fix: tokenizer cache ttls and guardrails for config (#9776)

2025-12-05 11:01:05 +05:30
parent 8867e1ef38
commit 44f00943a8
4 changed files with 19 additions and 3 deletions
--- a/pkg/cache/memorycache/provider.go
+++ b/pkg/cache/memorycache/provider.go
@@ -105,6 +105,12 @@ func (provider *provider) Set(ctx context.Context, orgID valuer.UUID, cacheKey s
 		return err
 	}

+	// To make sure ristretto does not go into no-op
+	if ttl < 0 {
+		provider.settings.Logger().WarnContext(ctx, "ttl is less than 0, setting it to 0")
+		ttl = 0
+	}
+
 	if cloneable, ok := data.(cachetypes.Cloneable); ok {
 		span.SetAttributes(attribute.Bool("memory.cloneable", true))
 		span.SetAttributes(attribute.Int64("memory.cost", 1))
--- a/pkg/tokenizer/config.go
+++ b/pkg/tokenizer/config.go
@@ -93,6 +93,16 @@ func newConfig() factory.Config {
 }

 func (c Config) Validate() error {
+	// Ensure that lifetime idle is not negative
+	if c.Lifetime.Idle < 0 {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "lifetime::idle must not be negative")
+	}
+
+	// Ensure that lifetime max is not negative
+	if c.Lifetime.Max < 0 {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "lifetime::max must not be negative")
+	}
+
 	// Ensure that rotation interval is smaller than lifetime idle
 	if c.Rotation.Interval >= c.Lifetime.Idle {
 		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "rotation::interval must be smaller than lifetime::idle")
--- a/pkg/tokenizer/jwttokenizer/provider.go
+++ b/pkg/tokenizer/jwttokenizer/provider.go
@@ -263,7 +263,7 @@ func (provider *provider) getOrSetIdentity(ctx context.Context, orgID, userID va
 		return nil, err
 	}

-	err = provider.cache.Set(ctx, orgID, identityCacheKey(identity.UserID), identity, -1)
+	err = provider.cache.Set(ctx, orgID, identityCacheKey(identity.UserID), identity, 0)
 	if err != nil {
 		provider.settings.Logger().ErrorContext(ctx, "failed to cache identity", "error", err)
 	}
--- a/pkg/tokenizer/opaquetokenizer/provider.go
+++ b/pkg/tokenizer/opaquetokenizer/provider.go
@@ -410,7 +410,7 @@ func (provider *provider) setToken(ctx context.Context, token *authtypes.Token,
 }

 func (provider *provider) setIdentity(ctx context.Context, identity *authtypes.Identity) error {
-	err := provider.cache.Set(ctx, emptyOrgID, identityCacheKey(identity.UserID), identity, -1)
+	err := provider.cache.Set(ctx, emptyOrgID, identityCacheKey(identity.UserID), identity, 0)
 	if err != nil {
 		return err
 	}
@@ -434,7 +434,7 @@ func (provider *provider) getOrGetSetIdentity(ctx context.Context, userID valuer
 		return nil, err
 	}

-	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(userID), identity, -1)
+	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(userID), identity, 0)
 	if err != nil {
 		return nil, err
 	}