Skip to content

Add a mechanism to prevent concurrent token refreshes #15493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+329 −1
Open

Add a mechanism to prevent concurrent token refreshes #15493

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 18 additions & 1 deletion FirebaseAuth/Sources/Swift/SystemService/SecureTokenService.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ private let kFiveMinutes = 5 * 60.0

@available(iOS 13, tvOS 13, macOS 10.15, macCatalyst 13, watchOS 7, *)
actor SecureTokenServiceInternal {
/// Coalescer to deduplicate concurrent token refresh requests.
/// When multiple requests arrive at the same time, only one network call is made.
private let refreshCoalescer = TokenRefreshCoalescer()

/// Fetch a fresh ephemeral access token for the ID associated with this instance. The token
/// received in the callback should be considered short lived and not cached.
///
Expand All @@ -32,7 +36,20 @@ actor SecureTokenServiceInternal {
return (service.accessToken, false)
} else {
AuthLog.logDebug(code: "I-AUT000017", message: "Fetching new token from backend.")
return try await requestAccessToken(retryIfExpired: true, service: service, backend: backend)

// Use coalescer to deduplicate concurrent refresh requests.
// If multiple requests arrive while one is in progress, they all wait
// for the same network response instead of making redundant calls.
let currentToken = service.accessToken
return try await refreshCoalescer.coalescedRefresh(
currentToken: currentToken
) {
Copy link
Member

@ncooke3 ncooke3 Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about calls within quick succession that have a different token?

Example

Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token1, ...) }  // 1
Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token1, ...) }  // 2
Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token2, ...) }  // 3

The last call has a different token so that would cancel out the first two calls? Was this a realistic scenario within your sample app?

Copy link
Author

@lilpit lilpit Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question !
In our sample app the refresh request would be executed multiple time with the same token (the one that expired)

Yeah requesting a different token would cancel the previous requests. Do you think the scenario you're describing could happen ?

Copy link
Member

@ncooke3 ncooke3 Nov 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC, I don't think there are multiple access tokens, each with their own refresh lifecycle. I'll look within the SDK.

cc: @pashanka

try await self.requestAccessToken(
retryIfExpired: true,
service: service,
backend: backend
)
}
}
}

Expand Down
102 changes: 102 additions & 0 deletions FirebaseAuth/Sources/Swift/SystemService/TokenRefreshCoalescer.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

import Foundation

/// Coalesces multiple concurrent token refresh requests into a single network call.
///
/// When multiple requests for a token refresh arrive concurrently (e.g., from Storage, Firestore,
/// and auto-refresh), instead of making separate network calls for each one, this class ensures
/// that only ONE network request is made. All concurrent callers wait for and receive the same
/// refreshed token.
///
/// This prevents redundant STS (Secure Token Service) calls and reduces load on both the client
/// and server.
///
/// Example:
/// ```
/// // Multiple concurrent requests arrive at the same time
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 1
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 2
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 3
Comment on lines +30 to +32
Copy link
Member

@ncooke3 ncooke3 Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 1
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 2
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(backend: backend, ...) } // 3
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token, ...) } // 1
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token, ...) } // 2
/// Task { try await tokenRefreshCoalescer.coalescedRefresh(currentToken: token, ...) } // 3

///
/// // Only ONE network call is made. All three tasks receive the same refreshed token.
/// ```
@available(iOS 13, tvOS 13, macOS 10.15, macCatalyst 13, watchOS 7, *)
actor TokenRefreshCoalescer {
/// The in-flight token refresh task, if any.
/// When this is set, all concurrent calls wait for this task instead of starting their own.
private var pendingRefreshTask: Task<(String?, Bool), Error>?

/// The token string of the pending refresh.
/// Used to ensure we only coalesce requests for the same token.
private var pendingRefreshToken: String?

/// Performs a coalesced token refresh.
///
/// If a refresh is already in progress, this method waits for that refresh to complete
/// and returns its result. If no refresh is in progress, it starts a new one and stores
/// the task so other concurrent callers can wait for it.
///
/// - Parameters:
/// - currentToken: The current token string. Used to detect token changes.
/// If the current token differs from the pending refresh token,
/// a new refresh is started (old one is ignored).
/// - refreshFunction: A closure that performs the actual network request and refresh.
/// Should be called only if a new refresh is needed.
///
/// - Returns: A tuple containing (refreshedToken, wasUpdated) matching the format
/// of SecureTokenService.
///
/// - Throws: Any error from the refresh operation.
func coalescedRefresh(currentToken: String,
refreshFunction: @escaping () async throws -> (String?, Bool)) async throws
-> (
String?,
Bool
) {
// Check if a refresh is already in progress for this token
if let pendingTask = pendingRefreshTask,
pendingRefreshToken == currentToken {
// Token hasn't changed and a refresh is in progress
// Wait for the pending refresh to complete
return try await pendingTask.value
}

// Either no refresh is in progress, or the token has changed.
// Start a new refresh task.
let task = Task {
try await refreshFunction()
}

// Store the task so other concurrent callers can wait for it
pendingRefreshTask = task
pendingRefreshToken = currentToken

defer {
// Clean up the pending task after it completes
pendingRefreshTask = nil
pendingRefreshToken = nil
}

do {
return try await task.value
} catch {
// On error, clear the pending task so the next call will retry
pendingRefreshTask = nil
pendingRefreshToken = nil
throw error
}
}
}
209 changes: 209 additions & 0 deletions FirebaseAuth/Tests/Unit/TokenRefreshCoalescerTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

