Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make sure we don't return the token of the wrong user #95

Merged
merged 11 commits into from
Sep 14, 2023

Conversation

psrpinto
Copy link
Member

@psrpinto psrpinto commented Sep 14, 2023

This shouldn't be possible, but just in case.

@akirk
Copy link
Member

akirk commented Sep 14, 2023

Could we also get the user_meta for the user and confirm that it exists?

@psrpinto psrpinto force-pushed the check-multiple-users branch from 54d9fb5 to 0a62f5f Compare September 14, 2023 14:52
@psrpinto psrpinto force-pushed the check-multiple-users branch from 0a62f5f to ea29354 Compare September 14, 2023 14:53
@ashfame
Copy link
Member

ashfame commented Sep 14, 2023

We would need a change on L29 as well

@psrpinto
Copy link
Member Author

Could we also get the user_meta for the user and confirm that it exists?

I'm working on this.

@ashfame
Copy link
Member

ashfame commented Sep 14, 2023

Where would we dump this info though?

@psrpinto
Copy link
Member Author

psrpinto commented Sep 14, 2023

Where would we dump this info though?

I think what Alex meant was check double-check that the user has the meta for the token. I did that in 92cc419.

src/Storage/AuthorizationCodeStorage.php Outdated Show resolved Hide resolved
src/Storage/AuthorizationCodeStorage.php Outdated Show resolved Hide resolved
src/Storage/AuthorizationCodeStorage.php Outdated Show resolved Hide resolved
@ashfame ashfame requested a review from akirk September 14, 2023 16:13
akirk
akirk previously approved these changes Sep 14, 2023
Copy link
Member

@akirk akirk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, even if this adds a lot of complexity for now, we can remove it in a follow up if this helps us find the reason.

@psrpinto
Copy link
Member Author

Agree, we should remove/simplify some of this code once we identified the issue.

@psrpinto
Copy link
Member Author

Testing locally.

Didn't change any logic, just so that the "main path" of the code is clearer.
@psrpinto psrpinto merged commit c90d9db into main Sep 14, 2023
1 check passed
@psrpinto psrpinto deleted the check-multiple-users branch September 14, 2023 16:58
@psrpinto psrpinto mentioned this pull request Sep 14, 2023
ashfame added a commit that referenced this pull request Sep 21, 2023
ashfame added a commit that referenced this pull request Sep 21, 2023
Revert "Merge pull request #95 from Automattic/check-multiple-users"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants