fix: Avoid caching jwt if it needs to be forwarded #6007
Merged
ZhongpinWang merged 18 commits into main on Apr 20, 2026
marikaner
requested changes
Mar 18, 2026
Contributor
marikaner
left a comment
I don't fully understand the comments, maybe let's talk about them.
| // -> Auth token can be cached in destination cache as subscriber is not used. | ||
| // If origin is subscriber, subscriber jwt + refresh token is used. | ||
| // -> Auth token can be cached in destination cache as destination is tenant-isolated. | ||
| destination = await this.fetchDestinationWithRefreshTokenFlow( |
Contributor
Suggested change
| destination = await this.fetchDestinationWithRefreshTokenFlow( | |
| return this.fetchDestinationWithRefreshTokenFlow( |
| !this.usesSystemUser(destination)) | ||
| ) { | ||
| // VERY BAD... | ||
| // If origin is provider, next time subscriber jwt might change. |
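Review bot: The `// VERY BAD...` comment says that something is wrong but not what, and the next line, `If origin is provider, next time subscriber jwt might change`, does not say why a changing jwt matters in this branch. Replace both with a comment that states what is stored in the cache here, which key it is stored under, and why a different subscriber jwt on the next call makes that entry unsafe to reuse.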
Contributor
[q] I don't understand this sentence.
Contributor
Author
I think I meant:
If the destination is fetched from the provider subaccount (origin = 'provider'), then we use the provider tenant id to build the cache key.
But these auth flows need a specific user jwt, which comes from a certain subscriber tenant, and the auth token will be cached together with the destination using provider tenant id + user id only (no subscriber tenant id). This is a problem for a multi-tenant app, as the next get destination may be for a user from a different subscriber.
marikaner
reviewed
Apr 20, 2026
marikaner
approved these changes
Apr 20, 2026
davidkna-sap
added a commit
that referenced
this pull request
Apr 21, 2026
* origin/main: chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 (#6495) chore: Add composite setup action for pnpm (#6507) fix: Avoid caching jwt if it needs to be forwarded (#6007) Change status from proposed to decided chore(deps): bump typescript-eslint from 8.58.1 to 8.58.2 (#6514) chore(deps): bump @typescript-eslint/parser from 8.58.1 to 8.58.2 (#6513) chore(deps-dev): bump @sap/cds-dk from 9.8.3 to 9.8.4 (#6512) chore(deps): bump fast-xml-parser from 5.5.11 to 5.6.0 (#6509) chore(deps-dev): bump puppeteer from 24.40.0 to 24.41.0 (#6508)
Closes SAP/cloud-sdk-backlog#1278.
The to-be-forwarded jwt is no longer part of the destination cache, to avoid the provider account destination being cached with only the provider tenant id as the cache key, and the to-be-forwarded jwt can change next time.
Refactored a lot to make the flow clearer.
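The cache-key collision described in this PR and in the author's reply above, as an added TypeScript model that is not the SDK's code: every name (`getDestination`, `cacheKey`, `exchangeToken`, the tenant and user ids) is hypothetical, and it assumes two subscribers whose users share a user id. Passing `true` caches the jwt-derived token under the provider-tenant key; `false` keeps that token out of the cache.

```typescript
// Constructed model of the caching problem; every name here is hypothetical, not SDK code.
type Origin = 'provider' | 'subscriber';
interface Caller { tenantId: string; userId: string; jwt: string }
interface Destination { name: string; origin: Origin; forwardsUserJwt: boolean; authToken?: string }

const PROVIDER_TENANT_ID = 'provider-tenant';

// Stand-in for the auth flow: the issued token is bound to the caller's jwt.
function exchangeToken(caller: Caller): string {
  return `token-for(${caller.jwt})`;
}

// The key uses the tenant the destination was fetched from, plus the user id.
function cacheKey(dest: Destination, caller: Caller): string {
  const tenantId = dest.origin === 'provider' ? PROVIDER_TENANT_ID : caller.tenantId;
  return `${tenantId}:${caller.userId}:${dest.name}`;
}

function getDestination(
  cache: Map<string, Destination>,
  dest: Destination,
  caller: Caller,
  cacheForwardedJwtToken: boolean // true = the behaviour described as the problem
): Destination {
  const key = cacheKey(dest, caller);
  const hit = cache.get(key);
  if (hit?.authToken) {
    return hit; // token reused without looking at caller.tenantId or caller.jwt
  }
  const resolved = { ...dest, authToken: exchangeToken(caller) };
  const tokenBoundToSubscriber = dest.origin === 'provider' && dest.forwardsUserJwt;
  // Fix: cache the destination, but keep the jwt-derived token out of the cache.
  cache.set(key, tokenBoundToSubscriber && !cacheForwardedJwtToken ? { ...dest } : resolved);
  return resolved;
}

// Two subscribers whose users share a user id call the same provider destination.
function tokenForSecondSubscriber(cacheForwardedJwtToken: boolean): string {
  const cache = new Map<string, Destination>();
  const dest: Destination = { name: 'backend', origin: 'provider', forwardsUserJwt: true };
  getDestination(cache, dest, { tenantId: 'sub-a', userId: 'u1', jwt: 'jwt-a' }, cacheForwardedJwtToken);
  const second = { tenantId: 'sub-b', userId: 'u1', jwt: 'jwt-b' };
  return getDestination(cache, dest, second, cacheForwardedJwtToken).authToken ?? '';
}
```

With the token cached, the caller from `sub-b` is handed the token issued for `jwt-a`; with the token kept out of the cache, each caller gets a token derived from its own jwt.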