fix: clean up expired OAuth codes to prevent memory leak #43
@nanookclaw is attempting to deploy a commit to the freedisch's projects Team on Vercel. A member of the Team first needs to authorize it.
Freedisch
left a comment
Thanks for your contribution. The leaks are the major changes; when it's done, feel free to ask for review again.
| return &OAuthHandler{baseURL: baseURL, userRepo: userRepo} | ||
| h := &OAuthHandler{baseURL: baseURL, userRepo: userRepo} | ||
| go func() { | ||
| for range time.Tick(5 * time.Minute) { |
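Review bot: the loop over time.Tick(5 * time.Minute) on the last line of this hunk can never end, because time.Tick returns only the channel and leaves no ticker handle to stop. Use time.NewTicker with a deferred Stop, and select on a done signal alongside the tick channel so the sweeper can be shut down.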
We should ensure that time.Tick is closed because it cannot be recovered by the garbage collector and will lead to more memory leaks.
| func NewOAuthHandler(baseURL string, userRepo *user.Repository) *OAuthHandler { | ||
| return &OAuthHandler{baseURL: baseURL, userRepo: userRepo} | ||
| h := &OAuthHandler{baseURL: baseURL, userRepo: userRepo} | ||
| go func() { |
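Review bot: NewOAuthHandler launches the goroutine at go func() but takes only baseURL and userRepo and returns only the handler, so the caller has nothing to cancel and each call to the constructor starts another sweeper. Take a context.Context parameter, or give OAuthHandler a Close method, and have the goroutine return when that signal fires.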
This goroutine lacks an exit. In its current state there will be an accumulation of goroutines if we have multiple users logging in.
| h := &OAuthHandler{baseURL: baseURL, userRepo: userRepo} | ||
| go func() { | ||
| for range time.Tick(5 * time.Minute) { | ||
| h.codes.Range(func(k, v any) bool { |
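Review bot: h.codes.Range inside the 5-minute tick walks every stored entry, so the cost of each sweep and the memory held between sweeps both scale with how many codes were issued in that window, and nothing in these lines limits that number. Pair the sweep with a cap on outstanding codes or rate limiting on issuance, since the sweep bounds how long an entry lives and not how many exist.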
Regarding that, I feel like if we have the DoS attack vector, that can lead to a huge CPU spike; not sure if my current VPC could handle that 😅
We can keep that for now.
Ran the local Go test suite from the module root: cd havril && go test ./...
Result: all packages pass; the repo currently has no Go test files, so this verifies compile/package integrity. The leak fix is limited to Requesting review again since the branch is ready from my side.
Please check the changes mentioned up there about the memory/goroutines leak
Looks solid, but the background loop will leak a goroutine every time
Signed-off-by: Nanook <nanookclaw@users.noreply.github.com>
Updated the cleanup worker so it no longer uses Changes in
Verification rerun: cd havril && go test ./...
git diff --check
Both pass locally.
The leak feedback on this PR is addressed in
Local verification from the branch still stands:
Closes #30
Problem
Auth codes in the codes sync.Map are only removed when redeemed via POST /oauth/token. Codes that expire without being redeemed accumulate indefinitely, causing unbounded memory growth. This is both a slow leak under normal usage and a DoS vector under targeted abuse (flooding POST /oauth/authorize).

Fix
Start a background goroutine in NewOAuthHandler that ticks every 5 minutes and deletes any codeEntry whose expiresAt is in the past. This mirrors the cleanup approach suggested in the issue.

Single-file change to oauth_handler.go. Builds cleanly, passes go vet.
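
A stoppable form of the sweeper this description outlines, as an added example rather than code from the PR or the project. codeEntry, expiresAt and codes come from the description; codeStore, Sweep and Run are hypothetical names, and the stored code is a constructed sample.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// codeEntry, expiresAt and codes follow the PR text; codeStore, Sweep and
// Run are hypothetical names for this sketch.
type codeEntry struct{ expiresAt time.Time }

type codeStore struct{ codes sync.Map }

// Sweep deletes entries that expired at or before now (and malformed values).
func (s *codeStore) Sweep(now time.Time) (removed int) {
	s.codes.Range(func(k, v any) bool {
		if e, ok := v.(codeEntry); !ok || !e.expiresAt.After(now) {
			s.codes.Delete(k)
			removed++
		}
		return true
	})
	return removed
}

// Run sweeps on each tick until ctx is cancelled; Stop releases the ticker.
func (s *codeStore) Run(ctx context.Context, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case now := <-t.C:
			s.Sweep(now)
		}
	}
}

func main() {
	s := &codeStore{}
	s.codes.Store("constructed-expired", codeEntry{time.Now().Add(-time.Minute)})
	ctx, cancel := context.WithCancel(context.Background())
	go s.Run(ctx, 5*time.Minute) // interval from the PR description
	fmt.Println("removed:", s.Sweep(time.Now()))
	cancel() // the owner shuts the sweeper down
}
```

Keeping Sweep separate from Run lets a test drive expiry with a fixed clock instead of waiting for a tick.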