Filter expired items from Dynamo

2026-04-21 00:28:02 +01:00 · 2022-08-15 17:51:55 -05:00
parent 27f67a077c
commit 27b749abbd
4 changed files with 44 additions and 20 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/storage/PushChallengeDynamoDb.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/storage/PushChallengeDynamoDb.java
@@ -5,11 +5,11 @@

 package org.whispersystems.textsecuregcm.storage;

+import com.google.common.annotations.VisibleForTesting;
 import java.time.Clock;
 import java.time.Duration;
 import java.util.Map;
 import java.util.UUID;
-import com.google.common.annotations.VisibleForTesting;
 import org.whispersystems.textsecuregcm.util.AttributeValues;
 import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
 import software.amazon.awssdk.services.dynamodb.model.ConditionalCheckFailedException;
@@ -29,7 +29,8 @@ public class PushChallengeDynamoDb extends AbstractDynamoDbStore {
  static final String ATTR_TTL = "T";

  private static final Map<String, String> UUID_NAME_MAP = Map.of("#uuid", KEY_ACCOUNT_UUID);
-  private static final Map<String, String> CHALLENGE_TOKEN_NAME_MAP = Map.of("#challenge", ATTR_CHALLENGE_TOKEN);
+  private static final Map<String, String> CHALLENGE_TOKEN_NAME_MAP = Map.of("#challenge", ATTR_CHALLENGE_TOKEN, "#ttl",
+      ATTR_TTL);

  public PushChallengeDynamoDb(final DynamoDbClient dynamoDB, final String tableName) {
    this(dynamoDB, tableName, Clock.systemUTC());
@@ -87,9 +88,10 @@ public class PushChallengeDynamoDb extends AbstractDynamoDbStore {
      db().deleteItem(DeleteItemRequest.builder()
          .tableName(tableName)
          .key(Map.of(KEY_ACCOUNT_UUID, AttributeValues.fromUUID(accountUuid)))
-          .conditionExpression("#challenge = :challenge")
+          .conditionExpression("#challenge = :challenge AND #ttl >= :currentTime")
          .expressionAttributeNames(CHALLENGE_TOKEN_NAME_MAP)
-          .expressionAttributeValues(Map.of(":challenge", AttributeValues.fromByteArray(challengeToken)))
+          .expressionAttributeValues(Map.of(":challenge", AttributeValues.fromByteArray(challengeToken),
+              ":currentTime", AttributeValues.fromLong(clock.instant().getEpochSecond())))
          .build());
      return true;
    } catch (final ConditionalCheckFailedException e) {
--- a/service/src/main/java/org/whispersystems/textsecuregcm/storage/VerificationCodeStore.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/storage/VerificationCodeStore.java
@@ -5,10 +5,15 @@

 package org.whispersystems.textsecuregcm.storage;

+import static com.codahale.metrics.MetricRegistry.name;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.google.common.annotations.VisibleForTesting;
 import io.micrometer.core.instrument.Metrics;
 import io.micrometer.core.instrument.Timer;
+import java.time.Instant;
+import java.util.Map;
+import java.util.Optional;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.auth.StoredVerificationCode;
@@ -19,11 +24,6 @@ import software.amazon.awssdk.services.dynamodb.model.DeleteItemRequest;
 import software.amazon.awssdk.services.dynamodb.model.GetItemRequest;
 import software.amazon.awssdk.services.dynamodb.model.GetItemResponse;
 import software.amazon.awssdk.services.dynamodb.model.PutItemRequest;
-import java.time.Instant;
-import java.util.Map;
-import java.util.Optional;
-
-import static com.codahale.metrics.MetricRegistry.name;

 public class VerificationCodeStore {

@@ -83,7 +83,8 @@ public class VerificationCodeStore {

      try {
        return response.hasItem()
-            ? Optional.of(SystemMapper.getMapper().readValue(response.item().get(ATTR_STORED_CODE).s(), StoredVerificationCode.class))
+            ? filterMaybeExpiredCode(
+            SystemMapper.getMapper().readValue(response.item().get(ATTR_STORED_CODE).s(), StoredVerificationCode.class))
            : Optional.empty();
      } catch (final JsonProcessingException e) {
        log.error("Failed to parse stored verification code", e);
@@ -92,6 +93,16 @@ public class VerificationCodeStore {
    });
  }

+  private Optional<StoredVerificationCode> filterMaybeExpiredCode(StoredVerificationCode storedVerificationCode) {
+    // It's possible for DynamoDB to return items after their expiration time (although it is very unlikely for small
+    // tables)
+    if (getExpirationTimestamp(storedVerificationCode) < Instant.now().getEpochSecond()) {
+      return Optional.empty();
+    }
+
+    return Optional.of(storedVerificationCode);
+  }
+
  public void remove(final String number) {
    removeTimer.record(() -> {
      dynamoDbClient.deleteItem(DeleteItemRequest.builder()