@oneuptime/common 10.4.13 → 10.4.15

package/Server/Middleware/ProjectAuthorization.ts

@@ -1,20 +1,17 @@
 import ApiKeyService from "../Services/ApiKeyService";
 import GlobalConfigService from "../Services/GlobalConfigService";
 import UserService from "../Services/UserService";
-import QueryHelper from "../Types/Database/QueryHelper";
 import {
   ExpressRequest,
   ExpressResponse,
   NextFunction,
   OneUptimeRequest,
 } from "../Utils/Express";
-import OneUptimeDate from "../../Types/Date";
 import Dictionary from "../../Types/Dictionary";
 import BadDataException from "../../Types/Exception/BadDataException";
 import ObjectID from "../../Types/ObjectID";
 import { UserTenantAccessPermission } from "../../Types/Permission";
 import UserType from "../../Types/UserType";
-import ApiKey from "../../Models/DatabaseModels/ApiKey";
 import GlobalConfig from "../../Models/DatabaseModels/GlobalConfig";
 import User from "../../Models/DatabaseModels/User";
 import APIKeyAccessPermission from "../Utils/APIKey/AccessPermission";
@@ -89,62 +86,43 @@ export default class ProjectMiddleware {
         );
       }
 
-      let apiKeyModel: ApiKey | null = null;
+      /*
+       * Cached lookup — see ApiKeyService.findApiKey. Hot path for any
+       * automated caller hitting the API by key.
+       */
+      const apiKeyRow: { id: ObjectID; projectId: ObjectID } | null =
+        await ApiKeyService.findApiKey(apiKey);
 
-      if (apiKey) {
-        apiKeyModel = await ApiKeyService.findOneBy({
-          query: {
-            apiKey: apiKey,
-            expiresAt: QueryHelper.greaterThan(OneUptimeDate.getCurrentDate()),
-          },
-          select: {
-            _id: true,
-            projectId: true,
-          },
-          props: { isRoot: true },
-        });
+      if (apiKeyRow) {
+        tenantId = apiKeyRow.projectId;
 
-        if (apiKeyModel) {
-          tenantId = apiKeyModel?.projectId || null;
-
-          if (!tenantId) {
-            throw new BadDataException("Invalid API Key");
-          }
+        (req as OneUptimeRequest).tenantId = tenantId;
+        (req as OneUptimeRequest).userType = UserType.API;
+
+        /*
+         * TODO: Add API key permissions.
+         */
+        (req as OneUptimeRequest).userGlobalAccessPermission =
+          await APIKeyAccessPermission.getDefaultApiGlobalPermission(tenantId);
+
+        const userTenantAccessPermission: UserTenantAccessPermission | null =
+          await APIKeyAccessPermission.getApiTenantAccessPermission(
+            tenantId,
+            apiKeyRow.id,
+          );
+
+        if (userTenantAccessPermission) {
+          (req as OneUptimeRequest).userTenantAccessPermission = {};
+          (
+            (req as OneUptimeRequest)
+              .userTenantAccessPermission as Dictionary<UserTenantAccessPermission>
+          )[tenantId.toString()] = userTenantAccessPermission;
 
-          (req as OneUptimeRequest).tenantId = tenantId;
-
-          if (apiKeyModel) {
-            (req as OneUptimeRequest).userType = UserType.API;
-            /*
-             * TODO: Add API key permissions.
-             * (req as OneUptimeRequest).permissions =
-             *     apiKeyModel.permissions || [];
-             */
-            (req as OneUptimeRequest).userGlobalAccessPermission =
-              await APIKeyAccessPermission.getDefaultApiGlobalPermission(
-                tenantId,
-              );
-
-            const userTenantAccessPermission: UserTenantAccessPermission | null =
-              await APIKeyAccessPermission.getApiTenantAccessPermission(
-                tenantId,
-                apiKeyModel.id!,
-              );
-
-            if (userTenantAccessPermission) {
-              (req as OneUptimeRequest).userTenantAccessPermission = {};
-              (
-                (req as OneUptimeRequest)
-                  .userTenantAccessPermission as Dictionary<UserTenantAccessPermission>
-              )[tenantId.toString()] = userTenantAccessPermission;
-
-              return next();
-            }
-          }
+          return next();
         }
       }
 
