@oneuptime/common 10.4.13 → 10.4.14

package/Server/Infrastructure/Postgres/SchemaMigrations/1779392970424-AddPerformanceIndexes.ts

@@ -0,0 +1,160 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddPerformanceIndexes1779392970424 implements MigrationInterface {
+  public name: string = "AddPerformanceIndexes1779392970424";
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    // Active-X badge counters on the dashboard.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_d846ce00a02d1073efc07178fa" ON "Incident" ("projectId", "currentIncidentStateId") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_0c7286dfa90fd7d8201ec6f217" ON "Alert" ("projectId", "currentAlertStateId") `,
+    );
+
+    // Alert filtering by monitor (monitor detail page).
+    await queryRunner.query(
+      `CREATE INDEX "IDX_b57071fc2f1e27430e651382ee" ON "Alert" ("monitorId") `,
+    );
+
+    // Notification log tables: filter by project + status / time range.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_8a0f032f20cd845c9bb908f38c" ON "CallLog" ("projectId", "status") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_b59ee5f702882c10066cdd1128" ON "CallLog" ("projectId", "createdAt") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_8f4eea9e7f20eaf121625f5787" ON "EmailLog" ("projectId", "status") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_33d38c24249a256f89001acf83" ON "EmailLog" ("projectId", "createdAt") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_c37d2fcfcb591afb284dad27d9" ON "SmsLog" ("projectId", "status") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_c6bbede6b3bb66781bc7c82463" ON "SmsLog" ("projectId", "createdAt") `,
+    );
+
+    // Feed timelines on alert/incident/monitor detail pages.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_6f97cb7c189e6339cf364a3608" ON "AlertFeed" ("alertId", "postedAt") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_e26bf84ec503bbfb06bcde139e" ON "IncidentFeed" ("incidentId", "postedAt") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_5771fc57305fb0f508153b53ce" ON "MonitorFeed" ("monitorId", "postedAt") `,
+    );
+
+    // Monitor probe scheduler.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_4bf4109d325af5e5b5a5665bc7" ON "MonitorProbe" ("probeId", "isEnabled", "nextPingAt") `,
+    );
+
+    // On-call duty time logs (active-on-call lookups).
+    await queryRunner.query(
+      `CREATE INDEX "IDX_43da7ffeee531e9452d36a89ba" ON "OnCallDutyPolicyTimeLog" ("userId") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_977d907fb45cbc1a2067f490af" ON "OnCallDutyPolicyTimeLog" ("startsAt") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_002727a958120be971790fd016" ON "OnCallDutyPolicyTimeLog" ("endsAt") `,
+    );
+
+    // Telemetry exceptions dashboard.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_fa102ae5073b428e514cc2ceea" ON "TelemetryException" ("occuranceCount") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_3836772be478de8a9df86a938d" ON "TelemetryException" ("projectId", "isResolved", "isArchived") `,
+    );
+
+    // Status page subscriber dedupe.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_c28628545faa67976e1d462e69" ON "StatusPageSubscriber" ("statusPageId", "subscriberPhone") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_3a2d83fc5107c639d10a7c5cc0" ON "StatusPageSubscriber" ("statusPageId", "subscriberEmail") `,
+    );
+
+    // Worker sweeps.
+    await queryRunner.query(
+      `CREATE INDEX "IDX_094b044a3d6a79695ba754cdfb" ON "UserOnCallLog" ("status") `,
+    );
+    await queryRunner.query(
+      `CREATE INDEX "IDX_7a5dc4760803e57f2d0b363e6e" ON "WorkflowLog" ("workflowStatus", "createdAt") `,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_7a5dc4760803e57f2d0b363e6e"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_094b044a3d6a79695ba754cdfb"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_3a2d83fc5107c639d10a7c5cc0"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_c28628545faa67976e1d462e69"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_3836772be478de8a9df86a938d"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_fa102ae5073b428e514cc2ceea"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_002727a958120be971790fd016"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_977d907fb45cbc1a2067f490af"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_43da7ffeee531e9452d36a89ba"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_4bf4109d325af5e5b5a5665bc7"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_5771fc57305fb0f508153b53ce"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_e26bf84ec503bbfb06bcde139e"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_6f97cb7c189e6339cf364a3608"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_c6bbede6b3bb66781bc7c82463"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_c37d2fcfcb591afb284dad27d9"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_33d38c24249a256f89001acf83"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_8f4eea9e7f20eaf121625f5787"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_b59ee5f702882c10066cdd1128"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_8a0f032f20cd845c9bb908f38c"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_b57071fc2f1e27430e651382ee"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_0c7286dfa90fd7d8201ec6f217"`,
+    );
+    await queryRunner.query(
+      `DROP INDEX "public"."IDX_d846ce00a02d1073efc07178fa"`,
+    );
+  }
+}

