Fix handling of users with multiple identities #6837
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgoyne
force-pushed
the
tg/user-provider
branch
8 times, most recently
from
c6e0a8c
to
d5e5cd1
Compare
|
This unfortunately grew to be pretty large in the process of making tsan happy, but hopefully the commits make enough sense individually that it's not too awful to review. There's no particular hurry here; this is just some incidental bug fixes extracted out of my multiprocess sync work. |
tgoyne
force-pushed
the
tg/user-provider
branch
from
d5e5cd1
to
82cb437
Compare
tgoyne
force-pushed
the
tg/user-provider
branch
3 times, most recently
from
e0a3e6d
to
d95d48c
Compare
tgoyne
force-pushed
the
tg/user-provider
branch
from
d95d48c
to
ded15f1
Compare
ironage
reviewed
Sep 15, 2023
| SyncTestFile config(app, partition, schema); | ||
| auto r = Realm::get_shared_realm(config); | ||
| REQUIRE_FALSE(user->is_logged_in()); | ||
| REQUIRE(user->state() == SyncUser::State::LoggedOut); |
There was a problem hiding this comment.
should this test wait for the access token response before checking the user state?
There was a problem hiding this comment.
oh never mind, we use a synchronous transport
ironage
approved these changes
Sep 19, 2023
ROS users were identified by the pair (identity, auth_url), and in the v10 port this was translated to (user_id, provider_type), but that isn't actually how Atlas users work. An App is the equivalent of the old auth_url, and within an App user_id uniquely identifies a user. Users don't actually have a "provider type" at all: users have one or more identities, each of which has a provider type, and the same SyncUser should be used regardless of which identity was used to log in. This had surprisingly mild consequences, but was visibly broken in a few ways. Logging into the same user using two different identities resulted in two SyncUsers with the same user id. Opening the same partition (or any flx Realm) with both users resulted in both using whichever SyncUser happened to open it first, and the second would not create a SyncSession. This meant that most of the potential bad things (such as creating two session for one file) didn't actually happen, but the second user's list of sessions would be "incorrect", and removing one of the users would remove the incorrect set of local files. Linking identities to anonymous users resulted in the user still being treated as anonymous. The primary negative effect of this was that linking an identity, logging out, then logging back in would result in the user being removed entirely in between, forcing the re-download of all Realms (and the loss of any un-uploaded data). This bumps the schema version of the metadata Realm primarily for the sake of recovery on metadata Realms in invalid states: the migration block handles the case of multiple users with the same user id and unifies them. Since this needs a migration anyway, it fixes some incidental problems with the metadata Realm's schema which weren't fixable without a migration: the marked_for_deletion column was redundant with the Removed state, identity objects were leaked due to not being embedded, and the local_uuid field is no longer used for anything other than opening files written by early v10 versions, so there's no need to populate it for new users.
tgoyne
force-pushed
the
tg/user-provider
branch
2 times, most recently
from
12d2f62
to
dd7e4fa
Compare
…ealm Initializing sync users read from the metadata Realm used the same code path as initializing newly logged in users, resulting in it performing three no-op write transactions per user to write the data which was just read back to the Realm.
It had incorrect semantics (users from different Apps which happened to have the same id would compare equal), and simply isn't neccesary as there should only ever be a single SyncUser instance per user and so pointer equality suffices.
SyncUser previously allowed setting the state to LoggedIn without setting its tokens, and conversely allowed setting tokens while not logged in. This was error-prone and happened to result in a lock-order inversion due to that both the state and the tokens had to be checked in places where we only wanted to care about one of them.
tgoyne
force-pushed
the
tg/user-provider
branch
from
dd7e4fa
to
64bf842
Compare
4 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
ROS users were identified by the pair (identity, auth_url), and in the v10 port this was translated to (user_id, provider_type), but that isn't actually how Atlas users work. An App is the equivalent of the old auth_url, and within an App user_id uniquely identifies a user. Users don't actually have a "provider type" at all: users have one or more identities, each of which has a provider type, and the same SyncUser should be used regardless of which identity was used to log in.
This had surprisingly mild consequences, but was visibly broken in a few ways. Logging into the same user using two different identities resulted in two SyncUsers with the same user id. Opening the same partition (or any flx Realm) with both users resulted in both using whichever SyncUser happened to open it first, and the second would not create a SyncSession. This meant that most of the potential bad things (such as creating two session for one file) didn't actually happen, but the second user's list of sessions would be "incorrect", and removing one of the users would remove the incorrect set of local files.
Linking identities to anonymous users resulted in the user still being treated as anonymous. The primary negative effect of this was that linking an identity, logging out, then logging back in would result in the user being removed entirely in between, forcing the re-download of all Realms (and the loss of any un-uploaded data).
This bumps the schema version of the metadata Realm primarily for the sake of recovery on metadata Realms in invalid states: the migration block handles the case of multiple users with the same user id and unifies them. Since this needs a migration anyway, it fixes some incidental problems with the metadata Realm's schema which weren't fixable without a migration: the marked_for_deletion column was redundant with the Removed state, identity objects were leaked due to not being embedded, and the local_uuid field is no longer used for anything other than opening files written by early v10 versions, so there's no need to populate it for new users.
Initializing a sync manager opened the metadata Realm, read the persisted users, and then wrote the persisted users back to the Realm using three separate write transactions per user. It now just reads the data and doesn't write anything.
SyncUser's internal API permitted doing some invalid state transitions such as marking a user as logged in despite it not having any tokens. The two specific things which definitely could break was logging out a user while the profile was being updated and logging out a user while the access token was being refreshed, but there may have been more things. There also just was some dead code trying to support state transitions which could never happen.