ioredis-lock
Node distributed locking using redis with lua scripts. Compatible with redis >= 2.6.12. A better alternative to locking strategies based on SETNX or WATCH/MULTI. Refer to Implementation and Alternatives for details.
Using npm, you can install redislock with npm install ioredis-lock -S.
Note: since version 3.4.0 it's possible to use this with node@4 once again.
redislock offers both atomic acquire and release operations, avoiding race conditions among clients, as well as the need for lock-specific redis connections. Lock creation requires a node_redis client, and accepts an object specifying the following three options:
const Promise = require('bluebird');
const Redis = require('ioredis');
const client = new Redis();
const lock = require('ioredis-lock').createLock(client, {
  timeout: 20000,
  retries: 3,
  delay: 100,
});

// this uses bind feature of `bluebird`
Promise
  .bind(lock)
  .call('acquire', 'app:feature:lock')
  .catch(err => {
    // handle err
  })
  .call('release')
  .catch(err => {
    // handle err
  })
  .then(() => {
    // all good
  });
Supports promises, thanks to bluebird, out of the box:
const Redis = require('ioredis');
const redislock = require('ioredis-lock');
const client = new Redis();
const lock = redislock.createLock(client);
const LockAcquisitionError = redislock.LockAcquisitionError;
const LockReleaseError = redislock.LockReleaseError;

lock.acquire('app:feature:lock').then(() => {
  // Lock has been acquired
  return lock.release();
}).then(() => {
  // Lock has been released
}).catch(LockAcquisitionError, (err) => {
  // The lock could not be acquired
}).catch(LockReleaseError, (err) => {
  // The lock could not be released
});
And an example with co:
const co = require('co');
const Redis = require('ioredis');
const client = new Redis();
const lock = require('ioredis-lock').createLock(client);

// co@4 runs the generator immediately and returns a promise,
// so the result of co() is not invoked again
co(function* () {
  try {
    yield lock.acquire('app:feature:lock');
  } catch (e) {
    // Failed to acquire the lock
  }
  try {
    yield lock.release();
  } catch (e) {
    // Failed to release
  }
});
Locking is performed using the following redis command:
SET key uuid PX timeout NX
If the SET returns OK, the lock has been acquired on the given key, and an expiration has been set. Then, releasing a lock uses the following redis script:
if redis.call('GET', KEYS[1]) == ARGV[1] then
  return redis.call('DEL', KEYS[1])
end
return 0
This ensures that the key is deleted only if it still holds the UUID of the lock being released, which is passed to the script as an argument. Extending a lock is done with a similar lua script:
if redis.call('GET', KEYS[1]) == ARGV[1] then
  return redis.call('PEXPIRE', KEYS[1], ARGV[2])
end
return 0
Some alternative locking implementations do not use a random identifier, but instead simply invoke SETNX, assigning a timestamp. This has the problem of requiring synchronization of clocks between all instances to maintain timeout accuracy. Furthermore, freeing a lock with such an implementation may risk deleting a key set by a different lock.
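The failure mode described above, as an added example that is not part of the ioredis-lock code: a late release from a client whose lock has already expired, once with a plain DEL and once with the UUID comparison used by the release script. FakeRedis, the token strings and the helper names are constructed for the illustration, and the in-memory store stands in for a real server.

```javascript
// Constructed in-memory stand-in for one Redis instance: string keys with a
// millisecond expiry and a manually advanced clock (this.now).
class FakeRedis {
  constructor() { this.now = 0; this.store = new Map(); }
  get(key) {
    const entry = this.store.get(key);
    if (entry && entry.expiresAt <= this.now) { this.store.delete(key); return null; }
    return entry ? entry.value : null;
  }
  // SET key value PX ttl NX: only succeeds when the key is absent.
  setNxPx(key, value, ttl) {
    if (this.get(key) !== null) return null;
    this.store.set(key, { value, expiresAt: this.now + ttl });
    return 'OK';
  }
  del(key) { return this.get(key) !== null && this.store.delete(key) ? 1 : 0; }
}

// Release without an ownership check: a plain DEL.
const naiveRelease = (redis, key) => redis.del(key);

// Same logic as the release script: delete only if the stored value is our
// token. Redis runs a Lua script atomically; this single-threaded simulation
// gets the same effect because nothing can run between get() and del().
const safeRelease = (redis, key, token) =>
  redis.get(key) === token ? redis.del(key) : 0;

// Client A acquires with a 100 ms timeout, overruns it, client B acquires the
// same key, then A releases late using the supplied strategy.
function lateRelease(release) {
  const redis = new FakeRedis();
  const key = 'app:feature:lock';
  redis.setNxPx(key, 'token-A', 100);                   // A holds the lock
  redis.now = 150;                                      // A's lock has expired
  const bAcquired = redis.setNxPx(key, 'token-B', 100); // B now holds it
  const deleted = release(redis, key, 'token-A');       // A's late release
  return { bAcquired, deleted, holder: redis.get(key) };
}

const naive = lateRelease(naiveRelease); // B's lock is silently removed
const safe = lateRelease(safeRelease);   // B's lock survives, A is told 0
console.log({ naive, safe });
```

With the plain DEL, client B keeps working in its critical section while the key is gone, so a third client can acquire it and mutual exclusion is lost.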
Another technique used is to WATCH the key for changes when freeing, achieving a CAS-like operation, as described below:
WATCH key  # Begin watching the key for changes
GET key    # Retrieve its value, return an error if not equal to the lock's UUID
MULTI      # Start transaction
DEL key    # Delete the key
EXEC       # Execute the transaction, which will fail if the key had expired
However, this has the issue of requiring that you use a 1:1 mapping of redis clients to locks to ensure that a competing MULTI is not invoked, and that the release is unaffected by other watched keys.
In addition to the above, most locking libraries aren't compatible with promises by default, and due to their API, require "promisifying" individual locks. redislock avoids this issue by taking advantage of bluebird's nodeify function to offer an API that easily supports both callbacks and promises.
The module exports three functions for lock creation and management, as well as two errors for simplified error handling when using promises.
Creates and returns a new Lock instance, configured for use with the supplied redis client, as well as options, if provided. The options object may contain the following three keys, as outlined at the start of the documentation: timeout, retries and delay.
var lock = redislock.createLock(client, {
  timeout: 10000,
  retries: 3,
  delay: 100
});
Sets the default options to be used by any new lock created by redislock. Only available options are modified, and all other keys are ignored.
redislock.setDefaults({
  timeout: 200000,
  retries: 1,
  delay: 50
});
Returns an array of currently active/acquired locks.
// Create 3 locks, but only acquire 2
redislock.createLock(client);
redislock.createLock(client).acquire('app:lock1', function(err) {
  redislock.createLock(client).acquire('app:lock2', function(err) {
    const locks = redislock.getAcquiredLocks(); // [lock, lock]
  });
});
The constructor for a LockAcquisitionError. Thrown or returned when a lock could not be acquired.
The constructor for a LockReleaseError. Thrown or returned when a lock could not be released.
The constructor for a LockExtendError. Thrown or returned when a lock could not be extended.
The lock class exposed by redislock. Each instance is assigned a UUID v1 string as an id, and is configured to work with the given redis client. The default options from which it inherits may be changed by using redislock.setDefaults.
Attempts to acquire a lock, given a key, and an optional callback function. If the initial lock fails, additional attempts will be made for the configured number of retries, and padded by the delay. The callback is invoked with an error on failure, and returns a promise if no callback is supplied. If invoked in the context of a promise, it may throw a LockAcquisitionError.
const lock = redislock.createLock(client);
lock.acquire('example:lock', function(err) {
  if (err) return console.log(err.message); // 'Lock already held'
});
Attempts to release the lock, and accepts an optional callback function. The callback is invoked with an error on failure, and returns a promise if no callback is supplied. If invoked in the context of a promise, it may throw a LockReleaseError.
const lock = redislock.createLock(client);
lock.acquire('app:lock', err => {
  if (err) return;
  setTimeout(() => {
    lock.release(err => {
      if (err) return console.log(err.message); // 'Lock on app:lock has expired'
    });
  }, 20000);
});
Attempts to extend the timeout of a lock, and accepts an optional callback function. The callback is invoked with an error on failure, and returns a promise if no callback is supplied. If invoked in the context of a promise, it may throw a LockExtendError.
const lock = redislock.createLock(client);
lock.acquire('app:lock', function(err) {
  if (err) return;
  setTimeout(function() {
    lock.extend(20000, function(err) {
      if (err) return console.log(err.message); // 'Lock on app:lock has expired'
    });
  }, 20000);
});
Unit and functional tests are available in the base spec directory, and can be run using npm test. Additional integration tests, which require an active redis-server configured on the default port and host, can be run using mocha spec/integration/. Both test suites are run as part of the Travis CI build thanks to their support for services such as redis.
FAQs
Node distributed locking using redis with ioredis adapter
The npm package ioredis-lock receives a total of 2,114 weekly downloads. As such, ioredis-lock popularity was classified as popular.
We found that ioredis-lock demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.