Fix race condition in OAuth2AccessToken.is_valid() causing HTTP 500

DenisKoleda · john-westcott-iv · commit 21b7066c369e · 2026-02-26T13:39:27.000-05:00
Replace save(update_fields=['last_used']) with QuerySet.update() to avoid
DatabaseError when concurrent requests try to update the same token's
last_used timestamp.

The previous implementation could fail with:
django.db.utils.DatabaseError: Save with update_fields did not affect any rows.

This happened because between exists() check and save() call, another
process could modify the row, causing save() to affect 0 rows and raise
an exception. QuerySet.update() handles this gracefully by simply
returning 0 affected rows without raising an error.
diff --git a/ansible_base/oauth2_provider/models/access_token.py b/ansible_base/oauth2_provider/models/access_token.py
@@ -82,8 +82,7 @@ def is_valid(self, scopes=None):
             self.last_used = now()
 
             def _update_last_used():
-                if OAuth2AccessToken.objects.filter(pk=self.pk).exists():
-                    self.save(update_fields=['last_used'])
+                OAuth2AccessToken.objects.filter(pk=self.pk).update(last_used=self.last_used)
 
             connection.on_commit(_update_last_used)
         return valid
