fix(guard): remove token cache from repo host account (#153)

Author: forestileao

ee/rbac/lib/rbac/front_repo/repo_host_account.ex

@@ -46,6 +46,7 @@ defmodule Rbac.FrontRepo.RepoHostAccount do
     field(:permission_scope, :string)
     field(:token, :string)
     field(:refresh_token, :string)
+    field(:token_expires_at, :utc_datetime)
     field(:revoked, :boolean, default: false)
 
     timestamps(inserted_at: :created_at, updated_at: :updated_at, type: :utc_datetime)

ee/rbac/priv/front_repo/migrations/20220314144013_create_repo_host_accounts.exs

@@ -13,6 +13,7 @@ defmodule Rbac.FrontRepo.Migrations.CreateRepoHostAccounts do
       add :permission_scope, :string
       add :revoked, :boolean, default: false, null: false
       add :refresh_token, :string
+      add :token_expires_at, :utc_datetime
       add :created_at, :utc_datetime
       add :updated_at, :utc_datetime
     end

github_hooks/Gemfile

@@ -32,7 +32,7 @@ gem "sentry-rails"
 gem "sentry-sidekiq"
 
 gem "sprockets", "< 4"
-gem "nokogiri", "~> 1.18.3"
+gem "nokogiri", "~> 1.18.4"
 
 gem "rt-watchman", :require => "watchman", :github => "renderedtext/watchman", :ref => "74530687a232aea678b6738114c82dfc163657cd"
 gem "rt-logman", :require => "logman"

github_hooks/Gemfile.lock

@@ -221,7 +221,7 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.3)
+    nokogiri (1.18.5)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     octokit (4.20.0)
@@ -466,7 +466,7 @@ DEPENDENCIES
   kaminari (~> 1.2.2)
   lograge
   net-http
-  nokogiri (~> 1.18.3)
+  nokogiri (~> 1.18.4)
   octokit
   pg (~> 1.1)
   pry-byebug (~> 3.10, >= 3.10.1)

github_hooks/db/migrate/20250321112218_add_token_expires_at_to_repo_host_accounts.rb

@@ -0,0 +1,5 @@
+class AddTokenExpiresAtToRepoHostAccounts < ActiveRecord::Migration[5.1]
+  def change
+    add_column :repo_host_accounts, :token_expires_at, :datetime, null: true, default: nil
+  end
+end

guard/lib/guard/api/bitbucket.ex

@@ -35,18 +35,10 @@ defmodule Guard.Api.Bitbucket do
   Fetch or refresh access token
   """
   def user_token(repo_host_account) do
-    cache_key = OAuth.token_cache_key(repo_host_account)
-
-    case Cachex.get(:token_cache, cache_key) do
-      {:ok, {token, expires_at}} when not is_nil(token) and token != "" ->
-        if OAuth.valid_token?(expires_at) do
-          {:ok, {token, expires_at}}
-        else
-          fetch_and_cache_token(repo_host_account)
-        end
-
-      _ ->
-        fetch_and_cache_token(repo_host_account)
+    if OAuth.valid_token?(repo_host_account.token_expires_at, nil_valid: false) do
+      {:ok, {repo_host_account.token, repo_host_account.token_expires_at}}
+    else
+      fetch_token(repo_host_account)
     end
   end
 
@@ -63,7 +55,12 @@ defmodule Guard.Api.Bitbucket do
     end
   end
 
-  defp fetch_and_cache_token(repo_host_account) do
+  defp fetch_token(%{refresh_token: refresh_token}) when refresh_token in [nil, ""] do
+    Logger.warning("No refresh token found for Bitbucket repo host account, account is revoked")
+    {:error, :revoked}
+  end
+
+  defp fetch_token(repo_host_account) do
     body_params = %{
       "grant_type" => "refresh_token",
       "refresh_token" => repo_host_account.refresh_token

guard/lib/guard/api/github.ex

@@ -36,6 +36,11 @@ defmodule Guard.Api.Github do
 
   @doc """
   Fetch or refresh access token
+
+  # Important Considerations:
+  - By default, GitHub tokens do not expire unless the optional setting in the GitHub app is changed.
+  - If altered, the expires_in and refresh_token will not be null.
+  - That's why we have refresh token logic for GitHub, even if it's not typically used.
   """
   def user_token(repo_host_account) do
     case validate_token(repo_host_account.token) do
@@ -44,6 +49,11 @@ defmodule Guard.Api.Github do
     end
   end
 
