This is an automated email from the ASF dual-hosted git repository.
liurenjie1024 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/iceberg-rust.git
The following commit(s) were added to refs/heads/main by this push:
new dc349284 refactor: Improve REST catalog's authenticate method (#1712)
dc349284 is described below
commit dc349284a4204c1a56af47fb3177ace6f9e899a0
Author: Raminder Singh <[email protected]>
AuthorDate: Mon Sep 29 16:28:29 2025 +0530
refactor: Improve REST catalog's authenticate method (#1712)
---
crates/catalog/rest/src/client.rs | 42 ++++++++++++++++++---------------------
1 file changed, 19 insertions(+), 23 deletions(-)
diff --git a/crates/catalog/rest/src/client.rs
b/crates/catalog/rest/src/client.rs
index 0b9af9b5..361c036b 100644
--- a/crates/catalog/rest/src/client.rs
+++ b/crates/catalog/rest/src/client.rs
@@ -193,15 +193,17 @@ impl HttpClient {
Ok(())
}
- /// Authenticate the request by filling token.
+ /// Authenticates the request by adding a bearer token to the
authorization header.
///
- /// - If neither token nor credential is provided, this method will do
nothing.
- /// - If only credential is provided, this method will try to fetch token
from the server.
- /// - If token is provided, this method will use the token directly.
+ /// This method supports three authentication modes:
///
- /// # TODO
+ /// 1. **No authentication** - Skip authentication when both `credential`
and `token` are missing.
+ /// 2. **Token authentication** - Use the provided `token` directly for
authentication.
+ /// 3. **OAuth authentication** - Exchange `credential` for a token, cache
it, then use it for authentication.
///
- /// Support refreshing token while needed.
+ /// When both `credential` and `token` are present, `token` takes
precedence.
+ ///
+ /// # TODO: Support automatic token refreshing.
async fn authenticate(&self, req: &mut Request) -> Result<()> {
// Clone the token from lock without holding the lock for entire
function.
let token = self.token.lock().await.clone();
@@ -210,24 +212,18 @@ impl HttpClient {
return Ok(());
}
- // Use token if provided.
- if let Some(token) = &token {
- req.headers_mut().insert(
- http::header::AUTHORIZATION,
- format!("Bearer {token}").parse().map_err(|e| {
- Error::new(
- ErrorKind::DataInvalid,
- "Invalid token received from catalog server!",
- )
- .with_source(e)
- })?,
- );
- return Ok(());
- }
+ // Either use the provided token or exchange credential for token,
cache and use that
+ let token = match token {
+ Some(token) => token,
+ None => {
+ let token = self.exchange_credential_for_token().await?;
+ // Update token so that we use it for next request instead of
+ // exchanging credential for token from the server again
+ *self.token.lock().await = Some(token.clone());
+ token
+ }
+ };
- let token = self.exchange_credential_for_token().await?;
- // Update token.
- *self.token.lock().await = Some(token.clone());
// Insert token in request.
req.headers_mut().insert(
http::header::AUTHORIZATION,
