Merge pull request #112 from bflad/bflad/authenticate-requests-httpx-retries

speakeasybot · web-flow · commit 8ab6c8ebc93e · 2025-04-03T15:14:10.000-04:00
feat: Implement retries and caching in JWKS helpers
diff --git a/src/clerk_backend_api/jwks_helpers/cache.py b/src/clerk_backend_api/jwks_helpers/cache.py
@@ -0,0 +1,28 @@
+import time
+
+class Cache:
+    """ In-memory cache with expiration. """
+
+    def __init__(self):
+        self.cache = {}
+        self.expiration_time = 300 # 5 minutes
+
+    def set(self, key: str | None, value: str):
+        if key is None:
+            return
+
+        self.cache[key] = (value, time.time() + self.expiration_time)
+
+    def get(self, key: str | None) -> str | None:
+        if key is None:
+            return None
+
+        if key in self.cache:
+            value, expiration = self.cache[key]
+
+            if time.time() < expiration:
+                return value
+
+            del self.cache[key]
+
+        return None
diff --git a/src/clerk_backend_api/jwks_helpers/verifytoken.py b/src/clerk_backend_api/jwks_helpers/verifytoken.py
@@ -9,6 +9,10 @@
 from enum import Enum
 from typing import Any, Dict, List, Union, Optional, cast
 
+from .cache import Cache
+
+__jwkcache = Cache()
+
 
 class TokenVerificationErrorReason(Enum):
 
@@ -110,12 +114,20 @@ def fetch_jwks(options: VerifyTokenOptions) -> Dict[str, Any]:
     """ Fetch JWKS from Clerk's Backend API."""
 
     jwks_url = f'{options.api_url}/{options.api_version}/jwks'
-    with httpx.Client() as client:
-        http_res = client.get(jwks_url, headers={
-            'Accept': 'application/json', 'Authorization': f'Bearer {options.secret_key}'
-        })
-
-        if http_res.status_code != 200:
+    transport = httpx.HTTPTransport(retries=10) # handles ConnectError and ConnectTimeout
+    with httpx.Client(transport=transport) as client:
+        http_res = None
+
+        for _ in range(10):
+            try:
+                http_res = client.get(jwks_url, headers={
+                    'Accept': 'application/json', 'Authorization': f'Bearer {options.secret_key}'
+                })
+            except httpx.TimeoutException:
+                continue
+            break
+
+        if http_res is None or http_res.status_code != 200:
             raise TokenVerificationError(TokenVerificationErrorReason.JWK_FAILED_TO_LOAD)
 
         try:
@@ -136,6 +148,10 @@ def get_remote_jwt_key(token: str, options: VerifyTokenOptions) -> str:
     except jwt.InvalidTokenError as e:
         raise TokenVerificationError(TokenVerificationErrorReason.TOKEN_INVALID) from e
 
+    decoded_pem = __jwkcache.get(kid)
+    if decoded_pem is not None:
+        return decoded_pem
+
     jwks = fetch_jwks(options).get('keys')
     if jwks is None:
         raise TokenVerificationError(TokenVerificationErrorReason.JWK_REMOTE_INVALID)
@@ -149,7 +165,9 @@ def get_remote_jwt_key(token: str, options: VerifyTokenOptions) -> str:
                     encoding=serialization.Encoding.PEM,
                     format=serialization.PublicFormat.SubjectPublicKeyInfo
                 )
-                return pem.decode('utf-8')
+                decoded_pem = pem.decode('utf-8')
+                __jwkcache.set(kid, decoded_pem)
+                return decoded_pem
 
     raise TokenVerificationError(TokenVerificationErrorReason.JWK_KID_MISMATCH)
 
