feat: use JWT ticket to avoid DB queries on apps #6148
Conversation
WIP Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for. Refactor the workspace app auth logic into workspaceappsauth.go.
|
This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity. |
|
I've decided to not make the ticket expiry configurable yet until a customer asks us to make it configurable. |
|
I apologize for the large line count in this PR, the majority of the code is in two files |
| if _, ok := tx.fakeQuerier.locks[id]; ok { | ||
| return false, nil | ||
| } | ||
| tx.fakeQuerier.locks[id] = struct{}{} |
There was a problem hiding this comment.
Should this be protected or use sync.Map? Otherwise we may have concurrent map read/writes between goroutines.
There was a problem hiding this comment.
I wouldn't expect a transaction to be used concurrently from two places at once (and I don't think that even works anyways) but I can add this
There was a problem hiding this comment.
For example, the lock on the underlying data struct is replaced with a noop lock in a tx, so concurrent database read/writes may panic
There was a problem hiding this comment.
I've actually decided against this for the above reason.
coderd/workspaceapps.go
Outdated
| httpmw.RedirectToLogin(rw, r, httpmw.SignedOutErrorMessage) | ||
| mw.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { | ||
| user := httpmw.UserParam(r) | ||
| http.Redirect(rw, r, strings.Replace(r.URL.Path, "@me", "@"+user.Username, 1), http.StatusTemporaryRedirect) |
There was a problem hiding this comment.
If we will never support @me for these apps, we could consider using permanent redirect perceived performance gain. Temporary is more future proof though.
There was a problem hiding this comment.
Problem with permanent redirect is if you login to a different user and have a similar workspace it'll always hit the wrong one.
Issues a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for. This lets us avoid the ~5 DB queries on each app request, and reduces them to ~5 per minute.
Large dev server apps will often make hundreds of requests to get bundles, which strains the database. The goal of this PR is to alleviate DB strain in large deployments that heavily lean on workspace apps.
Refactors the workspace app auth logic into workspaceappsauth.go.
Disables using
meas the username in workspace app requests. For subdomains we never used this, but it's possible that it has been used for path apps, so path apps will redirect to contain the correct username.TODO:
meusername redirectCloses #6361