New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tokenmanager.appAccessTokenKey(appID)为固定参数，导致NewClient验证第二次传入的错误appsecret时绕过了服务端请求 #126

Open

yayayahei opened this issue Mar 4, 2024 · 1 comment

yayayahei commented Mar 4, 2024 •

edited

Loading

problem:
tokenmanager.appAccessTokenKey(appID)为固定参数，localCache为全局变量，appID对应的缓存不过期时，NewClient(appID,wrongSecret)，导致验证wrongSecret成功

want:
tokenmanager.appAccessTokenKey(appID) 加上随机码参数，通过client option传递进来，防止appID token被复用

yayayahei changed the title ~~tokenmanage.appAccessTokenKey(appID)为固定参数，导致NewClient验证第二次传入的错误appsecret时绕过了服务端请求~~ tokenmanager.appAccessTokenKey(appID)为固定参数，导致NewClient验证第二次传入的错误appsecret时绕过了服务端请求

idaaser commented Mar 14, 2024

是的，我在tenant access token的cache中也有类似的问题:

func tenantAccessTokenKey(appID, tenantKey string) string {
return fmt.Sprintf("%s-%s-%s", tenantAccessTokenKeyPrefix, appID, tenantKey)
}

在缓存有效期过期之前，可以使用错误的appsecret来复用有效的access_token.
建议缓存的key需要考虑把appsecret(或其转换后的hash) 当做key的一部分。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment