Race condition in Redis#ReadAndDestroy

[dillonstreator]

There is a race condition in the Redis ReadAndDestroy implementation that can allow multiple clients to retrieve the same secret value. This happens because the 'read and destroy' operation is not currently atomic. Redis Lua scripts do execute in an atomic fashion and and would be a good use case for this operation and solve for the race condition. https://redis.io/docs/latest/develop/interact/programmability/eval-intro/

ots/pkg/storage/redis/redis.go

Lines 79 to 93 in 8fadf72

	func (s storageRedis) ReadAndDestroy(id string) (string, error) {
	secret, err := s.conn.Get(context.Background(), s.redisKey(id)).Result()
	if err != nil {
	if errors.Is(err, redis.Nil) {
	return "", storage.ErrSecretNotFound
	}
	return "", fmt.Errorf("getting key: %w", err)
	}
	err = s.conn.Del(context.Background(), s.redisKey(id)).Err()
	if err != nil {
	return secret, fmt.Errorf("deleting key: %w", err)
	}
	return secret, nil
	}