master/synapse
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Don't cache introspection failures (#18339)

Browse Source
This commit is contained in:
Quentin Gliech 2025-04-15 17:30:45 +02:00 committed by GitHub
parent 45420b1d42
commit 2c7a61e311
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/18339.bugfix Normal file
View File

@ -0,0 +1 @@
Stop caching introspection failures when delegating auth to MAS.

12
synapse/api/auth/msc3861_delegated.py
View File

@ -49,7 +49,7 @@ from synapse.logging.opentracing import active_span, force_tracing, start_active
from synapse.types import Requester, UserID, create_requester
from synapse.util import json_decoder
from synapse.util.caches.cached_call import RetryOnExceptionCachedCall
from synapse.util.caches.response_cache import ResponseCache
from synapse.util.caches.response_cache import ResponseCache, ResponseCacheContext
if TYPE_CHECKING:
from synapse.rest.admin.experimental_features import ExperimentalFeature
@ -279,7 +279,9 @@ class MSC3861DelegatedAuth(BaseAuth):
metadata = await self._issuer_metadata.get()
return metadata.get("introspection_endpoint")
async def _introspect_token(self, token: str) -> IntrospectionResult:
async def _introspect_token(
self, token: str, cache_context: ResponseCacheContext[str]
) -> IntrospectionResult:
"""
Send a token to the introspection endpoint and returns the introspection response
@ -295,6 +297,8 @@ class MSC3861DelegatedAuth(BaseAuth):
Returns:
The introspection response
"""
# By default, we shouldn't cache the result unless we know it's valid
cache_context.should_cache = False
introspection_endpoint = await self._introspection_endpoint()
raw_headers: Dict[str, str] = {
"Content-Type": "application/x-www-form-urlencoded",
@ -352,6 +356,8 @@ class MSC3861DelegatedAuth(BaseAuth):
"The introspection endpoint returned an invalid JSON response."
)
# We had a valid response, so we can cache it
cache_context.should_cache = True
return IntrospectionResult(
IntrospectionToken(**resp), retrieved_at_ms=self._clock.time_msec()
)
@ -482,7 +488,7 @@ class MSC3861DelegatedAuth(BaseAuth):
try:
introspection_result = await self._introspection_cache.wrap(
token, self._introspect_token, token
token, self._introspect_token, token, cache_context=True
)
except Exception:
logger.exception("Failed to introspect token")