A quick way to validate token string #302

dcalsky · 2023-04-02T15:17:14Z

This PR reduces the scope of ToLower for strings and can provide a significant performance gain when validating Token Strings.

import (
	"strings"
	"testing"
)

var (
	authA = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIxMjMiOiJka2FzbDtka2FzO2xka2FzbDtka2FzbDtka2FzbDtka2FsO3NrZGw7Y216eC4sbWMsLnp4bWMueix4bWMuLHp4bWMuengsbWMsLnp4bWMuLHp4bWMuLHp4bSxjLiIsImlhdCI6MTY4MDQ0Nzg2OX0.E9n6tm0P1-Z_fj7RmGpk6RpPMQzTJuo7knKNM0sBhvk"
)

func BenchmarkBearer(b *testing.B) {
	b.Run("previous", func(b *testing.B) {
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			strings.HasPrefix(strings.ToLower(authA), "bearer ")
		}
	})
	b.Run("now", func(b *testing.B) {
		b.ResetTimer()
		for i := 0; i < b.N; i++ {
			strings.HasPrefix(strings.ToLower(authA[:7]), "bearer ")
		}
	})
}

goos: darwin
goarch: arm64
pkg: awesomeProject
BenchmarkBearer
BenchmarkBearer/previous
BenchmarkBearer/previous-10         	 1675801	       719.9 ns/op
BenchmarkBearer/now
BenchmarkBearer/now-10              	40375887	        28.59 ns/op

oxisto · 2023-04-02T15:48:22Z

Wow, to be honest I would not have thought that this is an issue. I wonder why the implementation of HasPrefix does not abort searching the string after n bytes. I will also look at this in the coming days if we have sufficient tests.

Update: Nevermind, obviously the ToLower was the problem here

dcalsky · 2023-04-02T15:59:05Z

Wow, to be honest I would not have thought that this is an issue. I wonder why the implementation of HasPrefix does not abort searching the string after n bytes. I will also look at this in the coming days if we have sufficient tests.

Update: Nevermind, obviously the ToLower was the problem here

Hundreds of projects use this library for authentication, so I want to improve the performance of it as much as possible :D

request/extractor.go

parser.go

oxisto · 2023-07-18T06:52:46Z

LGTM. Sorry for the long delay, I think we can ignore the 0.03 % coverage loss

cc @mfridman

cbandy · 2023-08-18T17:58:28Z

request/extractor.go

@@ -90,7 +90,7 @@ func (e BearerExtractor) ExtractToken(req *http.Request) (string, error) {
 	tokenHeader := req.Header.Get("Authorization")
 	// The usual convention is for "Bearer" to be title-cased. However, there's no
 	// strict rule around this, and it's best to follow the robustness principle here.
-	if tokenHeader == "" || !strings.HasPrefix(strings.ToLower(tokenHeader), "bearer ") {
+	if len(tokenHeader) < 7 || !strings.HasPrefix(strings.ToLower(tokenHeader[:7]), "bearer ") {


This is late and a nitpick, but HasPrefix also slices the front. Is it faster to drop the call completely?

Suggested change

if len(tokenHeader) < 7 || !strings.HasPrefix(strings.ToLower(tokenHeader[:7]), "bearer ") {

if len(tokenHeader) < 7 || strings.ToLower(tokenHeader[:7]) != "bearer " {

We adjusted it in a follow-up PR: https://github.com/golang-jwt/jwt/pull/329/files

