fix: switch from jsonwebtoken to jose for jwt signing/verification (#678) (#679)

- Supports async jwt signing/verification using libuv
- Add support for OKP (ed25519/Ed448) jwks
- Cleaner implementation across jwt code

Co-authored-by: Lenny <[email protected]>

Author: fenos

Dockerfile

@@ -1,5 +1,5 @@
 # Base stage for shared environment setup
-FROM node:20-alpine3.20 as base
+FROM node:22-alpine3.21 as base
 RUN apk add --no-cache g++ make python3
 WORKDIR /app
 COPY package.json package-lock.json ./

migrations/multitenant/0017-pool-mode.sql

@@ -0,0 +1 @@
+ALTER TABLE tenants ADD COLUMN IF NOT EXISTS database_pool_mode TEXT NULL;

migrations/multitenant/0017-tenants-s3-credentials-fix-notify-key.sql renamed to migrations/multitenant/0018-tenants-s3-credentials-fix-notify-key.sql

@@ -28,6 +28,7 @@
     "node": ">= 14.0.0"
   },
   "dependencies": {
+    "@aws-sdk/client-ecs": "^3.795.0",
     "@aws-sdk/client-s3": "3.654.0",
     "@aws-sdk/lib-storage": "3.654.0",
     "@aws-sdk/s3-request-presigner": "3.654.0",

package-lock.json

@@ -71,6 +71,7 @@ type StorageConfigType = {
   isMultitenant: boolean
   jwtSecret: string
   jwtAlgorithm: string
+  jwtCachingEnabled: boolean
   jwtJWKS?: JwksConfig
   multitenantDatabaseUrl?: string
   dbAnonRole: string
@@ -86,6 +87,7 @@ type StorageConfigType = {
   databaseURL: string
   databaseSSLRootCert?: string
   databasePoolURL?: string
+  databasePoolMode?: 'single_use' | 'recycle'
   databaseMaxConnections: number
   databaseFreePoolAfterInactivity: number
   databaseConnectionTimeout: number
@@ -262,6 +264,7 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     encryptionKey: getOptionalConfigFromEnv('AUTH_ENCRYPTION_KEY', 'ENCRYPTION_KEY') || '',
     jwtSecret: getOptionalIfMultitenantConfigFromEnv('AUTH_JWT_SECRET', 'PGRST_JWT_SECRET') || '',
     jwtAlgorithm: getOptionalConfigFromEnv('AUTH_JWT_ALGORITHM', 'PGRST_JWT_ALGORITHM') || 'HS256',
+    jwtCachingEnabled: getOptionalConfigFromEnv('JWT_CACHING_ENABLED') === 'true',
 
     // Upload
     uploadFileSizeLimit: Number(
@@ -353,6 +356,7 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     databaseSSLRootCert: getOptionalConfigFromEnv('DATABASE_SSL_ROOT_CERT'),
     databaseURL: getOptionalIfMultitenantConfigFromEnv('DATABASE_URL') || '',
     databasePoolURL: getOptionalConfigFromEnv('DATABASE_POOL_URL') || '',
+    databasePoolMode: getOptionalConfigFromEnv('DATABASE_POOL_MODE'),
     databaseMaxConnections: parseInt(
       getOptionalConfigFromEnv('DATABASE_MAX_CONNECTIONS') || '20',
       10
@@ -506,8 +510,7 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
 
   if (jwtJWKS) {
     try {
-      const parsed = JSON.parse(jwtJWKS)
-      config.jwtJWKS = parsed
+      config.jwtJWKS = JSON.parse(jwtJWKS)
     } catch {
       throw new Error('Unable to parse JWT_JWKS value to JSON')
     }

package.json

@@ -1,9 +1,10 @@
 import fastifyPlugin from 'fastify-plugin'
 import { JWTPayload } from 'jose'
 
-import { verifyJWT } from '@internal/auth'
+import { verifyJWTWithCache, verifyJWT } from '@internal/auth'
 import { getJwtSecret } from '@internal/database'
 import { ERRORS } from '@internal/errors'
+import { getConfig } from '../../config'
 
 declare module 'fastify' {
   interface FastifyRequest {
@@ -18,6 +19,8 @@ declare module 'fastify' {
   }
 }
 
+const { jwtCachingEnabled } = getConfig()
+
 const BEARER = /^Bearer\s+/i
 
 export const jwt = fastifyPlugin(
@@ -37,7 +40,10 @@ export const jwt = fastifyPlugin(
       const { secret, jwks } = await getJwtSecret(request.tenantId)
 
       try {
-        const payload = await verifyJWT(request.jwt, secret, jwks || null)
+        const payload = await (jwtCachingEnabled
+          ? verifyJWTWithCache(request.jwt, secret, jwks || null)
+          : verifyJWT(request.jwt, secret, jwks || null))
+
         request.jwtPayload = payload
         request.owner = payload.sub
         request.isAuthenticated = true

