{
  "id": "security/race-condition-in-token-revocation",
  "signature": "Race condition in token revocation allows stale token reuse",
  "signature_zh": "令牌撤销中的竞态条件允许重复使用过期令牌",
  "regex": "token reuse detected after revocation|revoked token used|token already revoked",
  "domain": "security",
  "category": "runtime_error",
  "subcategory": null,
  "root_cause": "A race condition occurs when a token is revoked but a concurrent request validates it before the revocation is fully committed to the database, allowing stale token reuse.",
  "root_cause_type": "generic",
  "root_cause_zh": "当令牌被撤销但并发请求在撤销完全提交到数据库之前验证它时，会发生竞态条件，允许重复使用过期令牌。",
  "versions": [
    {
      "version": "JWT 0.12.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OAuth2 2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Redis 7.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Use a simple cache like Memcached with a short TTL to store revoked tokens",
      "why_fails": "A TTL-based cache entry can expire before the revocation is fully committed, so the token can still be reused; cache inconsistency across nodes also widens the race window.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "Add a small sleep() before validation after revocation",
      "why_fails": "A fixed sleep does not make revocation and validation atomic; the timing is non-deterministic, and the added delay degrades performance.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Use a distributed lock (e.g., Redis Redlock) around both the revocation and the validation operations so they are serialized; locking only the revocation side does not close the race. Example in Node.js (revocation side):\nconst lock = await redisClient.acquireLock('token_revoke_lock', 5000);\ntry {\n    await revokeTokenInDB(tokenId);\n    // Validation that takes the same lock will now see the revoked state\n} finally {\n    await lock.release();\n}",
      "success_rate": 0.85,
      "how": "Use a distributed lock (e.g., Redis Redlock) around both the revocation and the validation operations so they are serialized; locking only the revocation side does not close the race. Example in Node.js (revocation side):\nconst lock = await redisClient.acquireLock('token_revoke_lock', 5000);\ntry {\n    await revokeTokenInDB(tokenId);\n    // Validation that takes the same lock will now see the revoked state\n} finally {\n    await lock.release();\n}",
      "condition": "",
      "sources": []
    },
    {
      "action": "Implement a short blacklist (5-10 seconds) in memory (e.g., Guava Cache) for recently revoked tokens, checked before the database; this narrows the race window, but only on the node that holds the cache.",
      "success_rate": 0.8,
      "how": "Implement a short blacklist (5-10 seconds) in memory (e.g., Guava Cache) for recently revoked tokens, checked before the database; this narrows the race window, but only on the node that holds the cache.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Use a distributed lock (e.g., Redis Redlock) around both the revocation and the validation operations so they are serialized; locking only the revocation side does not close the race. Example in Node.js (revocation side):\nconst lock = await redisClient.acquireLock('token_revoke_lock', 5000);\ntry {\n    await revokeTokenInDB(tokenId);\n    // Validation that takes the same lock will now see the revoked state\n} finally {\n    await lock.release();\n}",
    "Implement a short blacklist (5-10 seconds) in memory (e.g., Guava Cache) for recently revoked tokens, checked before the database; this narrows the race window, but only on the node that holds the cache."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://oauth.net/2/token-revocation/",
  "official_doc_section": null,
  "error_code": "AUTH_RACE_002",
  "verification_tier": "ai_generated",
  "confidence": 0.82,
  "fix_success_rate": 0.78,
  "resolvable": "partial",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}