Azure-Samples
diff --git a/‎5-AccessControl/2-call-api-groups/API/app.js
+31-18 b/‎5-AccessControl/2-call-api-groups/API/app.js
+31-18
diff --git a/‎5-AccessControl/2-call-api-groups/API/auth/guard.js
+7-7 b/‎5-AccessControl/2-call-api-groups/API/auth/guard.js
+7-7
diff --git a/‎5-AccessControl/2-call-api-groups/API/auth/overage.js
+22-3 b/‎5-AccessControl/2-call-api-groups/API/auth/overage.js
+22-3
diff --git a/‎5-AccessControl/2-call-api-groups/API/auth/permissionUtils.js
+12-2 b/‎5-AccessControl/2-call-api-groups/API/auth/permissionUtils.js
+12-2
diff --git a/‎5-AccessControl/2-call-api-groups/API/authConfig.json
+2-1 b/‎5-AccessControl/2-call-api-groups/API/authConfig.json
+2-1
diff --git a/‎5-AccessControl/2-call-api-groups/API/package-lock.json
+13 b/‎5-AccessControl/2-call-api-groups/API/package-lock.json
+13
diff --git a/‎5-AccessControl/2-call-api-groups/API/package.json
+1 b/‎5-AccessControl/2-call-api-groups/API/package.json
+1
diff --git a/‎5-AccessControl/2-call-api-groups/API/utils/cacheProvider.js
+39 b/‎5-AccessControl/2-call-api-groups/API/utils/cacheProvider.js
+39
diff --git a/‎5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json
-4 b/‎5-AccessControl/2-call-api-groups/AppCreationScripts/sample.json
-4
@@ -4,13 +4,27 @@ const cors = require('cors');
 
 const passport = require('passport');
 const passportAzureAd = require('passport-azure-ad');
+const NodeCache = require('node-cache');
 
-const authConfig = require('./authConfig');
+const authConfig = require('./authConfig.json');
 const router = require('./routes/router');
 const routeGuard = require('./auth/guard');
 
-const app = express();
+/**
+ * IMPORTANT: In case of overage, group list is cached for 1 hr by default, and thus cached groups 
+ * will miss any changes to a users group membership for this duration. For capturing real-time 
+ * changes to a user's group membership, consider implementing Microsoft Graph change notifications. 
+ * For more information, visit: https://learn.microsoft.com/graph/api/resources/webhooks
+ */
+const nodeCache = new NodeCache({ 
+    stdTTL: authConfig.cacheTTL, // in seconds
+    checkperiod: 60 * 100,
+    deleteOnExpire: true
+});
+
+const cacheProvider = require('./utils/cacheProvider')(nodeCache);
 
+const app = express();
 /**
  * Enable CORS middleware. In production, modify as to allow only designated origins and methods.
  * If you are using Azure App Service, we recommend removing the line below and configure CORS on the App Service itself.
@@ -89,7 +103,6 @@ app.use('/api', (req, res, next) => {
             return res.status(401).json({ error: err.message });
         }
 
-        
         if (!user) {
             // If no user object found, send a 401 response.
             return res.status(401).json({ error: 'Unauthorized' });
@@ -103,21 +116,21 @@ app.use('/api', (req, res, next) => {
     })(req, res, next);
 },
 
-routeGuard(authConfig.accessMatrix), 
-router,
- (err, req, res, next) => {
-     /**
-      * Add your custom error handling logic here. For more information, see:
-      * http://expressjs.com/en/guide/error-handling.html
-      */
-
-     // set locals, only providing error in development
-     res.locals.message = err.message;
-     res.locals.error = req.app.get('env') === 'development' ? err : {};
-
-     // send error response
-     res.status(err.status || 500).send(err);
- }
+    routeGuard(authConfig.accessMatrix, cacheProvider),
+    router,
+    (err, req, res, next) => {
+        /**
+         * Add your custom error handling logic here. For more information, see:
+         * http://expressjs.com/en/guide/error-handling.html
+         */
+
+        // set locals, only providing error in development
+        res.locals.message = err.message;
+        res.locals.error = req.app.get('env') === 'development' ? err : {};
+
+        // send error response
+        res.status(err.status || 500).send(err);
+    }
 );
 
 const port = process.env.PORT || 5000;
 
@@ -1,16 +1,16 @@
 const handleOverage = require('./overage');
-const { requestHasRequiredAttributes } = require('./permissionUtils');
+const { hasRequiredGroups, hasOverageOccurred } = require('./permissionUtils');
 
-const routeGuard = (accessMatrix) => {
+const routeGuard = (accessMatrix, cache) => {
     return async (req, res, next) => {
         if (req.authInfo.groups === undefined) {
-            if (req.authInfo['_claim_names'] && req.authInfo['_claim_sources']) {
-                return handleOverage(req, res, next);
-            } else {
-                return res.status(403).json({ error: 'No group claim found!' });
+            if (hasOverageOccurred(req.authInfo)) {
+                return handleOverage(req, res, next, cache);
             }
+
+            return res.status(403).json({ error: 'No group claim found!' });
         } else {
-            if (!requestHasRequiredAttributes(accessMatrix, req.path, req.method, req.authInfo['groups'])) {
+            if (!hasRequiredGroups(accessMatrix, req.path, req.method, req.authInfo['groups'])) {
                 return res.status(403).json({ error: 'User does not have the group, method or path' });
             }
         }
 
