From e967aaabfbc64b3533fa5500d25d4a57b7ea8a78 Mon Sep 17 00:00:00 2001 From: anti Date: Fri, 17 Apr 2026 20:36:39 -0400 Subject: [PATCH] perf: cache get_user_by_username on the login hot path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Locust @task(2) hammers /auth/login in steady state on top of the on_start burst. After caching the uuid-keyed user lookup and every other read endpoint, login alone accounted for 47% of total _execute at 500c/u — pure DB queueing on SELECT users WHERE username=?. 5s TTL, positive hits only (misses bypass so a freshly-created user can log in immediately). Password verify still runs against the cached hash, so security is unchanged — the only staleness window is: a changed password accepts the old password for up to 5s until invalidate_user_cache fires (it's called on every write). --- decnet/web/dependencies.py | 43 +++++++++++++++++++++++++++-- decnet/web/router/auth/api_login.py | 4 +-- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/decnet/web/dependencies.py b/decnet/web/dependencies.py index 2c7f12c..1b1c798 100644 --- a/decnet/web/dependencies.py +++ b/decnet/web/dependencies.py @@ -32,22 +32,61 @@ _USER_TTL = 10.0 _user_cache: dict[str, tuple[Optional[dict[str, Any]], float]] = {} _user_cache_lock: Optional[asyncio.Lock] = None +# Username cache for the login hot path. Short TTL — the bcrypt verify +# still runs against the cached hash, so security is unchanged. The +# staleness window is: if a password is changed, the old password is +# usable for up to _USERNAME_TTL seconds until the cache expires (or +# invalidate_user_cache fires). We invalidate on every user write. +# Missing lookups are NOT cached to avoid locking out a just-created user. +_USERNAME_TTL = 5.0 +_username_cache: dict[str, tuple[dict[str, Any], float]] = {} +_username_cache_lock: Optional[asyncio.Lock] = None + def _reset_user_cache() -> None: - global _user_cache, _user_cache_lock + global _user_cache, _user_cache_lock, _username_cache, _username_cache_lock _user_cache = {} _user_cache_lock = None + _username_cache = {} + _username_cache_lock = None def invalidate_user_cache(user_uuid: Optional[str] = None) -> None: - """Drop a single user (or all users) from the auth cache. + """Drop a single user (or all users) from the auth caches. Callers: password change, role change, user create/delete. + The username cache is always cleared wholesale — we don't track + uuid→username and user writes are rare, so the cost is trivial. """ if user_uuid is None: _user_cache.clear() else: _user_cache.pop(user_uuid, None) + _username_cache.clear() + + +async def get_user_by_username_cached(username: str) -> Optional[dict[str, Any]]: + """Cached read of get_user_by_username for the login path. + + Positive hits are cached for _USERNAME_TTL seconds. Misses bypass + the cache so a freshly-created user can log in immediately. + """ + global _username_cache_lock + entry = _username_cache.get(username) + now = time.monotonic() + if entry is not None and now - entry[1] < _USERNAME_TTL: + return entry[0] + if _username_cache_lock is None: + _username_cache_lock = asyncio.Lock() + async with _username_cache_lock: + entry = _username_cache.get(username) + now = time.monotonic() + if entry is not None and now - entry[1] < _USERNAME_TTL: + return entry[0] + user = await repo.get_user_by_username(username) + if user is not None: + _username_cache[username] = (user, time.monotonic()) + return user async def _get_user_cached(user_uuid: str) -> Optional[dict[str, Any]]: diff --git a/decnet/web/router/auth/api_login.py b/decnet/web/router/auth/api_login.py index d3c1af7..a41eaab 100644 --- a/decnet/web/router/auth/api_login.py +++ b/decnet/web/router/auth/api_login.py @@ -9,7 +9,7 @@ from decnet.web.auth import ( averify_password, create_access_token, ) -from decnet.web.dependencies import repo +from decnet.web.dependencies import get_user_by_username_cached from decnet.web.db.models import LoginRequest, Token router = APIRouter() @@ -27,7 +27,7 @@ router = APIRouter() ) @_traced("api.login") async def login(request: LoginRequest) -> dict[str, Any]: - _user: Optional[dict[str, Any]] = await repo.get_user_by_username(request.username) + _user: Optional[dict[str, Any]] = await get_user_by_username_cached(request.username) if not _user or not await averify_password(request.password, _user["password_hash"]): raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED,