feat: Add Storage.removeAll(), default minTTL of 60s, and fix @Ignore tests#918
Open
utkrishtsahu wants to merge 3 commits intov4_developmentfrom
Open
feat: Add Storage.removeAll(), default minTTL of 60s, and fix @Ignore tests#918utkrishtsahu wants to merge 3 commits intov4_developmentfrom
utkrishtsahu wants to merge 3 commits intov4_developmentfrom
Conversation
utkrishtsahu
changed the title
pmathew92
reviewed
Feb 20, 2026
| * This ensures the access token is valid for at least a short window after retrieval, | ||
| * preventing downstream API call failures from nearly-expired tokens. | ||
| */ | ||
| public const val DEFAULT_MIN_TTL: Int = 60 |
Contributor
There was a problem hiding this comment.
Updated the V4_Migration guide for this change. Refer the Swift one
pmathew92
reviewed
Feb 20, 2026
| /** | ||
| * Removes all values from the storage. | ||
| */ | ||
| public fun removeAll() |
Contributor
There was a problem hiding this comment.
Create a corresponding method in the BaseCredentialsManager class , which in turn calls this method. Implement the actual method in the CredentialsManager and SecureCredentialsManager class. Update the V4_ Migration guide with these changes
pmathew92
reviewed
Feb 20, 2026
| manager.setClock(object : Clock { | ||
| override fun getCurrentTimeMillis(): Long { | ||
| return CredentialsMock.CURRENT_TIME_MS - 1000 | ||
| return CredentialsMock.CURRENT_TIME_MS - (DEFAULT_MIN_TTL * 1000 + 1000) |
pmathew92
requested changes
Feb 20, 2026
pmathew92
reviewed
Feb 20, 2026
|
|
||
|
|
||
| //TODO: https://auth0team.atlassian.net/browse/SDK-7752 | ||
| @ConscryptMode(ConscryptMode.Mode.OFF) |
Contributor
There was a problem hiding this comment.
Lets not do this. This relies on BouncyCastle as Security Provider. We plan to remove the bouncyCastle dependency as part of the FedRevamp
pmathew92
reviewed
Feb 20, 2026
|
|
||
|
|
||
| // TODO: https://auth0team.atlassian.net/browse/SDK-7752 | ||
| @ConscryptMode(ConscryptMode.Mode.OFF) |
Contributor
There was a problem hiding this comment.
There was a problem hiding this comment.
Pull request overview
This PR updates the Auth0 Android SDK credential-management defaults and storage API, and stabilizes previously ignored WebAuth provider tests.
Changes:
- Introduces a default minimum TTL of 60s (
DEFAULT_MIN_TTL) for default/no-arg credential retrieval and validity checks to encourage proactive token renewal. - Adds
Storage.removeAll()and implements it forSharedPreferencesStorage(plus corresponding tests). - Re-enables two previously ignored
WebAuthProviderTestcases by switching them to a mockedNetworkingClientapproach and adding a Robolectric shadow implementation.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| auth0/src/main/java/com/auth0/android/authentication/storage/BaseCredentialsManager.kt | Adds DEFAULT_MIN_TTL and applies it to default API-credentials methods. |
| auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt | Updates default overloads to use DEFAULT_MIN_TTL. |
| auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt | Updates default overloads to use DEFAULT_MIN_TTL. |
| auth0/src/main/java/com/auth0/android/authentication/storage/Storage.kt | Adds new removeAll() API to the Storage interface. |
| auth0/src/main/java/com/auth0/android/authentication/storage/SharedPreferencesStorage.kt | Implements removeAll() via SharedPreferences.Editor.clear().apply(). |
| auth0/src/test/java/com/auth0/android/authentication/storage/SharedPreferencesStorageTest.java | Adds unit test coverage for removeAll(). |
| auth0/src/test/java/com/auth0/android/authentication/storage/CredentialsManagerTest.kt | Adds/adjusts tests for default minTTL behavior. |
| auth0/src/test/java/com/auth0/android/authentication/storage/SecureCredentialsManagerTest.kt | Adds/adjusts tests for default minTTL behavior. |
| auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt | Re-enables two tests using @ConscryptMode(OFF) and mocked JWKS networking. |
| auth0/src/test/java/com/auth0/android/request/internal/ThreadSwitcherShadow.java | Adds mainThread(Runnable) shadow implementation. |
| .github/actions/rl-scanner/action.yml | Updates RL wrapper install command and index URL. |
Comments suppressed due to low confidence (5)
auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt:247
- The KDoc for the no-arg
awaitCredentials()still states credentials are refreshed only when already expired, but this overload now usesDEFAULT_MIN_TTLand can renew credentials that are about to expire as well. Please update the documentation of this overload to reflect the new default minTTL behavior.