+  defp handle_fetch_token(%{refresh_token: refresh_token}) when refresh_token in [nil, ""] do
+    Logger.warning("No refresh token found for GitHub repo host account, account is revoked")
+    {:error, :revoked}
+  end
+
   defp handle_fetch_token(repo_host_account) do
     {:ok, {client_id, client_secret}} = Guard.GitProviderCredentials.get(:github)
 
@@ -58,7 +68,7 @@ defmodule Guard.Api.Github do
 
     case Tesla.post(client, @oauth_path, nil, query: query_params) do
       {:ok, %Tesla.Env{status: status, body: body}} when status in 200..299 ->
-        OAuth.handle_ok_token_response(repo_host_account, body, cache: false)
+        OAuth.handle_ok_token_response(repo_host_account, body)
 
       {:ok, %Tesla.Env{status: status}} when status in 400..499 ->
         Logger.warning("Failed to refresh github token, account might be revoked")

guard/lib/guard/api/gitlab.ex

@@ -11,18 +11,10 @@ defmodule Guard.Api.Gitlab do
   Fetch or refresh access token
   """
   def user_token(repo_host_account) do
-    cache_key = OAuth.token_cache_key(repo_host_account)
-
-    case Cachex.get(:token_cache, cache_key) do
-      {:ok, {token, expires_at}} when not is_nil(token) and token != "" ->
-        if OAuth.valid_token?(expires_at) do
-          {:ok, {token, expires_at}}
-        else
-          handle_fetch_and_cache_token(repo_host_account)
-        end
-
-      _ ->
-        handle_fetch_and_cache_token(repo_host_account)
+    if OAuth.valid_token?(repo_host_account.token_expires_at, nil_valid: false) do
+      {:ok, {repo_host_account.token, repo_host_account.token_expires_at}}
+    else
+      handle_fetch_token(repo_host_account)
     end
   end
 
@@ -32,15 +24,20 @@ defmodule Guard.Api.Gitlab do
     case Tesla.get(client, @oauth_token_info_path) do
       {:ok, res} ->
         expires_at = OAuth.calc_expires_at(res.body["expires_in"])
-        {:ok, res.status in 200..299 && OAuth.valid_token?(expires_at)}
+        {:ok, res.status in 200..299 && OAuth.valid_token?(expires_at, nil_valid: false)}
 
       {:error, error} ->
         Logger.error("Error validating token: #{inspect(error)}")
         {:error, :network_error}
     end
   end
 
-  defp handle_fetch_and_cache_token(repo_host_account) do
+  defp handle_fetch_token(%{refresh_token: refresh_token}) when refresh_token in [nil, ""] do
+    Logger.warning("No refresh token found for GitLab repo host account, account is revoked")
+    {:error, :revoked}
+  end
+
+  defp handle_fetch_token(repo_host_account) do
     body_params = %{
       "grant_type" => "refresh_token",
       "refresh_token" => repo_host_account.refresh_token,

guard/lib/guard/application.ex

@@ -144,10 +144,6 @@ defmodule Guard.Application do
         worker: Supervisor.child_spec({Cachex, :ppl_cache}, id: :ppl_cache),
         active: true
       },
-      %{
-        worker: Supervisor.child_spec({Cachex, :token_cache}, id: :token_cache),
-        active: true
-      },
       %{
         worker:
           Supervisor.child_spec({Cachex, :feature_provider_cache}, id: :feature_provider_cache),

guard/lib/guard/front_repo/repo_host_account.ex

@@ -46,6 +46,7 @@ defmodule Guard.FrontRepo.RepoHostAccount do
     field(:permission_scope, :string)
     field(:token, :string)
     field(:refresh_token, :string)
+    field(:token_expires_at, :utc_datetime)
     field(:revoked, :boolean, default: false)
 
     timestamps(inserted_at: :created_at, updated_at: :updated_at, type: :utc_datetime)
@@ -184,8 +185,14 @@ defmodule Guard.FrontRepo.RepoHostAccount do
     end
   end
 
-  def update_token_pair(rha, token, refresh_token) do
-    update_account(%{token: token, refresh_token: refresh_token}, rha)
+  def update_token(rha, token, refresh_token, expires_at) do
+    params = %{
+      token: token,
+      refresh_token: refresh_token,
+      token_expires_at: expires_at
+    }
+
+    update_account(params, rha)
   end
 
   @spec get_uid_by_login(String.t(), String.t()) :: {:ok, String.t()} | {:error, :not_found}
@@ -314,6 +321,7 @@ defmodule Guard.FrontRepo.RepoHostAccount do
           :revoked,
           :token,
           :refresh_token,
+          :token_expires_at,
           :permission_scope
         ]
       )