Merge pull request #7 from darrarski/feature/refresh-token

Automatically refresh access token when needed

Author: darrarski

Example/DropboxClientExampleApp/Dependencies.swift

@@ -51,6 +51,7 @@ extension DropboxClient.Client: DependencyKey {
         isSignedInStream: { isSignedIn.eraseToStream() },
         signIn: { await isSignedIn.setValue(true) },
         handleRedirect: { _ in false },
+        refreshToken: {},
         signOut: { await isSignedIn.setValue(false) }
       ),
       listFolder: .init { _ in

Sources/DropboxClient/Auth.swift

@@ -5,6 +5,7 @@ public struct Auth: Sendable {
   public typealias IsSignedInStream = @Sendable () -> AsyncStream<Bool>
   public typealias SignIn = @Sendable () async -> Void
   public typealias HandleRedirect = @Sendable (URL) async throws -> Bool
+  public typealias RefreshToken = @Sendable () async throws -> Void
   public typealias SignOut = @Sendable () async -> Void
 
   public enum Error: Swift.Error, Sendable, Equatable {
@@ -18,19 +19,22 @@ public struct Auth: Sendable {
     isSignedInStream: @escaping IsSignedInStream,
     signIn: @escaping SignIn,
     handleRedirect: @escaping HandleRedirect,
+    refreshToken: @escaping RefreshToken,
     signOut: @escaping SignOut
   ) {
     self.isSignedIn = isSignedIn
     self.isSignedInStream = isSignedInStream
     self.signIn = signIn
     self.handleRedirect = handleRedirect
+    self.refreshToken = refreshToken
     self.signOut = signOut
   }
 
   public var isSignedIn: IsSignedIn
   public var isSignedInStream: IsSignedInStream
   public var signIn: SignIn
   public var handleRedirect: HandleRedirect
+  public var refreshToken: RefreshToken
   public var signOut: SignOut
 }
 
@@ -180,6 +184,59 @@ extension Auth {
 
         return true
       },
+      refreshToken: {
+        guard let credentials = await keychain.loadCredentials() else { return }
+        guard credentials.expiresAt <= now() else { return }
+
+        let request: URLRequest = {
+          var components = URLComponents()
+          components.scheme = "https"
+          components.host = "api.dropboxapi.com"
+          components.path = "/oauth2/token"
+
+          var request = URLRequest(url: components.url!)
+          request.httpMethod = "POST"
+          request.setValue(
+            "application/x-www-form-urlencoded",
+            forHTTPHeaderField: "Content-Type"
+          )
+          request.httpBody = [
+            "grant_type=refresh_token",
+            "refresh_token=\(credentials.refreshToken)",
+            "client_id=\(config.appKey)",
+          ].joined(separator: "&").data(using: .utf8)
+
+          return request
+        }()
+
+        let (responseData, response) = try await httpClient.data(for: request)
+        let statusCode = (response as? HTTPURLResponse)?.statusCode
+
+        guard let statusCode, (200..<300).contains(statusCode) else {
+          throw Error.response(statusCode: statusCode, data: responseData)
+        }
+
+        struct ResponseBody: Decodable {
+          var accessToken: String
+          var tokenType: String
+          var expiresIn: Int
+        }
+
+        let responseBody = try JSONDecoder.api.decode(
+          ResponseBody.self,
+          from: responseData
+        )
+
+        var newCredentials = credentials
+        newCredentials.accessToken = responseBody.accessToken
+        newCredentials.tokenType = responseBody.tokenType
+        newCredentials.expiresAt = Date(
+          timeInterval: TimeInterval(responseBody.expiresIn),
+          since: now()
+        )
+
+        await saveCredentials(newCredentials)
+      },
       signOut: {
         await saveCredentials(nil)
       }

