do not cache JWKS when kid not found

nov · nov · commit cdaafeece6be · 2023-01-23T18:48:00.000+09:00
diff --git a/lib/json/jwk/set/fetcher.rb b/lib/json/jwk/set/fetcher.rb
@@ -6,6 +6,8 @@ class Cache
           def fetch(cache_key, options = {})
             yield
           end
+
+          def delete(cache_key, options = {}); end
         end
 
         def self.logger
@@ -72,7 +74,12 @@ def self.fetch(jwks_uri, kid:, auto_detect: true, **options)
           )
 
           if auto_detect
-            jwks[kid] or raise KidNotFound
+            if jwks[kid]
+              jwks[kid]
+            else
+              cache.delete(cache_key)
+              raise KidNotFound
+            end
           else
             jwks
           end
diff --git a/spec/json/jwk/set/fetcher_spec.rb b/spec/json/jwk/set/fetcher_spec.rb
@@ -68,6 +68,10 @@ def fetch(cache_key, options = {})
           yield
         end
       end
+
+      def delete(cache_key)
+        # ignore
+      end
     end
 
     let(:jwks_uri) { CustomCache::JWKS_URI }
@@ -109,8 +113,16 @@ def fetch(cache_key, options = {})
 
         context 'when unknown' do
           let(:kid) { 'unknown' }
+          let(:cache_key) do
+            [
+              'json:jwk:set',
+              OpenSSL::Digest::MD5.hexdigest(jwks_uri),
+              kid
+            ].collect(&:to_s).join(':')
+          end
 
-          it "should not request to jwks_uri" do
+          it do
+            expect(JSON::JWK::Set::Fetcher.cache).to receive(:delete).with(cache_key)
             expect do
               mock_json :get, jwks_uri, 'jwks' do
                 subject
