The Wayback Machine - https://web.archive.org/web/20210101092128/https://github.com/amark/gun/issues/725
Skip to content

/ gun

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Race condition - on user.leave if authenticated with pair #725

Open
mitra42 opened this issue Mar 15, 2019 · 4 comments
Open

Race condition - on user.leave if authenticated with pair #725

mitra42 opened this issue Mar 15, 2019 · 4 comments

Comments

@mitra42
Copy link

@mitra42 mitra42 commented Mar 15, 2019

There appears to be a race condition....

If you are trying to do a: user.auth(pair) then user.get.put; user.leave

Then it works if, and only if, you wait for the ack on the put,
If you don't wait for the ack, then you get a "No! Unverified Data" message, probably because with Gun's state its no longer logged in.

Personally ... I think its a bug/design flaw that Gun uses state in the global user to represent logged in, rather than state which is determined at the time the put is invoked, but if that is intended behavior, then this is probably just. documentation bug.

Note .... for some weird reason, this ONLY happens if you user.auth(pair) and not if you user.auth(alias, password).

Also ... same problem if you do a authenticate as a different user without waiting for the Ack (which was actually the problem I was hitting), but I think the 2nd authentication probably does an implicit leave.
@amark
Copy link
Owner

@amark amark commented Mar 15, 2019

Yes, this is a bug, I agree this is a poor design.

Any good ideas on how I could improve/change this without dropping support for a secure enclave?

If a user logs out of the browser / hardware wallet / extension / enclave, then the put would still fail, because the keys shouldn't be exposed in-memory in the web app if possible.

But if a put is able to "keep" a user logged in on the browser/wallet/extension/enclave, couldn't that be used as a security exploit/vulnerability?

If you think if something, please let me know. It is causing some other race conditions I'd like to address too.
@mitra42
Copy link
Author

@mitra42 mitra42 commented Mar 15, 2019

I think the issue is that we have seperate user.auth and user.get steps, i.e. the state is carried a global variable. My preference would be that
user.auth(pair) returns (via callback) the user context, and that this user context is used on get and put operations rather than a global context which implicitly assumes a certain model - that there is a single logged in user, rather than operation happen within the context of a pair that can be used to sign things ....

If its too late for that change, then I guess heavy documentation would be useful, but since basic documentation is missing, Im not sure that is possible :-(

As a race of course, this makes for horendous debugging if you don't realize what is happening.
@mitra42
Copy link
Author

@mitra42 mitra42 commented Mar 15, 2019

Note - I've worked around this bug ... so its not a requirement for me, but couple odd behavior and poor documentation and you've got a high likelyhood of other people going down the rathole of trying to debug.
@mitra42
Copy link
Author

@mitra42 mitra42 commented Mar 15, 2019

It would also be superhelpful if putJS existed - like put but with Javascript callback semantics so that it could be put into a waterfall or each. I've monkeypatched Gun to add Javascript semantics to some functions, but can't figure out how to do it on put because I can't figure out the class of the context returned by the "get" .
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@amark @mitra42
You can’t perform that action at this time.