feat: cache JWT on disk to respect issuance rate limit#4
Open
adamkrim wants to merge 1 commit into
Open
Conversation
Each CLI invocation (e.g. a Terraform command) was a new process that minted a fresh JWT via checkAPIToken, quickly exceeding the API's JWT issuance rate limit (15/hour per user and per IP). Persist the issued JWT to a user-private file (os.UserCacheDir, mode 0600, keyed by a hash of the credentials) and reuse it until it nears expiry (5 min margin, read from the token's exp claim). On a 401 the cache is dropped and we sign in once more, so a server-revoked token self-heals. Set ELESTIO_DISABLE_JWT_CACHE=1 to opt out. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Each CLI invocation (e.g. a Terraform command) is a new process that mints a fresh JWT via
checkAPIToken. A few commands per hour exceed the API's JWT issuance rate limit (15/hour per user and per IP).Solution
Persist the issued JWT and reuse it until it nears expiry, so we only call
checkAPITokenwhen there's no valid token.os.UserCacheDir()/elestio/, mode0600, filename =sha256(email:apiKey)so accounts don't collide and raw credentials never hit disk.expclaim (golang-jwt/jwt/v5,ParseUnverified— the server stays the authority on validity). Reused only while >5 min from expiry.401the cache is dropped and we sign in once more, so a server-revoked token recovers automatically (the auth endpoint itself is excluded to avoid a loop).ELESTIO_DISABLE_JWT_CACHE=1disables caching entirely.Caching is best-effort: any cache read/write error falls back to a normal sign-in.
Tests
cache_test.gocoversexpparsing, round-trip, per-credential isolation, the expiry margin, deletion, and the disable flag.go build,go vet, and tests pass.Notes for reviewers / security
0600), shorter-lived than the API key already stored in env/config, and never written to Terraform state or the repo.🤖 Generated with Claude Code