cache introspected tokens

Author: elfkuzco

backend/src/zimfarm_backend/api/token.py

@@ -1,4 +1,6 @@
 import datetime
+import hashlib
+from dataclasses import dataclass
 
 import jwt
 from ory_client.api.o_auth2_api import OAuth2Api as OryOAuth2Api
@@ -16,14 +18,70 @@
     KIWIX_ISSUER,
     ORY_ACCESS_TOKEN,
 )
+from zimfarm_backend.common import getnow
 
 _ory_client_configuration = OryClientConfiguration(
     host=KIWIX_ISSUER, access_token=ORY_ACCESS_TOKEN
 )
 
 
+@dataclass
+class _CachedToken:
+    """Cached introspected token with expiration time."""
+
+    introspected_token: IntrospectedOAuth2Token
+    expires_at: datetime.datetime
+
+
+# Cache to store introspected tokens with their expiration time
+# Key is SHA256 hash of the token, value is _CachedToken
+_introspection_token_cache: dict[str, _CachedToken] = {}
+
+
+def _hash_token(token: str) -> str:
+    """Hash token for use as cache key to avoid storing raw tokens in memory."""
+    return hashlib.sha256(token.encode()).hexdigest()
+
+
+def _is_cache_entry_valid(cached: _CachedToken) -> bool:
+    """Check if a cached token entry is still valid (not expired)."""
+    return getnow() < cached.expires_at
+
+
+def _get_cached_introspection_token(token: str) -> IntrospectedOAuth2Token | None:
+    """Get cached introspection result if available and not expired."""
+    token_hash = _hash_token(token)
+    if cached := _introspection_token_cache.get(token_hash):
+        if _is_cache_entry_valid(cached):
+            return cached.introspected_token
+        # Remove expired entry
+        del _introspection_token_cache[token_hash]
+    return None
+
+
+def _cache_introspection_token(token: str, introspected_token: IntrospectedOAuth2Token):
+    """Cache an introspected token with TTL based on its expiration time."""
+    token_hash = _hash_token(token)
+    # Use token's exp time if available, otherwise cache for a short duration
+    if introspected_token.exp:
+        # exp is a Unix timestamp (seconds since epoch)
+        expires_at = datetime.datetime.fromtimestamp(introspected_token.exp)
+        _introspection_token_cache[token_hash] = _CachedToken(
+            introspected_token=introspected_token,
+            expires_at=expires_at,
+        )
+
+
 def verify_kiwix_access_token(token: str) -> IntrospectedOAuth2Token:
-    """Verify a Kiwix access token by calling introspection endpoint."""
+    """Verify a Kiwix access token by calling introspection endpoint.
+
+    Results are cached based on token expiration time to reduce API calls.
+    """
+    # Check cache first
+    if cached_token := _get_cached_introspection_token(token):
+        return cached_token
+
+    # Cache miss - perform introspection
     with OryApiClient(_ory_client_configuration) as api_client:
         api_instance = OryOAuth2Api(api_client)
         try:
@@ -37,6 +95,10 @@ def verify_kiwix_access_token(token: str) -> IntrospectedOAuth2Token:
             raise ValueError("Kiwix access token issuer is not valid")
         if KIWIX_CLIENT_ID != introspected_token.client_id:
             raise ValueError("Kiwix access token client ID is not valid")
+
+        # Cache the successful introspection result
+        _cache_introspection_token(token, introspected_token)
+
         return introspected_token
 
 

frontend-ui/src/components/UpdateUser.vue

@@ -26,7 +26,17 @@
                 hide-details
               />
             </v-col>
-            <v-col cols="12" sm="6" md="4" class="d-flex align-end">
+            <v-col cols="12" sm="6" md="4">
+              <v-text-field
+                v-model="form.idp_sub"
+                label="IDP Sub (UUID)"
+                placeholder="00000000-0000-0000-0000-000000000000"
+                variant="outlined"
+                density="compact"
+                hide-details
+              />
+            </v-col>
+            <v-col cols="12" sm="12" md="4" class="d-flex align-end">
               <v-btn type="submit" color="primary" variant="elevated" :disabled="!payload" block>
                 Update User
               </v-btn>
@@ -167,6 +177,7 @@ interface Props {
     email: string
     role?: string
     scope?: Record<string, Record<string, boolean>>
+    idp_sub?: string
   }
 }
 
