fix(oauth-server): prevent authorization code replay race#2617
Open
Kundan-Krishna366 wants to merge 2 commits into
Open
fix(oauth-server): prevent authorization code replay race#2617Kundan-Krishna366 wants to merge 2 commits into
Kundan-Krishna366 wants to merge 2 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Bug fix.
What is the current behavior?
Fixes #2613.
The
authorization_codegrant flow atPOST /oauth/tokenwas vulnerable to a replay race condition. The authorization was loaded and validated before the transaction that issued tokens and destroyed the authorization, allowing concurrent requests to redeem the same authorization code before it was consumed. This could result in multiple successful token exchanges for a single-use authorization code, violating RFC 6749 §4.1.2.What is the new behavior?
This PR makes authorization code redemption atomic by:
FOR UPDATE SKIP LOCKED.*apierrors.OAuthErrorso concurrent or already-consumed authorization codes correctly return400 invalid_grantinstead of500 Internal Server Error.Additionally, this PR adds a regression test that:
POST /oauth/tokenrequests using the same authorization code.400 invalid_grant.Additional context
The implementation follows the existing repository locking pattern by extending the existing authorization lookup with a
forUpdatemode instead of introducing a new exported helper.The regression test reproduces the replay scenario described in #2613 and verifies that authorization codes remain single-use under concurrent redemption.