
Security

It is often discussed whether AsyncLocalStorage is safe to use for concurrent requests (because of a possible context leak) and whether the context could be lost throughout the duration of a request.

By default, the ClsMiddleware and ClsInterceptor use the safe run() method, which should not leak context, but in some rare cases the context can be lost.

The ClsGuard (and ClsMiddleware, if configured so) uses the less safe enterWith() method, which might be needed in case the run() method causes context loss.

This has a consequence that should be taken into account:

Caution: When the enterWith method is used, any subsequent requests get access to the CLS context of the previous request until the request hits the enterWith call.

That means, when using ClsMiddleware with the useEnterWith option, or ClsGuard to set up context, be sure to mount them as early in the request lifetime as possible and do not use any other enhancers that rely on ClsService before them. For ClsGuard, that means you should probably manually mount it in AppModule if you require any other guard to run after it.
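The difference between the two methods can be reproduced with Node's AsyncLocalStorage alone. The following is an added example, not code from the library: handleRequest, simulate, readRequestId and leakedRequests are hypothetical names, and handling requests back to back in one execution context is a constructed stand-in for requests that share an async context.

```javascript
const { AsyncLocalStorage } = require('node:async_hooks');

// Hypothetical stand-in for any enhancer that reads the context through
// ClsService (a guard, interceptor, logger). Returns the id it sees or null.
const readRequestId = (als) => als.getStore()?.requestId ?? null;

// One request through a small pipeline: an enhancer that runs BEFORE the
// context is set up, then the setup itself, then the handler.
function handleRequest(als, mode, requestId) {
  const seenBeforeSetup = readRequestId(als);
  if (mode === 'enterWith') {
    // The store replaces the current one and stays active after we return.
    als.enterWith({ requestId });
    return { requestId, seenBeforeSetup, seenByHandler: readRequestId(als) };
  }
  // run(): the store exists only for the duration of the callback.
  return als.run({ requestId }, () => ({
    requestId,
    seenBeforeSetup,
    seenByHandler: readRequestId(als),
  }));
}

// Constructed scenario: requests handled one after another in the same
// execution context. A fresh storage per call keeps simulations independent.
function simulate(mode, requestIds) {
  const als = new AsyncLocalStorage();
  return requestIds.map((id) => handleRequest(als, mode, id));
}

// Ids of requests whose pre-setup enhancer saw another request's context.
function leakedRequests(results) {
  return results
    .filter((r) => r.seenBeforeSetup !== null && r.seenBeforeSetup !== r.requestId)
    .map((r) => r.requestId);
}

const ids = ['req-1', 'req-2', 'req-3']; // constructed sample ids
for (const mode of ['run', 'enterWith']) {
  const results = simulate(mode, ids);
  console.log(mode, results, 'stale context seen by:', leakedRequests(results));
}
```

In both modes the handler, which runs after the setup step, sees its own request id; only the enhancer placed before an enterWith setup observes the previous request's context.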

The next chapter addresses compatibility with various transport protocols.