Expected behavior
When a request is retried because the response was 401 Unauthorized (reference), only one login sequence should be in flight at a time, no matter how many requests hit the 401 path concurrently.
Actual behavior
Currently, we check the value of isAuthenticating for this purpose. However, it is never set to true, so the check never short-circuits and every 401 response starts its own login sequence. This can generate a burst of login requests and, on hosts that rate-limit or block repeated login attempts, can get the API requests blocked altogether.
Steps to reproduce the behavior
Preparation:
Reproducing this issue requires forcing the requests to fail with status code 401. This can be done with a proxy such as Charles, intercepting the responses and rewriting them to return the desired status code.
- Listen for requests made using CookieNonceAuthenticator and select one endpoint whose response will be modified.
NOTE: Currently, this authenticator is used in WordPress-iOS for requests made to .ORG sites via the REST API.
- Force the response status code for the selected endpoint to 401 (with the proxy, by intercepting the request and rewriting the response).
- Trigger multiple requests to the selected endpoint and observe that each one triggers its own login sequence (i.e. a separate request to the login URL).
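The fix the report asks for is a single-flight gate: the first 401 sets isAuthenticating and runs the login, later 401s queue behind it and are resumed with the same outcome, and the flag is cleared when the login finishes. The following is an added illustration of that pattern, not WordPressKit's own code; SingleFlightLogin, performLogin, loginRuns and the 0.1 s stand-in for the network login are all hypothetical names constructed for this example.

```swift
import Foundation

/// Serialises login so that concurrent 401 retries trigger exactly one login
/// sequence. Hypothetical single-flight gate; not CookieNonceAuthenticator.
final class SingleFlightLogin {
    private let lock = NSLock()
    private var isAuthenticating = false
    /// Completions of every request waiting for the in-flight login.
    private var waiters: [(Result<Void, Error>) -> Void] = []
    /// How many times the underlying login sequence actually ran.
    private(set) var loginRuns = 0

    /// Injected login sequence (in a real client: POST to the login URL and
    /// fetch a fresh nonce). It must call `done` exactly once.
    private let performLogin: (@escaping (Result<Void, Error>) -> Void) -> Void

    init(performLogin: @escaping (@escaping (Result<Void, Error>) -> Void) -> Void) {
        self.performLogin = performLogin
    }

    /// Called by each request that received a 401 before it retries.
    /// The first caller starts the login; later callers are queued.
    func authenticate(_ completion: @escaping (Result<Void, Error>) -> Void) {
        lock.lock()
        waiters.append(completion)
        if isAuthenticating {
            lock.unlock()
            return                      // login already in flight; just wait
        }
        isAuthenticating = true         // the assignment missing in the bug
        loginRuns += 1
        lock.unlock()

        performLogin { [weak self] result in
            guard let self = self else { return }
            self.lock.lock()
            let pending = self.waiters  // drain under the lock ...
            self.waiters.removeAll()
            self.isAuthenticating = false
            self.lock.unlock()
            pending.forEach { $0(result) } // ... resume outside it, so a
        }                                  // completion may call authenticate again
    }
}

// Demo: five requests hit the 401 path at the same time.
let gate = SingleFlightLogin { done in
    // Constructed stand-in for the network login: completes after 0.1 s.
    DispatchQueue.global().asyncAfter(deadline: .now() + 0.1) { done(.success(())) }
}
let group = DispatchGroup()
let counterLock = NSLock()
var retried = 0
for _ in 1...5 {
    group.enter()
    DispatchQueue.global().async {
        gate.authenticate { result in
            if case .success = result {
                counterLock.lock(); retried += 1; counterLock.unlock()
            }
            group.leave()
        }
    }
}
group.wait()
print("login sequences run: \(gate.loginRuns), requests retried: \(retried)")
```

Run it with `swift` as a script. With the gate in place all five requests are retried after a single login sequence; if the `isAuthenticating = true` line is removed, the same run performs five logins, which is the behaviour described in this report. A login failure is delivered to every waiter as well, so a host that blocks the login does not leave queued requests hanging.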
WordPressKit Environment
- WordPressKit Version: 4.49.0
- OS: iOS 15.4
- Device: iPhone 13
- Xcode Version: N/A
Additional Context
More information about this issue can be found in p1650593568370329-slack-C011BKNU1V5.