
Commit a0b71a2

fix(fac): Verify Token: Change the jwks cache duration from 1 day to 6 hours (#1439)
Change the jwks cache duration (used by the verify token API) from 1 day to 6 hours.
1 parent 894b04a commit a0b71a2


2 files changed

+11
-11
lines changed


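--- a/src/utils/jwt.ts
+++ b/src/utils/jwt.ts
@@ -31,7 +31,7 @@ const JWT_CALLBACK_ERROR_PREFIX = 'error in secret or public key callback: ';
 const NO_MATCHING_KID_ERROR_MESSAGE = 'no-matching-kid-error';
 const NO_KID_IN_HEADER_ERROR_MESSAGE = 'no-kid-in-header-error';
 
-const ONE_DAY_IN_SECONDS = 24 * 3600;
+const HOUR_IN_SECONDS = 3600;
 
 export type Dictionary = { [key: string]: any }
 
@@ -60,7 +60,7 @@ export class JwksFetcher implements KeyFetcher {
 
 this.client = jwks({
 jwksUri: jwksUrl,
-cache: false, // disable jwks-rsa LRU cache as the keys are always cahced for 24 hours.
+cache: false, // disable jwks-rsa LRU cache as the keys are always cached for 6 hours.
 });
 }
 
@@ -84,7 +84,7 @@ export class JwksFetcher implements KeyFetcher {
 map[signingKey.kid] = signingKey.getPublicKey();
 return map;
 }, {});
-this.publicKeysExpireAt = Date.now() + (ONE_DAY_IN_SECONDS * 1000);
+this.publicKeysExpireAt = Date.now() + (HOUR_IN_SECONDS * 6 * 1000);
 this.publicKeys = newKeys;
 return newKeys;
 }).catch((err) => {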
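Review bot: The six-hour lifetime is now spelled out in two places that can drift apart, the `cache: false` comment and the inline `HOUR_IN_SECONDS * 6 * 1000` in the expiry assignment; a single named constant, e.g. `const JWKS_CACHE_DURATION_MS = 6 * HOUR_IN_SECONDS * 1000;`, used as `this.publicKeysExpireAt = Date.now() + JWKS_CACHE_DURATION_MS;`, would keep them together. That constant is also the natural place to document the security trade-off: a key withdrawn from the JWKS endpoint can still verify tokens until the cached set expires, so this value is the worst-case window for honouring a removed key. Whether a token carrying an unknown `kid` triggers an early refetch is not visible here, since the constructor and the fetch method both start and end outside these hunks.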

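--- a/test/unit/utils/jwt.spec.ts
+++ b/test/unit/utils/jwt.spec.ts
@@ -33,7 +33,7 @@ import {
 const expect = chai.expect;
 
 const ONE_HOUR_IN_SECONDS = 60 * 60;
-const ONE_DAY_IN_SECONDS = 86400;
+const SIX_HOURS_IN_SECONDS = ONE_HOUR_IN_SECONDS * 6;
 const publicCertPath = '/robot/v1/metadata/x509/[email protected]';
 const jwksPath = '/v1alpha/jwks';
 
@@ -709,24 +709,24 @@ describe('JwksFetcher', () => {
 
 return keyFetcher.fetchPublicKeys().then(() => {
 expect(https.request).to.have.been.calledOnce;
-clock!.tick((ONE_DAY_IN_SECONDS - 1) * 1000);
+clock!.tick((SIX_HOURS_IN_SECONDS - 1) * 1000);
 return keyFetcher.fetchPublicKeys();
 }).then(() => {
 expect(https.request).to.have.been.calledOnce;
-clock!.tick(ONE_DAY_IN_SECONDS * 1000); // 24 hours in milliseconds
+clock!.tick(SIX_HOURS_IN_SECONDS * 1000); // 6 hours in milliseconds
 return keyFetcher.fetchPublicKeys();
 }).then(() => {
-// App check keys do not contain cache headers so we cache the keys for 24 hours.
-// 24 hours has passed
+// App check keys do not contain cache headers so we cache the keys for 6 hours.
+// 6 hours has passed
 expect(https.request).to.have.been.calledTwice;
-clock!.tick((ONE_DAY_IN_SECONDS - 1) * 1000);
+clock!.tick((SIX_HOURS_IN_SECONDS - 1) * 1000);
 return keyFetcher.fetchPublicKeys();
 }).then(() => {
 expect(https.request).to.have.been.calledTwice;
-clock!.tick(ONE_DAY_IN_SECONDS * 1000);
+clock!.tick(SIX_HOURS_IN_SECONDS * 1000);
 return keyFetcher.fetchPublicKeys();
 }).then(() => {
-// 48 hours have passed
+// 12 hours have passed
 expect(https.request).to.have.been.calledThrice;
 });
 });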
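Review bot: The expiry boundary is not pinned by this test, because each `clock!.tick(SIX_HOURS_IN_SECONDS * 1000)` follows a tick of `(SIX_HOURS_IN_SECONDS - 1) * 1000`, so the refetch is only asserted almost 12 hours after the previous fetch and any cache lifetime between 6 and roughly 12 hours would still pass. Advancing just past the boundary instead, e.g. `clock!.tick(2 * 1000); // cross the 6-hour expiry`, would make the test fail if the key lifetime is lengthened again. The comments `// 6 hours has passed` and `// 12 hours have passed` also understate the elapsed clock time (about 12 and 24 hours at those points) and should be corrected together with the ticks. The `it` block starts outside the hunk.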
