Merge pull request #20244 from mozilla/fix-client-ids

dschom · web-flow · commit 7e670e82883e · 2026-03-24T10:55:49.000-07:00
polish(auth): Cache registered client ids for 1 minute
diff --git a/packages/fxa-auth-server/config/index.ts b/packages/fxa-auth-server/config/index.ts
@@ -2795,6 +2795,14 @@ const convictConf = convict({
       },
     },
   },
+  registeredClients: {
+    refreshInterval: {
+      default: 60_000,
+      doc: 'The interval in ms at which we update the list of known registered client ids',
+      env: 'REGISTERED_CLIENTS__REFRESH_INTERVAL',
+      format: Number,
+    },
+  },
 });
 
 // handle configuration files.  you can specify a CSV list of configuration
@@ -2956,4 +2964,3 @@ export type ConfigType = ReturnType<conf['getProperties']>;
 
 export { convictConf as config };
 export default convictConf;
-
diff --git a/packages/fxa-auth-server/lib/registeredClients.spec.ts b/packages/fxa-auth-server/lib/registeredClients.spec.ts
@@ -0,0 +1,113 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import * as Sentry from '@sentry/node';
+import { OAuthDb } from './registeredClients';
+import { getRegisteredClientIds, reset } from './registeredClients';
+
+jest.mock('@sentry/node', () => ({
+  captureException: jest.fn(),
+}));
+
+/**
+ * Creates a mock OAuthDb whose `getAllClientIds` resolves with the given
+ * hex-encoded client ID strings converted to Buffer rows.
+ */
+function makeDb(ids: string[]): OAuthDb {
+  return {
+    mysql: {
+      getAllClientIds: jest
+        .fn()
+        .mockResolvedValue(ids.map((id) => ({ id: Buffer.from(id, 'hex') }))),
+    },
+  };
+}
+
+describe('getRegisteredClientIds', () => {
+  beforeEach(() => {
+    jest.useFakeTimers();
+    jest.clearAllMocks();
+  });
+
+  afterEach(() => {
+    reset();
+    jest.useRealTimers();
+  });
+
+  it('fetches from DB on first call and returns client IDs', async () => {
+    const db = makeDb(['aabbccdd11223344', 'deadbeefdeadbeef']);
+
+    const result = await getRegisteredClientIds(db);
+
+    expect(db.mysql.getAllClientIds).toHaveBeenCalledTimes(1);
+    expect(result).toEqual(new Set(['aabbccdd11223344', 'deadbeefdeadbeef']));
+  });
+
+  it('returns cached IDs on second call within 60 seconds', async () => {
+    const db = makeDb(['aabbccdd11223344']);
+
+    await getRegisteredClientIds(db);
+    jest.advanceTimersByTime(30_000);
+    const result = await getRegisteredClientIds(db);
+
+    expect(db.mysql.getAllClientIds).toHaveBeenCalledTimes(1);
+    expect(result).toEqual(new Set(['aabbccdd11223344']));
+  });
+
+  it('refetches from DB after 60 seconds', async () => {
+    const db = makeDb(['aabbccdd11223344']);
+
+    await getRegisteredClientIds(db);
+    jest.advanceTimersByTime(61_000);
+    await getRegisteredClientIds(db);
+
+    expect(db.mysql.getAllClientIds).toHaveBeenCalledTimes(2);
+  });
+
+  it('returns empty Set and captures to Sentry when DB fails on first call', async () => {
+    const error = new Error('DB unavailable');
+    const db: OAuthDb = {
+      mysql: { getAllClientIds: jest.fn().mockRejectedValue(error) },
+    };
+
+    const result = await getRegisteredClientIds(db);
+
+    expect(result).toEqual(new Set());
+    expect(Sentry.captureException).toHaveBeenCalledWith(error);
+  });
+
+  it('returns last successful Set and captures to Sentry when DB fails on subsequent call', async () => {
+    const db = makeDb(['aabbccdd11223344']);
+
+    // Successful first fetch
+    await getRegisteredClientIds(db);
+
+    // DB fails on refetch
+    jest.advanceTimersByTime(61_000);
+    const error = new Error('DB unavailable');
+    (db.mysql.getAllClientIds as jest.Mock).mockRejectedValueOnce(error);
+    const result = await getRegisteredClientIds(db);
+
+    expect(result).toEqual(new Set(['aabbccdd11223344']));
+    expect(Sentry.captureException).toHaveBeenCalledWith(error);
+  });
+
+  it('returns an empty Set when DB returns no clients', async () => {
+    const db = makeDb([]);
+
+    const result = await getRegisteredClientIds(db);
+
+    expect(result).toEqual(new Set());
+  });
+
+  it('re-fetches exactly at the 60-second boundary', async () => {
+    const db = makeDb(['aabbccdd11223344']);
+
