mirror of
https://github.com/zed-industries/zed.git
synced 2026-07-09 16:00:35 +00:00
The tokens are organization-specific (the organization id in the JWT claims). Before this commit, the `LlmApiToken` cache was an `Option<String>`, and `cached()` ignored the `organization_id` argument on cache hit. Correctness relied on `RefreshLlmTokenListener` clearing and refreshing the token when it observed an `OrganizationChanged` event. That leaves two windows where a token minted for the wrong organization could be served from the cache: - the refresh runs in a spawned task, so between the organization switch and the task acquiring the write lock, any request calling `cached()` would get the previous organization's token. - `Client::authenticated_llm_request` snapshots the organization id at call time; if the server demanded a token refresh after the user had switched organizations mid-request, the retry path would mint a fresh token for the old organization and write it into the shared cache, poisoning it for all subsequent requests until the next refresh event. The fix is to store the organization id corresponding to the token next to it in the cache, and to check that the cached token is for the correct organization in `cached()`. Release Notes: - Fixed a race where LLM and edit prediction requests made immediately after switching organizations could be attributed to the previously selected organization. |
||
|---|---|---|
| .. | ||
| src | ||
| Cargo.toml | ||
| LICENSE-APACHE | ||