Caching JWKS

cachedJwks.ts

import * as https from 'https';

import { JwksModel, JwksKidToPemMap } from '../models/jwks';
import jwkToPem from 'jwk-to-pem';
import { AWS_CONFIG } from '../variables-config';


export class CachedJwks {
  private static jwks: JwksKidToPemMap = new Map<string, string>();
  private static invalidTime = 0;

  static get(): Promise<JwksKidToPemMap> {
    // env vars are loaded here because of line length restriction
    const { AWS_COGNITO_IDP_ENDPOINT, AWS_COGNITO_USER_POOL_ID } = AWS_CONFIG;

    return new Promise((resolve, reject) => {
      if (Date.now() < CachedJwks.invalidTime && CachedJwks.jwks) return resolve(CachedJwks.jwks);
      https
        .get(
          `${AWS_COGNITO_IDP_ENDPOINT}/${AWS_COGNITO_USER_POOL_ID}/.well-known/jwks.json`,
          (res) => {
            let data = '';

            res.on('data', (d) => {
              data += d;
            });

            res.on('end', () => {
              // cheating: we know for fact that
              // this well-known endpoint allows caching
              // for 1 day. It is supposed to be 86400, but
              // API call takes time, giving 50 seconds to
              // be safe
              CachedJwks.invalidTime = Date.now() + 86350 * 1000;
              const newJwks = JSON.parse(data) as JwksModel;
              const kidToPemMap = newJwks.keys.reduce((prevMap, currentJwk) => {
                return prevMap.set(currentJwk.kid, jwkToPem(currentJwk));
              }, new Map<string, string>());
              CachedJwks.jwks = kidToPemMap;
              resolve(kidToPemMap);
            });
          }
        )
        .on('error', (e) => {
          reject(e);
        });
    });
  }
}