Switch to in-memory caches for auth

The main reason for this switch is security. By keeping the data only
in-memory we do not have to worry about an external system being
compromised. Additionally, since each server will only have some of the
data we limit the scope of what may be compromised (though really, if
the web server is compromised there are a lot more issues).

Another reasons for this switch is we do not control what type of Rails
cache may be used here. The default Rails cache is file system.
Unfortunately, the file system cache is not thread safe and has some
issues with being multi-process safe (regarding incrementing and
multiple key management).  While Redis is thread/process safe, there's
no guarantee that is the cache type used.

Due to the type and size of the data being stored in this cache, 5
megabytes should be more than enough. This would allow caching tens of
thousands of tokens. Since the main goal of these caches is to help
speed up repeated API requests for the same tokens, this size should be
a sufficient balance between what it can hold and memory overhead.

Author: cupakromer

lib/kracken/authenticator.rb

@@ -2,6 +2,17 @@ module Kracken
   class Authenticator
     attr_reader :auth_hash
 
+    # @private
+    def self.cache
+      @cache
+    end
+    @cache = ActiveSupport::Cache.lookup_store(
+      :memory_store,
+      size: 5.megabytes,
+      expires_in: 1.hour,
+      race_condition_ttl: 1.second,
+    )
+
     ## Factory Methods
 
     # Login the user with their credentails. Used for proxying the
@@ -23,7 +34,7 @@ def self.user_with_token(token)
       # for the user, set it to nil, fetch from cache and only query if there
       # was a cache-hit (thus user is still nil).
       user = nil
-      user_id = Rails.cache.fetch("auth/#{token}/#{auth.etag}") {
+      user_id = Authenticator.cache.fetch("auth/#{token}/#{auth.etag}") {
         user = self.new(auth.body).to_app_user
         user.id
       }

lib/kracken/controllers/token_authenticatable.rb

@@ -1,6 +1,11 @@
 module Kracken
   module Controllers
     module TokenAuthenticatable
+      # @private
+      def self.cache
+        @cache
+      end
+
       def self.included(base)
         base.define_singleton_method(:realm) do |realm = nil|
           realm ||= (superclass.try(:realm) || 'Application')
@@ -35,13 +40,13 @@ def request_http_token_authentication(realm = 'Application')
 
       def cache_valid_auth(token, force: false, &generate_cache)
         cache_key = TOKEN_AUTH_CACHE_PREFIX + token
-        val = Rails.cache.read(cache_key) unless force
+        val = TokenAuthenticatable.cache.read(cache_key) unless force
         val ||= store_valid_auth(cache_key, &generate_cache)
         shallow_freeze(val)
       end
 
       def clear_auth_cache
-        Rails.cache.delete_matched TOKEN_AUTH_CACHE_PREFIX + "*"
+        TokenAuthenticatable.cache.delete_matched TOKEN_AUTH_CACHE_PREFIX + "*"
       end
 
       def shallow_freeze(val)
@@ -52,7 +57,7 @@ def shallow_freeze(val)
 
       def store_valid_auth(cache_key)
         val = yield
-        Rails.cache.write(cache_key, val, CACHE_TTL_OPTS) if val
+        TokenAuthenticatable.cache.write(cache_key, val, CACHE_TTL_OPTS) if val
         val
       end
 
@@ -63,6 +68,11 @@ def store_valid_auth(cache_key)
         race_condition_ttl: 1.second,
       }.freeze
 
+      @cache = ActiveSupport::Cache.lookup_store(
+        :memory_store,
+        CACHE_TTL_OPTS.merge(size: 5.megabytes),
+      )
+
       # `authenticate_or_request_with_http_token` is a nice Rails helper:
       # http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token/ControllerMethods.html#method-i-authenticate_or_request_with_http_token
       def authenticate_user_with_token!

spec/kracken/controllers/token_authenticatable_spec.rb

@@ -72,7 +72,7 @@ def authenticate_or_request_with_http_token(realm = nil)
             'HTTP_AUTHORIZATION' => "Token token=\"#{cached_token}\""
           }
 
-          Rails.cache.write cache_key, auth_info
+          Controllers::TokenAuthenticatable.cache.write cache_key, auth_info
           stub_const "Kracken::Authenticator", spy("Kracken::Authenticator")
         end
 
@@ -163,7 +163,7 @@ def authenticate_or_request_with_http_token(realm = nil)
           expect {
             a_controller.authenticate_user_with_token!
           }.not_to change {
-            Rails.cache.exist?("auth/token/#{invalid_token}")
+            Controllers::TokenAuthenticatable.cache.exist?("auth/token/#{invalid_token}")
           }.from false
         end
       end
@@ -221,14 +221,16 @@ def authenticate_or_request_with_http_token(realm = nil)
         it "sets the auth info as the cache value" do
           expect {
             a_controller.authenticate_user_with_token!
-          }.to change { Rails.cache.read("auth/token/any token") }.from(nil).to(
+          }.to change {
+            Controllers::TokenAuthenticatable.cache.read("auth/token/any token")
+          }.from(nil).to(
             id: :any_id,
             team_ids: [:some, :team, :ids],
           )
         end
 
         it "sets the cache expiration to one minute by default" do
-          expect(Rails.cache).to receive(:write).with(
+          expect(Controllers::TokenAuthenticatable.cache).to receive(:write).with(
             "auth/token/any token",
             anything,
             include(expires_in: 1.minute),

spec/support/using_cache.rb

@@ -10,5 +10,7 @@
 
   before do
     Rails.cache.clear
+    Kracken::Controllers::TokenAuthenticatable.cache.clear
+    Kracken::Authenticator.cache.clear
   end
 end