dms-middleware-auth 1.0.10 → 1.1.1

package/__tests__/auth.middleware.spec.ts

@@ -4,7 +4,7 @@ import { HttpStatusCode } from 'axios';
 const baseOptions = {
   publicKey: 'PUBLIC_KEY',
   keycloakUrl: '',
-  realm: '',
+  realm: 'my-realm',
   clientId: 'client',
   clientSecret: '',
   clientUuid: '',
@@ -29,94 +29,92 @@ const createRes = () => {
 };
 
 const createReq = (override: Record<string, any> = {}) =>
-  ({
-    headers: { authorization: 'Bearer access-token' },
-    originalUrl: '/route',
-    body: {},
-    ...override,
-  } as any);
+({
+  headers: { authorization: 'Bearer access-token' },
+  originalUrl: '/route',
+  body: {},
+  ...override,
+} as any);
 
 describe('AuthMiddleware licensing', () => {
+  let cache: any;
+  let middleware: AuthMiddleware;
+
   beforeEach(() => {
     jest.restoreAllMocks();
     jest.clearAllMocks();
     jest.useRealTimers();
+
     // Reset static flags/timers between tests
     const cls: any = AuthMiddleware;
-    if (cls.shutdownTimer) {
-      clearTimeout(cls.shutdownTimer);
-    }
+    if (cls.shutdownTimer) clearTimeout(cls.shutdownTimer);
+    if (cls.licenceExpiryTimer) clearTimeout(cls.licenceExpiryTimer);
     cls.licenceExpired = false;
     cls.shutdownTimer = null;
+    cls.licenceExpiryTimer = null;
+    cls.licenceValidatedUntilMs = null;
+    cls.shutdownInitiated = false;
+
+    cache = createCacheMock();
+    middleware = new AuthMiddleware(cache as any, baseOptions as any);
   });
 
-  it('allows requests when licence is valid (supports seconds epoch)', async () => {
-    const cache = createCacheMock({ client_access_token: 'cached-client-token' });
-    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
+  it('checks the licence in cache first', async () => {
+    cache.get.mockResolvedValueOnce('cached-token');
+    const verifySpy = jest.spyOn(middleware as any, 'verifyJwt').mockReturnValue({
+      lic_end: Math.floor(Date.now() / 1000) + 3600, // Valid for 1 hour
+    });
+    const fetchSpy = jest.spyOn(middleware as any, 'getLicencingDetails');
+
+    const result = await (middleware as any).checkLicenceAndValidate('my-realm', 'PUBLIC_KEY');
+
+    expect(result).toBe(true);
+    expect(cache.get).toHaveBeenCalledWith('client_Licence_token');
+    expect(verifySpy).toHaveBeenCalledWith('cached-token', 'PUBLIC_KEY');
+    expect(fetchSpy).not.toHaveBeenCalled();
+  });
 
+  it('fetches licence from server if not in cache', async () => {
+    cache.get.mockResolvedValueOnce(null);
     jest.spyOn(middleware as any, 'getLicencingDetails').mockResolvedValue({
       code: HttpStatusCode.Ok,
-      data: 'licence-token',
+      data: 'server-token',
     });
     jest.spyOn(middleware as any, 'verifyJwt').mockReturnValue({
-      lic_end: Math.floor(Date.now() / 1000) + 60, // seconds epoch
+      lic_end: Math.floor(Date.now() / 1000) + 3600,
     });
-    jest
-      .spyOn(middleware as any, 'decodeAccessToken')
-      .mockReturnValue({
-        resource_access: { client: { roles: ['admin'] } },
-        preferred_username: 'user',
-      });
-    jest.spyOn(middleware as any, 'getClientRoleAttributes').mockResolvedValue({
-      attributes: { '/route': '{"params":"false"}' },
-    });
-
-    const req = createReq();
-    const res = createRes();
-    const next = jest.fn();
 
-    await middleware.use(req, res as any, next);
+    const result = await (middleware as any).checkLicenceAndValidate('my-realm', 'PUBLIC_KEY');
 
