Patreon / patreon-php

Interact with the Patreon API via OAuth
Apache License 2.0

request cache #71

Closed drcrack closed 4 years ago

drcrack commented 5 years ago

src/API.php:12

// The cache for request results - an array that matches md5 of the unique API request to the returned result
public static $request_cache;

should be non-static to prevent using the same cache for requests made from different instances with different access tokens OR access token should be a part of the md5 input

codebard commented 5 years ago

Indeed, that could benefit installations which may be serving more than one creator, or initiating more than one instance of the class for whatever reason.

I'll take a note of this. It'll likely be included in the next update.

codebard commented 4 years ago

@drcrack As I posted in the other thread: the below branch adds access token to cache hashes, as well as implementing a 'skip_read_from_cache' argument to skip reading from cache altogether.

https://github.com/codebard/patreon-php/tree/add_access_token_to_cache_hash

Tested, works. Please check it out and let me know if it works with your setup and resolves your issue.

ThibaultVlacich commented 4 years ago

I’m using this lib, and discovering this “feature” after noticing weird stuff happening in my application.

What in the hell did the devs of this lib have in mind when making this? You’re allowing creation of multiple instances of \Patreon\Api with a different auth token (so different users), but then you’re caching results only based on the url of the query, so it returns the same result for every user???

Big security flaw: since it’s not documented, people using this lib without noticing it can end up leaking personal data.

codebard commented 4 years ago

@ThibaultVlacich This shouldn't cause security concerns on a given page load that is exposed to a given user. In a page load all info cached should be related to the given user in any case. However it is indeed true that if you do mass processing of users in the backend it may cause inconsistencies. This will be addressed.

In the meantime, please check this new branch and let me know if it solves your problems:

https://github.com/codebard/patreon-php/tree/add_access_token_to_cache_hash
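Added illustration of the cache-key change discussed in this thread (constructed example, not the patreon-php code or the branch above): a process-wide cache keyed on `md5($url)` alone hands a second instance the first token's result, while hashing the access token into the key keeps entries per user. The `ApiClient` class, the `$fetch` stand-in for the HTTP call and the URL are all made up for the demonstration.

```php
<?php
// Constructed example: simulates the two cache-key schemes from this issue.
final class ApiClient
{
    /** @var array<string,string> Process-wide cache, like the original static $request_cache */
    private static array $cache = [];

    public function __construct(
        private string $accessToken,
        private bool $scopeCacheToToken, // false = URL-only key (original), true = token + URL key (fix)
    ) {}

    private function cacheKey(string $url): string
    {
        // Fix: the token becomes part of the hashed input, so instances holding
        // different tokens can never resolve to the same cache entry.
        return $this->scopeCacheToToken
            ? md5($this->accessToken . '|' . $url)
            : md5($url);
    }

    public function get(string $url, callable $fetch): string
    {
        $key = $this->cacheKey($url);
        if (!array_key_exists($key, self::$cache)) {
            self::$cache[$key] = $fetch($this->accessToken, $url);
        }
        return self::$cache[$key];
    }

    public static function reset(): void
    {
        self::$cache = [];
    }
}

// Stand-in for the HTTP request: the real API returns data tied to the bearer token.
$fetch = fn(string $token, string $url): string => "identity for {$token}";
$url   = 'https://example.invalid/api/identity'; // constructed URL

foreach ([false, true] as $scoped) {
    ApiClient::reset();
    $alice = new ApiClient('token-alice', $scoped);
    $bob   = new ApiClient('token-bob', $scoped);
    $a = $alice->get($url, $fetch);
    $b = $bob->get($url, $fetch); // same URL, different token, same static cache
    printf("%-13s alice=[%s] bob=[%s] -> %s\n",
        $scoped ? 'token-scoped:' : 'url-only:', $a, $b,
        $a === $b ? 'LEAK: bob receives alice\'s cached result' : 'ok: per-user results');
}
```

Running it prints the URL-only case returning Alice's identity to Bob and the token-scoped case returning distinct results, which is the mass-processing inconsistency described above.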

marketergraham commented 4 years ago

Hey, y'all, can you take me off the Patreon Github. I haven't worked at Patreon for 6 years or so.

On Wed, Jul 29, 2020 at 11:13 AM Oz (CodeBard) notifications@github.com wrote:

Closed #71 https://github.com/Patreon/patreon-php/issues/71.
