-
Notifications
You must be signed in to change notification settings - Fork 50
/
NetworkAuthenticationPlugin.swift
340 lines (286 loc) · 12.5 KB
/
NetworkAuthenticationPlugin.swift
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
//
// NetworkAuthenticationPlugin.swift
// Booming
//
// Created by Condy on 2024/6/1.
//
import Foundation
import Alamofire
import Moya
/// 生成授权凭证。用户没有登陆时,可以不生成。
/// let credential = OAuthCredential.restore()
/// 生成授权中心
/// let authenticator = OAuthenticator()
/// 使用授权中心和凭证配置拦截器
/// let interceptor = OAuthentication(authenticator: authenticator, credential: credential)
public struct NetworkAuthenticationPlugin {
public let interceptor: RequestInterceptor
public init(interceptor: RequestInterceptor) {
self.interceptor = interceptor
}
}
extension NetworkAuthenticationPlugin: PluginSubType {
public var pluginName: String {
"Authentication"
}
}
/// The `Authentication` class manages the queuing and threading complexity of authenticating requests.
/// It relies on an `Authenticator` type to handle the actual `URLRequest` authentication and `Credential` refresh.
public class OAuthentication<AuthenticatorType>: RequestInterceptor where AuthenticatorType: Authenticator {
/// Type of credential used to authenticate requests.
public typealias Credential = AuthenticatorType.Credential
// MARK: - Helper Types
/// Type that defines a time window used to identify excessive refresh calls. When enabled, prior to executing a
/// refresh, the `Authentication` compares the timestamp history of previous refresh calls against the
/// `RefreshWindow`. If more refreshes have occurred within the refresh window than allowed, the refresh is
/// cancelled and an `AuthorizationError.excessiveRefresh` error is thrown.
public struct RefreshWindow {
/// `TimeInterval` defining the duration of the time window before the current time in which the number of
/// refresh attempts is compared against `maximumAttempts`. For example, if `interval` is 30 seconds, then the
/// `RefreshWindow` represents the past 30 seconds. If more attempts occurred in the past 30 seconds than
/// `maximumAttempts`, an `.excessiveRefresh` error will be thrown.
public let interval: TimeInterval
/// Total refresh attempts allowed within `interval` before throwing an `.excessiveRefresh` error.
public let maximumAttempts: Int
/// Creates a `RefreshWindow` instance from the specified `interval` and `maximumAttempts`.
///
/// - Parameters:
/// - interval: `TimeInterval` defining the duration of the time window before the current time.
/// - maximumAttempts: The maximum attempts allowed within the `TimeInterval`.
public init(interval: TimeInterval = 30.0, maximumAttempts: Int = 5) {
self.interval = interval
self.maximumAttempts = maximumAttempts
}
}
private struct AdaptOperation {
let urlRequest: URLRequest
let session: Session
let completion: (Result<URLRequest, Error>) -> Void
}
private enum AdaptResult {
case adapt(Credential)
case doNotAdapt(AuthenticationError)
case adaptDeferred
}
private struct MutableState {
var credential: Credential?
var isRefreshing = false
var refreshTimestamps: [TimeInterval] = []
var refreshWindow: RefreshWindow?
var adaptOperations: [AdaptOperation] = []
var requestsToRetry: [(RetryResult) -> Void] = []
}
// MARK: - Properties
/// The `Credential` used to authenticate requests.
public var credential: Credential? {
get { $mutableState.credential }
set { $mutableState.credential = newValue }
}
let authenticator: AuthenticatorType
let queue = DispatchQueue(label: "org.alamofire.authentication.inspector")
@Protected private var mutableState: MutableState
// MARK: - Initialization
/// Creates an `Authentication` instance from the specified parameters.
///
/// A `nil` `RefreshWindow` will result in the `Authentication` not checking for excessive refresh calls.
/// It is recommended to always use a `RefreshWindow` to avoid endless refresh cycles.
///
/// - Parameters:
/// - authenticator: The `Authenticator` type.
/// - credential: The `Credential` if it exists. `nil` by default.
/// - refreshWindow: The `RefreshWindow` used to identify excessive refresh calls. `RefreshWindow()` by default.
public init(authenticator: AuthenticatorType,
credential: Credential? = nil,
refreshWindow: RefreshWindow? = RefreshWindow()) {
self.authenticator = authenticator
mutableState = MutableState(credential: credential, refreshWindow: refreshWindow)
}
// MARK: - Adapt
public func adapt(_ urlRequest: URLRequest, for session: Session, completion: @escaping (Result<URLRequest, Error>) -> Void) {
var authenticatedRequest = urlRequest
if let credential = mutableState.credential {
authenticator.apply(credential, to: &authenticatedRequest)
}
completion(.success(authenticatedRequest))
}
// MARK: - Retry
public func retry(_ request: Request, for session: Session, dueTo error: Error, completion: @escaping (RetryResult) -> Void) {
// Do not attempt retry if there was not an original request and response from the server.
guard let urlRequest = request.request, let response = request.response else {
completion(.doNotRetry)
return
}
// Do not attempt retry unless the `Authenticator` verifies failure was due to authentication error (i.e. 401 status code).
guard authenticator.didRequest(urlRequest, with: response, failDueToAuthenticationError: error) else {
completion(.doNotRetry)
return
}
// Do not attempt retry if there is no credential.
guard let credential = credential else {
let error = AuthenticationError.missingCredential
completion(.doNotRetryWithError(error))
return
}
// Retry the request if the `Authenticator` verifies it was authenticated with a previous credential.