-    expect(res.status).not.toHaveBeenCalled();
-    expect(next).toHaveBeenCalledTimes(1);
-    expect(cache.set).toHaveBeenCalledWith('client_Licence_token', 'licence-token');
+    expect(result).toBe(true);
+    expect(cache.set).toHaveBeenCalledWith('client_Licence_token', 'server-token', 0);
   });
 
-  it('rejects and schedules shutdown when licence is expired', async () => {
+  it('schedules licence expiration correctly but DOES NOT shutdown immediately', async () => {
     jest.useFakeTimers();
-    const cache = createCacheMock({ client_access_token: 'cached-client-token' });
-    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
-
+    cache.get.mockResolvedValueOnce(null);
     jest.spyOn(middleware as any, 'getLicencingDetails').mockResolvedValue({
       code: HttpStatusCode.Ok,
-      data: 'licence-token',
+      data: 'server-token',
     });
     jest.spyOn(middleware as any, 'verifyJwt').mockReturnValue({
-      lic_end: Date.now() - 1, // already expired (ms epoch)
+      lic_end: Date.now() + 1000, // Expires in 1 second
     });
-    const exitSpy = jest.spyOn(process, 'exit').mockImplementation((() => undefined) as any);
 
-    const req = createReq();
-    const res = createRes();
-    const next = jest.fn();
+    await (middleware as any).checkLicenceAndValidate('my-realm', 'PUBLIC_KEY');
 
-    await middleware.use(req, res as any, next);
-
-    expect(res.status).toHaveBeenCalledWith(HttpStatusCode.Forbidden);
-    expect(res.json).toHaveBeenCalled();
-    expect(next).not.toHaveBeenCalled();
+    // Fast forward to expiry
+    jest.advanceTimersByTime(1001);
     expect((AuthMiddleware as any).licenceExpired).toBe(true);
 
-    // advance time to trigger shutdown timer
-    jest.advanceTimersByTime(2 * 60 * 1000);
-    expect(exitSpy).toHaveBeenCalledWith(1);
+    // Should NOT have initiated shutdown yet (no request made after expiry)
+    expect((AuthMiddleware as any).shutdownInitiated).toBe(false);
   });
 
-  it('immediately rejects when already marked expired', async () => {
-    const cache = createCacheMock();
+  it('shuts down on the next request after licence expiry', async () => {
+    jest.useFakeTimers();
     (AuthMiddleware as any).licenceExpired = true;
-    const middleware = new AuthMiddleware(cache as any, baseOptions as any);
-    const checkSpy = jest.spyOn(middleware as any, 'checkLicenceAndValidate');
+    const stopSpy = jest.spyOn(middleware as any, 'stopServer');
 
     const req = createReq();
     const res = createRes();
@@ -124,8 +122,18 @@ describe('AuthMiddleware licensing', () => {
 
     await middleware.use(req, res as any, next);
 
-    expect(checkSpy).not.toHaveBeenCalled();
     expect(res.status).toHaveBeenCalledWith(HttpStatusCode.Forbidden);
-    expect(next).not.toHaveBeenCalled();
+    expect(res.json).toHaveBeenCalledWith({ message: (AuthMiddleware as any).licenceExpiredMessage });
+    expect(stopSpy).toHaveBeenCalled();
+  });
+
+  it('fails if server is invalid and no cache', async () => {
+    cache.get.mockResolvedValueOnce(null);
+    jest.spyOn(middleware as any, 'getLicencingDetails').mockResolvedValue({
+      code: HttpStatusCode.InternalServerError,
+    });
+
+    const result = await (middleware as any).checkLicenceAndValidate('my-realm', 'PUBLIC_KEY');
+    expect(result).toBe(false);
   });
 });

package/dist/auth.middleware.d.ts

@@ -33,6 +33,7 @@ export declare class AuthMiddleware implements NestMiddleware, OnModuleInit {
     private scheduleLicenceShutdown;
     private stopServer;
     private normalizeEpochMs;
+    private getUtcNowMs;
     private verifyJwt;
     private decodeAccessToken;
     private extractBearerToken;

