fix: Make JWKS cache shared across SDK instances

After 1123911 the JWKs cache wasn't working as expected, since the
middleware constructed a new SDK instance on each request and the cache
was an instance variable. So each request was effectively bypassing the
cache and requested the JWKS anew.

With this change, the JWKs cache is made thread-safe and shared between
all instances of the SDK.

Fixes AUTH-76

Gemfile.lock

@@ -1,14 +1,16 @@
 PATH
   remote: .
   specs:
-    clerk-sdk-ruby (2.7.0)
+    clerk-sdk-ruby (2.8.0)
+      concurrent-ruby (~> 1.1)
       faraday (~> 1.4.1)
       jwt (~> 2.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
     byebug (11.1.3)
+    concurrent-ruby (1.1.10)
     faraday (1.4.3)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
@@ -23,11 +25,11 @@ GEM
     faraday-net_http (1.0.1)
     faraday-net_http_persistent (1.2.0)
     jwt (2.5.0)
-    minitest (5.14.2)
+    minitest (5.16.3)
     multipart-post (2.2.3)
-    rake (13.0.3)
+    rake (13.0.6)
     ruby2_keywords (0.0.5)
-    timecop (0.9.4)
+    timecop (0.9.6)
 
 PLATFORMS
   universal-darwin-21

clerk-sdk-ruby.gemspec

@@ -29,6 +29,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "faraday", "~> 1.4.1"
   spec.add_dependency "jwt", '~> 2.2'
+  spec.add_dependency "concurrent-ruby", "~> 1.1"
 
   spec.add_development_dependency "byebug", "~> 11.1"
   spec.add_development_dependency "timecop", "~> 0.9.4"

lib/clerk/jwks_cache.rb

@@ -0,0 +1,25 @@
+class JWKSCache
+  def initialize(lifetime)
+    @lifetime = lifetime
+    @jwks = nil
+    @fetched_at = nil
+    @lock = Concurrent::ReadWriteLock.new
+  end
+
+  def fetch(sdk, force_refresh: false)
+    should_refresh = @lock.with_read_lock do
+      force_refresh || @jwks.nil? || (@fetched_at && ((Time.now.to_i-@fetched_at) > @lifetime))
+    end
+
+    if should_refresh
+      @lock.with_write_lock do
+        @jwks = sdk.jwks.all["keys"]
+        @fetched_at = Time.now.to_i
+      end
+    end
+
+    @lock.with_read_lock do
+      @jwks
+    end
+  end
+end

lib/clerk/sdk.rb

@@ -5,6 +5,7 @@
 require "net/http"
 require "json"
 require "jwt"
+require "concurrent-ruby"
 
 require_relative "resources/allowlist_identifiers"
 require_relative "resources/allowlist"
@@ -19,6 +20,7 @@
 require_relative "resources/users"
 require_relative "resources/jwks"
 require_relative "errors"
+require_relative "jwks_cache"
 
 module Clerk
   class SDK
@@ -30,10 +32,14 @@ class SDK
     # How often (in seconds) should JWKs be refreshed
     JWKS_CACHE_LIFETIME = 3600 # 1 hour
 
+    @@jwks_cache = JWKSCache.new(JWKS_CACHE_LIFETIME)
+
+    def self.jwks_cache
+      @@jwks_cache
+    end
+
     def initialize(api_key: nil, base_url: nil, logger: nil, ssl_verify: true,
                    connection: nil)
-      @jwks_fetched_at = nil
-
       if connection # Inject a Faraday::Connection for testing or full control over Faraday
         @conn = connection
         return
@@ -170,17 +176,9 @@ def decode_token(token)
     # `timeout` argument.
     def verify_token(token, force_refresh_jwks: false, algorithms: ['RS256'], timeout: 5)
       jwk_loader = ->(options) do
-        @cached_jwks = nil if options[:invalidate] || force_refresh_jwks
-        @cached_jwks = nil if @jwks_fetched_at && Time.now.to_i - @jwks_fetched_at > JWKS_CACHE_LIFETIME
-
-        @cached_jwks ||= begin
-          keys = jwks.all["keys"]
-          @jwks_fetched_at = Time.now.to_i
-
-          # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
-          # opposed to a string which our SDK returns by default)
-          { keys: keys }
-        end
+        # JWT.decode requires that the 'keys' key in the Hash is a symbol (as
+        # opposed to a string which our SDK returns by default)
+        { keys: SDK.jwks_cache.fetch(self, force_refresh: (options[:invalidate] || force_refresh_jwks)) }
       end
 
       JWT.decode(token, nil, true, algorithms: algorithms, jwks: jwk_loader).first