(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0.001s | source

Show context

mavster ◴[27 May 21 13:50 UTC] No.27303085[source]▶

I'm just guessing, but...

"developer gets a great idea - let's push an update to the API as a GET request so we can cache this on the CDN... forgetting that the JWT token is potentially returned in the call. Now, whoever makes the call first gets their JWT token stored for everyone else to load instead when the API call is made."

Ta-da, Klarna.

replies(10): >>27303554 #>>27303645 #>>27303782 #>>27303857 #>>27303919 #>>27304192 #>>27304408 #>>27304728 #>>27305016 #>>27305863 #

irjustin ◴[27 May 21 15:23 UTC] No.27304192[source]▶

>>27303085 #

I can 100% see this being the cause if this comes out as the root.

But... API's really shouldn't be cached? At least not at the CDN level. The risk of serving up stale dashboard data alone makes users go ????... and we definitely don't want - not even mentioning the problem here, that's crazy.

replies(3): >>27304609 #>>27305462 #>>27307674 #

1. chrisrogers ◴[27 May 21 16:02 UTC] No.27304609[source]▶

>>27304192 #

Depends on the scope of the API of course, but it's a good rule of thumb for any API with private auth

↑

Klarna users are being signed in to random accounts