[Backport 5.5.x] fix(appliance): cache authorization status (#64219)

Backport 156aa5a0ad from #64213 Co-authored-by: Craig Furman <craig.furman@sourcegraph.com>
2026-02-06 18:51:59 +00:00 · 2024-08-01 09:57:47 -07:00 · 2024-08-01 09:57:47 -07:00 · 17871a4647
commit 17871a4647
parent d24e8fe7f3
1 changed files with 12 additions and 0 deletions
--- a/internal/appliance/auth.go
+++ b/internal/appliance/auth.go
@ -2,6 +2,7 @@ package appliance

 import (
 	"net/http"
+	"sync"

 	"golang.org/x/crypto/bcrypt"
 )
@ -10,14 +11,25 @@ const (
 	authHeaderName = "admin-password"
 )

+// The bcrypt operation is expensive, and the frontend calls auth-gated
+// endpoints in a tight loop. Caching valid passwords in memory massively
+// improves performance.
+var authzCache = &sync.Map{}
+
 func (a *Appliance) checkAuthorization(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		userPass := r.Header.Get(authHeaderName)
+		if _, ok := authzCache.Load(userPass); ok {
+			next.ServeHTTP(w, r)
+			return
+		}
+
 		if err := bcrypt.CompareHashAndPassword(a.adminPasswordBcrypt, []byte(userPass)); err != nil {
 			a.invalidAdminPasswordResponse(w, r)
 			return
 		}

+		authzCache.Store(userPass, struct{}{})
 		next.ServeHTTP(w, r)
 	})
 }