@@ -5,8 +5,8 @@
 
 const msal = require('@azure/msal-node');
 
+const { hasRequiredGroups } = require("./permissionUtils");
 const { getFilteredGroups } = require('../utils/graphClient');
-const { requestHasRequiredAttributes } = require("./permissionUtils");
 
 const config = require('../authConfig.json');
 
@@ -45,13 +45,32 @@ const getOboToken = async (oboAssertion) => {
     }
 };
 
-const handleOverage = async (req, res, next) => {
+const handleOverage = async (req, res, next, cacheProvider) => {
     const authHeader = req.headers.authorization;
     const accessToken = authHeader.split(' ')[1];
 
+    const { oid } = req.authInfo;
+
+    // check if the user has an entry in the cache
+    if (cacheProvider.has(oid)) {
+        const { groups, sourceTokenId } = cacheProvider.get(oid);
+
+        if (sourceTokenId === accessToken['uti']) {
+            res.locals.groups = groups;
+            return checkAccess(req, res, next);
+        }
+    }
+
     try {
         const oboToken = await getOboToken(accessToken);
         res.locals.groups = await getFilteredGroups(oboToken, config.accessMatrix.todolist.groups);
+
+        // cache the groups and the source token id
+        cacheProvider.set(oid, {
+            groups: res.locals.groups,
+            sourceTokenId: accessToken['uti']
+        });
+
         return checkAccess(req, res, next);
     } catch (error) {
         console.log(error);
@@ -60,7 +79,7 @@ const handleOverage = async (req, res, next) => {
 };
 
 const checkAccess = (req, res, next) => {
-    if (!requestHasRequiredAttributes(config.accessMatrix, req.path, req.method, res.locals.groups)) {
+    if (!hasRequiredGroups(config.accessMatrix, req.path, req.method, res.locals.groups)) {
         return res.status(403).json({ error: 'User does not have the group, method or path' });
     }
     next();
 
@@ -23,7 +23,7 @@
  * @param {Array} groups
  * @returns boolean
  */
-const requestHasRequiredAttributes = (accessMatrix, path, method, groups) => {
+const hasRequiredGroups = (accessMatrix, path, method, groups) => {
     const accessRule = Object.values(accessMatrix).find((accessRule) => path.includes(accessRule.path));
 
     if (accessRule.methods.includes(method)) {
@@ -37,7 +37,17 @@ const requestHasRequiredAttributes = (accessMatrix, path, method, groups) => {
     return false;
 };
 
+/**
+ * Checks if the access token has claims indicating that overage has occurred.
+ * @param {Object} accessToken 
+ * @returns {boolean}
+ */
+const hasOverageOccurred = (accessTokenPayload) => {
+    return accessTokenPayload.hasOwnProperty('_claim_names') && accessTokenPayload['_claim_names'].hasOwnProperty('groups');
+};
+
 module.exports = {
     hasRequiredDelegatedPermissions,
-    requestHasRequiredAttributes,
+    hasRequiredGroups,
+    hasOverageOccurred
 };
@@ -12,7 +12,8 @@
     "settings": {
         "validateIssuer": true,
         "passReqToCallback": false,
-        "loggingLevel": "info"
+        "loggingLevel": "info",
+        "cacheTTL": 3600
     },
     "protectedResources": {
         "graphAPI": {
 
@@ -16,6 +16,7 @@
     "isomorphic-fetch": "^3.0.0",
     "lowdb": "^1.0.0",
     "morgan": "^1.10.0",
+    "node-cache": "^5.1.2",
     "passport": "^0.6.0",
     "passport-azure-ad": "^4.3.4"
   },
 
@@ -0,0 +1,39 @@
+/**
+ * Pass below an instance of the cache client of your choice
+ * that implements SET, GET, HAS and DELETE methods.
+ * @param {Object} provider 
+ * @returns 
+ */
+module.exports = (provider) => {
+
+    /**
+     * Sets a key-value pair in the cache.
+     * @param {String} key 
+     * @param {any} item 
+     */
+    const set = (key, item) => {
+        provider.set(key, item);
+        console.log(`Cache set: ${key} - ${item}`);
+    }
+
+    const get = (key) => {
+        return provider.get(key);
+    }
+
+    const has = (key) => {
+        console.log('Cache hit for key: ' + key);
+        return provider.has(key);
+    }
+
+    const del = (key) => {
+        provider.del(key);
+        console.log('Cache deleted for key: ' + key);
+    }
+
+    return {
+        get,
+        set,
+        has,
+        del
+    }
+}
@@ -22,10 +22,6 @@
             "GroupMembershipClaims": "SecurityGroup",
             "PasswordCredentials": "Auto",
             "scopes": ["access_via_group_assignments"],
-            "Sample": {
-                "SampleSubPath": "5-AccessControl\\2-call-api-groups\\SPA",
-                "ProjectDirectory": "\\2-call-api-groups\\SPA"
-            },
             "SecurityGroups": [
                 {
                     "Name": "GroupAdmin",