package/Server/Infrastructure/Postgres/SchemaMigrations/Index.ts

@@ -342,6 +342,8 @@ import { DropServiceDependencyTable1779277271302 } from "./1779277271302-DropSer
 import { AddTelemetryRetentionToHostDockerKubernetes1779282769946 } from "./1779282769946-AddTelemetryRetentionToHostDockerKubernetes";
 import { AttachKubernetesAndDockerToIncidentAndAlert1779302536475 } from "./1779302536475-AttachKubernetesAndDockerToIncidentAndAlert";
 import { AttachServiceToIncidentAndAlert1779303924241 } from "./1779303924241-AttachServiceToIncidentAndAlert";
+import { AddAgentVersionToKubernetesDockerHost1779392865146 } from "./1779392865146-AddAgentVersionToKubernetesDockerHost";
+import { AddPerformanceIndexes1779392970424 } from "./1779392970424-AddPerformanceIndexes";
 export default [
   InitialMigration,
   MigrationName1717678334852,
@@ -687,4 +689,6 @@ export default [
   AddTelemetryRetentionToHostDockerKubernetes1779282769946,
   AttachKubernetesAndDockerToIncidentAndAlert1779302536475,
   AttachServiceToIncidentAndAlert1779303924241,
+  AddAgentVersionToKubernetesDockerHost1779392865146,
+  AddPerformanceIndexes1779392970424,
 ];

package/Server/Infrastructure/PostgresDatabase.ts

@@ -82,12 +82,9 @@ export default class Database {
 
   @CaptureSpan()
   public static async checkConnnectionStatus(): Promise<boolean> {
-    // check popstgres connection to see if it is still alive
-
+    // SELECT 1 round-trips a connection without scanning any user table.
     try {
-      const result: any = await this.dataSource?.query(
-        `SELECT COUNT(domain) FROM "AcmeChallenge"`,
-      ); // this is a dummy query to check if the connection is still alive
+      const result: any = await this.dataSource?.query(`SELECT 1`);
 
       if (!result) {
         return false;

package/Server/Middleware/ProjectAuthorization.ts

@@ -1,20 +1,17 @@
 import ApiKeyService from "../Services/ApiKeyService";
 import GlobalConfigService from "../Services/GlobalConfigService";
 import UserService from "../Services/UserService";
-import QueryHelper from "../Types/Database/QueryHelper";
 import {
   ExpressRequest,
   ExpressResponse,
   NextFunction,
   OneUptimeRequest,
 } from "../Utils/Express";
-import OneUptimeDate from "../../Types/Date";
 import Dictionary from "../../Types/Dictionary";
 import BadDataException from "../../Types/Exception/BadDataException";
 import ObjectID from "../../Types/ObjectID";
 import { UserTenantAccessPermission } from "../../Types/Permission";
 import UserType from "../../Types/UserType";
-import ApiKey from "../../Models/DatabaseModels/ApiKey";
 import GlobalConfig from "../../Models/DatabaseModels/GlobalConfig";
 import User from "../../Models/DatabaseModels/User";
 import APIKeyAccessPermission from "../Utils/APIKey/AccessPermission";
@@ -89,62 +86,43 @@ export default class ProjectMiddleware {
         );
       }
 
