From d58b5fc4b6dffd1594dd2e743379bb76433fd12b Mon Sep 17 00:00:00 2001 From: John Smith Date: Wed, 11 Dec 2024 08:16:13 +1030 Subject: [PATCH 1/4] chore: Cache customer auth context --- control-plane/src/modules/auth/api-secret.ts | 16 ++++++---------- control-plane/src/modules/auth/auth.ts | 1 + control-plane/src/modules/auth/customer-auth.ts | 17 ++++++++++++++++- control-plane/src/utilities/cache.ts | 6 ++++++ 4 files changed, 29 insertions(+), 11 deletions(-) diff --git a/control-plane/src/modules/auth/api-secret.ts b/control-plane/src/modules/auth/api-secret.ts index 0c5cbf6c..239f77fa 100644 --- a/control-plane/src/modules/auth/api-secret.ts +++ b/control-plane/src/modules/auth/api-secret.ts @@ -1,21 +1,17 @@ import * as data from "../data"; import { eq, and, isNull } from "drizzle-orm"; -import { createHash, randomBytes } from "crypto"; +import { randomBytes } from "crypto"; import { logger } from "../observability/logger"; -import { createCache } from "../../utilities/cache"; +import { createCache, hashFromSecret } from "../../utilities/cache"; -const authContextCache = createCache<{ +const apiKeyContextCache = createCache<{ clusterId: string; id: string; organizationId: string; }>( - Symbol("authContextCach"), + Symbol("apiKeyContextCache"), ); -const hashFromSecret = (secret: string): string => { - return createHash("sha256").update(secret).digest("hex"); -}; - export const isApiSecret = (authorization: string): boolean => authorization.startsWith("sk_"); @@ -26,7 +22,7 @@ export const verifyApiKey = async ( > => { const secretHash = hashFromSecret(secret); - const cached = await authContextCache.get(secretHash); + const cached = await apiKeyContextCache.get(secretHash); if (cached) { return cached; @@ -60,7 +56,7 @@ export const verifyApiKey = async ( return undefined; } - await authContextCache.set(secretHash, { + await apiKeyContextCache.set(secretHash, { clusterId: result.clusterId, id: result.id, organizationId: result.organizationId, diff --git a/control-plane/src/modules/auth/auth.ts b/control-plane/src/modules/auth/auth.ts index c904223a..c02a8470 100644 --- a/control-plane/src/modules/auth/auth.ts +++ b/control-plane/src/modules/auth/auth.ts @@ -373,6 +373,7 @@ export const extractCustomerAuthState = async ( if (!cluster.enable_customer_auth) { throw new AuthenticationError( "Customer auth is not enabled for this cluster", + "https://docs.inferable.ai/pages/auth#customer-provided-secrets" ); } diff --git a/control-plane/src/modules/auth/customer-auth.ts b/control-plane/src/modules/auth/customer-auth.ts index 98baf325..ebeeb357 100644 --- a/control-plane/src/modules/auth/customer-auth.ts +++ b/control-plane/src/modules/auth/customer-auth.ts @@ -7,11 +7,16 @@ import { packer } from "../packer"; import * as jobs from "../jobs/jobs"; import { getJobStatusSync } from "../jobs/jobs"; import { getServiceDefinition } from "../service-definitions"; +import { createCache, hashFromSecret } from "../../utilities/cache"; export const VERIFY_FUNCTION_NAME = "handleCustomerAuth"; export const VERIFY_FUNCTION_SERVICE = "default"; const VERIFY_FUNCTION_ID = `${VERIFY_FUNCTION_SERVICE}_${VERIFY_FUNCTION_NAME}`; +const customerAuthContextCache = createCache( + Symbol("customerAuthContextCache"), +); + /** * Calls the customer provided verify function and returns the result */ @@ -22,6 +27,14 @@ export const verifyCustomerProvidedAuth = async ({ token: string; clusterId: string; }): Promise => { + + const secretHash = hashFromSecret(token); + + const cached = await customerAuthContextCache.get(secretHash); + if (cached) { + return cached; + } + try { const serviceDefinition = await getServiceDefinition({ service: VERIFY_FUNCTION_SERVICE, @@ -56,7 +69,7 @@ export const verifyCustomerProvidedAuth = async ({ const result = await getJobStatusSync({ jobId: id, owner: { clusterId }, - ttl: 5_000, + ttl: 15_000, }); if ( @@ -69,6 +82,8 @@ export const verifyCustomerProvidedAuth = async ({ ); } + await customerAuthContextCache.set(secretHash, result, 300); + return packer.unpack(result.result); } catch (e) { if (e instanceof JobPollTimeoutError) { diff --git a/control-plane/src/utilities/cache.ts b/control-plane/src/utilities/cache.ts index 2ca4bf02..810c9b7d 100644 --- a/control-plane/src/utilities/cache.ts +++ b/control-plane/src/utilities/cache.ts @@ -1,3 +1,4 @@ +import { createHash } from "crypto"; import NodeCache from "node-cache"; import { redisClient } from "../modules/redis"; @@ -37,3 +38,8 @@ export const createCache = (namespace: symbol) => { // const cache = createCache(Symbol("cache")); // cache.set("key", "value"); // const value = cache.get("key"); + +export const hashFromSecret = (secret: string): string => { + return createHash("sha256").update(secret).digest("hex"); +}; + From 43060ae503108b27f1bb35b3965e7722743b9d2e Mon Sep 17 00:00:00 2001 From: John Smith Date: Wed, 11 Dec 2024 08:18:27 +1030 Subject: [PATCH 2/4] chore: Add docLinks to customer auth errors --- control-plane/src/modules/auth/customer-auth.