chore: make cached token configurable and added UT

Author: zhengzheng-jason

README.md

@@ -168,8 +168,10 @@ const client = new ReferralExchangeClient({
 ### JWT Authenticated Client
 
 If you need to authenticate requests by signing short-lived JWTs locally, use the `ReferralExchangeJwtClient`. It
-accepts a PEM-encoded ES256 private key and the API key name to embed as the issuer claim. Each request automatically
-receives a freshly signed token (15 second TTL) in the `Authorization` header.
+accepts a PEM-encoded ES256 private key and the API key name to embed as the issuer claim. By default each request
+receives a freshly signed token (15 second TTL) in the `Authorization` header, but you can opt into caching with a
+refresh buffer to reuse tokens safely. When opting in, you must supply the refresh buffer explicitly so the SDK knows
+how early to rotate tokens.
 
 ```typescript
 import { ReferralExchangeJwtClient } from "@opengovsg/refx-ts-sdk";
@@ -178,11 +180,19 @@ const client = new ReferralExchangeJwtClient({
     privateKey: process.env.REFX_PRIVATE_KEY!,
     apiKeyName: process.env.REFX_API_KEY_NAME!,
     environment: "Production", // or pass baseUrl
+    tokenCache: {
+        // The refresh buffer (required when enabling caching) is how much time must remain
+        // before we stop reusing a JWT so requests don't arrive after the token's exp timestamp.
+        refreshBufferSeconds: 5,
+    },
 });
 
 const offerings = await client.offerings.list();
 ```
 
+Omit the `tokenCache` block (the default) to sign a new token for every request. When you opt in, you must specify
+`refreshBufferSeconds` to control how early the SDK rotates tokens.
+
 ## Contributing
 
 While we value open-source contributions to this SDK, this library is generated programmatically.

src/wrapper/ReferralExchangeJwtClient.ts

@@ -10,13 +10,18 @@ export declare namespace ReferralExchangeJwtClient {
     export interface Options extends Omit<ReferralExchangeClient.Options, "fetcher" | "apiKey"> {
         privateKey: string;
         apiKeyName: string;
+        tokenCache?: TokenCacheOptions;
+    }
+
+    export interface TokenCacheOptions {
+        refreshBufferSeconds: number;
     }
 }
 
 export class ReferralExchangeJwtClient extends ReferralExchangeClient {
     constructor(options: ReferralExchangeJwtClient.Options) {
-        const { privateKey, apiKeyName, ...baseOptions } = options;
-        const signer = new JwtSigner({ privateKey, issuer: apiKeyName });
+        const { privateKey, apiKeyName, tokenCache, ...baseOptions } = options;
+        const signer = new JwtSigner({ privateKey, issuer: apiKeyName, tokenCache });
         const fetcher = createJwtFetcher(signer);
         super({
             ...baseOptions,
@@ -28,30 +33,47 @@ export class ReferralExchangeJwtClient extends ReferralExchangeClient {
 interface JwtSignerConfig {
     privateKey: string;
     issuer: string;
+    tokenCache?: ReferralExchangeJwtClient.TokenCacheOptions;
 }
 
 class JwtSigner {
     private readonly privateKey: string;
     private readonly issuer: string;
+    private readonly cacheEnabled: boolean;
+    private readonly refreshBufferSeconds: number;
     private cachedToken: { token: string; expiresAtEpochSeconds: number } | undefined;
 
-    constructor({ privateKey, issuer }: JwtSignerConfig) {
+    constructor({ privateKey, issuer, tokenCache }: JwtSignerConfig) {
         this.privateKey = privateKey;
         this.issuer = issuer;
+        const cacheEnabled = tokenCache != null;
+        this.cacheEnabled = cacheEnabled;
+        this.refreshBufferSeconds = cacheEnabled ? clampRefreshBufferSeconds(tokenCache.refreshBufferSeconds) : 0;
     }
 
     public async getToken(): Promise<string> {
+        if (!this.cacheEnabled) {
+            return this.signToken().token;
+        }
+
         const nowSeconds = Math.floor(Date.now() / 1000);
-        if (this.cachedToken != null && nowSeconds < this.cachedToken.expiresAtEpochSeconds - 1) {
+        if (
+            this.cachedToken != null &&
+            nowSeconds < this.cachedToken.expiresAtEpochSeconds - this.refreshBufferSeconds
+        ) {
             return this.cachedToken.token;
         }
 
-        const { token, expiresAtEpochSeconds } = createSignedJwt({
+        const signedToken = this.signToken();
+        this.cachedToken = signedToken;
+        return signedToken.token;
+    }
+
+    private signToken(): { token: string; expiresAtEpochSeconds: number } {
+        return createSignedJwt({
             privateKey: this.privateKey,
             issuer: this.issuer,
         });
-        this.cachedToken = { token, expiresAtEpochSeconds };
-        return token;
     }
 }
 
