Fix SEC-08: make system token issuance atomic
- Add IssueSystemToken() method in internal/db/accounts.go that wraps revoke-old, track-new, and upsert-system_tokens in a single SQLite transaction - Update handleTokenIssue in internal/server/server.go to use the new atomic method instead of three separate DB calls - Update IssueServiceToken in internal/grpcserver/tokenservice.go with the same fix - Add TestIssueSystemTokenAtomic test covering first issue and rotation Security: token issuance now uses a single transaction to prevent inconsistent state (e.g., old token revoked but new token not tracked) if a crash occurs between operations. Follows the same pattern as RenewToken which was already correctly transactional. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -445,6 +445,79 @@ func TestSystemTokenRotationRevokesOld(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
// TestIssueSystemTokenAtomic verifies that IssueSystemToken atomically
|
||||
// revokes an old token, tracks the new token, and upserts system_tokens.
|
||||
func TestIssueSystemTokenAtomic(t *testing.T) {
|
||||
db := openTestDB(t)
|
||||
acct, err := db.CreateAccount("svc-atomic", model.AccountTypeSystem, "hash")
|
||||
if err != nil {
|
||||
t.Fatalf("CreateAccount: %v", err)
|
||||
}
|
||||
|
||||
now := time.Now().UTC()
|
||||
exp := now.Add(time.Hour)
|
||||
|
||||
// Issue first system token with no old JTI.
|
||||
jti1 := "atomic-sys-tok-1"
|
||||
if err := db.IssueSystemToken("", jti1, acct.ID, now, exp); err != nil {
|
||||
t.Fatalf("IssueSystemToken first: %v", err)
|
||||
}
|
||||
|
||||
// Verify the first token is tracked and not revoked.
|
||||
rec1, err := db.GetTokenRecord(jti1)
|
||||
if err != nil {
|
||||
t.Fatalf("GetTokenRecord jti1: %v", err)
|
||||
}
|
||||
if rec1.IsRevoked() {
|
||||
t.Error("first token should not be revoked")
|
||||
}
|
||||
|
||||
// Verify system_tokens points to the first token.
|
||||
st1, err := db.GetSystemToken(acct.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("GetSystemToken after first issue: %v", err)
|
||||
}
|
||||
if st1.JTI != jti1 {
|
||||
t.Errorf("system token JTI = %q, want %q", st1.JTI, jti1)
|
||||
}
|
||||
|
||||
// Issue second token, which should atomically revoke the first.
|
||||
jti2 := "atomic-sys-tok-2"
|
||||
if err := db.IssueSystemToken(jti1, jti2, acct.ID, now, exp); err != nil {
|
||||
t.Fatalf("IssueSystemToken second: %v", err)
|
||||
}
|
||||
|
||||
// First token must be revoked.
|
||||
rec1After, err := db.GetTokenRecord(jti1)
|
||||
if err != nil {
|
||||
t.Fatalf("GetTokenRecord jti1 after rotation: %v", err)
|
||||
}
|
||||
if !rec1After.IsRevoked() {
|
||||
t.Error("first token should be revoked after second issue")
|
||||
}
|
||||
if rec1After.RevokeReason != "rotated" {
|
||||
t.Errorf("revoke reason = %q, want %q", rec1After.RevokeReason, "rotated")
|
||||
}
|
||||
|
||||
// Second token must be tracked and not revoked.
|
||||
rec2, err := db.GetTokenRecord(jti2)
|
||||
if err != nil {
|
||||
t.Fatalf("GetTokenRecord jti2: %v", err)
|
||||
}
|
||||
if rec2.IsRevoked() {
|
||||
t.Error("second token should not be revoked")
|
||||
}
|
||||
|
||||
// system_tokens must point to the second token.
|
||||
st2, err := db.GetSystemToken(acct.ID)
|
||||
if err != nil {
|
||||
t.Fatalf("GetSystemToken after second issue: %v", err)
|
||||
}
|
||||
if st2.JTI != jti2 {
|
||||
t.Errorf("system token JTI = %q, want %q", st2.JTI, jti2)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRevokeAllUserTokens(t *testing.T) {
|
||||
db := openTestDB(t)
|
||||
acct, err := db.CreateAccount("ivan", model.AccountTypeHuman, "hash")
|
||||
|
||||
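Review bot: TestIssueSystemTokenAtomic only exercises two successful calls, so it would pass just as well against the previous three-separate-calls code; nothing in it checks the rollback behaviour that SEC-08 is about. After the final `st2.JTI` assertion, add a failure case that makes a later step of IssueSystemToken fail and then asserts the current token is still unrevoked and system_tokens still points to it. The sketch below assumes that tracking an already-used JTI is rejected by the schema, which is not visible on this page; if that does not hold, a different injected failure is needed. The test function lies entirely within this hunk.

```go
	// … unchanged: first issue, rotation and end-state assertions …

	// Rollback case: re-tracking jti1 is expected to fail (assumes JTIs are
	// unique in the schema — confirm), and the failed call must not leave
	// jti2 revoked or system_tokens repointed.
	if err := db.IssueSystemToken(jti2, jti1, acct.ID, now, exp); err == nil {
		t.Fatal("IssueSystemToken with duplicate JTI: want error, got nil")
	}
	rec2After, err := db.GetTokenRecord(jti2)
	if err != nil {
		t.Fatalf("GetTokenRecord jti2 after failed issue: %v", err)
	}
	if rec2After.IsRevoked() {
		t.Error("current token was revoked by a failed issuance")
	}
	st3, err := db.GetSystemToken(acct.ID)
	if err != nil {
		t.Fatalf("GetSystemToken after failed issue: %v", err)
	}
	if st3.JTI != jti2 {
		t.Errorf("system token JTI = %q, want %q", st3.JTI, jti2)
	}
```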