HGInsights / avalanche

Avalanche is an Elixir Snowflake Connector built on top of the Snowflake SQL API v2.
Apache License 2.0

TokenCache caches data based on priv_key only #47

Closed jojoca-appcues closed 3 months ago

jojoca-appcues commented 6 months ago

Describe the bug

When multiple users or accounts share the same priv_key, TokenCache will return the data associated with the first cached information.

To Reproduce

  1. Call fetch_token with an account, user and priv_key
  2. Verify the result is properly cached and generate a valid JWT
  3. Call fetch_token again with the same priv_key used above, but a different user or account
  4. Verify that the data returned will be the one associated with the first call.

Expected behavior

Each account/user/priv_key must have an independent key on the cache

PR with the suggested fix https://github.com/HGInsights/avalanche/pull/48

forest commented 6 months ago

If two users are using the same priv_key, which isn't a good practice anyway, why do you need to cache it twice? The key is the same, so why double cache it?

forest commented 6 months ago

Ah. I see. The token is cached with the user details, so the cache key needs to include that.

Not a great security practice to use the same key for multiple users, but I understand how it can be needed sometimes.
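
An added example, not part of the issue thread and not Avalanche's own code: a minimal token cache that reproduces the collision described in this issue, next to a cache key scoped to account, user and a fingerprint of the private key. The module name, function names and the `mint/2` token stand-in are hypothetical, and the key string is a constructed placeholder.

```elixir
# Added illustration; all names here are hypothetical, not Avalanche's API.
defmodule TokenCacheDemo do
  def start_link, do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  # Flawed cache key: only the private key identifies the entry, so every
  # account/user sharing that key maps to the same slot.
  def key_by_priv_key(_account, _user, priv_key), do: fingerprint(priv_key)

  # Scoped cache key: every input that ends up in the token is part of the key.
  # A tuple avoids delimiter ambiguity ("a.b" <> "c" vs "a" <> "b.c").
  def key_by_identity(account, user, priv_key),
    do: {account, user, fingerprint(priv_key)}

  # Return the cached token for the computed key, or mint and store one.
  def fetch_token(key_fun, account, user, priv_key) do
    key = key_fun.(account, user, priv_key)

    Agent.get_and_update(__MODULE__, fn cache ->
      case Map.fetch(cache, key) do
        {:ok, token} ->
          {token, cache}

        :error ->
          token = mint(account, user)
          {token, Map.put(cache, key, token)}
      end
    end)
  end

  # Hash the key material so the raw private key is never used as a map key.
  defp fingerprint(priv_key),
    do: :crypto.hash(:sha256, priv_key) |> Base.encode16(case: :lower)

  # Stand-in for JWT signing: the token only records whose identity it carries.
  defp mint(account, user), do: "token-for:#{account}.#{user}"
end

{:ok, _pid} = TokenCacheDemo.start_link()
shared_key = "constructed-placeholder-private-key"
flawed = &TokenCacheDemo.key_by_priv_key/3
scoped = &TokenCacheDemo.key_by_identity/3

# Flawed key: the second caller hits the entry created by the first caller.
IO.inspect(TokenCacheDemo.fetch_token(flawed, "acct1", "alice", shared_key))
IO.inspect(TokenCacheDemo.fetch_token(flawed, "acct1", "bob", shared_key))

# Scoped key: each account/user pair gets its own entry and its own token.
IO.inspect(TokenCacheDemo.fetch_token(scoped, "acct1", "alice", shared_key))
IO.inspect(TokenCacheDemo.fetch_token(scoped, "acct1", "bob", shared_key))
```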