
getDestination with `useCache: true` returns valid grant token when it should not


Describe the bug

I'm using getDestination with useCache: true and am able to get a grant token from the cache, even though I have an invalid token for principal propagation.

I believe this is due to the caching being done on the wrong key: https://github.com/SAP/cloud-sdk-js/blob/b31e3e68065049875b44e077fcb5156a10028fa0/packages/connectivity/src/scp-cf/token-accessor.ts#L49

The serviceCredentials.clientid here is static in my case (destination service credentials are statically stored in the VCAP_SERVICES) and thus is the same on each request. For destination access with principal propagation the token.email (or similar) should be considered.

To Reproduce

Steps to reproduce the behavior:

  1. Set up the application with VCAP_SERVICES.destination...credentials set
  2. Get a token not suited for principal propagation (e.g. client credentials instead of authorization code) -> getDestination(..., {useCache: true}) returns 401
  3. Get a valid authorization code token -> getDestination is successful
  4. Repeat step 2

Expected behavior

A 401 is returned again.

Actual behavior

A valid grant token is returned from the cache.

Used Versions:

  • node version: v14.16.1
  • npm version: 6.14.12
  • SAP Cloud SDK version: 1.51.0

Code Examples

    service.destination = await getDestination(service.destinationName, {
      userJwt: getJwt(req),
      useCache: true,
    });

Impact / Priority

High - Unauthorized access might be possible.

Additional context

If necessary I can provide more details and instructions for how to reproduce this behavior.
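As an added illustration of the keying problem the issue describes (example code, not SAP Cloud SDK code): a token cache keyed only on the static service clientid beside one keyed on client id plus the propagated principal, run through reproduction steps 2-4. The destination service is a stub, tokens are modelled as already-decoded JWT claims, and the client id and email are constructed values.

```typescript
// Added illustration of the cache-key problem from the issue; not SAP Cloud SDK code.
// Tokens are modelled as already-decoded JWT claims and the destination service is a
// stub; real code must verify the JWT signature before trusting any claim in it.
export type UserToken = { grant_type: string; email?: string };
// Stand-in for the destination service: principal propagation needs a user token
// (modelled as an authorization-code token carrying an email); anything else is 401.
function fetchGrantToken(user: UserToken): string {
  if (user.grant_type !== "authorization_code" || !user.email) throw new Error("401");
  return `grant-for-${user.email}`;
}
// Static destination-service client id as found in VCAP_SERVICES (constructed value).
const serviceClientId = "sb-destination-service!b123";
function cached(store: Map<string, string>, key: string, load: () => string): string {
  const hit = store.get(key);
  if (hit !== undefined) return hit;
  const value = load(); // throws on 401, so a rejected token never populates the cache
  store.set(key, value);
  return value;
}
export type TokenCache = { getToken(user: UserToken): string };

// Keyed only by the static client id: all callers share one entry, so a grant obtained
// for a valid user token is later handed to a caller whose own token would be rejected.
export class ClientIdKeyedCache implements TokenCache {
  private store = new Map<string, string>();
  getToken(user: UserToken): string {
    return cached(this.store, serviceClientId, () => fetchGrantToken(user));
  }
}

// Keyed by client id plus the propagated principal (the email claim of the user token).
export class PrincipalKeyedCache implements TokenCache {
  private store = new Map<string, string>();
  getToken(user: UserToken): string {
    const key = `${serviceClientId}|${user.email ?? "no-user"}`;
    return cached(this.store, key, () => fetchGrantToken(user));
  }
}

// Steps 2-4 of the issue's reproduction; returns what the repeated step 2 yields.
export function reproduce(cache: TokenCache): string {
  const clientCreds: UserToken = { grant_type: "client_credentials" };
  const authCode: UserToken = { grant_type: "authorization_code", email: "alice@example.com" };
  const call = (t: UserToken) => { try { return cache.getToken(t); } catch (e) { return (e as Error).message; } };
  call(clientCreds); // step 2: 401, nothing cached
  call(authCode);    // step 3: grant issued and cached
  return call(clientCreds); // step 4: expected 401 again
}
```

With the client-id-only cache the last call returns the cached grant for alice; with the principal-keyed cache it is rejected again, which is the expected behavior.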

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 11 (9 by maintainers)

Top GitHub Comments

FrankEssenberger commented, Nov 5, 2021

We were able to find the cause in the call: the wrong token is passed to the cache. I also understood why the alwaysSubscriber led to an error. These two PRs should fix it:

@johenning thanks once more for bringing this up. I hope we do not have things like this so often, but the next time feel free to contact us via an internal channel, then we would do the whole fix and discussion on a private issue and release it once the fix is available.

FrankEssenberger commented, Nov 5, 2021

Version 1.52.0 is released and already available on npm. Please migrate to this version to fix the issue.
