chore: experimental TLA+ proof

Author: SoulPancake

src/main/java/dev/openfga/sdk/api/auth/OAuth2Client.java

@@ -22,6 +22,16 @@ public class OAuth2Client {
     private final Configuration config;
     private final Telemetry telemetry;
 
+    /**
+     * Test-only seam invoked on the cold path after the lock-free snapshot check fails and
+     * before entering the synchronized acquisition gate. Defaults to a no-op. Used by tests to
+     * deterministically interleave threads around the post-exchange race window. Not part of the
+     * public API.
+     */
+    static final Runnable NO_OP_HOOK = () -> {};
+
+    volatile Runnable beforeAcquireHook = NO_OP_HOOK;
+
     /**
      * Initializes a new instance of the {@link OAuth2Client} class
      *
@@ -49,24 +59,55 @@ public OAuth2Client(Configuration configuration, ApiClient apiClient) throws Fga
      * snapshot until it expires. Concurrent calls are deduplicated: only one exchange is in flight
      * at a time; other callers join the same future rather than issuing redundant requests.
      *
+     * <p>The hot path (valid cached token) is lock-free. The cold path serializes the
+     * "is snapshot valid? / is there an in-flight exchange? / publish my promise" decision
+     * under a monitor so that:
+     * <ul>
+     *   <li>at most one exchange is started per expiry,</li>
+     *   <li>joiners always observe the same in-flight promise that the owner will complete.</li>
+     * </ul>
+     * The exchange itself (the HTTP round-trip) runs asynchronously outside the monitor.
+     *
      * @return An access token in a {@link CompletableFuture}
      */
     public CompletableFuture<String> getAccessToken() throws FgaInvalidParameterException, ApiException {
+        // Lock-free hot path: a valid cached token short-circuits everything.
         AccessToken current = snapshot.get();
         if (current.isValid()) {
             return CompletableFuture.completedFuture(current.token());
         }
+        // Cold-path test seam (no-op in production).
+        beforeAcquireHook.run();
+        return acquireToken();
+    }
 
-        CompletableFuture<String> promise = new CompletableFuture<>();
-        if (!inFlight.compareAndSet(null, promise)) {
-            // Another thread won the race — join its exchange rather than starting a new one.
-            CompletableFuture<String> existing = inFlight.get();
-            return existing != null ? existing : getAccessToken();
+    /**
+     * Cold path: snapshot is missing or expired. Serialized to guarantee a single in-flight
+     * exchange and to avoid the join-vs-clear race that an atomic-CAS-only approach is prone to.
+     */
+    private synchronized CompletableFuture<String> acquireToken()
+            throws FgaInvalidParameterException, ApiException {
+        // Re-check under the monitor: another thread may have just refreshed the snapshot.
+        AccessToken current = snapshot.get();
+        if (current.isValid()) {
+            return CompletableFuture.completedFuture(current.token());
+        }
+
+        // Join an existing exchange if one is already in flight.
+        CompletableFuture<String> existing = inFlight.get();
+        if (existing != null) {
+            return existing;
         }
 
-        // This thread owns the exchange. Start it, wiring completion back to `promise`.
+        // This thread owns the exchange. Publish the promise so concurrent callers can join.
+        CompletableFuture<String> promise = new CompletableFuture<>();
+        inFlight.set(promise);
+
         try {
             exchangeToken().whenComplete((response, ex) -> {
+                // Completion runs asynchronously, outside the monitor. That's fine: state
+                // transitions here (snapshot, inFlight, promise) are each individually
+                // thread-safe, and the monitor only guards the decision to *start* an exchange.
                 if (ex != null) {
                     inFlight.set(null);
                     promise.completeExceptionally(ex);
@@ -75,14 +116,13 @@ public CompletableFuture<String> getAccessToken() throws FgaInvalidParameterExce
                     // Write snapshot before clearing the gate so any new caller that arrives
                     // after inFlight becomes null immediately sees a valid token.
                     snapshot.set(new AccessToken(token, Instant.now().plusSeconds(response.getExpiresInSeconds())));
-
-                    // Clear before completing
                     inFlight.set(null);
                     promise.complete(token);
                     telemetry.metrics().credentialsRequest(1L, new HashMap<>());
                 }
             });
         } catch (Exception e) {
+            // Synchronous failure to even dispatch the request: clear the gate and propagate.
             inFlight.set(null);
             promise.completeExceptionally(e);
             throw e;