src/config.ts

@@ -26,6 +26,7 @@ const patchSchema = {
       anonKey: { type: 'string' },
       databaseUrl: { type: 'string' },
       databasePoolUrl: { type: 'string', nullable: true },
+      databasePoolMode: { type: 'string', nullable: true },
       maxConnections: { type: 'number' },
       jwks: { type: 'object', nullable: true },
       fileSizeLimit: { type: 'number' },
@@ -112,6 +113,7 @@ export default async function routes(fastify: FastifyInstance) {
         anon_key,
         database_url,
         database_pool_url,
+        database_pool_mode,
         max_connections,
         file_size_limit,
         jwt_secret,
@@ -130,6 +132,7 @@ export default async function routes(fastify: FastifyInstance) {
         anonKey: decrypt(anon_key),
         databaseUrl: decrypt(database_url),
         databasePoolUrl: database_pool_url ? decrypt(database_pool_url) : undefined,
+        databasePoolMode: database_pool_mode,
         maxConnections: max_connections ? Number(max_connections) : undefined,
         fileSizeLimit: Number(file_size_limit),
         jwtSecret: decrypt(jwt_secret),
@@ -164,6 +167,7 @@ export default async function routes(fastify: FastifyInstance) {
       anon_key,
       database_url,
       database_pool_url,
+      database_pool_mode,
       max_connections,
       file_size_limit,
       jwt_secret,
@@ -188,6 +192,7 @@ export default async function routes(fastify: FastifyInstance) {
           : database_pool_url
           ? decrypt(database_pool_url)
           : undefined,
+      databasePoolMode: database_pool_mode,
       maxConnections: max_connections ? Number(max_connections) : undefined,
       fileSizeLimit: Number(file_size_limit),
       jwtSecret: decrypt(jwt_secret),
@@ -217,6 +222,7 @@ export default async function routes(fastify: FastifyInstance) {
     const {
       anonKey,
       databaseUrl,
+      databasePoolMode,
       fileSizeLimit,
       jwtSecret,
       jwks,
@@ -233,6 +239,7 @@ export default async function routes(fastify: FastifyInstance) {
         anon_key: encrypt(anonKey),
         database_url: encrypt(databaseUrl),
         database_pool_url: databasePoolUrl ? encrypt(databasePoolUrl) : undefined,
+        database_pool_mode: databasePoolMode,
         max_connections: maxConnections ? Number(maxConnections) : undefined,
         file_size_limit: fileSizeLimit,
         jwt_secret: encrypt(jwtSecret),
@@ -280,6 +287,7 @@ export default async function routes(fastify: FastifyInstance) {
         serviceKey,
         features,
         databasePoolUrl,
+        databasePoolMode,
         maxConnections,
         tracingMode,
         disableEvents,
@@ -295,6 +303,7 @@ export default async function routes(fastify: FastifyInstance) {
             : databasePoolUrl === null
             ? null
             : undefined,
+          database_pool_mode: databasePoolMode,
           max_connections: maxConnections ? Number(maxConnections) : undefined,
           file_size_limit: fileSizeLimit,
           jwt_secret: jwtSecret !== undefined ? encrypt(jwtSecret) : undefined,

src/http/plugins/jwt.ts

@@ -10,6 +10,8 @@ import {
   JWTVerifyGetKey,
   SignJWT,
 } from 'jose'
+import { LRUCache } from 'lru-cache'
+import objectSizeOf from 'object-sizeof'
 
 const { jwtAlgorithm } = getConfig()
 
@@ -111,6 +113,54 @@ function getJWTAlgorithms(jwks: JwksConfig | null) {
   return algorithms
 }
 
+const jwtCache = new LRUCache<string, { token: string; payload: JWTPayload }>({
+  maxSize: 1024 * 1024 * 50, // 50MB
+  sizeCalculation: (value) => {
+    return objectSizeOf(value)
+  },
+  ttlResolution: 5000, // 5 seconds
+})
+
+/**
+ * Verifies if a JWT is valid and caches the payload
+ * for the duration of the token's expiration time
+ * @param token
+ * @param secret
+ * @param jwks
+ */
+export async function verifyJWTWithCache(
+  token: string,
+  secret: string,
+  jwks?: { keys: JwksConfigKey[] } | null
+) {
+  const cachedVerification = jwtCache.get(token)
+  if (
+    cachedVerification &&
+    cachedVerification.payload.exp &&
+    cachedVerification.payload.exp * 1000 > Date.now()
+  ) {
+    return Promise.resolve(cachedVerification.payload)
+  }
+
+  try {
+    const payload = await verifyJWT(token, secret, jwks)
+    if (!payload.exp) {
+      return payload
+    }
+
+    jwtCache.set(
+      token,
+      { token, payload: payload },
+      {
+        ttl: payload.exp * 1000 - Date.now(),
+      }
+    )
+    return payload
+  } catch (e) {
+    throw e
+  }
+}
+
 /**
  * Verifies if a JWT is valid
  * @param token

src/http/routes/admin/tenants.ts

@@ -0,0 +1,53 @@
+import { ClusterDiscoveryECS } from '@internal/cluster/ecs'
+
+import { EventEmitter } from 'node:events'
+import { logger } from '@internal/monitoring'
+
+const clusterEvent = new EventEmitter()
+
+export class Cluster {
+  static size: number = 0
+  protected static watcher?: NodeJS.Timeout = undefined
+
+  static on(event: string, listener: (...args: any[]) => void) {
+    clusterEvent.on(event, listener)
+  }
+
+  static async init(abortSignal: AbortSignal) {
+    if (process.env.CLUSTER_DISCOVERY === 'ECS') {
+      const cluster = new ClusterDiscoveryECS()
+      Cluster.size = await cluster.getClusterSize()
+
+      logger.info(`[Cluster] Initial cluster size ${Cluster.size}`, {
+        type: 'cluster',
+        clusterSize: Cluster.size,
+      })
+
+      Cluster.watcher = setInterval(() => {
+        cluster
+          .getClusterSize()
+          .then((size) => {
+            if (size !== Cluster.size) {
+              clusterEvent.emit('change', { size })
+            }
+            Cluster.size = size
+          })
+          .catch((e) => {
+            console.error('Error getting cluster size', e)
+          })
+      }, 20 * 1000)
+
+      abortSignal.addEventListener(
+        'abort',
+        () => {
+          if (Cluster.watcher) {
+            clearInterval(Cluster.watcher)
+            clusterEvent.removeAllListeners()
+            Cluster.watcher = undefined
+          }
+        },
+        { once: true }
+      )
+    }
+  }
+}