Address Qodo code review: CancellationToken, nullable ExpiresIn, scope on refresh

alexeyzimarev · claude · alexeyzimarev · commit 267475755aaf · 2026-03-01T17:22:07.000+01:00
- Add optional CancellationToken to IAuthenticator.Authenticate and propagate
  it through all authenticators to SemaphoreSlim.WaitAsync, HttpClient.PostAsync,
  and the user delegate in OAuth2TokenAuthenticator
- Make OAuth2TokenResponse.ExpiresIn nullable (int?) so missing expires_in from
  the server is treated as non-expiring instead of causing a refresh storm
- Send scope parameter in OAuth2RefreshTokenAuthenticator when configured

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/RestSharp/Authenticators/AuthenticatorBase.cs b/src/RestSharp/Authenticators/AuthenticatorBase.cs
@@ -19,6 +19,6 @@ public abstract class AuthenticatorBase(string token) : IAuthenticator {
 
     protected abstract ValueTask<Parameter> GetAuthenticationParameter(string accessToken);
 
-    public async ValueTask Authenticate(IRestClient client, RestRequest request)
+    public async ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default)
         => request.AddOrUpdateParameter(await GetAuthenticationParameter(Token).ConfigureAwait(false));
 }
diff --git a/src/RestSharp/Authenticators/IAuthenticator.cs b/src/RestSharp/Authenticators/IAuthenticator.cs
@@ -15,5 +15,5 @@
 namespace RestSharp.Authenticators;
 
 public interface IAuthenticator {
-    ValueTask Authenticate(IRestClient client, RestRequest request);
+    ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default);
 }
diff --git a/src/RestSharp/Authenticators/OAuth/OAuth1Authenticator.cs b/src/RestSharp/Authenticators/OAuth/OAuth1Authenticator.cs
@@ -41,7 +41,7 @@ public class OAuth1Authenticator : IAuthenticator {
     public virtual string?                 ClientUsername     { get; set; }
     public virtual string?                 ClientPassword     { get; set; }
 
-    public ValueTask Authenticate(IRestClient client, RestRequest request) {
+    public ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default) {
         var workflow = new OAuthWorkflow {
             ConsumerKey        = ConsumerKey,
             ConsumerSecret     = ConsumerSecret,
diff --git a/src/RestSharp/Authenticators/OAuth2/OAuth2EndpointAuthenticatorBase.cs b/src/RestSharp/Authenticators/OAuth2/OAuth2EndpointAuthenticatorBase.cs
@@ -49,8 +49,8 @@ protected void SetInitialToken(string accessToken, DateTimeOffset expiresAt) {
         _tokenExpiry = expiresAt;
     }
 
-    public async ValueTask Authenticate(IRestClient client, RestRequest request) {
-        var token = await GetOrRefreshTokenAsync().ConfigureAwait(false);
+    public async ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default) {
+        var token = await GetOrRefreshTokenAsync(cancellationToken).ConfigureAwait(false);
         request.AddOrUpdateParameter(new HeaderParameter(KnownHeaders.Authorization, $"Bearer {token}"));
     }
 
@@ -65,11 +65,11 @@ public async ValueTask Authenticate(IRestClient client, RestRequest request) {
     /// </summary>
     protected virtual void OnTokenResponse(OAuth2TokenResponse response) { }
 
-    async Task<string> GetOrRefreshTokenAsync() {
+    async Task<string> GetOrRefreshTokenAsync(CancellationToken cancellationToken) {
         if (_accessToken != null && DateTimeOffset.UtcNow < _tokenExpiry)
             return _accessToken;
 
-        await _lock.WaitAsync().ConfigureAwait(false);
+        await _lock.WaitAsync(cancellationToken).ConfigureAwait(false);
 
         try {
             if (_accessToken != null && DateTimeOffset.UtcNow < _tokenExpiry)
@@ -83,7 +83,7 @@ async Task<string> GetOrRefreshTokenAsync() {
             }
 
             using var content = new FormUrlEncodedContent(parameters);
-            using var response = await _tokenClient.PostAsync(TokenRequest.TokenEndpointUrl, content).ConfigureAwait(false);
+            using var response = await _tokenClient.PostAsync(TokenRequest.TokenEndpointUrl, content, cancellationToken).ConfigureAwait(false);
 
             var body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
 
@@ -96,7 +96,9 @@ async Task<string> GetOrRefreshTokenAsync() {
                 throw new InvalidOperationException($"Token endpoint returned an invalid response: {body}");
 
             _accessToken = tokenResponse.AccessToken;
-            _tokenExpiry = DateTimeOffset.UtcNow.AddSeconds(tokenResponse.ExpiresIn) - TokenRequest.ExpiryBuffer;
+            _tokenExpiry = tokenResponse.ExpiresIn.HasValue
+                ? DateTimeOffset.UtcNow.AddSeconds(tokenResponse.ExpiresIn.Value) - TokenRequest.ExpiryBuffer
+                : DateTimeOffset.MaxValue;
 
