Skip to content

Redis

mail_intake.credentials.redis

Summary

Redis-backed credential persistence for Mail Intake.

This module provides a Redis-based implementation of the CredentialStore abstraction, enabling credential persistence across distributed and horizontally scaled deployments.

The Redis credential store is designed for environments where authentication credentials must be shared safely across multiple processes, containers, or nodes, such as container orchestration platforms and microservice architectures.

Key characteristics:

  • Distributed-safe, shared storage using Redis.
  • Explicit, caller-defined serialization and deserialization.
  • No reliance on unsafe mechanisms such as pickle.
  • Optional time-to-live (TTL) support for automatic credential expiry.

This module is responsible solely for persistence concerns. Credential validation, refresh, rotation, and acquisition remain the responsibility of authentication provider implementations.

Classes

RedisCredentialStore 

1
RedisCredentialStore(redis_client: Any, key: str, serialize: Callable[[T], bytes], deserialize: Callable[[bytes], T], ttl_seconds: Optional[int] = None)

Bases: CredentialStore[T]

Redis-backed implementation of CredentialStore.

This store persists credentials in Redis and is suitable for distributed and horizontally scaled deployments where credentials must be shared across multiple processes or nodes.

Notes

Responsibilities:

1
2
3
- This class is responsible only for persistence and retrieval.
- It does not interpret, validate, refresh, or otherwise manage the
  lifecycle of the credentials being stored.

Guarantees:

1
2
3
4
- The store is intentionally generic and delegates all serialization
  concerns to caller-provided functions.
- This avoids unsafe mechanisms such as `pickle` and allows
  credential formats to be explicitly controlled and audited.

Initialize a Redis-backed credential store.

Parameters:

Name Type Description Default
redis_client Any

An initialized Redis client instance (for example, redis.Redis or a compatible interface) used to communicate with the Redis server.

 required
key str

The Redis key under which credentials are stored. Callers are responsible for applying appropriate namespacing to avoid collisions.

 required
serialize Callable[[T], bytes]

A callable that converts a credential object of type T into a bytes representation suitable for storage in Redis.

 required
deserialize Callable[[bytes], T]

A callable that converts a bytes payload retrieved from Redis back into a credential object of type T.

 required
ttl_seconds Optional[int]

Optional time-to-live (TTL) for the stored credentials, expressed in seconds. When provided, Redis will automatically expire the stored credentials after the specified duration. If None, credentials are stored without an expiration.

 None
Functions
clear 
1
clear() -> None

Remove stored credentials from Redis.

Notes

Lifecycle:

1
2
- This operation deletes the configured Redis key if it exists
- Implementations should treat this method as idempotent
load 
1
load() -> Optional[T]

Load credentials from Redis.

Returns:

Type Description
Optional[T]

Optional[T]: An instance of type T if credentials are present and successfully deserialized; otherwise None.
Notes

Guarantees:

1
2
3
4
5
6
- If no value exists for the configured key, or if the stored
  payload cannot be successfully deserialized, this method
  returns `None`.
- The store does not attempt to validate the returned
  credentials or determine whether they are expired or
  otherwise usable.
save 
1
save(credentials: T) -> None

Persist credentials to Redis.

Parameters:

Name Type Description Default
credentials T

The credential object to persist.

 required
Notes

Responsibilities:

1
2
- Any previously stored credentials under the same key are overwritten
- If a TTL is configured, the credentials will expire automatically after the specified duration