fix for caching

Author: karpikpl

server/api/teams.ts

@@ -1,12 +1,6 @@
 import { Options, type Scope } from '@/model/Options'
 import type { H3Event, EventHandlerRequest } from 'h3'
 
-const cache = new Map<string, CacheData>()
-
-interface CacheData {
-    data: Team[]
-    valid_until: number
-}
 interface Team { name: string; slug: string; description: string }
 interface GitHubTeam { name: string; slug: string; description?: string }
 
@@ -72,16 +66,6 @@ export async function getTeams(event: H3Event<EventHandlerRequest>): Promise<Tea
         return teams
     }
 
-    // Use cache if valid
-    if (cache.has(event.path)) {
-        const cachedData = cache.get(event.path)
-        if (cachedData && cachedData.valid_until > Math.floor(Date.now() / 1000)) {
-            logger.info(`Returning cached data for ${event.path}`)
-            return cachedData.data
-        }
-        cache.delete(event.path)
-    }
-
     if (!event.context.headers.has('Authorization')) {
         logger.error('No Authentication provided')
         throw new TeamsError('No Authentication provided', 401)
@@ -114,7 +98,5 @@ export async function getTeams(event: H3Event<EventHandlerRequest>): Promise<Tea
         page += 1
     }
 
-    // Cache for 60 seconds
-    cache.set(event.path, { data: allTeams, valid_until: Math.floor(Date.now() / 1000) + 60 })
     return allTeams
 }

shared/utils/metrics-util.ts

@@ -5,12 +5,14 @@ import { readFileSync } from 'fs';
 import { resolve } from 'path';
 import { getLocale } from "./getLocale";
 import { filterHolidaysFromMetrics, isHoliday, parseUtcDate } from '@/utils/dateUtils';
+import { createHash } from 'crypto';
 
 const cache = new Map<string, CacheData>();
 
 interface CacheData {
   data: CopilotMetrics[];
   valid_until: number;
+  auth_fingerprint: string; // hashed representation of Authorization header used to populate cache
 }
 
 class MetricsError extends Error {
@@ -24,6 +26,50 @@ class MetricsError extends Error {
   }
 }
 
+/**
+ * Builds a cache key for metrics data that is bound to the caller's Authorization header (hashed) + path + query.
+ * Exported for unit testing.
+ */
+type QueryParamValue = string | string[] | undefined;
+type QueryParams = Record<string, QueryParamValue>;
+
+export function buildMetricsCacheKey(path: string, query: QueryParams, authHeader: string): string {
+  // Split existing query params from provided path (if any)
+  const [rawPath, existingQueryString] = path.split('?');
+  const merged = new Map<string, string>();
+
+  // Add existing params first
+  if (existingQueryString) {
+    const existingParams = new URLSearchParams(existingQueryString);
+    existingParams.forEach((value, key) => {
+      merged.set(key, value);
+    });
+  }
+
+  // Merge in provided query object (overrides existing)
+  Object.entries(query).forEach(([k, v]) => {
+    if (v === undefined || v === null) return;
+    if (Array.isArray(v)) {
+      if (v.length === 0) return;
+      merged.set(k, v.join(','));
+    } else if (v !== '') {
+      merged.set(k, v);
+    }
+  });
+
+  // Build stable, sorted query string
+  const sortedKeys = Array.from(merged.keys()).sort();
+  const finalParams = new URLSearchParams();
+  sortedKeys.forEach(k => {
+    const val = merged.get(k);
+    if (val !== undefined) finalParams.set(k, val);
+  });
+  const finalQueryString = finalParams.toString();
+
+  const authFingerprint = createHash('sha256').update(authHeader).digest('hex').slice(0, 16); // short fingerprint
+  return `${authFingerprint}:${rawPath}${finalQueryString ? `?${finalQueryString}` : ''}`;
+}
+
 export async function getMetricsData(event: H3Event<EventHandlerRequest>): Promise<CopilotMetrics[]> {
   const logger = console;
   const query = getQuery(event);
@@ -52,30 +98,33 @@ export async function getMetricsData(event: H3Event<EventHandlerRequest>): Promi
     return usageData;
   }
 
-  // Create cache key that includes query parameters to differentiate between different date ranges
-  const queryString = new URLSearchParams(query as Record<string, string>).toString();
-  const cacheKey = queryString ? `${event.path}?${queryString}` : event.path;
+  // Authorization must be validated BEFORE any cache lookup to prevent leakage of cached data
+  const authHeader = event.context.headers.get('Authorization');
+  if (!authHeader) {
+    logger.error('No Authentication provided');
+    throw new MetricsError('No Authentication provided', 401);
+  }
+
+  // Build auth-bound cache key
+  const path = event.path || '/api/metrics'; // fallback path (should always exist in practice)
+  const cacheKey = buildMetricsCacheKey(path, query as QueryParams, authHeader);
 
-  if (cache.has(cacheKey)) {
-    const cachedData = cache.get(cacheKey);
-    if (cachedData && cachedData.valid_until > Date.now() / 1000) {
+  // Attempt cache lookup with auth fingerprint validation
+  const cachedData = cache.get(cacheKey);
+  if (cachedData) {
+    if (cachedData.valid_until > Date.now() / 1000 && cachedData.auth_fingerprint === cacheKey.split(':')[0]) {
       logger.info(`Returning cached data for ${cacheKey}`);
       return cachedData.data;
     } else {
-      logger.info(`Cached data for ${cacheKey} is expired, fetching new data`);
+      logger.info(`Cached data for ${cacheKey} is expired or fingerprint mismatch, fetching new data`);
       cache.delete(cacheKey);
     }
   }
 
