[pbs-devel] [PATCH proxmox 1/3] proxmox-access-control: cache verified API token secrets

Samuel Rufinatscha s.rufinatscha at proxmox.com
Fri Dec 5 14:25:57 CET 2025 

Currently, every token-based API request reads the token.shadow file and
runs the expensive password hash verification for the given token
secret. This issue was first observed as part of profiling the PBS
/status endpoint (see bug #6049 [1]) and is required for the factored
out proxmox_access_control token_shadow implementation too.

This patch introduces an in-memory cache of successfully verified token
secrets. Subsequent requests for the same token+secret combination only
perform a comparison using openssl::memcmp::eq and avoid re-running the
password hash. The cache is updated when a token secret is set and
cleared when a token is deleted. Note, this does NOT include manual
config changes, which will be covered in a subsequent patch.

This patch is a partly-fix.

[1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017

Signed-off-by: Samuel Rufinatscha <s.rufinatscha at proxmox.com>
---
 proxmox-access-control/src/token_shadow.rs | 57 +++++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)

diff --git a/proxmox-access-control/src/token_shadow.rs b/proxmox-access-control/src/token_shadow.rs
index c586d834..2dcd117d 100644
--- a/proxmox-access-control/src/token_shadow.rs
+++ b/proxmox-access-control/src/token_shadow.rs
@@ -1,4 +1,5 @@
 use std::collections::HashMap;
+use std::sync::{OnceLock, RwLock};
 
 use anyhow::{bail, format_err, Error};
 use serde_json::{from_value, Value};
@@ -8,6 +9,13 @@ use proxmox_product_config::{open_api_lockfile, replace_config, ApiLockGuard};
 
 use crate::init::impl_feature::{token_shadow, token_shadow_lock};
 
+/// Global in-memory cache for successfully verified API token secrets.
+/// The cache stores plain text secrets for token Authids that have already been
+/// verified against the hashed values in `token.shadow`. This allows for cheap
+/// subsequent authentications for the same token+secret combination, avoiding
+/// recomputing the password hash on every request.
+static TOKEN_SECRET_CACHE: OnceLock<RwLock<ApiTokenSecretCache>> = OnceLock::new();
+
 // Get exclusive lock
 fn lock_config() -> Result<ApiLockGuard, Error> {
     open_api_lockfile(token_shadow_lock(), None, true)
@@ -36,9 +44,25 @@ pub fn verify_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
         bail!("not an API token ID");
     }
 
+    // Fast path
+    if let Some(cached) = token_secret_cache().read().unwrap().secrets.get(tokenid) {
+        // Compare cached secret with provided one using constant time comparison
+        if openssl::memcmp::eq(cached.as_bytes(), secret.as_bytes()) {
+            // Already verified before
+            return Ok(());
+        }
+        // Fall through to slow path if secret doesn't match cached one
+    }
+
+    // Slow path: read file + verify hash
     let data = read_file()?;
     match data.get(tokenid) {
-        Some(hashed_secret) => proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret),
+        Some(hashed_secret) => {
+            proxmox_sys::crypt::verify_crypt_pw(secret, hashed_secret)?;
+            // Cache the plain secret for future requests
+            cache_insert_secret(tokenid.clone(), secret.to_owned());
+            Ok(())
+        }
         None => bail!("invalid API token"),
     }
 }
@@ -56,6 +80,8 @@ pub fn set_secret(tokenid: &Authid, secret: &str) -> Result<(), Error> {
     data.insert(tokenid.clone(), hashed_secret);
     write_file(data)?;
 
+    cache_insert_secret(tokenid.clone(), secret.to_owned());
+
     Ok(())
 }
 
@@ -71,6 +97,8 @@ pub fn delete_secret(tokenid: &Authid) -> Result<(), Error> {
     data.remove(tokenid);
     write_file(data)?;
 
+    cache_remove_secret(tokenid);
+
     Ok(())
 }
 
@@ -81,3 +109,30 @@ pub fn generate_and_set_secret(tokenid: &Authid) -> Result<String, Error> {
     set_secret(tokenid, &secret)?;
     Ok(secret)
 }
+
+struct ApiTokenSecretCache {
+    /// Keys are token Authids, values are the corresponding plain text secrets.
+    /// Entries are added after a successful on-disk verification in
+    /// `verify_secret` or when a new token secret is generated by
+    /// `generate_and_set_secret`. Used to avoid repeated
+    /// password-hash computation on subsequent authentications.
+    secrets: HashMap<Authid, String>,
+}
+
+fn token_secret_cache() -> &'static RwLock<ApiTokenSecretCache> {
+    TOKEN_SECRET_CACHE.get_or_init(|| {
+        RwLock::new(ApiTokenSecretCache {
+            secrets: HashMap::new(),
+        })
+    })
+}
+
+fn cache_insert_secret(tokenid: Authid, secret: String) {
+    let mut cache = token_secret_cache().write().unwrap();
+    cache.secrets.insert(tokenid, secret);
+}
+
+fn cache_remove_secret(tokenid: &Authid) {
+    let mut cache = token_secret_cache().write().unwrap();
+    cache.secrets.remove(tokenid);
+}
-- 
2.47.3

More information about the pbs-devel mailing list