fix: address all PR review comments

- HTTPClient: replace isRefreshing bool with shared Task to safely coalesce concurrent 401 refresh attempts; surface JSON serialization error instead of silently dropping request body - AuthService.logout: always clear Keychain tokens via defer, even when refresh token is absent, preventing stale access token - NotificationsAPIService: remove updateAppBadge (UIKit call moved to @MainActor NotificationsViewModel); drop unused UIKit import - NotificationsViewModel: guard startPolling() against duplicate tasks; update badge directly on @MainActor instead of hopping to actor - VerifyEmailView: replace Timer (never invalidated) with async Task cancelled in .onDisappear - NotificationsView: use Text(date, style: .relative) — auto-updates without custom formatter; remove duplicate Date extension - SettingsView: handle logoutAll errors explicitly with alert instead of silently proceeding with local logout - MaydayLiveActivity/Info.plist: add NSExtensionPrincipalClass so the widget extension is discoverable by the system - Live Activity widget: replace frozen duration(from:) with Text(date, style: .timer); replace frozen relativeFormatted with Text(date, style: .relative); localize status badge to Russian Co-authored-by: robonen <26167508+robonen@users.noreply.github.com>
2026-03-13 23:29:19 +00:00
parent 9259a3693a
commit 597787a6c9
9 changed files with 91 additions and 78 deletions
@@ -52,9 +52,11 @@ actor AuthService {
    }

    func logout() async throws {
+        // Always clear local tokens, regardless of whether the network call succeeds,
+        // to avoid leaving a stale access token in Keychain.
+        defer { keychain.clearTokens() }
        guard let refreshToken = keychain.loadRefreshToken() else { return }
        let _: EmptyResponse = try await client.request(.logout(refreshToken: refreshToken))
-        keychain.clearTokens()
    }

    func getMe() async throws -> UserResponse {
@@ -122,7 +122,8 @@ actor HTTPClient {

    private let baseURL: String
    private let keychain = KeychainService.shared
-    private var isRefreshing = false
+    // Single in-flight refresh task; concurrent 401s await this rather than racing.
+    private var refreshTask: Task<Void, Error>?

    private init() {
        #if DEBUG
@@ -133,8 +134,7 @@ actor HTTPClient {
    }

    func request<T: Decodable>(_ endpoint: Endpoint) async throws -> T {
-        let response: T = try await performRequest(endpoint, retryOnUnauthorized: endpoint.requiresAuth)
-        return response
+        try await performRequest(endpoint, retryOnUnauthorized: endpoint.requiresAuth)
    }

    private func performRequest<T: Decodable>(_ endpoint: Endpoint, retryOnUnauthorized: Bool) async throws -> T {
@@ -160,7 +160,11 @@ actor HTTPClient {
                    urlRequest.url = components.url
                }
            } else {
-                urlRequest.httpBody = try? JSONSerialization.data(withJSONObject: body)
+                do {
+                    urlRequest.httpBody = try JSONSerialization.data(withJSONObject: body)
+                } catch {
+                    throw APIError.networkError(error)
+                }
            }
        }

@@ -175,10 +179,12 @@ actor HTTPClient {
            throw APIError.networkError(URLError(.badServerResponse))
        }

-        if httpResponse.statusCode == 401 && retryOnUnauthorized && !isRefreshing {
-            isRefreshing = true
-            defer { isRefreshing = false }
-            try await refreshTokens()
+        if httpResponse.statusCode == 401 && retryOnUnauthorized {
+            do {
+                try await ensureTokenRefreshed()
+            } catch {
+                throw APIError.unauthorized
+            }
            return try await performRequest(endpoint, retryOnUnauthorized: false)
        }

@@ -210,15 +216,35 @@ actor HTTPClient {
        }
    }

-    private func refreshTokens() async throws {
+    /// Ensures tokens are refreshed exactly once even when multiple requests receive 401
+    /// concurrently. All callers await the same Task; only one network request is made.
+    private func ensureTokenRefreshed() async throws {
+        if let existing = refreshTask {
+            try await existing.value
+            return
+        }
+
        guard let refreshToken = keychain.loadRefreshToken() else {
+            keychain.clearTokens()
            throw APIError.unauthorized
        }
-        let response: TokenRefreshResponse = try await performRequest(
-            .refresh(refreshToken: refreshToken),
-            retryOnUnauthorized: false
-        )
-        try keychain.saveTokens(response.tokens)
+
+        let task = Task<Void, Error> {
+            let response: TokenRefreshResponse = try await self.performRequest(
+                .refresh(refreshToken: refreshToken),
+                retryOnUnauthorized: false
+            )
+            try self.keychain.saveTokens(response.tokens)
+        }
+        refreshTask = task
+        do {
+            try await task.value
+            refreshTask = nil
+        } catch {
+            refreshTask = nil
+            keychain.clearTokens()
+            throw error
+        }
    }
 }

@@ -1,5 +1,4 @@
 import Foundation
-import UIKit

 actor NotificationsAPIService {
    static let shared = NotificationsAPIService()
@@ -31,10 +30,6 @@ actor NotificationsAPIService {
    func changePassword(current: String, new: String) async throws -> UserResponse {
        try await client.request(.changePassword(current: current, new: new))
    }
-
-    func updateAppBadge(_ count: Int) async {
-        await UIApplication.shared.setApplicationIconBadgeNumber(count)
-    }
 }

 struct LogoutAllResponse: Decodable {