Skip to content

Fix race condition in OAuth2AccessToken.is_valid() causing HTTP 500 #907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DenisKoleda wants to merge 2 commits into
base: devel
Choose a base branch
from
Open

Fix race condition in OAuth2AccessToken.is_valid() causing HTTP 500 #907

DenisKoleda wants to merge 2 commits into from

Conversation

@DenisKoleda
Copy link

@DenisKoleda DenisKoleda commented Dec 16, 2025
edited
Loading

Summary

  • Fix race condition when concurrent requests use the same OAuth2 token
  • Replace save(update_fields=['last_used']) with QuerySet.update() to prevent DatabaseError

Problem

When multiple parallel requests authenticate with the same OAuth2 token, the Gateway crashes with:

django.db.utils.DatabaseError: Save with update_fields did not affect any rows.

Root cause: In is_valid() method, there's a race condition between exists() check and save() call. When concurrent requests try to update last_used timestamp on the same token:

  1. Request A checks exists() → True
  2. Request B checks exists() → True
  3. Request B calls save() → Success, row version changes
  4. Request A calls save()Fails because Django's save(update_fields=...) expects to affect exactly 1 row, but the row was already modified

Solution

Replace:

if OAuth2AccessToken.objects.filter(pk=self.pk).exists():
    self.save(update_fields=['last_used'])

With:

OAuth2AccessToken.objects.filter(pk=self.pk).update(last_used=self.last_used)

QuerySet.update() is atomic and simply returns 0 if no rows match, without raising an exception. This is the expected behavior for updating last_used — if the token was deleted between validation and update, we don't need to error out.

Test plan

  • Verify existing OAuth2 authentication tests pass
  • Manual test with concurrent requests using the same token
  • Confirm no HTTP 500 errors under parallel load

DenisKoleda and others added 2 commits December 16, 2025 22:38
@DenisKoleda
Fix race condition in OAuth2AccessToken.is_valid() causing HTTP 500
ea8f778 
Replace save(update_fields=['last_used']) with QuerySet.update() to avoid
DatabaseError when concurrent requests try to update the same token's
last_used timestamp.

The previous implementation could fail with:
django.db.utils.DatabaseError: Save with update_fields did not affect any rows.

This happened because between exists() check and save() call, another
process could modify the row, causing save() to affect 0 rows and raise
an exception. QuerySet.update() handles this gracefully by simply
returning 0 affected rows without raising an error.
@DenisKoleda
Merge branch 'devel' into fix/oauth2-token-race-condition
dbb4ae0
@github-actions
Copy link

github-actions bot commented Dec 16, 2025

DVCS PR Check Results:

Could not find JIRA key(s) in PR title, branch name, or commit messages

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DenisKoleda