fix: DPoP nonce retry race issue

[nandan-bhat]

Background:

The proxy code reused shared fetcher state for requests to the same audience. As part of that reuse, it replaced the fetcher’s token lookup function on every request. When DPoP nonce retry happened, request A could pause, request B could come in and replace that function, and then request A’s retry could continue using request B’s token.

Fix:

This PR stops sharing request-specific token lookup state across requests. It now only reuses the DPoP handle per audience, and creates a fresh fetcher for each request with that request’s own token lookup function. That keeps DPoP nonce state reusable, while making sure retries stay bound to the correct session.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.18%. Comparing base (b06d30f) to head (372d576).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2580      +/-   ##
==========================================
+ Coverage   90.09%   90.18%   +0.08%     
==========================================
  Files          63       63              
  Lines        7614     7590      -24     
  Branches     1615     1615              
==========================================
- Hits         6860     6845      -15     
+ Misses        742      733       -9     
  Partials       12       12              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Piyush-85]

Removing getProxyFetcher from this file makes getProxyFetcher a dead code, that can be removed.

[tusharpandey13]

auth-client-provider.ts:42: const MAX_PROXY_FETCHERS = 100
auth-client-provider.ts:64: private proxyFetchers: LruMap<string, any>
auth-client-provider.ts:79: this.proxyFetchers = new LruMap(MAX_PROXY_FETCHERS
auth-client-provider.ts:207-220: getProxyFetcher() method
auth-client-provider.test.ts:519-600: Tests for getProxyFetcher  
mcd.integration.test.ts:750-780: MCD integration tests for proxy fetcher caching  

These are dead code after this change

[nandan-bhat]

Addressed in 372d576

[Piyush-85]

Not sure about this implementation even if useDPoP is false and user passes some dpopHandle this will pass.

[nandan-bhat]

Addressed in 372d576

[tusharpandey13]

Was dropping support for MCD cross-instance DPoP handle sharing intentional?
This change moves the cache from provider to internal client.
Before: AuthClientProvider (this.provider.getProxyFetcher(cacheKey))
New: AuthClient (this.proxyDpopHandles[audience]).

[nandan-bhat]

Was dropping support for MCD cross-instance DPoP handle sharing intentional? This change moves the cache from provider to internal client. Before: AuthClientProvider (this.provider.getProxyFetcher(cacheKey)) New: AuthClient (this.proxyDpopHandles[audience]).

This is intentional. In practice we still share the DPoP handle for the same domain, because the provider already reuses a single AuthClient per domain. So moving the cache from the provider to AuthClient does not lose the useful MCD sharing, but it does avoid sharing request-specific fetcher state which was the root cause of the issue.