ory / fosite

Extensible security first OAuth 2.0 and OpenID Connect SDK for Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=fosite
Apache License 2.0
2.33k stars 367 forks source link

Why does HMACStrategy.Generate uses a lock? #803

Open mitar opened 8 months ago

mitar commented 8 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

While reading the code, I noticed that HMACStrategy.Generate uses a mutex lock, but I do not get why it exists. No code there has any global or local state?

This was introduced in https://github.com/ory/fosite/commit/b4b9be5640c9d814b35f54b2c8621137364209ca, but I also do not get why.

Given that this is used a lot, I think mutex could be removed?

Reproducing the bug

N/A

Relevant log output

No response

Relevant configuration

No response

Version

latest master

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

james-d-elliott commented 8 months ago

I suspect it may have been implemented at a time where there was a lot of information about it being unsafe for concurrent usage, which I believe from memory was false and it was based on a couple articles from prominent bloggers who misinterpreted the issues with math/rand's global Read func instead of crypto/rand's global Reader.

But I can't say for sure.

mitar commented 8 months ago

You mean RandomBytes? But then the lock could be in RandomBytes?

james-d-elliott commented 8 months ago

Yeah I'm not sure, I would have thought so too.. I can't see anything else unless the crypto module being used at the time needed it.