Add cache issuer directory

src/bindings.ts

@@ -2,6 +2,7 @@ import type { R2Bucket } from '@cloudflare/workers-types/2023-07-01';
 
 export interface Bindings {
 	// variables and secrets
+	DIRECTORY_CACHE_MAX_AGE_SECONDS: string;
 	ENVIRONMENT: string;
 	LOGGING_SHIM_TOKEN: string;
 	SENTRY_ACCESS_CLIENT_ID: string;

src/context/metrics.ts

@@ -13,23 +13,33 @@ export class MetricsRegistry {
 	registry: RegistryType;
 	options: RegistryOptions;
 
-	requestsTotal: CounterType;
+	directoryCacheMissTotal: CounterType;
 	erroredRequestsTotal: CounterType;
+	issuanceRequestTotal: CounterType;
 	keyRotationTotal: CounterType;
 	keyClearTotal: CounterType;
-	issuanceRequestTotal: CounterType;
+	requestsTotal: CounterType;
 	signedTokenTotal: CounterType;
 
 	constructor(options: RegistryOptions) {
 		this.options = options;
 		this.registry = new Registry();
 
-		this.requestsTotal = this.registry.create('counter', 'requests_total', 'total requests');
+		this.directoryCacheMissTotal = this.registry.create(
+			'counter',
+			'directory_cache_miss_total',
+			'Number of requests for private token issuer directory which are not served by the cache.'
+		);
 		this.erroredRequestsTotal = this.registry.create(
 			'counter',
 			'errored_requests_total',
 			'Errored requests served to eyeball'
 		);
+		this.issuanceRequestTotal = this.registry.create(
+			'counter',
+			'issuance_request_total',
+			'Number of requests for private token issuance.'
+		);
 		this.keyRotationTotal = this.registry.create(
 			'counter',
 			'key_rotation_total',
@@ -40,11 +50,7 @@ export class MetricsRegistry {
 			'key_clear_total',
 			'Number of key clear performed.'
 		);
-		this.issuanceRequestTotal = this.registry.create(
-			'counter',
-			'issuance_request_total',
-			'Number of requests for private token issuance.'
-		);
+		this.requestsTotal = this.registry.create('counter', 'requests_total', 'total requests');
 		this.signedTokenTotal = this.registry.create(
 			'counter',
 			'signed_token_total',

src/index.ts

@@ -79,7 +79,24 @@ export const handleTokenRequest = async (ctx: Context, request: Request) => {
 	});
 };
 
+const getDirectoryCache = async (): Promise<Cache> => {
+	return caches.open('response/issuer-directory');
+};
+
+const FAKE_DOMAIN_CACHE = 'cache.local';
+const DIRECTORY_CACHE_REQUEST = new Request(
+	`https://${FAKE_DOMAIN_CACHE}${PRIVATE_TOKEN_ISSUER_DIRECTORY}`
+);
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
 export const handleTokenDirectory = async (ctx: Context, request?: Request) => {
+	const cache = await getDirectoryCache();
+	const cachedResponse = await cache.match(DIRECTORY_CACHE_REQUEST);
+	if (cachedResponse) {
+		return cachedResponse;
+	}
+	ctx.metrics.directoryCacheMissTotal.inc({ env: ctx.env.ENVIRONMENT });
+
 	const keys = await ctx.env.ISSUANCE_KEYS.list({ include: ['customMetadata'] });
 
 	if (keys.objects.length === 0) {
@@ -95,14 +112,23 @@ export const handleTokenDirectory = async (ctx: Context, request?: Request) => {
 		})),
 	};
 
-	return new Response(JSON.stringify(directory), {
+	const response = new Response(JSON.stringify(directory), {
 		headers: {
 			'content-type': MediaType.PRIVATE_TOKEN_ISSUER_DIRECTORY,
-			'cache-control': 'public, max-age=86400',
+			'cache-control': `public, max-age=${ctx.env.DIRECTORY_CACHE_MAX_AGE_SECONDS}`,
 		},
 	});
+	ctx.waitUntil(cache.put(DIRECTORY_CACHE_REQUEST, response.clone()));
+
+	return response;
 };
 
+const clearDirectoryCache = async (): Promise<boolean> => {
+	const cache = await getDirectoryCache();
+	return cache.delete(DIRECTORY_CACHE_REQUEST);
+};
+
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
 export const handleRotateKey = async (ctx: Context, request?: Request) => {
 	ctx.metrics.keyRotationTotal.inc({ env: ctx.env.ENVIRONMENT });
 
@@ -148,9 +174,12 @@ export const handleRotateKey = async (ctx: Context, request?: Request) => {
 		customMetadata: metadata,
 	});
 
+	ctx.waitUntil(clearDirectoryCache());
+
 	return new Response(`New key ${publicKeyEnc}`, { status: 201 });
 };
 
