- Notifications
You must be signed in to change notification settings - Fork927
feat: use JWT ticket to avoid DB queries on apps#6148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
WIPIssue a JWT ticket on the first request with a short expiry thatcontains details about which workspace/agent/app combo the ticket isvalid for.Refactor the workspace app auth logic into workspaceappsauth.go.
This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity. |
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
I've decided to not make the ticket expiry configurable yet until a customer asks us to make it configurable. |
I apologize for the large line count in this PR, the majority of the code is in two files |
mafredri left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Given the size of this PR, another pair of eyes on the auth stuff might be good, but other than the minor things I commented on, this looks OK to me!
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
| if _, ok := tx.fakeQuerier.locks[id]; ok { | ||
| return false, nil | ||
| } | ||
| tx.fakeQuerier.locks[id] = struct{}{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Should this be protected or use sync.Map? Otherwise we may have concurrent map read/writes between goroutines.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I wouldn't expect a transaction to be used concurrently from two places at once (and I don't think that even works anyways) but I can add this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
For example, the lock on the underlying data struct is replaced with a noop lock in a tx, so concurrent database read/writes may panic
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I've actually decided against this for the above reason.
Uh oh!
There was an error while loading.Please reload this page.
coderd/workspaceapps.go Outdated
| httpmw.RedirectToLogin(rw, r, httpmw.SignedOutErrorMessage) | ||
| mw.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { | ||
| user := httpmw.UserParam(r) | ||
| http.Redirect(rw, r, strings.Replace(r.URL.Path, "@me", "@"+user.Username, 1), http.StatusTemporaryRedirect) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
If we will never support@me for these apps, we could consider using permanent redirect perceived performance gain. Temporary is more future proof though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Problem with permanent redirect is if you login to a different user and have a similar workspace it'll always hit the wrong one.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM 👍
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Issues a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for. This lets us avoid the ~5 DB queries on each app request, and reduces them to ~5 per minute.
Large dev server apps will often make hundreds of requests to get bundles, which strains the database. The goal of this PR is to alleviate DB strain in large deployments that heavily lean on workspace apps.
Refactors the workspace app auth logic into workspaceappsauth.go.
Disables using
meas the username in workspace app requests. For subdomains we never used this, but it's possible that it has been used for path apps, so path apps will redirect to contain the correct username.TODO:
meusername redirectCloses#6361