This took me a while to track down. I would sometimes get {"detail":"JWK public Attribute for authorization token not found"} after 7 days of the fastapi instance being up. This hinted towards something expiring.
The firebase.JWKsVerifier class sets self._jwks_to_key = jwks.keys; where jwks is a firebase.JWKS instance. JWKS.firebase is constructed like so:
```python
@classmethod
def firebase(cls, url: str) -> "JWKS":
    """ get and parse json into jwks from endpoint for Firebase, """
    certs = requests.get(url).json()
    keys = {
        kid: jwk.construct(publickey, algorithm="RS256")
        for kid, publickey in certs.items()
    }
    return cls(keys=keys)
```
What this means is the keys are queried with certs = requests.get(url).json() and stored for as long as the instance is up, but they are never refreshed.
@tokusumi I can raise a PR to fix this if you're too busy, but I'd like your take on how to proceed with it. I'm not sure where to even do the detection for expired keys.
It's worth noting: The URL https://www.googleapis.com/robot/v1/metadata/x509/[email protected] has an expires header which indicates a ~6 hours TTL. This is much lower than the time they actually disappear; probably on purpose to give time to roll over. My take is that we should store the expires header, and simply update the keys if they have expired (probably with some kind of lock to prevent a bunch of attempts re-querying at the same time).
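The approach proposed in the comment above (store the `Expires` header, re-query once it has passed, serialize the refresh with a lock), as an added example that is not fastapi-cloudauth's code. `RefreshingKeys`, `http_fetch`, the injectable `fetch`/`construct`/`clock` parameters and the 300-second fallback are assumptions of this example; passing `construct=lambda pem: jwk.construct(pem, algorithm="RS256")` would build keys the way the quoted classmethod does.

```python
import json
import threading
import time
import urllib.request
from email.utils import parsedate_to_datetime


def http_fetch(url):
    """Return (certs dict, Expires header value) from the certificate endpoint."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp), resp.headers.get("Expires")


class RefreshingKeys:
    """kid -> key cache that re-queries the endpoint once Expires has passed."""

    def __init__(self, url, fetch=http_fetch, construct=lambda pem: pem, clock=time.time):
        self._url, self._fetch, self._construct, self._clock = url, fetch, construct, clock
        self._lock = threading.Lock()
        self._keys = {}
        self._expires_at = 0.0  # epoch seconds; 0 forces a fetch on first use

    def _refresh(self):
        certs, expires = self._fetch(self._url)
        keys = {kid: self._construct(pem) for kid, pem in certs.items()}
        try:
            expires_at = parsedate_to_datetime(expires).timestamp()
        except (TypeError, ValueError):
            # Header missing or malformed: assumed short fallback TTL.
            expires_at = self._clock() + 300
        self._keys, self._expires_at = keys, expires_at

    def get(self, kid):
        """Return the key for kid (or None), refreshing first if the cache expired."""
        if self._clock() >= self._expires_at:
            with self._lock:
                # Re-check under the lock: a concurrent caller may already have
                # refreshed, so only one request goes out per expiry.
                if self._clock() >= self._expires_at:
                    # A failed fetch propagates and leaves the cache marked
                    # expired, so verification fails closed and the next call retries.
                    self._refresh()
        return self._keys.get(kid)
```

A `kid` that is still missing after a refresh returns `None`, which the verifier should treat as a rejected token rather than a reason to re-query in a loop.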