HTTP client only overwrites and appends JWK to local cache during refresh (#41)

Author: MicahParks

examples/storage_operations/go.mod

@@ -5,8 +5,8 @@ go 1.21
 replace github.com/MicahParks/jwkset => ../..
 
 require (
-	github.com/MicahParks/jwkset v0.5.6
-	github.com/google/uuid v1.5.0
+	github.com/MicahParks/jwkset v0.6.0
+	github.com/google/uuid v1.6.0
 )
 
-require golang.org/x/time v0.5.0 // indirect
+require golang.org/x/time v0.9.0 // indirect

examples/storage_operations/go.sum

@@ -1,4 +1,4 @@
-github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
-github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

go.mod

@@ -2,4 +2,6 @@ module github.com/MicahParks/jwkset
 
 go 1.21
 
-require golang.org/x/time v0.5.0
+require golang.org/x/time v0.9.0
+
+retract [v0.5.0, v0.5.15] // HTTP client only overwrites and appends JWK to local cache during refresh: https://github.com/MicahParks/jwkset/issues/40

go.sum

@@ -1,2 +1,2 @@
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

http_test.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"sync"
 	"testing"
@@ -144,6 +145,119 @@ func TestClient(t *testing.T) {
 	}
 }
 
+func TestClientCacheReplacement(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	kid := "my-key-id"
+	secret := []byte("my-hmac-secret")
+	serverStore := NewMemoryStorage()
+	marshalOptions := JWKMarshalOptions{
+		Private: true,
+	}
+	metadata := JWKMetadataOptions{
+		KID: kid,
+	}
+	options := JWKOptions{
+		Marshal:  marshalOptions,
+		Metadata: metadata,
+	}
+	jwk, err := NewJWKFromKey(secret, options)
+	if err != nil {
+		t.Fatalf("Failed to create a JWK from the given HMAC secret.\nError: %s", err)
+	}
+	err = serverStore.KeyWrite(ctx, jwk)
+	if err != nil {
+		t.Fatalf("Failed to write the given JWK to the store.\nError: %s", err)
+	}
+	rawJWKS, err := serverStore.JSON(ctx)
+	if err != nil {
+		t.Fatalf("Failed to get the JSON.\nError: %s", err)
+	}
+
+	rawJWKSMux := sync.RWMutex{}
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		rawJWKSMux.RLock()
+		defer rawJWKSMux.RUnlock()
+		_, _ = w.Write(rawJWKS)
+	}))
+
+	u, err := url.ParseRequestURI(server.URL)
+	if err != nil {
+		t.Fatalf("Failed to parse the URL.\nError: %s", err)
+	}
+
+	refreshInterval := 50 * time.Millisecond
+	httpOptions := HTTPClientStorageOptions{
+		Ctx:             ctx,
+		RefreshInterval: refreshInterval,
+	}
+	clientStore, err := NewStorageFromHTTP(u, httpOptions)
+	if err != nil {
+		t.Fatalf("Failed to create a new HTTP client.\nError: %s", err)
+	}
+
+	jwk, err = clientStore.KeyRead(ctx, kid)
+	if err != nil {
+		t.Fatalf("Failed to read the JWK.\nError: %s", err)
+	}
+
+	if !bytes.Equal(jwk.Key().([]byte), secret) {
+		t.Fatalf("The key read from the HTTP client did not match the original key.")
+	}
+
+	jwks, err := clientStore.KeyReadAll(ctx)
+	if err != nil {
+		t.Fatalf("Failed to read all the JWKs.\nError: %s", err)
+	}
+	if len(jwks) != 1 {
+		t.Fatalf("Expected to read 1 JWK, but got %d.", len(jwks))
+	}
+	if !bytes.Equal(jwks[0].Key().([]byte), secret) {
+		t.Fatalf("The key read from the HTTP client did not match the original key.")
+	}
+
+	otherKeyID := myKeyID + "2"
+	options.Metadata.KID = otherKeyID
+	otherSecret := []byte("my-other-hmac-secret")
+	jwk, err = NewJWKFromKey(otherSecret, options)
+	if err != nil {
+		t.Fatalf("Failed to create a JWK from the given HMAC secret.\nError: %s", err)
+	}
+	err = serverStore.KeyWrite(ctx, jwk)
+	if err != nil {
+		t.Fatalf("Failed to write the given JWK to the store.\nError: %s", err)
+	}
+	ok, err := serverStore.KeyDelete(ctx, kid)
+	if err != nil {
+		t.Fatalf("Failed to delete the given JWK from the store.\nError: %s", err)
+	}
+	if !ok {
+		t.Fatalf("Expected the key to be deleted.")
+	}
+	rawJWKSMux.Lock()
+	rawJWKS, err = serverStore.JSON(ctx)
+	rawJWKSMux.Unlock()
+	if err != nil {
+		t.Fatalf("Failed to get the JSON.\nError: %s", err)
+	}
+	time.Sleep(2 * refreshInterval)
+
+	jwks, err = clientStore.KeyReadAll(ctx)
+	if err != nil {
+		t.Fatalf("Failed to read the JWK.\nError: %s", err)
+	}
+	if len(jwks) != 1 {
+		t.Fatalf("Expected to read 1 JWK, but got %d.", len(jwks))
+	}
+	if jwks[0].marshal.KID != otherKeyID {
+		t.Fatalf("The key read from the HTTP client did not match the original key.")
+	}
+	if !bytes.Equal(jwks[0].Key().([]byte), otherSecret) {
+		t.Fatalf("The key read from the HTTP client did not match the original key.")
+	}
+}
+
 func TestClientError(t *testing.T) {
 	_, err := NewHTTPClient(HTTPClientOptions{})
 	if err == nil {

storage.go

@@ -49,19 +49,19 @@ type Storage interface {
 	MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error)
 }
 
