In case a client get request is immediately followed by another client get or subscribe request, while the first request is still collecting resources, the response for the second request may not contain the resources that was included in the response to the first request.
Since any resource sent in a response to a client get request should not be considered subscribed, any successive get or subscribe request should resend those resources if needed.
How to recreate
Assume we have a resource, test.a, which has a resource reference to another resource, test.b.
1) Client sends request: get.test.a
2) Resgate sends NATS request: get.test.a
3) Client sends request: get.test.b
4) Resgate gets result from request 3)
5) Resgate sends NATS request: get.test.b
6) Resgate gets result from request 4)
7) Resgate responds to request 1), including both test.a and test.b
8) Resgate responds to request 3) with no resource data, wrongly assuming client already has test.a
Impact
The bug has no security impact, and low impact on usage as it only affects a get request corner case. In addition, get requests are currently not used by any known client. ResClient only uses subscribe requests to fetch data, and is therefor unaffected.
Issue
In case a client get request is immediately followed by another client get or subscribe request, while the first request is still collecting resources, the response for the second request may not contain the resources that was included in the response to the first request.
Since any resource sent in a response to a client get request should not be considered subscribed, any successive get or subscribe request should resend those resources if needed.
How to recreate
Assume we have a resource,
test.a, which has a resource reference to another resource,test.b.1) Client sends request:
get.test.a2) Resgate sends NATS request:get.test.a3) Client sends request:get.test.b4) Resgate gets result from request 3) 5) Resgate sends NATS request:get.test.b6) Resgate gets result from request 4) 7) Resgate responds to request 1), including bothtest.aandtest.b8) Resgate responds to request 3) with no resource data, wrongly assuming client already hastest.aImpact
The bug has no security impact, and low impact on usage as it only affects a get request corner case. In addition, get requests are currently not used by any known client. ResClient only uses subscribe requests to fetch data, and is therefor unaffected.