Skip to content

fix: prevent token refresh thundering herd #333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rhamzeh merged 4 commits into from
Apr 28, 2026
+96 −1
Merged

fix: prevent token refresh thundering herd #333

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5f952ed
test: reproduce concurrent token refresh thundering herd
aaguiarz Feb 16, 2026
68527be
fix: deduplicate concurrent token refresh requests
aaguiarz Feb 16, 2026
76ba394
test: enforce single token exchange call with nock
aaguiarz Feb 16, 2026
b62bdd2
test: cover failed shared token refresh retry path
aaguiarz Feb 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion credentials/credentials.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ export class Credentials {
private accessToken?: string;
private accessTokenExpiryDate?: Date;
private accessTokenExpiryBufferInMs = 0;
private refreshAccessTokenPromise?: Promise<string | undefined>;

public static init(configuration: { credentials: AuthCredentialsConfig, telemetry: TelemetryConfiguration, baseOptions?: any }, axios: AxiosInstance = globalAxios): Credentials {
return new Credentials(configuration.credentials, axios, configuration.telemetry, configuration.baseOptions);
Expand Down Expand Up @@ -146,7 +147,13 @@ export class Credentials {
return this.accessToken;
}

return this.refreshAccessToken();
if (!this.refreshAccessTokenPromise) {
this.refreshAccessTokenPromise = this.refreshAccessToken().finally(() => {
this.refreshAccessTokenPromise = undefined;
});
}

return this.refreshAccessTokenPromise;
}
Comment thread
SoulPancake marked this conversation as resolved.
}
}
Expand Down
88 changes: 88 additions & 0 deletions tests/credentials.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -539,6 +539,94 @@ describe("Credentials", () => {
expect(scope.isDone()).toBe(true);
});

test("should send a single token request for concurrent access token reads", async () => {
const apiTokenIssuer = "issuer.fga.example";
const expectedBaseUrl = "https://issuer.fga.example";
const expectedPath = `/${DEFAULT_TOKEN_ENDPOINT_PATH}`;

const scope = nock(expectedBaseUrl)
.post(expectedPath)
.once()
.delay(20)
.reply(200, {
access_token: "shared-token",
expires_in: 300,
});

const credentials = new Credentials(
{
method: CredentialsMethod.ClientCredentials,
config: {
apiTokenIssuer,
apiAudience: OPENFGA_API_AUDIENCE,
clientId: OPENFGA_CLIENT_ID,
clientSecret: OPENFGA_CLIENT_SECRET,
},
} as AuthCredentialsConfig,
undefined,
mockTelemetryConfig,
);

const headers = await Promise.all(
Array.from({ length: 5 }, () => credentials.getAccessTokenHeader())
);

headers.forEach(header => {
expect(header?.value).toBe("Bearer shared-token");
});
expect(scope.isDone()).toBe(true);
});

test("should clear shared refresh promise after failure and retry on the next call", async () => {
const apiTokenIssuer = "issuer.fga.example";
const expectedBaseUrl = "https://issuer.fga.example";
const expectedPath = `/${DEFAULT_TOKEN_ENDPOINT_PATH}`;

const scope = nock(expectedBaseUrl)
.post(expectedPath)
.once()
.reply(404, {
code: "not_found",
message: "token exchange failed",
})
.post(expectedPath)
.once()
.reply(200, {
access_token: "recovered-token",
expires_in: 300,
});

const credentials = new Credentials(
{
method: CredentialsMethod.ClientCredentials,
config: {
apiTokenIssuer,
apiAudience: OPENFGA_API_AUDIENCE,
clientId: OPENFGA_CLIENT_ID,
clientSecret: OPENFGA_CLIENT_SECRET,
},
} as AuthCredentialsConfig,
undefined,
mockTelemetryConfig,
);

const results = await Promise.allSettled(
Array.from({ length: 5 }, () => credentials.getAccessTokenHeader())
);
const rejected = results.filter((result): result is PromiseRejectedResult => result.status === "rejected");

expect(rejected).toHaveLength(5);
expect(rejected[0].reason).toBe(rejected[1].reason);
expect(rejected[1].reason).toBe(rejected[2].reason);
expect(rejected[2].reason).toBe(rejected[3].reason);
expect(rejected[3].reason).toBe(rejected[4].reason);

const header = await credentials.getAccessTokenHeader();

expect(header?.value).toBe("Bearer recovered-token");
expect(scope.isDone()).toBe(true);
});

test("should refresh cached token when it is close to expiration", async () => {
const apiTokenIssuer = "issuer.fga.example";
const expectedBaseUrl = "https://issuer.fga.example";
Expand Down
Loading