fix: set jwks_cached_at

Author: kangmingtay

src/GoTrueClient.ts

@@ -6,6 +6,7 @@ import {
   AUTO_REFRESH_TICK_THRESHOLD,
   GOTRUE_URL,
   STORAGE_KEY,
+  JWKS_TTL,
 } from './lib/constants'
 import {
   AuthError,
@@ -150,6 +151,7 @@ export default class GoTrueClient {
    * The JWKS used for verifying asymmetric JWTs
    */
   protected jwks: { keys: JWK[] }
+  protected jwks_cached_at: number
   protected autoRefreshToken: boolean
   protected persistSession: boolean
   protected storage: SupportedStorage
@@ -230,6 +232,7 @@ export default class GoTrueClient {
       this.lock = lockNoOp
     }
     this.jwks = { keys: [] }
+    this.jwks_cached_at = Number.MIN_SAFE_INTEGER
     this.mfa = {
       verify: this._verify.bind(this),
       enroll: this._enroll.bind(this),
@@ -2607,7 +2610,9 @@ export default class GoTrueClient {
 
     // try fetching from cache
     jwk = this.jwks.keys.find((key) => key.kid === kid)
-    if (jwk) {
+
+    // jwk exists and jwks isn't stale
+    if (jwk && Date.now() - JWKS_TTL < this.jwks_cached_at) {
       return jwk
     }
     // jwk isn't cached in memory so we need to fetch it from the well-known endpoint
@@ -2621,6 +2626,7 @@ export default class GoTrueClient {
       throw new AuthInvalidJwtError('JWKS is empty')
     }
     this.jwks = data
+    this.jwks_cached_at = Date.now()
     // Find the signing key
     jwk = data.keys.find((key: any) => key.kid === kid)
     if (!jwk) {

src/lib/constants.ts

@@ -30,3 +30,5 @@ export const API_VERSIONS = {
 }
 
 export const BASE64URL_REGEX = /^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)$/i
+
+export const JWKS_TTL = 600000 // 10 minutes

test/GoTrueClient.test.ts

@@ -13,11 +13,10 @@ import {
   authAdminApiAutoConfirmEnabledClient,
   GOTRUE_URL_SIGNUP_ENABLED_AUTO_CONFIRM_ON,
   authClient,
-  authClientWithAsymmetricSession,
   GOTRUE_URL_SIGNUP_ENABLED_ASYMMETRIC_AUTO_CONFIRM_ON,
 } from './lib/clients'
 import { mockUserCredentials } from './lib/utils'
-import { Session } from '../src'
+import { JWK, Session } from '../src'
 
 describe('GoTrueClient', () => {
   // @ts-expect-error 'Allow access to private _refreshAccessToken'
@@ -1149,3 +1148,55 @@ describe('GoTrueClient with storageisServer = true', () => {
     expect(store.getItem('test-storage-key')).toEqual(JSON.stringify(newSession))
   })
 })
+
+describe('fetchJwk', () => {
+  let fetchedUrls: any[] = []
+
+  const cases = [
+    {
+      desc: 'jwk exists but cache is stale',
+      jwks: { keys: [{ kid: '123', kty: 'RSA', key_ops: ['verify'] }] },
+      jwksCachedAt: Number.MIN_SAFE_INTEGER,
+      fetchedUrlsLength: 1,
+    },
+    {
+      desc: 'jwk does not exist and cache is stale',
+      jwks: { keys: [{ kid: '234', kty: 'RSA', key_ops: ['verify'] }] },
+      jwksCachedAt: Number.MIN_SAFE_INTEGER,
+      fetchedUrlsLength: 1,
+    },
+    {
+      desc: 'jwk exists in cache',
+      jwks: { keys: [{ kid: '123', kty: 'RSA', key_ops: ['verify'] }] },
+      jwksCachedAt: Number.MAX_SAFE_INTEGER,
+      fetchedUrlsLength: 0,
+    },
+    {
+      desc: 'jwk does not exist in cache',
+      jwks: { keys: [{ kid: '234', kty: 'RSA', key_ops: ['verify'] }] },
+      jwksCachedAt: Number.MAX_SAFE_INTEGER,
+      fetchedUrlsLength: 1,
+    },
+  ]
+
+  beforeEach(() => {
+    fetchedUrls = []
+  })
+
+  cases.forEach((c) => {
+    test(`${c.desc}`, async () => {
+      // override fetch to return a hard-coded JWKS
+      authWithAsymmetricSession['fetch'] = async (url: RequestInfo | URL, _options = {}) => {
+        fetchedUrls.push(url)
+        return new Response(
+          JSON.stringify({ keys: [{ kid: '123', kty: 'RSA', key_ops: ['verify'] }] })
+        )
+      }
+      authWithAsymmetricSession['jwks'] = c.jwks as { keys: JWK[] }
+      authWithAsymmetricSession['jwks_cached_at'] = c.jwksCachedAt
+      // @ts-ignore 'Allow access to private fetchJwk'
+      await authWithAsymmetricSession.fetchJwk('123')
+      expect(fetchedUrls).toHaveLength(c.fetchedUrlsLength)
+    })
+  })
+})