Skip to content

fix(oauth): add locking to prevent race conditions in grant exchange #85570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 29, 2025
Merged

fix(oauth): add locking to prevent race conditions in grant exchange #85570

merged 3 commits into from
Apr 29, 2025

Conversation

mdtro
Copy link
Member

@mdtro mdtro commented Feb 20, 2025

Pulled from #82052 to break out these changes into smaller PRs.

Use locks to ensure an ApiGrant cannot be used twice during a race condition that would result in multiple access/refresh token pairs.

@mdtro mdtro requested review from a team as code owners February 20, 2025 19:22
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Feb 20, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 20, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 95.74468% with 2 lines in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/sentry/models/apitoken.py 83.33% 2 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #85570       +/-   ##
===========================================
+ Coverage   33.00%   87.78%   +54.78%     
===========================================
  Files        8694    10263     +1569     
  Lines      483957   580499    +96542     
  Branches    22645    22645               
===========================================
+ Hits       159725   509616   +349891     
+ Misses     323797    70448   -253349     
  Partials      435      435

mdtro added 3 commits April 28, 2025 16:24
@mdtro
feat(security): Add locking to prevent race conditions in API grant e…
555601a 
…xchanges

- Add InvalidGrantError and ExpiredGrantError
- Add get_lock_key method to ApiGrant
- Add locking around grant exchanges in ApiToken.from_grant
- Add tests for race conditions
@mdtro
fix(oauth): improve oauth token validation and error handling
10b51c6 
- add application status check in grant validation
- better error handling for lock acquisition failures
- add tests for concurrent grant usage
@mdtro
fix: use lock in grant exchanger
51e64ce
@mdtro mdtro force-pushed the mdtro/api-grant-security branch from d2c982f to 51e64ce Compare April 28, 2025 22:34
sentaur-athena
sentaur-athena approved these changes Apr 29, 2025
View reviewed changes
Copy link
Member

@sentaur-athena sentaur-athena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@mdtro mdtro merged commit df0af00 into master Apr 29, 2025
65 checks passed
@mdtro mdtro deleted the mdtro/api-grant-security branch April 29, 2025 21:00
@mdtro mdtro mentioned this pull request Apr 30, 2025
Open
andrewshie-sentry pushed a commit that referenced this pull request May 12, 2025
@mdtro @andrewshie-sentry
fix(oauth): add locking to prevent race conditions in grant exchange (#…
57f0129 
…85570)

Pulled from #82052 to break out these changes into smaller PRs.

Use locks to ensure an `ApiGrant` cannot be used twice during a race
condition that would result in multiple access/refresh token pairs.
@github-actions github-actions bot locked and limited conversation to collaborators May 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dcramer dcramer dcramer left review comments

@sentaur-athena sentaur-athena sentaur-athena approved these changes

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mdtro @dcramer @sentaur-athena