
Commit 65aa793

committed
refactor: review linting
Signed-off-by: Josh Wulf <josh.wulf@camunda.com>
1 parent fcd62a8 commit 65aa793

3 files changed

Lines changed: 9 additions & 5 deletions


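--- a/README.md
+++ b/README.md
@@ -217,7 +217,7 @@ Camunda SaaS continues returning `401 Unauthorized` for a misconfigured credenti
 
 Behavior:
 
-- First `401` for `(clientId, clientSecret, audienceType)` creates `oauth-401-tarpit-<clientId>-<audience>-<hash>.json` in the cache directory (`$HOME/.camunda` by default). `<hash>` is a truncated SHA-256 of the secret.
+- First `401` for `(clientId, clientSecret, audienceType)` creates `oauth-401-tarpit-<clientId>-<audience>-<hash>.json` in the cache directory (`$HOME/.camunda` by default). `<hash>` is a truncated PBKDF2 (100K iterations) hash of the secret.
 - Subsequent `getHeaders()` calls for that tuple immediately throw a tarpit error without hitting the token endpoint.
 - The tarpit does not auto-expire.
 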
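--- a/src/__tests__/oauth/OAuthProvider.401-memoization.unit.spec.ts
+++ b/src/__tests__/oauth/OAuthProvider.401-memoization.unit.spec.ts
@@ -85,9 +85,11 @@ describe('OAuthProvider SaaS persistent 401 tarpit', () => {
 )
 .toString('hex')
 .slice(0, 16)
+const clientId = 'ZEEBE'
+const audienceType = 'ZEEBE'
 const tarpitFile = path.join(
 cacheDir,
-`oauth-401-tarpit-ZEEBE-ZEEBE-${hash}.json`
+`oauth-401-tarpit-${clientId}-${audienceType}-${hash}.json`
 )
 expect(fs.existsSync(tarpitFile)).toBe(true)
 server.close()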
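Review bot: `clientId` and `audienceType` are both set to `'ZEEBE'`, so the `tarpitFile` assertion still passes if the provider ever writes the two filename segments in the wrong order. The constants are also declared after the hash is computed, and the provider setup is outside this hunk, so nothing visible here ties them to the values the provider was actually configured with. If the test allows it, declare them once before the provider is constructed, pass them into its configuration, and give the client id a value distinct from the audience, so the expected filename follows the real inputs. The test body starts and ends outside the hunk.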

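--- a/src/oauth/lib/OAuthProvider.ts
+++ b/src/oauth/lib/OAuthProvider.ts
@@ -365,6 +365,8 @@ export class OAuthProvider implements IHeadersProvider {
 timestamp: Date.now(),
 error: e,
 }
+// Suppress token endpoint backoff/failure counters for permanent SaaS 401 responses.
+// This ensures we do not apply retry delays for credentials that are permanently invalid.
 this.failed = false
 delete this.inflightTokenRequests[credentialKey]
 return reject(e)
@@ -786,14 +788,14 @@ export class OAuthProvider implements IHeadersProvider {
 fs.unlinkSync(file)
 }
 // Best-effort in-memory cleanup for existing instances
-for (const inst of OAuthProvider.instances ?? []) {
+for (const inst of OAuthProvider.instances) {
 try {
-inst.tarpit401?.delete(file)
+inst.tarpit401.delete(file)
 const credentialKey = inst.getCredentialAudienceKey({
 clientId,
 audienceType,
 })
-delete inst.memoized401?.[credentialKey]
+delete inst.memoized401[credentialKey]
 } catch (_) {
 /* ignore */
 }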
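Review bot: In the second hunk, `inst.tarpit401.delete(file)` no longer tolerates a missing map, and any throw there is swallowed by `catch (_) { /* ignore */ }` before `delete inst.memoized401[credentialKey]` runs. That instance would then keep its memoized 401 and go on rejecting a corrected credential in memory after the tarpit file has been removed. The `for (const inst of OAuthProvider.instances)` line is also outside the `try`, so an unset `instances` would now throw out of the clear routine instead of being skipped. If all three fields are always initialised (their declarations are not in this hunk), record that next to the loop, e.g. `// instances, tarpit401 and memoized401 are always initialised; the catch only guards getCredentialAudienceKey`; otherwise log the caught error rather than ignoring it so a skipped cleanup is visible. The enclosing method starts and ends outside the hunk.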
