fix(auth): publish AuthenticationChangedEvent after releasing the auth lock

myieye · claude · myieye · commit 1078705a4869 · 2026-06-03T16:07:14.000+02:00
RemoveAccountAsync published AuthenticationChangedEvent while GetAuth still
held _authSemaphore. Subject.OnNext dispatches synchronously, so a subscriber
re-entering GetAuth/Logout would self-deadlock on the non-reentrant semaphore.
Mirror Logout: GetAuth now captures the result under the lock, releases, then
publishes outside it only when an account was removed.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/backend/FwLite/FwLiteShared.Tests/Auth/OAuthClientSilentRefreshTests.cs b/backend/FwLite/FwLiteShared.Tests/Auth/OAuthClientSilentRefreshTests.cs
@@ -58,6 +58,27 @@ public async Task InvalidGrant_RemovesAccountAndRaisesEvent()
         events.Should().ContainSingle().Which.Server.Should().Be(Server);
     }
 
+    // The AuthenticationChangedEvent must be published after _authSemaphore is released: Subject.OnNext
+    // dispatches synchronously, so a subscriber that re-enters a semaphore-taking auth method (here
+    // GetCurrentToken -> GetAuth) would self-deadlock on the non-reentrant semaphore if we published
+    // while still holding it. Re-entering synchronously and completing proves the lock is free.
+    [Fact]
+    public async Task RemoveAccount_PublishesEventAfterLockReleased()
+    {
+        var (client, _, eventBus, events) = BuildClient((_, _) =>
+            throw new MsalUiRequiredException("invalid_grant", "refresh token expired"));
+
+        bool? reentrantTokenWasNull = null;
+        eventBus.OnAuthenticationChanged.Subscribe(_ =>
+            reentrantTokenWasNull = client.GetCurrentToken().AsTask().GetAwaiter().GetResult() is null);
+
+        await client.GetAuth();
+
+        events.Should().ContainSingle("the event still fires exactly once");
+        reentrantTokenWasNull.Should().Be(true,
+            "the subscriber re-entered GetAuth synchronously without deadlocking, proving the publish happens after the lock is released");
+    }
+
     [Fact]
     public async Task Cancellation_KeepsCachedAccount()
     {
diff --git a/backend/FwLite/FwLiteShared/Auth/OAuthClient.cs b/backend/FwLite/FwLiteShared/Auth/OAuthClient.cs
@@ -179,6 +179,8 @@ public async Task Logout()
         {
             _authSemaphore.Release();
         }
+        //publish outside the lock: Subject.OnNext dispatches synchronously, so a subscriber that
+        //re-enters a GetAuth/Logout path would self-deadlock on the non-reentrant _authSemaphore.
         _globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));
     }
 
@@ -202,6 +204,8 @@ public async ValueTask<bool> IsSignedIn()
             return _authResult;
         }
 
+        var accountRemoved = false;
+        AuthenticationResult? result;
         await _authSemaphore.WaitAsync();
         try
         {
@@ -226,6 +230,7 @@ public async ValueTask<bool> IsSignedIn()
                     case SilentAuthFailureOutcome.RemoveAccount:
                         _logger.LogWarning(e, "Silent token acquisition failed with a non-recoverable error, logging out");
                         await RemoveAccountAsync(account);
+                        accountRemoved = true;
                         break;
                     case SilentAuthFailureOutcome.KeepCachedCredentials:
                         _logger.LogWarning(e, "Silent token acquisition failed with a transient or unknown error; keeping cached credentials");
@@ -241,12 +246,17 @@ public async ValueTask<bool> IsSignedIn()
                 }
             }
 
-            return _authResult;
+            //capture under the lock: after release a concurrent GetAuth could repopulate _authResult.
+            result = _authResult;
         }
         finally
         {
             _authSemaphore.Release();
         }
+
+        //publish outside the lock, as Logout does (see the rationale there).
+        if (accountRemoved) _globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));
+        return result;
     }
 