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/control-plane/src/modules/auth/customer-auth.ts b/control-plane/src/modules/auth/customer-auth.ts index ebeeb357..4f08c3b6 100644 --- a/control-plane/src/modules/auth/customer-auth.ts +++ b/control-plane/src/modules/auth/customer-auth.ts @@ -89,14 +89,17 @@ export const verifyCustomerProvidedAuth = async ({ if (e instanceof JobPollTimeoutError) { throw new AuthenticationError( `Call to ${VERIFY_FUNCTION_ID} did not complete in time`, + "https://docs.inferable.ai/pages/auth#handlecustomerauth" ); } - if (e instanceof InvalidJobArgumentsError) { + if (e instanceof Error) { throw new AuthenticationError( - `Could not find ${VERIFY_FUNCTION_ID} registration`, + `Call to ${VERIFY_FUNCTION_ID} failed with error: ${e.message}`, + "https://docs.inferable.ai/pages/auth#handlecustomerauth" ); } + throw e; } }; From 403bc239a45b2041574f5cffa09cad82949b43ae Mon Sep 17 00:00:00 2001 From: John Smith Date: Wed, 11 Dec 2024 08:42:29 +1030 Subject: [PATCH 3/4] feat: Cache customer auth failures --- .../src/modules/auth/customer-auth.ts | 41 ++++++++++++++----- 1 file changed, 30 insertions(+), 11 deletions(-) diff --git a/control-plane/src/modules/auth/customer-auth.ts b/control-plane/src/modules/auth/customer-auth.ts index 4f08c3b6..eebbd505 100644 --- a/control-plane/src/modules/auth/customer-auth.ts +++ b/control-plane/src/modules/auth/customer-auth.ts @@ -8,6 +8,7 @@ import * as jobs from "../jobs/jobs"; import { getJobStatusSync } from "../jobs/jobs"; import { getServiceDefinition } from "../service-definitions"; import { createCache, hashFromSecret } from "../../utilities/cache"; +import { logger } from "../observability/logger"; export const VERIFY_FUNCTION_NAME = "handleCustomerAuth"; export const VERIFY_FUNCTION_SERVICE = "default"; @@ -32,6 +33,12 @@ export const verifyCustomerProvidedAuth = async ({ const cached = await customerAuthContextCache.get(secretHash); if (cached) { + if (typeof cached === "object" && 'error' in cached && typeof cached.error === "string") { + throw new AuthenticationError( + cached.error, + "https://docs.inferable.ai/pages/auth#handlecustomerauth" + ); + } return cached; } @@ -72,13 +79,24 @@ export const verifyCustomerProvidedAuth = async ({ ttl: 15_000, }); - if ( - result.status !== "success" || - result.resultType !== "resolution" || - !result.result - ) { + if (result.status == "success" && result.resultType !== "resolution") { + throw new AuthenticationError( + "Customer provided token is not valid", + "https://docs.inferable.ai/pages/auth#handlecustomerauth" + ); + } + + // This isn't expected + if (result.status != "success") { + throw new Error( + `Failed to call ${VERIFY_FUNCTION_ID}: ${result.result}`, + ); + } + + if (!result.result) { throw new AuthenticationError( - `Call to ${VERIFY_FUNCTION_ID} failed. Result: ${result.result}`, + `${VERIFY_FUNCTION_ID} did not return a result`, + "https://docs.inferable.ai/pages/auth#handlecustomerauth" ); } @@ -93,11 +111,12 @@ export const verifyCustomerProvidedAuth = async ({ ); } - if (e instanceof Error) { - throw new AuthenticationError( - `Call to ${VERIFY_FUNCTION_ID} failed with error: ${e.message}`, - "https://docs.inferable.ai/pages/auth#handlecustomerauth" - ); + // Cache the auth error for 1 minutes + if (e instanceof AuthenticationError) { + await customerAuthContextCache.set(secretHash, { + error: e.message + }, 60); + throw e; } throw e; From 877a7f9963ccb36449e4c072593b975a7f7b6442 Mon Sep 17 00:00:00 2001 From: John Smith Date: Wed, 11 Dec 2024 08:44:23 +1030 Subject: [PATCH 4/4] chore: Deliniate cache key via clusterId --- control-plane/src/modules/auth/customer-auth.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/control-plane/src/modules/auth/customer-auth.ts b/control-plane/src/modules/auth/customer-auth.ts index eebbd505..8dec119d 100644 --- a/control-plane/src/modules/auth/customer-auth.ts +++ b/control-plane/src/modules/auth/customer-auth.ts @@ -29,7 +29,7 @@ export const verifyCustomerProvidedAuth = async ({ clusterId: string; }): Promise => { - const secretHash = hashFromSecret(token); + const secretHash = hashFromSecret(`${clusterId}:${token}`); const cached = await customerAuthContextCache.get(secretHash); if (cached) {