From a602ca20ad863798fc688b268ab2115962f75ee7 Mon Sep 17 00:00:00 2001 From: D050513 Date: Thu, 31 Jul 2025 11:55:38 +0200 Subject: [PATCH 1/5] [cds^9.2] feat(auth): xssec's caching enabled by default --- node.js/authentication.md | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index 2394829ea..fc0cdfe6e 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md 
@@ -440,12 +440,35 @@ export default function custom_auth(req: Req, res: Response, next: NextFunction) [If you want to customize the user ID, please also have a look at this example.](/node.js/cds-serve#customization-of-cds-context-user){.learn-more} -## Authentication Enforced in Production +## Authentication in Production + +### Enforced by Default In a productive scenario with an authentication strategy configured, for example the default `jwt`, all CAP service endpoints are authenticated by default, regardless of the authorization model. That is, all services without `@restrict` or `@requires` implicitly get `@requires: 'authenticated-user'`. This can be disabled via feature flag cds.requires.auth.restrict_all_services: false, or by using [mocked authentication](#mocked) explicitly in production. +### Cached by Default + +`@sap/xssec^4.8` provides a way to improve latency on subsequent requests with the same token by introducing two caches for CPU-intensive operations: +- **Signature cache**: This cache handles the cryptographic signature validation of a JWT token. +- **Token decode cache**: This cache manages the base64-decoding of a JWT token. + +Both caches are enabled by default. + +The _signature cache_ can be configured or deactivated via `cds.requires.auth.config` (which is passed through to `@sap/xssec`). + +The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping (e.g., in a [custom `server.js`](../cds-server#custom-server-js)) via +```js +require('@sap/xssec').Token.enableDecodeCache(config?) +``` +and deactivated via +```js +require('@sap/xssec').Token.decodeCache = false +``` + +[Learn more about caching CPU intensive operations in `@sap/xssec`](https://www.npmjs.com/package/@sap/xssec#caching-cpu-intensive-operations){.learn-more} + ## XSUAA in Hybrid Setup {#xsuaa-setup} From 9602f86b75069d309e009fbf3684d8d5a9a0c25d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ren=C3=A9=20Jeglinsky?= Date: Tue, 12 Aug 2025 12:34:50 +0200 Subject: [PATCH 2/5] Apply suggestions from code review --- node.js/authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index 77cb82eaa..d487a30a9 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -480,9 +480,9 @@ This can be disabled via feature flag cds.requires.auth.restrict_all_ser Both caches are enabled by default. -The _signature cache_ can be configured or deactivated via `cds.requires.auth.config` (which is passed through to `@sap/xssec`). +The _signature cache_ can be configured or deactivated via cds.requires.auth.config.signature-cache (which is passed through to `@sap/xssec`). -The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping (e.g., in a [custom `server.js`](../cds-server#custom-server-js)) via +The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping, for example in a [custom `server.js`](../cds-server#custom-server-js) file, as follows: ```js require('@sap/xssec').Token.enableDecodeCache(config?) ``` From a04fd9518ffd8f6c77e11dadc5bec02d015b8f4e Mon Sep 17 00:00:00 2001 From: Rene Jeglinsky Date: Tue, 12 Aug 2025 13:33:33 +0200 Subject: [PATCH 3/5] fix link --- node.js/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index d487a30a9..b911d5d37 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md 
@@ -482,7 +482,7 @@ Both caches are enabled by default. The _signature cache_ can be configured or deactivated via cds.requires.auth.config.signature-cache (which is passed through to `@sap/xssec`). -The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping, for example in a [custom `server.js`](../cds-server#custom-server-js) file, as follows: +The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping, for example in a [custom `server.js`](cds-server#custom-server-js) file, as follows: ```js require('@sap/xssec').Token.enableDecodeCache(config?) ``` From 1da2812f19908182c07389783f40f4953c1510fb Mon Sep 17 00:00:00 2001 From: sjvans <30337871+sjvans@users.noreply.github.com> Date: Wed, 13 Aug 2025 12:57:48 +0200 Subject: [PATCH 4/5] Update node.js/authentication.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: René Jeglinsky --- node.js/authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index b911d5d37..493d4c5e2 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -480,7 +480,9 @@ This can be disabled via feature flag cds.requires.auth.restrict_all_ser Both caches are enabled by default. -The _signature cache_ can be configured or deactivated via cds.requires.auth.config.signature-cache (which is passed through to `@sap/xssec`). +The _signature cache_ can be configured or deactivated via cds.requires.auth.config (which is passed through to `@sap/xssec`). + +[Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more] The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping, for example in a [custom `server.js`](cds-server#custom-server-js) file, as follows: ```js 
From 6b1668bae08bde28986ea8e790492008be55e531 Mon Sep 17 00:00:00 2001 From: sjvans <30337871+sjvans@users.noreply.github.com> Date: Wed, 13 Aug 2025 12:58:08 +0200 Subject: [PATCH 5/5] Update node.js/authentication.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: René Jeglinsky --- node.js/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node.js/authentication.md b/node.js/authentication.md index 493d4c5e2..b2f7413a7 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -484,7 +484,7 @@ The _signature cache_ can be configured or deactivated via cds.r [Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more] -The _token decode cache_, on the other hand, can be configured programmatically during bootstrapping, for example in a [custom `server.js`](cds-server#custom-server-js) file, as follows: +The _token decode cache_, on the other hand, can only be configured programmatically during bootstrapping, for example in a [custom `server.js`](cds-server#custom-server-js) file, as follows: ```js require('@sap/xssec').Token.enableDecodeCache(config?) ```
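Review bot: in the "Cached by Default" hunk of patch 1, the `js` fence `require('@sap/xssec').Token.enableDecodeCache(config?)` is not valid JavaScript; the `?` is TypeScript optional-parameter notation and pasting the line as shown throws a SyntaxError. Write the call as `require('@sap/xssec').Token.enableDecodeCache()` and say in prose that an options object may be passed, or show a concrete options object. The same hunk enables the decode cache with a method call but deactivates it with a property assignment (`Token.decodeCache = false`); please confirm both forms against the `@sap/xssec` readme you link to and keep them consistent. Since the caches are now on by default in production, the text should also state the `cds` version from which that holds (the subject says `cds^9.2`, the body only mentions `@sap/xssec^4.8`) and give the operator the caveat that matters for a cached signature check: which claim checks (for example expiry) still run on every request, what the cache is keyed on, and how long a cached result survives a signing-key rotation, or at least point to where the TTL and size defaults are documented.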
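Review bot: in the patch 4 hunk, the added `[Learn more about signature cache and its configuration.](https://www.npmjs.com/package/@sap/xssec#signature-cache)[.learn-more]` uses square brackets for the class attribute, whereas the rest of this file uses curly braces (compare the `{.learn-more}` on the "customize the user ID" link in the first hunk); with `[.learn-more]` the marker renders as literal text, so change it to `{.learn-more}` and write "the signature cache". The same hunk reverts patch 2's `cds.requires.auth.config.signature-cache` back to plain `cds.requires.auth.config`, which leaves the reader without the actual key to set; either name the key or add a two-line configuration snippet next to the link, and consider squashing patches 2 and 4 so the series does not carry a change that is immediately undone.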