fix: prevent forced re-login from concurrent refresh token rotation
Rotated refresh tokens now stay valid for a 60s grace window so concurrent refreshes (e.g. multiple browser tabs) each obtain a valid new pair instead of being logged out. Admin-web additionally serializes refreshes across tabs via the Web Locks API and reuses tokens already rotated by another tab. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -5,6 +5,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
@@ -21,12 +22,16 @@ local current = redis.call("GET", KEYS[1])
|
||||
if not current then
|
||||
return 0
|
||||
end
|
||||
if current ~= ARGV[1] then
|
||||
return -1
|
||||
if current == ARGV[1] then
|
||||
redis.call("PSETEX", KEYS[1], ARGV[4], "grace:" .. ARGV[1])
|
||||
redis.call("PSETEX", KEYS[2], ARGV[3], ARGV[2])
|
||||
return 1
|
||||
end
|
||||
redis.call("DEL", KEYS[1])
|
||||
redis.call("PSETEX", KEYS[2], ARGV[3], ARGV[2])
|
||||
return 1
|
||||
if current == "grace:" .. ARGV[1] then
|
||||
redis.call("PSETEX", KEYS[2], ARGV[3], ARGV[2])
|
||||
return 1
|
||||
end
|
||||
return -1
|
||||
`)
|
||||
|
||||
var setMaxSessionVersionScript = redis.NewScript(`
|
||||
@@ -42,6 +47,13 @@ return next_number
|
||||
|
||||
const sessionVersionFallbackTTL = 30 * 24 * time.Hour
|
||||
|
||||
// refreshRotationGraceTTL keeps a rotated refresh token usable for a short
|
||||
// window so concurrent refreshes (e.g. multiple browser tabs racing with the
|
||||
// same token) each obtain a valid new pair instead of being logged out.
|
||||
const refreshRotationGraceTTL = 60 * time.Second
|
||||
|
||||
const rotationGracePrefix = "grace:"
|
||||
|
||||
type SessionStore struct {
|
||||
rdb *redis.Client
|
||||
fallback *memorySessionStore
|
||||
@@ -71,10 +83,20 @@ func (s *SessionStore) GetRefresh(ctx context.Context, jti string) (string, erro
|
||||
if s.rdb != nil {
|
||||
value, err := s.rdb.Get(ctx, key).Result()
|
||||
if err == nil {
|
||||
if strings.HasPrefix(value, rotationGracePrefix) {
|
||||
return "", ErrRefreshSessionNotFound
|
||||
}
|
||||
return value, nil
|
||||
}
|
||||
}
|
||||
return s.fallback.get(key)
|
||||
value, err := s.fallback.get(key)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if strings.HasPrefix(value, rotationGracePrefix) {
|
||||
return "", ErrRefreshSessionNotFound
|
||||
}
|
||||
return value, nil
|
||||
}
|
||||
|
||||
func (s *SessionStore) DeleteRefresh(ctx context.Context, jti string) error {
|
||||
@@ -104,6 +126,7 @@ func (s *SessionStore) RotateRefresh(ctx context.Context, oldJTI, oldHash, newJT
|
||||
oldHash,
|
||||
newHash,
|
||||
ttl.Milliseconds(),
|
||||
refreshRotationGraceTTL.Milliseconds(),
|
||||
).Int()
|
||||
if err != nil {
|
||||
return s.fallback.rotate(oldKey, oldHash, newKey, newHash, ttl)
|
||||
@@ -298,10 +321,17 @@ func (s *memorySessionStore) rotate(oldKey, oldHash, newKey, newHash string, ttl
|
||||
delete(s.items, oldKey)
|
||||
return ErrRefreshSessionNotFound
|
||||
}
|
||||
if item.value != oldHash {
|
||||
switch item.value {
|
||||
case oldHash:
|
||||
s.items[oldKey] = memorySessionItem{
|
||||
value: rotationGracePrefix + oldHash,
|
||||
expiresAt: time.Now().Add(refreshRotationGraceTTL),
|
||||
}
|
||||
case rotationGracePrefix + oldHash:
|
||||
// Already rotated within the grace window; keep the marker as-is.
|
||||
default:
|
||||
return ErrRefreshTokenMismatch
|
||||
}
|
||||
delete(s.items, oldKey)
|
||||
if ttl > 0 {
|
||||
s.items[newKey] = memorySessionItem{
|
||||
value: newHash,
|
||||
|
||||
Reference in New Issue
Block a user