-      if (!apiKeyModel) {
+      if (!apiKeyRow) {
         // check master key.
         const masterKeyGlobalConfig: GlobalConfig | null =
           await GlobalConfigService.findOneBy({

package/Server/Middleware/UserAuthorization.ts

@@ -17,7 +17,6 @@ import Response from "../Utils/Response";
 import ProjectMiddleware from "./ProjectAuthorization";
 import SpanUtil from "../Utils/Telemetry/SpanUtil";
 import { LIMIT_PER_PROJECT } from "../../Types/Database/LimitMax";
-import OneUptimeDate from "../../Types/Date";
 import Dictionary from "../../Types/Dictionary";
 import Exception from "../../Types/Exception/Exception";
 import NotAuthenticatedException from "../../Types/Exception/NotAuthenticatedException";
@@ -201,8 +200,12 @@ export default class UserMiddleware {
     if (tenantId) {
       oneuptimeRequest.tenantId = tenantId;
 
-      // update last active of project
-      await ProjectService.updateLastActive(tenantId);
+      /*
+       * Fire-and-forget: lastActive write is debounced inside the service
+       * (60s in-process cache) and we don't need the result before
+       * continuing.
+       */
+      void ProjectService.updateLastActive(tenantId);
     }
 
     if (ProjectMiddleware.hasApiKey(req)) {
@@ -253,31 +256,50 @@ export default class UserMiddleware {
         : {}),
     });
 
-    await UserService.updateOneBy({
-      query: {
-        _id: userId,
-      },
-      props: { isRoot: true },
-      data: { lastActive: OneUptimeDate.getCurrentDate() },
-    });
+    /*
+     * Fire-and-forget: lastActive write is debounced inside the service
+     * (60s in-process cache) and we don't need the result before continuing.
+     */
+    void UserService.updateLastActive(new ObjectID(userId));
 
-    const userGlobalAccessPermission: UserGlobalAccessPermission | null =
-      await AccessTokenService.getUserGlobalAccessPermission(
+    /*
+     * Resolve global permission, tenant permission, and team membership in
+     * parallel. These were previously sequential awaits — each added an
+     * extra round-trip latency to every authenticated request. The original
+     * code wrapped only the tenant-side calls in try/catch (to convert
+     * SsoAuthorizationException etc. into an HTTP error response); we
+     * preserve that semantic by routing the rejection through the same
+     * catch only when tenantId is present.
+     */
+    const userGlobalAccessPermissionPromise: Promise<UserGlobalAccessPermission | null> =
+      AccessTokenService.getUserGlobalAccessPermission(
         oneuptimeRequest.userAuthorization.userId,
       );
 
-    if (userGlobalAccessPermission) {
-      oneuptimeRequest.userGlobalAccessPermission = userGlobalAccessPermission;
-    }
+    let userGlobalAccessPermission: UserGlobalAccessPermission | null = null;
 
     if (tenantId) {
       try {
-        const userTenantAccessPermission: UserTenantAccessPermission | null =
-          await UserMiddleware.getUserTenantAccessPermissionWithTenantId({
+        const [globalPermission, userTenantAccessPermission, userTeamIds]: [
+          UserGlobalAccessPermission | null,
+          UserTenantAccessPermission | null,
+          Array<ObjectID>,
+        ] = await Promise.all([
+          userGlobalAccessPermissionPromise,
+          UserMiddleware.getUserTenantAccessPermissionWithTenantId({
             req,
             tenantId,
             userId: new ObjectID(userId),
-          });
+          }),
+          TeamMemberService.getTeamIdsForUser(new ObjectID(userId), tenantId),
+        ]);
+
+        userGlobalAccessPermission = globalPermission;
+
+        if (userGlobalAccessPermission) {
+          oneuptimeRequest.userGlobalAccessPermission =
+            userGlobalAccessPermission;
+        }
 
