fix: rework ttl access token cache

Closes #90

Author: dajay

.husky/.gitignore

@@ -0,0 +1 @@
+_

.husky/commit-msg

@@ -0,0 +1,4 @@
+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+npx --no-install commitlint --edit $1

package.json

@@ -2,6 +2,9 @@
   "engines": {
     "node": ">=10"
   },
+  "scripts": {
+    "prepare": "husky install"
+  },
   "devDependencies": {
     "@commitlint/cli": "12.1.4",
     "@commitlint/config-conventional": "12.1.4",

pom.xml

@@ -58,6 +58,8 @@
     <guava-testlib.version>31.0.1-jre</guava-testlib.version>
     <json.version>20210307</json.version>
     <commons-text.version>1.9</commons-text.version>
+    <java-jwt.version>3.18.2</java-jwt.version>
+    <nimbus-jose-jwt.version>9.14</nimbus-jose-jwt.version>
   </properties>
   <!-- Define where the source code for this project lives -->
   <scm>
@@ -134,6 +136,11 @@
       <artifactId>commons-text</artifactId>
       <version>${commons-text.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>${nimbus-jose-jwt.version}</version>
+    </dependency>
     <!-- JUnit is a Java testing framework.
   It is optional in the workflow of deploying with maven-semantic-release. -->
     <dependency>

src/main/java/fr/redfroggy/ilg/spring/boot/autoconfigure/AuthorizationInterceptor.java

@@ -5,6 +5,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpRequest;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.client.ClientHttpRequestExecution;
 import org.springframework.http.client.ClientHttpRequestInterceptor;
@@ -30,9 +31,18 @@ public AuthorizationInterceptor(AuthenticationApiClient auth) {
     @Override
     public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException
     {
+        ClientHttpResponse response = addAuthorizationHeader(request, body, execution);
+        if (response.getStatusCode() == HttpStatus.UNAUTHORIZED) {
+            log.info("Reload tokens due to 401 status");
+            auth.invalidateTokens();
+            return addAuthorizationHeader(request, body, execution);
+        }
+        return response;
+    }
+
+    private ClientHttpResponse addAuthorizationHeader(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
         request.getHeaders().setAccept(Arrays.asList(MediaType.APPLICATION_JSON_UTF8));
         request.getHeaders().add(HttpHeaders.AUTHORIZATION, BEARER_TYPE +" "+ auth.getTokens().getToken());
-        ClientHttpResponse response = execution.execute(request, body);
-        return response;
+        return execution.execute(request, body);
     }
 }

src/main/java/fr/redfroggy/ilg/spring/boot/autoconfigure/IlgConfiguration.java

@@ -1,6 +1,7 @@
 package fr.redfroggy.ilg.spring.boot.autoconfigure;
 
 import fr.redfroggy.ilg.spring.boot.autoconfigure.client.AuthenticationApiClient;
+import fr.redfroggy.ilg.spring.boot.autoconfigure.client.cache.JwtCache;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
@@ -23,7 +24,8 @@ public RestTemplate simpleRestTemplate()
 
     @Bean
     @DependsOn("simpleRestTemplate")
-    public AuthenticationApiClient authenticationService(IlgProperties properties, RestTemplate simpleRestTemplate) {
-        return new AuthenticationApiClient(properties, simpleRestTemplate);
+    public AuthenticationApiClient authenticationService(IlgProperties properties,
+                                                         RestTemplate simpleRestTemplate, JwtCache jwtCache) {
+        return new AuthenticationApiClient(properties, simpleRestTemplate, jwtCache);
     }
 }

src/main/java/fr/redfroggy/ilg/spring/boot/autoconfigure/IlgProperties.java

@@ -1,10 +1,10 @@
 package fr.redfroggy.ilg.spring.boot.autoconfigure;
 
-import org.hibernate.validator.constraints.NotBlank;
-import org.hibernate.validator.constraints.NotEmpty;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.validation.annotation.Validated;
 
+import javax.validation.constraints.NotEmpty;
+
 /**
  * Properties to manage authentication to Ilg api
  *
@@ -22,8 +22,6 @@ public class IlgProperties {
 
     private boolean debugging;
 
