Improve tokens.

SebastianStehle · SebastianStehle · commit 3aa707985fcb · 2026-01-20T17:42:44.000+01:00
diff --git a/csharp/Squidex.ClientLibrary/Directory.Build.props b/csharp/Squidex.ClientLibrary/Directory.Build.props
@@ -15,7 +15,7 @@
     <PackageTags>Squidex HeadlessCMS</PackageTags>
     <PublishRepositoryUrl>true</PublishRepositoryUrl>
     <SymbolPackageFormat>snupkg</SymbolPackageFormat>
-    <Version>22.1.0</Version>
+    <Version>22.2.0</Version>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(GITHUB_ACTIONS)' == 'true'">
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/ApiKeyAuthTokenTests.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/ApiKeyAuthTokenTests.cs
@@ -0,0 +1,29 @@
+﻿// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+namespace Squidex.ClientLibrary.Tests;
+
+public class ApiKeyAuthTokenTests
+{
+    [Fact]
+    public void Should_serialize_as_header()
+    {
+        var sut = new ApiKeyAuthToken("MyApp", "MyKey");
+
+        var header = sut.SerializeAsHeader();
+        Assert.Equal(("Authorization", "ApiKey MyApp:MyKey"), header);
+    }
+
+    [Fact]
+    public void Should_serialize_as_query()
+    {
+        var sut = new ApiKeyAuthToken("MyApp", "MyKey");
+
+        var header = sut.SerializeAsQuery();
+        Assert.Equal(("api_key", "MyApp%3AMyKey"), header);
+    }
+}
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BasicClientServiceTests.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BasicClientServiceTests.cs
@@ -80,7 +80,7 @@ public async Task Should_not_try_authenticate_again_if_it_failed(int retryHours,
 
     private class CountUrlHandler : DelegatingHandler
     {
-        public Dictionary<string, int> Counts { get; private set; } = new Dictionary<string, int>();
+        public Dictionary<string, int> Counts { get; private set; } = [];
 
         protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
             CancellationToken cancellationToken)
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BasicClientTests.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BasicClientTests.cs
@@ -46,8 +46,8 @@ public async Task Should_get_content()
     [Fact(Skip = "No permissions.")]
     public async Task Should_get_content_with_invalid_token_for_anonymous_access()
     {
-        ((CachingAuthenticator)sut.Options.Authenticator).SetToCache(sut.Options.AppName,
-            new AuthToken("Authorization", "Bearer TOKEN"), DateTimeOffset.MaxValue);
+        ((CachingAuthenticator)sut.Options.Authenticator)
+            .SetToCache(sut.Options.AppName, new BearerAuthToken("TOKEN"), DateTimeOffset.MaxValue);
 
         var result = await sut.DynamicContents("blog").GetAsync();
 