+    await getRegisteredClientIds(db);
+    jest.advanceTimersByTime(60_001);
+    await getRegisteredClientIds(db);
+
+    expect(db.mysql.getAllClientIds).toHaveBeenCalledTimes(2);
+  });
+});
diff --git a/packages/fxa-auth-server/lib/registeredClients.ts b/packages/fxa-auth-server/lib/registeredClients.ts
@@ -0,0 +1,65 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import * as Sentry from '@sentry/node';
+import { config } from '../config';
+
+const refreshInterval =
+  config.get('registeredClients.refreshInterval') ?? 60_000;
+let registeredClientIds: Set<string> | null = null;
+let lastFetch = Date.now();
+
+/**
+ * Minimal interface for the OAuth database required by this module.
+ * Only the `getAllClientIds` method is needed to populate the registered-client cache.
+ */
+export type OAuthDb = {
+  mysql: {
+    getAllClientIds: () => Promise<Array<{ id: Buffer }>>;
+  };
+};
+
+/**
+ * Returns the set of registered OAuth client IDs, refreshing from the database
+ * at most once per `refreshInterval` milliseconds.
+ *
+ * Results are cached in module-level state to avoid a DB round-trip on every
+ * request. If the database call fails, the previous successful set is returned
+ * (or an empty set on the very first call) and the error is forwarded to Sentry.
+ *
+ * @param oauthDb - Database handle exposing `mysql.getAllClientIds`.
+ * @returns A Set of lowercase hex-encoded client ID strings.
+ */
+export async function getRegisteredClientIds(oauthDb: OAuthDb) {
+  // Refresh the cache on the initial call or after the configured interval
+  // to avoid a DB round-trip on every request.
+  if (Date.now() - lastFetch > refreshInterval || registeredClientIds == null) {
+    // Record the fetch time before awaiting so concurrent callers don't
+    // all trigger simultaneous refreshes.
+    lastFetch = Date.now();
+
+    // Validate clientId/service against registered OAuth clients to prevent
+    // unbounded cardinality and normalize onto request.app for StatsD/Sentry tags.
+    // Client IDs are loaded from the fxa_oauth.clients table on each request;
+    // the table is small and MySQL serves it from cache.
+    try {
+      const clients = await oauthDb.mysql.getAllClientIds();
+      registeredClientIds = new Set(clients.map((c) => c.id.toString('hex')));
+    } catch (err) {
+      Sentry.captureException(err);
+    }
+  }
+
+  // Return the last successful set, or an empty set to guard against an initial failure.
+  return registeredClientIds ?? new Set();
+}
+
+/**
+ * Resets the in-memory cache so the next call to `getRegisteredClientIds`
+ * triggers a fresh database fetch. Intended for use in tests.
+ */
+export async function reset() {
+  registeredClientIds = null;
+  lastFetch = Date.now();
+}
diff --git a/packages/fxa-auth-server/lib/server.js b/packages/fxa-auth-server/lib/server.js
@@ -97,6 +97,7 @@ async function create(
   oauthDb
 ) {
   const getGeoData = require('./geodb')(log);
+  const { getRegisteredClientIds } = require('./registeredClients');
   const metricsContext = require('./metrics/context')(log, config);
   const metricsEvents = require('./metrics/events')(log, config, glean);
   const { sharedSecret: SUBSCRIPTIONS_SECRET } = config.subscriptions;
@@ -327,19 +328,10 @@ async function create(
       await customs.checkIpOnly(request, action);
     }
 
-    // Validate clientId/service against registered OAuth clients to prevent
-    // unbounded cardinality and normalize onto request.app for StatsD/Sentry tags.
-    // Client IDs are loaded from the fxa_oauth.clients table on each request;
-    // the table is small and MySQL serves it from cache.
-    let registeredClientIds;
-    try {
-      const clients = await oauthDb.mysql.getAllClientIds();
-      registeredClientIds = new Set(clients.map((c) => c.id.toString('hex')));
-    } catch (err) {
-      Sentry.captureException(err);
-      registeredClientIds = new Set();
-    }
-    const tags = await resolveClientTags(request, registeredClientIds);
+    const tags = await resolveClientTags(
+      request,
+      await getRegisteredClientIds(oauthDb)
+    );
     if (tags.clientId) {
       request.app.clientIdTag = tags.clientId;
       Sentry.setTag('clientId', tags.clientId);