Sources/DropboxClient/Client.swift

@@ -29,28 +29,34 @@ extension Client {
     dateGenerator: DateGenerator = .live,
     pkceUtils: PKCEUtils = .live
   ) -> Client {
-    Client(
-      auth: .live(
-        config: config,
-        keychain: keychain,
-        httpClient: httpClient,
-        openURL: openURL,
-        dateGenerator: dateGenerator,
-        pkceUtils: pkceUtils
-      ),
+    let auth = Auth.live(
+      config: config,
+      keychain: keychain,
+      httpClient: httpClient,
+      openURL: openURL,
+      dateGenerator: dateGenerator,
+      pkceUtils: pkceUtils
+    )
+
+    return Client(
+      auth: auth,
       listFolder: .live(
+        auth: auth,
         keychain: keychain,
         httpClient: httpClient
       ),
       downloadFile: .live(
+        auth: auth,
         keychain: keychain,
         httpClient: httpClient
       ),
       deleteFile: .live(
+        auth: auth,
         keychain: keychain,
         httpClient: httpClient
       ),
       uploadFile: .live(
+        auth: auth,
         keychain: keychain,
         httpClient: httpClient
       )

Sources/DropboxClient/DeleteFile.swift

@@ -41,10 +41,13 @@ public struct DeleteFile: Sendable {
 
 extension DeleteFile {
   public static func live(
+    auth: Auth,
     keychain: Keychain,
     httpClient: HTTPClient
   ) -> DeleteFile {
     DeleteFile { params in
+      try await auth.refreshToken()
+
       guard let credentials = await keychain.loadCredentials() else {
         throw Error.notAuthorized
       }

Sources/DropboxClient/DownloadFile.swift

@@ -33,10 +33,13 @@ public struct DownloadFile: Sendable {
 
 extension DownloadFile {
   public static func live(
+    auth: Auth,
     keychain: Keychain,
     httpClient: HTTPClient
   ) -> DownloadFile {
     DownloadFile { params in
+      try await auth.refreshToken()
+
       guard let credentials = await keychain.loadCredentials() else {
         throw Error.notAuthorized
       }

Sources/DropboxClient/ListFolder.swift

@@ -71,10 +71,13 @@ public struct ListFolder: Sendable {
 
 extension ListFolder {
   public static func live(
+    auth: Auth,
     keychain: Keychain,
     httpClient: HTTPClient
   ) -> ListFolder {
     ListFolder { params in
+      try await auth.refreshToken()
+
       guard let credentials = await keychain.loadCredentials() else {
         throw Error.notAuthorized
       }

Sources/DropboxClient/UploadFile.swift

@@ -58,10 +58,13 @@ public struct UploadFile: Sendable {
 
 extension UploadFile {
   public static func live(
+    auth: Auth,
     keychain: Keychain,
     httpClient: HTTPClient
   ) -> UploadFile {
     UploadFile { params in
+      try await auth.refreshToken()
+
       guard let credentials = await keychain.loadCredentials() else {
         throw Error.notAuthorized
       }

