perf: optimize password authentication path with caching (#894)

Author: v0idpwn

lib/supavisor/client_handler.ex

@@ -743,6 +743,7 @@ defmodule Supavisor.ClientHandler do
   ## Internal functions
   defp handle_auth_success(sock, final_secrets, data) do
     Logger.info("ClientHandler: Connection authenticated")
+    cache_validated_password(data, final_secrets)
 
     if data.mode != :proxy do
       Supavisor.UpstreamAuthentication.put_upstream_auth_secrets(data.id, final_secrets)
@@ -766,6 +767,19 @@ defmodule Supavisor.ClientHandler do
     }
   end
 
+  defp cache_validated_password(%{tenant: tenant}, %Supavisor.Secrets.PasswordSecrets{} = secrets) do
+    case Supavisor.ClientAuthentication.get_validation_secrets(tenant, secrets.user) do
+      {:ok, %{password_secrets: nil} = validation} ->
+        updated = %{validation | password_secrets: secrets}
+        Supavisor.ClientAuthentication.put_validation_secrets(tenant, secrets.user, updated)
+
+      _ ->
+        :ok
+    end
+  end
+
+  defp cache_validated_password(_data, _secrets), do: :ok
+
   defp handle_auth_failure(exception, data) do
     AuthMethods.handle_auth_failure(data.auth_context, exception)
     Supavisor.CircuitBreaker.record_failure({data.tenant, data.peer_ip}, :auth_error)

lib/supavisor/client_handler/auth_methods/password.ex

@@ -83,7 +83,7 @@ defmodule Supavisor.ClientHandler.AuthMethods.Password do
   defp validate_password(password, ctx) do
     with {:ok, %{password_secrets: password_secrets, sasl_secrets: sasl_secrets}} <-
            ClientAuthentication.fetch_validation_secrets(ctx.id, ctx.tenant, ctx.user) do
-      if password_secrets && password == password_secrets.password do
+      if password_secrets && Plug.Crypto.secure_compare(password, password_secrets.password) do
         :ok
       else
         salted_password =