-    private String tokenCacheSpec = "expireAfterWrite=14m";
-
     private boolean decode404;
 
     @NotEmpty
@@ -61,15 +59,6 @@ public void setDebugging(boolean debugging) {
         this.debugging = debugging;
     }
 
-    @NotBlank
-    public String getTokenCacheSpec() {
-        return tokenCacheSpec;
-    }
-
-    public void setTokenCacheSpec(String tokenCacheSpec) {
-        this.tokenCacheSpec = tokenCacheSpec;
-    }
-
     public boolean isDecode404() {
         return decode404;
     }

src/main/java/fr/redfroggy/ilg/spring/boot/autoconfigure/client/AuthenticationApiClient.java

@@ -1,11 +1,10 @@
 package fr.redfroggy.ilg.spring.boot.autoconfigure.client;
 
-import com.github.benmanes.caffeine.cache.Caffeine;
-import com.github.benmanes.caffeine.cache.LoadingCache;
 import fr.redfroggy.ilg.client.authentication.AuthenticationApi;
 import fr.redfroggy.ilg.client.authentication.AuthenticationJwt;
 import fr.redfroggy.ilg.client.authentication.Credentials;
 import fr.redfroggy.ilg.spring.boot.autoconfigure.IlgProperties;
+import fr.redfroggy.ilg.spring.boot.autoconfigure.client.cache.JwtCache;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.ResponseEntity;
@@ -20,35 +19,36 @@ public class AuthenticationApiClient implements AuthenticationApi {
 
     private final Credentials credentials;
     private final RestTemplate client;
-    private final LoadingCache<String, AuthenticationJwt> tokens;
+
+    private final JwtCache jwtCache;
 
     private final String baseUrl;
 
-    public AuthenticationApiClient(IlgProperties properties, RestTemplate client) {
+    public AuthenticationApiClient(IlgProperties properties, RestTemplate client,
+                                   JwtCache jwtCache) {
         Assert.notNull(properties, "Can't build token service without properties");
+        Assert.notNull(jwtCache, "Can't build token service without jwt cache");
 
         baseUrl = properties.getUrl();
         credentials = new Credentials(properties.getUsername(),
                 properties.getPassword());
-
         this.client = client;
-
-        tokens = Caffeine.from(properties.getTokenCacheSpec())
-                .build(key -> getNewTokens());
+        this.jwtCache = jwtCache;
     }
 
     public AuthenticationJwt getTokens() {
-        return tokens.get("tokens");
+        return jwtCache.get("tokens", () -> getNewTokens());
     }
 
-    public AuthenticationJwt getNewTokens() {
+    private AuthenticationJwt getNewTokens() {
+        AuthenticationJwt jwt = login(credentials).getBody();
         log.info("New ilg tokens requested");
-        return login(credentials).getBody();
+        return jwt;
     }
 
     public void invalidateTokens() {
         log.info("Evict requested tokens");
-        tokens.invalidate("tokens");
+        jwtCache.invalidate("tokens");
     }
 
     @Override

src/main/java/fr/redfroggy/ilg/spring/boot/autoconfigure/client/cache/JwtCache.java

