{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":96946735,"defaultBranch":"main","name":"Conduit","ownerLogin":"mindbody","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-07-11T23:55:27.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/1529724?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1719571756.0","currentOid":""},"activityList":{"items":[{"before":"62ec0e6362cbe7fdb29663d3788d89b42562faab","after":"8cf0985ef16102d690c35fa1f6023b7f43f42a2b","ref":"refs/heads/Task/1331575-Update-Refresh-Token-Call-to-5-minutes","pushedAt":"2024-06-28T10:50:43.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"amrutakamat-mindbody","name":null,"path":"/amrutakamat-mindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/145741623?s=80&v=4"},"commit":{"message":"T 1331575: Updated Refresh Token API minimumExpirationTime to 5 minutes","shortMessageHtmlLink":"T 1331575: Updated Refresh Token API minimumExpirationTime to 5 minutes"}},{"before":null,"after":"62ec0e6362cbe7fdb29663d3788d89b42562faab","ref":"refs/heads/Task/1331575-Update-Refresh-Token-Call-to-5-minutes","pushedAt":"2024-06-28T10:49:16.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"amrutakamat-mindbody","name":null,"path":"/amrutakamat-mindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/145741623?s=80&v=4"},"commit":{"message":"(Task AB#1268089) | [Token Refresh Flow] Defer token store unlock until refresh response action occurs (#168)\n\n- [z] I've read, understood, and done my best to follow the [*CONTRIBUTING guidelines*](https://github.com/mindbody/conduit/blob/master/CONTRIBUTING.md).\r\n\r\nThis pull request includes (pick all that apply):\r\n\r\n- [x] Bugfixes\r\n- [ ] New features\r\n- [ ] Breaking changes\r\n- [ ] Documentation updates\r\n- [ ] Unit tests\r\n- [ ] Other\r\n\r\n### Summary\r\nThe goal of this pull 
request is to ensure that during a token refresh, the token store lock stays engaged until after any token store I/O resulting from the outcome of the token refresh has occurred. \r\n\r\nPresently the token store lock disengages immediately after a token refresh response is received _but before_ any actions are taken on the token store (such as saving the new token to the token store). This, theoretically, could allow premature token store access before the outcome of the token refresh call has had a chance to propagate its result to the token store. If this were to occur, the premature access would result in the token store returning a token that was just burnt by the token refresh call, resulting in call failure due to either an access token that's no longer valid, or a refresh token that was just used.\r\n\r\n### Implementation\r\nMove & split the disengagement of the token store lock from where it is now (executing immediately after receiving a refresh response), into two places: \r\n1) In the case of a token refresh success, the token store unlock now occurs directly after the new token is stored to the token store.\r\n2) In the case of a token refresh failure, the token store unlock now occurs directly after the previous token is purged from the token store.\r\n\r\n### Test Plan\r\nInduce token refreshes in any client apps that consume this framework & ensure regular functionality is observed. 
I have been testing these changes in MBApp while hunting down a refresh token race condition and all is working as expected","shortMessageHtmlLink":"(Task AB#1268089) | [Token Refresh Flow] Defer token store unlock unt…"}},{"before":null,"after":"c203f19d86a06f771e92625c1b6bb933264fb708","ref":"refs/heads/pbi/1293209-id_token-support","pushedAt":"2024-03-12T23:22:41.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"bartpowers","name":null,"path":"/bartpowers","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/12663670?s=80&v=4"},"commit":{"message":"Add tests and id token to Bearer Token","shortMessageHtmlLink":"Add tests and id token to Bearer Token"}},{"before":"00b678a46d81272fd966acdcb3909e09d9c87f23","after":null,"ref":"refs/heads/task/AB#1268089-delay-tokenstore-unlock-until-refresh-response-action-occurs","pushedAt":"2024-02-02T22:43:25.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"}},{"before":"8485e1fde387f961bb64161e2f9ecbf7cc77559c","after":"62ec0e6362cbe7fdb29663d3788d89b42562faab","ref":"refs/heads/main","pushedAt":"2024-02-02T22:43:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"},"commit":{"message":"(Task AB#1268089) | [Token Refresh Flow] Defer token store unlock until refresh response action occurs (#168)\n\n- [z] I've read, understood, and done my best to follow the [*CONTRIBUTING guidelines*](https://github.com/mindbody/conduit/blob/master/CONTRIBUTING.md).\r\n\r\nThis pull request includes (pick all that apply):\r\n\r\n- [x] Bugfixes\r\n- [ ] New features\r\n- [ ] Breaking changes\r\n- [ ] Documentation updates\r\n- [ ] Unit tests\r\n- [ ] Other\r\n\r\n### Summary\r\nThe goal of this pull 
request is to ensure that during a token refresh, the token store lock stays engaged until after any token store I/O resulting from the outcome of the token refresh has occurred. \r\n\r\nPresently the token store lock disengages immediately after a token refresh response is received _but before_ any actions are taken on the token store (such as saving the new token to the token store). This, theoretically, could allow premature token store access before the outcome of the token refresh call has had a chance to propagate its result to the token store. If this were to occur, the premature access would result in the token store returning a token that was just burnt by the token refresh call, resulting in call failure due to either an access token that's no longer valid, or a refresh token that was just used.\r\n\r\n### Implementation\r\nMove & split the disengagement of the token store lock from where it is now (executing immediately after receiving a refresh response), into two places: \r\n1) In the case of a token refresh success, the token store unlock now occurs directly after the new token is stored to the token store.\r\n2) In the case of a token refresh failure, the token store unlock now occurs directly after the previous token is purged from the token store.\r\n\r\n### Test Plan\r\nInduce token refreshes in any client apps that consume this framework & ensure regular functionality is observed. 
