chore: JWKs caching

Author: coodos

infrastructure/evault-core/src/core/protocol/vault-access-guard.ts

@@ -10,6 +10,14 @@ export type VaultContext = YogaInitialContext & {
     eName: string | null;
 };
 
+type CachedJWKS = {
+    jwks: ReturnType<typeof jose.createLocalJWKSet>;
+    expiresAt: number;
+};
+const jwksCache = new Map<string, CachedJWKS>();
+const JWKS_TTL_MS = 24 * 60 * 60 * 1000;
+const JWKS_FETCH_TIMEOUT_MS = 5000;
+
 export class VaultAccessGuard {
     constructor(private db: DbService) {}
 
@@ -35,12 +43,25 @@ export class VaultAccessGuard {
                 return null;
             }
 
-            const jwksResponse = await axios.get(
-                new URL(`/.well-known/jwks.json`, registryUrl).toString(),
-            );
+            const jwksUrl = new URL(
+                `/.well-known/jwks.json`,
+                registryUrl,
+            ).toString();
+
+            const now = Date.now();
+            let cached = jwksCache.get(jwksUrl);
+            if (!cached || cached.expiresAt <= now) {
+                const jwksResponse = await axios.get(jwksUrl, {
+                    timeout: JWKS_FETCH_TIMEOUT_MS,
+                });
+                cached = {
+                    jwks: jose.createLocalJWKSet(jwksResponse.data),
+                    expiresAt: now + JWKS_TTL_MS,
+                };
+                jwksCache.set(jwksUrl, cached);
+            }
 
-            const JWKS = jose.createLocalJWKSet(jwksResponse.data);
-            const { payload } = await jose.jwtVerify(token, JWKS);
+            const { payload } = await jose.jwtVerify(token, cached.jwks);
 
             return payload;
         } catch (error) {
@@ -115,11 +136,16 @@ export class VaultAccessGuard {
         metaEnvelopeId: string,
         context: VaultContext,
     ): Promise<{ hasAccess: boolean; exists: boolean }> {
-        // Validate token if present
-        const authHeader =
-            context.request?.headers?.get("authorization") ??
-            context.request?.headers?.get("Authorization");
-        const tokenPayload = await this.validateToken(authHeader);
+        // Reuse token payload already validated by validateAuthentication() earlier
+        // in the middleware; only re-validate as a fallback (e.g. store operations
+        // where an upstream pass may not have populated it).
+        let tokenPayload = context.tokenPayload ?? null;
+        if (!tokenPayload) {
+            const authHeader =
+                context.request?.headers?.get("authorization") ??
+                context.request?.headers?.get("Authorization");
+            tokenPayload = await this.validateToken(authHeader);
+        }
 
         if (tokenPayload) {
             // Token is valid, set platform context and allow access