Merge branch 'token-federation-pr2-federation-caching' into token-federation-pr3-examples

madhav-db · madhav-db · commit 921fa0dac76a · 2026-02-06T06:17:16.000Z
diff --git a/lib/connection/auth/tokenProvider/FederationProvider.ts b/lib/connection/auth/tokenProvider/FederationProvider.ts
@@ -28,6 +28,21 @@ const DEFAULT_SCOPE = 'sql';
  */
 const REQUEST_TIMEOUT_MS = 30000;
 
+/**
+ * Maximum number of retry attempts for transient errors.
+ */
+const MAX_RETRY_ATTEMPTS = 3;
+
+/**
+ * Base delay in milliseconds for exponential backoff.
+ */
+const RETRY_BASE_DELAY_MS = 1000;
+
+/**
+ * HTTP status codes that are considered retryable.
+ */
+const RETRYABLE_STATUS_CODES = new Set([429, 500, 502, 503, 504]);
+
 /**
  * A token provider that wraps another provider with automatic token federation.
  * When the base provider returns a token from a different issuer, this provider
@@ -111,6 +126,7 @@ export default class FederationProvider implements ITokenProvider {
 
   /**
    * Exchanges the token for a Databricks-compatible token using RFC 8693.
+   * Includes retry logic for transient errors with exponential backoff.
    * @param token - The token to exchange
    * @returns The exchanged token
    */
@@ -128,47 +144,102 @@ export default class FederationProvider implements ITokenProvider {
       params.append('client_id', this.clientId);
     }
 
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    let lastError: Error | undefined;
 
-    try {
-      const response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/x-www-form-urlencoded',
-        },
-        body: params.toString(),
-        signal: controller.signal,
-      });
-
-      if (!response.ok) {
-        const errorText = await response.text();
-        throw new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${errorText}`);
+    for (let attempt = 0; attempt <= MAX_RETRY_ATTEMPTS; attempt++) {
+      if (attempt > 0) {
+        // Exponential backoff: 1s, 2s, 4s
+        const delay = RETRY_BASE_DELAY_MS * Math.pow(2, attempt - 1);
+        await this.sleep(delay);
       }
 
-      const data = (await response.json()) as {
-        access_token?: string;
-        token_type?: string;
-        expires_in?: number;
-      };
-
-      if (!data.access_token) {
-        throw new Error('Token exchange response missing access_token');
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+
+      try {
+        const response = await fetch(url, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+          },
+          body: params.toString(),
+          signal: controller.signal,
+        });
+
+        if (!response.ok) {
+          const errorText = await response.text();
+          const error = new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${errorText}`);
+
+          // Check if this is a retryable status code
+          if (RETRYABLE_STATUS_CODES.has(response.status) && attempt < MAX_RETRY_ATTEMPTS) {
+            lastError = error;
+            continue;
+          }
+
+          throw error;
+        }
+
+        const data = (await response.json()) as {
+          access_token?: string;
+          token_type?: string;
+          expires_in?: number;
+        };
+
+        if (!data.access_token) {
+          throw new Error('Token exchange response missing access_token');
+        }
+
+        // Calculate expiration from expires_in
+        let expiresAt: Date | undefined;
+        if (typeof data.expires_in === 'number') {
+          expiresAt = new Date(Date.now() + data.expires_in * 1000);
+        }
+
+        return new Token(data.access_token, {
+          tokenType: data.token_type ?? 'Bearer',
+          expiresAt,
+        });
+      } catch (error) {
+        clearTimeout(timeoutId);
+
+        // Retry on network errors (timeout, connection issues)
+        if (this.isRetryableError(error) && attempt < MAX_RETRY_ATTEMPTS) {
+          lastError = error instanceof Error ? error : new Error(String(error));
+          continue;
+        }
+
+        throw error;
+      } finally {
+        clearTimeout(timeoutId);
       }
+    }
 
-      // Calculate expiration from expires_in
-      let expiresAt: Date | undefined;
-      if (typeof data.expires_in === 'number') {
-        expiresAt = new Date(Date.now() + data.expires_in * 1000);
-      }
+    // If we exhausted all retries, throw the last error
+    throw lastError ?? new Error('Token exchange failed after retries');
+  }
 
-      return new Token(data.access_token, {
-        tokenType: data.token_type ?? 'Bearer',
-        expiresAt,
-      });
-    } finally {
-      clearTimeout(timeoutId);
+  /**
+   * Determines if an error is retryable (network errors, timeouts).
+   */
+  private isRetryableError(error: unknown): boolean {
+    if (error instanceof Error) {
+      // AbortError from timeout
+      if (error.name === 'AbortError') {
+        return true;
+      }
+      // Network errors from node-fetch
+      if (error.name === 'FetchError') {
+        return true;
+      }
     }
+    return false;
+  }
+
+  /**
+   * Sleeps for the specified duration.
+   */
+  private sleep(ms: number): Promise<void> {
+    return new Promise((resolve) => setTimeout(resolve, ms));
   }
 
   /**
diff --git a/lib/connection/auth/tokenProvider/StaticTokenProvider.ts b/lib/connection/auth/tokenProvider/StaticTokenProvider.ts
@@ -1,5 +1,5 @@
 import ITokenProvider from './ITokenProvider';
-import Token from './Token';
+import Token, { TokenOptions, TokenFromJWTOptions } from './Token';
 
 /**
  * A token provider that returns a static token.
@@ -13,15 +13,7 @@ export default class StaticTokenProvider implements ITokenProvider {
    * @param accessToken - The access token string
    * @param options - Optional token configuration (tokenType, expiresAt, refreshToken, scopes)
    */
-  constructor(
-    accessToken: string,
-    options?: {
-      tokenType?: string;
-      expiresAt?: Date;
-      refreshToken?: string;
-      scopes?: string[];
-    },
-  ) {
+  constructor(accessToken: string, options?: TokenOptions) {
     this.token = new Token(accessToken, options);
   }
 
