KTOR-8107 Don't add auth header for requests with AuthCircuitBreaker attribute (#4815)

okalman · web-flow · commit d491930dd1fa · 2025-04-29T14:05:54.000+02:00
diff --git a/ktor-client/ktor-client-plugins/ktor-client-auth/common/src/io/ktor/client/plugins/auth/providers/BearerAuthProvider.kt b/ktor-client/ktor-client-plugins/ktor-client-auth/common/src/io/ktor/client/plugins/auth/providers/BearerAuthProvider.kt
@@ -151,7 +151,9 @@ public class BearerAuthProvider(
             if (contains(HttpHeaders.Authorization)) {
                 remove(HttpHeaders.Authorization)
             }
-            append(HttpHeaders.Authorization, tokenValue)
+            if (request.attributes.contains(AuthCircuitBreaker).not()) {
+                append(HttpHeaders.Authorization, tokenValue)
+            }
         }
     }
 
diff --git a/ktor-client/ktor-client-plugins/ktor-client-auth/common/test/io/ktor/client/plugins/auth/AuthTest.kt b/ktor-client/ktor-client-plugins/ktor-client-auth/common/test/io/ktor/client/plugins/auth/AuthTest.kt
@@ -765,4 +765,40 @@ class AuthTest : ClientLoader() {
             }
         }
     }
+
+    @Test
+    fun testBearerAuthWithCircuitBreaker() = testWithEngine(MockEngine) {
+        config {
+            install(Auth) {
+                bearer {
+                    loadTokens { BearerTokens("invalid", null) }
+                }
+            }
+            engine {
+                addHandler { request ->
+                    val authHeader = request.headers[HttpHeaders.Authorization]
+                    if (authHeader == null) {
+                        // no header - this is expected for refresh token requests
+                        respond("OK", HttpStatusCode.OK)
+                    } else {
+                        // header is invalid throw unauthorized
+                        respond("No Auth Header", HttpStatusCode.Unauthorized)
+                    }
+                }
+            }
+        }
+
+        test { client ->
+            // Test without circuit breaker - should add auth header with invalid token
+            val response1 = client.get("/")
+            assertEquals(HttpStatusCode.Unauthorized, response1.status)
+
+            // Test with circuit breaker - should not add auth header
+            val response2 = client.get("/") {
+                // add AuthCircuitBreaker like any refresh token request would have
+                attributes.put(AuthCircuitBreaker, Unit)
+            }
+            assertEquals(HttpStatusCode.OK, response2.status)
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,9 @@ public class BearerAuthProvider(`
`151`	`151`	`if (contains(HttpHeaders.Authorization)) {`
`152`	`152`	`remove(HttpHeaders.Authorization)`
`153`	`153`	`}`
`154`		`- append(HttpHeaders.Authorization, tokenValue)`
	`154`	`+ if (request.attributes.contains(AuthCircuitBreaker).not()) {`
	`155`	`+ append(HttpHeaders.Authorization, tokenValue)`
	`156`	`+ }`
`155`	`157`	`}`
`156`	`158`	`}`
`157`	`159`