@@ -95,3 +117,9 @@ function createSignedJwt({ privateKey, issuer }: CreateSignedJwtArgs): {
         expiresAtEpochSeconds,
     };
 }
+
+function clampRefreshBufferSeconds(refreshBufferSeconds: number): number {
+    const lowerBound = 0;
+    const upperBound = Math.max(JWT_TTL_SECONDS - 1, 0);
+    return Math.min(Math.max(refreshBufferSeconds, lowerBound), upperBound);
+}

tests/unit/wrapper/ReferralExchangeJwtClient.test.ts

@@ -0,0 +1,157 @@
+jest.mock("../../../src/core/fetcher/Fetcher", () => ({
+    fetcherImpl: jest.fn(),
+}));
+
+jest.mock("jsonwebtoken", () => ({
+    __esModule: true,
+    default: {
+        sign: jest.fn(),
+    },
+}));
+
+import jwt from "jsonwebtoken";
+
+import { ReferralExchangeJwtClient } from "../../../src/wrapper/ReferralExchangeJwtClient";
+
+const fetcherImplMock = jest.requireMock("../../../src/core/fetcher/Fetcher").fetcherImpl as jest.Mock;
+const signMock = jwt.sign as jest.Mock<string, any[]>;
+
+describe("ReferralExchangeJwtClient", () => {
+    const requestArgs = { url: "https://refx.test/resource", method: "GET" };
+
+    beforeEach(() => {
+        fetcherImplMock.mockReset();
+        fetcherImplMock.mockResolvedValue({ ok: true });
+        signMock.mockReset();
+    });
+
+    it("signs a new token for every request when caching is disabled", async () => {
+        signMock.mockReturnValueOnce("token-1").mockReturnValueOnce("token-2");
+
+        const client = new ReferralExchangeJwtClient({
+            privateKey: "fake-private-key",
+            apiKeyName: "issuer",
+        });
+
+        const fetcher = ((client as any)._options.fetcher) as (args: typeof requestArgs) => Promise<unknown>;
+
+        await fetcher(requestArgs);
+        await fetcher(requestArgs);
+
+        expect(signMock).toHaveBeenCalledTimes(2);
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            1,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-1",
+                }),
+            }),
+        );
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            2,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-2",
+                }),
+            }),
+        );
+    });
+
+    it("reuses cached tokens until the refresh buffer elapses", async () => {
+        signMock.mockReturnValueOnce("token-1").mockReturnValueOnce("token-2");
+
+        const client = new ReferralExchangeJwtClient({
+            privateKey: "fake-private-key",
+            apiKeyName: "issuer",
+            tokenCache: { refreshBufferSeconds: 5 },
+        });
+        const fetcher = ((client as any)._options.fetcher) as (args: typeof requestArgs) => Promise<unknown>;
+
+        let nowMs = 0;
+        const dateSpy = jest.spyOn(Date, "now").mockImplementation(() => nowMs);
+
+        nowMs = 0;
+        await fetcher(requestArgs);
+        nowMs = 2_000; // 2 seconds, still outside the 5 second refresh buffer window.
+        await fetcher(requestArgs);
+        nowMs = 11_000; // 11 seconds -> only 4 seconds remain before expiry, so refresh.
+        await fetcher(requestArgs);
+
+        expect(signMock).toHaveBeenCalledTimes(2);
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            1,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-1",
+                }),
+            }),
+        );
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            2,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-1",
+                }),
+            }),
+        );
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            3,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-2",
+                }),
+            }),
+        );
+
+        dateSpy.mockRestore();
+    });
+
+    it("clamps refresh buffer to the JWT lifetime", async () => {
+        signMock.mockReturnValueOnce("token-1").mockReturnValueOnce("token-2");
+
+        const client = new ReferralExchangeJwtClient({
+            privateKey: "fake-private-key",
+            apiKeyName: "issuer",
+            tokenCache: { refreshBufferSeconds: 30 }, // larger than JWT_TTL_SECONDS
+        });
+        const fetcher = ((client as any)._options.fetcher) as (args: typeof requestArgs) => Promise<unknown>;
+
+        let nowMs = 0;
+        const dateSpy = jest.spyOn(Date, "now").mockImplementation(() => nowMs);
+
+        nowMs = 0;
+        await fetcher(requestArgs);
+        nowMs = 500; // 0.5 seconds < (15s - 14s clamp) so the cached token is still valid
+        await fetcher(requestArgs);
+        nowMs = 1_500; // 1.5 seconds -> exceeds the clamped threshold, so a new token is signed
+        await fetcher(requestArgs);
+
+        expect(signMock).toHaveBeenCalledTimes(2);
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            1,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-1",
+                }),
+            }),
+        );
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            2,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-1",
+                }),
+            }),
+        );
+        expect(fetcherImplMock).toHaveBeenNthCalledWith(
+            3,
+            expect.objectContaining({
+                headers: expect.objectContaining({
+                    Authorization: "Bearer token-2",
+                }),
+            }),
+        );
+
+        dateSpy.mockRestore();
+    });
+});