Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-30 00:22:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth): add config lock around migration methods (#4447)

Browse Source 
Per code audit #4388: Wrap _migrate_single_user and
   _drop_reserved_loaded_users with _config_lock to ensure atomic
   config reads/writes and prevent potential race conditions during
   concurrent access.

   This is a defense-in-depth fix - these methods run at startup
   before concurrent requests are accepted, but adding the lock
   makes the code consistent with other config mutations.
This commit is contained in:
Sid
2026-06-27 00:05:11 +05:30
committed by GitHub
parent d4cd6d60f1
commit a9b208f470
1 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
core/auth.py
+2
View File
@@ -176,6 +176,7 @@ class AuthManager:
) )
old_user = "admin" old_user = "admin"
old_hash = self._config["password_hash"] old_hash = self._config["password_hash"]
with self._config_lock:
self._config = { self._config = {
"users": { "users": {
old_user: { old_user: {
@@ -204,6 +205,7 @@ class AuthManager:
continue continue
normalized[key] = data normalized[key] = data
if removed or normalized != users: if removed or normalized != users:
with self._config_lock:
self._config["users"] = normalized self._config["users"] = normalized
self._save() self._save()
if removed: if removed: