If two refresh requests happen concurrently, the tokens can get jumbled between the requests. Example:
Request A and Request B happen very close together. Request A begins a refresh call. Before Request A finishes, Request B begins a refresh call. Request A's refresh call finishes, storing the token in the access_token object. Request B's refresh call finishes, overwriting Request A's token. Request A's callback is triggered, handing Request B's token to Request A's callback. Now Request A's user has Request B's user's token.
This is because of https://github.com/lelylan/simple-oauth2/blob/master/lib/client/access-token.js#L13 not creating a new instance to store the access token in, meaning there is a singleton to store the access token that can be overwritten by concurrent requests.
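The interleaving described in this report, reproduced deterministically as an added example (not code from simple-oauth2 or from the reporter). `makeLoop`, `issueToken`, `makeClient`, `simulate` and `crossed` are hypothetical names, and the token endpoint is a constructed stand-in; `crossed` is the kind of check a regression test for this bug would assert on.

```javascript
// Deterministic stand-in for the event loop so the interleaving is reproducible.
function makeLoop() {
  const tasks = [];
  return {
    defer(fn) { tasks.push(fn); },
    run() { while (tasks.length > 0) tasks.shift()(); },
  };
}

// Constructed token endpoint response; not a real OAuth2 server.
const issueToken = (user) => ({ owner: user, value: `token-for-${user}` });

// shareStorage = true models the reported pattern: one object holds every
// refreshed token. shareStorage = false creates a new object per refresh.
function makeClient(loop, shareStorage) {
  const stored = {};
  return {
    refresh(user, callback) {
      loop.defer(() => {                         // refresh response arrives
        const target = shareStorage ? stored : {};
        Object.assign(target, issueToken(user)); // shared: overwrites earlier token
        loop.defer(() => callback(target));      // callback fires on a later tick
      });
    },
  };
}

// Start refreshes for A and B back to back; record whose token each callback gets.
function simulate(shareStorage) {
  const loop = makeLoop();
  const client = makeClient(loop, shareStorage);
  const seen = {};
  for (const user of ['A', 'B']) {
    client.refresh(user, (token) => { seen[user] = token.owner; });
  }
  loop.run();
  return seen;
}

// Regression check: callers whose callback received someone else's token.
const crossed = (seen) => Object.keys(seen).filter((u) => seen[u] !== u);

console.log('shared storage:', simulate(true), 'crossed:', crossed(simulate(true)));
console.log('per-request   :', simulate(false), 'crossed:', crossed(simulate(false)));
```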