Files
multica/server/internal/handler/personal_access_token.go
Bohan Jiang 86e7de3e41 feat(server/auth): cache auth token lookups in Redis with 10m TTL
* feat(server/auth): cache PAT lookups in Redis with 60s TTL

Personal access tokens used to hit Postgres on every request: a SELECT
to resolve token_hash → user_id, plus a fire-and-forget UPDATE of
last_used_at. For a CLI / daemon making many requests per second this
is wasted DB load — the token is the same and the answer hasn't changed.

Add a Redis-backed cache (auth.PATCache) keyed by token hash, TTL 60s:

- On cache hit, the auth middleware skips both the SELECT and the
  last_used_at UPDATE. last_used_at is now refreshed at most once per
  TTL window per token, not per request.
- On cache miss the middleware falls back to today's behavior: query
  Postgres, populate the cache, async-update last_used_at.
- On revoke, the handler invalidates the cache entry so revocation
  takes effect immediately rather than waiting for the TTL to expire.
  This required changing RevokePersonalAccessToken from :exec to :one
  RETURNING token_hash.

The cache is nil-safe: when REDIS_URL isn't configured, NewPATCache
returns nil and the middleware degrades to today's always-hit-DB
behavior. JWT validation is untouched (already DB-free).

Tested with REDIS_TEST_URL — same gating pattern the rest of the
suite uses for Redis-backed tests. New tests cover nil-safety, set/
get/invalidate, TTL, and the middleware short-circuit on cache hit.

* fix(server/auth): clamp PAT cache TTL to token's remaining lifetime

GPT-Boy review caught: a PAT expiring in <60s would still be cached
for the full PATCacheTTL window, so the token could continue passing
auth on cache hit for up to ~60s after its expires_at. The DB query
filters expired tokens (revoked = FALSE AND expires_at > now()), but
that filter never ran on a cache hit.

Make Set take an explicit ttl, and add TTLForExpiry to compute it:
  - no expires_at      → full PATCacheTTL
  - expires_at far     → full PATCacheTTL
  - expires_at <60s    → time until expiry
  - already expired    → 0, Set skips caching (TOCTOU defense between
                         the SELECT and the Set, since the SELECT
                         already filters expired rows)

Regression test pins the clamp behavior end-to-end against Redis.

* feat(server/auth): cache daemon-token + PAT lookups in DaemonAuth, bump TTL to 10m

Daemon /api/daemon/* requests (heartbeat, claim task) hit DaemonAuth
which previously did its own GetDaemonTokenByHash on every request and
*also* duplicated the PAT lookup on the mul_ fallback — bypassing the
cache added in 1cdd674c. Today's daemons authenticate via mul_ PATs
(mdt_ minting isn't wired up yet), so the duplicate PAT path is the one
that actually matters for hot-path DB load.

Three changes:

1. New auth.DaemonTokenCache mirrors PATCache for the mdt_ path
   (key = mul:auth:daemon:<sha256>, JSON value = {workspace_id, daemon_id}).
   Forward-looking infrastructure for when daemon tokens get minted; the
   middleware short-circuits the DB SELECT on cache hit. TTL clamped to
   the token's expires_at via the shared TTLForExpiry helper.

2. DaemonAuth now also consults PATCache on its mul_ fallback, sharing
   the same cache as the regular Auth middleware. A daemon making 4 hb/min
   collapses from 4 GetPersonalAccessTokenByHash + 4 last_used_at writes
   per minute to ~1 of each per AuthCacheTTL window (~10 minutes).

3. Rename PATCacheTTL → AuthCacheTTL and bump from 60s to 10 minutes.
   The constant is now shared between PAT and daemon caches; 10m matches
   the user-requested longer TTL for further DB write reduction. Revoke
   latency on the happy path is still instant via active invalidation;
   the worst-case (Redis Del miss / direct-DB revoke) grows from ~60s to
   ~10m.

Tests cover nil-safety, set/get/invalidate, TTL, clamped TTL on near-
expiry tokens, and the middleware short-circuit for both cache paths
(mdt_ via DaemonTokenCache, mul_ fallback via PATCache).

* feat(server/auth): cache PAT lookups on the WebSocket auth path

The third place a PAT is resolved — patResolver.ResolveToken used by
realtime.HandleWebSocket — was still hitting Postgres on every /ws
auth and firing an unconditional last_used_at UPDATE, bypassing the
cache added in 1cdd674c. Wire it through the same shared PATCache so
revoking a token through any path (Auth middleware, DaemonAuth PAT
fallback, or WS auth) hits all three caches with one Invalidate.