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/golang-jwt/jwt/v5](https://togithub.com/golang-jwt/jwt) | require | minor | `v5.0.0` -> `v5.1.0` | | golang.org/x/crypto | require | minor | `v0.14.0` -> `v0.15.0` | | golang.org/x/net | require | minor | `v0.17.0` -> `v0.18.0` | | golang.org/x/oauth2 | require | minor | `v0.13.0` -> `v0.14.0` | | golang.org/x/term | require | minor | `v0.13.0` -> `v0.14.0` | --- ### Release Notes <details> <summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary> ### [`v5.1.0`](https://togithub.com/golang-jwt/jwt/releases/tag/v5.1.0) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v5.0.0...v5.1.0) #### What's Changed - Using jwt's native `ErrInvalidType` instead of `json.UnsupportedTypeError` by [@oxisto](https://togithub.com/oxisto) in [golang-jwt/jwt#316 - Fix typos in comments and test names by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#317 - Format: add whitespaces, remove empty lines by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#319 - Refactor example: use io.ReadAll instead of io.Copy by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#320 - Refactor code by using switch instead of if-else by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#318 - A quick way to validate token string by [@dcalsky](https://togithub.com/dcalsky) in [golang-jwt/jwt#302 - Refactor: remove unnecessary \[]byte conversion to string by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#330 - Refactor: compare strings with strings.EqualFold by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#329 - Avoid use of json.NewDecoder by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#313 - Update ParseUnverified godoc by [@duhaesbaert](https://togithub.com/duhaesbaert) in [golang-jwt/jwt#341 - Update ci workflows (add go1.21) by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#345 - Bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [golang-jwt/jwt#346 - Key rotation with VerificationKeySet by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#344 - Add explicit ClaimsValidator implementation check for custom claims by [@epelc](https://togithub.com/epelc) in [golang-jwt/jwt#343 - feat: allow making exp claim required by [@tareksha](https://togithub.com/tareksha) in [golang-jwt/jwt#351 - Add error handling to examples by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#312 #### New Contributors - [@alexandear](https://togithub.com/alexandear) made their first contribution in [golang-jwt/jwt#317 - [@dcalsky](https://togithub.com/dcalsky) made their first contribution in [golang-jwt/jwt#302 - [@craigpastro](https://togithub.com/craigpastro) made their first contribution in [golang-jwt/jwt#313 - [@duhaesbaert](https://togithub.com/duhaesbaert) made their first contribution in [golang-jwt/jwt#341 - [@epelc](https://togithub.com/epelc) made their first contribution in [golang-jwt/jwt#343 - [@tareksha](https://togithub.com/tareksha) made their first contribution in [golang-jwt/jwt#351 **Full Changelog**: golang-jwt/jwt@v5.0.0...v5.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge - "before 4am" (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/woodpecker-ci/woodpecker).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate logo banner](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/golang-jwt/jwt/v5](https://togithub.com/golang-jwt/jwt) | require | minor | `v5.0.0` -> `v5.1.0` | --- ### Release Notes <details> <summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary> ### [`v5.1.0`](https://togithub.com/golang-jwt/jwt/releases/tag/v5.1.0) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v5.0.0...v5.1.0) #### What's Changed - Using jwt's native `ErrInvalidType` instead of `json.UnsupportedTypeError` by [@oxisto](https://togithub.com/oxisto) in [golang-jwt/jwt#316 - Fix typos in comments and test names by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#317 - Format: add whitespaces, remove empty lines by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#319 - Refactor example: use io.ReadAll instead of io.Copy by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#320 - Refactor code by using switch instead of if-else by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#318 - A quick way to validate token string by [@dcalsky](https://togithub.com/dcalsky) in [golang-jwt/jwt#302 - Refactor: remove unnecessary \[]byte conversion to string by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#330 - Refactor: compare strings with strings.EqualFold by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#329 - Avoid use of json.NewDecoder by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#313 - Update ParseUnverified godoc by [@duhaesbaert](https://togithub.com/duhaesbaert) in [golang-jwt/jwt#341 - Update ci workflows (add go1.21) by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#345 - Bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [golang-jwt/jwt#346 - Key rotation with VerificationKeySet by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#344 - Add explicit ClaimsValidator implementation check for custom claims by [@epelc](https://togithub.com/epelc) in [golang-jwt/jwt#343 - feat: allow making exp claim required by [@tareksha](https://togithub.com/tareksha) in [golang-jwt/jwt#351 - Add error handling to examples by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#312 #### New Contributors - [@alexandear](https://togithub.com/alexandear) made their first contribution in [golang-jwt/jwt#317 - [@dcalsky](https://togithub.com/dcalsky) made their first contribution in [golang-jwt/jwt#302 - [@craigpastro](https://togithub.com/craigpastro) made their first contribution in [golang-jwt/jwt#313 - [@duhaesbaert](https://togithub.com/duhaesbaert) made their first contribution in [golang-jwt/jwt#341 - [@epelc](https://togithub.com/epelc) made their first contribution in [golang-jwt/jwt#343 - [@tareksha](https://togithub.com/tareksha) made their first contribution in [golang-jwt/jwt#351 **Full Changelog**: golang-jwt/jwt@v5.0.0...v5.