package/dist/auth.middleware.js

@@ -60,14 +60,12 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
     async onModuleInit() {
         const { publicKey, realm } = this.options;
         const isValid = await this.checkLicenceAndValidate(realm, publicKey);
-        if (!isValid) {
-            this.stopServer();
-        }
     }
     async use(req, res, next) {
         const { publicKey, clientId, realm, bypassURL } = this.options;
         try {
             if (AuthMiddleware_1.licenceExpired) {
+                this.stopServer();
                 return res.status(axios_1.HttpStatusCode.Forbidden).json({ message: AuthMiddleware_1.licenceExpiredMessage });
             }
             if (!AuthMiddleware_1.licenceValidatedUntilMs) {
@@ -113,29 +111,13 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
                     }
                 }
             }
-            // Cache interface details
-            /*const userName = decoded.preferred_username;
-            let userAttributes: any = await this.cacheManager.get(userName);
-            if (!userAttributes) {
-              userAttributes = await this.getUserDetails(userName, clientToken);
-              userAttributes = JSON.stringify(userAttributes.attributes);
-              await this.cacheManager.set(userName, userAttributes, 0);
-            }
-      
-            // Attach attributes to request
-            userAttributes = JSON.parse(userAttributes);*/
             req['user'] = {
                 role: role,
                 userName: decoded.preferred_username
             };
-            // req['attributes'] = {
-            //   client: clientAttributes[req.originalUrl],
-            //   // user: userAttributes,
-            // };
             return next();
         }
         catch (error) {
-            //   console.error('AuthMiddleware error:', error);
             return res.status(500).json({ message: error.message });
         }
     }
@@ -178,19 +160,29 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
             if (AuthMiddleware_1.licenceExpired) {
                 return false;
             }
-            if (AuthMiddleware_1.licenceValidatedUntilMs && AuthMiddleware_1.licenceValidatedUntilMs > Date.now()) {
+            // 1. check the licence is available in cache if available then check the expiry
+            const cachedToken = await this.cacheManager.get('client_Licence_token');
+            if (cachedToken) {
+                const validate = await this.validateLicence(cachedToken, publicKey, false);
+                if (validate.status) {
+                    return true;
+                }
+                // If cached token is invalid/expired, we'll try to get a new one from the server.
+            }
+            if (AuthMiddleware_1.licenceValidatedUntilMs && AuthMiddleware_1.licenceValidatedUntilMs > this.getUtcNowMs()) {
                 return true;
             }
             if (AuthMiddleware_1.licenceValidationPromise) {
                 return await AuthMiddleware_1.licenceValidationPromise;
             }
+            // 2. if the licence details not available in cache get the data from another server and validate.
             AuthMiddleware_1.licenceValidationPromise = (async () => {
                 const response = await this.getLicencingDetails(realm);
                 if (response.code === axios_1.HttpStatusCode.InternalServerError) {
                     return false;
                 }
                 else {
-                    const validate = await this.validateLicence(response.data, publicKey);
+                    const validate = await this.validateLicence(response.data, publicKey, true);
                     return validate.status;
                 }
             })();
