add TODO about caching token validation IQSS#9229

Co-authored-by: Oliver Bertuch <poikilotherm@users.noreply.github.com>
johannes-darms · May 17, 2023 · 2885f68 · 2885f68
1 parent af93712
commit 2885f68
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/auth/BearerTokenAuthMechanism.java b/src/main/java/edu/harvard/iq/dataverse/api/auth/BearerTokenAuthMechanism.java
@@ -40,7 +40,8 @@ public User findUserFromRequest(ContainerRequestContext containerRequestContext)
             if (!bearerToken.isPresent()) {
                 return null;
             }
-            //validate and verify provided Bearer Token, and retrieve UserRecordIdentifier
+            // Validate and verify provided Bearer Token, and retrieve UserRecordIdentifier
+            // TODO: Get the identifier from an invalidating cache to avoid lookup bursts of the same token. Tokens in the cache should be removed after some (configurable) time.
             UserRecordIdentifier userInfo = verifyOidcBearerTokenAndGetUserIndentifier(bearerToken.get());
 
             // retrieve Authenticated User from AuthService