From b12f8c12ce94e82ae9b6bee83ec6843b874ee1ad Mon Sep 17 00:00:00 2001
From: cfz
Date: Fri, 2 Jul 2021 13:06:28 +0800
Subject: [PATCH] server/auth: enable tokenProvider if recoved store enables auth we found a lease leak issue: if a new member(by member add) is recovered by snapshot, and then become leader, the lease will never expire afterwards. leader will log the revoke failure caused by "invalid auth token", since the token provider is not functional, and drops all generated token from upper layer, which in this case, is the lease revoking routine.
---
 server/auth/simple_token.go | 5 +++++
 server/auth/store.go | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/server/auth/simple_token.go b/server/auth/simple_token.go
index 7b1b094ae..be706522a 100644
--- a/server/auth/simple_token.go
+++ b/server/auth/simple_token.go
@@ -156,6 +156,11 @@ func (t *tokenSimple) invalidateUser(username string) {
 }
 func (t *tokenSimple) enable() {
+ t.simpleTokensMu.Lock()
+ defer t.simpleTokensMu.Unlock()
+ if t.simpleTokenKeeper != nil { // already enabled
+ return
+ }
 if t.simpleTokenTTL <= 0 {
 t.simpleTokenTTL = simpleTokenTTLDefault
 }
diff --git a/server/auth/store.go b/server/auth/store.go
index 3085b4984..53f0aab10 100644
--- a/server/auth/store.go
+++ b/server/auth/store.go
@@ -358,6 +358,9 @@ func (as *authStore) Recover(be backend.Backend) {
 as.enabledMu.Lock()
 as.enabled = enabled
+ if enabled {
+ as.tokenProvider.enable()
+ }
 as.enabledMu.Unlock()
 }
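Review bot: enable() in simple_token.go has no doc comment saying that it is now idempotent and that it holds simpleTokensMu, via the added `defer`, until it returns. I would add `// enable starts the token keeper if it is not already running; it is safe to call repeatedly and holds simpleTokensMu for the whole call.` above the function. Most of the body lies outside this hunk, and since sync.Mutex is not reentrant, anything further down that takes simpleTokensMu on the same goroutine would deadlock, so that remainder is worth checking. The other token provider implementations presumably need to tolerate repeated enable() calls as well, now that Recover invokes it too.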
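Review bot: Recover in store.go now handles only one direction: if the recovered backend has auth disabled while the token provider was already enabled in this process, `as.enabled` becomes false but the provider is left as it was, presumably still holding previously issued tokens. If that state is reachable, a `} else { as.tokenProvider.disable() }` branch would keep the store and provider in step so stale tokens cannot outlive a recover. The added call also nests simpleTokensMu inside enabledMu, so that lock order has to hold on every path that takes both. The diffstat lists no test file; a regression test that recovers a store with auth enabled and then assigns and validates a token would pin this fix.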