feat: auth cache (#643)

* feat: initial commit of auth cache currently called directly in `convert_key`, should be a generic layer usable by other handlers as well * fix: expiration logic * refactor: switch dashmap to ttlc_cache * feat: rewrite the cache as a tower service * feat: add cache layer to convert_cookie * feat: cachemanagement trait * feat: refactor layer to be applied to router not specific handlers * refactor: move comment * feat: set cache in cachelayer, invalidate cached jwt on logout * feat: error handling in the cache layer * feat: implement cache layer on gateway * refactor: remove the cache from auth * refactor: revert changes needed for cache in auth * feat: invalidate jwt on logout calls * refactor: clean up logout cache invalidation * refactor: remove cache from shared state * refactor: remove comment * feat: add prepare.sh to auth * feat: move cache to auth layer * feat: invalidate cache on logout also comment out broken test and add TODO to it, and revert auth manifest changes * refactor: error handling in extract expiration * refactor: remove cache-layer, add comment * docs: add comment about logout cache invalidation * refactor: cachemanager new fn, remove comment * fix: make sure cookie is shuttle cookie * feat: add buffer to cache expiration * fix: fmt
shuttle-hq · Feb 27, 2023 · 6686657 · 6686657
1 parent 5187f6a
commit 6686657
Show file tree

Hide file tree

Showing 10 changed files with 281 additions and 113 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/auth/Cargo.toml b/auth/Cargo.toml
@@ -11,16 +11,16 @@ axum = { workspace = true, features = ["headers"] }
 axum-sessions = "0.4.1"
 clap = { workspace = true }
 http = { workspace = true }
-jsonwebtoken = { workspace = true}
+jsonwebtoken = { workspace = true }
 opentelemetry = { workspace = true }
 opentelemetry-datadog = { workspace = true }
 rand = { workspace = true }
 ring = { workspace = true }
-serde = { workspace = true, features = [ "derive" ] }
-sqlx = { version = "0.6.2", features = [ "sqlite", "json", "runtime-tokio-native-tls", "migrate" ] }
+serde = { workspace = true, features = ["derive"] }
+sqlx = { version = "0.6.2", features = ["sqlite", "json", "runtime-tokio-native-tls", "migrate"] }
 strum = { workspace = true }
 thiserror = { workspace = true }
-tokio = { version = "1.22.0", features = [ "full" ] }
+tokio = { version = "1.22.0", features = ["full"] }
 tracing = { workspace = true }
 tracing-opentelemetry = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter"] }

diff --git a/auth/src/api/builder.rs b/auth/src/api/builder.rs
@@ -18,6 +18,7 @@ use tracing::field;
 use crate::{
     secrets::{EdDsaManager, KeyManager},
     user::{UserManagement, UserManager},
+    COOKIE_EXPIRATION,
 };
 
 use super::handlers::{
@@ -102,7 +103,7 @@ impl ApiBuilder {
         self.session_layer = Some(
             SessionLayer::new(store, &secret)
                 .with_cookie_name("shuttle.sid")
-                .with_session_ttl(Some(std::time::Duration::from_secs(60 * 60 * 24))) // One day
+                .with_session_ttl(Some(COOKIE_EXPIRATION))
                 .with_secure(true),
         );
 
@@ -116,10 +117,12 @@ impl ApiBuilder {
         let user_manager = UserManager { pool };
         let key_manager = EdDsaManager::new();
 
-        self.router.layer(session_layer).with_state(RouterState {
+        let state = RouterState {
             user_manager: Arc::new(Box::new(user_manager)),
             key_manager: Arc::new(Box::new(key_manager)),
-        })
+        };
+
+        self.router.layer(session_layer).with_state(state)
     }
 }
 

diff --git a/auth/src/api/handlers.rs b/auth/src/api/handlers.rs
@@ -51,7 +51,7 @@ pub(crate) async fn login(
         .expect("to set account name");
     session
         .insert("account_tier", user.account_tier)
-        .expect("to set account name");
+        .expect("to set account tier");
 
     Ok(Json(user.into()))
 }
@@ -74,9 +74,9 @@ pub(crate) async fn convert_cookie(
 
     let claim = Claim::new(account_name, account_tier.into());
 
-    let response = shuttle_common::backends::auth::ConvertResponse {
-        token: claim.into_token(key_manager.private_key())?,
-    };
+    let token = claim.into_token(key_manager.private_key())?;
+
+    let response = shuttle_common::backends::auth::ConvertResponse { token };
 
     Ok(Json(response))
 }
@@ -92,15 +92,15 @@ pub(crate) async fn convert_key(
     let User {
         name, account_tier, ..
     } = user_manager
-        .get_user_by_key(key)
+        .get_user_by_key(key.clone())
         .await
         .map_err(|_| StatusCode::UNAUTHORIZED)?;
 
     let claim = Claim::new(name.to_string(), account_tier.into());
 
-    let response = shuttle_common::backends::auth::ConvertResponse {
-        token: claim.into_token(key_manager.private_key())?,
-    };
+    let token = claim.into_token(key_manager.private_key())?;
+
+    let response = shuttle_common::backends::auth::ConvertResponse { token };
 
     Ok(Json(response))
 }

diff --git a/auth/src/lib.rs b/auth/src/lib.rs
@@ -4,7 +4,7 @@ mod error;
 mod secrets;
 mod user;
 
-use std::{io, str::FromStr};
+use std::{io, str::FromStr, time::Duration};
 
 use args::StartArgs;
 use sqlx::{
@@ -22,6 +22,8 @@ use crate::{
 pub use api::ApiBuilder;
 pub use args::{Args, Commands, InitArgs};
 
+pub const COOKIE_EXPIRATION: Duration = Duration::from_secs(60 * 60 * 24); // One day
+
 pub static MIGRATIONS: Migrator = sqlx::migrate!("./migrations");
 
 pub async fn start(pool: SqlitePool, args: StartArgs) -> io::Result<()> {

diff --git a/common/src/backends/auth.rs b/common/src/backends/auth.rs
@@ -152,7 +152,7 @@ pub struct ConvertResponse {
 #[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
 pub struct Claim {
     /// Expiration time (as UTC timestamp).
-    exp: usize,
+    pub exp: usize,
     /// Issued at (as UTC timestamp).
     iat: usize,
     /// Issuer.