guard authenticator.isRequest(urlRequest, authenticatedWith: credential) else {
completion(.retry)
return
}
$mutableState.write { mutableState in
mutableState.requestsToRetry.append(completion)
guard !mutableState.isRefreshing else {
return
}
refresh(credential, for: session, insideLock: &mutableState)
}
}
// MARK: - Refresh
private func refresh(_ credential: Credential, for session: Session, insideLock mutableState: inout MutableState) {
guard !isRefreshExcessive(insideLock: &mutableState) else {
let error = AuthenticationError.excessiveRefresh
handleRefreshFailure(error, insideLock: &mutableState)
return
}
mutableState.refreshTimestamps.append(ProcessInfo.processInfo.systemUptime)
mutableState.isRefreshing = true
// Dispatch to queue to hop out of the lock in case authenticator.refresh is implemented synchronously.
queue.async {
self.authenticator.refresh(credential, for: session) { result in
self.$mutableState.write { mutableState in
switch result {
case let .success(credential):
self.handleRefreshSuccess(credential, insideLock: &mutableState)
case let .failure(error):
self.handleRefreshFailure(error, insideLock: &mutableState)
}
}
}
}
}
private func isRefreshExcessive(insideLock mutableState: inout MutableState) -> Bool {
guard let refreshWindow = mutableState.refreshWindow else {
return false
}
let refreshWindowMin = ProcessInfo.processInfo.systemUptime - refreshWindow.interval
let raww = mutableState.refreshTimestamps.reduce(into: 0) { attempts, timestamp in
guard refreshWindowMin <= timestamp else { return }
attempts += 1
}
let isRefreshExcessive = raww >= refreshWindow.maximumAttempts
return isRefreshExcessive
}
private func handleRefreshSuccess(_ credential: Credential, insideLock mutableState: inout MutableState) {
mutableState.credential = credential
let adaptOperations = mutableState.adaptOperations
let requestsToRetry = mutableState.requestsToRetry
mutableState.adaptOperations.removeAll()
mutableState.requestsToRetry.removeAll()
mutableState.isRefreshing = false
// Dispatch to queue to hop out of the mutable state lock
queue.async {
adaptOperations.forEach { self.adapt($0.urlRequest, for: $0.session, completion: $0.completion) }
requestsToRetry.forEach { $0(.retry) }
}
}
private func handleRefreshFailure(_ error: Error, insideLock mutableState: inout MutableState) {
let adaptOperations = mutableState.adaptOperations
let requestsToRetry = mutableState.requestsToRetry
mutableState.adaptOperations.removeAll()
mutableState.requestsToRetry.removeAll()
mutableState.isRefreshing = false
// Dispatch to queue to hop out of the mutable state lock
queue.async {
adaptOperations.forEach { $0.completion(.failure(error)) }
requestsToRetry.forEach { $0(.doNotRetryWithError(error)) }
}
}
}
private protocol Lock {
func lock()
func unlock()
}
extension Lock {
/// Executes a closure returning a value while acquiring the lock.
///
/// - Parameter closure: The closure to run.
///
/// - Returns: The value the closure generated.
func around<T>(_ closure: () throws -> T) rethrows -> T {
lock(); defer { unlock() }
return try closure()
}
/// Execute a closure while acquiring the lock.
///
/// - Parameter closure: The closure to run.
func around(_ closure: () throws -> Void) rethrows {
lock(); defer { unlock() }
try closure()
}
}
#if os(Linux) || os(Windows) || os(Android)
extension NSLock: Lock { }
#endif
#if canImport(Darwin)
/// An `os_unfair_lock` wrapper.
final class UnfairLock: Lock {
private let unfairLock: os_unfair_lock_t
init() {
unfairLock = .allocate(capacity: 1)
unfairLock.initialize(to: os_unfair_lock())
}
deinit {
unfairLock.deinitialize(count: 1)
unfairLock.deallocate()
}
fileprivate func lock() {
os_unfair_lock_lock(unfairLock)
}
fileprivate func unlock() {
os_unfair_lock_unlock(unfairLock)
}
}
#endif
/// A thread-safe wrapper around a value.
@propertyWrapper @dynamicMemberLookup final class Protected<T> {
#if canImport(Darwin)
private let lock = UnfairLock()
#elseif os(Linux) || os(Windows) || os(Android)
private let lock = NSLock()
#endif
private var value: T
init(_ value: T) {
self.value = value
}
/// The contained value. Unsafe for anything more than direct read or write.
var wrappedValue: T {
get { lock.around { value } }
set { lock.around { value = newValue } }
}
var projectedValue: Protected<T> { self }
init(wrappedValue: T) {
value = wrappedValue
}
/// Synchronously read or transform the contained value.
///
/// - Parameter closure: The closure to execute.
///
/// - Returns: The return value of the closure passed.
func read<U>(_ closure: (T) throws -> U) rethrows -> U {
try lock.around { try closure(self.value) }
}
/// Synchronously modify the protected value.
///
/// - Parameter closure: The closure to execute.
///
/// - Returns: The modified value.
@discardableResult func write<U>(_ closure: (inout T) throws -> U) rethrows -> U {
try lock.around { try closure(&self.value) }
}
subscript<Property>(dynamicMember keyPath: WritableKeyPath<T, Property>) -> Property {
get { lock.around { value[keyPath: keyPath] } }
set { lock.around { value[keyPath: keyPath] = newValue } }
}
subscript<Property>(dynamicMember keyPath: KeyPath<T, Property>) -> Property {
lock.around { value[keyPath: keyPath] }
}
}