-      let apiKeyModel: ApiKey | null = null;
+      /*
+       * Cached lookup — see ApiKeyService.findApiKey. Hot path for any
+       * automated caller hitting the API by key.
+       */
+      const apiKeyRow: { id: ObjectID; projectId: ObjectID } | null =
+        await ApiKeyService.findApiKey(apiKey);
 
-      if (apiKey) {
-        apiKeyModel = await ApiKeyService.findOneBy({
-          query: {
-            apiKey: apiKey,
-            expiresAt: QueryHelper.greaterThan(OneUptimeDate.getCurrentDate()),
-          },
-          select: {
-            _id: true,
-            projectId: true,
-          },
-          props: { isRoot: true },
-        });
+      if (apiKeyRow) {
+        tenantId = apiKeyRow.projectId;
 
-        if (apiKeyModel) {
-          tenantId = apiKeyModel?.projectId || null;
-
-          if (!tenantId) {
-            throw new BadDataException("Invalid API Key");
-          }
+        (req as OneUptimeRequest).tenantId = tenantId;
+        (req as OneUptimeRequest).userType = UserType.API;
+
+        /*
+         * TODO: Add API key permissions.
+         */
+        (req as OneUptimeRequest).userGlobalAccessPermission =
+          await APIKeyAccessPermission.getDefaultApiGlobalPermission(tenantId);
+
+        const userTenantAccessPermission: UserTenantAccessPermission | null =
+          await APIKeyAccessPermission.getApiTenantAccessPermission(
+            tenantId,
+            apiKeyRow.id,
+          );
+
+        if (userTenantAccessPermission) {
+          (req as OneUptimeRequest).userTenantAccessPermission = {};
+          (
+            (req as OneUptimeRequest)
+              .userTenantAccessPermission as Dictionary<UserTenantAccessPermission>
+          )[tenantId.toString()] = userTenantAccessPermission;
 
-          (req as OneUptimeRequest).tenantId = tenantId;
-
-          if (apiKeyModel) {
-            (req as OneUptimeRequest).userType = UserType.API;
-            /*
-             * TODO: Add API key permissions.
-             * (req as OneUptimeRequest).permissions =
-             *     apiKeyModel.permissions || [];
-             */
-            (req as OneUptimeRequest).userGlobalAccessPermission =
-              await APIKeyAccessPermission.getDefaultApiGlobalPermission(
-                tenantId,
-              );
-
-            const userTenantAccessPermission: UserTenantAccessPermission | null =
-              await APIKeyAccessPermission.getApiTenantAccessPermission(
-                tenantId,
-                apiKeyModel.id!,
-              );
-
-            if (userTenantAccessPermission) {
-              (req as OneUptimeRequest).userTenantAccessPermission = {};
-              (
-                (req as OneUptimeRequest)
-                  .userTenantAccessPermission as Dictionary<UserTenantAccessPermission>
-              )[tenantId.toString()] = userTenantAccessPermission;
-
-              return next();
-            }
-          }
+          return next();
         }
       }
 
-      if (!apiKeyModel) {
+      if (!apiKeyRow) {
         // check master key.
         const masterKeyGlobalConfig: GlobalConfig | null =
           await GlobalConfigService.findOneBy({

package/Server/Middleware/UserAuthorization.ts

@@ -17,7 +17,6 @@ import Response from "../Utils/Response";
 import ProjectMiddleware from "./ProjectAuthorization";
 import SpanUtil from "../Utils/Telemetry/SpanUtil";
 import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
-import OneUptimeDate from "../../Types/Date";
 import Dictionary from "../../Types/Dictionary";
 import Exception from "../../Types/Exception/Exception";
 import NotAuthenticatedException from "../../Types/Exception/NotAuthenticatedException";
@@ -201,8 +200,12 @@ export default class UserMiddleware {
     if (tenantId) {
       oneuptimeRequest.tenantId = tenantId;
 
