Add multi-token support for HxClient#52
Merged
pditommaso merged 11 commits intomasterfrom Feb 22, 2026
Merged
Conversation
Introduce HxAuth, HxTokenStore, and HxMapTokenStore to support multiple authentication sessions with automatic token refresh. - HxAuth: Immutable JWT credential container with SHA-256 key - HxTokenStore: Interface for pluggable token storage - HxMapTokenStore: Default ConcurrentHashMap implementation - HxTokenManager: Extended with multi-token methods - HxClient.Builder: Added tokenStore() method for custom stores 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
- Move key() method from HxTokenStore to HxAuth as static method - Add keyOrDefault(auth, defaultValue) for null-safe key computation - Remove key() default method from HxTokenStore interface - key() now throws IllegalArgumentException for null auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
Refactored no-arg methods to delegate to their HxAuth counterparts: - addAuthHeader() - delegates with basic auth fallback - canRefreshToken() - delegates to canRefreshToken(HxAuth) - refreshToken() - delegates to refreshToken(HxAuth) - doRefreshToken() - delegates to doRefreshToken(HxAuth) - refreshTokenAsync() - delegates to refreshTokenAsync(HxAuth) - getOrRefreshTokenAsync() - delegates to getOrRefreshTokenAsync(HxAuth) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
… multi-token support - Add synchronized to updateTokens to prevent read-modify-write race - Add putIfAbsent to HxTokenStore interface for atomic check-and-set in getAuth - Create per-refresh CookieManager/HttpClient to prevent cross-user cookie leaking - Mask tokens in HxAuth.toString() to prevent credential leaking in logs - Reject null access token in HxAuth constructor - Update stale Javadoc referencing removed ReentrantReadWriteLock - Fix README putIfAbsent example to match actual interface signature - Reduce updateTokens visibility to package-private Co-Authored-By: Claude Opus 4.6 <[email protected]>
Add private applyAuthHeader, canRefreshToken, and refreshToken helpers that accept nullable HxAuth and delegate to the appropriate tokenManager method, simplifying sendWithRetry and sendWithRetryAsync. Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Extract HxAuth from final class to interface with stable id() contract - Add DefaultHxAuth as immutable record with UUID-based identity preserved across withToken/withRefresh - Add per-auth refreshUrl with fallback to global config - Remove static factory methods and keyOrDefault helper - Replace SHA-256 key derivation with stable UUID identity - Update README with new interface design and usage examples Co-Authored-By: Claude Opus 4.6 <[email protected]>
- Fix stable stable typo in HxAuth Javadoc - Update HxTokenStore Javadoc to reference HxAuth.id() instead of SHA-256 - Use two-arg remove(key, future) in refresh coordination to prevent accidental removal of a concurrent callers future - Make canRefreshToken(HxAuth) side-effect-free by using tokenStore.get() instead of getAuth() which calls putIfAbsent - Add comment clarifying updateTokens synchronized scope - Update HxTokenManager class Javadoc with current API example - Remove DefaultHxAuth references from README (package-private) Co-Authored-By: Claude Opus 4.6 <[email protected]>
…auth test - Remove 8 unused methods from HxTokenManager (refreshToken, refreshTokenAsync, doRefreshToken, getBasicAuthToken, getTokenStore, updateTokens and their overloads) - Replace UUID-based HxAuth id with deterministic id derived from accessToken and refreshUrl using Objects.hash, so stateless requests always resolve to the same token store entry - Simplify HxClient.refreshToken to use getDefaultAuth fallback - Add test verifying stateless requests resolve refreshed tokens by same id Co-Authored-By: Claude Opus 4.6 <[email protected]>
…terface, update docs - Rename withToken → withAccessToken, withRefresh → withRefreshToken for clarity - Remove createdAt/updatedAt from HxAuth interface (kept in DefaultHxAuth only) - Add Future Improvements section in README for refresh HttpClient reuse - Add README note about DefaultHxAuth 32-bit hash limitation and stronger alternatives - Fix DEFAULT_KEY → DEFAULT_TOKEN comment typo in HxTokenManager Co-Authored-By: Claude Opus 4.6 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extends
lib-httpxto support multi-tenant JWT authentication. A singleHxClientinstance can now manage multiple concurrent auth sessions, each with independent token refresh.What's new
HxAuthinterface — Represents an auth session with a stableid()across token refreshes. Each session can carry its own refresh URL, falling back to global configHxTokenStoreinterface — Pluggable token storage (default: in-memoryConcurrentHashMap). Implement for distributed deployments (Redis, database, etc.)send(request, auth, handler)andsendAsync(request, auth, handler)route each request through its own auth context with automatic 401 refreshHttpClientprevents cross-tenant cookie leakageDesign notes
DefaultHxAuthis suitable for simple scenarios. Production multi-tenant deployments should implementHxAuthwith explicit identifiers (e.g., tenant ID) for collision-free token store keysKnown limitations
HttpClienthardcodes HTTP/1.1 and redirect policy instead of inheriting from main client configHttpClientis created per refresh to isolate cookies; may cause resource pressure under high concurrencyTest plan
HxAuthcontract: stable identity, token masking, null handlingHxTokenStore: CRUD and putIfAbsent semanticsHxTokenManager: multi-session lifecycle, per-auth refresh URL, stateless resolutionHxClienttests pass unchanged