Skip to content

fix(Session): avoid race conditions on clustered setups #46398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
blizzz merged 2 commits into from
Jul 11, 2024
Merged

fix(Session): avoid race conditions on clustered setups #46398

blizzz merged 2 commits into from
Jul 11, 2024

Conversation

@blizzz
Copy link
Member

@blizzz blizzz commented Jul 10, 2024
edited
Loading

Summary

  • re-stablishes old behaviour with cache to return null instead of throwing an InvalidTokenException when the token is cached as non-existing
  • token invalidation and re-generation are bundled in a DB transaction now

Maybe that is not the final solution to this problem.

Checklist

@blizzz blizzz added bug 3. to review Waiting for reviews labels Jul 10, 2024
@blizzz blizzz requested review from a team, Altahrim, ChristophWurst, juliusknorr, nickvergessen, sorbaugh and yemkareems and removed request for a team July 10, 2024 11:17
@blizzz
Copy link
Member Author

blizzz commented Jul 10, 2024

/backport to stable29

@blizzz
Copy link
Member Author

blizzz commented Jul 10, 2024

/backport to stable28

@blizzz
Copy link
Member Author

blizzz commented Jul 10, 2024

/backport to stable27

@blizzz blizzz mentioned this pull request Jul 10, 2024
Closed
@blizzz
fix(Session): avoid race conditions on clustered setups
6a783d9 
- re-stablishes old behaviour with cache to return null instead of throwing
  an InvalidTokenException when the token is cached as non-existing
- token invalidation and re-generation are bundled in a DB transaction now

Signed-off-by: Arthur Schiwon <[email protected]>
@blizzz blizzz force-pushed the fix/46165/token-race branch from 346e5c6 to 6a783d9 Compare July 10, 2024 11:28
blizzz
blizzz commented Jul 10, 2024
View reviewed changes
lib/private/User/Session.php
$this->atomic(function () use ($sessionId, $uid, $loginName, $pwd, $name, $remember) {
$this->tokenProvider->invalidateToken($sessionId);
$this->tokenProvider->generateToken($sessionId, $uid, $loginName, $pwd, $name, IToken::TEMPORARY_TOKEN, $remember);
}, \OCP\Server::get(IDBConnection::class));
Copy link
Member Author

@blizzz blizzz Jul 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ cannot be passed as early dependency in the constructor, it would break setup.

@blizzz
ci(psalm): update baseline
abd8708 
prefer to keep this check as PublicEmitter should be dropped sooner or
later

Signed-off-by: Arthur Schiwon <[email protected]>
@blizzz blizzz added this to the Nextcloud 30 milestone Jul 10, 2024
juliusknorr
juliusknorr approved these changes Jul 10, 2024
View reviewed changes
Copy link
Member

@juliusknorr juliusknorr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds reasonable and would safeguard if a second request would try to get the token between the delete and insert of the first request. 👍

@dsisysteme
Copy link

dsisysteme commented Jul 10, 2024

We manually applied your proposal to our test platform on version 29.0.3, and it appears to effectively resolve our looping issue after authentication with user_saml as explained in #46165

@blizzz blizzz mentioned this pull request Jul 10, 2024
Merged
ChristophWurst
ChristophWurst approved these changes Jul 11, 2024
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

@blizzz
Copy link
Member Author

blizzz commented Jul 11, 2024

Cypress is unrelated and fixed with #46428 → merge

@blizzz blizzz merged commit 95af299 into master Jul 11, 2024
@blizzz blizzz deleted the fix/46165/token-race branch July 11, 2024 07:24
@backportbot backportbot bot mentioned this pull request Jul 11, 2024
Merged
2 tasks
@blizzz blizzz mentioned this pull request Jul 11, 2024
Merged
@blizzz blizzz mentioned this pull request Jul 11, 2024
Merged
This was referenced Jul 11, 2024
Merged
Merged
@kesselb kesselb mentioned this pull request Jul 11, 2024
Closed
8 tasks
This was referenced Jul 18, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

@nickvergessen nickvergessen Awaiting requested review from nickvergessen

@Altahrim Altahrim Awaiting requested review from Altahrim

@yemkareems yemkareems Awaiting requested review from yemkareems yemkareems is a code owner automatically assigned from nextcloud/server-backend

@sorbaugh sorbaugh Awaiting requested review from sorbaugh sorbaugh is a code owner automatically assigned from nextcloud/server-backend

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug feature: authentication

Projects

None yet

Milestone

Nextcloud 30

Development

Successfully merging this pull request may close these issues.

[Bug]: Invalid LocalCache Token on a Load-Balanced System

6 participants

@blizzz @dsisysteme @ChristophWurst @juliusknorr @joshtrichards