src/test/java/dev/openfga/sdk/api/auth/OAuth2ClientTest.java

@@ -23,6 +23,7 @@
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Stream;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -209,6 +210,102 @@ void exchangeOAuth2Token_concurrentRequests_singleExchange(WireMockRuntimeInfo w
         verify(1, postRequestedFor(urlEqualTo("/oauth/token")));
     }
 
+    /**
+     * After a successful exchange, subsequent calls must hit the cached snapshot and avoid the
+     * network entirely. This guards the lock-free hot path in {@link OAuth2Client#getAccessToken()}.
+     */
+    @Test
+    void exchangeOAuth2Token_cachedAcrossCalls_noSecondRequest(WireMockRuntimeInfo wm) throws Exception {
+        stubFor(post(urlEqualTo("/oauth/token"))
+                .willReturn(ok(String.format("{\"access_token\":\"%s\",\"expires_in\":3600}", ACCESS_TOKEN))));
+
+        OAuth2Client client = newOAuth2Client(wm.getHttpBaseUrl(), false);
+
+        // Prime the cache.
+        assertEquals(ACCESS_TOKEN, client.getAccessToken().get());
+
+        // Many subsequent calls should all be served from the snapshot.
+        for (int i = 0; i < 20; i++) {
+            assertEquals(ACCESS_TOKEN, client.getAccessToken().get());
+        }
+
+        verify(1, postRequestedFor(urlEqualTo("/oauth/token")));
+    }
+
+    /**
+     * Deterministic regression test for the post-exchange race that the synchronized cold path
+     * is meant to close.
+     *
+     * <p>Race being pinned: thread A reads an invalid snapshot, parks; thread B completes a full
+     * exchange (writes snapshot, clears the in-flight gate); thread A then reaches the
+     * acquisition gate. With the original CAS-only logic, A would have started a redundant
+     * second exchange. With the synchronized re-check, A must observe the freshly-written
+     * snapshot and return the cached token without contacting the IdP.
+     *
+     * <p>Determinism is achieved via a package-private {@code beforeAcquireHook} test seam in
+     * {@link OAuth2Client}: thread A is parked at the hook between its lock-free snapshot read
+     * and the synchronized gate; thread B runs end-to-end with the hook disarmed; A is then
+     * released. No sleeps, no thread-scheduling assumptions.
+     *
+     * <p>Asserts: exactly one HTTP exchange total, both threads receive the same token.
+     */
+    @Test
+    void exchangeOAuth2Token_postCompletionRace_noSecondExchange(WireMockRuntimeInfo wm) throws Exception {
+        stubFor(post(urlEqualTo("/oauth/token"))
+                .willReturn(ok(String.format("{\"access_token\":\"%s\",\"expires_in\":3600}", ACCESS_TOKEN))));
+
+        OAuth2Client client = newOAuth2Client(wm.getHttpBaseUrl(), false);
+
+        CountDownLatch threadAParked = new CountDownLatch(1);
+        CountDownLatch releaseThreadA = new CountDownLatch(1);
+
+        // Arm the hook: the next caller (thread A) will park here right between its lock-free
+        // snapshot check and entering the synchronized gate.
+        client.beforeAcquireHook = () -> {
+            threadAParked.countDown();
+            try {
+                if (!releaseThreadA.await(5, TimeUnit.SECONDS)) {
+                    throw new IllegalStateException("thread A was never released");
+                }
+            } catch (InterruptedException e) {
+                Thread.currentThread().interrupt();
+                throw new RuntimeException(e);
+            }
+        };
+
+        // Thread A: enters, sees invalid snapshot, parks at the hook.
+        AtomicReference<String> tokenA = new AtomicReference<>();
+        AtomicReference<Throwable> failureA = new AtomicReference<>();
+        Thread a = new Thread(() -> {
+            try {
+                tokenA.set(client.getAccessToken().get(5, TimeUnit.SECONDS));
+            } catch (Throwable t) {
+                failureA.set(t);
+            }
+        }, "race-thread-A");
+        a.start();
+
+        assertTrue(threadAParked.await(2, TimeUnit.SECONDS), "thread A never reached the hook");
+
+        // Disarm the hook so thread B (this thread) is *not* trapped, then perform a full
+        // exchange end-to-end. After this returns: snapshot is valid, inFlight is null.
+        client.beforeAcquireHook = OAuth2Client.NO_OP_HOOK;
+        String tokenB = client.getAccessToken().get(5, TimeUnit.SECONDS);
+        assertEquals(ACCESS_TOKEN, tokenB);
+        verify(1, postRequestedFor(urlEqualTo("/oauth/token")));
+
+        // Now release A. It will enter acquireToken() in *exactly* the post-completion state
+        // (snapshot valid, inFlight null) that the original CAS-only code mishandled.
+        releaseThreadA.countDown();
+        a.join(5_000);
+        assertFalse(a.isAlive(), "thread A did not finish");
+        assertNull(failureA.get(), "thread A threw");
+        assertEquals(ACCESS_TOKEN, tokenA.get());
+
+        // The decisive assertion: A must NOT have triggered a second exchange.
+        verify(1, postRequestedFor(urlEqualTo("/oauth/token")));
+    }
+
     @Test
     public void apiTokenIssuer_invalidScheme() {
         // When

