fix(auth): add config lock around migration methods (#4447)

Per code audit #4388: Wrap _migrate_single_user and _drop_reserved_loaded_users with _config_lock to ensure atomic config reads/writes and prevent potential race conditions during concurrent access. This is a defense-in-depth fix - these methods run at startup before concurrent requests are accepted, but adding the lock makes the code consistent with other config mutations.
2026-06-28 07:35:27 -04:00 · 2026-06-27 00:05:11 +05:30
parent d4cd6d60f1
commit a9b208f470
1 changed files with 12 additions and 10 deletions
@@ -176,16 +176,17 @@ class AuthManager:
                )
                old_user = "admin"
            old_hash = self._config["password_hash"]
-            self._config = {
-                "users": {
-                    old_user: {
-                        "password_hash": old_hash,
-                        "created": time.time(),
-                        "is_admin": True,
+            with self._config_lock:
+                self._config = {
+                    "users": {
+                        old_user: {
+                            "password_hash": old_hash,
+                            "created": time.time(),
+                            "is_admin": True,
+                        }
                    }
                }
-            }
-            self._save()
+                self._save()
            logger.info(f"Migrated single-user auth to multi-user (admin: {old_user})")

    def _drop_reserved_loaded_users(self):
@@ -204,8 +205,9 @@ class AuthManager:
                continue
            normalized[key] = data
        if removed or normalized != users:
-            self._config["users"] = normalized
-            self._save()
+            with self._config_lock:
+                self._config["users"] = normalized
+                self._save()
        if removed:
            logger.warning(
                "Removed reserved username(s) from auth config: %s",