LG-9449: Prevent ArcGIS Token Expiration

app/jobs/arcgis_token_job.rb

@@ -0,0 +1,26 @@
+class ArcgisTokenJob < ApplicationJob
+  queue_as :default
+
+  def perform
+    analytics.idv_arcgis_token_job_started
+    token_keeper.refresh_token
+    return true
+  ensure
+    analytics.idv_arcgis_token_job_completed
+  end
+
+  private
+
+  def token_keeper
+    ArcgisApi::TokenKeeper.new
+  end
+
+  def analytics
+    @analytics ||= Analytics.new(
+      user: AnonymousUser.new,
+      request: nil,
+      session: {},
+      sp: nil,
+    )
+  end
+end

app/services/analytics_events.rb

@@ -559,6 +559,56 @@ def idv_arcgis_request_failure(
     )
   end
 
+  # Tracks if request to get auth token from ArcGIS fails
+  # @param [String] exception_class
+  # @param [String] exception_message
+  # @param [Boolean] response_body_present
+  # @param [Hash] response_body
+  # @param [Integer] response_status_code
+  # @param [Integer,nil] retry_count
+  # @param [Integer,nil] retry_max
+  # @param [Float,nil] will_retry_in
+  def idv_arcgis_token_failure(
+    exception_class:,
+    exception_message:,
+    response_body_present:,
+    response_body:,
+    response_status_code:,
+    retry_count: nil,
+    retry_max: nil,
+    will_retry_in: nil,
+    **extra
+  )
+    track_event(
+      'Request ArcGIS Token: request failed',
+      exception_class: exception_class,
+      exception_message: exception_message,
+      response_body_present: response_body_present,
+      response_body: response_body,
+      response_status_code: response_status_code,
+      retry_count: retry_count,
+      retry_max: retry_max,
+      will_retry_in: will_retry_in,
+      **extra,
+    )
+  end
+
+  # Track when ArcGIS auth token refresh job completed
+  def idv_arcgis_token_job_completed(**extra)
+    track_event(
+      'ArcgisTokenJob: Completed',
+      **extra,
+    )
+  end
+
+  # Track when ArcGIS auth token refresh job started
+  def idv_arcgis_token_job_started(**extra)
+    track_event(
+      'ArcgisTokenJob: Started',
+      **extra,
+    )
+  end
+
   # @param [String] step the step that the user was on when they clicked cancel
   # @param [Idv::ProofingComponentsLogging] proofing_components User's current proofing components
   # The user confirmed their choice to cancel going through IDV

app/services/arcgis_api/auth/authentication.rb

@@ -0,0 +1,97 @@
+module ArcgisApi::Auth
+  # Authenticate with the ArcGIS API
+  class Authentication
+    def initialize(analytics: nil)
+      @analytics = analytics || Analytics.new(
+        user: AnonymousUser.new,
+        request: nil,
+        session: {},
+        sp: nil,
+      )
+    end
+
+    # Makes a request to retrieve a new token
+    # it expires after 1 hour
+    # @return [ArcgisApi::Auth::Token] Auth token
+    def retrieve_token
+      token, expires = request_token.fetch_values('token', 'expires')
+      expires_at = Time.zone.at(expires / 1000).to_f
+      return ArcgisApi::Auth::Token.new(token: token, expires_at: expires_at)
+    end
+
+    private
+
+    # Makes HTTP request to authentication endpoint and
+    # returns the token and when it expires (1 hour).
+    # @return [Hash] API response
+    def request_token
+      body = {
+        username: arcgis_api_username,
+        password: arcgis_api_password,
+        referer: domain_name,
+        f: 'json',
+      }
+
+      connection.post(
+        arcgis_api_generate_token_url, URI.encode_www_form(body)
+      ) do |req|
+        req.options.context = { service_name: 'arcgis_token' }
+      end.body
+    end
+
+    def connection
+      ::Faraday.new do |conn|
+        ArcgisApi::Faraday::Configuration.setup(conn)
+        ArcgisApi::Faraday::Configuration.add_retry(conn) do |**args|
+          log_retry(**args)
+        end
+        yield conn if block_given?
+      end
+    end
+
+    # @param [Faraday::Env] env Request environment
+    # @param [Faraday::Options] options middleware options
+    # @param [Integer] retry_count how many retries have already occured (starts at 0)
+    # @param [Exception] exception exception that triggered the retry,
+    #        will be the synthetic `Faraday::RetriableResponse` if the
+    #        retry was triggered by something other than an exception.
+    # @param [Float] will_retry_in retry_block is called *before* the retry
+    #        delay, actual retry will happen in will_retry_in number of
+    #        seconds.
+    def log_retry(env:, options:, retry_count:, exception:, will_retry_in:)
+      resp_body = env.body.then do |body|
+        if body.is_a?(String)
+          JSON.parse(body)
+        else
+          body
+        end
+      rescue
+        body
+      end
+
+      http_status = env.status
+      api_status_code = resp_body.is_a?(Hash) ? resp_body.dig('error', 'code') : http_status
+      analytics.idv_arcgis_token_failure(
+        exception_class: exception.class.name,
+        exception_message: exception.message,
+        response_body_present: resp_body.present?,
+        response_body: resp_body,
+        response_status_code: http_status,
+        api_status_code: api_status_code,
+
+        # Include retry-specific data
+        retry_count:,
+        retry_max: options.max,
+        will_retry_in:,
+      )
+    end
+
+    attr_accessor :analytics
+
+    delegate :arcgis_api_username,
+             :arcgis_api_password,
+             :domain_name,
+             :arcgis_api_generate_token_url,
+             to: :"IdentityConfig.store"
+  end
+end