@@ -230,57 +222,49 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
             };
         }
     }
-    async validateLicence(lic_data, publicKey) {
+    async validateLicence(lic_data, publicKey, updateCache = true) {
         try {
             const token = await this.verifyJwt(lic_data, publicKey);
             const licEndMs = this.normalizeEpochMs(token?.lic_end);
             // Reject when licence end (epoch) is missing or already in the past.
-            if (!licEndMs) {
+            if (!licEndMs || licEndMs <= this.getUtcNowMs()) {
                 this.markLicenceExpired();
-                return {
-                    status: false
-                };
+                return { status: false };
             }
-            if (licEndMs <= Date.now()) {
-                this.markLicenceExpired();
-                return {
-                    status: false
-                };
-            }
-            else {
-                AuthMiddleware_1.licenceValidatedUntilMs = licEndMs;
-                this.scheduleLicenceShutdown(licEndMs);
-                return {
-                    status: true,
-                    ttl: (licEndMs - Date.now()) > 0 ? (licEndMs - Date.now()) : null
-                };
+            // 3. if the licencing server have the future expiry time wait till the expiry time
+            AuthMiddleware_1.licenceValidatedUntilMs = licEndMs;
+            this.scheduleLicenceShutdown(licEndMs);
+            if (updateCache) {
+                const ttl = (licEndMs - this.getUtcNowMs()) > 0 ? (licEndMs - this.getUtcNowMs()) : null;
+                await this.cacheManager.set('client_Licence_token', lic_data, ttl);
             }
+            return {
+                status: true,
+            };
         }
         catch (error) {
             this.markLicenceExpired();
-            return {
-                status: false
-            };
+            return { status: false };
         }
     }
     markLicenceExpired() {
         if (!AuthMiddleware_1.licenceExpired) {
             AuthMiddleware_1.licenceExpired = true;
         }
-        this.stopServer();
     }
     scheduleLicenceShutdown(licEndMs) {
         if (!licEndMs) {
             return;
         }
-        const delay = licEndMs - Date.now();
+        const delay = licEndMs - this.getUtcNowMs();
         if (delay <= 0) {
             this.markLicenceExpired();
             return;
         }
         if (AuthMiddleware_1.licenceExpiryTimer) {
-            return;
+            clearTimeout(AuthMiddleware_1.licenceExpiryTimer);
         }
+        // and then shutdown for till next user request to know the user to respond and shutdown the server.
         AuthMiddleware_1.licenceExpiryTimer = setTimeout(() => {
             this.markLicenceExpired();
         }, delay);
@@ -308,12 +292,14 @@ let AuthMiddleware = AuthMiddleware_1 = class AuthMiddleware {
         if (!epoch || Number.isNaN(epoch)) {
             return null;
         }
-        // Accept seconds or milliseconds since Unix epoch and normalize to ms for Date.now() comparison.
         if (epoch < 1_000_000_000_000) {
             return epoch * 1000;
         }
         return epoch;
     }
+    getUtcNowMs() {
+        return Date.now();
+    }
     verifyJwt(token, publicKey) {
         const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
         return jwt.verify(token, publicKeys, { algorithms: ['RS256'] });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dms-middleware-auth",
-  "version": "1.0.10",
+  "version": "1.1.1",
   "description": "Reusable middleware for authentication and authorization in NestJS applications.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,4 +29,4 @@
     "ts-jest": "^29.3.4",
     "typescript": "^5.7.2"
   }
-}
+}

