Skip to content

fix: SessionStore race conditions and async initialization (WAPI-1118)#71

Open
chakra-guy wants to merge 1 commit intocyfrin/wapi-1116from
cyfrin/wapi-1118
Open

fix: SessionStore race conditions and async initialization (WAPI-1118)#71
chakra-guy wants to merge 1 commit intocyfrin/wapi-1116from
cyfrin/wapi-1118

Conversation

@chakra-guy
Copy link
Collaborator

@chakra-guy chakra-guy commented Feb 25, 2026
edited by cursor bot
Loading

Summary

Fixes race conditions in SessionStore and replaces fire-and-forget garbage collection with proper async initialization.

  • BREAKING: SessionStore constructor is now private; use await SessionStore.create(kvstore) instead
  • SessionStore.create() runs garbage collection to completion before returning
  • Mutex protection on master list read-modify-write operations (addToMasterList, removeFromMasterList)
  • Updated all call sites across packages, apps, and tests

Note: This PR is based on cyfrin/wapi-1116 and should be merged after PR #70.

Jira

Test plan

  • New test: GC completes before first public method returns
  • New test: concurrent session sets don't lose entries (mutex)
  • All unit tests pass (68/68)
  • Lint passes
  • All new SessionStore(kvstore) call sites updated to await SessionStore.create(kvstore)

Note

Medium Risk
Breaking API change and modified session persistence/concurrency behavior; issues here could impact session listing/deletion under load, though coverage was added for the new guarantees.

Overview
Fixes SessionStore initialization and concurrency by making construction async-only and serializing master-list updates.

SessionStore now exposes await SessionStore.create(kvstore) (constructor made private) which runs startup garbage collection to completion before the instance is used, and uses an async-mutex to prevent lost updates in addToMasterList/removeFromMasterList during concurrent set/delete calls.

All apps/tests/load-tests/demos are updated to use the new async factory, and new unit tests cover GC completion on init and concurrent set behavior; changelog and core deps are updated accordingly.

Written by Cursor Bugbot for commit fcf6205. This will update automatically on new commits. Configure here.

@socket-security
Copy link

socket-security bot commented Feb 25, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedasync-mutex@​0.5.010010010080100

View full report

@chakra-guy chakra-guy force-pushed the cyfrin/wapi-1118 branch 2 times, most recently from 840959f to 4ce2384 Compare February 25, 2026 08:44
@chakra-guy
fix: SessionStore race conditions and async initialization (WAPI-1118)
fcf6205 
Replace fire-and-forget garbage collection with an async factory method
(SessionStore.create) that completes GC before the store is usable.
Add mutex protection around master list read-modify-write operations to
prevent concurrent session set/delete from corrupting the list.

BREAKING: SessionStore constructor is now private. Use
await SessionStore.create(kvstore) instead of new SessionStore(kvstore).
adonesky1
adonesky1 approved these changes Feb 26, 2026
View reviewed changes
Copy link

@adonesky1 adonesky1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks right to me!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adonesky1 adonesky1 adonesky1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chakra-guy @adonesky1