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BearerAuthTokenTests.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary.Tests/BearerAuthTokenTests.cs
@@ -0,0 +1,29 @@
+﻿// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+namespace Squidex.ClientLibrary.Tests;
+
+public class BearerAuthTokenTests
+{
+    [Fact]
+    public void Should_serialize_as_header()
+    {
+        var sut = new BearerAuthToken("MyToken");
+
+        var header = sut.SerializeAsHeader();
+        Assert.Equal(("Authorization", "Bearer MyToken"), header);
+    }
+
+    [Fact]
+    public void Should_serialize_as_query()
+    {
+        var sut = new BearerAuthToken("MyToken");
+
+        var header = sut.SerializeAsQuery();
+        Assert.Equal(("access_token", "MyToken"), header);
+    }
+}
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/ApiKeyAuthToken.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/ApiKeyAuthToken.cs
@@ -0,0 +1,53 @@
+﻿// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using Squidex.Assets.Internal;
+
+namespace Squidex.ClientLibrary;
+
+/// <summary>
+/// A ApiKey auth token.
+/// </summary>
+public sealed class ApiKeyAuthToken : AuthToken
+{
+    /// <summary>
+    /// The app name.
+    /// </summary>
+    public string AppName { get; }
+
+    /// <summary>
+    /// The bearer token.
+    /// </summary>
+    public string Value { get; }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ApiKeyAuthToken" /> class with all properties.
+    /// </summary>
+    /// <param name="appName">The app name.</param>
+    /// <param name="value">The APIKey.</param>
+    public ApiKeyAuthToken(string appName, string value)
+    {
+        Guard.NotNullOrEmpty(appName, nameof(appName));
+        Guard.NotNullOrEmpty(value, nameof(value));
+
+        AppName = appName;
+
+        Value = value;
+    }
+
+    /// <inheritdoc />
+    public override (string Name, string Value) SerializeAsQuery()
+    {
+        return ("api_key", Uri.EscapeDataString($"{AppName}:{Value}"));
+    }
+
+    /// <inheritdoc />
+    public override (string Name, string Value) SerializeAsHeader()
+    {
+        return ("Authorization", $"ApiKey {AppName}:{Value}");
+    }
+}
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/AuthToken.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/AuthToken.cs
@@ -12,29 +12,17 @@ namespace Squidex.ClientLibrary;
 /// <summary>
 /// The API key for authentication.
 /// </summary>
-public sealed class AuthToken
+public abstract class AuthToken
 {
     /// <summary>
-    /// Gets the header name.
+    /// Serializes the header value.
     /// </summary>
-    public string HeaderName { get; }
+    /// <returns>The header value.</returns>
+    public abstract (string Name, string Value) SerializeAsHeader();
 
     /// <summary>
-    /// Gets the header value.
+    /// Serializes the query string value.
     /// </summary>
-    public string HeaderValue { get; }
-
-    /// <summary>
-    /// Initializes a new instance of the <see cref="AuthToken" /> class with all properties.
-    /// </summary>
-    /// <param name="headerName">The header name. Cannot be null or empty.</param>
-    /// <param name="headerValue">The header value. Cannot be null or empty.</param>
-    public AuthToken(string headerName, string headerValue)
-    {
-        Guard.NotNullOrEmpty(headerName, nameof(headerName));
-        Guard.NotNullOrEmpty(headerValue, nameof(headerValue));
-
-        HeaderName = headerName;
-        HeaderValue = headerValue;
-    }
+    /// <returns>The query string value.</returns>
+    public abstract (string Name, string Value) SerializeAsQuery();
 }
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/BearerAuthToken.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/BearerAuthToken.cs
@@ -0,0 +1,44 @@
+﻿// ==========================================================================
+//  Squidex Headless CMS
+// ==========================================================================
+//  Copyright (c) Squidex UG (haftungsbeschraenkt)
+//  All rights reserved. Licensed under the MIT license.
+// ==========================================================================
+
+using Squidex.Assets.Internal;
+
+namespace Squidex.ClientLibrary;
+
+/// <summary>
+/// A bearer auth token.
+/// </summary>
+public sealed class BearerAuthToken : AuthToken
+{
+    /// <summary>
+    /// The bearer token.
+    /// </summary>
+    public string Value { get; }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="BearerAuthToken" /> class with all properties.
+    /// </summary>
+    /// <param name="value">The token.</param>
+    public BearerAuthToken(string value)
+    {
+        Guard.NotNullOrEmpty(value, nameof(value));
+
+        Value = value;
+    }
+
+    /// <inheritdoc />
+    public override (string Name, string Value) SerializeAsHeader()
+    {
+        return ("Authorization", $"Bearer {Value}");
+    }
+
+    /// <inheritdoc />
+    public override (string Name, string Value) SerializeAsQuery()
+    {
+        return ("access_token", Value);
+    }
+}
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Configuration/ApiKeyAuthenticator.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Configuration/ApiKeyAuthenticator.cs
@@ -10,8 +10,7 @@ namespace Squidex.ClientLibrary.Configuration;
 internal sealed class ApiKeyAuthenticator(string appName, string apiKey) : IAuthenticator
 {
     private readonly Task<AuthToken> token =
-        Task.FromResult(
-            new AuthToken("Authorization", $"ApiKey {appName}:{apiKey}"));
+        Task.FromResult<AuthToken>(new ApiKeyAuthToken(appName, apiKey));
 
     public Task<AuthToken> GetAuthTokenAsync(string appName, CancellationToken ct)
     {
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Configuration/Authenticator.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Configuration/Authenticator.cs
@@ -85,7 +85,7 @@ public async Task<AuthToken> GetAuthTokenAsync(string appName,
 #endif
         var jsonToken = JToken.Parse(jsonString);
 