             OnTokenResponse(tokenResponse);
             TokenRequest.OnTokenRefreshed?.Invoke(tokenResponse);
diff --git a/src/RestSharp/Authenticators/OAuth2/OAuth2RefreshTokenAuthenticator.cs b/src/RestSharp/Authenticators/OAuth2/OAuth2RefreshTokenAuthenticator.cs
@@ -38,14 +38,20 @@ DateTimeOffset expiresAt
         SetInitialToken(accessToken, expiresAt);
     }
 
-    protected override Dictionary<string, string> BuildRequestParameters()
-        => new() {
+    protected override Dictionary<string, string> BuildRequestParameters() {
+        var parameters = new Dictionary<string, string> {
             ["grant_type"]    = "refresh_token",
             ["client_id"]     = TokenRequest.ClientId,
             ["client_secret"] = TokenRequest.ClientSecret,
             ["refresh_token"] = _refreshToken
         };
 
+        if (TokenRequest.Scope != null)
+            parameters["scope"] = TokenRequest.Scope;
+
+        return parameters;
+    }
+
     protected override void OnTokenResponse(OAuth2TokenResponse response) {
         if (!string.IsNullOrEmpty(response.RefreshToken))
             _refreshToken = response.RefreshToken;
diff --git a/src/RestSharp/Authenticators/OAuth2/OAuth2TokenAuthenticator.cs b/src/RestSharp/Authenticators/OAuth2/OAuth2TokenAuthenticator.cs
@@ -36,22 +36,22 @@ public OAuth2TokenAuthenticator(Func<CancellationToken, Task<OAuth2Token>> getTo
         _tokenType = tokenType;
     }
 
-    public async ValueTask Authenticate(IRestClient client, RestRequest request) {
-        var token = await GetOrRefreshTokenAsync().ConfigureAwait(false);
+    public async ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default) {
+        var token = await GetOrRefreshTokenAsync(cancellationToken).ConfigureAwait(false);
         request.AddOrUpdateParameter(new HeaderParameter(KnownHeaders.Authorization, $"{_tokenType} {token}"));
     }
 
-    async Task<string> GetOrRefreshTokenAsync() {
+    async Task<string> GetOrRefreshTokenAsync(CancellationToken cancellationToken) {
         if (_accessToken != null && DateTimeOffset.UtcNow < _tokenExpiry)
             return _accessToken;
 
-        await _lock.WaitAsync().ConfigureAwait(false);
+        await _lock.WaitAsync(cancellationToken).ConfigureAwait(false);
 
         try {
             if (_accessToken != null && DateTimeOffset.UtcNow < _tokenExpiry)
                 return _accessToken;
 
-            var result = await _getToken(CancellationToken.None).ConfigureAwait(false);
+            var result = await _getToken(cancellationToken).ConfigureAwait(false);
             _accessToken = result.AccessToken;
             _tokenExpiry = result.ExpiresAt;
 
diff --git a/src/RestSharp/Authenticators/OAuth2/OAuth2TokenResponse.cs b/src/RestSharp/Authenticators/OAuth2/OAuth2TokenResponse.cs
@@ -28,7 +28,7 @@ public record OAuth2TokenResponse {
     public string TokenType { get; init; } = "";
 
     [JsonPropertyName("expires_in")]
-    public int ExpiresIn { get; init; }
+    public int? ExpiresIn { get; init; }
 
     [JsonPropertyName("refresh_token")]
     public string? RefreshToken { get; init; }
diff --git a/src/RestSharp/RestClient.Async.cs b/src/RestSharp/RestClient.Async.cs
@@ -108,7 +108,7 @@ async Task<HttpResponse> ExecuteRequestAsync(RestRequest request, CancellationTo
         var authenticator = request.Authenticator ?? Options.Authenticator;
 
         if (authenticator != null) {
-            await authenticator.Authenticate(this, request).ConfigureAwait(false);
+            await authenticator.Authenticate(this, request, cancellationToken).ConfigureAwait(false);
         }
 
         var contentToDispose = new List<RequestContent>();
diff --git a/test/RestSharp.Tests/Auth/AuthenticatorTests.cs b/test/RestSharp.Tests/Auth/AuthenticatorTests.cs
@@ -34,7 +34,7 @@ public async Task Should_add_authorization_form_parameter() {
     }
 
     class TestAuthenticator(ParameterType type, string name, string value) : IAuthenticator {
-        public ValueTask Authenticate(IRestClient client, RestRequest request) {
+        public ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default) {
             request.AddParameter(name, value, type);
             return default;
         }
diff --git a/test/RestSharp.Tests/Auth/OAuth2ClientCredentialsAuthenticatorTests.cs b/test/RestSharp.Tests/Auth/OAuth2ClientCredentialsAuthenticatorTests.cs
@@ -153,6 +153,33 @@ await act.Should().ThrowAsync<InvalidOperationException>()
             .WithMessage("*invalid response*");
     }
 
