logto-io / js

🤓 Logto JS SDKs.
https://docs.logto.io/quick-starts/
MIT License

bug: organization token is the same between orgs #711

Closed alfonsograziano closed 4 months ago

alfonsograziano commented 5 months ago

Describe the bug

Scenario: a user has two linked organizations and requests organization tokens using the SDKs.
Problem: the token returned for the two organizations is the same. When decrypted, the value in aud, which ends with the organization id, is the same.

Expected behavior

In the organization tokens array we get different tokens for different organizations.

How to reproduce?

Logto Config

// Imports added for completeness (not in the original report)
import { UserScope } from "@logto/next";
import { getLogtoContext } from "@logto/next/server-actions";
import { redirect } from "next/navigation";

export const logtoConfig = {
  appId: process.env.LOGTO_APP_ID as string,
  cookieSecure: process.env.NODE_ENV === "production",
  baseUrl: process.env.LOGTO_BASE_URL as string,
  endpoint: process.env.LOGTO_ENDPOINT as string,
  appSecret: process.env.LOGTO_APP_SECRET as string,
  cookieSecret: process.env.LOGTO_COOKIE_SECRET as string,
  resources: ["http://localhost:8001/"],
  scopes: [
    UserScope.Email,
    UserScope.Phone,
    UserScope.CustomData,
    UserScope.Identities,
    UserScope.Organizations,
  ],
};

// Fetch the session context, including an access token for the API resource
// and one organization token per organization the user belongs to.
export const getUser = async () => {
  const context = await getLogtoContext(logtoConfig, {
    fetchUserInfo: true,
    getAccessToken: true,
    resource: "http://localhost:8001/",
    getOrganizationToken: true,
  });
  if (!context.isAuthenticated || !context.accessToken) {
    return redirect("/login");
  }

  return {
    accessToken: context.accessToken,
    ...context,
  };
};

// Login route (separate route file)
import { signIn } from "@logto/next/server-actions";
import { logtoConfig } from "../../../../libraries/logtoConfig";

export async function GET(request: Request) {
  await signIn(logtoConfig);
}

// Callback route (separate route file)
import { NextRequest } from "next/server";
import { redirect } from "next/navigation";
import { handleSignIn } from "@logto/next/server-actions";
import { logtoConfig } from "../../../../libraries/logtoConfig";

export async function GET(request: NextRequest) {
  const searchParams = request.nextUrl.searchParams;
  // Exchange the authorization code and store the session
  await handleSignIn(logtoConfig, searchParams);

  redirect("/");
}

When the user is logged in we print it. The output value is:

{
 ...,
  "organizationTokens": {
    "qyallvg2duq4": "eyJhbGciOiJFUzM4NCIsInR5cCI6ImF0K2p3dCIsImtpZCI6InVSQVhTS0hfaVNiWU1ncHRTbGFqMnozeWZxYWphcDJjbUNVMzVPRFluaHMifQ.eyJqdGkiOiJERFFNVTJNcGJIcTQ0dkU4aExLZHkiLCJzdWIiOiJrenkweG43c2Q0OGoiLCJpYXQiOjE3MTM3NzU4NjEsImV4cCI6MTcxMzc3OTQ2MSwic2NvcGUiOiJwYXltZW50czpyZWFkIiwiY2xpZW50X2lkIjoicndmcWt2NWNveDFrN25xcHFrZWdjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMzAxL29pZGMiLCJhdWQiOiJ1cm46bG9ndG86b3JnYW5pemF0aW9uOnF5YWxsdmcyZHVxNCJ9.MiIYdVsXSkyuqeH_bG1sW8P1g3V5VLeNU5BIKUWj3CnFErpKqvgQ_PwTTM2ql7JjqnmVKOAKxecTjCPFco4F0Mj_sGCIw4YXaTMvT_kah_xjt5WgYhZRUwq2kB-ARZf5",
    "wg87wjmt9v1z": "eyJhbGciOiJFUzM4NCIsInR5cCI6ImF0K2p3dCIsImtpZCI6InVSQVhTS0hfaVNiWU1ncHRTbGFqMnozeWZxYWphcDJjbUNVMzVPRFluaHMifQ.eyJqdGkiOiJERFFNVTJNcGJIcTQ0dkU4aExLZHkiLCJzdWIiOiJrenkweG43c2Q0OGoiLCJpYXQiOjE3MTM3NzU4NjEsImV4cCI6MTcxMzc3OTQ2MSwic2NvcGUiOiJwYXltZW50czpyZWFkIiwiY2xpZW50X2lkIjoicndmcWt2NWNveDFrN25xcHFrZWdjIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMzAxL29pZGMiLCJhdWQiOiJ1cm46bG9ndG86b3JnYW5pemF0aW9uOnF5YWxsdmcyZHVxNCJ9.MiIYdVsXSkyuqeH_bG1sW8P1g3V5VLeNU5BIKUWj3CnFErpKqvgQ_PwTTM2ql7JjqnmVKOAKxecTjCPFco4F0Mj_sGCIw4YXaTMvT_kah_xjt5WgYhZRUwq2kB-ARZf5"
  }
}

Context

"@logto/next": "^3.2.1"
Application: Next.js with server actions
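A consistency check for the `organizationTokens` map described above, as an added example that is not part of the Logto SDK or the report: each token's `aud` claim must end with the organization id it is stored under, which is exactly what the duplicated tokens in this issue violate. The organization ids and tokens below are constructed (the tokens carry a placeholder signature), and the check only decodes the payload; signature, issuer and expiry must still be verified against the Logto JWKS by the resource server.

```javascript
// Added example: sanity-check the organizationTokens map returned by
// getLogtoContext(). Not the SDK's own code; ids and tokens are constructed.
const ORG_AUD_PREFIX = "urn:logto:organization:";

// Decode the JWT payload (second segment) WITHOUT verifying the signature.
// This is a local consistency check, not token validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWT");
  }
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// For every orgId -> token entry, report whether the token's aud matches
// the organization it was requested for. A mismatch means the token would
// be rejected (or, worse, accepted) by the wrong organization's API.
function checkOrganizationTokens(organizationTokens) {
  return Object.entries(organizationTokens).map(([orgId, token]) => {
    let aud;
    try {
      const payload = decodeJwtPayload(token);
      aud = typeof payload.aud === "string" ? payload.aud : undefined;
    } catch {
      aud = undefined; // malformed token: treated as a mismatch
    }
    return { orgId, aud, ok: aud === `${ORG_AUD_PREFIX}${orgId}` };
  });
}

// Constructed sample token: JWT-shaped string with a placeholder signature.
function fakeToken(payload) {
  const b64 = (s) => Buffer.from(s).toString("base64url");
  return `${b64('{"alg":"none"}')}.${b64(JSON.stringify(payload))}.sig`;
}

// Reproduces the shape reported in the issue: both entries carry the aud
// of organization "org-a" (constructed ids, not the ones in the report).
const buggyTokens = {
  "org-a": fakeToken({ sub: "user-1", aud: `${ORG_AUD_PREFIX}org-a` }),
  "org-b": fakeToken({ sub: "user-1", aud: `${ORG_AUD_PREFIX}org-a` }),
};

const report = checkOrganizationTokens(buggyTokens);
console.log(report); // org-a ok: true, org-b ok: false
```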

charIeszhao commented 5 months ago

I can reproduce the same with the next server actions sample project. Please take a look when you have time @wangsijie

wangsijie commented 5 months ago

There is a bug when we make concurrent requests for granting organization tokens.

wangsijie commented 5 months ago

https://github.com/logto-io/js/pull/712