fix: LRU cache for invalidated tokens

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
projectcapsule · Aug 6, 2024 · 8e400c0 · 8e400c0
1 parent 665c45c
commit 8e400c0
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/internal/webserver/middleware/jwt.go b/internal/webserver/middleware/jwt.go
@@ -11,19 +11,22 @@ import (
 	"github.com/gorilla/mux"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/projectcapsule/capsule-proxy/internal/webserver/errors"
 )
 
 func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc {
+	invalidatedToken := sets.New[string]()
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 			var err error
 
 			token := strings.ReplaceAll(request.Header.Get("Authorization"), "Bearer ", "")
 
-			if len(token) > 0 {
+			if len(token) > 0 && !invalidatedToken.Has(token) {
 				tr := authenticationv1.TokenReview{
 					TypeMeta: metav1.TypeMeta{
 						Kind:       "TokenReview",
@@ -37,6 +40,8 @@ func CheckJWTMiddleware(client client.Writer) mux.MiddlewareFunc {
 					errors.HandleError(writer, err, "cannot create TokenReview")
 				}
 				if statusErr := tr.Status.Error; len(statusErr) > 0 {
+					invalidatedToken.Insert(token)
+
 					errors.HandleUnauthorized(writer, fmt.Errorf(statusErr), "cannot authenticate the token due to error")
 				}
 			}