@@ -31,14 +23,7 @@ export default class StaticTokenProvider implements ITokenProvider {
    * @param jwt - The JWT token string
    * @param options - Optional token configuration
    */
-  static fromJWT(
-    jwt: string,
-    options?: {
-      tokenType?: string;
-      refreshToken?: string;
-      scopes?: string[];
-    },
-  ): StaticTokenProvider {
+  static fromJWT(jwt: string, options?: TokenFromJWTOptions): StaticTokenProvider {
     const token = Token.fromJWT(jwt, options);
     return new StaticTokenProvider(token.accessToken, {
       tokenType: token.tokenType,
diff --git a/lib/connection/auth/tokenProvider/Token.ts b/lib/connection/auth/tokenProvider/Token.ts
@@ -6,6 +6,26 @@ import { HeadersInit } from 'node-fetch';
  */
 const EXPIRATION_BUFFER_SECONDS = 30;
 
+/**
+ * Options for creating a Token instance.
+ */
+export interface TokenOptions {
+  /** The token type (e.g., "Bearer"). Defaults to "Bearer". */
+  tokenType?: string;
+  /** The expiration time of the token. */
+  expiresAt?: Date;
+  /** The refresh token, if available. */
+  refreshToken?: string;
+  /** The scopes associated with this token. */
+  scopes?: string[];
+}
+
+/**
+ * Options for creating a Token from a JWT string.
+ * Does not include expiresAt since it is extracted from the JWT payload.
+ */
+export type TokenFromJWTOptions = Omit<TokenOptions, 'expiresAt'>;
+
 /**
  * Represents an access token with optional metadata and lifecycle management.
  */
@@ -20,15 +40,7 @@ export default class Token {
 
   private readonly _scopes?: string[];
 
-  constructor(
-    accessToken: string,
-    options?: {
-      tokenType?: string;
-      expiresAt?: Date;
-      refreshToken?: string;
-      scopes?: string[];
-    },
-  ) {
+  constructor(accessToken: string, options?: TokenOptions) {
     this._accessToken = accessToken;
     this._tokenType = options?.tokenType ?? 'Bearer';
     this._expiresAt = options?.expiresAt;
@@ -101,17 +113,11 @@ export default class Token {
    * If the JWT cannot be decoded, the token is created without expiration info.
    * The server will validate the token anyway, so decoding failures are handled gracefully.
    * @param jwt - The JWT token string
-   * @param options - Additional token options (tokenType, refreshToken, scopes)
+   * @param options - Additional token options (tokenType, refreshToken, scopes).
+   *                  Note: expiresAt is not accepted here as it is extracted from the JWT payload.
    * @returns A new Token instance with expiration extracted from the JWT (if available)
    */
-  static fromJWT(
-    jwt: string,
-    options?: {
-      tokenType?: string;
-      refreshToken?: string;
-      scopes?: string[];
-    },
-  ): Token {
+  static fromJWT(jwt: string, options?: TokenFromJWTOptions): Token {
     let expiresAt: Date | undefined;
 
     try {
diff --git a/lib/connection/auth/tokenProvider/TokenProviderAuthenticator.ts b/lib/connection/auth/tokenProvider/TokenProviderAuthenticator.ts
@@ -36,7 +36,9 @@ export default class TokenProviderAuthenticator implements IAuthentication {
     const token = await this.tokenProvider.getToken();
 
     if (token.isExpired()) {
-      logger.log(LogLevel.warn, `TokenProviderAuthenticator: token from ${providerName} is expired`);
+      const message = `TokenProviderAuthenticator: token from ${providerName} is expired`;
+      logger.log(LogLevel.error, message);
+      throw new Error(message);
     }
 
     return token.setAuthHeader(this.headers);
diff --git a/tests/unit/connection/auth/tokenProvider/TokenProviderAuthenticator.test.ts b/tests/unit/connection/auth/tokenProvider/TokenProviderAuthenticator.test.ts
@@ -104,5 +104,21 @@ describe('TokenProviderAuthenticator', () => {
         expect(e).to.equal(error);
       }
     });
+
+    it('should throw error when token is expired', async () => {
+      const provider = new MockTokenProvider('my-access-token', 'TestProvider');
+      const expiredDate = new Date(Date.now() - 60000); // 1 minute ago
+      provider.setToken(new Token('expired-token', { expiresAt: expiredDate }));
+      const authenticator = new TokenProviderAuthenticator(provider, context);
+
+      try {
+        await authenticator.authenticate();
+        expect.fail('Should have thrown an error');
+      } catch (e) {
+        expect(e).to.be.instanceOf(Error);
+        expect((e as Error).message).to.include('expired');
+        expect((e as Error).message).to.include('TestProvider');
+      }
+    });
   });
 });

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,9 @@ export default class TokenProviderAuthenticator implements IAuthentication {`
`36`	`36`	`const token = await this.tokenProvider.getToken();`
`37`	`37`
`38`	`38`	`if (token.isExpired()) {`
`39`		- logger.log(LogLevel.warn, `TokenProviderAuthenticator: token from ${providerName} is expired`);
	`39`	+ const message = `TokenProviderAuthenticator: token from ${providerName} is expired`;
	`40`	`+ logger.log(LogLevel.error, message);`
	`41`	`+ throw new Error(message);`
`40`	`42`	`}`
`41`	`43`
`42`	`44`	`return token.setAuthHeader(this.headers);`