SS-1898 Add configurable caching for auth permission checks#541
Merged
Conversation
Contributor
|
I think I would have implemented this similar to the way you did however some suggestions that I'll paste here that are up for discussion but are non-blocking:
|
j-awada
reviewed
Jun 9, 2026
j-awada
reviewed
Jun 9, 2026
Collaborator
Author
Agreed, I will make these changes. |
j-awada
approved these changes
Jun 11, 2026
j-awada
left a comment
Contributor
There was a problem hiding this comment.
Thanks for making the changes, works as expected locally.
j-awada
pushed a commit
that referenced
this pull request
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR relates to SS-1898.
This reduces repeated database work on high-traffic auth, status, and public-app flows that can add pressure to the Postgres connection pool during concurrency spikes. The caches are configurable and use short TTLs so they can be enabled gradually without making permission changes stale for long.
/auth/permission cache: caches the internal/auth/allow/deny decision for subdomain requests. It is off by default and can be enabled withAUTH_PERMISSION_CACHE_ENABLED=true./auth/checks so we can see when requests actually hit the permission path instead of being served from cache.can_view_projectdecisions for frequently-polled status endpoints. Grant, revoke, and project delete paths invalidate the relevant project permission cache entry immediately; missing projects are not cached.GetStatusView,BackgroundTaskStatusAPI, andProjectStatusViewnow reject unauthenticated or unauthorized requests before doing project, app, or task lookups.common/auth_cache.py,/auth/-specific logic lives instudio/auth_permission_cache.py, and project permission caching/invalidation lives inprojects/permissions.py./openapi/v1/public-apps, the public apps page, homepage counts, and recent public apps now cache their results withPUBLIC_APPS_CACHE_TIMEOUT.Apps.objects.get(...)calls by using bulk loading,select_related, and.values(...)where appropriate.SESSION_CACHE_ENABLEDfor Django’scached_dbsession backend when Redis-backed session caching should be enabled.Config
AUTH_PERMISSION_CACHE_ENABLEDdefault:falseAUTH_PERMISSION_CACHE_TIMEOUTdefault:30AUTH_PERMISSION_CACHE_DENY_TIMEOUTdefault:5AUTH_REQUEST_LOGGING_ENABLEDdefault:truePROJECT_PERMISSION_CACHE_TIMEOUTdefault:5, set to0to disablePUBLIC_APPS_CACHE_TIMEOUTdefault:30SESSION_CACHE_ENABLEDdefault:falseChecklist