app/services/arcgis_api/auth/cache/raw_token_cache.rb

@@ -0,0 +1,34 @@
+module ArcgisApi::Auth::Cache
+  class RawTokenCache
+    # @param [ActiveSupport::Cache::Store] cache
+    # @param [String] cache_key
+    def initialize(cache: nil, cache_key: nil)
+      @cache = cache || Rails.cache
+      @cache_key = cache_key || default_api_token_cache_key
+    end
+
+    # @return [Object,nil] Cached auth token
+    def token
+      raw_token = cache.read(cache_key)
+      raw_token || nil
+    end
+
+    # @param [Object,nil] cache_value the value to write to cache
+    # @param [Number] expires_at the hard expiration time in unix time (milliseconds)
+    def save_token(cache_value, expires_at)
+      cache.write(cache_key, cache_value, expires_at)
+    end
+
+    private
+
+    def default_api_token_cache_key
+      "#{arcgis_api_token_cache_key_prefix}:#{URI(arcgis_api_generate_token_url).host}"
+    end
+
+    delegate :arcgis_api_token_cache_key_prefix,
+             :arcgis_api_generate_token_url,
+             to: :"IdentityConfig.store"
+
+    attr_accessor :cache, :cache_key
+  end
+end

app/services/arcgis_api/auth/cache/token_cache_info_writer.rb

@@ -0,0 +1,8 @@
+module ArcgisApi::Auth::Cache
+  class TokenCacheInfoWriter < TokenCacheWriter
+    # @param [ArcgisApi::Auth::Token] cache_value the value to write to cache
+    def save_token(cache_value)
+      token_cache.save_token(cache_value, expires_at: cache_value.expires_at)
+    end
+  end
+end

app/services/arcgis_api/auth/cache/token_cache_raw_writer.rb

@@ -0,0 +1,8 @@
+module ArcgisApi::Auth::Cache
+  class TokenCacheRawWriter < TokenCacheWriter
+    # @param [ArcgisApi::Auth::Token] cache_value the value to write to cache
+    def save_token(cache_value)
+      token_cache.save_token(cache_value.token, expires_at: cache_value.expires_at)
+    end
+  end
+end

