fix(auth): add config lock around migration methods (#4447)
Per code audit #4388: Wrap _migrate_single_user and _drop_reserved_loaded_users with _config_lock to ensure atomic config reads/writes and prevent potential race conditions during concurrent access. This is a defense-in-depth fix - these methods run at startup before concurrent requests are accepted, but adding the lock makes the code consistent with other config mutations.
+12
-10
@@ -176,16 +176,17 @@ class AuthManager:
|
|||||||
)
|
)
|
||||||
old_user = "admin"
|
old_user = "admin"
|
||||||
old_hash = self._config["password_hash"]
|
old_hash = self._config["password_hash"]
|
||||||
self._config = {
|
with self._config_lock:
|
||||||
"users": {
|
self._config = {
|
||||||
old_user: {
|
"users": {
|
||||||
"password_hash": old_hash,
|
old_user: {
|
||||||
"created": time.time(),
|
"password_hash": old_hash,
|
||||||
"is_admin": True,
|
"created": time.time(),
|
||||||
|
"is_admin": True,
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
self._save()
|
||||||
self._save()
|
|
||||||
logger.info(f"Migrated single-user auth to multi-user (admin: {old_user})")
|
logger.info(f"Migrated single-user auth to multi-user (admin: {old_user})")
|
||||||
|
|
||||||
def _drop_reserved_loaded_users(self):
|
def _drop_reserved_loaded_users(self):
|
||||||
@@ -204,8 +205,9 @@ class AuthManager:
|
|||||||
continue
|
continue
|
||||||
normalized[key] = data
|
normalized[key] = data
|
||||||
if removed or normalized != users:
|
if removed or normalized != users:
|
||||||
self._config["users"] = normalized
|
with self._config_lock:
|
||||||
self._save()
|
self._config["users"] = normalized
|
||||||
|
self._save()
|
||||||
if removed:
|
if removed:
|
||||||
logger.warning(
|
logger.warning(
|
||||||
"Removed reserved username(s) from auth config: %s",
|
"Removed reserved username(s) from auth config: %s",
|
||||||
|
|||||||
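Review bot: The lock in the second hunk covers only the write-back, not the read of `self._config["users"]` and the loop that builds `normalized` from it above the hunk (the start of `_drop_reserved_loaded_users` is outside the hunk), so a concurrent change made between that read and `self._config["users"] = normalized` would be overwritten by the stale snapshot; the first hunk has the same shape, with `old_hash = self._config["password_hash"]` read before `with self._config_lock:` is entered. If the intent is an atomic read-modify-write rather than just serialising the write, the `with self._config_lock:` should open before the first read of `self._config` in each method, so the check `if removed or normalized != users:` is evaluated under the same lock that publishes the result. Whether `_save()` itself acquires `_config_lock` is not visible here; if it does and the lock is a plain `threading.Lock`, calling it inside the new `with` block would deadlock, so it is worth confirming the lock is an `RLock` or that `_save()` expects the caller to hold it, and recording that expectation in a short comment on `_save()`.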