Add token refresh coordinator by bbirman · Pull Request #4087 · forcedotcom/SalesforceMobileSDK-iOS

bbirman · 2026-06-26T21:49:13Z

Adds a layer to coordinate token refreshes so that only a single refresh is requested at a time across SFRestAPI, SFIdentityCoordinator and SFUserAccountManager
Consumers calling refresh directly should go through SFUserAccountManager
Deprecates SFOAuthSessionRefresher so that it will be internal only in the future

github-actions · 2026-06-26T21:49:53Z

	1 Warning
⚠️	Big PR, try to keep changes smaller if you can.

Generated by 🚫 Danger

github-actions · 2026-06-26T21:52:17Z

	1 Warning
⚠️	Static Analysis found an issue with one or more files you modified. Please fix the issue(s).

Clang Static Analysis Issues

File	Type	Category	Description	Line	Col
SFRestAPI	Nullability	Memory error	nil assigned to a pointer which is expected to have non-null value	95	5
SFUserAccountManager	Nullability	Memory error	Null passed to a callee that requires a non-null 2nd parameter	1601	15
SFUserAccountManager	Nullability	Memory error	Null passed to a callee that requires a non-null 2nd parameter	1616	15
SFUserAccountManager	Nullability	Memory error	nil passed to a callee that requires a non-null 2nd parameter	2257	13

Generated by 🚫 Danger

codecov · 2026-06-26T21:53:25Z

Codecov Report

❌ Patch coverage is 88.76404% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.46%. Comparing base (29439f0) to head (997c4e0).

Files with missing lines	Patch %	Lines
...KCore/Classes/OAuth/SFSDKTokenRefreshCoordinator.m	88.17%	11 Missing ⚠️
...SDKCore/Classes/UserAccount/SFUserAccountManager.m	75.00%	3 Missing ⚠️
...forceSDKCore/Classes/RestAPI/WebSocketClient.swift	83.33%	2 Missing ⚠️
...KCore/SalesforceSDKCore/Classes/Util/SFSDKOAuth2.m	66.66%	2 Missing ⚠️
...ceSDKCore/Classes/Identity/SFIdentityCoordinator.m	0.00%	1 Missing ⚠️
...Core/SalesforceSDKCore/Classes/RestAPI/SFRestAPI.m	97.29%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev    #4087      +/-   ##
==========================================
- Coverage   70.73%   68.46%   -2.28%     
==========================================
  Files         246      247       +1     
  Lines       21541    21611      +70     
==========================================
- Hits        15237    14795     -442     
- Misses       6304     6816     +512

Components	Coverage Δ
Analytics	`70.78% <ø> (ø)`
Common	`70.79% <ø> (-0.19%)`	⬇️
Core	`62.15% <88.76%> (-3.48%)`	⬇️
SmartStore	`73.60% <ø> (ø)`
MobileSync	`88.56% <ø> (ø)`

Files with missing lines	Coverage Δ
...DKCore/Classes/Extensions/UserAccountManager.swift	`28.57% <100.00%> (+22.11%)`	⬆️
...rceSDKCore/Classes/OAuth/SFOAuthSessionRefresher.m	`91.54% <100.00%> (+2.50%)`	⬆️
...ceSDKCore/Classes/Identity/SFIdentityCoordinator.m	`47.72% <0.00%> (-24.13%)`	⬇️
...Core/SalesforceSDKCore/Classes/RestAPI/SFRestAPI.m	`89.42% <97.29%> (-0.22%)`	⬇️
...forceSDKCore/Classes/RestAPI/WebSocketClient.swift	`87.34% <83.33%> (ø)`
...KCore/SalesforceSDKCore/Classes/Util/SFSDKOAuth2.m	`76.17% <66.66%> (-2.15%)`	⬇️
...SDKCore/Classes/UserAccount/SFUserAccountManager.m	`54.62% <75.00%> (-7.54%)`	⬇️
...KCore/Classes/OAuth/SFSDKTokenRefreshCoordinator.m	`88.17% <88.17%> (ø)`

... and 25 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

github-actions · 2026-06-26T21:59:37Z

	Tests	Passed	Skipped	Failed ❌️
AuthFlowTester UI Test Results all	1 ran			1 ❌

Test	Result
AuthFlowTester UI Test Results all
AuthFlowTesterUITests.xctest
LegacyLoginTests.testCAOpaque_DefaultScopes_WebServerFlow()	❌ failure

github-actions · 2026-06-26T22:03:56Z

	Tests	Passed ☑️	Skipped	Failed ❌️
SalesforceSDKCore iOS ^26 Test Results	694 ran	693 ✅		1 ❌

Test	Result
SalesforceSDKCore iOS ^26 Test Results
SFSDKAuthUtilTests.testSingleRefreshWithRevokedAccessToken()	❌ failure

wmathurin · 2026-06-26T23:39:30Z

+ * the callbacks are appended to the waiting list and no new network request is made.
+ * When the single in-flight refresh completes, all registered callbacks receive the same result.
+ *
+ * Completion and error callbacks are dispatched on the main queue.


Thread contract mismatch: This says callbacks are dispatched on the main queue, but completeRefreshForKey:credentials:error: calls them directly on the serial queue — no main-queue hop. The old SFOAuthSessionRefresher.completeWithSuccess wrapped callbacks in dispatch_async(dispatch_get_main_queue(), ...), which this PR removes.

Callers updating UI or expecting main-thread delivery will now run on a background thread. Either dispatch in completeRefreshForKey:, or drop this claim from the header and audit call sites.

wmathurin · 2026-06-26T23:39:32Z

-                    });
-                }
-            }];
+        if (self.refreshCycleActive) {


refreshCycleActive is not reset by cleanup, creating a timing gap. If cleanup runs while a refresh is in-flight, refreshCycleActive stays YES. Any new request enqueued after cleanup but before the coordinator callback resets the flag will hit this guard and silently skip triggering a refresh.

testNewRefreshCyclePossibleAfterCleanup avoids this by manually setting refreshCycleActive = NO rather than going through the real timing path. Consider resetting the flag inside cleanup after clearing activeRequests.

wmathurin · 2026-06-26T23:39:34Z

-                }
-            });
+            if (completionBlock) {
+                completionBlock(endpointResponse);


Main-queue removal affects all callers of SFSDKOAuth2, not just the coordinator path. The dispatch_async(dispatch_get_main_queue(), ...) wrapper was removed from error-path completions in both accessTokenForApprovalCode: and accessTokenForRefresh:. Any direct caller of these methods that touches UI in the completion block will now run on a background URL session thread.

wmathurin · 2026-06-26T23:39:36Z

+        XCTAssertNotEqual(account.credentials.accessToken, originalAccessToken,
+                          "Access token should be rotated after refresh")
+        XCTAssertNotNil(account.credentials.refreshToken)
+        print("original refresh token: \(originalRefreshToken)")


Debug print() statements — looks unintentional.

wmathurin · 2026-06-26T23:39:39Z

+        let notificationCount = Mutex<Int>(0)
+
+        let observer = NotificationCenter.default.addObserver(
+            forName: .init(rawValue: "SFNotificationOAuthUserDidRefreshToken"),


Fragile raw notification name string. Observing "SFNotificationOAuthUserDidRefreshToken" instead of kSFNotificationUserDidRefreshToken means if the constant value ever changes this test silently vacuously passes. Use the typed constant.

wmathurin · 2026-06-26T23:39:41Z

+
+#pragma mark - Integration Test (Mock at authClient level)
+
+- (void)testIntegrationSingleNetworkCallForConcurrentRefreshes {


Integration test assertion may be vacuously true. SFOAuthSessionRefresher constructs its own SFOAuthCoordinator internally and calls accessTokenForRefresh: directly — it does not go through SFUserAccountManager.authClient(). With realCoordinator.refresherFactory = nil (real refresher path), mockClient.accessTokenForRefreshCallCount likely stays 0 regardless of how many network calls go out, making the key assertion (== 1) always pass.

Suggest adding XCTAssertGreaterThan(mockClient.accessTokenForRefreshCallCount, 0, @"mock was never called") before the coalescing assertion to confirm the mock is actually hit.

wmathurin · 2026-06-26T23:40:17Z

+        }
+        SFOAuthInfo *authInfo = [[SFOAuthInfo alloc] initWithAuthType:SFOAuthTypeRefresh];
+        [userInfo setValue:authInfo forKey:kSFNotificationUserInfoAuthTypeKey];
+        [[NSNotificationCenter defaultCenter] postNotificationName:kSFNotificationUserDidRefreshToken


Notification sender has changed. The old refreshCredentials: in SFUserAccountManager posted kSFNotificationUserDidRefreshToken with object:strongSelf (the account manager). Now this posts with object:self (the refresher). Any observer filtering on notification.object — e.g. addObserver:selector:name:object:accountManager — will silently stop receiving notifications.

Add token refresh coordinator

997c4e0

bbirman commented Jun 26, 2026

View reviewed changes

Comment thread libs/SalesforceSDKCore/SalesforceSDKCore/Classes/Extensions/UserAccountManager.swift

bbirman commented Jun 26, 2026

View reviewed changes

Comment thread libs/SalesforceSDKCore/SalesforceSDKCore/Classes/OAuth/SFOAuthSessionRefresher.m

wmathurin reviewed Jun 26, 2026

View reviewed changes

Comment thread libs/SalesforceSDKCore/SalesforceSDKCore/Classes/Identity/SFIdentityCoordinator.m

wmathurin reviewed Jun 26, 2026

View reviewed changes


		#pragma mark - Integration Test (Mock at authClient level)

		- (void)testIntegrationSingleNetworkCallForConcurrentRefreshes {

Uh oh!

Conversation

bbirman commented Jun 26, 2026

Uh oh!

Uh oh!

github-actions Bot commented Jun 26, 2026

Uh oh!

Uh oh!

github-actions Bot commented Jun 26, 2026

Clang Static Analysis Issues

Uh oh!

codecov Bot commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented Jun 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented Jun 26, 2026

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

wmathurin Jun 26, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

codecov Bot commented Jun 26, 2026 •

edited

Loading

github-actions Bot commented Jun 26, 2026 •

edited

Loading