fix: GC has no grace period (TOCTOU with dedup uploads) #86

Merged
benvin merged 2 commits from benvin/gc-grace-period into master 2026-07-02 22:43:18 +10:00
Showing only changes of commit bf690dda54 - Show all commits
+8 -1
View File
@@ -2,6 +2,8 @@ package proxy
import (
"context"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
@@ -233,7 +235,7 @@ func (e *Engine) headUpstream(ctx context.Context, remote models.Remote, path st
}
if resp.StatusCode == http.StatusUnauthorized {
resp.Body.Close()
token, terr := fetchBearerToken(ctx, resp.Header.Get("Www-Authenticate"), remote)
token, _, terr := fetchBearerToken(ctx, resp.Header.Get("Www-Authenticate"), remote)
if terr == nil && token != "" {
resp, err = doHead(http.Header{"Authorization": []string{"Bearer " + token}})
if err != nil {
@@ -514,6 +516,11 @@ const (
bearerTokenTTLMargin = 10 * time.Second
)
func sha256Hash(data []byte) string {
h := sha256.Sum256(data)
return hex.EncodeToString(h[:])
}
// cachedBearerToken returns a bearer token for the given challenge, reusing a
// Redis-cached token for the same remote+challenge while it is still valid.
func (e *Engine) cachedBearerToken(ctx context.Context, wwwAuth string, remote models.Remote) (string, error) {