Skip to content

fix(opencode): serialize concurrent auth.json writes#36362

Open
1837620622 wants to merge 1 commit into
anomalyco:devfrom
1837620622:fix/auth-concurrent-write-race
Open

fix(opencode): serialize concurrent auth.json writes#36362
1837620622 wants to merge 1 commit into
anomalyco:devfrom
1837620622:fix/auth-concurrent-write-race

Conversation

@1837620622

Copy link
Copy Markdown

Issue for this PR

Closes #30396

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Auth.set / Auth.remove performed an unlocked read-modify-write of auth.json:

const data = yield* all()          // read whole map
// mutate in memory
yield* fsys.writeJson(file, data)  // write back

Two concurrent set() calls read the same snapshot, so the second write overwrites the first and a provider silently vanishes. Parallel provider logins (or app startup that persists multiple keys) hit this.

Minimal fix: serialize mutations with Semaphore.makeUnsafe(1) + lock.withPermits(1)(...) in the Auth layer (same in-process pattern as snapshot/edit locks). Reads (get/all) stay lock-free.

Source evidence (current dev)

  • packages/opencode/src/auth/index.tsset/remove had no mutual exclusion around RMW
  • Concurrent proof in new test: three unbounded Auth.set calls must leave all three keys

How did you verify your code works?

  • Added regression: set is safe under concurrent calls in packages/opencode/test/auth/auth.test.ts
  • bun test test/auth/auth.test.ts — 5 pass (including concurrent set)

Author

  • GitHub: @1837620622 (传康Kk)
  • Commit email: 35034498+1837620622@users.noreply.github.com (GitHub-verified noreply)

Checklist

  • Linked issue (Closes #30396)
  • No unrelated changes
  • Regression test included

Auth.set/remove used an unlocked read-modify-write of auth.json, so
parallel logins could clobber each other and silently drop providers.

Serialize mutations with a process-local semaphore (same pattern as
snapshot/edit locks) so concurrent sets all survive.

Closes anomalyco#30396
@1837620622

Copy link
Copy Markdown
Author

Review ping when convenient 🙏

Serializes concurrent auth.json set/remove (Semaphore) so parallel logins cannot clobber each other (#30396). Concurrent test included; checks green.

@1837620622

CreatorGhost added a commit to CreatorGhost/TheCode that referenced this pull request Jul 12, 2026
Addresses CodeRabbit review finding on the anomalyco#36362 port.
CreatorGhost added a commit to CreatorGhost/TheCode that referenced this pull request Jul 12, 2026
Addresses CodeRabbit review finding on the anomalyco#36362 port.
CreatorGhost added a commit to CreatorGhost/TheCode that referenced this pull request Jul 12, 2026
* fix(opencode): serialize concurrent auth.json writes

Ported from upstream anomalyco#36362.

* test(auth): cover concurrent set/remove interaction

Addresses CodeRabbit review finding on the anomalyco#36362 port.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Concurrent Auth.set/remove race and silently drop providers in auth.json

1 participant