author | Robert Newson <rnewson@apache.org> | 2020-03-20 12:32:16 +0000 |
---|---|---|
committer | Robert Newson <rnewson@apache.org> | 2020-03-22 23:16:29 +0000 |
commit | c1e7c5ac2c754a342fb5fd7dc6473c1630ce422c (patch) | |
tree | ac56457ffafeebcfcd43d8cd3dfe5c799b607922 /src/couch/src/couch_httpd_auth.erl | |
parent | 623ae9acbed5f60244cde30fc969e0ffb2792abf (diff) | |
Create in-memory cache of JWT keys
Decoding RSA and EC keys is a little expensive and we don't want to do
it for every single request. Add a cache that is invalidated on config change.
Diffstat (limited to 'src/couch/src/couch_httpd_auth.erl')
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 15 |
1 files changed, 1 insertions, 14 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl index 62fc694e1..86d583c56 100644 --- a/src/couch/src/couch_httpd_auth.erl +++ b/src/couch/src/couch_httpd_auth.erl @@ -193,7 +193,7 @@ jwt_authentication_handler(Req) -> "Bearer " ++ Jwt -> RequiredClaims = get_configured_claims(), AllowedAlgorithms = get_configured_algorithms(), - case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwt_keystore/2) of + case jwtf:decode(?l2b(Jwt), [{alg, AllowedAlgorithms} | RequiredClaims], fun jwtf_keystore:get/2) of {ok, {Claims}} -> case lists:keyfind(<<"sub">>, 1, Claims) of false -> throw({unauthorized, <<"Token missing sub claim.">>}); @@ -213,19 +213,6 @@ get_configured_algorithms() -> get_configured_claims() -> re:split(config:get("jwt_auth", "required_claims", ""), "\s*,\s*", [{return, binary}]). -jwt_keystore(Alg, undefined) -> - jwt_keystore(Alg, "_default"); -jwt_keystore(Alg, KID) -> - Key = config:get("jwt_keys", KID), - case jwtf:verification_algorithm(Alg) of - {hmac, _} -> - Key; - {public_key, _} -> - BinKey = ?l2b(string:replace(Key, "\\n", "\n", all)), - [PEMEntry] = public_key:pem_decode(BinKey), - public_key:pem_entry_decode(PEMEntry) - end. - cookie_authentication_handler(Req) -> cookie_authentication_handler(Req, couch_auth_cache). |
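Review bot: Key selection at the `jwtf:decode` call in `jwt_authentication_handler` now rests entirely on `jwtf_keystore:get/2`, which is outside this file's diff, so nothing visible here shows what the callback does for an unknown `kid` or for a `kid` whose configured key does not fit the token's algorithm family. The removed `jwt_keystore/2` looked keys up by `kid` alone and used the algorithm only to choose between the raw value and PEM decoding; if the cache keeps that shape, its entries should be keyed on both the algorithm type and the `kid`, so a value stored as a PEM public key is never returned as an HMAC secret. Because `kid` is read from the token before the signature is verified, the cache should presumably also avoid storing entries for `kid` values that are absent from the `jwt_keys` config section. A comment at the call site would pin the contract, for example `%% jwtf_keystore:get/2 must fail, not return undefined, on an unknown kid or a key/alg type mismatch`. The handler's body starts and ends outside the hunk.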