Nh/refresh access token (#4147)

* Add a timer to refresh the access_token before it expires

Author: nhachicha

CHANGELOG.md

@@ -12,9 +12,13 @@
 * Bug causing classes to be replaced by classes already in Gradle's classpath (#3568).
 * NullPointerException when notifying a single object that it changed (#4086).
 
+### Enhancements
+
+* [ObjectServer] Add a timer to refresh periodically the access_token.
+
 ## 2.3.0
 
-### Object Server API Changes 
+### Object Server API Changes
 
 * Realm Sync v1.0.0 has been released, and Realm Mobile Platform is no longer considered in beta.
 * Breaking change: Location of Realm files are now placed in `getFilesDir()/<userIdentifier>` instead of `getFilesDir()/`.

realm/realm-library/src/androidTestObjectServer/java/io/realm/AuthenticateRequestTests.java

@@ -22,6 +22,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.when;
@@ -39,10 +40,10 @@ public void setUp() {
     @Test
     public void realmLogin() throws URISyntaxException, JSONException {
         Token t = SyncTestUtils.createTestUser().getSyncUser().getUserToken();
-        AuthenticateRequest request = AuthenticateRequest.realmLogin(t, new URI("realm://objectserver/" + t.value() + "/default"));
+        AuthenticateRequest request = AuthenticateRequest.realmLogin(t, new URI("realm://objectserver/" + t.identity() + "/default"));
 
         JSONObject obj = new JSONObject(request.toJson());
-        assertEquals("/" + t.value() + "/default", obj.get("path"));
+        assertEquals("/" + t.identity() + "/default", obj.get("path"));
         assertEquals(t.value(), obj.get("data"));
         assertEquals("realm", obj.get("provider"));
     }
@@ -60,10 +61,10 @@ public void userLogin() throws URISyntaxException, JSONException {
     @Test
     public void userRefresh() throws URISyntaxException, JSONException {
         Token t = SyncTestUtils.createTestUser().getSyncUser().getUserToken();
-        AuthenticateRequest request = AuthenticateRequest.userRefresh(t);
+        AuthenticateRequest request = AuthenticateRequest.userRefresh(t, new URI("realm://objectserver/" + t.identity() + "/default"));
 
         JSONObject obj = new JSONObject(request.toJson());
-        assertFalse(obj.has("path"));
+        assertTrue(obj.has("path"));
         assertEquals(t.value(), obj.get("data"));
         assertEquals("realm", obj.get("provider"));
     }

realm/realm-library/src/main/java/io/realm/RealmResults.java

@@ -789,7 +789,7 @@ public void remove() {
             throw new UnsupportedOperationException("remove() is not supported by RealmResults iterators.");
         }
 
-        protected void checkRealmIsStable() {
+        void checkRealmIsStable() {
             long version = table.getVersion();
             // Any change within a write transaction will immediately update the table version. This means that we
             // cannot depend on the tableVersion heuristic in that case.

realm/realm-library/src/objectServer/java/io/realm/SyncUser.java

@@ -361,7 +361,7 @@ public String toJson() {
      * Returns {@code true} if the user is logged into the Realm Object Server. If this method returns {@code true} it
      * implies that the user has valid credentials that have not expired.
      * <p>
-     * The user might still be have been logged out by the Realm Object Server which will not be detected before the
+     * The user might still have been logged out by the Realm Object Server which will not be detected before the
      * user tries to actively synchronize a Realm. If a logged out user tries to synchronize a Realm, an error will be
      * reported to the {@link SyncSession.ErrorHandler} defined by
      * {@link SyncConfiguration.Builder#errorHandler(SyncSession.ErrorHandler)}.

realm/realm-library/src/objectServer/java/io/realm/internal/network/AuthenticateRequest.java

@@ -56,11 +56,11 @@ public static AuthenticateRequest userLogin(SyncCredentials credentials) {
     /**
      * Generates a request for refreshing a user token.
      */
-    public static AuthenticateRequest userRefresh(Token userToken) {
+    public static AuthenticateRequest userRefresh(Token userToken, URI serverUrl) {
         return new AuthenticateRequest("realm",
                 userToken.value(),
                 SyncManager.APP_ID,
-                null,
+                serverUrl.getPath(),
                 Collections.<String, Object>emptyMap()
         );
     }

realm/realm-library/src/objectServer/java/io/realm/internal/network/AuthenticationServer.java

@@ -48,7 +48,7 @@ public interface AuthenticationServer {
      * Before it expires, the client should try to refresh the token, effectively keeping the user logged in on the
      * Object Server. Failing to do so will cause a "soft logout", where the User will have limited access rights.
      */
-    AuthenticateResponse refreshUser(Token userToken, URL authenticationUrl);
+    AuthenticateResponse refreshUser(Token userToken, URI serverUrl, URL authenticationUrl);
 
     /**
      * Logs out the user on the Object Server by invalidating the refresh token. Each device should be given their

realm/realm-library/src/objectServer/java/io/realm/internal/network/ExponentialBackoffTask.java

@@ -44,7 +44,7 @@ protected boolean shouldAbortTask(T response) {
         }
     }
 
-    // Callback when task is have succeeded
+    // Callback when task have succeeded
     protected abstract void onSuccess(T response);
 
     // Callback when task has failed

realm/realm-library/src/objectServer/java/io/realm/internal/network/OkHttpAuthenticationServer.java

@@ -67,9 +67,9 @@ public AuthenticateResponse loginToRealm(Token refreshToken, URI serverUrl, URL
     }
 
     @Override
-    public AuthenticateResponse refreshUser(Token userToken, URL authenticationUrl) {
+    public AuthenticateResponse refreshUser(Token userToken, URI serverUrl, URL authenticationUrl) {
         try {
-            String requestBody = AuthenticateRequest.userRefresh(userToken).toJson();
+            String requestBody = AuthenticateRequest.userRefresh(userToken, serverUrl).toJson();
             return authenticate(authenticationUrl, requestBody);
         } catch (Exception e) {
             return AuthenticateResponse.from(new ObjectServerError(ErrorCode.UNKNOWN, e));

realm/realm-library/src/objectServer/java/io/realm/internal/objectserver/ObjectServerSession.java

@@ -19,6 +19,9 @@
 import java.net.URI;
 import java.util.HashMap;
 import java.util.concurrent.Future;
+import java.util.concurrent.ScheduledFuture;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
 
 import io.realm.ErrorCode;
 import io.realm.ObjectServerError;
@@ -99,14 +102,18 @@ public final class ObjectServerSession {
     private long nativeSessionPointer;
     private final ObjectServerUser user;
     RealmAsyncTask networkRequest;
+    private RealmAsyncTask refreshTokenTask;
+    private RealmAsyncTask refreshTokenNetworkRequest;
     NetworkStateReceiver.ConnectionListener networkListener;
     private SyncPolicy syncPolicy;
 
     // Keeping track of current FSM state
     private SessionState currentStateDescription;
     private FsmState currentState;
     private SyncSession userSession;
-    private SyncSession publicSession;
+
+    private final static ScheduledThreadPoolExecutor REFRESH_TOKENS_EXECUTOR = new ScheduledThreadPoolExecutor(1);
+    private final static long REFRESH_MARGIN_DELAY = TimeUnit.SECONDS.toMillis(10);
 
     /**
      * Creates a new Object Server Session.
@@ -166,6 +173,8 @@ public synchronized void start() {
      * Stops the session. The session can no longer be used.
      */
     public synchronized void stop() {
+        // tries to stop any scheduled access_token refresh
+        clearScheduledAccessTokenRefresh();
         currentState.onStop();
     }
 
@@ -238,6 +247,25 @@ void stopNativeSession() {
             nativeUnbind(nativeSessionPointer);
             nativeSessionPointer = 0;
         }
+        clearScheduledAccessTokenRefresh();
+    }
+
+    // It is an error to call this function before calling Client::bind() state
+    private boolean updateSessionAccessToken(String userToken) {
+        if (nativeSessionPointer != 0 && isBound()) {
+            nativeRefresh(nativeSessionPointer, userToken);
+            return true;
+        }
+        return false;
+    }
+
+    private void clearScheduledAccessTokenRefresh() {
+        if (refreshTokenTask != null) {
+            refreshTokenTask.cancel();
+        }
+        if (refreshTokenNetworkRequest != null) {
+            refreshTokenNetworkRequest.cancel();
+        }
     }
 