@@ -179,6 +190,7 @@ const emit = defineEmits<{
       role?: (typeof constants.ROLES)[number]
       email?: string
       scope?: Record<string, Record<string, boolean>>
+      idp_sub?: string
     },
   ): void
   (e: 'change-password', password: string): void
@@ -193,6 +205,7 @@ const form = ref({
   role: '' as (typeof constants.ROLES)[number],
   password: '',
   customScope: '',
+  idp_sub: '',
 })
 
 const keyForm = ref({
@@ -211,6 +224,7 @@ const payload = computed(() => {
     role?: (typeof constants.ROLES)[number]
     email?: string
     scope?: Record<string, Record<string, boolean>>
+    idp_sub?: string
   } = {}
 
   // If role is custom, we send scope instead of role
@@ -234,8 +248,13 @@ const payload = computed(() => {
     result.email = form.value.email
   }
 
+  // Only include idp_sub if it has changed
+  if (form.value.idp_sub !== (props.user.idp_sub || '')) {
+    result.idp_sub = form.value.idp_sub || undefined
+  }
+
   // Return null if no changes were made
-  if (!result.role && !result.scope && !result.email) {
+  if (!result.role && !result.scope && !result.email && !result.idp_sub) {
     return null
   }
 
@@ -390,6 +409,7 @@ onMounted(() => {
       role,
       password: genPassword(),
       customScope,
+      idp_sub: props.user.idp_sub || '',
     }
   }
 })

frontend-ui/src/stores/user.ts

@@ -116,14 +116,27 @@ export const useUserStore = defineStore('user', () => {
 
   const updateUser = async (
     username: string,
-    payload: { role?: string; email?: string; scope?: Record<string, Record<string, boolean>> },
+    payload: {
+      role?: string
+      email?: string
+      scope?: Record<string, Record<string, boolean>>
+      idp_sub?: string
+    },
   ) => {
     const service = await authStore.getApiService('users')
+    const cleanedPayload = Object.fromEntries(
+      Object.entries(payload).filter(([, value]) => value !== null || value != undefined),
+    )
     try {
       await service.patch<
-        { role?: string; email?: string; scope?: Record<string, Record<string, boolean>> },
+        {
+          role?: string
+          email?: string
+          scope?: Record<string, Record<string, boolean>>
+          idp_sub?: string
+        },
         null
-      >(`/${username}`, payload)
+      >(`/${username}`, cleanedPayload)
       errors.value = []
       return true
     } catch (error) {

frontend-ui/src/types/user.ts

@@ -16,6 +16,7 @@ export interface JWTPayload {
 
 export interface User extends JWTUser {
   role: string
+  idp_sub?: string
 }
 
 export interface Token {

frontend-ui/src/views/UserView.vue

@@ -64,6 +64,11 @@
                       </a>
                     </p>
 
+                    <!-- IDP Sub -->
+                    <p v-if="user.idp_sub" class="mb-4">
+                      <strong>IDP Sub:</strong> <code>{{ user.idp_sub }}</code>
+                    </p>
+
                     <!-- Permissions List -->
                     <v-card class="mb-4" variant="outlined">
                       <v-card-title class="text-subtitle-1">
@@ -363,8 +368,9 @@ const updateUser = async (payload: {
   role?: string
   email?: string
   scope?: Record<string, Record<string, boolean>>
+  idp_sub?: string
 }) => {
-  if (!(payload.role || payload.email || payload.scope)) return
+  if (!(payload.role || payload.email || payload.scope || payload.idp_sub)) return
 
   loadingStore.startLoading('updating user…')
   const success = await userStore.updateUser(props.username, payload)