Refactor authentication middleware for v2.0 compatibility

⚡ In Progress 🐛 bug 🔧 core ⚠️ priority-high 🔐 auth Created 3 days ago • Updated 2h ago

The current authentication middleware relies on deprecated session handling that conflicts with the v2.0 runtime architecture. This causes intermittent 401s under high concurrency and breaks JWT rotation.

Expected behavior:

Middleware should use the new async token validation pipeline and support stateless session fallback without blocking the event loop.

Reproduction steps:

# 1. Enable v2.0 runtime flags
export GIT_V2_RUNTIME=true
# 2. Run stress test
ab -n 10000 -c 100 https://api.git.dev/v2/auth/refresh
# 3. Observe middleware deadlock in logs

See attached trace logs and proposed migration path in the linked PR. Priority elevated due to SLO impact.

Comments

3 comments
Anika K.
2 days ago • edited
I've reviewed the trace logs. The deadlock happens when the old session store tries to acquire a mutex during async token refresh. We should replace SessionStore.lock() with the new channel-based approach. I've drafted a patch in #1348 that addresses this.
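The failure mode and the fix described in the comment above, as an added example that is not part of the comment, the issue or the patch in #1348. It assumes a Python asyncio service (the issue does not name the language) and that the mutex is a blocking one held across an await; `LockingStore`, `ChannelStore`, `run_demo` and the timings are hypothetical names and values.

```python
import asyncio
import threading

class LockingStore:
    """Hypothetical 'before': a blocking mutex held across an await."""
    def __init__(self):
        self._mutex = threading.Lock()   # assumed stand-in for SessionStore.lock()
        self.version = 0
    async def refresh(self):
        # A bare acquire() would freeze the event loop for good; the timeout
        # lets this demo report the stall instead of hanging.
        if not self._mutex.acquire(timeout=0.1):
            return "stalled"
        try:
            await asyncio.sleep(0.01)    # async token validation, mutex still held
            self.version += 1
            return "ok"
        finally:
            self._mutex.release()

class ChannelStore:
    """Hypothetical 'after': one owner task serialises refreshes from a queue."""
    def __init__(self):
        self._requests = asyncio.Queue()
        self.version = 0
    async def run(self):
        while True:
            reply = await self._requests.get()
            await asyncio.sleep(0.01)    # async token validation, nothing held
            self.version += 1
            reply.set_result("ok")
    async def refresh(self):
        reply = asyncio.get_running_loop().create_future()
        await self._requests.put(reply)
        return await reply

async def _demo(store_cls, callers):
    store = store_cls()                  # built inside the running loop
    owner = asyncio.create_task(store.run()) if hasattr(store, "run") else None
    results = await asyncio.gather(*(store.refresh() for _ in range(callers)))
    if owner:
        owner.cancel()
    return results, store.version

def run_demo(store_cls, callers=3):
    return asyncio.run(_demo(store_cls, callers))

if __name__ == "__main__":
    print(run_demo(LockingStore), run_demo(ChannelStore))
```

In the locking variant the first caller holds the mutex while suspended, and every later caller blocks the only thread that could resume it, which is why those callers stall until the timeout.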
Marcus R.
18 hours ago
Agreed. The channel approach is cleaner. I'll update the integration tests to cover the edge cases around token expiration during mid-request state. Should be ready for review by EOD tomorrow.
Lena S.
2 hours ago
FYI: This is blocking the v2.0 release candidate. Please prioritize the middleware refactor before we freeze the branch on Friday. I've tagged ⚠️ priority-high accordingly.