@@ -0,0 +1,58 @@
+package fr.redfroggy.ilg.spring.boot.autoconfigure.client.cache;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+import fr.redfroggy.ilg.client.authentication.AuthenticationJwt;
+import fr.redfroggy.ilg.spring.boot.autoconfigure.client.AuthenticationApiClient;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+import java.text.ParseException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.Optional;
+import java.util.function.Supplier;
+
+@Component
+public class JwtCache {
+
+    private static final Logger log = LoggerFactory.getLogger(AuthenticationApiClient.class);
+
+    private Cache<String, AuthenticationJwt> authorizedCache = Caffeine.newBuilder().build();
+
+    private Duration durationCache = Duration.ZERO;
+
+    public AuthenticationJwt get(String key, Supplier<AuthenticationJwt> getNewToken) {
+        return Optional.ofNullable(authorizedCache.getIfPresent(key))
+                .orElseGet(() -> putAndGet(key,getNewToken) );
+    }
+
+    public AuthenticationJwt putAndGet(String key, Supplier<AuthenticationJwt> getNewToken) {
+        AuthenticationJwt jwt =  getNewToken.get();
+        JWT accessToken;
+        Date expirationTime = null;
+        try {
+            accessToken = JWTParser.parse(jwt.getToken());
+            expirationTime = accessToken.getJWTClaimsSet().getExpirationTime();
+        } catch (ParseException e) {
+            log.error("Cannot parse authentication jwt.",e);
+        }
+        Duration durationCache = Duration.between(Instant.now().plusSeconds(5), expirationTime.toInstant());
+        if (!(durationCache.getSeconds() == this.durationCache.getSeconds())) {
+            log.info("New duration for jwt cache {} s (previous is {} s)", durationCache.getSeconds(),
+                    this.durationCache.getSeconds());
+            this.durationCache = durationCache;
+            authorizedCache = Caffeine.newBuilder().expireAfterWrite(durationCache).build();
+        }
+        authorizedCache.put(key, jwt);
+        return jwt;
+    }
+
+    public void invalidate(String key) {
+        authorizedCache.invalidate(key);
+    }
+}

src/test/java/fr/redfroggy/ilg/client/ApiClientMockRestTest.java

@@ -3,6 +3,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import fr.redfroggy.ilg.client.authentication.AuthenticationJwt;
+import fr.redfroggy.ilg.spring.boot.autoconfigure.client.cache.JWTFixture;
 import org.hamcrest.core.StringContains;
 import org.junit.jupiter.api.BeforeEach;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -16,6 +17,8 @@
 
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.time.Instant;
+import java.util.Date;
 
 import static org.hamcrest.Matchers.startsWith;
 import static org.springframework.test.web.client.match.MockRestRequestMatchers.*;
@@ -32,10 +35,12 @@ public abstract class ApiClientMockRestTest {
     private MockRestServiceServer mockAuthorizedServer;
     protected ObjectMapper mapper = new ObjectMapper();
 
+    public static final String ACCESS_TOKEN = JWTFixture.anAccessToken(Date.from(Instant.now().plusSeconds(360)));
+
     @BeforeEach
     public void init() throws URISyntaxException, JsonProcessingException {
         mockAuthorizedServer = MockRestServiceServer.createServer(simpleRestTemplate);
-        AuthenticationJwt jwt = new AuthenticationJwt("test-token", "test-refreshToken");
+        AuthenticationJwt jwt = new AuthenticationJwt(ACCESS_TOKEN, "test-refreshToken");
         mockAuthorizedServer.expect(ExpectedCount.once(),
                 requestTo(new URI("http://ilg.fr/login_json")))
                 .andRespond(withStatus(HttpStatus.OK)
@@ -50,7 +55,7 @@ protected void mockApi(String uri, String body) throws URISyntaxException {
         mockApiServer.expect(ExpectedCount.once(),
                 requestTo(new URI(uri)))
                 .andExpect(method(HttpMethod.GET))
-                .andExpect(header("authorization", "Bearer test-token"))
+                .andExpect(header("authorization", "Bearer "+ACCESS_TOKEN))
                 .andExpect(header("accept", MediaType.APPLICATION_JSON_UTF8_VALUE))
                 .andRespond(withStatus(HttpStatus.OK)
                         .contentType(MediaType.APPLICATION_JSON)
@@ -63,7 +68,7 @@ protected void mockPostData(String uri, String body, String formDataKey, String
                 requestTo(
                         new URI(uri)))
                 .andExpect(method(HttpMethod.POST))
-                .andExpect(header("authorization","Bearer test-token"))
+                .andExpect(header("authorization","Bearer "+ACCESS_TOKEN))
                 .andExpect(header("accept",MediaType.APPLICATION_JSON_UTF8_VALUE))
                 .andExpect(header(HttpHeaders.CONTENT_TYPE, startsWith("multipart/form-data")))
                 .andExpect(content().string(StringContains.containsString("Content-Disposition: form-data; " +