vigneshio opened a new pull request, #4620: URL: https://github.com/apache/polaris/pull/4620
TokenBroker is request-scoped, so we spin up a new one on every HTTP request. Right now `verify()` rebuilds the `JWTVerifier` on every call, and both `verify()` and `sign()` rebuild the `Algorithm` via `getAlgorithm()`. Since both are immutable and thread-safe, there's no reason to keep reconstructing them. This PR just caches them in the constructor instead. Fewer allocations, simpler lifecycle.

## Files changed

- `JWTBroker.java` - takes `Algorithm` in the constructor, caches it + a pre-built `JWTVerifier`
- `RSAKeyPairJWTBroker.java` - builds `Algorithm.RSA256(...)` up front
- `SymmetricKeyJWTBroker.java` - builds `Algorithm.HMAC256(...)` up front

## One small behavior note

If you're using a **file-based symmetric secret** (`file:` instead of `secret:` in config), the file gets read once per broker instance now instead of on every JWT operation. For the normal `secret:` config case, nothing changes.

## Tests

Added `testMultipleVerificationsWithSameBroker()` to both `JWTSymmetricKeyGeneratorTest` and `RSAKeyPairJWTBrokerTest` to make sure the cached verifier works across multiple calls on the same broker.

## Checklist

- [x] No security issues disclosed
- [x] Explained why the change is needed
- [x] Added tests (compile-verified; full suite via CI)
- [ ] Comments for complex logic - change is straightforward, no extra comments needed
- [x] Updated `CHANGELOG.md`
- [ ] Updated documentation - no user-facing changes

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
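The pattern the description outlines, as an added example that is not code from the pull request or from Polaris: a broker that reads a file-based secret once in its constructor and reuses the cached `Algorithm` and `JWTVerifier`, so a rotated secret file only takes effect for brokers constructed afterwards. It assumes the auth0 `java-jwt` library and Java 11+; the class name `CachedHmacBroker`, the issuer and the secret values are hypothetical.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Date;

// Hypothetical class for illustration; not Polaris's JWTBroker.
public final class CachedHmacBroker {
  private final String issuer;
  private final Algorithm algorithm;  // immutable, built once per broker
  private final JWTVerifier verifier; // thread-safe, built once per broker

  // The secret file is read here, once per instance. Changes to the file
  // are only seen by brokers constructed after the change.
  public CachedHmacBroker(Path secretFile, String issuer) throws IOException {
    this.issuer = issuer;
    this.algorithm = Algorithm.HMAC256(Files.readAllBytes(secretFile));
    this.verifier = JWT.require(algorithm).withIssuer(issuer).build();
  }

  public String sign(String subject, long ttlMillis) {
    return JWT.create().withIssuer(issuer).withSubject(subject)
        .withExpiresAt(new Date(System.currentTimeMillis() + ttlMillis))
        .sign(algorithm);
  }

  // Reuses the cached verifier; signature, issuer and expiry are checked.
  public boolean verify(String token) {
    try {
      verifier.verify(token);
      return true;
    } catch (JWTVerificationException e) {
      return false;
    }
  }

  public static void main(String[] args) throws IOException {
    Path file = Files.createTempFile("broker-secret", ".key"); // constructed sample
    Files.writeString(file, "constructed-secret-v1");
    CachedHmacBroker first = new CachedHmacBroker(file, "example-issuer");
    String token = first.sign("alice", 60_000);
    Files.writeString(file, "constructed-secret-v2"); // simulate rotation
    CachedHmacBroker second = new CachedHmacBroker(file, "example-issuer");
    System.out.println("first broker, call 1: " + first.verify(token));
    System.out.println("first broker, call 2: " + first.verify(token));
    System.out.println("second broker:        " + second.verify(token));
  }
}
```

Comparing the first broker's results with the second's shows which key each instance holds after the file changes, which is the window to account for when planning secret rotation.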