package/src/auth.middleware.ts

@@ -1,10 +1,11 @@
-import { Inject, Injectable, NestMiddleware, OnModuleInit } from '@nestjs/common';
+import { Inject, Injectable, NestMiddleware, OnModuleInit } from '@nestjs/common';
 import { Response, NextFunction } from 'express';
 import * as jwt from 'jsonwebtoken';
 import axios, { HttpStatusCode } from 'axios';
 import { CACHE_MANAGER } from '@nestjs/cache-manager';
 import { Cache } from 'cache-manager';
 import * as process from "node:process";
+
 interface AuthMiddlewareOptions {
   publicKey: string;
   keycloakUrl: string;
@@ -16,62 +17,61 @@ interface AuthMiddlewareOptions {
 }
 
 @Injectable()
-export class AuthMiddleware implements NestMiddleware, OnModuleInit {
-  private static licenceExpired = false;
-  private static shutdownTimer: NodeJS.Timeout | null = null;
-  private static licenceExpiryTimer: NodeJS.Timeout | null = null;
-  private static licenceValidatedUntilMs: number | null = null;
-  private static licenceValidationPromise: Promise<boolean> | null = null;
-  private static shutdownInitiated = false;
-  private static readonly licenceExpiredMessage = "server Licence is expired!. please renew";
-
-  constructor(
-    @Inject(CACHE_MANAGER) private cacheManager: Cache,
-    @Inject('AUTH_MIDDLEWARE_OPTIONS') private readonly options: AuthMiddlewareOptions
-  ) {}
-
-  async onModuleInit() {
-    const { publicKey, realm } = this.options;
-    const isValid = await this.checkLicenceAndValidate(realm, publicKey);
-    if (!isValid) {
-      this.stopServer();
-    }
-  }
-
-  async use(req: any, res: Response, next: NextFunction) {
+export class AuthMiddleware implements NestMiddleware, OnModuleInit {
+  private static licenceExpired = false;
+  private static shutdownTimer: NodeJS.Timeout | null = null;
+  private static licenceExpiryTimer: NodeJS.Timeout | null = null;
+  private static licenceValidatedUntilMs: number | null = null;
+  private static licenceValidationPromise: Promise<boolean> | null = null;
+  private static shutdownInitiated = false;
+  private static readonly licenceExpiredMessage = "server Licence is expired!. please renew";
+
+  constructor(
+    @Inject(CACHE_MANAGER) private cacheManager: Cache,
+    @Inject('AUTH_MIDDLEWARE_OPTIONS') private readonly options: AuthMiddlewareOptions
+  ) { }
 
+  async onModuleInit() {
+    const { publicKey, realm } = this.options;
+    const isValid = await this.checkLicenceAndValidate(realm, publicKey);
+  }
 
+  async use(req: any, res: Response, next: NextFunction) {
     const { publicKey, clientId, realm, bypassURL } = this.options;
 
     try {
-        if (AuthMiddleware.licenceExpired) {
+      if (AuthMiddleware.licenceExpired) {
+        this.stopServer();
         return res.status(HttpStatusCode.Forbidden).json({ message: AuthMiddleware.licenceExpiredMessage });
       }
 
-      if (!AuthMiddleware.licenceValidatedUntilMs) {
-        return res.status(HttpStatusCode.Forbidden).json({ message: AuthMiddleware.licenceExpiredMessage });
-      }
-      if (req.originalUrl == bypassURL) {
-        return next();
-      }
-      const authHeader = req.headers['authorization'];
+      if (!AuthMiddleware.licenceValidatedUntilMs) {
+        return res.status(HttpStatusCode.Forbidden).json({ message: AuthMiddleware.licenceExpiredMessage });
+      }
+
+      if (req.originalUrl == bypassURL) {
+        return next();
+      }
 
+      const authHeader = req.headers['authorization'];
       if (!authHeader || !authHeader.startsWith('Bearer ')) {
         return res.status(401).json({ message: 'Bearer token required' });
       }
-      const decoded: any = this.decodeAccessToken(authHeader, publicKey)
+
+      const decoded: any = this.decodeAccessToken(authHeader, publicKey);
+
       // Cache the client token
       let clientToken: any = await this.cacheManager.get('client_access_token');
       if (!clientToken) {
         clientToken = await this.clientLogin();
         const decodedToken: any = jwt.decode(clientToken);
         const ttl = (decodedToken.exp - Math.floor(Date.now() / 1000)) * 1000;
-        await this.cacheManager.set('client_access_token', clientToken, ttl );
+        await this.cacheManager.set('client_access_token', clientToken, ttl);
       }
 
       // Cache client role attributes
       const role = decoded.resource_access[clientId]?.roles?.[0];
-      const clientRoleName = `${clientId+role}`;
+      const clientRoleName = `${clientId + role}`;
       let clientAttributes: any = await this.cacheManager.get(clientRoleName);
       if (!clientAttributes) {
         clientAttributes = await this.getClientRoleAttributes(role, clientToken);
@@ -81,54 +81,32 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
 
       // Check route access
       clientAttributes = JSON.parse(clientAttributes);
-
       if (!clientAttributes[req.originalUrl]) {
-
         return res.status(403).json({ message: 'Access denied for this route' });
-      }
-      else {
-        const  apiPermission = JSON.parse(clientAttributes[req.originalUrl]);
-        if (apiPermission?.params === "true")
-        {
+      } else {
+        const apiPermission = JSON.parse(clientAttributes[req.originalUrl]);
+        if (apiPermission?.params === "true") {
           const event = req?.body?.event;
           const url = req?.originalUrl + `?action=${event}`;
-          if (!clientAttributes[url]){
+          if (!clientAttributes[url]) {
             return res.status(403).json({ message: 'Access denied for event' });
           }
         }
       }
 
