[Backport 5.5.x] fix(appliance): cache authorization status (#64219)

Backport 156aa5a from #64213

Co-authored-by: Craig Furman <[email protected]>

Author: sourcegraph-release-bot

internal/appliance/auth.go

@@ -2,6 +2,7 @@ package appliance
 
 import (
 	"net/http"
+	"sync"
 
 	"golang.org/x/crypto/bcrypt"
 )
@@ -10,14 +11,25 @@ const (
 	authHeaderName = "admin-password"
 )
 
+// The bcrypt operation is expensive, and the frontend calls auth-gated
+// endpoints in a tight loop. Caching valid passwords in memory massively
+// improves performance.
+var authzCache = &sync.Map{}
+
 func (a *Appliance) checkAuthorization(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		userPass := r.Header.Get(authHeaderName)
+		if _, ok := authzCache.Load(userPass); ok {
+			next.ServeHTTP(w, r)
+			return
+		}
+
 		if err := bcrypt.CompareHashAndPassword(a.adminPasswordBcrypt, []byte(userPass)); err != nil {
 			a.invalidAdminPasswordResponse(w, r)
 			return
 		}
 
+		authzCache.Store(userPass, struct{}{})
 		next.ServeHTTP(w, r)
 	})
 }