-      // update last active of project
-      await ProjectService.updateLastActive(tenantId);
+      /*
+       * Fire-and-forget: lastActive write is debounced inside the service
+       * (60s in-process cache) and we don't need the result before
+       * continuing.
+       */
+      void ProjectService.updateLastActive(tenantId);
     }
 
     if (ProjectMiddleware.hasApiKey(req)) {
@@ -253,31 +256,50 @@ export default class UserMiddleware {
         : {}),
     });
 
-    await UserService.updateOneBy({
-      query: {
-        _id: userId,
-      },
-      props: { isRoot: true },
-      data: { lastActive: OneUptimeDate.getCurrentDate() },
-    });
+    /*
+     * Fire-and-forget: lastActive write is debounced inside the service
+     * (60s in-process cache) and we don't need the result before continuing.
+     */
+    void UserService.updateLastActive(new ObjectID(userId));
 
-    const userGlobalAccessPermission: UserGlobalAccessPermission | null =
-      await AccessTokenService.getUserGlobalAccessPermission(
+    /*
+     * Resolve global permission, tenant permission, and team membership in
+     * parallel. These were previously sequential awaits — each added an
+     * extra round-trip latency to every authenticated request. The original
+     * code wrapped only the tenant-side calls in try/catch (to convert
+     * SsoAuthorizationException etc. into an HTTP error response); we
+     * preserve that semantic by routing the rejection through the same
+     * catch only when tenantId is present.
+     */
+    const userGlobalAccessPermissionPromise: Promise<UserGlobalAccessPermission | null> =
+      AccessTokenService.getUserGlobalAccessPermission(
         oneuptimeRequest.userAuthorization.userId,
       );
 
-    if (userGlobalAccessPermission) {
-      oneuptimeRequest.userGlobalAccessPermission = userGlobalAccessPermission;
-    }
+    let userGlobalAccessPermission: UserGlobalAccessPermission | null = null;
 
     if (tenantId) {
       try {
-        const userTenantAccessPermission: UserTenantAccessPermission | null =
-          await UserMiddleware.getUserTenantAccessPermissionWithTenantId({
+        const [globalPermission, userTenantAccessPermission, userTeamIds]: [
+          UserGlobalAccessPermission | null,
+          UserTenantAccessPermission | null,
+          Array<ObjectID>,
+        ] = await Promise.all([
+          userGlobalAccessPermissionPromise,
+          UserMiddleware.getUserTenantAccessPermissionWithTenantId({
             req,
             tenantId,
             userId: new ObjectID(userId),
-          });
+          }),
+          TeamMemberService.getTeamIdsForUser(new ObjectID(userId), tenantId),
+        ]);
+
+        userGlobalAccessPermission = globalPermission;
+
+        if (userGlobalAccessPermission) {
+          oneuptimeRequest.userGlobalAccessPermission =
+            userGlobalAccessPermission;
+        }
 
         if (userTenantAccessPermission) {
           oneuptimeRequest.userTenantAccessPermission = {};
@@ -291,14 +313,17 @@ export default class UserMiddleware {
          * an extra DB roundtrip on every permission check. Absent for non-user
          * callers (API keys, Probes); `Owned` then evaluates as `All`.
          */
-        oneuptimeRequest.userTeamIds =
-          await TeamMemberService.getTeamIdsForUser(
-            new ObjectID(userId),
-            tenantId,
-          );
+        oneuptimeRequest.userTeamIds = userTeamIds;
       } catch (error) {
         return Response.sendErrorResponse(req, res, error as Exception);
       }
+    } else {
+      userGlobalAccessPermission = await userGlobalAccessPermissionPromise;
+
+      if (userGlobalAccessPermission) {
+        oneuptimeRequest.userGlobalAccessPermission =
+          userGlobalAccessPermission;
+      }
     }
 
     if (req.headers["is-multi-tenant-query"]) {
@@ -468,32 +493,36 @@ export default class UserMiddleware {
   }): Promise<UserTenantAccessPermission | null> {
     const { req, tenantId, userId } = data;
 