app/services/arcgis_api/auth/cache/token_cache_reader.rb

@@ -0,0 +1,31 @@
+module ArcgisApi::Auth::Cache
+  class TokenCacheReader
+    # @param [ArcgisApi::Auth::Cache::RawTokenCache] token_cache
+    def initialize(token_cache: nil)
+      @token_cache = token_cache || ArcgisApi::Auth::Cache::RawTokenCache.new
+    end
+
+    # @return [String,nil] auth token
+    def token
+      token_entry&.token
+    end
+
+    # Fetch, wrap, and return cache entry for ArcGIS API token
+    # @return [ArcgisApi::Auth::Token,nil] token, or nil if not present in cache
+    def token_entry
+      cache_entry = token_cache.token
+
+      if cache_entry.is_a?(String)
+        ArcgisApi::Auth::Token.new(
+          token: cache_entry,
+        )
+      elsif cache_entry.is_a?(ArcgisApi::Auth::Token)
+        cache_entry
+      end
+    end
+
+    protected
+
+    attr_accessor :token_cache
+  end
+end

app/services/arcgis_api/auth/cache/token_cache_writer.rb

@@ -0,0 +1,6 @@
+module ArcgisApi::Auth::Cache
+  class TokenCacheWriter < TokenCacheReader
+    # @param [ArcgisApi::Auth::Token] cache_value the value to write to cache
+    def save_token(cache_value); end
+  end
+end

app/services/arcgis_api/auth/refresh/always_refresh_strategy.rb

@@ -0,0 +1,13 @@
+module ArcgisApi::Auth::Refresh
+  # Always refreshes the token
+  class AlwaysRefreshStrategy < RefreshStrategy
+    # @param [ArcgisApi::Auth::Authentication] auth
+    # @param [ArcgisApi::Auth::Cache::TokenCacheWriter] cache
+    # @return [ArcgisApi::Auth::Token]
+    def call(auth:, cache:)
+      token_entry = auth.retrieve_token
+      cache.save_token(token_entry)
+      token_entry
+    end
+  end
+end

app/services/arcgis_api/auth/refresh/fetch_without_refresh_strategy.rb

@@ -0,0 +1,13 @@
+module ArcgisApi::Auth::Refresh
+  # Does not attempt to refresh a token when it's expired
+  class FetchWithoutRefreshStrategy < RefreshStrategy
+    # rubocop:disable Lint/UnusedMethodArgument
+    # @param [ArcgisApi::Auth::Authentication] auth
+    # @param [ArcgisApi::Auth::Cache::TokenCacheWriter] cache
+    # @return [ArcgisApi::Auth::Token,nil]
+    def call(auth:, cache:)
+      cache.token_entry
+    end
+    # rubocop:enable Lint/UnusedMethodArgument
+  end
+end

app/services/arcgis_api/auth/refresh/noop_refresh_strategy.rb

@@ -0,0 +1,13 @@
+module ArcgisApi::Auth::Refresh
+  # Does nothing, returns nil
+  class NoopRefreshStrategy < RefreshStrategy
+    # rubocop:disable Lint/UnusedMethodArgument
+    # @param [ArcgisApi::Auth::Authentication] auth
+    # @param [ArcgisApi::Auth::Cache::TokenCacheWriter] cache
+    # @return [nil]
+    def call(auth:, cache:)
+      nil
+    end
+    # rubocop:enable Lint/UnusedMethodArgument
+  end
+end

app/services/arcgis_api/auth/refresh/on_expire_refresh_strategy.rb

@@ -0,0 +1,16 @@
+module ArcgisApi::Auth::Refresh
+  # Refreshes a token when it's expired
+  class OnExpireRefreshStrategy < RefreshStrategy
+    # @param [ArcgisApi::Auth::Authentication] auth
+    # @param [ArcgisApi::Auth::Cache::TokenCacheWriter] cache
+    # @return [ArcgisApi::Auth::Token]
+    def call(auth:, cache:)
+      token_entry = cache.token_entry
+      if token_entry.nil? || token_entry.expired?
+        token_entry = auth.retrieve_token
+        cache.save_token(token_entry)
+      end
+      token_entry
+    end
+  end
+end

app/services/arcgis_api/auth/refresh/refresh_strategy.rb

@@ -0,0 +1,9 @@
+module ArcgisApi::Auth::Refresh
+  # Refreshes a token when it's expired
+  class RefreshStrategy
+    # @param [ArcgisApi::Auth::Authentication] auth
+    # @param [ArcgisApi::Auth::Cache::TokenCacheWriter] cache
+    # @return [ArcgisApi::Auth::Token,nil]
+    def call(auth:, cache:); end
+  end
+end