[cds^9.2] feat(auth): xssec's caching enabled by default #1998

Merged
merged 8 commits into from
Aug 13, 2025
27 changes: 26 additions & 1 deletion node.js/authentication.md
Expand Up @@ -464,12 +464,37 @@ export default function custom_auth(req: Req, res: Response, next: NextFunction)
[If you want to customize the user ID, please also have a look at this example.](/node.js/cds-serve#customization-of-cds-context-user){.learn-more}


## Authentication Enforced in Production
## Authentication in Production

### Enforced by Default

In a productive scenario with an authentication strategy configured, for example the default `jwt`, all CAP service endpoints are authenticated by default, regardless of the authorization model. That is, all services without `@restrict` or `@requires` implicitly get `@requires: 'authenticated-user'`.

This can be disabled via feature flag <Config>cds.requires.auth.restrict_all_services: false</Config>, or by using [mocked authentication](#mocked) explicitly in production.

### Cached by Default

`@sap/xssec^4.8` provides a way to improve latency on subsequent requests with the same token by introducing two caches for CPU-intensive operations:
- **Signature cache**: This cache handles the cryptographic signature validation of a JWT token.
- **Token decode cache**: This cache manages the base64-decoding of a JWT token.

Both caches are enabled by default.

The _signature cache_ can be configured or deactivated via <Config keyOnly>cds.requires.auth.config</Config> (which is passed through to `@sap/xssec`).

[Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more]
Suggested change
[Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more]
[Learn more about signature cache and its configuration.][.learn-more](https://www.npmjs.com/package/@sap/xssec#signature-cache)


The _token decode cache_, on the other hand, can only be configured programmatically during bootstrapping, for example in a [custom `server.js`](cds-server#custom-server-js) file, as follows:
```js
require('@sap/xssec').Token.enableDecodeCache(config?)
```
and deactivated via
```js
require('@sap/xssec').Token.decodeCache = false
```

[Learn more about caching CPU intensive operations in `@sap/xssec`](https://www.npmjs.com/package/@sap/xssec#caching-cpu-intensive-operations){.learn-more}


## XSUAA in Hybrid Setup {#xsuaa-setup}
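Review bot: the decode-cache snippet `require('@sap/xssec').Token.enableDecodeCache(config?)` is not valid JavaScript; the `?` is TypeScript optional-parameter notation and throws a SyntaxError if a reader pastes the line into `server.js` as the sentence invites. Suggest `require('@sap/xssec').Token.enableDecodeCache(config)` (or a bare `enableDecodeCache()`) and say in the surrounding sentence that the argument is optional. Two smaller points in the same hunk: the added link `[Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more]` uses `[.learn-more]`, whereas every other learn-more link in this file, including the `cds-serve` and `caching-cpu-intensive-operations` links visible here, uses the `{.learn-more}` attribute after the closing parenthesis, so that is the form to keep (the inline suggestion above moves the attribute in front of the URL, which breaks the link). And because both caches now become active in production with no opt-in, the "Cached by Default" section should state, or point directly at, how long a cached signature-validation result is retained and how the cache is bounded; as written, a reader cannot tell from this section how a cached result behaves across, for example, a signing-key rotation, which is the first question an operator will ask before accepting the new default.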