-      // Cache interface details
-      /*const userName = decoded.preferred_username;
-      let userAttributes: any = await this.cacheManager.get(userName);
-      if (!userAttributes) {
-        userAttributes = await this.getUserDetails(userName, clientToken);
-        userAttributes = JSON.stringify(userAttributes.attributes);
-        await this.cacheManager.set(userName, userAttributes, 0);
-      }
-
-      // Attach attributes to request
-      userAttributes = JSON.parse(userAttributes);*/
       req['user'] = {
         role: role,
-        userName:decoded.preferred_username
+        userName: decoded.preferred_username
       };
 
-      // req['attributes'] = {
-      //   client: clientAttributes[req.originalUrl],
-      //   // user: userAttributes,
-      // };
-
       return next();
-    } catch (error:any) {
-    //   console.error('AuthMiddleware error:', error);
+    } catch (error: any) {
       return res.status(500).json({ message: error.message });
     }
   }
 
   private async clientLogin() {
     const { keycloakUrl, realm, clientId, clientSecret } = this.options;
-
     try {
       const response = await axios.post(
         `${keycloakUrl}/realms/${realm}/protocol/openid-connect/token`,
@@ -140,187 +118,193 @@ export class AuthMiddleware implements NestMiddleware, OnModuleInit {
         { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
       );
       return response.data.access_token;
-    } catch (error:any) {
+    } catch (error: any) {
       throw new Error(`Failed to obtain client token: ${error.response?.data?.error_description || error.message}`);
     }
   }
 
   private async getUserDetails(username: string, token: string) {
     const { keycloakUrl, realm } = this.options;
-
     try {
       const response = await axios.get(
         `${keycloakUrl}/admin/realms/${realm}/users?username=${username}`,
         { headers: { Authorization: `Bearer ${token}` } }
       );
       return response.data[0];
-    } catch (error:any) {
+    } catch (error: any) {
       throw new Error(`Failed to fetch user details: ${error.response?.data?.error_description || error.message}`);
     }
   }
 
   private async getClientRoleAttributes(role: string, token: string) {
     const { keycloakUrl, realm, clientUuid } = this.options;
-
     try {
       const response = await axios.get(
         `${keycloakUrl}/admin/realms/${realm}/clients/${clientUuid}/roles/${role}`,
         { headers: { Authorization: `Bearer ${token}` } }
       );
       return response.data;
-    } catch (error:any) {
+    } catch (error: any) {
       throw new Error(`Failed to fetch client role attributes: ${error.response?.data?.error_description || error.message}`);
     }
   }
 
-  private async checkLicenceAndValidate(realm: string, publicKey:string) {
-    try {
-      if (AuthMiddleware.licenceExpired) {
-        return false;
-      }
-      if (AuthMiddleware.licenceValidatedUntilMs && AuthMiddleware.licenceValidatedUntilMs > Date.now()) {
-        return true;
-      }
-      if (AuthMiddleware.licenceValidationPromise) {
-        return await AuthMiddleware.licenceValidationPromise;
-      }
-      AuthMiddleware.licenceValidationPromise = (async () => {
-        const response:any = await  this.getLicencingDetails(realm);
-        if (response.code === HttpStatusCode.InternalServerError) {
-          return false
-        }
-        else{
-          const validate = await this.validateLicence(response.data, publicKey);
-          return validate.status;
-        }
-      })();
-      try {
-        return await AuthMiddleware.licenceValidationPromise;
-      } finally {
-        AuthMiddleware.licenceValidationPromise = null;
-      }
-    }
-    catch(error:any){
-      return false;
-
-    }
-  }
-  private async getLicencingDetails(realm: string) {
-    try{
+  private async checkLicenceAndValidate(realm: string, publicKey: string) {
+    try {
+      if (AuthMiddleware.licenceExpired) {
+        return false;
+      }
 
