Commit

feat: graduate jwksCache to stable API
panva committed Aug 19, 2024
1 parent 13c197f commit 0e0e1d2
Showing 8 changed files with 34 additions and 34 deletions.
2 changes: 1 addition & 1 deletion docs/README.md
@@ -192,7 +192,7 @@ Support from the community to continue maintaining and improving this module is
- [customFetch](variables/customFetch.md)
- [expectNoNonce](variables/expectNoNonce.md)
- [expectNoState](variables/expectNoState.md)
- [experimental\_jwksCache](variables/experimental_jwksCache.md)
- [jwksCache](variables/jwksCache.md)
- [skipAuthTimeCheck](variables/skipAuthTimeCheck.md)
- [skipStateCheck](variables/skipStateCheck.md)
- [skipSubjectCheck](variables/skipSubjectCheck.md)
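Review bot: Dropping the `experimental_jwksCache` entry from this index leaves no discoverable pointer from the old name to the new one; the deprecated `experimental_jwksCache` export added at the end of src/index.ts is tagged `@ignore`, so no replacement page is generated for it and anyone following the old docs URL gets nothing. A one-line "renamed from `experimental_jwksCache`" note on the `jwksCache` page, or a changelog entry, would cover that.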

6 changes: 3 additions & 3 deletions docs/interfaces/JWKSCacheOptions.md
@@ -8,8 +8,8 @@ Support from the community to continue maintaining and improving this module is

## Properties

### \[experimental\_jwksCache\]?
### \[jwksCache\]?

`optional` **\[experimental\_jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)
`optional` **\[jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)

See [experimental_jwksCache](../variables/experimental_jwksCache.md).
See [jwksCache](../variables/jwksCache.md).

6 changes: 3 additions & 3 deletions docs/interfaces/ValidateDetachedSignatureResponseOptions.md
@@ -27,11 +27,11 @@ See [customFetch](../variables/customFetch.md).

***

### \[experimental\_jwksCache\]?
### \[jwksCache\]?

`optional` **\[experimental\_jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)
`optional` **\[jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)

See [experimental_jwksCache](../variables/experimental_jwksCache.md).
See [jwksCache](../variables/jwksCache.md).

***


6 changes: 3 additions & 3 deletions docs/interfaces/ValidateJWTAccessTokenOptions.md
@@ -43,11 +43,11 @@ See [customFetch](../variables/customFetch.md).

***

### \[experimental\_jwksCache\]?
### \[jwksCache\]?

`optional` **\[experimental\_jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)
`optional` **\[jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)

See [experimental_jwksCache](../variables/experimental_jwksCache.md).
See [jwksCache](../variables/jwksCache.md).

***


6 changes: 3 additions & 3 deletions docs/interfaces/ValidateJwtAuthResponseOptions.md
@@ -27,11 +27,11 @@ See [customFetch](../variables/customFetch.md).

***

### \[experimental\_jwksCache\]?
### \[jwksCache\]?

`optional` **\[experimental\_jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)
`optional` **\[jwksCache\]**: [`JWKSCacheInput`](../type-aliases/JWKSCacheInput.md)

See [experimental_jwksCache](../variables/experimental_jwksCache.md).
See [jwksCache](../variables/jwksCache.md).

***


@@ -1,15 +1,12 @@
# Variable: experimental\_jwksCache
# Variable: jwksCache

[💗 Help the project](https://github.com/sponsors/panva)

Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).

***

`const` **experimental\_jwksCache**: unique `symbol`

This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
compatible changes or removal may occur in any future release.
`const` **jwksCache**: unique `symbol`

DANGER ZONE - This option has security implications that must be understood, assessed for
applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be
@@ -54,7 +51,7 @@ const { uat } = jwksCache

// Use JSON Web Key Set cache
const accessTokenClaims = await validateJwtAccessToken(as, request, expectedAudience, {
[oauth.experimental_jwksCache]: jwksCache,
[oauth.jwksCache]: jwksCache,
})

if (uat !== jwksCache.uat) {

27 changes: 15 additions & 12 deletions src/index.ts
@@ -328,9 +328,6 @@ export const clockTolerance: unique symbol = Symbol()
export const customFetch: unique symbol = Symbol()

/**
* This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
* compatible changes or removal may occur in any future release.
*
* DANGER ZONE - This option has security implications that must be understood, assessed for
* applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be
* writable by your own code.
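Review bot: Removing the experimental notice here commits the `jwksCache` symbol, and with it the `JWKSCacheInput` shape the cache consumers rely on (`jwks`, `uat`), to semantic versioning, but the JSDoc keeps no record of when that happened. A `@since` tag or a changelog line would give consumers a concrete version to target when migrating off the deprecated alias. Keeping the DANGER ZONE paragraph verbatim is right; that text is the security contract (the cache must only be writable by the caller's own code) and it should survive the graduation unchanged.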
@@ -374,7 +371,7 @@ export const customFetch: unique symbol = Symbol()
*
* // Use JSON Web Key Set cache
* const accessTokenClaims = await validateJwtAccessToken(as, request, expectedAudience, {
* [oauth.experimental_jwksCache]: jwksCache,
* [oauth.jwksCache]: jwksCache,
* })
*
* if (uat !== jwksCache.uat) {
@@ -383,7 +380,7 @@ export const customFetch: unique symbol = Symbol()
* }
* ```
*/
export const experimental_jwksCache: unique symbol = Symbol()
export const jwksCache: unique symbol = Symbol()

/**
* When combined with {@link customFetch} (to use a Fetch API implementation that supports client
@@ -1018,9 +1015,9 @@ const SUPPORTED_JWS_ALGS: JWSAlgorithm[] = [

export interface JWKSCacheOptions {
/**
* See {@link experimental_jwksCache}.
* See {@link jwksCache}.
*/
[experimental_jwksCache]?: JWKSCacheInput
[jwksCache]?: JWKSCacheInput
}

export interface HttpRequestOptions {
@@ -2297,8 +2294,8 @@ async function getPublicSigKeyFromIssuerJwksUri(
const { alg, kid } = header
checkSupportedJwsAlg(alg)

if (!jwksMap?.has(as) && isFreshJwksCache(options?.[experimental_jwksCache])) {
setJwksCache(as, options?.[experimental_jwksCache].jwks, options?.[experimental_jwksCache].uat)
if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {
setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat)
}
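Review bot: The two `setJwksCache` call shapes in this function differ, and since the rename touches both it is worth confirming they are intentional: here it is `setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat)` with the caller's `uat` as the third argument and no fourth, while the next hunk has `setJwksCache(as, jwks, epochTime(), options?.[jwksCache])` with the caller's cache object as the fourth. That reads as "seed the in-memory map from a fresh caller cache without writing back" versus "store a fresh fetch and propagate it to the caller's cache", which is consistent, but the asymmetry predates this commit and deserves a comment. Style point: `options?.[jwksCache]` is evaluated three times on two lines; a local `const cache = options?.[jwksCache]` before the `if` would make the narrowing that `isFreshJwksCache` is relied on for explicit.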

let jwks: JWKS
@@ -2308,13 +2305,13 @@ async function getPublicSigKeyFromIssuerJwksUri(
;({ jwks, age } = jwksMap.get(as)!)
if (age >= 300) {
// force a re-fetch every 5 minutes
clearJwksCache(as, options?.[experimental_jwksCache])
clearJwksCache(as, options?.[jwksCache])
return getPublicSigKeyFromIssuerJwksUri(as, options, header)
}
} else {
jwks = await jwksRequest(as, options).then(processJwksResponse)
age = 0
setJwksCache(as, jwks, epochTime(), options?.[experimental_jwksCache])
setJwksCache(as, jwks, epochTime(), options?.[jwksCache])
}

let kty: string
@@ -2376,7 +2373,7 @@ async function getPublicSigKeyFromIssuerJwksUri(
if (!length) {
if (age >= 60) {
// allow re-fetch if cache is at least 1 minute old
clearJwksCache(as, options?.[experimental_jwksCache])
clearJwksCache(as, options?.[jwksCache])
return getPublicSigKeyFromIssuerJwksUri(as, options, header)
}
throw new OPE('error when selecting a JWT verification key, no applicable keys found')
@@ -4736,3 +4733,9 @@ export const experimental_validateDetachedSignatureResponse = (
export const experimental_validateJwtAccessToken = (
...args: Parameters<typeof validateJwtAccessToken>
) => validateJwtAccessToken(...args)
/**
* @ignore
*
* @deprecated Use {@link jwksCache}.
*/
export const experimental_jwksCache = jwksCache
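Review bot: Missing blank line between `) => validateJwtAccessToken(...args)` and the new `/**` block; the other exports in this file are separated by one (see `export const customFetch: unique symbol = Symbol()` followed by an empty line before its neighbour's JSDoc in the first hunk). On substance the shim is sound: because `experimental_jwksCache` is assigned `jwksCache` rather than a fresh `Symbol()`, it carries the same unique symbol type, so existing `[oauth.experimental_jwksCache]: cache` option objects keep type-checking against `JWKSCacheOptions`, which now declares only `[jwksCache]?`, and resolve to the same key at runtime. Note that `@deprecated` is only visible to TypeScript and editor tooling; plain JavaScript callers get no signal, so the changelog should state the rename explicitly.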

6 changes: 3 additions & 3 deletions test/jwks_lifecycle_with_cache.test.ts
@@ -45,7 +45,7 @@ test.serial('cache is empty at first and set after', async (t) => {
let params = new URLSearchParams({ response: jwt })

await lib.validateJwtAuthResponse(as, c, params, undefined, {
[lib.experimental_jwksCache]: cache,
[lib.jwksCache]: cache,
})

t.truthy(cache.uat)
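Review bot: All three cases in this file move to `lib.jwksCache`, which leaves the deprecated `lib.experimental_jwksCache` alias with no coverage at all. Keep one case on the old key, or add a single assertion such as `t.is(lib.experimental_jwksCache, lib.jwksCache)`, so the compatibility shim cannot silently break before it is removed.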
@@ -75,7 +75,7 @@ test.serial('cache is set and not updated', async (t) => {
let params = new URLSearchParams({ response: jwt })

await lib.validateJwtAuthResponse(as, c, params, undefined, {
[lib.experimental_jwksCache]: cache,
[lib.jwksCache]: cache,
})

t.deepEqual(before, cache)
@@ -114,7 +114,7 @@ test.serial('cache is set and updated', async (t) => {
let params = new URLSearchParams({ response: jwt })

await lib.validateJwtAuthResponse(as, c, params, undefined, {
[lib.experimental_jwksCache]: cache,
[lib.jwksCache]: cache,
})

t.deepEqual(before.jwks, cache.jwks)