Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: use JWT ticket to avoid DB queries on apps #6148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Mar 7, 2023
Merged

feat: use JWT ticket to avoid DB queries on apps #6148

merged 18 commits into from
Mar 7, 2023

Conversation

deansheather
Copy link
Member

@deansheather deansheather commented Feb 10, 2023
edited
Loading

Issues a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for. This lets us avoid the ~5 DB queries on each app request, and reduces them to ~5 per minute.

Large dev server apps will often make hundreds of requests to get bundles, which strains the database. The goal of this PR is to alleviate DB strain in large deployments that heavily lean on workspace apps.

Refactors the workspace app auth logic into workspaceappsauth.go.

Disables using me as the username in workspace app requests. For subdomains we never used this, but it's possible that it has been used for path apps, so path apps will redirect to contain the correct username.

TODO:

  • Generate a secret key on first start, store in DB, cache in memory
  • JWT signing and parsing
  • Path-cookies for path apps
  • New workspace auth internal tests
  • Test for path app me username redirect
  • Test for no port proxying allowed in paths
  • TODOs in the code
  • Fix bugs that break existing tests

Closes #6361

@deansheather
feat: use JWT ticket to avoid DB queries on apps
cd239fa 
WIP

Issue a JWT ticket on the first request with a short expiry that
contains details about which workspace/agent/app combo the ticket is
valid for.

Refactor the workspace app auth logic into workspaceappsauth.go.
@deansheather
get existing tests working
24d1112
@deansheather
progress
8ffd8d4
@deansheather
progress
a392635
@deansheather
working session tickets
e60c645
@deansheather
progress
e681f4c
@github-actions
Copy link

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

@github-actions github-actions bot added the stale This issue is like stale bread. label Feb 19, 2023
@deansheather deansheather removed the stale This issue is like stale bread. label Feb 20, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 28, 2023
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 28, 2023
View reviewed changes
@deansheather
Copy link
Member Author

I've decided to not make the ticket expiry configurable yet until a customer asks us to make it configurable.

@deansheather
Copy link
Member Author

I apologize for the large line count in this PR, the majority of the code is in two files auth.go and ticket.go, and the rest of the changed lines are moved code and tests.

@deansheather deansheather marked this pull request as ready for review February 28, 2023 19:41
@deansheather deansheather requested a review from sreya March 2, 2023 17:25
mafredri
mafredri approved these changes Mar 2, 2023
View reviewed changes
Copy link
Member

@mafredri mafredri left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given the size of this PR, another pair of eyes on the auth stuff might be good, but other than the minor things I commented on, this looks OK to me!

coderd/database/dbfake/databasefake.go
if _, ok := tx.fakeQuerier.locks[id]; ok {
return false, nil
}
tx.fakeQuerier.locks[id] = struct{}{}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be protected or use sync.Map? Otherwise we may have concurrent map read/writes between goroutines.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't expect a transaction to be used concurrently from two places at once (and I don't think that even works anyways) but I can add this

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For example, the lock on the underlying data struct is replaced with a noop lock in a tx, so concurrent database read/writes may panic

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've actually decided against this for the above reason.

coderd/workspaceapps.go Outdated
httpmw.RedirectToLogin(rw, r, httpmw.SignedOutErrorMessage)
mw.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
user := httpmw.UserParam(r)
http.Redirect(rw, r, strings.Replace(r.URL.Path, "@me", "@"+user.Username, 1), http.StatusTemporaryRedirect)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we will never support @me for these apps, we could consider using permanent redirect perceived performance gain. Temporary is more future proof though.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Problem with permanent redirect is if you login to a different user and have a similar workspace it'll always hit the wrong one.

sreya
sreya approved these changes Mar 6, 2023
View reviewed changes
Copy link
Collaborator

@sreya sreya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@deansheather deansheather requested a review from sreya March 7, 2023 18:26
@deansheather deansheather enabled auto-merge (squash) March 7, 2023 19:08
@deansheather deansheather merged commit 1bdd2ab into main Mar 7, 2023
@deansheather deansheather deleted the dean/app-tickets branch March 7, 2023 19:38
@github-actions github-actions bot locked and limited conversation to collaborators Mar 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mafredri mafredri mafredri approved these changes

@sreya sreya sreya approved these changes

@kylecarbs kylecarbs Awaiting requested review from kylecarbs

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use JWT signatures for app requests to avoid db load on request-heavy apps
3 participants
@deansheather @mafredri @sreya