fix: use lock in grant exchanger

mdtro · mdtro · commit 51e64ceec356 · 2025-04-28T17:34:09.000-05:00
diff --git a/src/sentry/sentry_apps/token_exchange/grant_exchanger.py b/src/sentry/sentry_apps/token_exchange/grant_exchanger.py
@@ -6,6 +6,7 @@
 from django.utils.functional import cached_property
 
 from sentry import analytics
+from sentry.locks import locks
 from sentry.models.apiapplication import ApiApplication
 from sentry.models.apigrant import ApiGrant
 from sentry.models.apitoken import ApiToken
@@ -35,12 +36,22 @@ class GrantExchanger:
     def run(self):
         with transaction.atomic(using=router.db_for_write(ApiToken)):
             try:
-                self._validate()
-                token = self._create_token()
+                lock = locks.get(
+                    ApiGrant.get_lock_key(self.grant.id),
+                    duration=10,
+                    name="api_grant",
+                )
+
+                # we use a lock to prevent race conditions when creating the ApiToken
+                # an attacker could send two requests to create an access/refresh token pair
+                # at the same time, using the same grant, and get two different tokens
+                with lock.acquire():
+                    self._validate()
+                    token = self._create_token()
 
-                # Once it's exchanged it's no longer valid and should not be
-                # exchangeable, so we delete it.
-                self._delete_grant()
+                    # Once it's exchanged it's no longer valid and should not be
+                    # exchangeable, so we delete it.
+                    self._delete_grant()
             except SentryAppIntegratorError:
                 logger.info(
                     "grant-exchanger.context",
