[google_sign_in] Add a method to clear auth tokens (#9846)

Adds a new `clearAuthorizationToken` method to all layers of the plugin stack, allowing for removing a token from the cache:
- On Android, this calls a very recently added `AuthorizationClient` method that was added for this purpose.
- On Web it deletes tokens from our own cache.
- On iOS, it's a no-op since this is managed internally.

Originally I hadn't thought this was necessary since all platform manage token expiration automatically, but as the linked issue highlights there are cases where a non-expired token can become invalid, and in that case it will sit in the cache and continue to be returned on Android and Web. Clients are expected to handle this case when API requests using the token fail ([example docs for Android](https://developer.android.com/identity/authorization#clear-token-cache)), so we need to provide a method for it.

Fixes flutter/flutter#173924

## Pre-Review Checklist

**Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.

[^1]: Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling.

Author: stuartmorgan-g

packages/google_sign_in/google_sign_in/CHANGELOG.md

@@ -1,5 +1,7 @@
-## NEXT
+## 7.2.0
 
+* Adds a `clearAuthorizationToken` method to remove an access token from the
+  cache.
 * Updates minimum supported SDK version to Flutter 3.29/Dart 3.7.
 
 ## 7.1.1

packages/google_sign_in/google_sign_in/MIGRATION.md

@@ -61,6 +61,7 @@ include:
   publishing, the only platform that does not support `authenticate` is web,
   where `google_sign_in_web`'s `renderButton` is used to create a sign-in
   button.
+* `clearAuthCache` has been replaced by `clearAuthorizationToken`.
 * Outcomes other than successful authentication or authorization will throw
   `GoogleSignInException`s in most cases, allowing a clear way to distinguish
   different sign in failure outcomes. This includes the user canceling

packages/google_sign_in/google_sign_in/example/pubspec.yaml

@@ -16,7 +16,7 @@ dependencies:
     # The example app is bundled with the plugin so we use a path dependency on
     # the parent directory to use the current plugin's version.
     path: ../
-  google_sign_in_web: ^1.0.0
+  google_sign_in_web: ^1.1.0
   http: ">=0.13.0 <2.0.0"
 
 dev_dependencies:

packages/google_sign_in/google_sign_in/lib/google_sign_in.dart

@@ -136,6 +136,9 @@ class GoogleSignInAuthorizationClient {
   ///
   /// If authorization would require user interaction, this returns null, in
   /// which case [authorizeScopes] should be used instead.
+  ///
+  /// In rare cases, this can return tokens that are no longer valid. See
+  /// [clearAuthorizationToken] for details.
   Future<GoogleSignInClientAuthorization?> authorizationForScopes(
     List<String> scopes,
   ) async {
@@ -150,6 +153,9 @@ class GoogleSignInAuthorizationClient {
   /// allowed (for example, while the app is foregrounded on mobile), and if
   /// [GoogleSignIn.authorizationRequiresUserInteraction] returns true this
   /// should only be called from an user interaction handler.
+  ///
+  /// In rare cases, this can return tokens that are no longer valid. See
+  /// [clearAuthorizationToken] for details.
   Future<GoogleSignInClientAuthorization> authorizeScopes(
     List<String> scopes,
   ) async {
@@ -173,8 +179,10 @@ class GoogleSignInAuthorizationClient {
   /// authorization headers, containing the access token for the given scopes.
   ///
   /// Returns null if the given scopes are not authorized, or there is no
-  /// currently valid authorization token available, and
-  /// [promptIfNecessary] is false.
+  /// unexpired authorization token available, and [promptIfNecessary] is false.
+  ///
+  /// In rare cases, this can return tokens that are no longer valid. See
+  /// [clearAuthorizationToken] for details.
   ///
   /// See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization.
   Future<Map<String, String>?> authorizationHeaders(
@@ -207,6 +215,9 @@ class GoogleSignInAuthorizationClient {
   /// allowed (for example, while the app is foregrounded on mobile), and if
   /// [GoogleSignIn.authorizationRequiresUserInteraction] returns true this
   /// should only be called from an user interaction handler.
+  ///
+  /// In rare cases, this can return tokens that are no longer valid. See
+  /// [clearAuthorizationToken] for details.
   Future<GoogleSignInServerAuthorization?> authorizeServer(
     List<String> scopes,
   ) async {
@@ -229,6 +240,20 @@ class GoogleSignInAuthorizationClient {
         );
   }
 
