Skip to content

fix race condition for AccessToken creation in oauth2_validators #611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Jul 30, 2018
Merged

fix race condition for AccessToken creation in oauth2_validators #611

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
feebf41
work around race condition in which two threads both try to create th…
n2ygk Jun 26, 2018
d68d594
update changelog
n2ygk Jun 26, 2018
99e8c3b
Merge branch 'master' into issue-609
n2ygk Jul 27, 2018
4a86d7c
change to prevent race condition as suggested by @jdelic
n2ygk Jul 27, 2018
86ca379
Revert "change to prevent race condition as suggested by @jdelic"
n2ygk Jul 28, 2018
ee55818
Revert "work around race condition in which two threads both try to c…
n2ygk Jul 28, 2018
1da2a0a
corrected get_or_create
n2ygk Jul 28, 2018
5d466dd
update_or_create instead of two steps go get_or_create then update + …
n2ygk Jul 29, 2018
e626757
flake8
n2ygk Jul 29, 2018
594e2b4
inadvertent commit.
n2ygk Jul 30, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
### 1.2.x [unrealeased]

* Fix a race condition in creation of AccessToken with external oauth2 server.

### 1.2.0 [2018-06-03]

* **Compatibility**: Python 3.4 is the new minimum required version.
Expand Down
67 changes: 24 additions & 43 deletions oauth2_provider/oauth2_validators.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -332,20 +332,15 @@ def _get_token_from_authentication_server(
scope = content.get("scope", "")
expires = make_aware(expires)

try:
access_token = AccessToken.objects.select_related("application", "user").get(token=token)
except AccessToken.DoesNotExist:
access_token = AccessToken.objects.create(
token=token,
user=user,
application=None,
scope=scope,
expires=expires
)
else:
access_token.expires = expires
access_token.scope = scope
access_token.save()
access_token, _created = AccessToken\
.objects.select_related("application", "user")\
.update_or_create(token=token,
defaults={
"user": user,
"application": None,
"scope": scope,
"expires": expires,
})

return access_token

Expand All @@ -362,43 +357,29 @@ def validate_bearer_token(self, token, scopes, request):

try:
access_token = AccessToken.objects.select_related("application", "user").get(token=token)
# if there is a token but invalid then look up the token
if introspection_url and (introspection_token or introspection_credentials):
if not access_token.is_valid(scopes):
access_token = self._get_token_from_authentication_server(
token,
introspection_url,
introspection_token,
introspection_credentials
)
if access_token and access_token.is_valid(scopes):
request.client = access_token.application
request.user = access_token.user
request.scopes = scopes

# this is needed by django rest framework
request.access_token = access_token
return True
self._set_oauth2_error_on_request(request, access_token, scopes)
return False
except AccessToken.DoesNotExist:
# there is no initial token, look up the token
access_token = None

# if there is no token or it's invalid then introspect the token if there's an external OAuth server
if not access_token or not access_token.is_valid(scopes):
if introspection_url and (introspection_token or introspection_credentials):
access_token = self._get_token_from_authentication_server(
token,
introspection_url,
introspection_token,
introspection_credentials
)
if access_token and access_token.is_valid(scopes):
request.client = access_token.application
request.user = access_token.user
request.scopes = scopes

# this is needed by django rest framework
request.access_token = access_token
return True
self._set_oauth2_error_on_request(request, None, scopes)

if access_token and access_token.is_valid(scopes):
request.client = access_token.application
request.user = access_token.user
request.scopes = scopes

# this is needed by django rest framework
request.access_token = access_token
return True
else:
self._set_oauth2_error_on_request(request, access_token, scopes)
return False

def validate_code(self, client_id, code, client, request, *args, **kwargs):
Expand Down