Harden AuthInterceptor: retry guard, single-flight refresh, shared pref keys
Addresses PR review on the auth interceptor: - Guard against unbounded retry recursion: tag the replayed request with extra['auth_retried'] and skip the refresh/replay path on a second 401 so it can't recurse refresh -> replay indefinitely. Drop the redundant manual Authorization header on the replay (onRequest re-injects it). - Fix the concurrent-refresh race: coalesce concurrent 401s onto a single in-flight refresh future so the rotating refresh token is only consumed once, instead of later refreshes posting an already-consumed token and spuriously logging out. (Chose the shared-future approach over QueuedInterceptor, which deadlocks with the replay-via-same-Dio pattern.) - Centralise the 'bearer' / 'refresh_token' / 'customer_data' pref keys in a PrefKeys constants class used by the interceptor, network manager, auth service and router so they can't silently diverge. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,12 @@
|
||||
/// Keys used for values persisted in [SharedPreferences].
|
||||
///
|
||||
/// Centralised here so the auth flow, the network layer and the router all
|
||||
/// agree on the same key. Renaming a key in one place would otherwise silently
|
||||
/// diverge from the others (e.g. the interceptor's defensive logout fallback).
|
||||
class PrefKeys {
|
||||
PrefKeys._();
|
||||
|
||||
static const String bearer = 'bearer';
|
||||
static const String refreshToken = 'refresh_token';
|
||||
static const String customerData = 'customer_data';
|
||||
}
|
||||
Reference in New Issue
Block a user