Credentials invalidation.

Chriztiaan · Chriztiaan · commit ec51dd2c05ed · 2025-05-19T13:18:41.000+02:00
diff --git a/PowerSync/PowerSync.Common/Client/Sync/Stream/Remote.cs b/PowerSync/PowerSync.Common/Client/Sync/Stream/Remote.cs
@@ -6,6 +6,7 @@ namespace PowerSync.Common.Client.Sync.Stream;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
+using System.Text.RegularExpressions;
 
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
@@ -29,7 +30,6 @@ public class RequestDetails
 
 public class Remote
 {
-    private static int REFRESH_CREDENTIALS_SAFETY_PERIOD_MS = 30_000;
     private readonly HttpClient httpClient;
     protected IPowerSyncBackendConnector connector;
 
@@ -41,18 +41,48 @@ public Remote(IPowerSyncBackendConnector connector)
         this.connector = connector;
     }
 
+    /// <summary>
+    /// Get credentials currently cached, or fetch new credentials if none are available.
+    /// These credentials may have expired already.
+    /// </summary>
     public async Task<PowerSyncCredentials?> GetCredentials()
     {
-        if (credentials?.ExpiresAt > DateTime.Now.AddMilliseconds(REFRESH_CREDENTIALS_SAFETY_PERIOD_MS))
+        if (credentials != null)
         {
             return credentials;
         }
+        return await PrefetchCredentials();
+    }
 
-        credentials = await connector.FetchCredentials();
-
+    /// <summary>
+    /// Fetch a new set of credentials and cache it.
+    /// Until this call succeeds, GetCredentials will still return the old credentials.
+    /// This may be called before the current credentials have expired.
+    /// </summary>
+    public async Task<PowerSyncCredentials?> PrefetchCredentials()
+    {
+        credentials = await FetchCredentials();
         return credentials;
     }
 
+    /// <summary>
+    /// Get credentials for PowerSync.
+    /// This should always fetch a fresh set of credentials - don't use cached values.
+    /// </summary>
+    public async Task<PowerSyncCredentials?> FetchCredentials()
+    {
+        return await connector.FetchCredentials();
+    }
+
+    /// <summary>
+    /// Immediately invalidate credentials.
+    /// This may be called when the current credentials have expired.
+    /// </summary>
+    public void InvalidateCredentials()
+    {
+        credentials = null;
+    }
+
     static string GetUserAgent()
     {
         object[] attributes = Assembly.GetExecutingAssembly()
@@ -76,6 +106,11 @@ public async Task<T> Get<T>(string path, Dictionary<string, string>? headers = n
         using var client = new HttpClient();
         var response = await client.SendAsync(request);
 
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+        {
+            InvalidateCredentials();
+        }
+
         if (!response.IsSuccessStatusCode)
         {
             var errorMessage = await response.Content.ReadAsStringAsync();
@@ -95,7 +130,12 @@ public async Task<T> Get<T>(string path, Dictionary<string, string>? headers = n
         {
             throw new HttpRequestException($"HTTP {response.StatusCode}: No content");
         }
-        else
+
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
+        {
+            InvalidateCredentials();
+        }
+
         if (!response.IsSuccessStatusCode)
         {
             var errorText = await response.Content.ReadAsStringAsync();
diff --git a/PowerSync/PowerSync.Common/Client/Sync/Stream/StreamingSyncImplementation.cs b/PowerSync/PowerSync.Common/Client/Sync/Stream/StreamingSyncImplementation.cs
@@ -539,12 +539,18 @@ protected async Task<StreamingSyncIterationResult> StreamingSyncIteration(Cancel
                         {
                             // Connection would be closed automatically right after this
                             logger.LogDebug("Token expiring; reconnect");
+                            Options.Remote.InvalidateCredentials();
 
                             // For a rare case where the backend connector does not update the token
                             // (uses the same one), this should have some delay.
                             //
                             await DelayRetry();
                             return new StreamingSyncIterationResult { Retry = true };
+                        } else if (remainingSeconds < 30) {
+                            logger.LogDebug("Token will expire soon; reconnect");
+                            // Pre-emptively refresh the token
+                            Options.Remote.InvalidateCredentials();
+                            return new StreamingSyncIterationResult { Retry = true };
                         }
                         TriggerCrudUpload();
                     }

Original file line number	Diff line number	Diff line change
`@@ -539,12 +539,18 @@ protected async Task<StreamingSyncIterationResult> StreamingSyncIteration(Cancel`
`539`	`539`	`{`
`540`	`540`	`// Connection would be closed automatically right after this`
`541`	`541`	`logger.LogDebug("Token expiring; reconnect");`
	`542`	`+ Options.Remote.InvalidateCredentials();`
`542`	`543`
`543`	`544`	`// For a rare case where the backend connector does not update the token`
`544`	`545`	`// (uses the same one), this should have some delay.`
`545`	`546`	`//`
`546`	`547`	`await DelayRetry();`
`547`	`548`	`return new StreamingSyncIterationResult { Retry = true };`
	`549`	`+ } else if (remainingSeconds < 30) {`
	`550`	`+ logger.LogDebug("Token will expire soon; reconnect");`
	`551`	`+ // Pre-emptively refresh the token`
	`552`	`+ Options.Remote.InvalidateCredentials();`
	`553`	`+ return new StreamingSyncIterationResult { Retry = true };`
`548`	`554`	`}`
`549`	`555`	`TriggerCrudUpload();`
`550`	`556`	`}`