Tests/DropboxClientTests/AuthTests.swift

@@ -257,6 +257,174 @@ final class AuthTests: XCTestCase {
     }
   }
 
+  func testDontRefreshTokenWithoutCredentials() async throws {
+    let auth = Auth.live(
+      config: .test,
+      keychain: {
+        var keychain = Keychain.unimplemented()
+        keychain.loadCredentials = { nil }
+        return keychain
+      }(),
+      httpClient: .unimplemented(),
+      openURL: .unimplemented(),
+      dateGenerator: .unimplemented(),
+      pkceUtils: .unimplemented()
+    )
+
+    try await auth.refreshToken()
+  }
+
+  func testDontRefreshTokenIfNotExpired() async throws {
+    let date = Date(timeIntervalSince1970: 1_000_000)
+    let credentials = ActorIsolated<Credentials?>(Credentials(
+      accessToken: "",
+      tokenType: "",
+      expiresAt: date.addingTimeInterval(1),
+      refreshToken: "",
+      scope: "",
+      uid: "",
+      accountId: ""
+    ))
+    let auth = Auth.live(
+      config: .test,
+      keychain: {
+        var keychain = Keychain.unimplemented()
+        keychain.loadCredentials = { await credentials.value }
+        return keychain
+      }(),
+      httpClient: .unimplemented(),
+      openURL: .unimplemented(),
+      dateGenerator: .init { date },
+      pkceUtils: .unimplemented()
+    )
+
+    try await auth.refreshToken()
+  }
+
+  func testRefreshExpiredToken() async throws {
+    let httpRequests = ActorIsolated<[URLRequest]>([])
+    let date = Date(timeIntervalSince1970: 1_000_000)
+    let credentials = ActorIsolated<Credentials?>(Credentials(
+      accessToken: "access-token-1",
+      tokenType: "token-type-1",
+      expiresAt: date.addingTimeInterval(-1),
+      refreshToken: "refresh-token-1",
+      scope: "scope-1",
+      uid: "uid-1",
+      accountId: "accountId-1"
+    ))
+    let auth = Auth.live(
+      config: .test,
+      keychain: {
+        var keychain = Keychain.unimplemented()
+        keychain.loadCredentials = { await credentials.value }
+        keychain.saveCredentials = { await credentials.setValue($0) }
+        return keychain
+      }(),
+      httpClient: .init { request in
+        await httpRequests.withValue { $0.append(request) }
+        return (
+          """
+          {
+            "access_token": "access-token-2",
+            "expires_in": 4321,
+            "token_type": "token-type-2"
+          }
+          """.data(using: .utf8)!,
+          HTTPURLResponse(
+            url: URL(filePath: "/"),
+            statusCode: 200,
+            httpVersion: nil,
+            headerFields: nil
+          )!
+        )
+      },
+      openURL: .unimplemented(),
+      dateGenerator: .init { date },
+      pkceUtils: .unimplemented()
+    )
+
+    try await auth.refreshToken()
+
+    await httpRequests.withValue {
+      let url = URL(string: "https://api.dropboxapi.com/oauth2/token")!
+      var expectedRequest = URLRequest(url: url)
+      expectedRequest.httpMethod = "POST"
+      expectedRequest.allHTTPHeaderFields = [
+        "Content-Type": "application/x-www-form-urlencoded"
+      ]
+      expectedRequest.httpBody = [
+        "grant_type=refresh_token",
+        "refresh_token=refresh-token-1",
+        "client_id=\(Config.test.appKey)",
+      ].joined(separator: "&").data(using: .utf8)!
+
+      XCTAssertEqual($0, [expectedRequest])
+      XCTAssertEqual($0.first?.httpBody, expectedRequest.httpBody!)
+    }
+    await credentials.withValue {
+      XCTAssertEqual($0, Credentials(
+        accessToken: "access-token-2",
+        tokenType: "token-type-2",
+        expiresAt: date.addingTimeInterval(4321),
+        refreshToken: "refresh-token-1",
+        scope: "scope-1",
+        uid: "uid-1",
+        accountId: "accountId-1"
+      ))
+    }
+  }
+
+  func testRefreshTokenErrorResponse() async {
+    let date = Date(timeIntervalSince1970: 1_000_000)
+    let credentials = ActorIsolated<Credentials?>(Credentials(
+      accessToken: "access-token-1",
+      tokenType: "token-type-1",
+      expiresAt: date.addingTimeInterval(-1),
+      refreshToken: "refresh-token-1",
+      scope: "scope-1",
+      uid: "uid-1",
+      accountId: "accountId-1"
+    ))
+    let auth = Auth.live(
+      config: .test,
+      keychain: {
+        var keychain = Keychain.unimplemented()
+        keychain.loadCredentials = { await credentials.value }
+        keychain.saveCredentials = { await credentials.setValue($0) }
+        return keychain
+      }(),
+      httpClient: .init { _ in
+        (
+          "Error!!!".data(using: .utf8)!,
+          HTTPURLResponse(
+            url: URL(filePath: "/"),
+            statusCode: 500,
+            httpVersion: nil,
+            headerFields: nil
+          )!
+        )
+      },
+      openURL: .unimplemented(),
+      dateGenerator: .init { date },
+      pkceUtils: .unimplemented()
+    )
+
+    do {
+      try await auth.refreshToken()
+      XCTFail("Expected to throw, but didn't")
+    } catch {
+      XCTAssertEqual(
+        error as? Auth.Error,
+        .response(
+          statusCode: 500,
+          data: "Error!!!".data(using: .utf8)!
+        ),
+        "Expected to throw response error, got \(error)"
+      )
+    }
+  }
+
   func testSignOut() async {
     let credentials = ActorIsolated<Credentials?>(Credentials(
       accessToken: "",