+      // 1. check the licence is available in cache if available then check the expiry
+      const cachedToken: string | undefined = await this.cacheManager.get('client_Licence_token');
+      if (cachedToken) {
+        const validate = await this.validateLicence(cachedToken, publicKey, false);
+        if (validate.status) {
+          return true;
+        }
+        // If cached token is invalid/expired, we'll try to get a new one from the server.
+      }
 
+      if (AuthMiddleware.licenceValidatedUntilMs && AuthMiddleware.licenceValidatedUntilMs > this.getUtcNowMs()) {
+        return true;
+      }
 
-        const url = 'https://iiuuckued274sisadalbpf7ivu0eiblk.lambda-url.ap-south-1.on.aws/'
-        const body = {  "client_name": realm };
+      if (AuthMiddleware.licenceValidationPromise) {
+        return await AuthMiddleware.licenceValidationPromise;
+      }
 
-        const response = await axios.post( url , body );
-        if (response.status === HttpStatusCode.Ok) {
-          return {
-            code: HttpStatusCode.Ok,
-            data: response.data.token
-          };
-        }
-        else {
-          return {
-            code: HttpStatusCode.InternalServerError,
-            message: "InternalServer error"
-          };
+      // 2. if the licence details not available in cache get the data from another server and validate.
+      AuthMiddleware.licenceValidationPromise = (async () => {
+        const response: any = await this.getLicencingDetails(realm);
+        if (response.code === HttpStatusCode.InternalServerError) {
+          return false;
+        } else {
+          const validate = await this.validateLicence(response.data, publicKey, true);
+          return validate.status;
         }
+      })();
 
