-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathretry.go
More file actions
115 lines (93 loc) · 2.56 KB
/
retry.go
File metadata and controls
115 lines (93 loc) · 2.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package acpclient
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"github.com/cloudentity/acp-client-go/clients/system/models"
"golang.org/x/oauth2"
"golang.org/x/oauth2/clientcredentials"
"golang.org/x/sync/singleflight"
)
const (
ErrorInvalidAccessToken = "invalid_access_token"
)
type Authenticator struct {
transport *http.Client
client *http.Client
config clientcredentials.Config
renewers singleflight.Group
}
func NewAuthenticator(config clientcredentials.Config, client *http.Client) *http.Client {
return &http.Client{
Transport: &Authenticator{
transport: config.Client(context.WithValue(context.Background(), oauth2.HTTPClient, client)),
config: config,
client: client,
},
}
}
func (t *Authenticator) RoundTrip(req *http.Request) (*http.Response, error) {
var
(
reqBuf bytes.Buffer
res *http.Response
err error
)
// Clone body using TeeReader for potential retry
if req.Body != nil {
reqReader := io.TeeReader(req.Body, &reqBuf)
defer req.Body.Close()
req.Body = io.NopCloser(reqReader)
}
// First attempt
res, err = t.transport.Do(req)
if err != nil {
return nil, fmt.Errorf("request failed: %w", err)
}
// Check if we need token renewal
if ok, err := t.shouldGetNewTokenAndRetry(res); err != nil {
return nil, err
} else if ok {
if err := t.renew(req.Context()); err != nil {
return nil, fmt.Errorf("failed to renew token: %w", err)
}
req2 := req.Clone(req.Context())
// Restore request body
if req2.Body != nil {
req2.Body = io.NopCloser(&reqBuf)
}
// init next request which will start by minting a new token
return t.transport.Do(req2)
}
return res, nil
}
// init new client to clear token cache and enforce minting a new token
// use singleflight to avoid concurrent renewals
func (t *Authenticator) renew(ctx context.Context) error {
_, err, _ := t.renewers.Do("renew", func() (interface{}, error) {
t.transport = t.config.Client(context.WithValue(ctx, oauth2.HTTPClient, t.client))
return nil, nil
})
return err
}
func (t *Authenticator) shouldGetNewTokenAndRetry(res *http.Response) (bool, error) {
if res.StatusCode == http.StatusUnauthorized && res.Body != nil {
var (
resBuf bytes.Buffer
resReader = io.TeeReader(res.Body, &resBuf)
decoder = json.NewDecoder(resReader)
merr = models.Error{}
err error
)
// Restore response body
res.Body = io.NopCloser(&resBuf)
if err = decoder.Decode(&merr); err != nil {
return false, err
}
return merr.ErrorCode == ErrorInvalidAccessToken, nil
}
return false, nil
}