Skip to content

Restrict WFE account cache to POST-as-GET requests#8852

Open
aarongable wants to merge 4 commits into
mainfrom
get-only-account-cache
Open

Restrict WFE account cache to POST-as-GET requests#8852
aarongable wants to merge 4 commits into
mainfrom
get-only-account-cache

Conversation

@aarongable

Copy link
Copy Markdown
Contributor

Add an argument to some of wfe2/verify.go's JWK-verification functions, which supplies the AccountGetter which should be used to look up the account. For all POST codepaths, supply wfe.sa (i.e. a connection to the real database) as the source. For all POST-as-GET codepaths, supply wfe.accountCache, to reduce database load from frequent-but-idempotent read-only requests.

This prevents situations where an account rotates its key, but a subsequent request using the same key is still able to make changes to the account (such as rotating the key again) due to the account cache.

Also add a new ability to purge entries from the account cache, and call it when accounts are deactivated or have their key rotated. This is an imperfect defense-in-depth measure, as multiple WFEs may have the old account data cached and only one WFE instance will see the request which triggers the cache purge, but it still helps reduce confusing behavior.

This is a simpler alternative to #8796, building on the diff introduced in that PR.

Fixes #8795
Fixes #6144

@aarongable aarongable changed the title Restrict WFE account cache to GET requests Restrict WFE account cache to POST-as-GET requests Jul 6, 2026
@aarongable aarongable marked this pull request as ready for review July 6, 2026 19:42
@aarongable aarongable requested a review from a team as a code owner July 6, 2026 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

wfe2: stale account cache can authenticate mutations with old account state wfe: account cache is missing invalidation after account update

2 participants