[Task] Split auth session check from full user bootstrap #258

Closed
opened 2026-07-14 00:13:18 +02:00 by zemion · 1 comment
Owner

Objective

Make interactive session validation fast by splitting the current heavy /api/v1/auth/me behavior into a lightweight session check and a separate full bootstrap/profile payload.

Context

Performance sampling on 2026-07-14 showed:

  • /api/v1/auth/login: ~175-210 ms after removing the duplicate login MeResponse build.
  • /api/v1/auth/me: ~1.3-5.0 s and still the main login/session-check hotspot.
  • /api/v1/platform/modules: ~2-3 ms, so module registry lookup is not the steady-state bottleneck.

The current /auth/me rebuilds roles, system roles, groups, scopes, language context, all tenant memberships, identity context, function assignments, and delegations. The frontend blocks on this as the session check.

Scope

  • Owning repositories: govoplan-core, govoplan-access.
  • Add a fast endpoint or response mode for "is this session valid and who is the active account/tenant?".
  • Keep the existing full bootstrap/profile payload available where the shell actually needs roles, tenants, languages, principal details, and preferences.
  • Update frontend startup and focus-refresh behavior to use the fast check where possible.
  • Preserve tenant switching, relogin, maintenance mode, API-key behavior, and permission boundaries.

Checklist

  • Define the fast session-check API contract.
  • Add backend endpoint or mode with focused tests.
  • Update App.tsx startup/session refresh flow.
  • Keep full bootstrap/profile loading explicit and non-duplicated.
  • Measure before/after on dev data.

Verification Target

  • python -m unittest tests.test_api_smoke.ApiSmokeTests.test_cookie_session_requires_csrf_for_mutations
  • Core webui build.
  • Manual timing: /api/v1/auth/session or equivalent should be well below the current /auth/me path.
## Objective Make interactive session validation fast by splitting the current heavy `/api/v1/auth/me` behavior into a lightweight session check and a separate full bootstrap/profile payload. ## Context Performance sampling on 2026-07-14 showed: - `/api/v1/auth/login`: ~175-210 ms after removing the duplicate login `MeResponse` build. - `/api/v1/auth/me`: ~1.3-5.0 s and still the main login/session-check hotspot. - `/api/v1/platform/modules`: ~2-3 ms, so module registry lookup is not the steady-state bottleneck. The current `/auth/me` rebuilds roles, system roles, groups, scopes, language context, all tenant memberships, identity context, function assignments, and delegations. The frontend blocks on this as the session check. ## Scope - Owning repositories: `govoplan-core`, `govoplan-access`. - Add a fast endpoint or response mode for "is this session valid and who is the active account/tenant?". - Keep the existing full bootstrap/profile payload available where the shell actually needs roles, tenants, languages, principal details, and preferences. - Update frontend startup and focus-refresh behavior to use the fast check where possible. - Preserve tenant switching, relogin, maintenance mode, API-key behavior, and permission boundaries. ## Checklist - [ ] Define the fast session-check API contract. - [ ] Add backend endpoint or mode with focused tests. - [ ] Update `App.tsx` startup/session refresh flow. - [ ] Keep full bootstrap/profile loading explicit and non-duplicated. - [ ] Measure before/after on dev data. ## Verification Target - `python -m unittest tests.test_api_smoke.ApiSmokeTests.test_cookie_session_requires_csrf_for_mutations` - Core webui build. - Manual timing: `/api/v1/auth/session` or equivalent should be well below the current `/auth/me` path.
Author
Owner

Recorded before closing, using the isolated core API smoke-test app on 2026-07-14.

Method:

  • SQLite test database with bootstrap_dev_data().
  • fastapi.testclient.TestClient, cookie session after /api/v1/auth/login.
  • 30 warm-cache requests per endpoint after one warm-up request.
  • Values are in milliseconds and are intended as relative endpoint-cost measurements, not network/browser timings.
Endpoint n min median mean p95 max
/api/v1/auth/session 30 4.591 5.057 5.219 6.316 6.627
/api/v1/auth/shell 30 9.101 10.196 10.417 12.907 13.717
/api/v1/auth/profile 30 5.889 6.729 6.763 7.710 8.133
/api/v1/auth/roles 30 7.994 8.801 8.856 9.711 10.104
/api/v1/auth/groups 30 5.422 5.844 6.124 7.687 8.314
legacy /api/v1/auth/me 30 65.500 68.167 69.450 71.661 101.536

Conclusion: the lightweight session/shell/profile split is implemented and materially cheaper than the legacy full /auth/me bootstrap. Follow-up DB query timing and deeper auth batching remain tracked in govoplan-core#259.

Recorded before closing, using the isolated core API smoke-test app on 2026-07-14. Method: - SQLite test database with `bootstrap_dev_data()`. - `fastapi.testclient.TestClient`, cookie session after `/api/v1/auth/login`. - 30 warm-cache requests per endpoint after one warm-up request. - Values are in milliseconds and are intended as relative endpoint-cost measurements, not network/browser timings. | Endpoint | n | min | median | mean | p95 | max | | --- | ---: | ---: | ---: | ---: | ---: | ---: | | `/api/v1/auth/session` | 30 | 4.591 | 5.057 | 5.219 | 6.316 | 6.627 | | `/api/v1/auth/shell` | 30 | 9.101 | 10.196 | 10.417 | 12.907 | 13.717 | | `/api/v1/auth/profile` | 30 | 5.889 | 6.729 | 6.763 | 7.710 | 8.133 | | `/api/v1/auth/roles` | 30 | 7.994 | 8.801 | 8.856 | 9.711 | 10.104 | | `/api/v1/auth/groups` | 30 | 5.422 | 5.844 | 6.124 | 7.687 | 8.314 | | legacy `/api/v1/auth/me` | 30 | 65.500 | 68.167 | 69.450 | 71.661 | 101.536 | Conclusion: the lightweight session/shell/profile split is implemented and materially cheaper than the legacy full `/auth/me` bootstrap. Follow-up DB query timing and deeper auth batching remain tracked in `govoplan-core#259`.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#258
No description provided.