        },
+      );
+
+    final fresh = Fresh.oAuth2(
+      tokenStorage: InMemoryTokenStorage<OAuth2Token>(),
+      httpClient: mockRefreshClient,
+      refreshToken: (token, _) async {
+        refreshCallCount++;
+        await Future<void>.delayed(const Duration(milliseconds: 100));
+        return const OAuth2Token(
+          accessToken: 'new.access.token',
+          refreshToken: 'new.refresh.token',
+        );
+      },
+    );
+
+    await fresh.setToken(
+      const OAuth2Token(
+        accessToken: 'invalid.token',
+        refreshToken: 'refresh.token',
+      ),
+    );
+
+    final dio = Dio();
+    dio.interceptors.add(fresh);
+    dio.options.baseUrl = 'http://example.com';
+    dio.httpClientAdapter = _MockAdapter(
+      (options) {
+        if (options.headers.containsKey('authorization')) {
+          final auth = options.headers['authorization'] as String;
+          if (auth.contains('invalid.token')) {
+            return ResponseBody.fromString(
+              '{"error": "Unauthorized"}',
+              401,
+              headers: {
+                Headers.contentTypeHeader: [Headers.jsonContentType],
+              },
+            );
+          }
+        }
+        return ResponseBody.fromString(
+          '{"success": true}',
+          200,
+          headers: {
+            Headers.contentTypeHeader: [Headers.jsonContentType],
+          },
+        );
+      },
+    );
+
+    final futures = <Future<Response<Object?>>>[
+      dio.get<Object?>('/1'),
+      dio.get<Object?>('/2'),
+      dio.get<Object?>('/3'),
+    ];
+
+    final responses = await Future.wait(futures);
+
+    for (final response in responses) {
+      expect(response.statusCode, equals(200));
+    }
+
+    expect(
+      refreshCallCount,
+      equals(1),
+      reason: 'refreshToken should only be called once even with multiple '
+          'queued requests',
+    );
+  });
+
+  test('uses refreshed token for all queued requests after refresh', () async {
+    final capturedTokens = <String>[];
+
+    final mockRefreshClient = Dio()
+      ..httpClientAdapter = _MockAdapter(
+        (options) {
+          if (options.headers.containsKey('authorization')) {
+            final auth = options.headers['authorization'] as String;
+            capturedTokens.add(auth);
+          }
+          return ResponseBody.fromString(
+            '{"success": true}',
+            200,
+            headers: {
+              Headers.contentTypeHeader: [Headers.jsonContentType],
+            },
+          );
+        },
+      );
+
+    final fresh = Fresh.oAuth2(
+      tokenStorage: InMemoryTokenStorage<OAuth2Token>(),
+      httpClient: mockRefreshClient,
+      refreshToken: (token, _) async {
+        await Future<void>.delayed(const Duration(milliseconds: 100));
+        return const OAuth2Token(
+          accessToken: 'new.access.token',
+          refreshToken: 'new.refresh.token',
+        );
+      },
+    );
+
+    await fresh.setToken(
+      const OAuth2Token(
+        accessToken: 'invalid.token',
+        refreshToken: 'refresh.token',
+      ),
+    );
+
+    final dio = Dio();
+    dio.interceptors.add(fresh);
+    dio.options.baseUrl = 'http://example.com';
+    dio.httpClientAdapter = _MockAdapter(
+      (options) {
+        if (options.headers.containsKey('authorization')) {
+          final auth = options.headers['authorization'] as String;
+          capturedTokens.add(auth);
+          if (auth.contains('invalid.token')) {
+            return ResponseBody.fromString(
+              '{"error": "Unauthorized"}',
+              401,
+              headers: {
+                Headers.contentTypeHeader: [Headers.jsonContentType],
+              },
+            );
+          }
+        }
+        return ResponseBody.fromString(
+          '{"success": true}',
+          200,
+          headers: {
+            Headers.contentTypeHeader: [Headers.jsonContentType],
+          },
+        );
+      },
+    );
+
+    final futures = <Future<Response<Object?>>>[
+      dio.get<Object?>('/1'),
+      dio.get<Object?>('/2'),
+      dio.get<Object?>('/3'),
+    ];
+
+    final responses = await Future.wait(futures);
+
+    for (final response in responses) {
+      expect(response.statusCode, equals(200));
+    }
+
+    expect(
+      capturedTokens.length,
+      equals(6),
+      reason: 'should capture tokens from initial attempts (3) and retries (3)',
+    );
+
+    final initialTokens = capturedTokens.sublist(0, 3);
+    final retryTokens = capturedTokens.sublist(3);
+
+    for (final token in initialTokens) {
+      expect(
+        token,
+        contains('invalid.token'),
+        reason: 'initial requests should use the invalid token',
+      );
+    }
+
+    for (final token in retryTokens) {
+      expect(
+        token,
+        contains('new.access.token'),
+        reason: 'retry requests should use the refreshed token',
+      );
+    }
+  });
 }
 
 class _MockAdapter implements HttpClientAdapter {