using FIRAllocatedUnfairLock type to combine token and its lock

srushtisv · srushtisv · commit 7ac16e25c9cb · 2025-06-23T15:20:21.000+05:30
diff --git a/FirebaseAuth/Sources/Swift/Auth/Auth.swift b/FirebaseAuth/Sources/Swift/Auth/Auth.swift
@@ -18,6 +18,7 @@ import FirebaseAppCheckInterop
 import FirebaseAuthInterop
 import FirebaseCore
 import FirebaseCoreExtension
+import FirebaseCoreInternal
 #if COCOAPODS
   internal import GoogleUtilities
 #else
@@ -88,21 +89,30 @@ extension Auth: AuthInterop {
         return
       }
       /// Before checking for a standard user, check if we are in a token-only session established
-      /// by a successful `exchangeToken` call.
-      let rGCIPToken = self.rGCIPStateLock.withLock { self._rGCIPFirebaseToken }
+      /// by a successful exchangeToken call.
+      let rGCIPToken = self.rGCIPFirebaseTokenLock.withLock { $0 }
 
       if let token = rGCIPToken {
-        /// If a token exists, this session is active. Check for expiration.
-        if forceRefresh || token.expirationDate < Date() {
-          let errorMessage = forceRefresh ? "A new token was requested via forceRefresh." :
-            "The session token has expired."
-          let error = AuthErrorUtils.userTokenExpiredError(message: errorMessage)
+        /// Logic for tokens obtained via exchangeToken (R-GCIP mode)
+        if token.expirationDate < Date() {
+          /// Token expired
+          let error = AuthErrorUtils
+            .userTokenExpiredError(
+              message: "The firebase access token obtained via exchangeToken() has expired."
+            )
+          Auth.wrapMainAsync(callback: callback, with: .failure(error))
+        } else if forceRefresh {
+          /// Token is not expired, but forceRefresh was requested which is currently unsupported
+          let error = AuthErrorUtils
+            .operationNotAllowedError(
+              message: "forceRefresh is not supported for firebase access tokens obtained via exchangeToken()."
+            )
           Auth.wrapMainAsync(callback: callback, with: .failure(error))
         } else {
-          /// The token is valid; return it.
+          /// The token is valid and not expired.
           Auth.wrapMainAsync(callback: callback, with: .success(token.token))
         }
-        /// Exit here to prevent falling through to the standard `currentUser` logic.
+        /// Exit here as this path is for rGCIPFirebaseToken only.
         return
       }
       /// Fallback to standard `currentUser` logic if not in token-only mode.
@@ -2312,9 +2322,7 @@ public struct FirebaseToken: Sendable {
         /// invalidated to prevent a conflicting auth state.
         /// Clear any R-GCIP session state when a standard user signs in. This ensures we exit
         /// Token-Only Mode.
-        self.rGCIPStateLock.withLock {
-          self._rGCIPFirebaseToken = nil
-        }
+        self.rGCIPFirebaseTokenLock.withLock { $0 = nil }
         /// ... rest of original function
         do {
           try self.updateCurrentUser(authResult.user, byForce: false, savingToDisk: true)
@@ -2497,16 +2505,13 @@ public struct FirebaseToken: Sendable {
 
   // MARK: - R-GCIP Token-Only Session State
 
-  /// The session token obtained from a successful `exchangeToken` call.
+  /// The session token obtained from a successful `exchangeToken` call, protected by a lock.
   ///
   /// This property is used to support a "token-only" authentication mode for Regionalized
   /// GCIP, where no `User` object is created. It is mutually exclusive with `_currentUser`.
-  /// If this property is non-nil, the `AuthInterop` layer will use it for token generation
+  /// If the wrapped value is non-nil, the `AuthInterop` layer will use it for token generation
   /// instead of relying on a `currentUser`.
-  private var _rGCIPFirebaseToken: FirebaseToken?
-
-  /// A lock to ensure thread-safe access to the R-GCIP token state.
-  private let rGCIPStateLock = NSLock()
+  private var rGCIPFirebaseTokenLock = FIRAllocatedUnfairLock<FirebaseToken?>(initialState: nil)
 }
 
 @available(iOS 13, *)
@@ -2558,14 +2563,14 @@ public extension Auth {
           token: response.firebaseToken,
           expirationDate: response.expirationDate
         )
-        self.rGCIPStateLock.withLock {
+        self.rGCIPFirebaseTokenLock.withLock { token in
           // Activating token-only mode requires two steps:
           // 1. Ensure no standard user is active, as these states are mutually exclusive.
           if self._currentUser != nil {
             try? self.signOut()
           }
-          // 2. Store the new session token for `getToken`.
-          self._rGCIPFirebaseToken = firebaseToken
+          // 2. Store the new session token for getToken.
+          token = firebaseToken
         }
         Auth.wrapMainAsync(callback: completion, with: .success(firebaseToken))
       } catch {
@@ -2612,11 +2617,11 @@ public extension Auth {
         token: response.firebaseToken,
         expirationDate: response.expirationDate
       )
-      rGCIPStateLock.withLock {
+      rGCIPFirebaseTokenLock.withLock { token in
         if self._currentUser != nil {
           try? self.signOut()
         }
-        self._rGCIPFirebaseToken = firebaseToken
+        token = firebaseToken
       }
       return firebaseToken
     } catch {
