feat: multi-replica readiness (P1 hardening)#538
Merged
Conversation
Prepare PicImpact to run as multiple replicas behind a load balancer.
- auth: shorten the better-auth signed cookie-cache TTL from 30m to 60s. The cookie cache is per-instance in-memory state, so a long TTL let a revoked session keep validating on a replica that still held the cached cookie. 60s bounds cross-replica revocation lag while still absorbing repeat reads.
- preprocess tick: add an optional shared-secret gate on POST /api/v1/preprocess-tasks/tick via PREPROCESS_TICK_SECRET + x-preprocess-tick-secret header (constant-time compared, never logged). This is the public-cron driver path for multi-replica; when the env var is unset the endpoint stays open so single-instance / internal-ticker deployments are unaffected.
- docs: add docs/multi-replica.md covering single-driver ticker (PREPROCESS_TICKER_ENABLED=false + one external cron), DB connection budgeting (N x pool), session revocation latency, and the interim per-replica data-cache behavior. Document the new env vars in .env.example.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
First phase of multi-replica readiness: lets PicImpact run as multiple replicas behind a load balancer. Most state is already shared and safe (DB-backed sessions; the preprocess task queue is claimed via a PostgreSQL advisory lock + lease), so this PR only addresses the per-instance concerns that matter when scaling past one replica. No behavior change for single-instance deployments.
Changes
- Auth: shorten the better-auth signed cookie-cache TTL from 30m to 60s (server/auth/index.ts). The better-auth cookie cache is per-instance in-memory state, so a long TTL let a revoked session keep validating on a replica that still held the cached cookie. 60s bounds cross-replica revocation lag while still absorbing repeat reads.
- Preprocess tick: add an optional shared-secret gate on POST /api/v1/preprocess-tasks/tick (hono/preprocess-tasks.ts). POST /api/v1/preprocess-tasks/tick is the external-cron driver used in multi-replica setups, so it can be reached publicly. When PREPROCESS_TICK_SECRET is set, callers must send it in the x-preprocess-tick-secret header (constant-time compared, never logged); otherwise 401. When the env var is unset the endpoint stays open, so single-instance / internal-ticker deployments are unaffected.
- Docs: add docs/multi-replica.md (single-driver ticker via PREPROCESS_TICKER_ENABLED=false + one external cron, DB connection budgeting, session-revocation latency, interim per-replica data-cache behavior) and document the new env vars in .env.example.
Notes
- docs/multi-replica.md.
- /api/v1/* and /admin currently rely on client-side auth only; server-side enforcement is a pre-existing gap unrelated to multi-replica and left as-is per maintainer direction. requireAuth already exists in hono/_lib/context.ts if/when we wire it up.
Test plan
- next build passes; tsc --noEmit clean for the changed files.
- With PREPROCESS_TICK_SECRET unset, POST /tick works as before; with it set, a request without / with a wrong header returns 401, and a request with the matching header succeeds.
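The shared-secret gate described under Changes, written out as an added TypeScript example. This is not PicImpact's code from hono/preprocess-tasks.ts; it shows the three properties the PR claims for the gate: an open endpoint when PREPROCESS_TICK_SECRET is unset, a constant-time comparison (done over fixed-size SHA-256 digests, because timingSafeEqual throws on unequal lengths and an early length check would leak the secret's length), and a handler that never echoes or logs the presented value. The names gateTick, secretsEqual, handleTick, runTick and the plain request/response shapes are assumptions; Hono itself is not imported so the block runs stand-alone, and treating an empty string the same as unset is a design choice of this example, not something the PR states.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

export const TICK_SECRET_HEADER = "x-preprocess-tick-secret";

// Minimal request/response shapes so the example does not depend on Hono (assumption).
export interface TickRequest {
  headers: Record<string, string>;
}
export interface TickResponse {
  status: 200 | 401;
  body: string;
}

export interface GateResult {
  allowed: boolean;
  status: 200 | 401;
  // Why the decision was taken; safe to log because it never carries the presented value.
  reason: "open" | "ok" | "missing" | "mismatch";
}

/**
 * Constant-time equality for two strings of possibly different lengths.
 * timingSafeEqual requires equal-length buffers and a plain length check would
 * leak the secret's length, so both sides are reduced to 32-byte digests first.
 */
export function secretsEqual(a: string, b: string): boolean {
  const da = createHash("sha256").update(a, "utf8").digest();
  const db = createHash("sha256").update(b, "utf8").digest();
  return timingSafeEqual(da, db);
}

/**
 * Decide whether a tick request may proceed.
 *  - configured unset (or empty, an assumption of this example) -> open, as for
 *    single-instance / internal-ticker deployments
 *  - header missing or wrong -> 401
 */
export function gateTick(configured: string | undefined, presented: string | undefined): GateResult {
  if (!configured) return { allowed: true, status: 200, reason: "open" };
  if (presented === undefined) return { allowed: false, status: 401, reason: "missing" };
  return secretsEqual(configured, presented)
    ? { allowed: true, status: 200, reason: "ok" }
    : { allowed: false, status: 401, reason: "mismatch" };
}

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

/**
 * Route handler shape for POST /api/v1/preprocess-tasks/tick.
 * `runTick` stands in for the real queue-claim step (assumption) and is only
 * reached once the gate passes. The presented secret is never placed in the
 * response or in the gate result, so nothing here can leak it into logs.
 */
export function handleTick(
  req: TickRequest,
  env: { PREPROCESS_TICK_SECRET?: string },
  runTick: () => number,
): TickResponse {
  const gate = gateTick(env.PREPROCESS_TICK_SECRET, getHeader(req.headers, TICK_SECRET_HEADER));
  if (!gate.allowed) {
    // A public caller learns only that it was refused, not why or what was expected.
    return { status: gate.status, body: "unauthorized" };
  }
  const claimed = runTick();
  return { status: 200, body: JSON.stringify({ claimed }) };
}
```

A wrong-length header is the case worth checking in a review of any "constant-time compare" claim: with a raw timingSafeEqual the mismatch would throw (a 500 instead of a 401) or, if guarded by a length check, reveal the secret's length one request at a time.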