Documentation
Overview
Package jti provides JTI (JWT ID) replay prevention caches.
Two backends are supported: in-memory (for single-instance deployments) and Redis (for multi-instance deployments). Both implement the Cache interface with atomic reserve semantics.
Types
type Cache
type Cache interface {
	Reserve(ctx context.Context, jti string, expiresAt time.Time) (bool, error)
	Release(ctx context.Context, jti string) error
}
Cache is the interface for JTI replay prevention.
Reserve atomically checks whether the JTI has been seen and, if new, stores it so concurrent requests with the same JTI are rejected. Returns (true, nil) if the JTI is new and has been reserved, (false, nil) if already seen, or (false, error) on backend failure (fail-closed).
Release removes a previously reserved JTI from the cache. This should be called when a downstream operation fails after a successful Reserve, allowing the client to retry with the same OIDC token.
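The Reserve/Release contract described above, seen from the caller's side, as an added example that is not code from this package. `memCache`, `downCache`, `Accept` and `ErrReplay` are hypothetical names, and the stand-in cache ignores expiry.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Cache is the interface exactly as documented on this page.
type Cache interface {
	Reserve(ctx context.Context, jti string, expiresAt time.Time) (bool, error)
	Release(ctx context.Context, jti string) error
}

type memCache struct{ seen sync.Map } // example stand-in, ignores expiry
func (m *memCache) Reserve(_ context.Context, jti string, _ time.Time) (bool, error) {
	_, loaded := m.seen.LoadOrStore(jti, struct{}{}) // atomic check-and-store
	return !loaded, nil
}
func (m *memCache) Release(_ context.Context, jti string) error {
	m.seen.Delete(jti)
	return nil
}

type downCache struct{ memCache } // constructed backend whose Reserve always errors
func (*downCache) Reserve(context.Context, string, time.Time) (bool, error) {
	return false, errors.New("backend unreachable")
}

var ErrReplay = errors.New("jti already used") // hypothetical sentinel

// Accept is a hypothetical caller: it proceeds only when Reserve returns (true, nil).
func Accept(ctx context.Context, c Cache, jti string, exp time.Time, downstream func() error) error {
	ok, err := c.Reserve(ctx, jti, exp)
	if err != nil {
		return fmt.Errorf("rejecting token, jti cache error: %w", err) // fail closed
	}
	if !ok {
		return ErrReplay
	}
	if err := downstream(); err != nil {
		_ = c.Release(ctx, jti) // let the client retry with the same token
		return err
	}
	return nil
}

func main() { fmt.Println(Accept(context.Background(), &memCache{}, "jti-1", time.Now(), func() error { return nil })) }
```

Release runs only on the downstream-failure path; a replayed or cache-error request never releases the JTI.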
type CacheError
type CacheError struct {
	Err error
}
CacheError wraps backend errors (Redis connection failures, etc.).
func (*CacheError) Error
func (e *CacheError) Error() string
func (*CacheError) Unwrap
func (e *CacheError) Unwrap() error
type InMemoryCache
type InMemoryCache struct {
	// contains filtered or unexported fields
}
InMemoryCache stores JTIs in a map protected by sync.Mutex. Suitable for single-instance deployments. Expired entries are evicted by a background goroutine to keep Reserve() O(1).
func NewInMemoryCache
func NewInMemoryCache(ttl time.Duration) *InMemoryCache
NewInMemoryCache creates an in-memory JTI cache with the given default TTL. Call Stop() to halt the background cleanup goroutine.
func (*InMemoryCache) Release
func (c *InMemoryCache) Release(_ context.Context, jti string) error
Release removes a previously reserved JTI, allowing the OIDC token to be retried after a transient downstream failure.
func (*InMemoryCache) Reserve
Reserve atomically checks whether the JTI has been seen and stores it if new. O(1) — expired entry eviction is handled by the background goroutine.
func (*InMemoryCache) Stop (added in v0.0.3)
func (c *InMemoryCache) Stop()
Stop halts the background cleanup goroutine.
type RedisCache
type RedisCache struct {
	// contains filtered or unexported fields
}
RedisCache stores JTIs in Redis using SET NX EX for atomic check-and-store. Suitable for multi-instance deployments. Fail-closed on errors.
func NewRedisCache
func NewRedisCache(client *redis.Client, ttl time.Duration) *RedisCache
NewRedisCache creates a Redis-backed JTI cache.