fix(providers): 🐛 fix race condition in lock creation

Mirrowel · Mirrowel · commit 2da1c3f4fc47 · 2026-01-25T06:17:10.000+01:00
Implement a thread-safe `_get_lock` method in auth providers to handle the retrieval and creation of refresh locks. This ensures that the `_refresh_locks` dictionary is modified under a master lock (`_locks_lock`), preventing Time-of-check to time-of-use (TOCTOU) bugs where multiple coroutines could simultaneously create duplicate locks for the same path.
diff --git a/src/rotator_library/providers/iflow_auth_base.py b/src/rotator_library/providers/iflow_auth_base.py
@@ -428,6 +428,14 @@ def _is_token_expired(self, creds: Dict[str, Any]) -> bool:
 
         return expiry_timestamp < time.time() + REFRESH_EXPIRY_BUFFER_SECONDS
 
+    async def _get_lock(self, path: str) -> asyncio.Lock:
+        # [FIX RACE CONDITION] Protect lock creation with a master lock
+        # This prevents TOCTOU bug where multiple coroutines check and create simultaneously
+        async with self._locks_lock:
+            if path not in self._refresh_locks:
+                self._refresh_locks[path] = asyncio.Lock()
+            return self._refresh_locks[path]
+
     def _is_token_truly_expired(self, creds: Dict[str, Any]) -> bool:
         """Check if token is TRULY expired (past actual expiry, not just threshold).
 
diff --git a/src/rotator_library/providers/qwen_auth_base.py b/src/rotator_library/providers/qwen_auth_base.py
@@ -273,6 +273,14 @@ def _is_token_expired(self, creds: Dict[str, Any]) -> bool:
         expiry_timestamp = creds.get("expiry_date", 0) / 1000
         return expiry_timestamp < time.time() + REFRESH_EXPIRY_BUFFER_SECONDS
 
+    async def _get_lock(self, path: str) -> asyncio.Lock:
+        # [FIX RACE CONDITION] Protect lock creation with a master lock
+        # This prevents TOCTOU bug where multiple coroutines check and create simultaneously
+        async with self._locks_lock:
+            if path not in self._refresh_locks:
+                self._refresh_locks[path] = asyncio.Lock()
+            return self._refresh_locks[path]
+
     def _is_token_truly_expired(self, creds: Dict[str, Any]) -> bool:
         """Check if token is TRULY expired (past actual expiry, not just threshold).
 
