We still need to take care of:

Added a test for the password validation

phpstan

Now taking the ldap password into account

• Simplify again

• Simplify/Unify

• Couple of fixes, tenant-condition for wallets

In D2566#30199, @machniak wrote:

On the other hand, maybe %dms format would be better for query time.

In D2494#30205, @machniak wrote:

To sum up the current state:

1. All tests pass!
2. Tokens refresh request is fast now, but /auth/login is still 0.3-0.4 sec. I didn't investigate how much of that is passport.

To sum up the current state:

1. All tests pass!
2. Tokens refresh request is fast now, but /auth/login is still 0.3-0.4 sec. I didn't investigate how much of that is passport.
3. We should probably add some code to Kernel as in https://laravel.com/docs/6.x/passport#purging-tokens
4. @vanmeeuwen, should take a look at this regarding deployment of the oauth keys and client secret (and ./artisan passport:keys --force) - we need the same keys on every Kolab4 host.

On the other hand, maybe %dms format would be better for query time.

• phpstan
• Addressed slow token issuing by customizing the PassportServiceProvider

We're not the first to encounter the crypto slowness:

• https://github.com/thephpleague/oauth2-server/issues/812
• https://github.com/laravel/passport/pull/820/commits/30e175f3876a9838b5d5b4eafe2711221e958883

One culprit is certainly Crypto::decryptWithPassword, which takes ~150ms.

• The bulk of the request is spent in League\OAuth2\Server\AuthorizationServer::respondToAccessTokenRequest: 0.4621s out of 0.4741s total
  • League\OAuth2\Server\Grant\RefreshTokenGrant::respondToAccessTokenRequest: takes up ~300ms out of that
  • League\OAuth2\Server\ResponseTypes\BearerTokenResponse::generateHttpResponse: the remaining ~150ms

There clearly seems to be room for improvement from an overall request execution time of 0.3450s, with < 0.1s used by the sql queries.

• Add exportPublicKey() use

• Use Laravel's Storage functionality

From phpunit tests/Browser/Admin I now have only testUserInfo failing, because the user is somehow not imapReady (no idea why), but that seems unrelated.

• I also turned the expires_in comparison into a fuzzy comparison. Because of passport internals it's possible that some time has already passed and the expires_in response is off by a second.

• Lowered timeout
• Removed throttling on token route

• Switch new keypair algorithms to RSA

Hmm, does Arcanist offer a way to do fast-forward merges?

Looks reasonable, thanks for the patch.

Superseded by D2548. Turns out the first commit is no longer needed (and I messed up the diff during rebase).

Superseded by D2542.

I did another run of tests and got the same result as above. I.e. I run vendor/bin/phpunit tests/Browser/Admin twice on master and all is green. Then I run the same on this diff and I got three tests failing. Looks like the problem is with refreshing the token. I see this in console dump:

https:\/\/admin.alec.dev.kolab.io\/api\/auth\/info?refresh=1 - Failed to load resource: the server responded with a status of 401 ()

I see C: POST https://admin.alec.dev.kolab.io/api/auth/info?refresh=1 [5M]: 0.0055 sec in the log and this is strange because it's too fast and there are no sql queries for this request logged.