     void removeAccessToken() {
@@ -260,6 +288,10 @@ void authenticateRealm(final Runnable onSuccess, final SyncSession.ErrorHandler
         if (networkRequest != null) {
             networkRequest.cancel();
         }
+        // clear any previously scheduled refresh access_token
+        // since we're going to obtain a new refresh_token
+        clearScheduledAccessTokenRefresh();
+
         // Authenticate in a background thread. This allows incremental backoff and retries in a safe manner.
         Future<?> task = SyncManager.NETWORK_POOL_EXECUTOR.submit(new ExponentialBackoffTask<AuthenticateResponse>() {
             @Override
@@ -279,6 +311,8 @@ protected void onSuccess(AuthenticateResponse response) {
                         configuration.shouldDeleteRealmOnLogout()
                 );
                 user.addRealm(configuration.getServerUrl(), desc);
+                // schedule a token refresh before it expires
+                scheduleRefreshAccessToken(response.getAccessToken().expiresMs());
                 onSuccess.run();
             }
 
@@ -290,6 +324,78 @@ protected void onError(AuthenticateResponse response) {
         networkRequest = new RealmAsyncTaskImpl(task, SyncManager.NETWORK_POOL_EXECUTOR);
     }
 
+    private void scheduleRefreshAccessToken(long expireDateInMs) {
+        // calculate the delay time before which we should refresh the access_token,
+        // we adjust to 10 second to proactively refresh the access_token before the session
+        // hit the expire date on the token
+        long refreshAfter =  expireDateInMs - System.currentTimeMillis() - REFRESH_MARGIN_DELAY;
+        if (refreshAfter < 0) {
+            // Token already expired
+            RealmLog.debug("Expires time already reached for the access token, refreshing now");
+            refreshAccessToken();
+
+        } else {
+            RealmLog.debug("Scheduling an access_token refresh in " + (refreshAfter) + " milliseconds");
+            if (refreshTokenTask != null) {
+                refreshTokenTask.cancel();
+            }
+
+            ScheduledFuture<?> task = REFRESH_TOKENS_EXECUTOR.schedule(new Runnable() {
+                @Override
+                public void run() {
+                    refreshAccessToken();
+                }
+            }, refreshAfter, TimeUnit.MILLISECONDS);
+            refreshTokenTask = new RealmAsyncTaskImpl(task, REFRESH_TOKENS_EXECUTOR);
+        }
+    }
+
+    // Authenticate by getting access tokens for the specific Realm
+    private void refreshAccessToken() {
+        // Authenticate in a background thread. This allows incremental backoff and retries in a safe manner.
+        if (refreshTokenNetworkRequest != null) {
+            refreshTokenNetworkRequest.cancel();
+        }
+        Future<?> task = SyncManager.NETWORK_POOL_EXECUTOR.submit(new ExponentialBackoffTask<AuthenticateResponse>() {
+            @Override
+            protected AuthenticateResponse execute() {
+                return authServer.refreshUser(user.getUserToken(), configuration.getServerUrl(), user.getAuthenticationUrl());
+            }
+
+            @Override
+            protected void onSuccess(AuthenticateResponse response) {
+                synchronized (ObjectServerSession.this) {
+                    RealmLog.debug("Access Token refreshed successfully");
+                    if (updateSessionAccessToken(response.getAccessToken().value())) {
+                        RealmLog.debug("Token applied");
+                        // only schedule an update if the token was updated.
+                        // The callback might return will the session state is not BOUND
+                        // in this case we'll wait for the new session state to transition to
+                        // BOUND, which will schedule a refresh in the process
+
+                        // this will also avoid updating a stopped session
+
+                        // replaced the user old access_token
+                        ObjectServerUser.AccessDescription desc = new ObjectServerUser.AccessDescription(
+                                response.getAccessToken(),
+                                configuration.getPath(),
+                                configuration.shouldDeleteRealmOnLogout()
+                        );
+                        user.addRealm(configuration.getServerUrl(), desc);
+                        // schedule the next refresh
+                        scheduleRefreshAccessToken(response.getAccessToken().expiresMs());
+                    }
+                }
+            }
+
+            @Override
+            protected void onError(AuthenticateResponse response) {
+                RealmLog.error("Unrecoverable error, while refreshing the access Token (" + response.getError().toString() + ") reschedule will not happen");
+            }
+        });
+        refreshTokenNetworkRequest = new RealmAsyncTaskImpl(task, SyncManager.NETWORK_POOL_EXECUTOR);
+    }
+
     /**
      * Checks if a user has valid credentials for accessing this Realm.
      *