refactor: oauth

burmudar · burmudar · commit e2d7bd2638f8 · 2026-03-09T11:27:49.000+02:00
- add mutex to guard concurrent changes of token
- pull refreshing of token out into `refreshToken`
- additional comments
diff --git a/internal/oauth/http_transport.go b/internal/oauth/http_transport.go
@@ -3,6 +3,7 @@ package oauth
 import (
 	"context"
 	"net/http"
+	"sync"
 	"time"
 )
 
@@ -13,6 +14,8 @@ var _ http.RoundTripper = (*Transport)(nil)
 type Transport struct {
 	Base  http.RoundTripper
 	Token *Token
+
+	mu sync.Mutex
 }
 
 // storeRefreshedTokenFn is the function the transport should use to persist the token - mainly used during
@@ -22,16 +25,10 @@ var storeRefreshedTokenFn = StoreToken
 // RoundTrip implements http.RoundTripper.
 func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	ctx := req.Context()
-	prevToken := t.Token
-	token, err := maybeRefresh(ctx, t.Token)
-	if err != nil {
+
+	if err := t.refreshToken(ctx); err != nil {
 		return nil, err
 	}
-	t.Token = token
-	if token != prevToken {
-		// try to save the token if we fail let the request continue with in memory token
-		_ = storeRefreshedTokenFn(ctx, token)
-	}
 
 	req2 := req.Clone(req.Context())
 	req2.Header.Set("Authorization", "Bearer "+t.Token.AccessToken)
@@ -42,8 +39,32 @@ func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return http.DefaultTransport.RoundTrip(req2)
 }
 
+// refreshToken checks if the token has expired or expiring soon and refreshes it. Once the token is
+// refreshed, the in-memory token is updated and a best effort is made to store the token.
+// If storing the token fails, no error is returned.
+func (t *Transport) refreshToken(ctx context.Context) error {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+
+	prevToken := t.Token
+	token, err := maybeRefresh(ctx, t.Token)
+	if err != nil {
+		return err
+	}
+	t.Token = token
+	if token != prevToken {
+		// try to save the token if we fail let the request continue with in memory token
+		_ = storeRefreshedTokenFn(ctx, token)
+	}
+
+	return nil
+}
+
+// maybeRefresh conditionally refreshes the token. If the token has expired or is expriing in the next 30s
+// it will be refreshed and the updated token will be returned. Otherwise, no refresh occurs and the original
+// token is returned.
 func maybeRefresh(ctx context.Context, token *Token) (*Token, error) {
-	// token has NOT expired or NOT about to expire in 30s
+	// token has NOT expired and is NOT about to expire in 30s
 	if !(token.HasExpired() || token.ExpiringIn(time.Duration(30)*time.Second)) {
 		return token, nil
 	}
@@ -59,6 +80,7 @@ func maybeRefresh(ctx context.Context, token *Token) (*Token, error) {
 	return next, nil
 }
 
+// IsOAuthTransport checks wether the underlying type of the given RoundTripper is a OAuthTransport
 func IsOAuthTransport(trp http.RoundTripper) bool {
 	_, ok := trp.(*Transport)
 	return ok
