Merging to release-5.11: [TT-16468] Using a JWKS URL causes memory leak in gateway 5.11 (#7703) (#7707)

probelabs[bot] · Tyk Bot · buraksezer · web-flow · commit 927cc49310eb · 2026-01-28T15:11:59.000Z
Cherry-pick of `60367d7374d7c3fe1d2eb0d65f1439be77a42533` from `master` to `release-5.11` requires manual resolution. **Conflicts detected:** 3 - gateway/mw_jwt_test.go Tips: - Check out this branch locally and run: `git cherry-pick -x 60367d7` - Resolve conflicts (including submodules if any), then push back to this branch. Original commit: 60367d7 --------- Co-authored-by: Tyk Bot <bot@tyk.io> Co-authored-by: Burak Sezer <burak.sezer.developer@gmail.com>
diff --git a/README.md b/README.md
@@ -193,6 +193,6 @@ To write your own test please use this guide [https://github.com/TykTechnologies
 
 ## Contributing
 
-For more information about contributing PRs and issues, see [CONTRIBUTING.md](https://github.com/TykTechnologies/tyk/blob/master/CONTRIBUTING.md).
+For more information about contributing PRs and issues, see [CONTRIBUTING.md](https://github.com/TykTechnologies/tyk/blob/master/CONTRIBUTING.md)
 
 —
diff --git a/gateway/mw_jwt.go b/gateway/mw_jwt.go
@@ -76,7 +76,8 @@ func (k *JWTMiddleware) Init() {
 		go func() {
 			k.Logger().Debug("Pre-fetching JWKs asynchronously")
 			// Drop the previous cache for the API ID
-			JWKCaches.Delete(k.Spec.APIID)
+			deleteJWKCacheByAPIID(k.Spec.APIID)
+
 			jwkCache := loadOrCreateJWKCacheByApiID(k.Spec.APIID)
 
 			// Create client factory for JWK fetching
@@ -114,8 +115,16 @@ func (k *JWTMiddleware) Unload() {
 	// Init tries to clean the cache for the API ID when it starts
 	spec := k.Gw.getApiSpec(k.Spec.APIID)
 	if spec == nil {
-		// Drop the cache for API ID if it's removed from Tyk
-		JWKCaches.Delete(k.Spec.APIID)
+		// delete the cache from the global map and stop its janitor.
+		deleteJWKCacheByAPIID(k.Spec.APIID)
+	}
+}
+
+func deleteJWKCacheByAPIID(apiID string) {
+	if existing, ok := JWKCaches.LoadAndDelete(apiID); ok {
+		if repo, ok := existing.(cache.Repository); ok {
+			repo.Close()
+		}
 	}
 }
 
@@ -128,10 +137,22 @@ func (k *JWTMiddleware) loadOrCreateJWKCache() cache.Repository {
 }
 
 func loadOrCreateJWKCacheByApiID(apiID string) cache.Repository {
-	raw, _ := JWKCaches.LoadOrStore(apiID, cache.New(240, 30))
+	if raw, ok := JWKCaches.Load(apiID); ok {
+		if jwkCache, ok := raw.(cache.Repository); ok {
+			return jwkCache
+		}
+	}
+
+	newCache := cache.New(240, 30)
+	raw, loaded := JWKCaches.LoadOrStore(apiID, newCache)
+
+	// If another goroutine won the race, close the unused cache
+	if loaded {
+		newCache.Close()
+	}
+
 	jwkCache, ok := raw.(cache.Repository)
 	if !ok {
-		// This should not be possible
 		panic("JWKCache instance must implement cache.Repository")
 	}
 	return jwkCache
@@ -1594,15 +1615,8 @@ func getUserIDFromClaim(claims jwt.MapClaims, identityBaseField string, shouldFa
 }
 
 func invalidateJWKSCacheByAPIID(apiID string) {
-	raw, ok := JWKCaches.Load(apiID)
-	if ok {
-		jwkCache, interfaceOK := raw.(cache.Repository)
-		if !interfaceOK {
-			panic("JWKCache must implement cache.Repository")
-		}
-		jwkCache.Flush()
-		mainLog.Debugf("JWKS cache for API: %s has been flushed", apiID)
-	}
+	deleteJWKCacheByAPIID(apiID)
+	mainLog.Debugf("JWKS cache for API: %s has been invalidated", apiID)
 }
 
 func (gw *Gateway) invalidateJWKSCacheForAPIID(w http.ResponseWriter, r *http.Request) {
@@ -1614,7 +1628,13 @@ func (gw *Gateway) invalidateJWKSCacheForAPIID(w http.ResponseWriter, r *http.Re
 }
 
 func (gw *Gateway) invalidateJWKSCacheForAllAPIs(w http.ResponseWriter, _ *http.Request) {
-	JWKCaches.Clear()
+	JWKCaches.Range(func(key, _ any) bool {
+		apiID, ok := key.(string)
+		if ok {
+			deleteJWKCacheByAPIID(apiID)
+		}
+		return true
+	})
 
 	doJSONWrite(w, http.StatusOK, apiOk("cache invalidated"))
 }
diff --git a/gateway/mw_jwt_test.go b/gateway/mw_jwt_test.go
@@ -5022,3 +5022,23 @@ func TestJWT_TraditionalAuth_ExistingSessionNoPolicyInToken(t *testing.T) {
 		})
 	})
 }
+
+func TestDeleteJWKCacheByAPIID(t *testing.T) {
+	apiID := "test-api-" + uuid.NewHex()
+
+	// Create and populate a cache
+	jwkCache := loadOrCreateJWKCacheByApiID(apiID)
+	jwkCache.Set("test-key", "test-value", 0)
+
+	// Verify the cache has items before deletion
+	assert.Equal(t, 1, jwkCache.Count())
+
+	deleteJWKCacheByAPIID(apiID)
+
+	// Verify cache is removed from the JWKCaches map
+	_, exists := JWKCaches.Load(apiID)
+	assert.False(t, exists, "cache should be removed from JWKCaches")
+
+	// Verify cache contents are flushed (Close calls Flush)
+	assert.Equal(t, 0, jwkCache.Count(), "cache items should be flushed after Close()")
+}
diff --git a/internal/cache/janitor.go b/internal/cache/janitor.go
@@ -1,20 +1,22 @@
 package cache
 
 import (
+	"sync"
 	"time"
 )
 
 // Janitor is responsible for performing periodic cleanup operations.
 type Janitor struct {
 	Interval time.Duration
-	stop     chan bool
+	stop     chan struct{}
+	once     sync.Once
 }
 
 // NewJanitor returns a new Janitor that performs cleanup at the specified interval.
 func NewJanitor(interval time.Duration, cleanup func()) *Janitor {
 	janitor := &Janitor{
 		Interval: interval,
-		stop:     make(chan bool, 1),
+		stop:     make(chan struct{}),
 	}
 
 	go janitor.Run(cleanup)
@@ -32,13 +34,15 @@ func (j *Janitor) Run(cleanup func()) {
 		case <-ticker.C:
 			cleanup()
 		case <-j.stop:
-			close(j.stop)
 			return
 		}
 	}
 }
 
 // Close stops the janitor from performing further cleanup operations.
+// It is safe to call Close multiple times.
 func (j *Janitor) Close() {
-	j.stop <- true
+	j.once.Do(func() {
+		close(j.stop)
+	})
 }
diff --git a/internal/cache/janitor_test.go b/internal/cache/janitor_test.go
@@ -1,6 +1,7 @@
 package cache
 
 import (
+	"sync"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -31,3 +32,40 @@ func TestJanitor(t *testing.T) {
 
 	assert.NotEqual(t, int32(0), finalCount, "Expected cleanup() called")
 }
+
+func TestJanitor_MultipleClose(t *testing.T) {
+	cleanup := func() {}
+
+	t.Run("Multiple sequential calls to Close should not panic or block.", func(t *testing.T) {
+		janitor := NewJanitor(10*time.Millisecond, cleanup)
+
+		janitor.Close()
+		janitor.Close()
+		janitor.Close()
+	})
+
+	t.Run("Multiple concurrent calls to Close should not panic or block", func(t *testing.T) {
+		janitor := NewJanitor(10*time.Millisecond, cleanup)
+
+		var wg sync.WaitGroup
+		for i := 0; i < 10; i++ {
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				janitor.Close()
+			}()
+		}
+
+		done := make(chan struct{})
+		go func() {
+			wg.Wait()
+			close(done)
+		}()
+
+		select {
+		case <-done:
+		case <-time.After(time.Second):
+			assert.Fail(t, "Close() blocked or deadlocked")
+		}
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -1,20 +1,22 @@`
`1`	`1`	`package cache`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "sync"`
`4`	`5`	`"time"`
`5`	`6`	`)`
`6`	`7`
`7`	`8`	`// Janitor is responsible for performing periodic cleanup operations.`
`8`	`9`	`type Janitor struct {`
`9`	`10`	`Interval time.Duration`
`10`		`- stop chan bool`
	`11`	`+ stop chan struct{}`
	`12`	`+ once sync.Once`
`11`	`13`	`}`
`12`	`14`
`13`	`15`	`// NewJanitor returns a new Janitor that performs cleanup at the specified interval.`
`14`	`16`	`func NewJanitor(interval time.Duration, cleanup func()) *Janitor {`
`15`	`17`	`janitor := &Janitor{`
`16`	`18`	`Interval: interval,`
`17`		`- stop: make(chan bool, 1),`
	`19`	`+ stop: make(chan struct{}),`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`go janitor.Run(cleanup)`
`@@ -32,13 +34,15 @@ func (j *Janitor) Run(cleanup func()) {`
`32`	`34`	`case <-ticker.C:`
`33`	`35`	`cleanup()`
`34`	`36`	`case <-j.stop:`
`35`		`- close(j.stop)`
`36`	`37`	`return`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`// Close stops the janitor from performing further cleanup operations.`
	`43`	`+// It is safe to call Close multiple times.`
`42`	`44`	`func (j *Janitor) Close() {`
`43`		`- j.stop <- true`
	`45`	`+ j.once.Do(func() {`
	`46`	`+ close(j.stop)`
	`47`	`+ })`
`44`	`48`	`}`