-        return new AuthToken("Authorization", $"Bearer {jsonToken["access_token"]!}");
+        return new BearerAuthToken($"{jsonToken["access_token"]!}");
     }
 
     private void StorePreviousAttempt(string clientId, string clientSecret, Exception exception)
diff --git a/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Utils/AuthenticatingHttpMessageHandler.cs b/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Utils/AuthenticatingHttpMessageHandler.cs
@@ -50,7 +50,8 @@ private async Task<HttpResponseMessage> InterceptAsync(HttpRequestMessage reques
     {
         var token = await options.Authenticator.GetAuthTokenAsync(options.AppName, cancellationToken);
 
-        request.Headers.TryAddWithoutValidation(token.HeaderName, token.HeaderValue);
+        var (name, value) = token.SerializeAsHeader();
+        request.Headers.TryAddWithoutValidation(name, value);
 
         var response = await base.SendAsync(request, cancellationToken);
         if (response.StatusCode == HttpStatusCode.Unauthorized)

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ public async Task Should_not_try_authenticate_again_if_it_failed(int retryHours,`
`80`	`80`
`81`	`81`	`private class CountUrlHandler : DelegatingHandler`
`82`	`82`	`{`
`83`		`- public Dictionary<string, int> Counts { get; private set; } = new Dictionary<string, int>();`
	`83`	`+ public Dictionary<string, int> Counts { get; private set; } = [];`
`84`	`84`
`85`	`85`	`protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,`
`86`	`86`	`CancellationToken cancellationToken)`
Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,8 @@ public async Task Should_get_content()`
`46`	`46`	`[Fact(Skip = "No permissions.")]`
`47`	`47`	`public async Task Should_get_content_with_invalid_token_for_anonymous_access()`
`48`	`48`	`{`
`49`		`- ((CachingAuthenticator)sut.Options.Authenticator).SetToCache(sut.Options.AppName,`
`50`		`- new AuthToken("Authorization", "Bearer TOKEN"), DateTimeOffset.MaxValue);`
	`49`	`+ ((CachingAuthenticator)sut.Options.Authenticator)`
	`50`	`+ .SetToCache(sut.Options.AppName, new BearerAuthToken("TOKEN"), DateTimeOffset.MaxValue);`
`51`	`51`
`52`	`52`	`var result = await sut.DynamicContents("blog").GetAsync();`
`53`	`53`
Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,7 @@ namespace Squidex.ClientLibrary.Configuration;`
`10`	`10`	`internal sealed class ApiKeyAuthenticator(string appName, string apiKey) : IAuthenticator`
`11`	`11`	`{`
`12`	`12`	`private readonly Task<AuthToken> token =`
`13`		`- Task.FromResult(`
`14`		`- new AuthToken("Authorization", $"ApiKey {appName}:{apiKey}"));`
	`13`	`+ Task.FromResult<AuthToken>(new ApiKeyAuthToken(appName, apiKey));`
`15`	`14`
`16`	`15`	`public Task<AuthToken> GetAuthTokenAsync(string appName, CancellationToken ct)`
`17`	`16`	`{`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ public async Task<AuthToken> GetAuthTokenAsync(string appName,`
`85`	`85`	`#endif`
`86`	`86`	`var jsonToken = JToken.Parse(jsonString);`
`87`	`87`
`88`		`- return new AuthToken("Authorization", $"Bearer {jsonToken["access_token"]!}");`
	`88`	`+ return new BearerAuthToken($"{jsonToken["access_token"]!}");`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`private void StorePreviousAttempt(string clientId, string clientSecret, Exception exception)`