From 35630fbb3e3b58d6e82a23b0237d0cec204f1ccd Mon Sep 17 00:00:00 2001
From: David Sharnoff
Date: Tue, 27 Sep 2022 18:33:16 -0700
Subject: [PATCH] fix potential race condition during signer update

---
 pkg/op/signer.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/op/signer.go b/pkg/op/signer.go
index d05bbe5..828876e 100644
--- a/pkg/op/signer.go
+++ b/pkg/op/signer.go
@@ -3,6 +3,7 @@ package op
 import (
 "context"
 "errors"
+ "sync"

 "github.com/zitadel/logging"
 "gopkg.in/square/go-jose.v2"
@@ -18,6 +19,7 @@ type tokenSigner struct {
 signer jose.Signer
 storage AuthStorage
 alg jose.SignatureAlgorithm
+ lock sync.RWMutex
 }

 func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer {
@@ -47,6 +49,8 @@ func (s *tokenSigner) Health(_ context.Context) error {
 }

 func (s *tokenSigner) Signer() jose.Signer {
+ s.lock.RLock()
+ defer s.lock.RUnlock()
 return s.signer
 }

@@ -62,6 +66,8 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
 }

 func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
+ s.lock.Lock()
+ defer s.lock.Unlock()
 s.alg = key.Algorithm
 if key.Algorithm == "" || key.Key == nil {
 s.signer = nil
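Review bot: The new `lock` field in `tokenSigner` has no comment saying which fields it protects; going by the other hunks it guards `signer` and `alg`. I would state that on the field, for example `lock sync.RWMutex // guards signer and alg; a tokenSigner must not be copied once in use`, and consider placing it directly above the fields it guards. The struct declaration starts outside the hunk, so any fields above `signer` are not visible here.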
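Review bot: `Signer()` is the only reader this patch puts under the read lock, while `exchangeSigningKey` writes both `s.signer` and `s.alg`. `Health`, whose closing brace is the first context line of this hunk, and whatever accessor returns `s.alg` lie outside the diff; if they read those fields directly they still race with a key rotation. Each such reader needs the same two lines, `s.lock.RLock()` and `defer s.lock.RUnlock()`. Running the package tests with `-race` while keys are pushed through `keyCh` would confirm that every reader is covered.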
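Review bot: Holding the write lock across `exchangeSigningKey` makes the `alg`/`signer` update atomic, but callers that fetch the signer and the algorithm through two separate calls can still pair values from different keys when a rotation lands between the calls. If any caller needs both (not visible in this diff), a single method that returns the pair under one `RLock` would close that window. The function body continues past the hunk, so the `defer` also keeps the lock held for whatever signer construction follows; building the new signer first and taking the lock only for the two assignments would keep readers from blocking on it.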