
stacklok / toolhive / 28191000743

25 Jun 2026 06:14PM UTC coverage: 67.327% (+0.07%) from 67.253%

push · github · web-flow
Dedup upstream-token refresh on a shared refresher (#5635)

Two code paths refresh an expired upstream token for the same
(session, provider): the runtime token-swap path, which deduplicated
concurrent refreshes through a singleflight.Group, and the
authorization-chain walk, which called the refresher directly,
outside that group. The refresher was also reallocated on every call,
so the group could never have deduplicated across callers regardless.

That gap matters because most corporate IdPs rotate refresh tokens and
detect reuse. Two callers can redeem the same stored token at once:

              RT(v1) in storage
  chain-walk refresh   --read v1--+   (NOT in the singleflight group)
  runtime swap refresh --read v1--+
                                  v
  both POST RT(v1) to the IdP
        +- one rotates -> RT(v2)
        +- other replays v1 -> reuse detection -> family revoked

The IdP treats the replayed token as a breach and revokes the entire
token family, silently logging the user out of that upstream.

Construct a single shared refresher in newServer, move the
singleflight.Group (and the detached-context refresh timeout) onto it,
and have both the chain walk and the runtime path use that one
instance. Concurrent refreshes of the same (session, provider) now
collapse to a single redemption; distinct keys stay independent.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
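
The race in the commit message and the shared-refresher fix, as an added example (not toolhive's own code): a constructed IdP that rotates refresh tokens and revokes the family on reuse, a single token-storage entry, and a sharedRefresher whose dedup group is keyed by (session, provider). flightGroup is a small stand-in with the same Do(key, fn) semantics as golang.org/x/sync/singleflight.Group so the block runs without a dependency; fakeIdP, the rt-v1/rt-v2 tokens and the sess-1/corp-idp key are constructed for the demo, and the detached-context refresh timeout the commit mentions is left out. One thing here goes beyond the commit: Refresh re-reads storage once it holds the flight and returns the already-rotated token if another caller got there first, which is what keeps a late second caller from redeeming a stale token after the first flight has finished.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

type refreshKey struct{ session, provider string } // the (session, provider) pair a refresh is deduplicated on

// fakeIdP is a constructed stand-in for a corporate IdP that rotates refresh tokens and revokes the family on reuse.
type fakeIdP struct {
	mu      sync.Mutex
	current string // the only refresh token the IdP will accept; "" once the family is revoked
	redeems int    // redemption requests received
}

func (p *fakeIdP) Redeem(rt string) (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.redeems++
	if p.current == "" || rt != p.current { // reuse detection: a replayed token is treated as a breach
		p.current = ""
		return "", fmt.Errorf("refresh token %q rejected: family revoked", rt)
	}
	p.current = fmt.Sprintf("rt-v%d", p.redeems+1) // rotate: v1 -> v2 on the first redemption
	return p.current, nil
}

// flight and flightGroup are a minimal stand-in for golang.org/x/sync/singleflight.Group: Do runs fn for k unless a call for k is already in flight, in which case it waits and shares that result.
type flight struct {
	done chan struct{}
	val  string
	err  error
}
type flightGroup struct {
	mu sync.Mutex
	m  map[refreshKey]*flight
}

func (g *flightGroup) Do(k refreshKey, fn func() (string, error)) (string, error) {
	g.mu.Lock()
	if f, ok := g.m[k]; ok {
		g.mu.Unlock()
		<-f.done
		return f.val, f.err
	}
	f := &flight{done: make(chan struct{})}
	g.m[k] = f
	g.mu.Unlock()
	f.val, f.err = fn() // leader: run fn, unregister the key, then release the waiters
	g.mu.Lock()
	delete(g.m, k)
	g.mu.Unlock()
	close(f.done)
	return f.val, f.err
}

type sharedRefresher struct {
	idp   *fakeIdP
	store *atomic.Pointer[string] // stands in for per-(session, provider) token storage; one entry in this demo
	group flightGroup             // built once per server, so every caller dedups through this one group
}

// Refresh collapses concurrent refreshes of k into one redemption; if storage already moved past observed, another caller rotated the token and it is returned without touching the IdP.
func (r *sharedRefresher) Refresh(k refreshKey, observed string) (string, error) {
	return r.group.Do(k, func() (string, error) {
		if cur := *r.store.Load(); cur != observed {
			return cur, nil
		}
		next, err := r.idp.Redeem(observed)
		if err == nil {
			r.store.Store(&next)
		}
		return next, err
	})
}

// race models the chain-walk and runtime-swap paths both holding RT(v1) before either contacts the IdP: shared=false is the pre-fix shape (each path redeems what it read), shared=true routes both through Refresh.
func race(shared bool) (redeems int, revoked bool, stored string) {
	v1 := "rt-v1"
	r := &sharedRefresher{idp: &fakeIdP{current: v1}, store: new(atomic.Pointer[string]), group: flightGroup{m: map[refreshKey]*flight{}}}
	r.store.Store(&v1)
	var done sync.WaitGroup
	done.Add(2)
	for i := 0; i < 2; i++ {
		go func() {
			defer done.Done()
			if shared {
				_, _ = r.Refresh(refreshKey{session: "sess-1", provider: "corp-idp"}, v1)
			} else if next, err := r.idp.Redeem(v1); err == nil {
				r.store.Store(&next)
			}
		}()
	}
	done.Wait()
	return r.idp.redeems, r.idp.current == "", *r.store.Load()
}
```

race(false) reports two redemptions and a revoked family: one path rotates v1 to v2 and the other replays v1. race(true) reports a single redemption, no revocation, and rt-v2 in storage, whether the second caller arrived while the first flight was running (it shares the leader's result) or after it finished (the re-check finds storage already moved past v1).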

25 of 27 new or added lines in 3 files covered. (92.59%)

9 existing lines in 4 files now uncovered.

69410 of 103094 relevant lines covered (67.33%)

65.49 hits per line

Source File

81.13%  /pkg/transport/proxy/httpsse/http_proxy.go

Source Not Available


© 2026 Coveralls, Inc