fix(proxy): honor access token cache ttl#3056
Conversation
Up to standards βπ’ Issues
|
| Metric | Results |
|---|---|
| Duplication | -6 |
π’ Coverage 100.00% diff coverage Β· +0.02% coverage variation
Metric Results Coverage variation β +0.02% coverage variation (-1.00%) Diff coverage β 100.00% diff coverage Coverage variation details
Coverable lines Covered lines Coverage Common ancestor commit (93fb9cb) Report Missing Report Missing Report Missing Head commit (5457ef8) 82290 (+1) 18974 (+19) 23.06% (+0.02%) Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch:
<coverage of head commit> - <coverage of common ancestor commit>Diff coverage details
Coverable lines Covered lines Diff coverage Pull request (#3056) 1 1 100.00% Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified:
<covered lines added or modified>/<coverable lines added or modified> * 100%1 Codacy didn't receive coverage data for the commit, or there was an error processing the received data. Check your integration for errors and validate that your coverage setup is correct.
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
rhafer
left a comment
There was a problem hiding this comment.
@stonith404 Thanks a lot for the fix! Good catch.
##### [\`7.3.0\`](https://github.com/opencloud-eu/opencloud/blob/HEAD/CHANGELOG.md#730---2026-07-14) ##### π Bug Fixes - fix(proxy): honor access token cache ttl \[[#3056](opencloud-eu/opencloud#3056)] - chore(idp): update axios \[[#3094](opencloud-eu/opencloud#3094)] - fix: make the collaboration service events optional \[[#3001](opencloud-eu/opencloud#3001)] - Revert "fix: disallow thumbnails for tiff and jpeg2000 images" \[[#2973](opencloud-eu/opencloud#2973)] - bump reva \[[#2950](opencloud-eu/opencloud#2950)] - change error level for trashing items interaction with search \[[#2951](opencloud-eu/opencloud#2951)] - fix: Send SSE events for SpaceEnabled/Disabled to affected users \[[#2871](opencloud-eu/opencloud#2871)] ##### π Documentation - update collaboration readme \[[#3076](opencloud-eu/opencloud#3076)] - fix: fix typo in proxy service documentation \[[#3089](opencloud-eu/opencloud#3089)] - roling release template \[[#2972](opencloud-eu/opencloud#2972)] - enhance: fix typos in webfinger service description \[[#2958](opencloud-eu/opencloud#2958)] ##### β Tests - \[full-ci] gherkin steps refactoring. cleaning code \[[#3100](opencloud-eu/opencloud#3100)] - \[decomposed] more cli command tests \[[#3087](opencloud-eu/opencloud#3087)] - test(apiSpaces): a space admin can delete a space with no manager \[[#3040](opencloud-eu/opencloud#3040)] - Update tests for [opencloud-eu/reva#655](opencloud-eu/reva#655) \[[#2889](opencloud-eu/opencloud#2889)] - api-test: deleting space \[[#2970](opencloud-eu/opencloud#2970)] ##### π Enhancement - feat: add disableSponsorLink web config option \[[#3093](opencloud-eu/opencloud#3093)] - feat(graph): add MS Graph colon-syntax path lookup middleware \[[#2688](opencloud-eu/opencloud#2688)] - feat: adjust theme chrome colors and logos \[[#2599](opencloud-eu/opencloud#2599)] - add tls support for all nats connections \[[#2063](opencloud-eu/opencloud#2063)] - feat: add more roles \[[#2928](opencloud-eu/opencloud#2928)] - next to main \[[#2924](opencloud-eu/opencloud#2924)] - feat: add core apps env variable to override the default core apps \[[#2930](opencloud-eu/opencloud#2930)] ##### π¦οΈ Dependencies - build(deps): bump golang.org/x/image from 0.43.0 to 0.44.0 \[[#3112](opencloud-eu/opencloud#3112)] - build(deps): bump golang.org/x/text from 0.39.0 to 0.40.0 \[[#3101](opencloud-eu/opencloud#3101)] - \[full-ci] chore: bump web to v7.2.0 \[[#3121](opencloud-eu/opencloud#3121)] - build(deps): bump golang.org/x/term from 0.44.0 to 0.45.0 \[[#3103](opencloud-eu/opencloud#3103)] - build(deps): bump github.com/coreos/go-oidc/v3 from 3.19.0 to 3.20.0 \[[#3102](opencloud-eu/opencloud#3102)] - build(deps): bump golang.org/x/text from 0.38.0 to 0.39.0 \[[#3085](opencloud-eu/opencloud#3085)] - build(deps): bump github.com/go-chi/chi/v5 from 5.3.0 to 5.3.1 \[[#3073](opencloud-eu/opencloud#3073)] - build(deps): bump github.com/nats-io/nats-server/v2 from 2.14.2 to 2.14.3 \[[#3063](opencloud-eu/opencloud#3063)] - build(deps): bump github.com/gookit/config/v2 from 2.2.8 to 2.2.9 \[[#3075](opencloud-eu/opencloud#3075)] - build(deps): bump github.com/open-policy-agent/opa from 1.18.1 to 1.18.2 \[[#3061](opencloud-eu/opencloud#3061)] - build(deps): bump github.com/kovidgoyal/imaging from 1.8.21 to 1.8.22 \[[#3060](opencloud-eu/opencloud#3060)] - build(deps): bump github.com/libregraph/lico from 0.66.0 to 0.67.0 \[[#3028](opencloud-eu/opencloud#3028)] - chore: bump web to v7.2.0-beta.3 \[[#2953](opencloud-eu/opencloud#2953)] - chore: bump reva to latest main \[[#2943](opencloud-eu/opencloud#2943)]
Description
Pass the configured fallback access token TTL into the OIDC authenticator.
When the proxy cannot derive an expiration from the access token, for example with opaque tokens and
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none, it should usePROXY_OIDC_USERINFO_CACHE_TTLfor userinfo cache entries. The option was parsed and passed into the middleware setup, but not copied onto the authenticator, causing cache entries to expire immediately.This change makes the implementation match the documented fallback behavior.
Related Issue
Motivation and Context
I maintain Pocket ID and ran into this while setting up OpenCloud on my own server. Desktop sync stalled because OpenCloud repeatedly called Pocket IDβs
userinfoendpoint until Pocket ID started rate limiting those requests.The setup uses opaque access tokens with
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none, so OpenCloud cannot derive an expiration from the access token and should fall back toPROXY_OIDC_USERINFO_CACHE_TTL. That fallback TTL was configured, but it was not applied by the OIDC authenticator, causing userinfo cache entries to expire immediately.How Has This Been Tested?
I have created a custom image with this change, deployed it on my server and I can confirm that the TTL is now correctly respected and Pocket ID doesn't get spammed anymore with
userinforequests.Types of changes
Checklist: