I've been writing some scripts to manage user storage, which must inspect many users. I have found that results can be non-deterministic when asUser() is used. The as-user header value is stored in a global variable which can be clobbered by concurrent tasks.
The main looks like this:
Inside of processUser, this sequence appears:
The first client sets one asUser id, and then gets the root folder. While it's waiting, the event loop runs the second task, which sets a new asUser id and gets that user's root folder. When the first task resumes, it has the wrong user set to get the items in the root folder it has retrieved.
This is a somewhat contrived example to boil down a more complicated flow that resulted in random strange results. One can imagine cases in which it would lead to information leakage.
Is there a way to contextualize the user that is being acted on behalf of to isolate different tasks within a single app?
-Chuck
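
The interleaving described in the post, reproduced as an added example (not the poster's code and not any SDK's own API). `MockClient`, `forUser`, `runAll`, `crossUser` and the sample users are hypothetical; only `asUser` and `processUser` are names from the post. It contrasts one client shared across concurrent tasks with a client bound to each task.

```javascript
// Hypothetical stand-in for an SDK client (not a real SDK API); data is constructed.
const ITEMS = { alice: ['alice-tax.pdf'], bob: ['bob-notes.txt'] };
const tick = () => new Promise((resolve) => setTimeout(resolve, 0)); // simulated network wait

class MockClient {
  constructor(id = null) { this.asUserId = id; }
  asUser(id) { this.asUserId = id; }          // mutates state that every task shares
  forUser(id) { return new MockClient(id); }  // isolated client bound to one user
  async getRootFolder() {
    const owner = this.asUserId;              // as-user value read when the request is sent
    await tick();
    return { owner };
  }
  async getItems(folder) {
    const actingAs = this.asUserId;           // read again; may have changed since
    await tick();
    return { folderOwner: folder.owner, actingAs, items: ITEMS[actingAs] };
  }
}

// Pattern from the post: asUser() on a client shared by concurrent tasks.
async function processUserShared(client, id) {
  client.asUser(id);
  const root = await client.getRootFolder();  // other tasks run during this await
  return client.getItems(root);
}

// Isolated variant: the user id travels with the task's own client.
async function processUserScoped(client, id) {
  const scoped = client.forUser(id);
  const root = await scoped.getRootFolder();
  return scoped.getItems(root);
}

function runAll(processUser) {
  const client = new MockClient();
  return Promise.all(['alice', 'bob'].map((id) => processUser(client, id)));
}

// Check: any result where the folder's owner differs from the acting user.
const crossUser = (results) => results.filter((r) => r.folderOwner !== r.actingAs);

async function main() {
  console.log('shared:', crossUser(await runAll(processUserShared)));
  console.log('scoped:', crossUser(await runAll(processUserScoped)));
}
main();
```

With the shared client, the task for `alice` lists items while acting as `bob`; with per-task clients, `crossUser` returns an empty list.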