fix(providers): address Copilot review — disposal, dedupe, validation, sync path

Aaronontheweb · Aaronontheweb · commit 1c81c99c1f41 · 2026-05-20T15:57:06.000Z
Four bug fixes from the GitHub Copilot pull-request review:

1. OAuthDeviceFlowService.PostFormAsync leaked HttpRequestMessage (and
   its FormUrlEncodedContent). Callers also did not dispose the response.
   In the device-flow polling loop both grew connection-handle pressure.
   Now wraps the request in `using`, makes the helper async, and
   `using`s the response at every call site.

2. CopilotTokenExchanger.GetTokenAsync allowed N concurrent calls to
   ExchangeAsync for the same OAuth token when a burst of chat requests
   arrived inside the 2-minute refresh buffer. Adds a per-key
   SemaphoreSlim with double-checked locking — the first caller refreshes,
   the rest wait and read the new cache entry. Cuts the worst-case fan-out
   to a single /copilot_internal/v2/token request per refresh.

3. ExchangeAsync trusted the deserialized token payload. System.Text.Json
   does not enforce required-ness on positional record parameters, so a
   {} response would yield Token=null/ExpiresAt=0 and we'd cache a
   useless Bearer. Validates non-empty Token and positive ExpiresAt
   before caching; failure throws an InvalidOperationException with the
   offending endpoint URL in the message.

4. CopilotRequestPolicy.Process performed sync-over-async via
   GetAwaiter().GetResult() on an HTTP call. Deadlock risk under a sync
   context, blocks the calling thread on network I/O. The OpenAI SDK
   uses ProcessAsync for chat completions; the sync overload was only
   present because PipelinePolicy declares it. Now throws
   NotSupportedException with a clear message directing callers to the
   async pipeline. Adds a regression test.
diff --git a/src/Netclaw.Daemon.Tests/Providers/GitHubCopilot/CopilotRequestPolicyTests.cs b/src/Netclaw.Daemon.Tests/Providers/GitHubCopilot/CopilotRequestPolicyTests.cs
@@ -96,6 +96,27 @@ public async Task ProcessAsync_OverwritesPreviousAuthorizationHeader()
         Assert.Equal("Bearer copilot-real", auth);
     }
 
+    [Fact]
+    public void Process_Synchronous_ThrowsNotSupported()
+    {
+        // The sync pipeline path would require blocking on async token exchange.
+        // The OpenAI SDK uses the async pipeline for chat completions; the sync
+        // overload is only hit by misconfigured callers and we fail loudly.
+        var policy = new CopilotRequestPolicy(
+            ExchangerReturning("copilot-bearer"), OAuthEntry());
+
+        var clientPipeline = ClientPipeline.Create(new ClientPipelineOptions());
+        using var message = clientPipeline.CreateMessage();
+        message.Request.Method = "POST";
+        message.Request.Uri = new Uri("https://api.githubcopilot.com/chat/completions");
+
+        IReadOnlyList<PipelinePolicy> pipeline = [policy, new TerminalCapturingPolicy(() => { })];
+
+        var ex = Assert.Throws<NotSupportedException>(() =>
+            policy.Process(message, pipeline, 0));
+        Assert.Contains("async", ex.Message, StringComparison.OrdinalIgnoreCase);
+    }
+
     /// <summary>
     /// No-op terminal policy that records whether the previous policy invoked
     /// the chain. Used so ProcessNextAsync has somewhere to land without
diff --git a/src/Netclaw.Providers/GitHubCopilot/CopilotRequestPolicy.cs b/src/Netclaw.Providers/GitHubCopilot/CopilotRequestPolicy.cs
@@ -21,10 +21,17 @@ internal sealed class CopilotRequestPolicy(CopilotTokenExchanger exchanger, Prov
     public override void Process(
         PipelineMessage message, IReadOnlyList<PipelinePolicy> pipeline, int currentIndex)
     {
-        var token = exchanger.GetTokenAsync(entry, message.CancellationToken)
-            .GetAwaiter().GetResult();
-        Apply(message, token);
-        ProcessNext(message, pipeline, currentIndex);
+        // The OpenAI SDK's chat-completions path always invokes ProcessAsync.
+        // The sync overload exists on PipelinePolicy because the abstract
+        // contract requires it, but in practice it's only hit by callers
+        // that misconfigure their client. We refuse to block on an async
+        // network call (deadlock risk under a sync context, synchronous I/O
+        // on the calling thread) and fail loudly per the no-silent-fallback
+        // rule in CLAUDE.md.
+        throw new NotSupportedException(
+            "CopilotRequestPolicy requires the async pipeline. Token exchange " +
+            "is an async network call; use the OpenAI SDK's async chat methods " +
+            "(e.g. ChatClient.CompleteChatAsync) rather than the synchronous overloads.");
     }
 
     public override async ValueTask ProcessAsync(
diff --git a/src/Netclaw.Providers/GitHubCopilot/CopilotTokenExchanger.cs b/src/Netclaw.Providers/GitHubCopilot/CopilotTokenExchanger.cs
@@ -39,6 +39,13 @@ public sealed class CopilotTokenExchanger(HttpClient httpClient, TimeProvider? t
     private readonly TimeProvider time = timeProvider ?? TimeProvider.System;
     private readonly ConcurrentDictionary<string, CachedToken> cache = new();
 