-    const project: Project | null = await ProjectService.findOneById({
-      id: tenantId,
-      select: {
-        requireSsoForLogin: true,
-      },
-      props: {
-        isRoot: true,
-      },
-    });
-
-    if (!project) {
-      throw new TenantNotFoundException("Invalid tenantId");
-    }
+    /*
+     * Resolve the SSO requirement and the tenant permission in parallel.
+     * `getRequireSsoForLogin` is cached in-process for 60s, so this is
+     * usually free; the tenant permission lookup is the expensive call.
+     */
+    const [requireSsoForLogin, tenantPermission]: [
+      boolean,
+      UserTenantAccessPermission | null,
+    ] = await Promise.all([
+      ProjectService.getRequireSsoForLogin(tenantId).catch((err: Error) => {
+        /*
+         * Preserve the original behavior of throwing a TenantNotFoundException
+         * for an unknown project. Any other error re-throws.
+         */
+        if (err.message === "Project not found") {
+          throw new TenantNotFoundException("Invalid tenantId");
+        }
+        throw err;
+      }),
+      AccessTokenService.getUserTenantAccessPermission(userId, tenantId),
+    ]);
 
     if (
-      project.requireSsoForLogin &&
+      requireSsoForLogin &&
       !UserMiddleware.doesSsoTokenForProjectExist(req, tenantId, userId)
     ) {
       throw new SsoAuthorizationException();
     }
 
-    // get project level permissions if projectid exists in request.
-    return await AccessTokenService.getUserTenantAccessPermission(
-      userId,
-      tenantId,
-    );
+    return tenantPermission;
   }
 
   @CaptureSpan()
@@ -524,34 +553,47 @@ export default class UserMiddleware {
       },
     });
 
-    let result: Dictionary<UserTenantAccessPermission> | null = null;
-    for (const projectId of projectIds) {
-      // check if the force sso login is required. and if it is, then check then token.
-
-      let userTenantAccessPermission: UserTenantAccessPermission | null;
-      if (
-        projects.find((p: Project) => {
-          return p._id === projectId.toString() && p.requireSsoForLogin;
-        }) &&
-        !UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId)
-      ) {
-        // Add default permissions.
-        userTenantAccessPermission =
-          UserPermissionUtil.getDefaultUserTenantAccessPermission(projectId);
-      } else {
-        // get project level permissions if projectid exists in request.
-        userTenantAccessPermission =
-          await AccessTokenService.getUserTenantAccessPermission(
+    /*
+     * Resolve permissions for every project in parallel. With the previous
+     * for-await loop this scaled linearly with project count, adding one
+     * round-trip per project even on cache hits.
+     */
+    const resolved: Array<{
+      projectId: ObjectID;
+      permission: UserTenantAccessPermission | null;
+    }> = await Promise.all(
+      projectIds.map(async (projectId: ObjectID) => {
+        if (
+          projects.find((p: Project) => {
+            return p._id === projectId.toString() && p.requireSsoForLogin;
+          }) &&
+          !UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId)
+        ) {
+          return {
+            projectId,
+            permission:
+              UserPermissionUtil.getDefaultUserTenantAccessPermission(
+                projectId,
+              ),
+          };
+        }
+        return {
+          projectId,
+          permission: await AccessTokenService.getUserTenantAccessPermission(
             userId,
             projectId,
-          );
-      }
+          ),
+        };
+      }),
+    );
 
-      if (userTenantAccessPermission) {
+    let result: Dictionary<UserTenantAccessPermission> | null = null;
+    for (const { projectId, permission } of resolved) {
+      if (permission) {
         if (!result) {
           result = {};
         }
-        result[projectId.toString()] = userTenantAccessPermission;
+        result[projectId.toString()] = permission;
       }
     }
 

