fix: stabilize OAuth storage bridge last-write-wins under rapid token rotation [IDE-2104] #1352

Open
basti-snyk wants to merge 1 commit into main from fix/IDE-2104-flake

@basti-snyk

Contributor

Summary

  • Fixes the flaky Test_RegisterOAuthStorageBridge_SerializesRapidTokenRotations (Windows CI, IDE-2104), where after rapid token rotations the first token was stored instead of the last.
  • Root cause: when credentialUpdateWorker writes a token via conf.Set, the persisted OAuth key re-fires the storage-bridge callback, which calls QueueCredentialUpdate again and re-enqueues the same token behind newer ones. On Windows (15 ms clock resolution) all rotation tokens share an expiry, so shouldUpdateToken lets the stale re-enqueued copy overwrite the final token (last-write-wins violation).
  • Fix: an atomic.Pointer[string] guard (writingToken). The worker marks the token it is applying (cleared via defer, so a panic cannot leave the guard armed) and QueueCredentialUpdate skips the re-entrant enqueue of that same token. A guard-drop is logged at Debug level (no token value).
  • Regression test rewritten to be deterministic with require.Never: RED without the guard, GREEN with it, across GOMAXPROCS 1/2/4.

Test plan

  • go test ./infrastructure/authentication/... -race green
  • Regression test proven RED-without-fix / GREEN-with-fix (50/50, -race, -cpu=1,2,4)
  • make test (full unit suite) green at this commit
  • CI integration + smoke suites (run on PR)

This fix was produced by an automated flake-fix loop.

… rotation [IDE-2104]

Test_RegisterOAuthStorageBridge_SerializesRapidTokenRotations flaked on
Windows CI: after three rapid token rotations the stored token was the
first instead of the last.

Root cause: when credentialUpdateWorker writes a token via conf.Set, the
persisted OAuth key re-fires the storage-bridge callback, which calls
QueueCredentialUpdate again and re-enqueues the same token behind newer
ones. On Windows (15ms clock resolution) all rotation tokens share an
expiry, so shouldUpdateToken lets the stale re-enqueued copy overwrite
the final token.

Fix: add an atomic.Pointer[string] guard (writingToken). The worker marks
the token it is applying (cleared via defer so a panic cannot leave it
armed) and QueueCredentialUpdate skips the re-entrant enqueue of that same
token. Add a deterministic regression test using require.Never that is RED
without the guard and GREEN with it across GOMAXPROCS 1/2/4.

Produced by an automated flake-fix loop.
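
The re-entrant enqueue and the guard described in the summary and commit message above, as an added Go sketch that is not code from this PR or its repository. It is a simplified single-goroutine model: `bridge`, `enqueue`, `apply` and `staleOverwrite` are hypothetical names, all tokens are assumed to share an expiry (so every write is accepted), and `maxSteps` stands in for the observation window of the regression test.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// bridge is a simplified single-goroutine model (an assumption), not the project's code.
type bridge struct {
	queue   []string               // pending credential updates, FIFO
	stored  string                 // token the config currently holds
	writing atomic.Pointer[string] // token the worker is applying right now
	guard   bool                   // false reproduces the pre-fix behaviour
}

// enqueue stands in for QueueCredentialUpdate and doubles as the storage callback.
func (b *bridge) enqueue(tok string) {
	if w := b.writing.Load(); b.guard && w != nil && *w == tok {
		return // echo of the worker's own write: drop it
	}
	b.queue = append(b.queue, tok)
}

// apply is one worker iteration: persisting the token re-fires the callback.
func (b *bridge) apply(tok string) {
	b.writing.Store(&tok)
	defer b.writing.Store(nil) // disarm even if the write panics
	b.stored = tok             // equal expiries: every token is accepted
	b.enqueue(tok)             // change notification from the store
}

// staleOverwrite reports whether the last rotation was ever replaced once stored.
func staleOverwrite(rotations []string, guard bool, maxSteps int) (bool, string) {
	b := &bridge{guard: guard, queue: append([]string(nil), rotations...)}
	last, sawLast, regressed := rotations[len(rotations)-1], false, false
	for i := 0; i < maxSteps && len(b.queue) > 0; i++ {
		tok := b.queue[0]
		b.queue = b.queue[1:]
		b.apply(tok)
		sawLast = sawLast || tok == last
		regressed = regressed || (sawLast && b.stored != last)
	}
	return regressed, b.stored
}

func main() {
	fmt.Println(staleOverwrite([]string{"t1", "t2", "t3"}, false, 4)) // true t1
	fmt.Println(staleOverwrite([]string{"t1", "t2", "t3"}, true, 4))  // false t3
}
```

Without the guard, the fourth worker step re-applies the echoed `t1` over `t3`; with it, the queue drains after three steps and `t3` stays stored.
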
@snyk-io

snyk-io Bot commented Jun 23, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@snyk-pr-review-bot


PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 10 relevant code sections from 6 files (average relevance: 0.99)
