We encountered an issue with how the `accessToken` structure is stored in the request, which results in details from one request overwriting details of another request.

This comes up specifically when:

- You're handling more than one request at a time.
- You're referencing the `req.oauth2.accessToken` structure after a call to an external service.

In our case, we have a rate limiter middleware which references the `accessToken`, and then we make an HTTP request after that to some external resource. The issue is caused by the fact that `req.oauth2` actually is always the same one instance:

```js
req.oauth2 = _self
```

Here's how it plays out:

1. Two requests come into our app, say they're for bearer tokens A and B.
2. Node handles the token A request, and hits the rate limiter (which calls out to Redis, for example).
3. While waiting for a response from Redis, Node begins handling token B.
4. At this point, the `accessToken` structure on the shared `req.oauth2` object is changed.
5. The token B request hits the rate limiter.
6. While waiting for a response for the token B request, the token A rate limiter request has returned, so Node starts working on that again.
7. The token A request now actually contains authentication information from the token B request.
8. We call out to the external resource with the token B credentials for the token A request.

If your API is providing information specific to a user, then potentially sensitive information can be provided to the wrong person.

We found that by making the change in this commit the problem no longer occurs.

We will have a proper PR coming, but in the meantime wanted to ensure this issue is surfaced.
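The interleaving described in the report, re-enacted as an added example (this is not code from the library in question or from the reporter; the `attachShared`/`attachPerRequest` helpers, the `_self`-style `sharedOauth2` object and the two-request scheduler are assumptions made for illustration). A generator `yield` stands in for the `await` on the external call in the rate limiter, and a round-robin scheduler resumes the two requests in exactly the order the steps above describe, so the cross-talk is deterministic and can be checked without a real Redis:

```javascript
// Added example, not the reported library's code. `yield` marks the point where
// the real middleware awaits an external call (Redis in the rate limiter, then an
// upstream HTTP request); the scheduler interleaves two requests as in the report.

// Buggy pattern (assumed shape of the `req.oauth2 = _self` line): every request
// is handed a reference to ONE shared object, so the last writer wins.
const sharedOauth2 = {};
function attachShared(req, token) {
  req.oauth2 = sharedOauth2;            // same instance for every request
  req.oauth2.accessToken = { token };   // overwrites whatever request A stored
}

// Fixed pattern: a fresh object per request, owned by that request alone.
function attachPerRequest(req, token) {
  req.oauth2 = { accessToken: { token } };
}

// One request's lifecycle. The first yield is "await redis in the rate limiter";
// the token read after it is the one the upstream call would actually be made with.
function* handleRequest(req, attach, results) {
  attach(req, req.bearer);              // auth middleware stores the token
  yield 'rateLimiter:redis';            // await redis.incr(...) -> other requests run
  const used = req.oauth2.accessToken.token;
  results[req.bearer] = used;           // credentials sent to the external resource
  yield 'upstream:http';                // await fetch(externalResource, ...)
}

// Round-robin scheduler: A starts and parks on Redis, B starts and parks on Redis,
// A resumes, B resumes. Returns, per bearer token, the token each request used.
function runScenario(attach) {
  const results = {};
  let pending = ['A', 'B'].map((bearer) =>
    handleRequest({ bearer, oauth2: undefined }, attach, results));
  while (pending.length) {
    pending = pending.filter((task) => !task.next().done);
  }
  return results;
}

// Constructed demonstration: with the shared instance, request A goes upstream
// with B's bearer token; with a per-request object, each request keeps its own.
console.log('shared instance :', runScenario(attachShared));     // { A: 'B', B: 'B' }
console.log('per-request     :', runScenario(attachPerRequest)); // { A: 'A', B: 'B' }
```

The scheduler makes the ordering explicit, but nothing in it is contrived: any `await` or callback between writing `req.oauth2` and reading it gives the event loop the same opportunity to run another request's middleware, which is why the defect only surfaces under concurrent load and only after the first asynchronous hop. A quick check in a real app is to log `req.oauth2.accessToken` together with the bearer header both before and after the rate limiter while two clients with different tokens hammer the endpoint; any mismatch after the await is this bug.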