Commit 0e17d80
committed
estuary-cdk: serialize token fetches
Concurrent tasks can race to refresh an expiring token and can result in
401 responses depending on the source system's behavior. Each task
independently calls the OAuth2 token endpoint to obtain a new token
without any coordination between them. Some providers revoke the
previous token upon issuing a new one, so a task that received the first
new token finds it already revoked by the time it makes an API request
and can result in a `401` response that crashes the connector.
Fix by adding an asyncio.Lock to TokenSource.fetch_token(). The lock
serializes access to the check-and-refresh logic in the new _fetch_token
method. In the common case (cached token still valid), no await occurs
while the lock is held, so there is no actual contention. This _does_
serialize access for connectors that have non-expiring tokens too, but
those code paths contain no await points, so they were already
effectively atomic and the lock adds no meaningful overhead.1 parent e6a4737 commit 0e17d80
1 file changed
+11
-1
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
| 6 | + | |
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
| |||
277 | 277 | | |
278 | 278 | | |
279 | 279 | | |
| 280 | + | |
280 | 281 | | |
281 | 282 | | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
282 | 292 | | |
283 | 293 | | |
284 | 294 | | |
| |||
0 commit comments