knocklabs / one_and_done Goto Github PK

Hey, y'all,

I saw the announcement about this library and decided to look at the internals. Unfortunately, you have a subtle bug that allows a user to violate idempotent guarantees.

The current order of operations is to check the cache, and if there is no key, allow a request to continue. Once the request is handled, it caches the response and returns it to the user. But, because the caching is done after the request has been completed, there is a possibility that the caller initiates two requests with the same key, and both are allowed to process.

A quick example would be if the caller adds a 500ms timeout and retries if the timeout is violated. This sort of thing is very typical with idempotent APIs. If the request takes longer than 500ms to complete, the caller will retry, and at that point, both requests will process, and your guarantees will be violated. The solution here would be to either lock that key, serialize access to it, cache the key before the request has started processing, etc. I leave it to you to decide how best to handle this.

You also have a minor second issue: if your request handler process throws or raises, register_before_send will not fire, and your response will not be recorded. I don't know if you want to handle that directly.