[Task] Split auth session check from full user bootstrap #258
Closed
opened 2026-07-14 00:13:18 +02:00 by zemion
·
1 comment
Labels
Clear labels
area/api
HTTP API contracts, routers, schemas, or API smoke behavior.
area/auth
Authentication, sessions, access bootstrap, or login behavior.
area/db
Database sessions, models, transactions, or persistence primitives.
area/deployment
Deployment, release, operations, or runtime packaging.
area/devex
Local developer workflow, scripts, tests, tooling, or release helpers.
area/docs
Durable documentation and project guidance.
area/governance
Governance policy, audit, privacy, retention, or compliance behavior.
area/marketing
Public website, product messaging, publication copy, or legal page content.
area/migrations
Alembic migrations, schema bootstrap, or persistence evolution.
area/module-system
Module discovery, manifests, capabilities, routing, or optional integrations.
area/rbac
Permissions, roles, delegation, or authorization policy.
area/release
Versioning, release locks, tags, packaging, or dependency pins.
area/security
Security posture, static analysis, supply-chain hardening, or vulnerability remediation.
area/tenancy
Tenant boundaries, provisioning, or tenant-scoped data behavior.
area/webui
Shared WebUI shell, frontend components, routing, or frontend tests.
audit/complexity
Complexity finding from Radon, Xenon, or equivalent maintainability scans.
audit/duplication
Duplicated-code finding from jscpd or equivalent similarity scans.
audit/false-positive
Audit finding reviewed as a narrow false positive or acceptable risk.
audit/needs-design
Audit finding that needs an architectural or product decision before implementation.
audit/quick-fix
Audit finding that appears narrow and directly fixable.
audit/structural
Audit finding that needs design, refactoring, or behavior review.
codex/needs-human
Needs an explicit human decision before Codex should implement.
codex/ready
Suitable for Codex to pick up with the existing issue context.
module/access
GovOPlaN access, identity, authentication, RBAC, and administration behavior.
module/addresses
GovOPlaN Addresses module behavior or integration.
module/admin
GovOPlaN Admin module behavior or integration.
module/appointments
GovOPlaN Appointments module behavior or integration.
module/approvals
GovOPlaN Approvals module behavior or integration.
module/assets
GovOPlaN Assets module behavior or integration.
module/audit
GovOPlaN Audit module behavior or integration.
module/booking
GovOPlaN Booking module behavior or integration.
module/calendar
GovOPlaN Calendar module behavior or integration.
module/campaign
GovOPlaN campaign module behavior or integration.
module/cases
GovOPlaN Cases module behavior or integration.
module/certificates
GovOPlaN Certificates module behavior or integration.
module/committee
GovOPlaN Committee module behavior or integration.
module/connectors
GovOPlaN Connectors module behavior or integration.
module/consultation
GovOPlaN Consultation module behavior or integration.
module/contracts
GovOPlaN Contracts module behavior or integration.
module/core
GovOPlaN core runner, shared primitives, shell, or extension points.
module/dist-lists
GovOPlaN Distribution Lists module behavior or integration.
module/dms
GovOPlaN Dms module behavior or integration.
module/docs
GovOPlaN documentation layer behavior or integration.
module/erp
GovOPlaN Erp module behavior or integration.
module/evaluation
GovOPlaN Evaluation module behavior or integration.
module/facilities
GovOPlaN Facilities module behavior or integration.
module/files
GovOPlaN files module behavior or integration.
module/fit-connect
GovOPlaN Fit Connect module behavior or integration.
module/forms
GovOPlaN Forms module behavior or integration.
module/forms-runtime
GovOPlaN Forms Runtime module behavior or integration.
module/grants
GovOPlaN Grants module behavior or integration.
module/helpdesk
GovOPlaN Helpdesk module behavior or integration.
module/identity
GovOPlaN Identity module behavior or integration.
module/identity-trust
GovOPlaN Identity Trust module behavior or integration.
module/idm
GovOPlaN Idm module behavior or integration.
module/inspections
GovOPlaN Inspections module behavior or integration.
module/issue-reporting
GovOPlaN Issue Reporting module behavior or integration.
module/learning
GovOPlaN Learning module behavior or integration.
module/ledger
GovOPlaN Ledger module behavior or integration.
module/mail
GovOPlaN mail module behavior or integration.
module/notifications
GovOPlaN Notifications module behavior or integration.
module/ops
GovOPlaN Ops module behavior or integration.
module/organizations
GovOPlaN Organizations module behavior or integration.
module/payments
GovOPlaN Payments module behavior or integration.
module/permits
GovOPlaN Permits module behavior or integration.
module/policy
GovOPlaN Policy module behavior or integration.
module/poll
GovOPlaN Poll module behavior or integration.
module/portal
GovOPlaN Portal module behavior or integration.
module/postbox
GovOPlaN Postbox module behavior or integration.
module/procurement
GovOPlaN Procurement module behavior or integration.
module/records
GovOPlaN Records module behavior or integration.
module/reporting
GovOPlaN Reporting module behavior or integration.
module/resources
GovOPlaN Resources module behavior or integration.
module/risk-compliance
GovOPlaN Risk Compliance module behavior or integration.
module/scheduling
GovOPlaN Scheduling module behavior or integration.
module/search
GovOPlaN Search module behavior or integration.
module/tasks
GovOPlaN Tasks module behavior or integration.
module/templates
GovOPlaN Templates module behavior or integration.
module/tenancy
GovOPlaN Tenancy module behavior or integration.
module/transparency
GovOPlaN Transparency module behavior or integration.
module/web
GovOPlaN public website, product page, or publication content.
module/workflow
GovOPlaN Workflow module behavior or integration.
module/xoev
GovOPlaN Xoev module behavior or integration.
module/xrechnung
GovOPlaN Xrechnung module behavior or integration.
module/xta-osci
GovOPlaN Xta Osci module behavior or integration.
priority
p0
Immediate stop-the-line priority.
priority
p1
High priority for the next focused work window.
priority
p2
Normal planned priority.
priority
p3
Low priority or opportunistic cleanup.
source/backlog-import
Imported from markdown backlog, roadmap, plan, or TODO files.
source/module-roadmap
Created from GovOPlaN module and integration roadmap planning.
source/security-audit
Created from a structured security or code-quality audit report.
source/todo-scan
Imported from inline TODO/FIXME/HACK markers by the Gitea TODO importer.
status
blocked
Cannot progress without a decision, dependency, credential, or external change.
status
in-progress
Currently being worked.
status
needs-info
Needs clarifying input before implementation can proceed safely.
status
ready
Ready for implementation.
status
triage
Needs review, ownership, priority, or acceptance criteria.
type
bug
A reproducible defect, regression, or incorrect behavior.
type
debt
Cleanup, refactoring, risk reduction, or deferred engineering work.
type
docs
Documentation, process, or developer workflow work.
type
feature
New user-visible behavior or platform capability.
type
task
Implementation, maintenance, migration, or operational work.
type
user-story
End-to-end user journey or real-world process story used to steer product slices.
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: add-ideas/govoplan-core#258
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Objective
Make interactive session validation fast by splitting the current heavy
/api/v1/auth/mebehavior into a lightweight session check and a separate full bootstrap/profile payload.Context
Performance sampling on 2026-07-14 showed:
/api/v1/auth/login: ~175-210 ms after removing the duplicate loginMeResponsebuild./api/v1/auth/me: ~1.3-5.0 s and still the main login/session-check hotspot./api/v1/platform/modules: ~2-3 ms, so module registry lookup is not the steady-state bottleneck.The current
/auth/merebuilds roles, system roles, groups, scopes, language context, all tenant memberships, identity context, function assignments, and delegations. The frontend blocks on this as the session check.Scope
govoplan-core,govoplan-access.Checklist
App.tsxstartup/session refresh flow.Verification Target
python -m unittest tests.test_api_smoke.ApiSmokeTests.test_cookie_session_requires_csrf_for_mutations/api/v1/auth/sessionor equivalent should be well below the current/auth/mepath.Recorded before closing, using the isolated core API smoke-test app on 2026-07-14.
Method:
bootstrap_dev_data().fastapi.testclient.TestClient, cookie session after/api/v1/auth/login./api/v1/auth/session/api/v1/auth/shell/api/v1/auth/profile/api/v1/auth/roles/api/v1/auth/groups/api/v1/auth/meConclusion: the lightweight session/shell/profile split is implemented and materially cheaper than the legacy full
/auth/mebootstrap. Follow-up DB query timing and deeper auth batching remain tracked ingovoplan-core#259.