I have been testing these changes in MBApp while hunting down a refresh token race condition and all is working as expected","shortMessageHtmlLink":"(Task AB#1268089) | [Token Refresh Flow] Defer token store unlock unt…"}},{"before":null,"after":"00b678a46d81272fd966acdcb3909e09d9c87f23","ref":"refs/heads/task/AB#1268089-delay-tokenstore-unlock-until-refresh-response-action-occurs","pushedAt":"2024-01-31T12:49:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"},"commit":{"message":"Moved individual endTokenRefresh's calls based on refresh outcome to shared call\n\n- Removed some `self` references\n- Added comment","shortMessageHtmlLink":"Moved individual endTokenRefresh's calls based on refresh outcome to …"}},{"before":"00b678a46d81272fd966acdcb3909e09d9c87f23","after":null,"ref":"refs/heads/bugfix/AB#1268089-token-refresh-race-condition-refresh-token-double-use","pushedAt":"2024-01-31T12:48:25.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"}},{"before":"28df4044944c9be3ca45372f85b39334fc213e5e","after":"00b678a46d81272fd966acdcb3909e09d9c87f23","ref":"refs/heads/bugfix/AB#1268089-token-refresh-race-condition-refresh-token-double-use","pushedAt":"2024-01-29T16:50:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"},"commit":{"message":"Moved individual endTokenRefresh's calls based on refresh outcome to shared call\n\n- Removed some `self` references\n- Added comment","shortMessageHtmlLink":"Moved individual endTokenRefresh's calls based on refresh outcome to 
…"}},{"before":null,"after":"28df4044944c9be3ca45372f85b39334fc213e5e","ref":"refs/heads/bugfix/AB#1268089-token-refresh-race-condition-refresh-token-double-use","pushedAt":"2024-01-24T20:11:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"brettwellmanmbo","name":"Brett Wellman","path":"/brettwellmanmbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3410957?s=80&v=4"},"commit":{"message":"Modify OAuth2 request middleware to delay token storage unlock until after new token stored or old token deleted\n\nCurrently the token store unlock occurs directly after the token refresh call completes, but prior to the new token being stored or the old token being deleted. In situations with a high volume of asynchronous calls occurring leading up to the token refresh flow initiating, a race condition can occur upon token store unlock whereby a subsequent token refresh call that was queued then immediately retrieves the previous refresh token from the unlocked token store before the new refresh token has had a chance to be written to the token store.\nThe resulting token refresh API call attempt using a burnt/no longer valid refresh token results in a 400 level error (e.g. 
'invalid_grant' ) from the OAuth2 identity server.","shortMessageHtmlLink":"Modify OAuth2 request middleware to delay token storage unlock until …"}},{"before":"4587fa45cb2e56f92bdefa777a852de9baa94776","after":null,"ref":"refs/heads/Task/1250801-Conduit-library-Enhance-Security-by-Removing-`#file`-Usage","pushedAt":"2023-09-15T10:10:54.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"AnshulMindbody","name":"Anshul Jain","path":"/AnshulMindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/63385254?s=80&v=4"}},{"before":"5fa6640a3cd5bfff567c92350fbda64dc4544702","after":"8485e1fde387f961bb64161e2f9ecbf7cc77559c","ref":"refs/heads/main","pushedAt":"2023-09-15T10:10:53.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"AnshulMindbody","name":"Anshul Jain","path":"/AnshulMindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/63385254?s=80&v=4"},"commit":{"message":"T 1250801: Conduit library Enhance Security by Removing `#file` Usage (#167)\n\n* T 1250801: Conduit library Enhance Security by Removing `#file` Usage","shortMessageHtmlLink":"T 1250801: Conduit library Enhance Security by Removing #file Usage ("}},{"before":"b1a572987d096f1dfbf5fba7d192f3af46e49391","after":"4587fa45cb2e56f92bdefa777a852de9baa94776","ref":"refs/heads/Task/1250801-Conduit-library-Enhance-Security-by-Removing-`#file`-Usage","pushedAt":"2023-09-15T09:52:51.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"AnshulMindbody","name":"Anshul Jain","path":"/AnshulMindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/63385254?s=80&v=4"},"commit":{"message":"updated the swift-tools-version:5.4 and path","shortMessageHtmlLink":"updated the swift-tools-version:5.4 and 
path"}},{"before":null,"after":"b1a572987d096f1dfbf5fba7d192f3af46e49391","ref":"refs/heads/Task/1250801-Conduit-library-Enhance-Security-by-Removing-`#file`-Usage","pushedAt":"2023-09-13T16:34:56.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"AnshulMindbody","name":"Anshul Jain","path":"/AnshulMindbody","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/63385254?s=80&v=4"},"commit":{"message":"T 1250801: Conduit library Enhance Security by Removing `#file` Usage","shortMessageHtmlLink":"T 1250801: Conduit library Enhance Security by Removing #file Usage"}},{"before":"c5ea3ba5f00d7c9d9cc9ee0069218cceca9a0668","after":null,"ref":"refs/heads/origin/task/opsgenie_crash_analysis","pushedAt":"2023-08-17T05:43:00.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"himanshunamdeoMB","name":null,"path":"/himanshunamdeoMB","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/111865842?s=80&v=4"}},{"before":null,"after":"c5ea3ba5f00d7c9d9cc9ee0069218cceca9a0668","ref":"refs/heads/origin/task/opsgenie_crash_analysis","pushedAt":"2023-08-16T07:44:27.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"himanshunamdeoMB","name":null,"path":"/himanshunamdeoMB","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/111865842?s=80&v=4"},"commit":{"message":"Test branch for recreating a crash due to expired token","shortMessageHtmlLink":"Test branch for recreating a crash due to expired token"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEccLLzwA","startCursor":null,"endCursor":null}},"title":"Activity · mindbody/Conduit"}