-    }catch(error:any){
+      try {
+        return await AuthMiddleware.licenceValidationPromise;
+      } finally {
+        AuthMiddleware.licenceValidationPromise = null;
+      }
+    } catch (error: any) {
+      return false;
+    }
+  }
+
+  private async getLicencingDetails(realm: string) {
+    try {
+      const url = 'https://iiuuckued274sisadalbpf7ivu0eiblk.lambda-url.ap-south-1.on.aws/';
+      const body = { "client_name": realm };
+      const response = await axios.post(url, body);
+      if (response.status === HttpStatusCode.Ok) {
+        return {
+          code: HttpStatusCode.Ok,
+          data: response.data.token
+        };
+      } else {
+        return {
+          code: HttpStatusCode.InternalServerError,
+          message: "InternalServer error"
+        };
+      }
+    } catch (error: any) {
       return {
         code: HttpStatusCode.InternalServerError,
         data: error?.response?.data || error?.message || 'Licencing service error'
       };
     }
   }
-  private async validateLicence(lic_data:any, publicKey:any){
-    try{
-      const token:any  = await this.verifyJwt(lic_data, publicKey);
-      const licEndMs = this.normalizeEpochMs(token?.lic_end);
-      // Reject when licence end (epoch) is missing or already in the past.
-      if (!licEndMs) {
-        this.markLicenceExpired();
-        return{
-          status: false
-        } 
-      }
-      if (licEndMs <= Date.now()) {
-        this.markLicenceExpired();
-        return {
-          status: false
-        } 
-      } else {
-        AuthMiddleware.licenceValidatedUntilMs = licEndMs;
-        this.scheduleLicenceShutdown(licEndMs);
-        return {
-          status: true,
-          ttl: (licEndMs - Date.now()) > 0 ?  (licEndMs - Date.now()) : null
-        } 
-      }
-    }
-    catch(error:any){
-      this.markLicenceExpired();
-      return {
-        status: false
-      };
-    }
-  }
-
-  private markLicenceExpired() {
-    if (!AuthMiddleware.licenceExpired) {
-      AuthMiddleware.licenceExpired = true;
-    }
-    this.stopServer();
-  }
-
-  private scheduleLicenceShutdown(licEndMs: number) {
-    if (!licEndMs) {
-      return;
-    }
-    const delay = licEndMs - Date.now();
-    if (delay <= 0) {
-      this.markLicenceExpired();
-      return;
-    }
-    if (AuthMiddleware.licenceExpiryTimer) {
-      return;
-    }
-    AuthMiddleware.licenceExpiryTimer = setTimeout(() => {
-      this.markLicenceExpired();
-    }, delay);
-  }
-
-  private stopServer() {
-    if (AuthMiddleware.shutdownInitiated) {
-      return;
-    }
-    AuthMiddleware.shutdownInitiated = true;
-    setTimeout(() => {
-      try {
-        process.kill(process.pid, 'SIGTERM');
-      } catch {
-        process.exit(1);
-      }
-      if (!AuthMiddleware.shutdownTimer) {
-        AuthMiddleware.shutdownTimer = setTimeout(() => {
-          process.exit(1);
-        }, 5000);
-      }
-    }, 0);
-  }
+
+  private async validateLicence(lic_data: any, publicKey: any, updateCache = true) {
+    try {
+      const token: any = await this.verifyJwt(lic_data, publicKey);
+      const licEndMs = this.normalizeEpochMs(token?.lic_end);
+
+      // Reject when licence end (epoch) is missing or already in the past.
+      if (!licEndMs || licEndMs <= this.getUtcNowMs()) {
+        this.markLicenceExpired();
+        return { status: false };
+      }
+
+      // 3. if the licencing server have the future expiry time wait till the expiry time
+      AuthMiddleware.licenceValidatedUntilMs = licEndMs;
+      this.scheduleLicenceShutdown(licEndMs);
+
+      if (updateCache) {
+        const ttl: any = (licEndMs - this.getUtcNowMs()) > 0 ? (licEndMs - this.getUtcNowMs()) : null
+        await this.cacheManager.set('client_Licence_token', lic_data, ttl);
+      }
+
+      return {
+        status: true,
+
+      };
+    } catch (error: any) {
+      this.markLicenceExpired();
+      return { status: false };
+    }
+  }
+
+  private markLicenceExpired() {
+    if (!AuthMiddleware.licenceExpired) {
+      AuthMiddleware.licenceExpired = true;
+    }
+  }
+
+  private scheduleLicenceShutdown(licEndMs: number) {
+    if (!licEndMs) {
+      return;
+    }
+    const delay = licEndMs - this.getUtcNowMs();
+    if (delay <= 0) {
+      this.markLicenceExpired();
+      return;
+    }
+    if (AuthMiddleware.licenceExpiryTimer) {
+      clearTimeout(AuthMiddleware.licenceExpiryTimer);
+    }
+    // and then shutdown for till next user request to know the user to respond and shutdown the server.
+    AuthMiddleware.licenceExpiryTimer = setTimeout(() => {
+      this.markLicenceExpired();
+    }, delay);
+  }
+
+  private stopServer() {
+    if (AuthMiddleware.shutdownInitiated) {
+      return;
+    }
+    AuthMiddleware.shutdownInitiated = true;
+    setTimeout(() => {
+      try {
+        process.kill(process.pid, 'SIGTERM');
+      } catch {
+        process.exit(1);
+      }
+      if (!AuthMiddleware.shutdownTimer) {
+        AuthMiddleware.shutdownTimer = setTimeout(() => {
+          process.exit(1);
+        }, 5000);
+      }
+    }, 0);
+  }
 
   private normalizeEpochMs(epoch: number): number | null {
     if (!epoch || Number.isNaN(epoch)) {
       return null;
     }
-    // Accept seconds or milliseconds since Unix epoch and normalize to ms for Date.now() comparison.
     if (epoch < 1_000_000_000_000) {
       return epoch * 1000;
     }
     return epoch;
   }
 
+  private getUtcNowMs() {
+    return Date.now();
+  }
+
   private verifyJwt(token: string, publicKey: string) {
     const publicKeys = `-----BEGIN PUBLIC KEY-----\n${publicKey}\n-----END PUBLIC KEY-----`;
     return jwt.verify(token, publicKeys, { algorithms: ['RS256'] });