fix race condition on code exchange for token

juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.

http://django-oidc-provider.readthedocs.org

MIT License

425 stars 239 forks source link

fix race condition on code exchange for token #411

Closed jpaniagualaconich closed 1 year ago

jpaniagualaconich commented 1 year ago

During token exchange where an authorization code is exchanged for an access token and a refresh token, the same code can be used more than once. This happens if more requests are issued in parallel.

This PR adds a .select_for_update so only the first attempt goes through.

Fixes #410.

jpaniagualaconich commented 1 year ago

@juanifioren thank you!