fix(oxauth): corrected race condition during refresh token usage (4.5.5)

#1909
GluuFederation · Jul 31, 2024 · 8f337db · 8f337db
1 parent 7a2a819
commit 8f337db
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java
@@ -582,13 +582,20 @@ private TokenLdap lockRefreshToken(String refreshTokenCode) {
                         return null;
                     }
 
+                    final String lockKey = token.getAttributes().getAttributes().get("lockKey");
+                    if (StringUtils.isNotBlank(lockKey) && !NODE_ID.equals(lockKey)) {
+                        log.trace("Refresh token is already locked. Refresh Token {}, lockKey {}", refreshTokenCode, NODE_ID);
+                        return null;
+                    }
+
                     refreshTokenLocalLock.put(refreshTokenCode, token);
 
+                    log.trace("Trying to lock refresh token ... refresh token {}, lockKey {}", refreshTokenCode, NODE_ID);
                     token.getAttributes().getAttributes().put("lockKey", NODE_ID);
                     grantService.mergeSilently(token);
                     final TokenLdap tokenFromDb = grantService.getGrantByCode(refreshTokenCode);
                     if (NODE_ID.equals(tokenFromDb.getAttributes().getAttributes().get("lockKey"))) {
-                        log.trace("Successfully locked refresh token {}, attempt {}", refreshTokenCode, attempt);
+                        log.trace("Successfully locked refresh token {}, attempt {}, lockKey {}", refreshTokenCode, attempt, NODE_ID);
                         return token;
                     }