
Access token leakage when reusing the client between users #3043

@legigor

Description

Reusing the github.Client instance between different users' sessions leads to leaking the access_token between sessions.

How to reproduce

This scenario works in a hosted service environment.

  1. Create a global client configured WithEnterpriseURLs
  2. For client requests, create a clone using WithAuthToken(userToken)
  3. All underlying API calls will be performed with the first used access_token, ignoring the other tokens

This test reproduces the issue

package github_test // package name chosen for this snippet; any test package works

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/google/go-github/v57/github"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func Test_github_access_token(t *testing.T) {
	// Fake API server: echoes the Authorization header it received as the user's login,
	// so the response reveals which token each client actually sent.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		accessToken := r.Header.Get("Authorization")
		_, _ = fmt.Fprintf(w, `{"login": "%s"}`, accessToken)
	}))
	defer srv.Close()

	// One shared, pre-configured client, as a hosted service would hold globally.
	clientPreconfiguredWithURLs, err := github.NewClient(nil).WithEnterpriseURLs(srv.URL, srv.URL)
	require.NoError(t, err)

	// Per-user clones that are expected to carry their own token.
	aliseClient := clientPreconfiguredWithURLs.WithAuthToken("alise")
	bobClient := clientPreconfiguredWithURLs.WithAuthToken("bob")

	alise, _, err := aliseClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer alise", alise.GetLogin())

	bob, _, err := bobClient.Users.Get(context.Background(), "")
	require.NoError(t, err)
	assert.Equal(t, "Bearer bob", bob.GetLogin())
}

and the result

Error:      	Not equal: 
            	expected: "Bearer bob"
            	actual  : "Bearer alise"

Used environment

  • go version go1.21.3 darwin/amd64
  • github.com/google/go-github/v57 v57.0.0
  • github.com/google/go-github/v57 v57.0.0 h1:L+Y3UPTY8ALM8x+TV0lg+IEBI+upibemtBD8Q9u7zHs=
  • github.com/google/go-github/v57 v57.0.0/go.mod h1:s0omdnye0hvK/ecLvpsGfJMiRt85PimQh4oygmLIxHw=
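Added example, not code from the issue or from go-github: a standard-library-only model of one mechanism that reproduces exactly the ordering reported above (the first token configured wins for every later clone), beside the isolated variant that keeps tokens per clone. The `client`/`withAuthToken` types and the assumption that the clone shares its parent's `*http.Client` pointer are this example's own; the real library's internals are not shown on this page.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
)

// roundTripperFunc adapts a plain function to http.RoundTripper.
type roundTripperFunc func(*http.Request) (*http.Response, error)
func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }
// client stands in for a library client that holds a pointer to an http.Client (assumed model).
type client struct{ httpClient *http.Client }
// withAuthToken returns a clone whose requests carry "Bearer <token>". isolate=false
// shares the parent's *http.Client (the aliasing assumed here); isolate=true copies it first.
func (c *client) withAuthToken(token string, isolate bool) *client {
	c2 := &client{httpClient: c.httpClient}
	if isolate {
		hc := *c.httpClient // copy the struct, not just the pointer
		c2.httpClient = &hc
	}
	base := c2.httpClient.Transport
	// Without isolation this rewires the shared client, so every later clone wraps the
	// previous wrapper; the innermost wrapper sets the header last, so the first token wins.
	c2.httpClient.Transport = roundTripperFunc(func(r *http.Request) (*http.Response, error) {
		r2 := r.Clone(r.Context()) // a RoundTripper must not modify the caller's request
		r2.Header.Set("Authorization", "Bearer "+token)
		return base.RoundTrip(r2)
	})
	return c2
}

// observedTokens sends one request per user through clones of one shared parent and
// returns the Authorization header the server echoed back, keyed by user.
func observedTokens(isolate bool) map[string]string {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = io.WriteString(w, r.Header.Get("Authorization"))
	}))
	defer srv.Close()
	shared := &client{httpClient: &http.Client{Transport: http.DefaultTransport}}
	seen := map[string]string{}
	for _, user := range []string{"alise", "bob"} {
		resp, err := shared.withAuthToken(user, isolate).httpClient.Get(srv.URL)
		if err != nil { panic(err) }
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		seen[user] = string(body)
	}
	return seen
}
```

`observedTokens(false)` returns "Bearer alise" for both users, matching the failing assertion above, while `observedTokens(true)` returns each user's own token; a regression test in this shape catches the leak before a shared client is deployed.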