+    // Per-OAuth-token semaphore so a burst of chat requests arriving inside
+    // the refresh window doesn't fan out into N concurrent calls to
+    // /copilot_internal/v2/token (GitHub rate-limits aggressively). The first
+    // caller refreshes; the others wait, then read the new cache entry under
+    // the lock.
+    private readonly ConcurrentDictionary<string, SemaphoreSlim> refreshLocks = new();
+
     /// <summary>
     /// Returns a valid Copilot API token for the OAuth credential carried by
     /// <paramref name="entry"/>, fetching from <c>/copilot_internal/v2/token</c>
@@ -54,17 +61,39 @@ public async Task<string> GetTokenAsync(
             "GitHub OAuth access token (re-run 'netclaw provider add <name> github-copilot --auth oauth-device')");
 
         var cacheKey = HashKey(oauthToken.Value);
-        var now = time.GetUtcNow();
 
-        if (cache.TryGetValue(cacheKey, out var cached)
-            && cached.ExpiresAt - RefreshBuffer > now)
-        {
+        if (TryGetFresh(cacheKey, out var cached))
             return cached.Token;
+
+        var sem = refreshLocks.GetOrAdd(cacheKey, _ => new SemaphoreSlim(1, 1));
+        await sem.WaitAsync(ct);
+        try
+        {
+            // Re-check under the lock — a previous caller may have refreshed
+            // while we were waiting.
+            if (TryGetFresh(cacheKey, out cached))
+                return cached.Token;
+
+            var fresh = await ExchangeAsync(oauthToken.Value, ct);
+            cache[cacheKey] = fresh;
+            return fresh.Token;
+        }
+        finally
+        {
+            sem.Release();
+        }
+    }
+
+    private bool TryGetFresh(string cacheKey, out CachedToken cached)
+    {
+        if (cache.TryGetValue(cacheKey, out cached!)
+            && cached.ExpiresAt - RefreshBuffer > time.GetUtcNow())
+        {
+            return true;
         }
 
-        var fresh = await ExchangeAsync(oauthToken.Value, ct);
-        cache[cacheKey] = fresh;
-        return fresh.Token;
+        cached = default!;
+        return false;
     }
 
     private async Task<CachedToken> ExchangeAsync(string oauthToken, CancellationToken ct)
@@ -94,7 +123,26 @@ private async Task<CachedToken> ExchangeAsync(string oauthToken, CancellationTok
 
         var parsed = JsonSerializer.Deserialize<TokenResponse>(body)
             ?? throw new InvalidOperationException(
-                "Empty token response from /copilot_internal/v2/token.");
+                $"Empty token response from {TokenEndpoint}.");
+
+        // System.Text.Json doesn't enforce required-ness on positional record
+        // parameters by default, so a {} response would deserialize to
+        // Token=null/ExpiresAt=0 and we'd cache a useless Bearer. Validate
+        // here so the failure surfaces at the exchange boundary, not later
+        // when the chat call returns 401.
+        if (string.IsNullOrWhiteSpace(parsed.Token))
+        {
+            throw new InvalidOperationException(
+                $"GitHub Copilot token exchange at {TokenEndpoint} returned a "
+                + $"payload with no 'token' field: {Truncate(body)}");
+        }
+
+        if (parsed.ExpiresAt <= 0)
+        {
+            throw new InvalidOperationException(
+                $"GitHub Copilot token exchange at {TokenEndpoint} returned an "
+                + $"invalid 'expires_at' value ({parsed.ExpiresAt}).");
+        }
 
         return new CachedToken(
             parsed.Token,
diff --git a/src/Netclaw.Providers/OAuth/OAuthDeviceFlowService.cs b/src/Netclaw.Providers/OAuth/OAuthDeviceFlowService.cs
@@ -104,7 +104,7 @@ public OAuthDeviceFlowService(HttpClient httpClient, TimeProvider? timeProvider
     public async Task<DeviceAuthorizationResponse> StartDeviceAuthorizationAsync(
         OAuthDeviceFlowConfig config, CancellationToken ct = default)
     {
-        var response = await PostFormAsync(
+        using var response = await PostFormAsync(
             config.DeviceAuthorizationEndpoint,
             BuildDeviceAuthParams(config),
             ct);
@@ -143,7 +143,7 @@ public async Task<OAuthDeviceFlowResult> PollForTokenAsync(
                 ["client_id"] = config.ClientId
             };
 
-            var response = await PostFormAsync(config.TokenEndpoint, tokenParams, ct);
+            using var response = await PostFormAsync(config.TokenEndpoint, tokenParams, ct);
 
             var json = await response.Content.ReadAsStringAsync(ct);
             using var doc = JsonDocument.Parse(json);
@@ -213,7 +213,7 @@ public async Task<OAuthDeviceFlowResult> PollForTokenAsync(
             ["refresh_token"] = refreshToken.Value
         };
 
-        var response = await PostFormAsync(tokenEndpoint, tokenParams, ct);
+        using var response = await PostFormAsync(tokenEndpoint, tokenParams, ct);
 
         if (!response.IsSuccessStatusCode)
         {
@@ -261,17 +261,17 @@ private OAuthDeviceFlowResult ParseTokenResponse(JsonElement root)
     // GitHub's OAuth endpoints return application/x-www-form-urlencoded by default
     // and only switch to JSON when the request explicitly asks for it. Other providers
     // (OpenAI Codex) already return JSON, so the header is a safe no-op.
-    private Task<HttpResponseMessage> PostFormAsync(
+    private async Task<HttpResponseMessage> PostFormAsync(
         string url,
         IEnumerable<KeyValuePair<string, string>> form,
         CancellationToken ct)
     {
-        var request = new HttpRequestMessage(HttpMethod.Post, url)
+        using var request = new HttpRequestMessage(HttpMethod.Post, url)
         {
             Content = new FormUrlEncodedContent(form),
         };
         request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-        return _httpClient.SendAsync(request, ct);
+        return await _httpClient.SendAsync(request, ct);
     }
 
     private static List<KeyValuePair<string, string>> BuildDeviceAuthParams(OAuthDeviceFlowConfig config)