@testable import FirebaseAuth
import XCTest

actor Counter {
private var valueInternal: Int = 0
func increment() { valueInternal += 1 }
func value() -> Int { valueInternal }
}

@available(iOS 13, tvOS 13, macOS 10.15, macCatalyst 13, watchOS 7, *)
class TokenRefreshCoalescerTests: XCTestCase {
/// Tests that when multiple concurrent refresh requests arrive for the same token,
/// only ONE network call is made.
///
/// This is the main issue fix: Previously, each concurrent caller would make its own
/// network request, resulting in redundant STS calls.
func testCoalescedRefreshMakesOnlyOneNetworkCall() async throws {
let coalescer = TokenRefreshCoalescer()
let counter = Counter()

// Simulate multiple concurrent refresh requests
async let result1 = try coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()

// Simulate network delay
try await Task.sleep(nanoseconds: 100_000_000) // 0.1 seconds

return ("new_token", true)
}

async let result2 = try coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()

try await Task.sleep(nanoseconds: 100_000_000)
return ("new_token", true)
}

async let result3 = try coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()

try await Task.sleep(nanoseconds: 100_000_000)
return ("new_token", true)
}

// Wait for all three to complete
let (token1, updated1) = try await result1
let (token2, updated2) = try await result2
let (token3, updated3) = try await result3

// All three should get the same token
XCTAssertEqual(token1, "new_token")
XCTAssertEqual(token2, "new_token")
XCTAssertEqual(token3, "new_token")

XCTAssertTrue(updated1)
XCTAssertTrue(updated2)
XCTAssertTrue(updated3)

// CRITICAL: Only ONE network call should have been made
// (Previously, without coalescing, this would be 3)
let callCount = await counter.value()
XCTAssertEqual(callCount, 1, "Expected only 1 network call, but got \(callCount)")
}

/// Tests that when the token changes, a new refresh is started instead of
/// coalescing with the old one.
func testNewRefreshStartsWhenTokenChanges() async throws {
let coalescer = TokenRefreshCoalescer()
let counter = Counter()

// First refresh for token_v1
async let result1 = try coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()

try await Task.sleep(nanoseconds: 50_000_000)
return ("new_token_1", true)
}

// Wait a bit, then start a refresh for a different token (token_v2)
// This should NOT coalesce with the first one
try await Task.sleep(nanoseconds: 10_000_000)

async let result2 = try coalescer.coalescedRefresh(currentToken: "token_v2") {
await counter.increment()

try await Task.sleep(nanoseconds: 50_000_000)
return ("new_token_2", true)
}

let token1 = try await result1.0
let token2 = try await result2.0

// Should get different tokens
XCTAssertEqual(token1, "new_token_1")
XCTAssertEqual(token2, "new_token_2")

// Should have made TWO network calls (one for each token)
let callsAfterTwoTokens = await counter.value()
XCTAssertEqual(callsAfterTwoTokens, 2)
}

/// Tests that if a refresh fails, the next call will start a fresh attempt
/// instead of waiting for the failed one.
func testFailedRefreshAllowsRetry() async throws {
let coalescer = TokenRefreshCoalescer()
let counter = Counter()

// First call will fail (run it to completion)
do {
_ = try await coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()
throw NSError(domain: "TestError", code: -1, userInfo: nil)
}
XCTFail("Expected error")
} catch {
// Expected failure
}

// Second call after the failure should start a fresh attempt and succeed
let (token2, updated2) = try await coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()
return ("recovered_token", true)
}

XCTAssertEqual(token2, "recovered_token")
XCTAssertTrue(updated2)

// Should have made TWO network calls (first failed, second succeeded)
let secondResult = await counter.value()
XCTAssertEqual(secondResult, 2)
}

/// Stress test: Many concurrent calls for the same token
func testManyCurrentCallsWithSameToken() async throws {
let coalescer = TokenRefreshCoalescer()
let counter = Counter()

let numCalls = 50
var tasks: [Task<(String?, Bool), Error>] = []

// Launch 50 concurrent refresh tasks
for _ in 0 ..< numCalls {
let task = Task {
try await coalescer.coalescedRefresh(currentToken: "token_stress") {
await counter.increment()

try await Task.sleep(nanoseconds: 100_000_000)
return ("stress_token", true)
}
}
tasks.append(task)
}

// Wait for all to complete
var successCount = 0
for task in tasks {
let (token, updated) = try await task.value
XCTAssertEqual(token, "stress_token")
XCTAssertTrue(updated)
successCount += 1
}

XCTAssertEqual(successCount, numCalls)

// All 50 concurrent calls should result in ONLY 1 network call
let stressCallCount = await counter.value()
XCTAssertEqual(
stressCallCount,
1,
"Expected 1 network call for 50 concurrent requests, but got \(stressCallCount)"
)
}

/// Tests that concurrent calls with forceRefresh:false still use the cache
/// when tokens are valid.
func testCachingStillWorksWithCoalescer() async throws {
let coalescer = TokenRefreshCoalescer()
let counter = Counter()

// First call triggers a refresh
let result1 = try await coalescer.coalescedRefresh(currentToken: "token_v1") {
await counter.increment()

return ("refreshed_token", true)
}

XCTAssertEqual(result1.0, "refreshed_token")
let resultAfterRefresh = await counter.value()
XCTAssertEqual(resultAfterRefresh, 1)

// This test documents that caching logic happens BEFORE coalescer is called,
// so this scenario doesn't test the coalescer directly, but verifies the
// integration is correct.
}
}
Loading