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
 const handleClearKey = async (ctx: Context, request?: Request) => {
 	ctx.metrics.keyClearTotal.inc({ env: ctx.env.ENVIRONMENT });
 	const keys = await ctx.env.ISSUANCE_KEYS.list();
@@ -169,6 +198,9 @@ const handleClearKey = async (ctx: Context, request?: Request) => {
 	}
 	const toDeleteArray = [...toDelete];
 	await ctx.env.ISSUANCE_KEYS.delete(toDeleteArray);
+
+	ctx.waitUntil(clearDirectoryCache());
+
 	return new Response(`Keys cleared: ${toDeleteArray.join('\n')}`, { status: 201 });
 };
 

test/index.test.ts

@@ -1,8 +1,10 @@
+import { jest } from '@jest/globals';
+
 import { Context } from '../src/context';
 import { handleTokenRequest, default as workerObject } from '../src/index';
 import { IssuerConfigurationResponse } from '../src/types';
 import { b64ToB64URL, u8ToB64 } from '../src/utils/base64';
-import { ExecutionContextMock, getContext, getEnv } from './mocks';
+import { ExecutionContextMock, MockCache, getContext, getEnv } from './mocks';
 import { RSABSSA } from '@cloudflare/blindrsa-ts';
 import {
 	MediaType,
@@ -147,3 +149,37 @@ describe('rotate and clear key', () => {
 		expect(directory['token-keys']).toHaveLength(1);
 	});
 });
+
+describe('cache directory response', () => {
+	const rotateURL = `${sampleURL}/admin/rotate`;
+	const directoryURL = `${sampleURL}${PRIVATE_TOKEN_ISSUER_DIRECTORY}`;
+
+	const initializeKeys = async (numberOfKeys = 1): Promise<void> => {
+		const rotateRequest = new Request(rotateURL, { method: 'POST' });
+
+		for (let i = 0; i < numberOfKeys; i += 1) {
+			await workerObject.fetch(rotateRequest, getEnv(), new ExecutionContextMock());
+		}
+	};
+
+	it('should cache the directory response', async () => {
+		await initializeKeys();
+
+		const mockCache = new MockCache();
+		const spy = jest.spyOn(caches, 'open').mockResolvedValue(mockCache);
+		const directoryRequest = new Request(directoryURL);
+
+		let response = await workerObject.fetch(directoryRequest, getEnv(), new ExecutionContextMock());
+		expect(response.ok).toBe(true);
+		expect(Object.entries(mockCache.cache)).toHaveLength(1);
+
+		const [cachedURL, _] = Object.entries(mockCache.cache)[0];
+		const cachedResponse = new Response('cached response');
+		mockCache.cache[cachedURL] = cachedResponse;
+
+		response = await workerObject.fetch(directoryRequest, getEnv(), new ExecutionContextMock());
+		expect(response.ok).toBe(true);
+		expect(response).toBe(cachedResponse);
+		spy.mockClear();
+	});
+});

test/mocks.ts

@@ -3,6 +3,31 @@ import { Context, WaitUntilFunc } from '../src/context';
 import { ConsoleLogger, Logger } from '../src/context/logging';
 import { MetricsRegistry } from '../src/context/metrics';
 
+export class MockCache implements Cache {
+	public cache: Record<string, Response> = {};
+
+	async match(info: RequestInfo, options?: CacheQueryOptions): Promise<Response | undefined> {
+		if (options) {
+			throw new Error('CacheQueryOptions not supported');
+		}
+		const url = new URL(info instanceof Request ? info.url : info).href;
+		return this.cache[url];
+	}
+
+	async delete(info: RequestInfo, options?: CacheQueryOptions): Promise<boolean> {
+		if (options) {
+			throw new Error('CacheQueryOptions not supported');
+		}
+		const url = new URL(info instanceof Request ? info.url : info).href;
+		return delete this.cache[url];
+	}
+
+	async put(info: RequestInfo, response: Response): Promise<void> {
+		const url = new URL(info instanceof Request ? info.url : info).href;
+		this.cache[url] = response;
+	}
+}
+
 export class ExecutionContextMock implements ExecutionContext {
 	waitUntils: Promise<any>[] = [];
 	passThrough = false;

wrangler.toml

@@ -14,6 +14,7 @@ route = { pattern = "pp-issuer.example.test", custom_domain=true }
 crons = ["0 0 * * *"]
 
 [env.production.vars]
+DIRECTORY_CACHE_MAX_AGE_SECONDS = "86400"
 ENVIRONMENT = "production"
 SENTRY_SAMPLE_RATE = "0" # Between 0-1 if you log errors on Sentry. 0 disables Sentry logging. Configuration is done through Workers Secrets