tla/.gitignore

@@ -0,0 +1,10 @@
+# TLA+ tools jar — download on demand, see README
+tla2tools.jar
+
+# TLC working directories
+states/
+*.old
+
+# Default cfg auto-written by pcal.trans (we use named cfgs instead)
+OAuth2Client.cfg
+

tla/OAuth2Client.tla

@@ -0,0 +1,160 @@
+--------------------------- MODULE OAuth2Client ---------------------------
+EXTENDS Naturals, FiniteSets, TLC
+
+CONSTANTS Threads, BUGGY
+
+ASSUME Cardinality(Threads) >= 2
+
+NONE == 0
+
+(* --algorithm OAuth2Client {
+  variables
+    valid      = FALSE,
+    inFlight   = NONE,
+    monitor    = NONE,
+    exchanges  = 0,
+    tokens     = [t \in Threads |-> 0];
+
+  define {
+    AtMostOneExchange == exchanges <= 1
+    AllDone           == \A t \in Threads : tokens[t] = 1
+  }
+
+  process (Thr \in Threads)
+  variables joined = NONE;
+  {
+    HotPath:
+      if (valid) {
+        tokens[self] := 1;
+        goto Finish;
+      };
+
+    Acquire:
+      await monitor = NONE;
+      monitor := self;
+
+    UnderMonitor:
+      if (~BUGGY /\ valid) {
+        monitor := NONE;
+        tokens[self] := 1;
+        goto Finish;
+      } else if (inFlight # NONE) {
+        joined := inFlight;
+        monitor := NONE;
+        goto AwaitJoined;
+      } else {
+        inFlight := self;
+        exchanges := exchanges + 1;
+        monitor := NONE;
+        goto DoExchange;
+      };
+
+    DoExchange:
+      valid := TRUE;
+      inFlight := NONE;
+      tokens[self] := 1;
+      goto Finish;
+
+    AwaitJoined:
+      await valid;
+      tokens[self] := 1;
+      goto Finish;
+
+    Finish: skip;
+  }
+}
+*)
+\* BEGIN TRANSLATION
+VARIABLES valid, inFlight, monitor, exchanges, tokens, pc
+
+(* define statement *)
+AtMostOneExchange == exchanges <= 1
+AllDone           == \A t \in Threads : tokens[t] = 1
+
+VARIABLE joined
+
+vars == << valid, inFlight, monitor, exchanges, tokens, pc, joined >>
+
+ProcSet == (Threads)
+
+Init == (* Global variables *)
+        /\ valid = FALSE
+        /\ inFlight = NONE
+        /\ monitor = NONE
+        /\ exchanges = 0
+        /\ tokens = [t \in Threads |-> 0]
+        (* Process Thr *)
+        /\ joined = [self \in Threads |-> NONE]
+        /\ pc = [self \in ProcSet |-> "HotPath"]
+
+HotPath(self) == /\ pc[self] = "HotPath"
+                 /\ IF valid
+                       THEN /\ tokens' = [tokens EXCEPT ![self] = 1]
+                            /\ pc' = [pc EXCEPT ![self] = "Finish"]
+                       ELSE /\ pc' = [pc EXCEPT ![self] = "Acquire"]
+                            /\ UNCHANGED tokens
+                 /\ UNCHANGED << valid, inFlight, monitor, exchanges, joined >>
+
+Acquire(self) == /\ pc[self] = "Acquire"
+                 /\ monitor = NONE
+                 /\ monitor' = self
+                 /\ pc' = [pc EXCEPT ![self] = "UnderMonitor"]
