Fix the race condition in token refresh logic

[NipuniBhagya]

Purpose

This pull request addresses a race condition in the token refresh logic for the @asgardeo/browser and @asgardeo/react packages. The main improvement is the introduction of a locking mechanism to prevent multiple simultaneous token refresh requests, ensuring more reliable authentication flows.

Token Refresh Race Condition Fix

• Added a private _isTokenRefreshLoading flag in the SPAHelper class to prevent concurrent token refresh attempts.
• Updated the token refresh logic to check and set _isTokenRefreshLoading before starting a refresh, and to reset it after completion, ensuring only one refresh runs at a time.

Meta and Documentation

• Updated copyright years in spa-helper.ts to include 2026.
• Added a changeset describing the patch and its purpose.

Checklist

• Followed the CONTRIBUTING guidelines.
• Manual test round performed and verified.
• Documentation provided. (Add links if there are any)
• Unit tests provided. (Add links if there are any)

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?

[asgardeo-github-bot]

🦋 Changeset detected

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.