+  /// Removes the given [accessToken] from any local authorization caches.
+  ///
+  /// This should be called if using an access token results in an invalid token
+  /// response from the target API, followed by re-requsting authorization.
+  ///
+  /// A token can be invalidated by, for example, a user removing an
+  /// application's authorization from outside of the application:
+  /// https://support.google.com/accounts/answer/13533235.
+  Future<void> clearAuthorizationToken({required String accessToken}) {
+    return GoogleSignInPlatform.instance.clearAuthorizationToken(
+      ClearAuthorizationTokenParams(accessToken: accessToken),
+    );
+  }
+
   Future<GoogleSignInClientAuthorization?> _authorizeClient(
     List<String> scopes, {
     required bool promptIfUnauthorized,

packages/google_sign_in/google_sign_in/pubspec.yaml

@@ -3,7 +3,7 @@ description: Flutter plugin for Google Sign-In, a secure authentication system
   for signing in with a Google account.
 repository: https://github.com/flutter/packages/tree/main/packages/google_sign_in/google_sign_in
 issue_tracker: https://github.com/flutter/flutter/issues?q=is%3Aissue+is%3Aopen+label%3A%22p%3A+google_sign_in%22
-version: 7.1.1
+version: 7.2.0
 
 environment:
   sdk: ^3.7.0
@@ -24,10 +24,10 @@ flutter:
 dependencies:
   flutter:
     sdk: flutter
-  google_sign_in_android: ^7.0.0
-  google_sign_in_ios: ^6.0.0
-  google_sign_in_platform_interface: ^3.0.0
-  google_sign_in_web: ^1.0.0
+  google_sign_in_android: ^7.1.0
+  google_sign_in_ios: ^6.2.0
+  google_sign_in_platform_interface: ^3.1.0
+  google_sign_in_web: ^1.1.0
 
 dev_dependencies:
   build_runner: ^2.1.10

packages/google_sign_in/google_sign_in/test/google_sign_in_test.dart

@@ -760,4 +760,22 @@ void main() {
       );
     });
   });
+
+  group('clearAuthorizationToken', () {
+    test('passes expected paramaters', () async {
+      final GoogleSignIn googleSignIn = GoogleSignIn.instance;
+
+      const String token = 'someAccessToken';
+      await googleSignIn.authorizationClient.clearAuthorizationToken(
+        accessToken: token,
+      );
+
+      final VerificationResult verification = verify(
+        mockPlatform.clearAuthorizationToken(captureAny),
+      );
+      final ClearAuthorizationTokenParams params =
+          verification.captured[0] as ClearAuthorizationTokenParams;
+      expect(params.accessToken, token);
+    });
+  });
 }

packages/google_sign_in/google_sign_in/test/google_sign_in_test.mocks.dart

@@ -1,4 +1,4 @@
-// Mocks generated by Mockito 5.4.5 from annotations
+// Mocks generated by Mockito 5.4.6 from annotations
 // in google_sign_in/test/google_sign_in_test.dart.
 // Do not manually edit this file.
 
@@ -57,6 +57,14 @@ class MockGoogleSignInPlatform extends _i1.Mock
           )
           as _i4.Future<_i2.AuthenticationResults?>?);
 
+  @override
+  bool supportsAuthenticate() =>
+      (super.noSuchMethod(
+            Invocation.method(#supportsAuthenticate, []),
+            returnValue: false,
+          )
+          as bool);
+
   @override
   _i4.Future<_i2.AuthenticationResults> authenticate(
     _i2.AuthenticateParameters? params,
@@ -72,14 +80,6 @@ class MockGoogleSignInPlatform extends _i1.Mock
           )
           as _i4.Future<_i2.AuthenticationResults>);
 
-  @override
-  bool supportsAuthenticate() =>
-      (super.noSuchMethod(
-            Invocation.method(#supportsAuthenticate, []),
-            returnValue: false,
-          )
-          as bool);
-
   @override
   bool authorizationRequiresUserInteraction() =>
       (super.noSuchMethod(
@@ -110,6 +110,17 @@ class MockGoogleSignInPlatform extends _i1.Mock
           )
           as _i4.Future<_i2.ServerAuthorizationTokenData?>);
 
+  @override
+  _i4.Future<void> clearAuthorizationToken(
+    _i2.ClearAuthorizationTokenParams? params,
+  ) =>
+      (super.noSuchMethod(
+            Invocation.method(#clearAuthorizationToken, [params]),
+            returnValue: _i4.Future<void>.value(),
+            returnValueForMissingStub: _i4.Future<void>.value(),
+          )
+          as _i4.Future<void>);
+
   @override
   _i4.Future<void> signOut(_i2.SignOutParams? params) =>
       (super.noSuchMethod(