Updated by Pavel Balashou over 1 year ago
### Steps to reproduce
Hard to reproduce. It happens on the community instance.
### What is the buggy behavior?
* Some users lose connection to Nextcloud, because OAuth tokens are removed suddenly.
### What is the expected behavior?
1. Nextcloud OAuth tokens live longer.
2. And users do not need to complete the OAuth grant flow too often.
### Environment information
**OpenProject installation type**
* [x] Hosted cloud edition
### Diagram showing concurrent request issue.
It shows that optimistic locking is not enough. <img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/198142/content">
Mermaid diagram source code.
```mermaid
sequenceDiagram
participant OP1 as OpenProject Process 1
participant OP2 as OpenProject Process 2
participant OPDB as OpenProject DB
participant NC as Nextcloud
OP1->>OPDB: Get Token
OPDB->>OP1: Return Token!
OP2->>OPDB: Get Token
OPDB->>OP2: Return Token!
OP1->>NC: FileInfo Req
# Note over NC,OP1: A typical interaction
NC->>OP1: FileInfo Resp Auth Failed
OP1->>NC: RefreshToken Req
NC->>OP1: RefreshToken Resp Success
OP1->>NC: FileInfo Req
# Note over OP1,NC: Success because token is new.
NC->>OP1: FileInfo Resp Auth Success
OP2->>NC: FileInfo Req
NC->>OP2: FileInfo Resp Auth Failed
OP2->>NC: RefreshToken Req
NC->>OP2: RefreshToken Resp Failed
OP2->>OPDB: Destroy Token
OPDB->>OP2: Destroy Token Success
Note over OP2,OPDB: Success due to nothing to prevent that. <br>Optimistic lock does not help.
OP1->>OPDB: Update Token
OPDB->>OP1: Update Token Failure
Note over OP1,OPDB: Failure because token has been destroyed. <br> ActiveRecord::StaleObject if optimistic locking is on.
OP2->>OP2: Return unauthorized response
OP1->>OP1: Return 409 Conflict response
```
### AppSignal logs links
[https://appsignal.com/openproject-gmbh/sites/66b224a4d30d867bed8a1772/logs?sourceIds=66b224a5d30d867bed8a1777&query=OAuthClientToken&timeframe=R7D&from=2024-09-10T09%3A53%3A00.000Z&to=2024-09-10T11%3A53%3A00.000Z](https://appsignal.com/openproject-gmbh/sites/66b224a4d30d867bed8a1772/logs?sourceIds=66b224a5d30d867bed8a1777&query=OAuthClientToken&timeframe=R7D&from=2024-09-10T09%3A53%3A00.000Z&to=2024-09-10T11%3A53%3A00.000Z)
https://appsignal.com/openproject-gmbh/sites/66b224a4d30d867bed8a1772/logs?sourceIds=66b224a5d30d867bed8a1777&query=Error%20while%20refreshing%20OAuth%20token.&timeframe=R7D&from=2024-09-10T09%3A53%3A00.000Z&to=2024-09-10T11%3A53%3A00.000Z
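
The interleaving from the diagram, replayed sequentially so the outcome is deterministic. This is an added Ruby example, not OpenProject's code or its fix: `Provider`, `Store` and all method names are hypothetical, and serializing the refresh behind a lock with a re-read of the row is one assumed mitigation.

```ruby
# Constructed model of the diagram; every name here is hypothetical.
class Provider # Nextcloud side: refresh tokens are single-use (rotated)
  def initialize; @gen = 0; end
  def refresh(refresh_token) # nil when the refresh token was already spent
    return nil unless refresh_token == "r#{@gen}"
    @gen += 1
    { access: "a#{@gen}", refresh: "r#{@gen}" }
  end
end

class Store # stand-in for the token row in the OpenProject DB
  attr_reader :row
  def initialize
    @row = { access: "a0", refresh: "r0" }
    @lock = Mutex.new # plays the role of a row lock (SELECT ... FOR UPDATE)
  end
  def read; @row&.dup; end
  def destroy; @row = nil; end
  def with_lock(&block); @lock.synchronize(&block); end
  def update(token) # false when the other process destroyed the row
    @row.nil? ? false : (@row = token; true)
  end
end

def unserialized(provider, store) # interleaving from the diagram
  t1, t2 = store.read, store.read        # both processes hold a0/r0
  new1 = provider.refresh(t1[:refresh])  # OP1: success, r0 is now spent
  new2 = provider.refresh(t2[:refresh])  # OP2: failure, r0 was rotated
  store.destroy if new2.nil?             # OP2 destroys the row
  op1 = store.update(new1) ? :ok : :conflict
  { op1: op1, op2: new2 ? :ok : :unauthorized, row: store.row }
end

def refresh_locked(provider, store, stale) # re-read under the lock first
  store.with_lock do
    current = store.read
    # Row gone, or another process already refreshed it: reuse what is stored.
    return current if current.nil? || current[:access] != stale[:access]
    fresh = provider.refresh(current[:refresh])
    fresh ? store.update(fresh) : store.destroy
    fresh
  end
end

def serialized(provider, store)
  t1, t2 = store.read, store.read
  results = [t1, t2].map { |t| refresh_locked(provider, store, t) ? :ok : :unauthorized }
  { op1: results[0], op2: results[1], row: store.row }
end
```

In the unserialized replay the row ends up destroyed even though Nextcloud issued a valid new token pair; in the serialized replay the second process finds the refreshed token after acquiring the lock and never presents the spent refresh token.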