package/Server/Services/ApiKeyService.ts

@@ -1,10 +1,41 @@
 import CreateBy from "../Types/Database/CreateBy";
-import { OnCreate } from "../Types/Database/Hooks";
+import DeleteBy from "../Types/Database/DeleteBy";
+import UpdateBy from "../Types/Database/UpdateBy";
+import { OnCreate, OnDelete, OnUpdate } from "../Types/Database/Hooks";
 import DatabaseService from "./DatabaseService";
+import OneUptimeDate from "../../Types/Date";
 import ObjectID from "../../Types/ObjectID";
+import QueryHelper from "../Types/Database/QueryHelper";
 import Model from "../../Models/DatabaseModels/ApiKey";
 import CaptureSpan from "../Utils/Telemetry/CaptureSpan";
+import InMemoryTTLCache from "../Infrastructure/InMemoryTTLCache";
+
+/*
+ * 60s is the worst-case staleness on any single API node after a key is
+ * revoked from the dashboard. We invalidate in-process immediately on
+ * delete/update; this TTL is the upper bound for *other* processes.
+ */
+const POSITIVE_TTL_MS: number = 60 * 1000;
+/*
+ * Short TTL on misses so an invalid-key flood can't pin entries in the
+ * bounded cache for long while still absorbing repeat hits.
+ */
+const NEGATIVE_TTL_MS: number = 10 * 1000;
+
+interface CachedApiKey {
+  id: string;
+  projectId: string;
+}
+
 export class Service extends DatabaseService<Model> {
+  /*
+   * Cache of `apiKey -> { id, projectId }`. The project-auth middleware hits
+   * this on every API-key-authenticated request; without it that's a
+   * Postgres findOneBy per request for automated callers.
+   */
+  private apiKeyCache: InMemoryTTLCache<CachedApiKey | null> =
+    new InMemoryTTLCache(10_000);
+
   public constructor() {
     super(Model);
   }
@@ -16,6 +47,74 @@ export class Service extends DatabaseService<Model> {
     createBy.data.apiKey = ObjectID.generate();
     return { createBy, carryForward: null };
   }
+
+  @CaptureSpan()
+  protected override async onBeforeUpdate(
+    updateBy: UpdateBy<Model>,
+  ): Promise<OnUpdate<Model>> {
+    /*
+     * We don't know which keys are being updated without a query; updates
+     * are rare so clearing is cheap.
+     */
+    this.apiKeyCache.clear();
+    return { updateBy, carryForward: null };
+  }
+
+  @CaptureSpan()
+  protected override async onBeforeDelete(
+    deleteBy: DeleteBy<Model>,
+  ): Promise<OnDelete<Model>> {
+    this.apiKeyCache.clear();
+    return { deleteBy, carryForward: null };
+  }
+
+  /**
+   * Resolves an API key string to its row, with a short-lived in-process
+   * cache. Returns null for unknown or expired keys (also cached, for a
+   * shorter TTL). Use this from the auth middleware hot path instead of
+   * calling `findOneBy` directly.
+   */
+  @CaptureSpan()
+  public async findApiKey(
+    apiKey: ObjectID,
+  ): Promise<{ id: ObjectID; projectId: ObjectID } | null> {
+    const cacheKey: string = apiKey.toString();
+    const cached: CachedApiKey | null | undefined =
+      this.apiKeyCache.get(cacheKey);
+    if (cached !== undefined) {
+      if (cached === null) {
+        return null;
+      }
+      return {
+        id: new ObjectID(cached.id),
+        projectId: new ObjectID(cached.projectId),
+      };
+    }
+
+    const row: Model | null = await this.findOneBy({
+      query: {
+        apiKey: apiKey,
+        expiresAt: QueryHelper.greaterThan(OneUptimeDate.getCurrentDate()),
+      },
+      select: {
+        _id: true,
+        projectId: true,
+      },
+      props: { isRoot: true },
+    });
+
+    if (!row || !row.id || !row.projectId) {
+      this.apiKeyCache.set(cacheKey, null, NEGATIVE_TTL_MS);
+      return null;
+    }
+
+    this.apiKeyCache.set(
+      cacheKey,
+      { id: row.id.toString(), projectId: row.projectId.toString() },
+      POSITIVE_TTL_MS,
+    );
+    return { id: row.id, projectId: row.projectId };
+  }
 }
 
 export default new Service();