fix: Caching wrong auth token when fetching destination from provider account#6007
Draft
ZhongpinWang wants to merge 10 commits intomainfrom
Draft
fix: Caching wrong auth token when fetching destination from provider account#6007ZhongpinWang wants to merge 10 commits intomainfrom
ZhongpinWang wants to merge 10 commits intomainfrom
Conversation
marikaner
requested changes
Mar 18, 2026
Contributor
marikaner
left a comment
marikaner
left a comment
There was a problem hiding this comment.
I don't fully understand the comments, maybe let's talk about them.
packages/connectivity/src/scp-cf/destination/forward-auth-token.ts
Outdated
Show resolved
Hide resolved
packages/connectivity/src/scp-cf/destination/destination-from-env.ts
Outdated
Show resolved
Hide resolved
packages/connectivity/src/scp-cf/destination/destination-from-service.ts
Outdated
Show resolved
Hide resolved
packages/connectivity/src/scp-cf/destination/destination-from-service.ts
Outdated
Show resolved
Hide resolved
| // -> Auth token can be cached in destination cache as subscriber is not used. | ||
| // If origin is subscriber, subscriber jwt + refresh token is used. | ||
| // -> Auth token can be cached in destination cache as destination is tenant-isolated. | ||
| destination = await this.fetchDestinationWithRefreshTokenFlow( |
Contributor
There was a problem hiding this comment.
Suggested change
| destination = await this.fetchDestinationWithRefreshTokenFlow( | |
| return this.fetchDestinationWithRefreshTokenFlow( |
| !this.usesSystemUser(destination)) | ||
| ) { | ||
| // VERY BAD... | ||
| // If origin is provider, next time subscriber jwt might change. |
Contributor
There was a problem hiding this comment.
[q] I don't understand this sentence.
Contributor
Author
There was a problem hiding this comment.
I think I meant
If destination is fetched from the provider subaccount (origin = 'provider'), then we use provider tenant id to build the cache key.
But these auth flows need specific user jwt, which comes from certain subscriber tenant, and the auth token will be cached together with the destination using provider tenant id + user id only (no subscriber tenant id). This is a problem for multi-tenant app as next get destination may be for a user from a different subscriber.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes SAP/cloud-sdk-backlog#1278.