Are there any security risks from server-side prefetching of database data?


I'm coding a web app at present that uses an Implicit Grant flow for the browser to obtain an ID token that is attached to all subsequent requests to the backend API.

On my backend, whenever a request comes in, the ID token needs to have its JWKS information fetched and verified, and the unique user id then has to be sent to our database to look up that user's account, which will include their role information.

Right now I'm fetching the user account from my database just assuming that the token can be trusted, while simultaneously verifying the token, and then only proceeding if both succeed. So I'm making extra db requests even if the token is expired so that the data is ready as soon as the token is verified, but the recent Spectre and Meltdown speculative execution attacks have me wondering if there are any security risks of your server prefetching data before it knows to trust the user?

I'm guessing that in practical terms there shouldn't be but I'm far from an expert and have struggled to find any writing on this...


There is 1 best solution below
Jason Masters On

As far as I can tell this pattern should be perfectly fine. If the API is compromised you'll have far bigger problems than the prefetching of data.
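
The pattern from the question, as an added example that is not code from the original post: token verification and the account lookup run concurrently, and the prefetched row is released only after verification succeeds. The HMAC-signed two-part token, `SECRET`, `USERS` and all function names are constructed stand-ins for a real JWKS-verified ID token and database.

```python
import asyncio, base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"    # stand-in for the provider's JWKS key (assumption)
USERS = {"u1": {"role": "admin"}}   # constructed in-memory "database"
DB_LOOKUPS = []                     # every id the database was asked for

def b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(sub, exp, key=SECRET):
    """Build a simplified body.signature token (not a full JWT)."""
    body = b64(json.dumps({"sub": sub, "exp": exp}).encode())
    return body + "." + b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

async def verify(token):
    await asyncio.sleep(0.01)       # simulated JWKS fetch latency
    body, sig = token.split(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(unb64(body))
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    return claims

async def fetch_user(sub):
    DB_LOOKUPS.append(sub)          # happens even for tokens that later fail
    await asyncio.sleep(0.01)       # simulated query latency
    return USERS.get(sub)

async def authenticate(token):
    try:                            # read the claim without trusting it yet
        sub = json.loads(unb64(token.split(".")[0]))["sub"]
    except Exception:
        return 401, None
    claims, user = await asyncio.gather(
        verify(token), fetch_user(sub), return_exceptions=True)
    if isinstance(claims, Exception):
        return 401, None            # prefetched row is dropped, never returned
    if isinstance(user, Exception) or user is None:
        return 403, None
    return 200, user
```

`DB_LOOKUPS` shows that a lookup is issued for whatever `sub` the unverified token carries, so the query should be parameterized and the 401 response must not vary with the lookup's outcome.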