Auth tokens can be given to the wrong user by simultaneous refresh requests #88
Labels
Comments
|
This can be closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If two refresh requests happen concurrently, the tokens can get jumbled between the requests. Example:
Request A and Request B happen very close together. Request A begins a refresh call. Before Request A finishes, Request B begins a refresh call. Request A's refresh call finishes, storing the token in the access_token object. Request B's refresh call finishes, overwriting Request A's token. Request A's callback is triggered, handing Request B's token to request A's callback. Now Request A's user has Request B's user's token.
This is because of https://github.com/lelylan/simple-oauth2/blob/master/lib/client/access-token.js#L13 not creating a new instance to store the access token in, meaning there is a singleton to store the access token that can be overwritten by concurrent requests.
The text was updated successfully, but these errors were encountered: