refactor: Remove JWKClient and use RWMutex to protect keys in cache

KShivendu · KShivendu · commit 11a8ae02da9c · 2023-06-14T13:43:42.000+05:30
diff --git a/supertokens_python/recipe/session/access_token.py b/supertokens_python/recipe/session/access_token.py
@@ -42,12 +42,11 @@ def sanitize_number(n: Any) -> Union[Union[int, float], None]:
     return None
 
 
-from supertokens_python.recipe.session.jwks import JWKClient
+from supertokens_python.recipe.session.jwks import get_latest_keys
 
 
 def get_info_from_access_token(
     jwt_info: ParsedJWTInfo,
-    jwk_client: JWKClient,
     do_anti_csrf_check: bool,
 ):
     try:
@@ -59,19 +58,17 @@ def get_info_from_access_token(
         )
 
         if jwt_info.version >= 3:
-            matching_key = jwk_client.get_matching_key_from_jwt(
-                jwt_info.raw_token_string
-            )
+            matching_keys = get_latest_keys(jwt_info.kid)
             payload = jwt.decode(  # type: ignore
                 jwt_info.raw_token_string,
-                matching_key.key,  # type: ignore
+                matching_keys[0].key,  # type: ignore
                 algorithms=[decode_algo],
                 options={"verify_signature": True, "verify_exp": True},
             )
         else:
             # It won't have kid. So we'll have to try the token against all the keys from all the jwk_clients
             # If any of them work, we'll use that payload
-            for k in jwk_client.get_latest_keys():
+            for k in get_latest_keys():
                 try:
                     payload = jwt.decode(  # type: ignore
                         jwt_info.raw_token_string,
diff --git a/supertokens_python/recipe/session/constants.py b/supertokens_python/recipe/session/constants.py
@@ -33,7 +33,7 @@
 
 available_token_transfer_methods: List[TokenTransferMethod] = ["cookie", "header"]
 
-JWKCacheMaxAgeInMs = 60 * 1000  # 1min
+JWKCacheMaxAgeInMs = 6 * 1000  # 6s
 JWKRequestCooldownInMs = 500  # 0.5s
 protected_props = [
     "sub",
diff --git a/supertokens_python/recipe/session/interfaces.py b/supertokens_python/recipe/session/interfaces.py
@@ -36,7 +36,6 @@
 
 if TYPE_CHECKING:
     from supertokens_python.framework import BaseRequest
-    from .jwks import JWKClient
 
 from supertokens_python.framework import BaseResponse
 
@@ -128,8 +127,6 @@ class GetSessionTokensDangerouslyDict(TypedDict):
 
 
 class RecipeInterface(ABC):  # pylint: disable=too-many-public-methods
-    JWK_clients: List[JWKClient] = []
-
     def __init__(self):
         pass
 
diff --git a/supertokens_python/recipe/session/jwks.py b/supertokens_python/recipe/session/jwks.py
@@ -1,106 +1,133 @@
-import json
+# Copyright (c) 2023, VRAI Labs and/or its affiliates. All rights reserved.
+#
+# This software is licensed under the Apache License, Version 2.0 (the
+# "License") as published by the Apache Software Foundation.
+#
+# You may not use this file except in compliance with the License. You may
+# obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
 import requests
+from os import environ
 from typing import List, Optional
+from typing_extensions import TypedDict
 
 from jwt import PyJWK, PyJWKSet
-from jwt.api_jwt import decode_complete as decode_token  # type: ignore
-
-from supertokens_python.utils import get_timestamp_ms
 
 from .constants import JWKCacheMaxAgeInMs, JWKRequestCooldownInMs
 
+from supertokens_python.utils import RWMutex, RWLockContext, get_timestamp_ms
+from supertokens_python.querier import Querier
 from supertokens_python.logger import log_debug_message
 
 
-class JWKClient:
-    def __init__(
-        self,
-        uri: str,
-        cooldown_duration: int = JWKRequestCooldownInMs,
-        cache_max_age: int = JWKCacheMaxAgeInMs,
-    ):
-        """A client for retrieving JSON Web Key Sets (JWKS) from a given URI.
-
-        Args:
-            uri (str): The URI of the JWKS.
-            cooldown_duration (int, optional): The cooldown duration in ms. Defaults to 500 seconds.
-            cache_max_age (int, optional): The cache max age in ms. Defaults to 5 minutes.
-
-        Note: The JSON Web Key Set is fetched when no key matches the selection
-        process but only as frequently as the `self.cooldown_duration` option
-        allows to prevent abuse. The `self.cache_max_age` option is used to
-        determine how long the JWKS is cached for.
-
-        Whenever you make a call to `get_signing_key_from_jwt`, the JWKS
-        is fetched if it is older than `self.cache_max_age` ms unless
-        cooldown is active.
-        """
-        self.uri = uri
-        self.cooldown_duration = cooldown_duration
-        self.cache_max_age = cache_max_age
-        self.timeout_sec = 5
-        self.last_fetch_time: int = 0
-        self.cached_jwks: Optional[PyJWKSet] = None
-
-    def fetch(self):
-        try:
-            log_debug_message("Fetching jwk set from the configured uri")
-            with requests.get(self.uri, timeout=self.timeout_sec) as response:
-                response.raise_for_status()
-                self.cached_jwks = PyJWKSet.from_dict(json.load(response))  # type: ignore
-                self.last_fetch_time = get_timestamp_ms()
-        except requests.HTTPError:
-            raise JWKSRequestError("Failed to fetch jwk set from the configured uri")
-
-    def is_cooling_down(self) -> bool:
-        return (self.last_fetch_time > 0) and (
-            get_timestamp_ms() - self.last_fetch_time < self.cooldown_duration
-        )
+class JWKSConfigType(TypedDict):
+    cache_max_age: int
+    refresh_rate_limit: int
+    request_timeout: int
+
+
+JWKSConfig: JWKSConfigType = {
+    "cache_max_age": JWKCacheMaxAgeInMs,
+    "refresh_rate_limit": JWKRequestCooldownInMs,  # FIXME: Not used
+    "request_timeout": 5000, # 5s
+}
 
-    def is_fresh(self) -> bool:
-        return (self.last_fetch_time > 0) and (
-            get_timestamp_ms() - self.last_fetch_time < self.cache_max_age
+
+class CachedKeys:
+    def __init__(self, path: str, keys: List[PyJWK]):
+        self.path = path
+        self.keys = keys
+        self.last_refresh_time = get_timestamp_ms()
+
+    def is_fresh(self):
+        return (
+            get_timestamp_ms() - self.last_refresh_time < JWKSConfig["cache_max_age"]
         )
 
-    def get_latest_keys(self) -> List[PyJWK]:
-        if self.cached_jwks is None or not self.is_fresh():
-            self.fetch()
 
-        if self.cached_jwks is None:
-            raise JWKSRequestError("Failed to fetch the latest keys")
+cached_keys: Optional[CachedKeys] = None
+mutex = RWMutex()
 
-        all_keys: List[PyJWK] = self.cached_jwks.keys  # type: ignore
+# only for testing purposes
+def reset_jwks_cache():
+    with RWLockContext(mutex, read=False):
+        global cached_keys
+        cached_keys = None
 
-        return all_keys
 
-    def get_matching_key_from_jwt(self, token: str) -> PyJWK:
-        header = decode_token(token, options={"verify_signature": False})["header"]
-        kid: str = header["kid"]  # type: ignore
+def get_cached_keys() -> Optional[CachedKeys]:
+    with RWLockContext(mutex, read=True):
+        if cached_keys is not None:
+            # This means that we have valid JWKs for the given core path
+            # We check if we need to refresh before returning
 
-        if self.cached_jwks is None or not self.is_fresh():
-            self.fetch()
+            # This means that the value in cache is not expired, in this case we return the cached value
+            # Note that this also means that the SDK will not try to query any other core (if there are multiple)
+            # if it has a valid cache entry from one of the core URLs. It will only attempt to fetch
+            # from the cores again after the entry in the cache is expired
+            if cached_keys.is_fresh():
+                if environ.get("SUPERTOKENS_ENV") == "testing":
+                    log_debug_message("Returning JWKS from cache")
+                return cached_keys
 
-        assert self.cached_jwks is not None
+        return None
 
-        try:
-            return self.cached_jwks[kid]  # type: ignore
-        except KeyError:
-            if not self.is_cooling_down():
-                # One more attempt to fetch the latest keys
-                # and then try to find the key again.
-                self.fetch()
-                try:
-                    return self.cached_jwks[kid]  # type: ignore
-                except KeyError:
-                    pass
-        except Exception:
-            raise JWKSKeyNotFoundError("No key found for the given kid")
 
-        raise JWKSKeyNotFoundError("No key found for the given kid")
+def get_latest_keys(kid: Optional[str] = None) -> List[PyJWK]:
+    global cached_keys
 
+    if environ.get("SUPERTOKENS_ENV") == "testing":
+        log_debug_message("Called find_jwk_client")
 
-class JWKSKeyNotFoundError(Exception):
-    pass
+    keys_from_cache = get_cached_keys()
+    if keys_from_cache is not None:
+        if kid is None:
+            # return all keys since the token does not have a kid
+            return keys_from_cache.keys
+
+        # kid has been provided so filter the keys
+        matching_keys = [key for key in keys_from_cache.keys if key.key_id == kid]  # type: ignore
+        if len(matching_keys) > 0:
+            return matching_keys
+        # otherwise unknown kid, will continue to reload the keys
+
+    core_paths = Querier.get_instance().get_all_core_urls_for_path(
+        "./.well-known/jwks.json"
+    )
+
+    if len(core_paths) == 0:
+        raise Exception(
+            "No SuperTokens core available to query. Please pass supertokens > connection_uri to the init function, or override all the functions of the recipe you are using."
+        )
+
+    last_error: Exception = Exception("No valid JWKS found")
+
+    with RWLockContext(mutex, read=False):
+        for path in core_paths:
+            if environ.get("SUPERTOKENS_ENV") == "testing":
+                log_debug_message("Attempting to fetch JWKS from path: %s", path)
+
+            cached_jwks: Optional[List[PyJWK]] = None
+            try:
+                log_debug_message("Fetching jwk set from the configured uri")
+                with requests.get(path, timeout=JWKSConfig['request_timeout']/1000) as response:  # 5 second timeout
+                    response.raise_for_status()
+                    cached_jwks = PyJWKSet.from_dict(response.json()).keys  # type: ignore
+            except Exception as e:
+                last_error = e
+
+            if cached_jwks is not None:  # we found a valid JWKS
+                cached_keys = CachedKeys(path, cached_jwks)
+                log_debug_message("Returning JWKS from fetch")
+                return cached_keys.keys
+
+    raise last_error
 
 
 class JWKSRequestError(Exception):
diff --git a/supertokens_python/recipe/session/recipe_implementation.py b/supertokens_python/recipe/session/recipe_implementation.py
@@ -18,7 +18,7 @@
 
 from supertokens_python.logger import log_debug_message
 from supertokens_python.normalised_url_path import NormalisedURLPath
-from supertokens_python.utils import resolve, RWMutex, RWLockContext
+from supertokens_python.utils import resolve
 
 from ...types import MaybeAwaitable
 from . import session_functions
@@ -38,7 +38,6 @@
     SessionInformationResult,
     SessionObj,
 )
-from .jwks import JWKClient
 from .jwt import ParsedJWTInfo, parse_jwt_without_signature_verification
 from .session_class import Session
 from .utils import SessionConfig, validate_claims_in_payload
@@ -51,90 +50,6 @@
 from supertokens_python.querier import Querier
 
 
-from typing_extensions import TypedDict
-from os import environ
-
-
-class JWKSConfigType(TypedDict):
-    cache_max_age: int
-    refresh_rate_limit: int
-
-
-JWKSConfig: JWKSConfigType = {
-    "cache_max_age": 6000,
-    "refresh_rate_limit": 500,
-}
-
-cached_jwk_client: Optional[JWKClient] = None
-mutex = RWMutex()
-
-# only for testing purposes
-def reset_jwks_cache():
-    with RWLockContext(mutex, read=False):
-        global cached_jwk_client
-        cached_jwk_client = None
-
-
-def get_jwk_client_from_cache() -> Optional[JWKClient]:
-    with RWLockContext(mutex, read=True):
-        if cached_jwk_client is not None:
-            # This means that we have valid JWKs for the given core path
-            # We check if we need to refresh before returning
-
-            # This means that the value in cache is not expired, in this case we return the cached value
-            # Note that this also means that the SDK will not try to query any other Core (if there are multiple)
-            # if it has a valid cache entry from one of the core URLs. It will only attempt to fetch
-            # from the cores again after the entry in the cache is expired
-            if cached_jwk_client.is_fresh():
-                if environ.get("SUPERTOKENS_ENV") == "testing":
-                    log_debug_message("Returning JWKS from cache")
-                return cached_jwk_client
-
-        return None
-
-
-def find_jwk_client() -> JWKClient:
-    global cached_jwk_client
-
-    if environ.get("SUPERTOKENS_ENV") == "testing":
-        log_debug_message("Called find_jwk_client")
-
-    core_paths = Querier.get_instance().get_all_core_urls_for_path(
-        "./.well-known/jwks.json"
-    )
-
-    if len(core_paths) == 0:
-        raise Exception(
-            "No SuperTokens core available to query. Please pass supertokens > connection_uri to the init function, or override all the functions of the recipe you are using."
-        )
-
-    client_from_cache = get_jwk_client_from_cache()
-    if client_from_cache is not None:
-        return client_from_cache
-
-    last_error: Exception = Exception("No valid JWKS found")
-
-    with RWLockContext(mutex, read=False):
-        for path in core_paths:
-            if environ.get("SUPERTOKENS_ENV") == "testing":
-                log_debug_message("Attempting to fetch JWKS from path: %s", path)
-
-            client = JWKClient(
-                path, JWKSConfig["refresh_rate_limit"], JWKSConfig["cache_max_age"]
-            )
-            try:
-                client.fetch()
-            except Exception as e:
-                last_error = e
-
-            if client.cached_jwks is not None:  # we found a valid JWKS
-                cached_jwk_client = client
-                log_debug_message("Returning JWKS from fetch")
-                return cached_jwk_client
-
-    raise last_error
-
-
 class RecipeImplementation(RecipeInterface):  # pylint: disable=too-many-public-methods
     def __init__(self, querier: Querier, config: SessionConfig, app_info: AppInfo):
         super().__init__()
diff --git a/supertokens_python/recipe/session/session_functions.py b/supertokens_python/recipe/session/session_functions.py
@@ -150,14 +150,8 @@ async def get_session(
     access_token_info: Optional[Dict[str, Any]] = None
 
     try:
-        from supertokens_python.recipe.session.recipe_implementation import (
-            find_jwk_client,
-        )
-
-        jwk_client = find_jwk_client()
         access_token_info = get_info_from_access_token(
             parsed_access_token,
-            jwk_client,
             config.anti_csrf == "VIA_TOKEN" and do_anti_csrf_check,
         )
 
diff --git a/tests/sessions/test_access_token_v3.py b/tests/sessions/test_access_token_v3.py
diff --git a/tests/sessions/test_jwks.py b/tests/sessions/test_jwks.py
