Merge pull request #91 from 73ai/fix-scope-waiter-race

priyanshujain · web-flow · commit 913eef9908e9 · 2026-03-18T11:01:56.000+07:00
Fix race condition in ScopeWaiter consent flow
diff --git a/agent/tools/gws_execute.go b/agent/tools/gws_execute.go
@@ -210,14 +210,17 @@ func (g *GWSExecuteTool) requestConsent(ctx context.Context, scopes []string) er
 	if err != nil {
 		return fmt.Errorf("generate auth URL: %w", err)
 	}
+	// Register before notifying so Signal can't race ahead of Await.
+	g.scopeWaiter.Register(state, scopes, g.account)
+
 	if err := g.interactor.Notify("I need additional Google access to complete this request."); err != nil {
 		return fmt.Errorf("notify: %w", err)
 	}
 	if err := g.interactor.NotifyLink("Tap to grant access", url); err != nil {
 		return fmt.Errorf("notify link: %w", err)
 	}
 
-	if err := g.scopeWaiter.Wait(state, g.authTimeout, scopes, g.account); err != nil {
+	if err := g.scopeWaiter.Await(state, g.authTimeout); err != nil {
 		return fmt.Errorf("auth: %w", err)
 	}
 
diff --git a/oauth/google/waiter.go b/oauth/google/waiter.go
@@ -26,17 +26,28 @@ func NewScopeWaiter() *ScopeWaiter {
 	return &ScopeWaiter{pending: make(map[string]*pendingAuth)}
 }
 
-// Wait blocks until Signal is called for the given state or the timeout expires.
-// The scopes and account are stored so the callback can retrieve them via Lookup.
-func (w *ScopeWaiter) Wait(state string, timeout time.Duration, scopes []string, account string) error {
+// Register adds a pending auth entry so that Signal can resolve it
+// even before Await is called — eliminating the race where Signal
+// fires between NotifyLink and Await.
+func (w *ScopeWaiter) Register(state string, scopes []string, account string) {
 	w.mu.Lock()
-	p := &pendingAuth{
+	w.pending[state] = &pendingAuth{
 		ch:      make(chan error, 1),
 		scopes:  scopes,
 		account: account,
 	}
-	w.pending[state] = p
 	w.mu.Unlock()
+}
+
+// Await blocks until Signal is called for a previously registered state
+// or the timeout expires.
+func (w *ScopeWaiter) Await(state string, timeout time.Duration) error {
+	w.mu.Lock()
+	p, ok := w.pending[state]
+	w.mu.Unlock()
+	if !ok {
+		return errors.New("state not registered")
+	}
 
 	defer func() {
 		w.mu.Lock()
@@ -52,6 +63,13 @@ func (w *ScopeWaiter) Wait(state string, timeout time.Duration, scopes []string,
 	}
 }
 
+// Wait registers a state and blocks until Signal is called or timeout.
+// For race-free usage prefer Register + Await.
+func (w *ScopeWaiter) Wait(state string, timeout time.Duration, scopes []string, account string) error {
+	w.Register(state, scopes, account)
+	return w.Await(state, timeout)
+}
+
 // Lookup returns the scopes and account associated with a pending state.
 // Returns false if no pending auth exists for that state.
 func (w *ScopeWaiter) Lookup(state string) (scopes []string, account string, ok bool) {

Original file line number	Diff line number	Diff line change
`@@ -210,14 +210,17 @@ func (g *GWSExecuteTool) requestConsent(ctx context.Context, scopes []string) er`
`210`	`210`	`if err != nil {`
`211`	`211`	`return fmt.Errorf("generate auth URL: %w", err)`
`212`	`212`	`}`
	`213`	`+ // Register before notifying so Signal can't race ahead of Await.`
	`214`	`+ g.scopeWaiter.Register(state, scopes, g.account)`
	`215`	`+`
`213`	`216`	`if err := g.interactor.Notify("I need additional Google access to complete this request."); err != nil {`
`214`	`217`	`return fmt.Errorf("notify: %w", err)`
`215`	`218`	`}`
`216`	`219`	`if err := g.interactor.NotifyLink("Tap to grant access", url); err != nil {`
`217`	`220`	`return fmt.Errorf("notify link: %w", err)`
`218`	`221`	`}`
`219`	`222`
`220`		`- if err := g.scopeWaiter.Wait(state, g.authTimeout, scopes, g.account); err != nil {`
	`223`	`+ if err := g.scopeWaiter.Await(state, g.authTimeout); err != nil {`
`221`	`224`	`return fmt.Errorf("auth: %w", err)`
`222`	`225`	`}`
`223`	`226`