passageidentity / passage-go


jwkCache can't be updated concurrently #65

Open dusty-phillips opened 3 months ago

dusty-phillips commented 3 months ago

Last night my service failed with this traceback:

fatal error: concurrent map writes
goroutine 20214 [running]:
github.com/passageidentity/passage-go.(*App).fetchJWKS(0xc00017a390)
    /opt/render/project/go/pkg/mod/github.com/passageidentity/passage-go@v1.11.0/authentication.go:70 +0xb8
github.com/passageidentity/passage-go.New({0xc00003a33f, 0x18}, 0x0?)
    /opt/render/project/go/pkg/mod/github.com/passageidentity/passage-go@v1.11.0/app.go:41 +0x185
       <snip>

This is because fetchJWKS() is writing to the jwkCache without synchronization: https://github.com/passageidentity/passage-go/blob/main/authentication.go#L70C2-L70C10

I think one of these changes is needed:

Great product and service, BTW. Your dev experience blows the competition out of the water.
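
The `concurrent map writes` crash in the traceback above comes from unsynchronized writes to a shared Go map. The sketch below guards such a cache with a `sync.RWMutex`; it is an added example, not part of the original post and not passage-go's code, and `jwksCache`, `get`, `populate` and the `app-N` IDs are hypothetical names.

```go
package main

import (
	"fmt"
	"sync"
)

// jwksCache is a hypothetical JWKS cache keyed by app ID (not passage-go's API).
type jwksCache struct {
	mu   sync.RWMutex
	keys map[string][]byte // app ID -> raw JWKS document
}

// get returns the cached JWKS for appID, calling fetch only on a miss.
func (c *jwksCache) get(appID string, fetch func(string) ([]byte, error)) ([]byte, error) {
	c.mu.RLock()
	jwks, ok := c.keys[appID]
	c.mu.RUnlock()
	if ok {
		return jwks, nil
	}
	// Fetch outside the lock so a slow network call does not block readers.
	jwks, err := fetch(appID)
	if err != nil {
		return nil, err // nothing is cached on failure
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if existing, ok := c.keys[appID]; ok {
		return existing, nil // another goroutine stored it first; keep that value
	}
	c.keys[appID] = jwks
	return jwks, nil
}

// populate mimics many goroutines building clients at once; returns the entry count.
func populate(c *jwksCache, workers int) int {
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func(id string) {
			defer wg.Done()
			c.get(id, func(string) ([]byte, error) { return []byte(`{"keys":[]}`), nil })
		}(fmt.Sprintf("app-%d", i%4)) // constructed app IDs
	}
	wg.Wait()
	return len(c.keys) // safe: every writer has finished
}

func main() { fmt.Println(populate(&jwksCache{keys: map[string][]byte{}}, 64)) }
```

Running it under `go run -race` exercises the same access pattern with the race detector enabled.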

dusty-phillips commented 3 months ago

This happened again after I tried a singleton app instance, so I think the fourth option doesn’t work.

bertrmz commented 3 months ago

Hi @dusty-phillips, thank you for raising this issue.

We're working on a fix; I'll post an update here when it's available.