     //test seam — overridable so tests can stub the result without faking MSAL's builder chain.
@@ -273,11 +283,11 @@ internal enum SilentAuthFailureOutcome
         _ => SilentAuthFailureOutcome.KeepCachedCredentials,
     };
 
+    //caller is responsible for publishing AuthenticationChangedEvent after releasing _authSemaphore (see Logout).
     private async Task RemoveAccountAsync(IAccount account)
     {
         await _application.RemoveAsync(account);
         _authResult = null;
-        _globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));
     }
 
     public async Task<string?> GetCurrentName()

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,8 @@ public async Task Logout()`
`179`	`179`	`{`
`180`	`180`	`_authSemaphore.Release();`
`181`	`181`	`}`
	`182`	`+ //publish outside the lock: Subject.OnNext dispatches synchronously, so a subscriber that`
	`183`	`+ //re-enters a GetAuth/Logout path would self-deadlock on the non-reentrant _authSemaphore.`
`182`	`184`	`_globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));`
`183`	`185`	`}`
`184`	`186`
`@@ -202,6 +204,8 @@ public async ValueTask<bool> IsSignedIn()`
`202`	`204`	`return _authResult;`
`203`	`205`	`}`
`204`	`206`
	`207`	`+ var accountRemoved = false;`
	`208`	`+ AuthenticationResult? result;`
`205`	`209`	`await _authSemaphore.WaitAsync();`
`206`	`210`	`try`
`207`	`211`	`{`
`@@ -226,6 +230,7 @@ public async ValueTask<bool> IsSignedIn()`
`226`	`230`	`case SilentAuthFailureOutcome.RemoveAccount:`
`227`	`231`	`_logger.LogWarning(e, "Silent token acquisition failed with a non-recoverable error, logging out");`
`228`	`232`	`await RemoveAccountAsync(account);`
	`233`	`+ accountRemoved = true;`
`229`	`234`	`break;`
`230`	`235`	`case SilentAuthFailureOutcome.KeepCachedCredentials:`
`231`	`236`	`_logger.LogWarning(e, "Silent token acquisition failed with a transient or unknown error; keeping cached credentials");`
`@@ -241,12 +246,17 @@ public async ValueTask<bool> IsSignedIn()`
`241`	`246`	`}`
`242`	`247`	`}`
`243`	`248`
`244`		`- return _authResult;`
	`249`	`+ //capture under the lock: after release a concurrent GetAuth could repopulate _authResult.`
	`250`	`+ result = _authResult;`
`245`	`251`	`}`
`246`	`252`	`finally`
`247`	`253`	`{`
`248`	`254`	`_authSemaphore.Release();`
`249`	`255`	`}`
	`256`	`+`
	`257`	`+ //publish outside the lock, as Logout does (see the rationale there).`
	`258`	`+ if (accountRemoved) _globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));`
	`259`	`+ return result;`
`250`	`260`	`}`
`251`	`261`
`252`	`262`	`//test seam — overridable so tests can stub the result without faking MSAL's builder chain.`
`@@ -273,11 +283,11 @@ internal enum SilentAuthFailureOutcome`
`273`	`283`	`_ => SilentAuthFailureOutcome.KeepCachedCredentials,`
`274`	`284`	`};`
`275`	`285`
	`286`	`+ //caller is responsible for publishing AuthenticationChangedEvent after releasing _authSemaphore (see Logout).`
`276`	`287`	`private async Task RemoveAccountAsync(IAccount account)`
`277`	`288`	`{`
`278`	`289`	`await _application.RemoveAsync(account);`
`279`	`290`	`_authResult = null;`
`280`		`- _globalEventBus.PublishEvent(new AuthenticationChangedEvent(_lexboxServer));`
`281`	`291`	`}`
`282`	`292`
`283`	`293`	`public async Task<string?> GetCurrentName()`