Duplicate Code Opportunity
Summary
- Pattern: Identical getToken() method body duplicated verbatim across three BaseOidcTokenProvider subclasses
- Locations: containers/api-proxy/anthropic-oidc-token-provider.js lines 36–46, containers/api-proxy/gcp-oidc-token-provider.js lines 55–65, containers/api-proxy/oidc-token-provider.js lines 73–83
- Impact: 10 lines × 3 copies = 30 duplicate lines in security-critical token-serving path; any future change to cache-miss/refresh-trigger logic must be applied in three places
Evidence
All three subclasses contain this identical body (only one comment differs):
anthropic-oidc-token-provider.js lines 36–46:
```javascript
getToken() {
  const now = Math.floor(Date.now() / 1000);
  if (this._cachedToken && this._expiresAt > now) {
    return this._cachedToken;
  }
  if (!this._refreshInFlight) {
    this._scheduleRefresh(0);
  }
  return null;
}
```
gcp-oidc-token-provider.js lines 55–65: identical.
oidc-token-provider.js (Azure) lines 73–83: identical (one extra inline comment).
BaseOidcTokenProvider already has an isReady() method that reads this._getCachedValue() and this._expiresAt. The same abstract accessor can power a base-class getToken(). The AWS provider intentionally exposes getCredentials() instead of getToken(), so it is unaffected.
Suggested Refactoring
Add getToken() to oidc-token-provider-base.js, delegating to the existing _getCachedValue() abstract method:
```javascript
/** @returns {unknown} cached token if valid, otherwise null */
getToken() {
  const now = Math.floor(Date.now() / 1000);
  const cached = this._getCachedValue();
  if (cached && this._expiresAt > now) {
    return cached;
  }
  if (!this._refreshInFlight) {
    this._scheduleRefresh(0);
  }
  return null;
}
```
Remove the three overrides. No call-site changes are needed.
Affected Files
containers/api-proxy/oidc-token-provider-base.js — add shared implementation
containers/api-proxy/anthropic-oidc-token-provider.js — lines 35–46, remove override
containers/api-proxy/gcp-oidc-token-provider.js — lines 54–65, remove override
containers/api-proxy/oidc-token-provider.js — lines 72–83, remove override
Effort Estimate
Low
Detected by Duplicate Code Detector workflow. Run date: 2026-05-26
Generated by Duplicate Code Detector · sonnet46 2.8M
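The shared getToken() proposed in the issue, walked through a cache miss, a hit and an expiry so the behaviour the three overrides had can be pinned down before they are removed. This is an added example, not part of the original issue or the project's code: the class names, the injectable clock, the refreshCalls counter and the _store() helper are assumptions for illustration, and _scheduleRefresh() is stubbed.

```javascript
class SketchBaseProvider {
  // `clock` is an assumption for testability; the page's code calls Date.now() directly.
  constructor(clock = () => Date.now()) {
    this._clock = clock;
    this._expiresAt = 0; // epoch seconds
    this._refreshInFlight = false;
    this.refreshCalls = 0; // instrumentation, not on the page
  }
  _getCachedValue() { throw new Error('subclass must implement _getCachedValue()'); }
  // Stub: the real method would start an asynchronous token exchange.
  _scheduleRefresh(_delayMs) {
    this._refreshInFlight = true;
    this.refreshCalls += 1;
  }
  // Shared implementation, same logic as the suggested refactoring.
  getToken() {
    const now = Math.floor(this._clock() / 1000);
    const cached = this._getCachedValue();
    if (cached && this._expiresAt > now) return cached;
    if (!this._refreshInFlight) this._scheduleRefresh(0);
    return null;
  }
}

// Shaped like the three providers that keep their token in _cachedToken.
class SketchTokenProvider extends SketchBaseProvider {
  _getCachedValue() { return this._cachedToken; }
  // Hypothetical helper standing in for a completed refresh.
  _store(token, expiresAt) {
    this._cachedToken = token;
    this._expiresAt = expiresAt;
    this._refreshInFlight = false;
  }
}

// Walk one provider through miss -> hit -> expiry and record what a caller sees.
function exerciseProvider() {
  let nowMs = 1_000_000 * 1000; // constructed clock value
  const p = new SketchTokenProvider(() => nowMs);
  const out = { coldMiss: p.getToken(), secondMiss: p.getToken() };
  out.refreshesAfterMisses = p.refreshCalls; // one refresh, not two
  p._store('constructed-token', 1_000_060);
  out.hit = p.getToken();
  nowMs = 1_000_060 * 1000; // clock reaches _expiresAt exactly
  out.atExpiry = p.getToken(); // expiry bound is exclusive
  out.refreshesTotal = p.refreshCalls;
  return out;
}
console.log(exerciseProvider());
```

The two properties worth keeping under test after the refactor are that a token is never returned once the clock reaches _expiresAt, and that repeated misses while a refresh is in flight do not schedule additional refreshes.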