fix(dashboard-api): invalidate auth cache on team membership changes (#2288)

ben-fornefeld · claude · web-flow · commit 5ba9cf55dd0c · 2026-04-02T06:45:00.000+02:00
* fix(dashboard-api): invalidate auth cache on team membership changes

Evict the cached user-team auth entry when a member is added or removed,
so the change takes effect immediately instead of waiting for TTL expiry.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* fix(auth): normalize teamID in cache key to prevent case mismatch

The teamID from the X-Supabase-Team header could differ in casing
(e.g. uppercase UUID) from uuid.UUID.String() used during invalidation,
causing cache keys to not match and invalidation to silently fail.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/auth/pkg/auth/service.go b/packages/auth/pkg/auth/service.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
@@ -155,7 +156,7 @@ func (s *AuthService[T]) ValidateSupabaseTeam(ctx context.Context, ginCtx *gin.C
 		}
 	}
 
-	cacheKey := fmt.Sprintf("%s-%s", userID.String(), teamID)
+	cacheKey := supabaseTeamCacheKey(userID, teamID)
 
 	result, err := s.teamCache.GetOrSet(ctx, cacheKey, func(ctx context.Context, _ string) (T, error) {
 		return s.store.GetTeamByIDAndUserID(ctx, userID, teamID)
@@ -197,6 +198,12 @@ func (s *AuthService[T]) ValidateSupabaseTeam(ctx context.Context, ginCtx *gin.C
 	return result, nil
 }
 
+// InvalidateTeamMemberCache removes the cached auth entry for a specific user-team pair.
+// This should be called when team membership changes (member added or removed).
+func (s *AuthService[T]) InvalidateTeamMemberCache(userID uuid.UUID, teamID string) {
+	s.teamCache.Invalidate(supabaseTeamCacheKey(userID, teamID))
+}
+
 // InvalidateTeamCache queries the team's API key hashes and removes their cached entries.
 func (s *AuthService[T]) InvalidateTeamCache(ctx context.Context, teamID uuid.UUID) error {
 	hashes, err := s.store.GetTeamAPIKeyHashes(ctx, teamID)
@@ -211,6 +218,10 @@ func (s *AuthService[T]) InvalidateTeamCache(ctx context.Context, teamID uuid.UU
 	return nil
 }
 
+func supabaseTeamCacheKey(userID uuid.UUID, teamID string) string {
+	return fmt.Sprintf("%s-%s", userID.String(), strings.ToLower(teamID))
+}
+
 // Close stops the underlying cache's background refresh goroutines.
 func (s *AuthService[T]) Close(ctx context.Context) error {
 	return s.teamCache.Close(ctx)
diff --git a/packages/dashboard-api/internal/handlers/team_members.go b/packages/dashboard-api/internal/handlers/team_members.go
@@ -107,6 +107,8 @@ func (s *APIStore) PostTeamsTeamIDMembers(c *gin.Context, teamID api.TeamID) {
 		return
 	}
 
+	s.authService.InvalidateTeamMemberCache(user.ID, teamInfo.Team.ID.String())
+
 	c.Status(http.StatusCreated)
 }
 
@@ -187,5 +189,7 @@ func (s *APIStore) DeleteTeamsTeamIDMembersUserId(c *gin.Context, teamID api.Tea
 		return
 	}
 
+	s.authService.InvalidateTeamMemberCache(userId, teamInfo.Team.ID.String())
+
 	c.Status(http.StatusNoContent)
 }

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,8 @@ func (s APIStore) PostTeamsTeamIDMembers(c gin.Context, teamID api.TeamID) {`
`107`	`107`	`return`
`108`	`108`	`}`
`109`	`109`
	`110`	`+ s.authService.InvalidateTeamMemberCache(user.ID, teamInfo.Team.ID.String())`
	`111`	`+`
`110`	`112`	`c.Status(http.StatusCreated)`
`111`	`113`	`}`
`112`	`114`
`@@ -187,5 +189,7 @@ func (s APIStore) DeleteTeamsTeamIDMembersUserId(c gin.Context, teamID api.Tea`
`187`	`189`	`return`
`188`	`190`	`}`
`189`	`191`
	`192`	`+ s.authService.InvalidateTeamMemberCache(userId, teamInfo.Team.ID.String())`
	`193`	`+`
`190`	`194`	`c.Status(http.StatusNoContent)`
`191`	`195`	`}`