[PR #6866] Add 30s cache to SSO exchange_refresh_token #7492

New Issue

GiteaMirror · 2026-03-07T21:18:26-06:00

GiteaMirror commented

2026-03-07 21:18:26 -06:00

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/6866
Author: @Timshel
Created: 2/23/2026
Status: 🔄 Open

Base: main ← Head: fix/refresh_token

📝 Commits (1)

5b8fbd7 Add 30s cache to SSO exchange_refresh_token

📊 Changes

3 files changed (+37 additions, -138 deletions)

View changed files

📝 Cargo.lock (+6 -119)
📝 Cargo.toml (+1 -1)
📝 src/sso_client.rs (+30 -18)

📄 Description

This add a cache to the refresh_token endpoint to prevent calling a provider twice with the same token (some providers prevent reuse).

I contributed a patch to the clients to prevent the issue https://github.com/bitwarden/clients/pull/10799.
But it appears some users still have issues: Ex: https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3775829084.

Looking at the client code I couldn't identify how to reproduce the issue :(.
But at the same time the fix is relatively trivial, so I believe it's worth to integrate it (Only issue I could see is it'won't work in multinode setup unless some affinity is set at the loadbalancer).

Switched to Moka to be able to use get_with.
Did not change the current CLIENT_CACHE since it's not an issue if two clients are instantiated and ApiResult is not Cloneable so it would be kind of a pain to replace.

The capacity is a bit random just though it was better not to let it unbounded and the 30s should be way enough to handle any concurrent calls without keeping it around too long which would negate the utility of rolling tokens.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/6866 **Author:** [@Timshel](https://github.com/Timshel) **Created:** 2/23/2026 **Status:** 🔄 Open **Base:** `main` ← **Head:** `fix/refresh_token` --- ### 📝 Commits (1) - [`5b8fbd7`](https://github.com/dani-garcia/vaultwarden/commit/5b8fbd730aa61ca65ce02fb43dce8158b62264ee) Add 30s cache to SSO exchange_refresh_token ### 📊 Changes **3 files changed** (+37 additions, -138 deletions) <details> <summary>View changed files</summary> 📝 `Cargo.lock` (+6 -119) 📝 `Cargo.toml` (+1 -1) 📝 `src/sso_client.rs` (+30 -18) </details> ### 📄 Description This add a cache to the `refresh_token` endpoint to prevent calling a provider twice with the same token (some providers prevent reuse). I contributed a patch to the clients to prevent the issue https://github.com/bitwarden/clients/pull/10799. But it appears some users still have issues: Ex: https://github.com/dani-garcia/vaultwarden/issues/6311#issuecomment-3775829084. Looking at the client code I couldn't identify how to reproduce the issue :(. But at the same time the fix is relatively trivial, so I believe it's worth to integrate it (Only issue I could see is it'won't work in multinode setup unless some affinity is set at the loadbalancer). Switched to `Moka` to be able to use `get_with`. Did not change the current `CLIENT_CACHE` since it's not an issue if two clients are instantiated and `ApiResult` is not Cloneable so it would be kind of a pain to replace. The capacity is a bit random just though it was better not to let it unbounded and the 30s should be way enough to handle any concurrent calls without keeping it around too long which would negate the utility of rolling tokens. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-07 21:18:26 -06:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#7492