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Monday" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/cozy/cozy-stack).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/golang-jwt/jwt/v5](https://togithub.com/golang-jwt/jwt) | `v5.0.0` -> `v5.2.1` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgolang-jwt%2fjwt%2fv5/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgolang-jwt%2fjwt%2fv5/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgolang-jwt%2fjwt%2fv5/v5.0.0/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgolang-jwt%2fjwt%2fv5/v5.0.0/v5.2.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>golang-jwt/jwt (github.com/golang-jwt/jwt/v5)</summary> ### [`v5.2.1`](https://togithub.com/golang-jwt/jwt/releases/tag/v5.2.1) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v5.2.0...v5.2.1) #### What's Changed - chore: remove unnecessary conversions from tests by [@estensen](https://togithub.com/estensen) in [golang-jwt/jwt#370 - Trivial: Typo fix for ECDSA error message by [@tjs-cinemo](https://togithub.com/tjs-cinemo) in [golang-jwt/jwt#373 - Fix incorrect error return by [@ss49919201](https://togithub.com/ss49919201) in [golang-jwt/jwt#371 #### New Contributors - [@tjs-cinemo](https://togithub.com/tjs-cinemo) made their first contribution in [golang-jwt/jwt#373 - [@ss49919201](https://togithub.com/ss49919201) made their first contribution in [golang-jwt/jwt#371 **Full Changelog**: golang-jwt/jwt@v5.2.0...v5.2.1 ### [`v5.2.0`](https://togithub.com/golang-jwt/jwt/releases/tag/v5.2.0) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v5.1.0...v5.2.0) #### What's Changed - Exported `NewValidator` by [@oxisto](https://togithub.com/oxisto) in [golang-jwt/jwt#349 - Improve ErrInvalidKeyType error messages by [@Laurin-Notemann](https://togithub.com/Laurin-Notemann) in [golang-jwt/jwt#361 - Update MIGRATION_GUIDE.md by [@jbarham](https://togithub.com/jbarham) in [golang-jwt/jwt#363 #### New Contributors - [@Laurin-Notemann](https://togithub.com/Laurin-Notemann) made their first contribution in [golang-jwt/jwt#361 - [@jbarham](https://togithub.com/jbarham) made their first contribution in [golang-jwt/jwt#363 **Full Changelog**: golang-jwt/jwt@v5.1.0...v5.2.0 ### [`v5.1.0`](https://togithub.com/golang-jwt/jwt/releases/tag/v5.1.0) [Compare Source](https://togithub.com/golang-jwt/jwt/compare/v5.0.0...v5.1.0) #### What's Changed - Using jwt's native `ErrInvalidType` instead of `json.UnsupportedTypeError` by [@oxisto](https://togithub.com/oxisto) in [golang-jwt/jwt#316 - Fix typos in comments and test names by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#317 - Format: add whitespaces, remove empty lines by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#319 - Refactor example: use io.ReadAll instead of io.Copy by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#320 - Refactor code by using switch instead of if-else by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#318 - A quick way to validate token string by [@dcalsky](https://togithub.com/dcalsky) in [golang-jwt/jwt#302 - Refactor: remove unnecessary \[]byte conversion to string by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#330 - Refactor: compare strings with strings.EqualFold by [@alexandear](https://togithub.com/alexandear) in [golang-jwt/jwt#329 - Avoid use of json.NewDecoder by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#313 - Update ParseUnverified godoc by [@duhaesbaert](https://togithub.com/duhaesbaert) in [golang-jwt/jwt#341 - Update ci workflows (add go1.21) by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#345 - Bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [golang-jwt/jwt#346 - Key rotation with VerificationKeySet by [@mfridman](https://togithub.com/mfridman) in [golang-jwt/jwt#344 - Add explicit ClaimsValidator implementation check for custom claims by [@epelc](https://togithub.com/epelc) in [golang-jwt/jwt#343 - feat: allow making exp claim required by [@tareksha](https://togithub.com/tareksha) in [golang-jwt/jwt#351 - Add error handling to examples by [@craigpastro](https://togithub.com/craigpastro) in [golang-jwt/jwt#312 #### New Contributors - [@alexandear](https://togithub.com/alexandear) made their first contribution in [golang-jwt/jwt#317 - [@dcalsky](https://togithub.com/dcalsky) made their first contribution in [golang-jwt/jwt#302 - [@craigpastro](https://togithub.com/craigpastro) made their first contribution in [golang-jwt/jwt#313 - [@duhaesbaert](https://togithub.com/duhaesbaert) made their first contribution in [golang-jwt/jwt#341 - [@epelc](https://togithub.com/epelc) made their first contribution in [golang-jwt/jwt#343 - [@tareksha](https://togithub.com/tareksha) made their first contribution in [golang-jwt/jwt#351 **Full Changelog**: golang-jwt/jwt@v5.0.0...v5.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/infratographer/x).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

dcalsky changed the title ~~quick way to validate token string~~ A quick way to validate token string Apr 2, 2023

oxisto previously approved these changes Apr 2, 2023

View reviewed changes

mfridman reviewed Apr 10, 2023

View reviewed changes

request/extractor.go Outdated Show resolved Hide resolved

dcalsky dismissed oxisto’s stale review via 6b99099 April 10, 2023 02:45

dcalsky force-pushed the perf_bearer branch from e7729d5 to 6b99099 Compare April 10, 2023 02:45

oxisto reviewed Apr 10, 2023

View reviewed changes

parser.go Outdated Show resolved Hide resolved

perf: quick way to validate token string

c4d17e4

dcalsky force-pushed the perf_bearer branch from 6b99099 to c4d17e4 Compare April 10, 2023 11:46

oxisto approved these changes Jul 18, 2023

View reviewed changes

mfridman approved these changes Jul 20, 2023

View reviewed changes

oxisto merged commit 8b7470d into golang-jwt:main Jul 20, 2023
7 checks passed

alexandear mentioned this pull request Aug 3, 2023

Refactor: compare strings with strings.EqualFold #329

Merged

cbandy reviewed Aug 18, 2023

View reviewed changes

oxisto mentioned this pull request Nov 8, 2023

docs: add CHANGELOG.md #326

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

A quick way to validate token string #302

A quick way to validate token string #302

dcalsky commented Apr 2, 2023

oxisto commented Apr 2, 2023 •

edited

dcalsky commented Apr 2, 2023

oxisto commented Jul 18, 2023

cbandy Aug 18, 2023

oxisto Aug 18, 2023

	if len(tokenHeader) < 7 \|\| !strings.HasPrefix(strings.ToLower(tokenHeader[:7]), "bearer ") {
	if len(tokenHeader) < 7 \|\| strings.ToLower(tokenHeader[:7]) != "bearer " {

A quick way to validate token string #302

A quick way to validate token string #302

Conversation

dcalsky commented Apr 2, 2023

oxisto commented Apr 2, 2023 • edited

dcalsky commented Apr 2, 2023

oxisto commented Jul 18, 2023

cbandy Aug 18, 2023

Choose a reason for hiding this comment

oxisto Aug 18, 2023

Choose a reason for hiding this comment

oxisto commented Apr 2, 2023 •

edited