         if (userTenantAccessPermission) {
           oneuptimeRequest.userTenantAccessPermission = {};
@@ -291,14 +313,17 @@ export default class UserMiddleware {
          * an extra DB roundtrip on every permission check. Absent for non-user
          * callers (API keys, Probes); `Owned` then evaluates as `All`.
          */
-        oneuptimeRequest.userTeamIds =
-          await TeamMemberService.getTeamIdsForUser(
-            new ObjectID(userId),
-            tenantId,
-          );
+        oneuptimeRequest.userTeamIds = userTeamIds;
       } catch (error) {
         return Response.sendErrorResponse(req, res, error as Exception);
       }
+    } else {
+      userGlobalAccessPermission = await userGlobalAccessPermissionPromise;
+
+      if (userGlobalAccessPermission) {
+        oneuptimeRequest.userGlobalAccessPermission =
+          userGlobalAccessPermission;
+      }
     }
 
     if (req.headers["is-multi-tenant-query"]) {
@@ -468,32 +493,36 @@ export default class UserMiddleware {
   }): Promise<UserTenantAccessPermission | null> {
     const { req, tenantId, userId } = data;
 
-    const project: Project | null = await ProjectService.findOneById({
-      id: tenantId,
-      select: {
-        requireSsoForLogin: true,
-      },
-      props: {
-        isRoot: true,
-      },
-    });
-
-    if (!project) {
-      throw new TenantNotFoundException("Invalid tenantId");
-    }
+    /*
+     * Resolve the SSO requirement and the tenant permission in parallel.
+     * `getRequireSsoForLogin` is cached in-process for 60s, so this is
+     * usually free; the tenant permission lookup is the expensive call.
+     */
+    const [requireSsoForLogin, tenantPermission]: [
+      boolean,
+      UserTenantAccessPermission | null,
+    ] = await Promise.all([
+      ProjectService.getRequireSsoForLogin(tenantId).catch((err: Error) => {
+        /*
+         * Preserve the original behavior of throwing a TenantNotFoundException
+         * for an unknown project. Any other error re-throws.
+         */
+        if (err.message === "Project not found") {
+          throw new TenantNotFoundException("Invalid tenantId");
+        }
+        throw err;
+      }),
+      AccessTokenService.getUserTenantAccessPermission(userId, tenantId),
+    ]);
 
     if (
-      project.requireSsoForLogin &&
+      requireSsoForLogin &&
       !UserMiddleware.doesSsoTokenForProjectExist(req, tenantId, userId)
     ) {
       throw new SsoAuthorizationException();
     }
 
-    // get project level permissions if projectid exists in request.
-    return await AccessTokenService.getUserTenantAccessPermission(
-      userId,
-      tenantId,
-    );
+    return tenantPermission;
   }
 
   @CaptureSpan()
@@ -524,34 +553,47 @@ export default class UserMiddleware {
       },
     });
 
-    let result: Dictionary<UserTenantAccessPermission> | null = null;
-    for (const projectId of projectIds) {
-      // check if the force sso login is required. and if it is, then check then token.
-
-      let userTenantAccessPermission: UserTenantAccessPermission | null;
-      if (
-        projects.find((p: Project) => {
-          return p._id === projectId.toString() && p.requireSsoForLogin;
-        }) &&
-        !UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId)
-      ) {
-        // Add default permissions.
-        userTenantAccessPermission =
-          UserPermissionUtil.getDefaultUserTenantAccessPermission(projectId);
-      } else {
-        // get project level permissions if projectid exists in request.
-        userTenantAccessPermission =
-          await AccessTokenService.getUserTenantAccessPermission(
+    /*
+     * Resolve permissions for every project in parallel. With the previous
+     * for-await loop this scaled linearly with project count, adding one
+     * round-trip per project even on cache hits.
+     */
+    const resolved: Array<{
+      projectId: ObjectID;
+      permission: UserTenantAccessPermission | null;
+    }> = await Promise.all(
+      projectIds.map(async (projectId: ObjectID) => {
+        if (
+          projects.find((p: Project) => {
+            return p._id === projectId.toString() && p.requireSsoForLogin;
+          }) &&
+          !UserMiddleware.doesSsoTokenForProjectExist(req, projectId, userId)
+        ) {
+          return {
+            projectId,
+            permission:
+              UserPermissionUtil.getDefaultUserTenantAccessPermission(
+                projectId,
+              ),
+          };
+        }
+        return {
+          projectId,
+          permission: await AccessTokenService.getUserTenantAccessPermission(
             userId,
             projectId,
-          );
-      }
+          ),
+        };
+      }),
+    );
 