-  if (!event.context.headers.has('Authorization')) {
-    logger.error('No Authentication provided');
-    throw new MetricsError('No Authentication provided', 401);
-  }
-
   logger.info(`Fetching metrics data from ${apiUrl}`);
 
   try {
-    const response = await $fetch(apiUrl, {
+  const response = await $fetch(apiUrl, {
       headers: event.context.headers
     }) as unknown[];
 
@@ -85,7 +134,8 @@ export async function getMetricsData(event: H3Event<EventHandlerRequest>): Promi
     const filteredUsageData = filterHolidaysFromMetrics(usageData, options.excludeHolidays || false, options.locale);
     // metrics is the old API format
     const validUntil = Math.floor(Date.now() / 1000) + 5 * 60; // Cache for 5 minutes
-    cache.set(cacheKey, { data: filteredUsageData, valid_until: validUntil });
+  const authFingerprint: string = cacheKey.split(':', 1)[0] || '';
+  cache.set(cacheKey, { data: filteredUsageData, valid_until: validUntil, auth_fingerprint: authFingerprint });
     return filteredUsageData;
   } catch (error: unknown) {
     logger.error('Error fetching metrics data:', error);
@@ -131,17 +181,12 @@ function updateMockDataDates(originalData: CopilotMetrics[], since?: string, unt
   }
 
   // Update dates in the dataset, copying existing entries when needed
-  const result = dateRange.map((date, index) => {
-    // Use existing data entries, cycling through them
+  const result: CopilotMetrics[] = dateRange.map((date, index) => {
     const dataIndex = index % originalData.length;
-    const entry = { ...originalData[dataIndex] };
-
-    // Update the date
-    entry.date = date.toISOString().split('T')[0];
-
-    return entry;
+    const src = originalData[dataIndex];
+    const newDate = date.toISOString().split('T')[0];
+    return { ...(src as CopilotMetrics), date: newDate } as CopilotMetrics;
   });
-
   return result;
 }
 

tests/metrics-auth-cache.nuxt.spec.ts

@@ -0,0 +1,63 @@
+// @vitest-environment nuxt
+import { describe, it, expect } from 'vitest'
+import { buildMetricsCacheKey } from '../shared/utils/metrics-util'
+
+/**
+ * These tests validate that the new cache key generation logic binds cache entries
+ * to the caller's Authorization header fingerprint and that different auth headers
+ * produce distinct keys even when path + query are identical.
+ */
+
+describe('Metrics Auth-Bound Cache Key', () => {
+  const path = '/api/metrics'
+  const query = { since: '2024-01-01', until: '2024-01-31', scope: 'organization', githubOrg: 'test-org' }
+
+  it('produces different keys for different auth headers', () => {
+    const keyA1 = buildMetricsCacheKey(path, query, 'token userA-1')
+    const keyA2 = buildMetricsCacheKey(path, query, 'token userA-2')
+    const keyB = buildMetricsCacheKey(path, query, 'token userB-1')
+
+    expect(keyA1).not.toBe(keyA2)
+    expect(keyA1.split(':')[0]).not.toBe(keyA2.split(':')[0])
+    expect(keyA1.split(':')[0]).not.toBe(keyB.split(':')[0])
+  })
+
+  it('is stable for same auth header + query', () => {
+    const key1 = buildMetricsCacheKey(path, query, 'token stable-user')
+    const key2 = buildMetricsCacheKey(path, query, 'token stable-user')
+    expect(key1).toBe(key2)
+  })
+
+  it('filters out undefined/empty query params', () => {
+    const key = buildMetricsCacheKey(path, { since: '2024-01-01', empty: '', undef: undefined }, 'token x')
+    expect(key).toContain('since=2024-01-01')
+    expect(key).not.toContain('empty=')
+    expect(key).not.toContain('undef=')
+  })
+
+  it('joins array query params deterministically', () => {
+    const key = buildMetricsCacheKey(path, { since: ['2024-01-01'], tag: ['a','b'] }, 'token y')
+    expect(key).toContain('since=2024-01-01')
+    expect(key).toMatch(/tag=a%2Cb|tag=b%2Ca/) // order preserved from input array join
+  })
+
+  it('merges existing path query params with provided query object without duplication', () => {
+    const pathWithQuery = '/api/metrics?since=2024-01-01&scope=organization'
+    const key = buildMetricsCacheKey(pathWithQuery, { githubOrg: 'test-org', since: '2024-01-01' }, 'token z')
+    // should not duplicate since param and should include githubOrg
+    const pieces = key.split(':')
+    expect(pieces.length).toBeGreaterThan(1)
+    const qs = pieces.slice(1).join(':').split('?')[1]
+    expect(qs?.match(/since=/g)?.length).toBe(1)
+    expect(qs).toContain('githubOrg=test-org')
+  })
+
+  it('sorts final query params for stable ordering', () => {
+    const key1 = buildMetricsCacheKey('/api/metrics?b=2&a=1', { c: '3' }, 'token sort')
+    const key2 = buildMetricsCacheKey('/api/metrics?a=1&b=2', { c: '3' }, 'token sort')
+    expect(key1).toBe(key2)
+  const qs = key1.split('?')[1]
+  expect(qs).toBeDefined()
+  expect(qs!.startsWith('a=1&b=2&c=3')).toBe(true)
+  })
+})