Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

idtoken caching does not handle missing age in http response header #1711

Closed
eytankidron opened this issue Oct 14, 2022 · 1 comment
Closed

idtoken caching does not handle missing age in http response header #1711

eytankidron opened this issue Oct 14, 2022 · 1 comment
Assignees
@codyoss
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@eytankidron
Copy link
Contributor

In function calculateExpireTime (see

google-api-go-client/idtoken/cache.go

Lines 98 to 119 in 977e871

func (c *cachingClient) calculateExpireTime(headers http.Header) time.Time {
var maxAge int
cc := strings.Split(headers.Get("cache-control"), ",")
for _, v := range cc {
if strings.Contains(v, "max-age") {
ss := strings.Split(v, "=")
if len(ss) < 2 {
return c.now()
}
ma, err := strconv.Atoi(ss[1])
if err != nil {
return c.now()
}
maxAge = ma
}
}
age, err := strconv.Atoi(headers.Get("age"))
if err != nil {
return c.now()
}
return c.now().Add(time.Duration(maxAge-age) * time.Second)
}
) the code expects the "age" field to be present, otherwise the caching expiration is set to "now", which effectively means that the response is not cached.

According to https://httpwg.org/specs/rfc9111.html#age.calculations, a missing "age" field in the response header should be allowed and treated as if it was 0. So I think we should allow it to be missing.
@eytankidron eytankidron added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Oct 14, 2022
eytankidron added a commit to eytankidron/google-api-go-client that referenced this issue Oct 17, 2022
@eytankidron
Per googleapis#1711 allow
bf9340b 
the "age" field to be missing from the http response header file and
treat it as a zero if it is missing.
@eytankidron eytankidron mentioned this issue Oct 17, 2022
Merged
@codyoss
Copy link
Member

codyoss commented Oct 25, 2022

This issue has been addressed and released.

@codyoss codyoss closed this as completed Oct 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codyoss codyoss

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@codyoss @eytankidron