Cache JWKSClient property

steventux · steventux · commit 5c12134edfa1 · 2026-04-28T16:57:13.000+01:00
The JWKSClient caches the keys from the given discovery keys endpoint, so this property should also be cached on the Authentication instance.
Cache a couple of other properties we only need to create once per instance.
diff --git a/manage_breast_screening/dicom/authentication.py b/manage_breast_screening/dicom/authentication.py
@@ -1,5 +1,6 @@
 import logging
 import os
+from functools import cached_property
 
 import jwt
 from django.conf import settings
@@ -28,10 +29,10 @@ def _decode(self, token: str) -> dict | None:
         Checks the signature, audience, and issuer claims to ensure the token is valid and intended for this API.
         """
         try:
-            signing_key = self.jwks_client.get_signing_key_from_jwt(token).key
+            signing_key = self.jwks_client.get_signing_key_from_jwt(token)
             payload = jwt.decode(
                 token,
-                signing_key,
+                signing_key.key,
                 algorithms=ALLOWED_ALGORITHMS,
                 audience=self.audience,
                 issuer=self.issuers,
@@ -48,7 +49,7 @@ def _decode(self, token: str) -> dict | None:
         except Exception:
             logger.exception("Unable to parse authentication token.")
 
-    @property
+    @cached_property
     def jwks_client(self) -> jwt.PyJWKClient:
         """
         Creates a PyJWKClient instance for fetching and caching the JWKS keys from Azure AD.
@@ -62,7 +63,7 @@ def jwks_client(self) -> jwt.PyJWKClient:
             lifespan=JWT_SET_CACHE_TTL_SECONDS,
         )
 
-    @property
+    @cached_property
     def discovery_keys_url(self) -> str:
         return f"https://login.microsoftonline.com/{self.tenant_id}/discovery/v2.0/keys"
 
@@ -80,7 +81,7 @@ def tenant_id(self) -> str | None:
         """
         return os.getenv("TENANT_ID", "")
 
-    @property
+    @cached_property
     def issuers(self) -> list:
         """
         The expected issuer claim(s) in the JWT token. This should match the tenant ID and the Azure AD endpoints.
diff --git a/manage_breast_screening/dicom/tests/test_api.py b/manage_breast_screening/dicom/tests/test_api.py
@@ -9,7 +9,6 @@
 from pydicom.uid import generate_uid
 
 from manage_breast_screening.core.api import api
-from manage_breast_screening.dicom.models import Study
 from manage_breast_screening.gateway.models import GatewayActionStatus
 from manage_breast_screening.gateway.tests.factories import GatewayActionFactory
 from manage_breast_screening.participants.models.appointment import (
@@ -157,7 +156,9 @@ def test_upload_missing_uids(dataset, mock_authentication, appointment_stub):
     )
 
 
-def test_upload_appointment_not_in_progress(dicom_file, mock_authentication, appointment_stub):
+def test_upload_appointment_not_in_progress(
+    dicom_file, mock_authentication, appointment_stub
+):
     appointment_stub.is_in_progress.return_value = False
 
     with patch(
