singleflight incoming idp token session creation (#5491)

2025-04-30 02:46:30 +02:00 · 2025-02-24 08:24:57 -07:00 · 2025-02-24 08:24:57 -07:00 · f15400493d
commit f15400493d
parent 4b95eda51e
1 changed files with 75 additions and 61 deletions
--- a/config/session.go
+++ b/config/session.go
@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/google/uuid"
+	"golang.org/x/sync/singleflight"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/pomerium/pomerium/internal/encoding"
@ -138,6 +139,7 @@ type incomingIDPTokenSessionCreator struct {
 	timeNow      func() time.Time
 	getRecord    func(ctx context.Context, recordType, recordID string) (*databroker.Record, error)
 	putRecords   func(ctx context.Context, records []*databroker.Record) error
+	singleflight singleflight.Group
 }

 func NewIncomingIDPTokenSessionCreator(
@ -179,6 +181,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
 	}

 	sessionID := getAccessTokenSessionID(idp, rawAccessToken)
+	res, err, _ := c.singleflight.Do(sessionID, func() (any, error) {
 		s, err := c.getSession(ctx, sessionID)
 		if err == nil {
 			return s, nil
@ -214,6 +217,11 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
 		}

 		return s, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return res.(*session.Session), nil
 }

 func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
@ -228,6 +236,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
 	}

 	sessionID := getIdentityTokenSessionID(idp, rawIdentityToken)
+	res, err, _ := c.singleflight.Do(sessionID, func() (any, error) {
 		s, err := c.getSession(ctx, sessionID)
 		if err == nil {
 			return s, nil
@ -259,6 +268,11 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
 		}

 		return s, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return res.(*session.Session), nil
 }

 func (c *incomingIDPTokenSessionCreator) newSessionFromIDPClaims(