Also leaves a comment on DeleteDaemonTokensByWorkspaceAndDaemon —
the query has no caller today, but a future deregister/rotate flow
must remember to call DaemonTokenCache.Invalidate(hash) for each
deleted row, otherwise deleted daemon tokens stay valid until TTL.
2026-04-29 17:07:54 +08:00

148 lines
3.8 KiB
Go

package handler
import (
"encoding/json"
"errors"
"net/http"
"time"
"github.com/go-chi/chi/v5"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgtype"
"github.com/multica-ai/multica/server/internal/auth"
db "github.com/multica-ai/multica/server/pkg/db/generated"
)
type PersonalAccessTokenResponse struct {
ID string `json:"id"`
Name string `json:"name"`
Prefix string `json:"token_prefix"`
ExpiresAt *string `json:"expires_at"`
LastUsedAt *string `json:"last_used_at"`
CreatedAt string `json:"created_at"`
}
type CreatePATResponse struct {
PersonalAccessTokenResponse
Token string `json:"token"`
}
func patToResponse(pat db.PersonalAccessToken) PersonalAccessTokenResponse {
return PersonalAccessTokenResponse{
ID: uuidToString(pat.ID),
Name: pat.Name,
Prefix: pat.TokenPrefix,
ExpiresAt: timestampToPtr(pat.ExpiresAt),
LastUsedAt: timestampToPtr(pat.LastUsedAt),
CreatedAt: timestampToString(pat.CreatedAt),
}
}
type CreatePATRequest struct {
Name string `json:"name"`
ExpiresInDays *int `json:"expires_in_days"`
}
func (h *Handler) CreatePersonalAccessToken(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
var req CreatePATRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid request body")
return
}
if req.Name == "" {
writeError(w, http.StatusBadRequest, "name is required")
return
}
rawToken, err := auth.GeneratePATToken()
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to generate token")
return
}
var expiresAt pgtype.Timestamptz
if req.ExpiresInDays != nil && *req.ExpiresInDays > 0 {
expiresAt = pgtype.Timestamptz{
Time: time.Now().Add(time.Duration(*req.ExpiresInDays) * 24 * time.Hour),
Valid: true,
}
}
prefix := rawToken
if len(prefix) > 12 {
prefix = prefix[:12]
}
pat, err := h.Queries.CreatePersonalAccessToken(r.Context(), db.CreatePersonalAccessTokenParams{
UserID: parseUUID(userID),
Name: req.Name,
TokenHash: auth.HashToken(rawToken),
TokenPrefix: prefix,
ExpiresAt: expiresAt,
})
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to create token")
return
}
writeJSON(w, http.StatusCreated, CreatePATResponse{
PersonalAccessTokenResponse: patToResponse(pat),
Token: rawToken,
})
}
func (h *Handler) ListPersonalAccessTokens(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
pats, err := h.Queries.ListPersonalAccessTokensByUser(r.Context(), parseUUID(userID))
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to list tokens")
return
}
resp := make([]PersonalAccessTokenResponse, len(pats))
for i, pat := range pats {
resp[i] = patToResponse(pat)
}
writeJSON(w, http.StatusOK, resp)
}
func (h *Handler) RevokePersonalAccessToken(w http.ResponseWriter, r *http.Request) {
userID, ok := requireUserID(w, r)
if !ok {
return
}
id := chi.URLParam(r, "id")
idUUID, ok := parseUUIDOrBadRequest(w, id, "token id")
if !ok {
return
}
hash, err := h.Queries.RevokePersonalAccessToken(r.Context(), db.RevokePersonalAccessTokenParams{
ID: idUUID,
UserID: parseUUID(userID),
})
switch {
case err == nil:
// Drop the cache entry immediately so the revocation takes effect
// before the TTL would otherwise expire the cached lookup.
h.PATCache.Invalidate(r.Context(), hash)
case errors.Is(err, pgx.ErrNoRows):
// Token doesn't exist or doesn't belong to this user. Preserve the
// pre-existing idempotent 204 behavior — no cache entry to clear.
default:
writeError(w, http.StatusInternalServerError, "failed to revoke token")
return
}
w.WriteHeader(http.StatusNoContent)
}