fix(dashboard-api): invalidate auth cache on team membership changes #2288

Merged
ben-fornefeld merged 3 commits into main from fix/dashboard-api-auth-cache-invalidation
Apr 2, 2026

@ben-fornefeld
Member

No description provided.

Evict the cached user-team auth entry when a member is added or removed,
so the change takes effect immediately instead of waiting for TTL expiry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@cursor

cursor bot commented Apr 2, 2026

PR Summary

Medium Risk
Touches authentication cache keying and invalidation, which can impact authorization behavior if incorrect, but the change is small and localized to cache maintenance.

Overview
This PR fixes stale Supabase team-membership authorization by normalizing the cache key (lowercasing teamID) and adding a targeted InvalidateTeamMemberCache path that is invoked after adding or removing a team member, ensuring membership changes take effect immediately without waiting for TTL expiry.

Written by Cursor Bugbot for commit 58827e7. This will update automatically on new commits. Configure here.

…h-cache-invalidation

# Conflicts:
#	packages/auth/pkg/auth/cache.go
#	packages/auth/pkg/auth/service.go

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f63c2a4382

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +205 to +206
func supabaseTeamCacheKey(userID uuid.UUID, teamID string) string {
return fmt.Sprintf("%s-%s", userID.String(), teamID)
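
Review bot: `teamID` is a plain `string` in the signature on the first line while `userID` is already a `uuid.UUID`, so the team half of the key is whatever text the caller happens to pass. Taking `teamID` as a `uuid.UUID` as well and formatting it with `.String()`, as the second line already does for `userID`, would give the write path and the invalidation path the same key by construction.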

P2: Normalize team IDs before composing cache key

supabaseTeamCacheKey uses the raw teamID string, but invalidation now passes teamInfo.Team.ID.String() from the DB-backed UUID object. If a client sends an equivalent but differently formatted header value (for example uppercase UUID text), ValidateSupabaseTeam caches under one key while InvalidateTeamMemberCache deletes another, so removed members can keep access until TTL expires. Parsing/normalizing teamID before key generation would make invalidation reliable.

Useful? React with 👍 / 👎.
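
The key mismatch described in the review comment above, as an added Go example that is not part of the PR or the project's code. The IDs are constructed, a plain map stands in for the auth cache, and strings replace `uuid.UUID` so it runs on the standard library alone; `rawKey`, `normalizedKey` and `staleAfterRemoval` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample IDs: the same team UUID in two text forms.
const (
	userID       = "11111111-2222-4333-8444-555555555555"
	headerTeamID = "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE" // as a client might send it
	dbTeamID     = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee" // canonical lowercase form
)

type keyFunc func(userID, teamID string) string

// rawKey uses the key format from the commented lines: teamID is used as given.
func rawKey(userID, teamID string) string {
	return fmt.Sprintf("%s-%s", userID, teamID)
}

// normalizedKey lowercases teamID so both text forms map to one key.
func normalizedKey(userID, teamID string) string {
	return fmt.Sprintf("%s-%s", userID, strings.ToLower(teamID))
}

// staleAfterRemoval caches a membership under the header form, invalidates
// with the DB form, and reports whether the header form still hits the cache.
func staleAfterRemoval(key keyFunc) bool {
	cache := map[string]bool{}              // stand-in for the auth cache (assumption)
	cache[key(userID, headerTeamID)] = true // validation path caches the result
	delete(cache, key(userID, dbTeamID))    // member removed: invalidation path
	return cache[key(userID, headerTeamID)] // next request with the same header
}

func main() {
	fmt.Println("raw key, stale entry survives:", staleAfterRemoval(rawKey))
	fmt.Println("normalized key, stale entry survives:", staleAfterRemoval(normalizedKey))
}
```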

The teamID from the X-Supabase-Team header could differ in casing
(e.g. uppercase UUID) from uuid.UUID.String() used during invalidation,
causing cache keys to not match and invalidation to silently fail.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ben-fornefeld
Member Author

this pr is only half of the story. it does not invalidate infra api's in memory auth cache

@ben-fornefeld ben-fornefeld merged commit 5ba9cf5 into main Apr 2, 2026
36 checks passed
@ben-fornefeld ben-fornefeld deleted the fix/dashboard-api-auth-cache-invalidation branch April 2, 2026 04:45

Labels

bug Something isn't working

4 participants