-      if (userTenantAccessPermission) {
+    let result: Dictionary<UserTenantAccessPermission> | null = null;
+    for (const { projectId, permission } of resolved) {
+      if (permission) {
         if (!result) {
           result = {};
         }
-        result[projectId.toString()] = userTenantAccessPermission;
+        result[projectId.toString()] = permission;
       }
     }
 

package/Server/Services/AccessTokenService.ts

@@ -199,7 +199,7 @@ export class AccessTokenService extends BaseService {
 
     await GlobalCache.setJSON(
       PermissionNamespace.ProjectPermission,
-      userId.toString() + projectId.toString(),
+      UserPermissionUtil.buildTenantPermissionCacheKey(userId, projectId),
       permission,
     );
 

package/Server/Services/AnalyticsDatabaseService.ts

@@ -535,9 +535,19 @@ export default class AnalyticsDatabaseService<
   ): Promise<Array<TBaseModel>> {
     try {
       if (!findBy.sort || Object.keys(findBy.sort).length === 0) {
+        /*
+         * Default sort uses the model's declared `defaultSortColumn`
+         * (e.g. `time` for Log, `startTime` for Span) so the query
+         * streams from the ClickHouse sort key. The historical
+         * fallback of `createdAt` is not in the sort key on most
+         * analytics tables, which triggered a full sort even on
+         * small LIMITed queries.
+         */
+        const defaultSortColumn: string =
+          this.model.defaultSortColumn || "createdAt";
         findBy.sort = {
-          createdAt: SortOrder.Descending,
-        };
+          [defaultSortColumn]: SortOrder.Descending,
+        } as any;
 
         if (!findBy.select) {
           findBy.select = {} as any;
@@ -910,10 +920,20 @@ export default class AnalyticsDatabaseService<
       deleteBy.query
     );
 
+    /*
+     * Use ClickHouse lightweight deletes (`DELETE FROM`) rather than
+     * `ALTER TABLE … DELETE`. The latter creates an async mutation that
+     * rewrites whole parts and is bounded by `number_of_mutations_to_throw`
+     * (default 1000). Customers with chatty state transitions hit that
+     * ceiling and every subsequent delete fails with TOO_MANY_MUTATIONS.
+     * Lightweight deletes mark rows via the hidden `_row_exists` column
+     * and are reconciled during normal merges, so they don't accumulate
+     * in the mutations queue.
+     */
     /* eslint-disable prettier/prettier */
     const statement: Statement = SQL`
-            ALTER TABLE ${databaseName}.${this.model.tableName}
-            DELETE WHERE TRUE `.append(whereStatement);
+            DELETE FROM ${databaseName}.${this.model.tableName}
+            WHERE TRUE `.append(whereStatement);
 
     logger.debug(`${this.model.tableName} Delete Statement`, { tableName: this.model.tableName } as LogAttributes);
     logger.debug(statement, { tableName: this.model.tableName } as LogAttributes);

