Handle race condition of state and code verifier #144
Merged
Fix #67
When triggering the OAuth2 flow multiple times, each redirect to the authorization URL sets the same cookie with the `state` and `codeVerifier` values. This can cause a race condition where only the last one will work, as the previous states and code verifiers will be overwritten by the last Set-Cookie header.

This PR implements a StateStore class that's used internally to keep track of multiple states and code verifiers.

The way it works is that every redirect to the authorization URL will now set a different cookie name, using the provided cookie name (or `oauth2`) as the prefix and appending a UUID (e.g. `oauth2:b450faeb-1f67-461e-bf4d-004b6f0a6e55` or `custom-name:b450faeb-1f67-461e-bf4d-004b6f0a6e55`). Then when the user is back on the application, the StateStore can read all of these cookies to get every state and code verifier; if the state in the URL matches one of the stored ones, it will then use the associated code verifier to get the tokens from the identity provider.

Because each state and code verifier is stored in a separate cookie, each one can expire individually, which allows using a short max age for the cookies (the default is 5 minutes, but it could probably be reduced to one or two safely).