*/
@JvmSynthetic
@Throws(CredentialsManagerException::class)
override suspend fun awaitCredentials(): Credentials {
return awaitCredentials(null, DEFAULT_MIN_TTL)
auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt:393
- The KDoc for the no-arg
getCredentials(callback)overload still says credentials are refreshed only when already expired, but this overload now defaults toDEFAULT_MIN_TTLand may renew credentials that are close to expiring. Please adjust the documentation for this overload to mention the default minTTL behavior (and what it implies for renewal).
*
* @param callback the callback that will receive a valid [Credentials] or the [CredentialsManagerException].
*/
override fun getCredentials(callback: Callback<Credentials, CredentialsManagerException>) {
getCredentials(null, DEFAULT_MIN_TTL, callback)
auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt:705
- The KDoc for
hasValidCredentials()currently describes only "non-expired" credentials, but the no-arg overload now defaults toDEFAULT_MIN_TTLand can returnfalsefor access tokens that are not yet expired but will expire within the default TTL window (when no refresh token is available). Please update the documentation to reflect that this overload enforces a default minimum remaining TTL.
*
* @return whether there are valid credentials stored on this manager.
*/
override fun hasValidCredentials(): Boolean {
return hasValidCredentials(DEFAULT_MIN_TTL.toLong())
auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt:782
- The KDoc for the no-arg
hasValidCredentials()describes only "non-expired" credentials, but this overload now defaults toDEFAULT_MIN_TTLand can returnfalsefor tokens that are not yet expired but will expire within the default TTL window (when they can't be refreshed). Please update this documentation to mention the default minTTL behavior.
* Returns whether this manager contains a valid non-expired pair of credentials.
*
* @return whether this manager contains a valid non-expired pair of credentials or not.
*/
override fun hasValidCredentials(): Boolean {
return hasValidCredentials(DEFAULT_MIN_TTL.toLong())
.github/actions/rl-scanner/action.yml:36
pip install rl-wrapperis now unpinned (previously had a lower-bound constraint). Installing an unpinned dependency in CI can make builds non-reproducible and unexpectedly break when a new version is released. Consider pinning to an exact version (or at least a compatible range) and/or documenting why floating to latest is required.
- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python/simple"
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /** | ||
| * Removes all values from the storage. | ||
| */ | ||
| public fun removeAll() |
There was a problem hiding this comment.
Adding removeAll() as an abstract method to the public Storage interface is a breaking API change for any external/custom Storage implementations (source-breaking for Kotlin, and can lead to AbstractMethodError at runtime for already-compiled implementations). Consider introducing a new sub-interface (e.g., ClearableStorage), providing a backward-compatible alternative (e.g., an extension function), and/or documenting this as a breaking change in the appropriate migration guide/changelog.
Suggested change
| public fun removeAll() | |
| public fun removeAll() { } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
minTTLfor credential retrieval (DEFAULT_MIN_TTL = 60)BaseCredentialsManager2. Storage.removeAll() API
removeAll()API to the Storage interfaceSharedPreferencesStoragevia SharedPreferences.Editor.clear().apply()3. Fix 2 @ignored tests in WebAuthProviderTest
Testing
Build sucessul
UT passed
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors