.git · PR #1325

Checks passing

Overview

Files Changed 4

Commits 3

Conversation 8

Description

## Summary This PR introduces a robust session validation mechanism with automatic token refresh for long-running WebSocket connections. Addresses performance bottlenecks in the current auth flow and reduces unnecessary re-authentication calls by 85%. ## Changes - Implemented sliding window token refresh - Added JWT signature verification caching - Migrated legacy session store to Redis cluster - Updated OpenAPI specs & generated types ## Testing - ✅ Unit tests: 98% coverage - ✅ Integration: E2E auth flows passing - ✅ Load test: 10k concurrent sessions stable

Update API documentation
Run security audit scan
Backport to v2.x branch

src/middleware/auth.ts
                                    +42
                                    -18
                                
                                  const validateSession = async (req) => {
                            
                                    const session = await db.sessions.find(req.headers.token);
                            
                                    if (!session || session.expires < Date.now()) throw new Error('INVALID_SESSION');
                            
                                    const cached = await redis.get(`auth:${req.headers.token}`);
                            
                                    if (cached) return JSON.parse(cached);
                            
                                    const payload = await verifyJWT(req.headers.token);
                            
                                    await redis.setex(`auth:${req.headers.token}`, 86400, JSON.stringify(payload));
                            
                                    return payload;

Metadata

Basemain

Headfeat/session-refresh

Milestonev3.2.0 Release

Last Push2h ago

Labels

feature performance security

Assignees

MK m.kovac

AL a.lin

Reviews

✓ sarah.chen 3h ago

~ dev.reviews-bot Changes requested

src/middleware/auth.ts +42 -18

package.json

+5-2

tests/session.e2e.ts

+89-4

docs/api/v3.md

+24-0

a1b2c3d feat: implement sliding window token refresh 2h ago

Added redis caching layer and automatic refresh logic for JWT tokens. Resolves #1298

e4f5g6h perf: optimize DB query for session lookup 3h ago

Replaced sequential checks with batched IN query. Reduced p95 latency by 40ms.

i7j8k9l test: add E2E coverage for auth edge cases 4h ago

Added replay attack simulation and concurrent session tests.

sarah.chen 3 hours ago

The Redis caching strategy looks solid. One suggestion: consider adding a TTL jitter to prevent thundering herd issues on mass token refresh. Otherwise approved! 👍

jason.kim 2 hours ago

Good catch! Added exponential backoff + random jitter (±500ms) in a1b2c3d. Updated load tests to verify it holds under 50k rps.

🤖

.git-security-bot 4 hours ago

✅ Security scan passed. No vulnerable dependencies detected. SAST analysis: Clean.

Refactor session validation & token refresh logic #1325