Access token leakage when reusing the client between users
legigor opened this issue · comments
Description
Reusing the github.Client instance between different users' sessions leads to leaking the access_token between sessions.
How to reproduce
This scenario works in a hosted service environment.
- Create a global client configured WithEnterpriseURLs
- For client requests, create a clone using WithAuthToken(userToken)
- All underlying API calls will be performed with the first used access_token, ignoring the other tokens
This test reproduces the issue
package github_test

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/google/go-github/v57/github"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func Test_github_access_token(t *testing.T) {
	// The fake API echoes the Authorization header back as "login", so each
	// response reveals which token the request was actually sent with.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		accessToken := r.Header.Get("Authorization")
		_, _ = fmt.Fprintf(w, `{"login": "%s"}`, accessToken)
	}))
	defer srv.Close()

	clientPreconfiguredWithURLs, err := github.NewClient(nil).WithEnterpriseURLs(srv.URL, srv.URL)
	require.NoError(t, err)
	aliseClient := clientPreconfiguredWithURLs.WithAuthToken("alise")
	bobClient := clientPreconfiguredWithURLs.WithAuthToken("bob")
	alise, _, err := aliseClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer alise", alise.GetLogin())
	bob, _, err := bobClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer bob", bob.GetLogin())
}
and the result
Error: Not equal:
expected: "Bearer bob"
actual : "Bearer alise"
Used environment
- go version go1.21.3 darwin/amd64
- github.com/google/go-github/v57 v57.0.0
- github.com/google/go-github/v57 v57.0.0 h1:L+Y3UPTY8ALM8x+TV0lg+IEBI+upibemtBD8Q9u7zHs=
- github.com/google/go-github/v57 v57.0.0/go.mod h1:s0omdnye0hvK/ecLvpsGfJMiRt85PimQh4oygmLIxHw=
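The following is an added, standalone model of one mechanism that produces exactly the symptom reported above, placed next to the safe pattern that avoids it. It is not code from go-github or from the issue author. That the library's clone shared the parent's *http.Client pointer and wrapped its Transport in place is an assumption drawn from the failing test and the fix branch's name ("leaky-client-transport-copy"), not something this thread states; the helper names (withBearer, leakyClone, safeClone, runScenario) and the X-Seen-Authorization echo header are invented for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// roundTripperFunc adapts a plain function to http.RoundTripper; this is the
// usual shape of a transport wrapper that injects an Authorization header.
type roundTripperFunc func(*http.Request) (*http.Response, error)

func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// withBearer wraps whatever Transport hc currently has so that every request
// goes out with "Bearer <token>". It mutates hc and returns it.
func withBearer(hc *http.Client, token string) *http.Client {
	base := hc.Transport
	if base == nil {
		base = http.DefaultTransport
	}
	hc.Transport = roundTripperFunc(func(req *http.Request) (*http.Response, error) {
		req = req.Clone(req.Context())
		req.Header.Set("Authorization", "Bearer "+token)
		return base.RoundTrip(req)
	})
	return hc
}

// leakyClone models the buggy pattern (an assumption about the library, see the
// lead-in): the "clone" keeps the parent's *http.Client pointer, so wrapping its
// Transport rewires the one client every clone shares.
func leakyClone(shared *http.Client, token string) *http.Client {
	return withBearer(shared, token)
}

// safeClone copies the http.Client by value before wrapping, so each clone owns
// its own Transport chain and the shared parent is never touched.
func safeClone(shared *http.Client, token string) *http.Client {
	own := *shared
	return withBearer(&own, token)
}

// authHeaderSeen performs one request and returns the Authorization header the
// server reports having received (echoed in a constructed response header).
func authHeaderSeen(hc *http.Client, url string) (string, error) {
	resp, err := hc.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Seen-Authorization"), nil
}

// runScenario builds one process-wide parent client (as a hosted service would),
// derives an "alice" and a "bob" clone with the given strategy, and returns the
// Authorization header the server saw for alice's request, then bob's.
func runScenario(clone func(*http.Client, string) *http.Client) ([]string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Authorization", r.Header.Get("Authorization"))
	}))
	defer srv.Close()

	parent := &http.Client{}
	alice := clone(parent, "alice")
	bob := clone(parent, "bob")

	var seen []string
	for _, hc := range []*http.Client{alice, bob} {
		h, err := authHeaderSeen(hc, srv.URL)
		if err != nil {
			return nil, err
		}
		seen = append(seen, h)
	}
	return seen, nil
}

func main() {
	leaky, err := runScenario(leakyClone)
	if err != nil {
		panic(err)
	}
	fmt.Println("shared *http.Client, wrapped in place:", leaky)

	safe, err := runScenario(safeClone)
	if err != nil {
		panic(err)
	}
	fmt.Println("http.Client copied before wrapping:  ", safe)
}
```

In the leaky run both requests arrive as "Bearer alice": bob's wrapper is installed around alice's, so it sets the header first and alice's inner wrapper overwrites it last, which is why the first token used wins regardless of which clone sends. The copy-before-wrap variant yields "Bearer alice" then "Bearer bob". A cheap regression check for any client library used this way is the one the issue author wrote: assert, against a fake server, that each derived client sends its own token, and additionally that the parent's Transport is unchanged after cloning.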
Have you tried the latest version after #3011?
So, I tried the new version, and the test still fails
github.com/google/go-github/v58 v58.0.0
github.com/google/go-github/v58 v58.0.0 h1:Una7GGERlF/37XfkPwpzYJe0Vp4dt2k1kCjlxwjIvzw=
github.com/google/go-github/v58 v58.0.0/go.mod h1:k4hxDKEfoWpSqFlc8LTpGd9fu2KrV1YAa6Hi6FmDNY4=
Also, I've tested it on master (ref e9f5269) and the test still fails with unexpected assertions.
👍 So, I confirm that the test PASSED when run on the branch https://github.com/gmlewis/go-github/tree/i3043-leaky-client-transport-copy
Thank you!
@gmlewis 👍 LGTM
I know it's too late, but I just wanted to express my appreciation :)