-var _ Storage = &memoryJWKSet{}
+var _ Storage = &MemoryJWKSet{}
 
-type memoryJWKSet struct {
+type MemoryJWKSet struct {
 	set []JWK
 	mux sync.RWMutex
 }
 
 // NewMemoryStorage creates a new in-memory Storage implementation.
-func NewMemoryStorage() Storage {
-	return &memoryJWKSet{}
+func NewMemoryStorage() *MemoryJWKSet {
+	return &MemoryJWKSet{}
 }
 
-func (m *memoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err error) {
+func (m *MemoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err error) {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for i, jwk := range m.set {
@@ -72,7 +72,12 @@ func (m *memoryJWKSet) KeyDelete(_ context.Context, keyID string) (ok bool, err
 	}
 	return ok, nil
 }
-func (m *memoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) {
+func (m *MemoryJWKSet) KeyDeleteAll() {
+	m.mux.Lock()
+	defer m.mux.Unlock()
+	m.set = make([]JWK, 0)
+}
+func (m *MemoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) {
 	m.mux.RLock()
 	defer m.mux.RUnlock()
 	for _, jwk := range m.set {
@@ -82,12 +87,12 @@ func (m *memoryJWKSet) KeyRead(_ context.Context, keyID string) (JWK, error) {
 	}
 	return JWK{}, fmt.Errorf("%w: kid %q", ErrKeyNotFound, keyID)
 }
-func (m *memoryJWKSet) KeyReadAll(_ context.Context) ([]JWK, error) {
+func (m *MemoryJWKSet) KeyReadAll(_ context.Context) ([]JWK, error) {
 	m.mux.RLock()
 	defer m.mux.RUnlock()
 	return slices.Clone(m.set), nil
 }
-func (m *memoryJWKSet) KeyWrite(_ context.Context, jwk JWK) error {
+func (m *MemoryJWKSet) KeyWrite(_ context.Context, jwk JWK) error {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for i, j := range m.set {
@@ -100,30 +105,30 @@ func (m *memoryJWKSet) KeyWrite(_ context.Context, jwk JWK) error {
 	return nil
 }
 
-func (m *memoryJWKSet) JSON(ctx context.Context) (json.RawMessage, error) {
+func (m *MemoryJWKSet) JSON(ctx context.Context) (json.RawMessage, error) {
 	jwks, err := m.Marshal(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal JWK Set: %w", err)
 	}
 	return json.Marshal(jwks)
 }
-func (m *memoryJWKSet) JSONPublic(ctx context.Context) (json.RawMessage, error) {
+func (m *MemoryJWKSet) JSONPublic(ctx context.Context) (json.RawMessage, error) {
 	return m.JSONWithOptions(ctx, JWKMarshalOptions{}, JWKValidateOptions{})
 }
-func (m *memoryJWKSet) JSONPrivate(ctx context.Context) (json.RawMessage, error) {
+func (m *MemoryJWKSet) JSONPrivate(ctx context.Context) (json.RawMessage, error) {
 	marshalOptions := JWKMarshalOptions{
 		Private: true,
 	}
 	return m.JSONWithOptions(ctx, marshalOptions, JWKValidateOptions{})
 }
-func (m *memoryJWKSet) JSONWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (json.RawMessage, error) {
+func (m *MemoryJWKSet) JSONWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (json.RawMessage, error) {
 	jwks, err := m.MarshalWithOptions(ctx, marshalOptions, validationOptions)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal JWK Set with options: %w", err)
 	}
 	return json.Marshal(jwks)
 }
-func (m *memoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) {
+func (m *MemoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) {
 	keys, err := m.KeyReadAll(ctx)
 	if err != nil {
 		return JWKSMarshal{}, fmt.Errorf("failed to read snapshot of all keys from storage: %w", err)
@@ -134,7 +139,7 @@ func (m *memoryJWKSet) Marshal(ctx context.Context) (JWKSMarshal, error) {
 	}
 	return jwks, nil
 }
-func (m *memoryJWKSet) MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error) {
+func (m *MemoryJWKSet) MarshalWithOptions(ctx context.Context, marshalOptions JWKMarshalOptions, validationOptions JWKValidateOptions) (JWKSMarshal, error) {
 	jwks := JWKSMarshal{}
 
 	keys, err := m.KeyReadAll(ctx)
@@ -203,11 +208,6 @@ type HTTPClientStorageOptions struct {
 	// Provide the Ctx option to end the goroutine when it's no longer needed.
 	RefreshInterval time.Duration
 
-	// Storage is the underlying storage implementation to use.
-	//
-	// This defaults to NewMemoryStorage().
-	Storage Storage
-
 	// ValidateOptions are the options to use when validating the JWKs.
 	ValidateOptions JWKValidateOptions
 }
@@ -238,10 +238,7 @@ func NewStorageFromHTTP(u *url.URL, options HTTPClientStorageOptions) (Storage,
 	if options.HTTPMethod == "" {
 		options.HTTPMethod = http.MethodGet
 	}
-	store := options.Storage
-	if store == nil {
-		store = NewMemoryStorage()
-	}
+	store := NewMemoryStorage()
 
 	refresh := func(ctx context.Context) error {
 		req, err := http.NewRequestWithContext(ctx, options.HTTPMethod, u.String(), nil)
@@ -262,6 +259,7 @@ func NewStorageFromHTTP(u *url.URL, options HTTPClientStorageOptions) (Storage,
 		if err != nil {
 			return fmt.Errorf("failed to decode JWK Set response: %w", err)
 		}
+		store.KeyDeleteAll() // Clear local cache in case of key revocation.
 		for _, marshal := range jwks.Keys {
 			marshalOptions := JWKMarshalOptions{
 				Private: true,