mirror of
https://github.com/ClusterCockpit/cc-metric-store.git
synced 2026-07-14 13:40:37 +02:00
153ecb6dff
The per-handler JWT validation cache was never pruned, so a long-running process accumulated one map entry per distinct rotating token, growing without bound (a slow memory leak / DoS vector). Evict stale entries on the cache-miss path and cap the cache at maxTokenCacheSize, clearing it if eviction of expired tokens cannot free space. Also document in the README that auth verifies only the token signature and expiry (claims/roles are not enforced) and that an empty jwt-public-key disables authentication entirely. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>