Replace argon2id-per-row session lookup with sha256 indexed lookup #60
Merged
validateSession was scanning every non-expired row in the session table and running argon2id verify against each one until it found a match — ~430ms per request at ~7 sessions today, scaling linearly with total active sessions. Same anti-pattern in getInvitationByToken.
Session and invitation tokens are 256-bit CSPRNG output; their entropy alone defeats offline preimage attacks, so the slow-hash verifier was buying nothing. Switch to a unique-indexed token_hash bytea column storing sha256(rawToken). Each lookup is now a single B-tree probe. Benchmarked at p50 1.1ms / p95 2.2ms with 50 sessions, vs the previous ~3s extrapolated for the same load.
Migration 009 truncates session and invitation tables (raw tokens are unrecoverable from argon2 hashes), drops the token column on both — which cascades the redundant idx_session_token / idx_invitation_token plus the unique-constraint indexes — and adds the new token_hash column with its unique index.
CLI now recognizes UNAUTHORIZED on accounts RPCs, clears the stored session token, and prints "Session expired. Run 'me login' to sign in again." so users aren't stuck repeating 401s.
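The lookup pattern the description above refers to, as an added example that is not part of the pull request or the project's code: store only sha256(rawToken) in a unique-indexed column and resolve a session with one equality probe. Assumptions: SQLite stands in for the project's database (BLOB in place of bytea), and `open_db`, `create_session`, `validate_session` and `lookup_plan` are hypothetical names.

```python
import hashlib
import secrets
import sqlite3
import time

# Assumption: SQLite stands in for the PR's database; BLOB plays the role of bytea.
SCHEMA = """
CREATE TABLE session (
    id         INTEGER PRIMARY KEY,
    user_id    TEXT    NOT NULL,
    token_hash BLOB    NOT NULL UNIQUE,  -- sha256(rawToken); UNIQUE creates the index
    expires_at INTEGER NOT NULL
);
"""
LOOKUP = "SELECT user_id FROM session WHERE token_hash = ? AND expires_at > ?"

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def token_hash(raw_token: str) -> bytes:
    # One fast hash is enough only because the token is 256 bits of CSPRNG output.
    return hashlib.sha256(raw_token.encode("ascii")).digest()

def create_session(db, user_id, ttl_seconds=3600, now=None):
    """Hypothetical helper: persist only the hash, hand the raw token back once."""
    now = int(time.time()) if now is None else now
    raw_token = secrets.token_urlsafe(32)  # 32 bytes = 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO session (user_id, token_hash, expires_at) VALUES (?, ?, ?)",
        (user_id, token_hash(raw_token), now + ttl_seconds),
    )
    return raw_token

def validate_session(db, raw_token, now=None):
    """Single equality probe on the unique index; no per-row verify loop."""
    now = int(time.time()) if now is None else now
    row = db.execute(LOOKUP, (token_hash(raw_token), now)).fetchone()
    return row[0] if row else None

def lookup_plan(db):
    # Query-plan text, so the index use can be checked rather than assumed.
    rows = db.execute("EXPLAIN QUERY PLAN " + LOOKUP, (b"", 0)).fetchall()
    return " ".join(r[-1] for r in rows)
```

The same construction is not a substitute for a slow hash on low-entropy secrets such as passwords; it relies on the token being unguessable in the first place.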