Cache decoded tokens (signature check is expensive)

2025-11-04 10:45:07 +01:00 · 2022-03-14 08:50:28 +01:00
parent fdbf94f2a1
commit 5431dd113e
1 changed files with 19 additions and 1 deletions
--- a/api.go
+++ b/api.go
@@ -14,6 +14,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/golang-jwt/jwt/v4"
@@ -280,6 +281,9 @@ func handleQuery(rw http.ResponseWriter, r *http.Request) {
 }

 func authentication(next http.Handler, publicKey ed25519.PublicKey) http.Handler {
+	cacheLock := sync.RWMutex{}
+	cache := map[string]*jwt.Token{}
+
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		authheader := r.Header.Get("Authorization")
 		if authheader == "" || !strings.HasPrefix(authheader, "Bearer ") {
@@ -287,10 +291,20 @@ func authentication(next http.Handler, publicKey ed25519.PublicKey) http.Handler
 			return
 		}

+		rawtoken := authheader[len("Bearer "):]
+		cacheLock.RLock()
+		token, ok := cache[rawtoken]
+		cacheLock.RUnlock()
+		if ok && token.Claims.Valid() == nil {
+			next.ServeHTTP(rw, r)
+			return
+		}
+
 		// The actual token is ignored for now.
 		// In case expiration and so on are specified, the Parse function
 		// already returns an error for expired tokens.
-		_, err := jwt.Parse(authheader[len("Bearer "):], func(t *jwt.Token) (interface{}, error) {
+		var err error
+		token, err = jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 			if t.Method != jwt.SigningMethodEdDSA {
 				return nil, errors.New("only Ed25519/EdDSA supported")
 			}
@@ -303,6 +317,10 @@ func authentication(next http.Handler, publicKey ed25519.PublicKey) http.Handler
 			return
 		}

+		cacheLock.Lock()
+		cache[rawtoken] = token
+		cacheLock.Unlock()
+
 		// Let request through...
 		next.ServeHTTP(rw, r)
 	})