Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helper function expired() prone to race condition #131

Closed
sudowork opened this issue May 10, 2017 · 1 comment
Closed

Helper function expired() prone to race condition #131

sudowork opened this issue May 10, 2017 · 1 comment

Comments

@sudowork
Copy link
Contributor

This may or may not be an issue depending on how you view it.

If you take this approach:

// Sample of a JSON access token (you got it through previous steps)
const tokenObject = {
  'access_token': '<access-token>',
  'refresh_token': '<refresh-token>',
  'expires_in': '7200'
};

// Create the access token wrapper
let token = oauth2.accessToken.create(tokenObject);

// Check if the token is expired. If expired it is refreshed.
if (token.expired()) {
  token.refresh()
  .then((result) => {
    token = result;
  });
}

Then there is an inherent race condition when checking the expiration time against the time the token actually expires:

  1. Server creates access token with expiration time (for example 7200 seconds from time t0)
  2. Response is received and processed by the client after time t_l1
  3. Client checks if token is expired (not expired according to the client) and issues its next API request.
  4. Server receives and checks access token expiration after time t_l2, sees that token has expired.

There is a window of time where the latency of t_l1 + t_l2 (plus a ton of other small contributors to latency) could cause the client to use the access token, but for the server to reject it due to expiration.

One approach to fixing this would be to add a buffer; however, I can definitely see this being an issue for the consumer of the simple-oauth2 library to solve. Thoughts @jonathansamines ?
sudowork added a commit to sudowork/simple-oauth2 that referenced this issue May 10, 2017
@sudowork
Add option for expiredBuffer
5ab781c 
When checking if an access token has expired, there is a common race
condition where using a near-expiring token may actually be expired by
the time the API server checks it. This is due to things like round-trip
latency, clock skew, processing time, etc.

One solution is to allow clients to configure a buffer so that a token
will be reported as "expired" before it actually is. This allows some
leeway to account for various latencies.

Fixes lelylan#131
@sudowork sudowork mentioned this issue May 10, 2017
Closed
@jonathansamines
Copy link
Collaborator

The corresponding documentation was already added in #140

@jonathansamines jonathansamines mentioned this issue Jan 28, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sudowork @jonathansamines