forked from mystiq/dex
fix: do not update offlinesession lastUsed field if refresh token was not change
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
parent
c319983ecc
commit
9fad0602ec
3 changed files with 11 additions and 8 deletions
|
@ -227,16 +227,13 @@ func (s *Server) updateRefreshToken(token *internal.RefreshToken, refresh *stora
|
||||||
|
|
||||||
lastUsed := s.now()
|
lastUsed := s.now()
|
||||||
|
|
||||||
rerr := s.updateOfflineSession(refresh, ident, lastUsed)
|
|
||||||
if rerr != nil {
|
|
||||||
return nil, rerr
|
|
||||||
}
|
|
||||||
|
|
||||||
refreshTokenUpdater := func(old storage.RefreshToken) (storage.RefreshToken, error) {
|
refreshTokenUpdater := func(old storage.RefreshToken) (storage.RefreshToken, error) {
|
||||||
if s.refreshTokenPolicy.RotationEnabled() {
|
if s.refreshTokenPolicy.RotationEnabled() {
|
||||||
if old.Token != token.Token {
|
if old.Token != token.Token {
|
||||||
if s.refreshTokenPolicy.AllowedToReuse(old.LastUsed) && old.ObsoleteToken == token.Token {
|
if s.refreshTokenPolicy.AllowedToReuse(old.LastUsed) && old.ObsoleteToken == token.Token {
|
||||||
newToken.Token = old.Token
|
newToken.Token = old.Token
|
||||||
|
// Do not update last used time for offline session if token is allowed to be reused
|
||||||
|
lastUsed = old.LastUsed
|
||||||
return old, nil
|
return old, nil
|
||||||
}
|
}
|
||||||
return old, errors.New("refresh token claimed twice")
|
return old, errors.New("refresh token claimed twice")
|
||||||
|
@ -268,6 +265,11 @@ func (s *Server) updateRefreshToken(token *internal.RefreshToken, refresh *stora
|
||||||
return nil, newInternalServerError()
|
return nil, newInternalServerError()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rerr := s.updateOfflineSession(refresh, ident, lastUsed)
|
||||||
|
if rerr != nil {
|
||||||
|
return nil, rerr
|
||||||
|
}
|
||||||
|
|
||||||
return newToken, nil
|
return newToken, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
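Review bot: The reuse branch in the first hunk writes to the captured variable (`lastUsed = old.LastUsed`), and that value is only read after the storage call, by the moved `s.updateOfflineSession(refresh, ident, lastUsed)` in the second hunk, so the result depends on the updater closure running exactly once. If a storage backend invokes the updater again after a conflict (the Kubernetes client's `retryOnConflict` re-runs its action, though whether the updater sits inside that action is not visible here), a value set by an earlier invocation would persist even when the final invocation takes the rotation path. Resetting it on entry, e.g. `lastUsed = s.now()` as the closure's first statement, would make the outcome independent of how often the closure is called. Separately, a failing `updateOfflineSession` now returns `nil, rerr` after the preceding storage step has already succeeded, so a comment stating that this ordering is intentional would help; with rotation enabled the client presumably has to rely on the reuse window to recover. The body of `updateRefreshToken` begins and continues outside both hunks.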
|
@ -740,13 +740,14 @@ func retryOnConflict(ctx context.Context, action func() error) error {
|
||||||
for {
|
for {
|
||||||
select {
|
select {
|
||||||
case <-time.After(getNextStep()):
|
case <-time.After(getNextStep()):
|
||||||
if err := action(); err == nil || !isKubernetesAPIConflictError(err) {
|
err := action()
|
||||||
|
if err == nil || !isKubernetesAPIConflictError(err) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
attempts++
|
attempts++
|
||||||
if attempts >= 4 {
|
if attempts >= 4 {
|
||||||
return errors.New("maximum timeout reached while retrying a conflicted request")
|
return fmt.Errorf("maximum timeout reached while retrying a conflicted request: %w", err)
|
||||||
}
|
}
|
||||||
case <-ctx.Done():
|
case <-ctx.Done():
|
||||||
return errors.New("canceled")
|
return errors.New("canceled")
|
||||||
|
|
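Review bot: The `ctx.Done()` branch still returns `errors.New("canceled")`, so after this change only the conflict path carries its cause; `return fmt.Errorf("canceled: %w", ctx.Err())` would let callers use `errors.Is` against `context.Canceled` or `context.DeadlineExceeded`. The wrapped conflict error now includes the API server's response text (the updated test expects `Conflict: response from server ""`), so callers should log this error and hand HTTP clients a generic one rather than echo it. The start of `retryOnConflict` and the end of its loop lie outside the hunk.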
|
@ -262,7 +262,7 @@ func TestRetryOnConflict(t *testing.T) {
|
||||||
{
|
{
|
||||||
"Timeout reached",
|
"Timeout reached",
|
||||||
func() error { err := httpErr{status: 409}; return error(&err) },
|
func() error { err := httpErr{status: 409}; return error(&err) },
|
||||||
"maximum timeout reached while retrying a conflicted request",
|
"maximum timeout reached while retrying a conflicted request: Conflict: response from server \"\"",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"HTTP Error",
|
"HTTP Error",
|
||||||
|
|