Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Distributed cache won't remove the last item #6954

Closed
1 of 2 tasks
piquet-h opened this issue Mar 15, 2024 · 1 comment · Fixed by #7426
Closed
1 of 2 tasks

Distributed cache won't remove the last item #6954

piquet-h opened this issue Mar 15, 2024 · 1 comment · Fixed by #7426
Assignees
@Robbie-Microsoft
Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package question Customer is asking for a clarification, use case or information.

Comments

@piquet-h
Copy link

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

2.5

Wrapper Library

Not Applicable

Wrapper Library Version

n/a

Public or Confidential Client?

Confidential

Description

When you use a distributed cache, it won't remove the last item or the partition it belongs to when using

cache.getAccountByHomeId(homeId).then(account => {
  if(account) {
    tokenCache.removeAccount(accounts[0])
  }
})

Error Message

No error message - it just won't delete.

The key code is here. In lib/msal-node/src/cache/distributed/DistributedCachePlugin.ts - in the afterCacheAccess method. What's happening is that it only serializes the cache if there are still accountEntities in there... but if you remove the last one, it won't update. Therefore the last entity won't ever be removed.

            if (accountEntities.length > 0) {
                const accountEntity = accountEntities[0] as AccountEntity;
                const partitionKey = await this.partitionManager.extractKey(
                    accountEntity
                );

                await this.client.set(
                    partitionKey,
                    cacheContext.tokenCache.serialize()
                );
            }

MSAL Logs

[2024-03-15T06:48:03.217Z] Executing HTTP request: {
[2024-03-15T06:48:03.217Z] "requestId": "14ff06be-b635-4a78-bb9d-a3383b462c29",
[2024-03-15T06:48:03.217Z] "method": "DELETE",
[2024-03-15T06:48:03.217Z] "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
[2024-03-15T06:48:03.217Z] "uri": "/api/deleteAccount"
[2024-03-15T06:48:03.217Z] }
[2024-03-15T06:48:03.218Z] Executing 'Functions.account-delete' (Reason='This function was programmatically called via the host APIs.', Id=355e0997-0453-44d4-a4c9-534ea8f762e9)
[2024-03-15T06:48:03.221Z] Executing 1 "preInvocation" hooks[2024-03-15T06:48:03.221Z] Executed "preInvocation" hooks
[2024-03-15T06:48:03.221Z] Worker 456f09db-337a-4202-86c3-0189f752a46f received FunctionInvocationRequest with invocationId 355e0997-0453-44d4-a4c9-534ea8f762e9

[2024-03-15T06:48:03.865Z] [Fri, 15 Mar 2024 06:48:03 GMT] : [ff1e6beb-2d6d-4895-b103-6c9f2c7390c4] : @azure/[email protected] : Warning - No client info in response
[2024-03-15T06:48:05.095Z] [Fri, 15 Mar 2024 06:48:05 GMT] : [] : @azure/[email protected] : Info - getTokenCache called
[2024-03-15T06:48:05.509Z] [Fri, 15 Mar 2024 06:48:05 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
[2024-03-15T06:48:05.818Z] [Fri, 15 Mar 2024 06:48:05 GMT] : [ef96915a-84bb-4e93-a753-52b228683662] : @azure/[email protected] : Warning - No client info in response
[2024-03-15T06:48:07.286Z] Executed 'Functions.account-delete' (Succeeded, Id=355e0997-0453-44d4-a4c9-534ea8f762e9, Duration=4068ms)
[2024-03-15T06:48:07.286Z] Executed HTTP request: {
[2024-03-15T06:48:07.286Z] "requestId": "14ff06be-b635-4a78-bb9d-a3383b462c29",
[2024-03-15T06:48:07.286Z] "identities": "",
[2024-03-15T06:48:07.286Z] "status": "204",
[2024-03-15T06:48:07.286Z] "duration": "4069"
[2024-03-15T06:48:07.286Z] }

Network Trace (Preferrably Fiddler)

  • Sent
  • Pending

MSAL Configuration

{
  auth: {
    clientId: process.env.CLIENT_ID,
    authority: 'https://login.microsoftonline.com/common,
    clientSecret: process.env.CLIENT_SECRET
  },
  system: {
    loggerOptions: {
      logLevel: msal.LogLevel.Trace,
      loggerCallback(loglevel, message, containsPii) {
        console.debug(message)
      }
    }
  },
  cache: {
    cachePlugin: new msal.DistributedCachePlugin(cache, new PartitionManager(cache, id))
  }
}

Relevant Code Snippets

if (accountEntities.length > 0) {
                const accountEntity = accountEntities[0] as AccountEntity;
                const partitionKey = await this.partitionManager.extractKey(
                    accountEntity
                );

                await this.client.set(
                    partitionKey,
                    cacheContext.tokenCache.serialize()
                );
            }


### Reproduction Steps

1. Create a distributed cache
2. Login with an account where the token is added to a distributed cache
3. Try and delete the last/only account in a partition

cache.getAccountByHomeId(homeId).then(account => {
if(account) {
tokenCache.removeAccount(accounts[0])
}
})


### Expected Behavior

I expect to be able to delete the last entry and the partition.

### Identity Provider

Azure B2C Basic Policy

### Browsers Affected (Select all that apply)

None (Server)

### Regression

n/a

### Source

Internal (Microsoft)
@piquet-h piquet-h added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Mar 15, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Mar 15, 2024
@github-actions github-actions bot added b2c Related to Azure B2C library-specific issues confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package labels Mar 15, 2024
@piquet-h
Copy link
Author

Just thinking more on this, I'd consider this a potential security / privacy issue. If as a user I want to delete my account, I should expect that all tokens associated in a persistent cache would also be deleted.

@Robbie-Microsoft Robbie-Microsoft self-assigned this Nov 12, 2024
@Robbie-Microsoft Robbie-Microsoft mentioned this issue Nov 12, 2024
Closed
2 tasks
@Robbie-Microsoft Robbie-Microsoft linked a pull request Nov 12, 2024 that will close this issue
fix: handle case where account entities is empty in after cache access #7329
Closed
@Robbie-Microsoft Robbie-Microsoft mentioned this issue Nov 18, 2024
Merged
@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Nov 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Robbie-Microsoft Robbie-Microsoft

Labels
b2c Related to Azure B2C library-specific issues bug-unconfirmed A reported bug that needs to be investigated and confirmed confidential-client Issues regarding ConfidentialClientApplications msal-node Related to msal-node package question Customer is asking for a clarification, use case or information.
Projects
None yet
Milestone
No milestone
2 participants
@piquet-h @Robbie-Microsoft