
GitHub API token caching: race condition in installation token refresh #528

Description

@itsmiso-ai

Parent umbrella issue: #495
Source audit: Weekly tech debt audit: dispatch - 2026-07-01
Source audit date: 2026-07-01

Original recommendation

GitHub API token caching: race condition in installation token refresh

Evidence: src/lib/github.ts lines 47-128 — the GitHub App installation token cache uses module-level mutable state (installationTokenCache). The refreshIfNeeded() and getGitHubToken() functions are not mutex-protected. If two concurrent requests enter refreshIfNeeded() when the cache is near expiry, both could attempt to fetch a new token simultaneously, causing redundant API calls. In the worst case, a race condition during initial ensureInit() could leave useGitHubApp=false after a transient failure, silently falling back to PAT auth.


Matched top finding

Evidence: src/lib/github.ts lines 47-128 — the GitHub App installation token cache uses module-level mutable state (installationTokenCache). The refreshIfNeeded() and getGitHubToken() functions are not mutex-protected. If two concurrent requests enter refreshIfNeeded() when the cache is near expiry, both could attempt to fetch a new token simultaneously, causing redundant API calls. In the worst case, a race condition during initial ensureInit() could leave useGitHubApp=false after a transient failure, silently falling back to PAT auth.
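One way to close the refresh race described above, as an added example that is not the code in src/lib/github.ts: concurrent callers share a single in-flight refresh, and a failed refresh is reported to callers rather than changing the auth mode. The names createTokenCache, getToken, TokenFetcher and REFRESH_SKEW_MS, the token shape and the one-minute margin are assumptions.

```typescript
// Added example: hypothetical names throughout, not the code in src/lib/github.ts.
type InstallationToken = { value: string; expiresAt: number }; // expiresAt: epoch ms
type TokenFetcher = () => Promise<InstallationToken>;

const REFRESH_SKEW_MS = 60 * 1000; // assumed margin: refresh one minute before expiry

function createTokenCache(fetchToken: TokenFetcher, now: () => number = Date.now) {
  let cached: InstallationToken | null = null;
  let inFlight: Promise<string> | null = null;

  // Deliberately not `async`: the check of `inFlight` and its assignment run in
  // one synchronous step, so a second caller cannot start a duplicate refresh.
  function getToken(): Promise<string> {
    if (cached !== null && cached.expiresAt - now() > REFRESH_SKEW_MS) {
      return Promise.resolve(cached.value);
    }
    if (inFlight !== null) return inFlight; // join the refresh already running

    const refresh = fetchToken().then(
      (token) => {
        cached = token;
        inFlight = null;
        return token.value;
      },
      (err) => {
        // Clear the slot so the next caller retries, and rethrow: a transient
        // failure is reported to callers, never turned into a PAT fallback.
        inFlight = null;
        throw err;
      },
    );
    inFlight = refresh;
    return refresh;
  }

  return { getToken };
}
```

Because the auth mode is never mutated on error, a transient failure shows up as a rejected call instead of a silent switch to a different credential.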



Labels

- audit: Audit, review, or investigation work.
- priority/p1: High priority.
- status/backlog: Not ready for worker pickup yet.
