fix(auth): add config lock around migration methods (#4447)

Per code audit #4388: Wrap _migrate_single_user and
   _drop_reserved_loaded_users with _config_lock to ensure atomic
   config reads/writes and prevent potential race conditions during
   concurrent access.

   This is a defense-in-depth fix - these methods run at startup
   before concurrent requests are accepted, but adding the lock
   makes the code consistent with other config mutations.
Sid
2026-06-27 00:05:11 +05:30
committed by GitHub
parent d4cd6d60f1
commit a9b208f470
+12 -10
@@ -176,16 +176,17 @@ class AuthManager:
) )
old_user = "admin" old_user = "admin"
old_hash = self._config["password_hash"] old_hash = self._config["password_hash"]
self._config = { with self._config_lock:
"users": { self._config = {
old_user: { "users": {
"password_hash": old_hash, old_user: {
"created": time.time(), "password_hash": old_hash,
"is_admin": True, "created": time.time(),
"is_admin": True,
}
} }
} }
} self._save()
self._save()
logger.info(f"Migrated single-user auth to multi-user (admin: {old_user})") logger.info(f"Migrated single-user auth to multi-user (admin: {old_user})")
def _drop_reserved_loaded_users(self): def _drop_reserved_loaded_users(self):
@@ -204,8 +205,9 @@ class AuthManager:
continue continue
normalized[key] = data normalized[key] = data
if removed or normalized != users: if removed or normalized != users:
self._config["users"] = normalized with self._config_lock:
self._save() self._config["users"] = normalized
self._save()
if removed: if removed:
logger.warning( logger.warning(
"Removed reserved username(s) from auth config: %s", "Removed reserved username(s) from auth config: %s",
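Review bot: The `with self._config_lock:` block in `_migrate_single_user` begins only after `old_hash = self._config["password_hash"]` has been read, so the read-then-replace sequence is still not atomic, although the description promises atomic config reads and writes. The second hunk has the same gap in `_drop_reserved_loaded_users`: the `normalized != users` comparison, and presumably the loop that builds `normalized`, runs before the lock is taken, so a concurrent change to the users map could be overwritten with a stale copy. I would acquire the lock before the first read in each method, i.e. move `with self._config_lock:` above `old_hash = self._config["password_hash"]` and above the point where `users` is first read from `self._config`. `_save()` is now called with the lock held and its body is not shown here, so confirm it does not acquire `_config_lock` itself unless the lock is a `threading.RLock`. Both method bodies start outside the visible hunks, so the exact placement needs checking against the full file.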