Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Getting a token takes nearly a second #820

Open
AzureIP opened this issue Aug 7, 2024 · 4 comments
Open

Getting a token takes nearly a second #820

AzureIP opened this issue Aug 7, 2024 · 4 comments

Comments

@AzureIP
Copy link

AzureIP commented Aug 7, 2024

Hi
I am trying out this library with Django 5 and python 3.12.
It works as expected, but getting a token for a user takes nearly a second. Around 950ms. Why? Is there some setting that improoves the generation time?
@mohamed666666
Copy link

up

@aperezlillo
Copy link

This is probably caused by https://forum.djangoproject.com/t/stop-increasing-default-pbkdf2-iteration-count/25539, if you change the password hasher or reduce the steps this will reduce the performance (but you will require to recreate all hashes... and theoretically the application will be less secure)

@ThirVondukr
Copy link

ThirVondukr commented Nov 6, 2024
edited
Loading

@aperezlillo Affecting password security to gain performance is a bad idea.
I recently stumbled upon pyjwt taking 25ms when creating a JWT, compared to around 1ms in rust/go. Fixing this could be a single line change in some cases - you have to manually load your key in case you're using RSA:

import time

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
key_str = key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)

# key = serialization.load_pem_private_key(key_str.encode(), password=None)

t = time.perf_counter()
tok = jwt.encode(payload={}, key=key, algorithm="RS256")
print((time.perf_counter() - t) * 1000)

t = time.perf_counter()
tok = jwt.encode(payload={}, key=key_str, algorithm="RS256")
print((time.perf_counter() - t) * 1000)

@ThirVondukr
Copy link

ThirVondukr commented Nov 13, 2024
edited
Loading

I ran some tests, while majority of time is spent on checking if password is valid:

In [4]: %timeit hashlib.pbkdf2_hmac("sha256", b"abcde", b"abcde", 600_000)
153 ms ± 665 µs per loop (mean ± std. dev. of 7 runs, 10 loops each)

generating a new access token for user could be made faster:

   ...: 
   ...: import jwt
   ...: from cryptography.hazmat.primitives import serialization
   ...: from cryptography.hazmat.primitives.asymmetric import rsa
In [3]: key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
   ...: key_str = key.private_bytes(
   ...:     encoding=serialization.Encoding.PEM,
   ...:     format=serialization.PrivateFormat.PKCS8,
   ...:     encryption_algorithm=serialization.NoEncryption(),
   ...: )
   ...: 
In [4]: %timeit jwt.encode(payload={}, key=key, algorithm="RS256")
181 µs ± 6.21 µs per loop (mean ± std. dev. of 7 runs, 10,000 loops each)
In [5]: %timeit jwt.encode(payload={}, key=key_str, algorithm="RS256")
23.9 ms ± 152 µs per loop (mean ± std. dev. of 7 runs, 10 loops each)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@aperezlillo @AzureIP @mohamed666666 @ThirVondukr