mikedeboer / jsDAV

jsDAV allows you to easily add WebDAV support to a NodeJS application. jsDAV is meant to cover the entire standard, and attempts to allow integration using an easy to understand API.
http://www.mikedeboer.nl
MIT License

Single instance of handler and authentication class mixes users #132

Open austein opened 9 years ago

austein commented 9 years ago

Both jsDAV_Auth_Backend_AbstractBasic and Digest classes use a currentUser to store the current successfully-authenticated user. If two users make concurrent requests, the latter's authentication is stored and used for the first user's request. DAVACL will check for permissions and reject the first request once currentUser is set to the second user.

Tested using Mac OS X Yosemite's Contacts with two accounts set up pointing at localhost. Restarting Contacts will cause one or both to fail depending on how the race condition plays out.

mikedeboer commented 9 years ago

Very true! Pull Request super welcome!
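
The race reported in this issue, reduced to a self-contained model. This is an added example, not jsDAV code and not part of the thread: the class and function names are hypothetical, and a manual callback queue stands in for the async I/O that runs between authentication and the ACL check.

```javascript
// Constructed model of the bug; names are hypothetical, not jsDAV's API.

// One instance serves every request and keeps the authenticated user on itself,
// like the currentUser property described in the issue.
class SharedBackend {
  constructor() { this.currentUser = null; }
  authenticate(req, next) { this.currentUser = req.user; next(); }
  getCurrentUser() { return this.currentUser; }
}

// Same interface, but the authenticated identity travels with the request.
class PerRequestBackend {
  authenticate(req, next) { req.authenticatedUser = req.user; next(); }
  getCurrentUser(req) { return req.authenticatedUser; }
}

// Two requests authenticate back to back, then each waits on "I/O" before its
// ACL check. The pending array plays the role of the event loop's queue, so the
// interleaving is deterministic.
function simulate(backend) {
  const pending = [];
  const outcome = {};
  const requests = [
    { user: "alice", resourceOwner: "alice" }, // constructed sample requests
    { user: "bob", resourceOwner: "bob" },
  ];
  for (const req of requests) {
    backend.authenticate(req, () => {
      pending.push(() => {
        const who = backend.getCurrentUser(req);
        outcome[req.user] = who === req.resourceOwner ? "allowed" : "denied as " + who;
      });
    });
  }
  pending.forEach((check) => check());
  return outcome;
}

console.log("shared instance:", simulate(new SharedBackend()));
console.log("per-request state:", simulate(new PerRequestBackend()));
```

With the shared instance, the first request's permission check runs as the second user and is rejected; with per-request state, both requests are evaluated under their own identity.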