From c4b7ef9160ff277407baee33b3bd678842631733 Mon Sep 17 00:00:00 2001
From: David Sharnoff <dsharnoff@singlestore.com>
Date: Mon, 3 Oct 2022 22:23:59 -0700
Subject: [PATCH] fix: avoid potential race conditions (#220)

* fix potential race condition during signer update

* avoid potential race conditions with lazy-initializers in OpenIDProvider

* avoid potential race lazy initializers in RelyingParty

* review feedback -- additional potential races

* add pre-calls to NewRelyingPartyOIDC too
---
 pkg/client/rp/relying_party.go | 8 ++++++++
 pkg/op/op.go                   | 6 ++++++
 pkg/op/signer.go               | 6 ++++++
 3 files changed, 20 insertions(+)

diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index af202a3..bf0619a 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -154,6 +154,10 @@ func NewRelyingPartyOAuth(config *oauth2.Config, options ...Option) (RelyingPart
 		}
 	}
 
+	// avoid races by calling these early
+	_ = rp.IDTokenVerifier() // sets idTokenVerifier
+	_ = rp.ErrorHandler()    // sets errorHandler
+
 	return rp, nil
 }
 
@@ -186,6 +190,10 @@ func NewRelyingPartyOIDC(issuer, clientID, clientSecret, redirectURI string, sco
 	rp.oauthConfig.Endpoint = endpoints.Endpoint
 	rp.endpoints = endpoints
 
+	// avoid races by calling these early
+	_ = rp.IDTokenVerifier() // sets idTokenVerifier
+	_ = rp.ErrorHandler()    // sets errorHandler
+
 	return rp, nil
 }
 
diff --git a/pkg/op/op.go b/pkg/op/op.go
index bea8569..659464f 100644
--- a/pkg/op/op.go
+++ b/pkg/op/op.go
@@ -167,6 +167,12 @@ func NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opO
 
 	o.crypto = NewAESCrypto(config.CryptoKey)
 
+	// Avoid potential race conditions by calling these early
+	_ = o.AccessTokenVerifier() // sets accessTokenVerifier
+	_ = o.IDTokenHintVerifier() // sets idTokenHintVerifier
+	_ = o.JWTProfileVerifier()  // sets jwtProfileVerifier
+	_ = o.openIDKeySet()        // sets keySet
+
 	return o, nil
 }
 
diff --git a/pkg/op/signer.go b/pkg/op/signer.go
index d05bbe5..828876e 100644
--- a/pkg/op/signer.go
+++ b/pkg/op/signer.go
@@ -3,6 +3,7 @@ package op
 import (
 	"context"
 	"errors"
+	"sync"
 
 	"github.com/zitadel/logging"
 	"gopkg.in/square/go-jose.v2"
@@ -18,6 +19,7 @@ type tokenSigner struct {
 	signer  jose.Signer
 	storage AuthStorage
 	alg     jose.SignatureAlgorithm
+	lock    sync.RWMutex
 }
 
 func NewSigner(ctx context.Context, storage AuthStorage, keyCh <-chan jose.SigningKey) Signer {
@@ -47,6 +49,8 @@ func (s *tokenSigner) Health(_ context.Context) error {
 }
 
 func (s *tokenSigner) Signer() jose.Signer {
+	s.lock.RLock()
+	defer s.lock.RUnlock()
 	return s.signer
 }
 
@@ -62,6 +66,8 @@ func (s *tokenSigner) refreshSigningKey(ctx context.Context, keyCh <-chan jose.S
 }
 
 func (s *tokenSigner) exchangeSigningKey(key jose.SigningKey) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
 	s.alg = key.Algorithm
 	if key.Algorithm == "" || key.Key == nil {
 		s.signer = nil