fix(GODT-2606): Improve Vault concurrency scopes

Rewrite the vault to have one RWlock rather then two separate locks for data and reference counts. In certain circumstance, it could be possible that that different requests could end up in undefined states if a user got deleted successfully while at he same time another goroutine/thread is loading the given user. While I have not been able to reproduce this in a test, restricting the access scope to one lock rather than two, should avoid corner cases where logic code is executing outside of the lock scope.
2025-12-11 05:06:51 +00:00 · 2023-05-12 16:01:31 +02:00
parent faf3780eee
commit 0ef9c9c9c9
7 changed files with 214 additions and 110 deletions
--- a/internal/bridge/user.go
+++ b/internal/bridge/user.go
@ -584,29 +584,7 @@ func (bridge *Bridge) newVaultUser(
 	authUID, authRef string,
 	saltedKeyPass []byte,
 ) (*vault.User, bool, error) {
-	if !bridge.vault.HasUser(apiUser.ID) {
-		user, err := bridge.vault.AddUser(apiUser.ID, apiUser.Name, apiUser.Email, authUID, authRef, saltedKeyPass)
-		if err != nil {
-			return nil, false, fmt.Errorf("failed to add user to vault: %w", err)
-		}
-
-		return user, true, nil
-	}
-
-	user, err := bridge.vault.NewUser(apiUser.ID)
-	if err != nil {
-		return nil, false, err
-	}
-
-	if err := user.SetAuth(authUID, authRef); err != nil {
-		return nil, false, err
-	}
-
-	if err := user.SetKeyPass(saltedKeyPass); err != nil {
-		return nil, false, err
-	}
-
-	return user, false, nil
+	return bridge.vault.GetOrAddUser(apiUser.ID, apiUser.Name, apiUser.Email, authUID, authRef, saltedKeyPass)
 }

 // logout logs out the given user, optionally logging them out from the API too.