+                 /\ UNCHANGED << valid, inFlight, exchanges, tokens, joined >>
+
+UnderMonitor(self) == /\ pc[self] = "UnderMonitor"
+                      /\ IF ~BUGGY /\ valid
+                            THEN /\ monitor' = NONE
+                                 /\ tokens' = [tokens EXCEPT ![self] = 1]
+                                 /\ pc' = [pc EXCEPT ![self] = "Finish"]
+                                 /\ UNCHANGED << inFlight, exchanges, joined >>
+                            ELSE /\ IF inFlight # NONE
+                                       THEN /\ joined' = [joined EXCEPT ![self] = inFlight]
+                                            /\ monitor' = NONE
+                                            /\ pc' = [pc EXCEPT ![self] = "AwaitJoined"]
+                                            /\ UNCHANGED << inFlight, 
+                                                            exchanges >>
+                                       ELSE /\ inFlight' = self
+                                            /\ exchanges' = exchanges + 1
+                                            /\ monitor' = NONE
+                                            /\ pc' = [pc EXCEPT ![self] = "DoExchange"]
+                                            /\ UNCHANGED joined
+                                 /\ UNCHANGED tokens
+                      /\ valid' = valid
+
+DoExchange(self) == /\ pc[self] = "DoExchange"
+                    /\ valid' = TRUE
+                    /\ inFlight' = NONE
+                    /\ tokens' = [tokens EXCEPT ![self] = 1]
+                    /\ pc' = [pc EXCEPT ![self] = "Finish"]
+                    /\ UNCHANGED << monitor, exchanges, joined >>
+
+AwaitJoined(self) == /\ pc[self] = "AwaitJoined"
+                     /\ valid
+                     /\ tokens' = [tokens EXCEPT ![self] = 1]
+                     /\ pc' = [pc EXCEPT ![self] = "Finish"]
+                     /\ UNCHANGED << valid, inFlight, monitor, exchanges, 
+                                     joined >>
+
+Finish(self) == /\ pc[self] = "Finish"
+                /\ TRUE
+                /\ pc' = [pc EXCEPT ![self] = "Done"]
+                /\ UNCHANGED << valid, inFlight, monitor, exchanges, tokens, 
+                                joined >>
+
+Thr(self) == HotPath(self) \/ Acquire(self) \/ UnderMonitor(self)
+                \/ DoExchange(self) \/ AwaitJoined(self) \/ Finish(self)
+
+(* Allow infinite stuttering to prevent deadlock on termination. *)
+Terminating == /\ \A self \in ProcSet: pc[self] = "Done"
+               /\ UNCHANGED vars
+
+Next == (\E self \in Threads: Thr(self))
+           \/ Terminating
+
+Spec == Init /\ [][Next]_vars
+
+Termination == <>(\A self \in ProcSet: pc[self] = "Done")
+
+\* END TRANSLATION
+=============================================================================
+