From a85bf5c30a3cf11d2a9077e2ee34858037654bd2 Mon Sep 17 00:00:00 2001 From: gbrodman Date: Mon, 22 Jun 2026 14:26:02 -0400 Subject: [PATCH] Use a (small) map to cache token verifiers (#3088) we shouldn't have to rebuild it each time we get a request to a different service or really ever at all -- we might get a tiny bit of cache benefit here --- .../google/registry/request/auth/AuthModule.java | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/core/src/main/java/google/registry/request/auth/AuthModule.java b/core/src/main/java/google/registry/request/auth/AuthModule.java index a7443f9cf..7554acc3b 100644 --- a/core/src/main/java/google/registry/request/auth/AuthModule.java +++ b/core/src/main/java/google/registry/request/auth/AuthModule.java @@ -43,6 +43,7 @@ import jakarta.inject.Qualifier; import jakarta.inject.Singleton; import java.io.IOException; import java.time.Duration; +import java.util.concurrent.ConcurrentHashMap; import java.util.function.Supplier; import javax.annotation.Nullable; @@ -88,8 +89,8 @@ public class AuthModule { TokenVerifier provideIapTokenVerifier( @Config("projectIdNumber") long projectIdNumber, @Named("backendServiceIdMap") Supplier> backendServiceIdMap) { - com.google.auth.oauth2.TokenVerifier.Builder tokenVerifierBuilder = - com.google.auth.oauth2.TokenVerifier.newBuilder().setIssuer(IAP_ISSUER_URL); + ConcurrentHashMap tokenVerifiers = + new ConcurrentHashMap<>(); return (String service, String token) -> { Long backendServiceId = backendServiceIdMap.get().get(service); checkNotNull( @@ -98,7 +99,15 @@ public class AuthModule { service, backendServiceIdMap); String audience = String.format(IAP_AUDIENCE_FORMAT, projectIdNumber, backendServiceId); - return tokenVerifierBuilder.setAudience(audience).build().verify(token); + com.google.auth.oauth2.TokenVerifier verifier = + tokenVerifiers.computeIfAbsent( + audience, + aud -> + com.google.auth.oauth2.TokenVerifier.newBuilder() + .setIssuer(IAP_ISSUER_URL) + .setAudience(aud) + .build()); + return verifier.verify(token); }; }