+    [Fact]
+    public async Task Should_treat_missing_expires_in_as_non_expiring() {
+        var callCount = 0;
+
+        _mockHttp.When(HttpMethod.Post, TokenEndpoint)
+            .Respond(_ => {
+                Interlocked.Increment(ref callCount);
+                return new HttpResponseMessage(HttpStatusCode.OK) {
+                    Content = new StringContent(
+                        """{"access_token":"no-expiry-token","token_type":"Bearer"}""",
+                        System.Text.Encoding.UTF8,
+                        "application/json"
+                    )
+                };
+            });
+
+        using var authenticator = new OAuth2ClientCredentialsAuthenticator(CreateRequest());
+
+        var request1 = new RestRequest();
+        await authenticator.Authenticate(null!, request1);
+
+        var request2 = new RestRequest();
+        await authenticator.Authenticate(null!, request2);
+
+        callCount.Should().Be(1, "token without expires_in should be cached indefinitely");
+    }
+
     [Fact]
     public async Task Should_send_scope_when_configured() {
         _mockHttp.When(HttpMethod.Post, TokenEndpoint)
diff --git a/test/RestSharp.Tests/Auth/OAuth2RefreshTokenAuthenticatorTests.cs b/test/RestSharp.Tests/Auth/OAuth2RefreshTokenAuthenticatorTests.cs
@@ -161,6 +161,33 @@ public async Task Should_invoke_callback_on_refresh() {
         capturedResponse.TokenType.Should().Be("Bearer");
     }
 
+    [Fact]
+    public async Task Should_send_scope_when_configured() {
+        var request2 = new OAuth2TokenRequest(TokenEndpoint, ClientId, ClientSecret) {
+            HttpClient   = new HttpClient(_mockHttp),
+            ExpiryBuffer = TimeSpan.Zero,
+            Scope        = "api.read api.write"
+        };
+
+        _mockHttp.When(HttpMethod.Post, TokenEndpoint)
+            .WithFormData("scope", "api.read api.write")
+            .Respond("application/json", TokenJson());
+
+        using var authenticator = new OAuth2RefreshTokenAuthenticator(
+            request2,
+            InitialAccess,
+            InitialRefresh,
+            DateTimeOffset.MinValue
+        );
+
+        var request = new RestRequest();
+        await authenticator.Authenticate(null!, request);
+
+        var authHeader = request.Parameters.FirstOrDefault(p => p.Name == KnownHeaders.Authorization);
+        authHeader.Should().NotBeNull();
+        authHeader.Value.Should().Be("Bearer new-access-token");
+    }
+
     [Fact]
     public async Task Should_throw_on_error_response() {
         _mockHttp.When(HttpMethod.Post, TokenEndpoint)

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,6 @@ public abstract class AuthenticatorBase(string token) : IAuthenticator {`
`19`	`19`
`20`	`20`	`protected abstract ValueTask<Parameter> GetAuthenticationParameter(string accessToken);`
`21`	`21`
`22`		`- public async ValueTask Authenticate(IRestClient client, RestRequest request)`
	`22`	`+ public async ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default)`
`23`	`23`	`=> request.AddOrUpdateParameter(await GetAuthenticationParameter(Token).ConfigureAwait(false));`
`24`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,5 +15,5 @@`
`15`	`15`	`namespace RestSharp.Authenticators;`
`16`	`16`
`17`	`17`	`public interface IAuthenticator {`
`18`		`- ValueTask Authenticate(IRestClient client, RestRequest request);`
	`18`	`+ ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default);`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ async Task<HttpResponse> ExecuteRequestAsync(RestRequest request, CancellationTo`
`108`	`108`	`var authenticator = request.Authenticator ?? Options.Authenticator;`
`109`	`109`
`110`	`110`	`if (authenticator != null) {`
`111`		`- await authenticator.Authenticate(this, request).ConfigureAwait(false);`
	`111`	`+ await authenticator.Authenticate(this, request, cancellationToken).ConfigureAwait(false);`
`112`	`112`	`}`
`113`	`113`
`114`	`114`	`var contentToDispose = new List<RequestContent>();`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ public async Task Should_add_authorization_form_parameter() {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`class TestAuthenticator(ParameterType type, string name, string value) : IAuthenticator {`
`37`		`- public ValueTask Authenticate(IRestClient client, RestRequest request) {`
	`37`	`+ public ValueTask Authenticate(IRestClient client, RestRequest request, CancellationToken cancellationToken = default) {`
`38`	`38`	`request.AddParameter(name, value, type);`
`39`	`39`	`return default;`
`40`	`40`	`}`