package/Server/Services/ApiKeyService.ts

@@ -1,10 +1,41 @@
 import CreateBy from "../Types/Database/CreateBy";
-import { OnCreate } from "../Types/Database/Hooks";
+import DeleteBy from "../Types/Database/DeleteBy";
+import UpdateBy from "../Types/Database/UpdateBy";
+import { OnCreate, OnDelete, OnUpdate } from "../Types/Database/Hooks";
 import DatabaseService from "./DatabaseService";
+import OneUptimeDate from "../../Types/Date";
 import ObjectID from "../../Types/ObjectID";
+import QueryHelper from "../Types/Database/QueryHelper";
 import Model from "../../Models/DatabaseModels/ApiKey";
 import CaptureSpan from "../Utils/Telemetry/CaptureSpan";
+import InMemoryTTLCache from "../Infrastructure/InMemoryTTLCache";
+
+/*
+ * 60s is the worst-case staleness on any single API node after a key is
+ * revoked from the dashboard. We invalidate in-process immediately on
+ * delete/update; this TTL is the upper bound for *other* processes.
+ */
+const POSITIVE_TTL_MS: number = 60 * 1000;
+/*
+ * Short TTL on misses so an invalid-key flood can't pin entries in the
+ * bounded cache for long while still absorbing repeat hits.
+ */
+const NEGATIVE_TTL_MS: number = 10 * 1000;
+
+interface CachedApiKey {
+  id: string;
+  projectId: string;
+}
+
 export class Service extends DatabaseService<Model> {
+  /*
+   * Cache of `apiKey -> { id, projectId }`. The project-auth middleware hits
+   * this on every API-key-authenticated request; without it that's a
+   * Postgres findOneBy per request for automated callers.
+   */
+  private apiKeyCache: InMemoryTTLCache<CachedApiKey | null> =
+    new InMemoryTTLCache(10_000);
+
   public constructor() {
     super(Model);
   }
@@ -16,6 +47,74 @@ export class Service extends DatabaseService<Model> {
     createBy.data.apiKey = ObjectID.generate();
     return { createBy, carryForward: null };
   }
+
+  @CaptureSpan()
+  protected override async onBeforeUpdate(
+    updateBy: UpdateBy<Model>,
+  ): Promise<OnUpdate<Model>> {
+    /*
+     * We don't know which keys are being updated without a query; updates
+     * are rare so clearing is cheap.
+     */
+    this.apiKeyCache.clear();
+    return { updateBy, carryForward: null };
+  }
+
+  @CaptureSpan()
+  protected override async onBeforeDelete(
+    deleteBy: DeleteBy<Model>,
+  ): Promise<OnDelete<Model>> {
+    this.apiKeyCache.clear();
+    return { deleteBy, carryForward: null };
+  }
+
+  /**
+   * Resolves an API key string to its row, with a short-lived in-process
+   * cache. Returns null for unknown or expired keys (also cached, for a
+   * shorter TTL). Use this from the auth middleware hot path instead of
+   * calling `findOneBy` directly.
+   */
+  @CaptureSpan()
+  public async findApiKey(
+    apiKey: ObjectID,
+  ): Promise<{ id: ObjectID; projectId: ObjectID } | null> {
+    const cacheKey: string = apiKey.toString();
+    const cached: CachedApiKey | null | undefined =
+      this.apiKeyCache.get(cacheKey);
+    if (cached !== undefined) {
+      if (cached === null) {
+        return null;
+      }
+      return {
+        id: new ObjectID(cached.id),
+        projectId: new ObjectID(cached.projectId),
+      };
+    }
+
+    const row: Model | null = await this.findOneBy({
+      query: {
+        apiKey: apiKey,
+        expiresAt: QueryHelper.greaterThan(OneUptimeDate.getCurrentDate()),
+      },
+      select: {
+        _id: true,
+        projectId: true,
+      },
+      props: { isRoot: true },
+    });
+
+    if (!row || !row.id || !row.projectId) {
+      this.apiKeyCache.set(cacheKey, null, NEGATIVE_TTL_MS);
+      return null;
+    }
+
+    this.apiKeyCache.set(
+      cacheKey,
+      { id: row.id.toString(), projectId: row.projectId.toString() },
+      POSITIVE_TTL_MS,
+    );
+    return { id: row.id, projectId: row.projectId };
+  }
 }
 
 export default new Service();

package/Server/Services/DockerHostService.ts

@@ -132,6 +132,7 @@ export class Service extends DatabaseService<Model> {
     extra?: {
       osType?: string | undefined;
       osVersion?: string | undefined;
+      agentVersion?: string | undefined;
     },
   ): Promise<void> {
     const cacheKey: string = hostId.toString();
@@ -141,6 +142,7 @@ export class Service extends DatabaseService<Model> {
         JSON.stringify({
           osType: extra?.osType ?? null,
           osVersion: extra?.osVersion ?? null,
+          agentVersion: extra?.agentVersion ?? null,
         }),
       )
       .digest("hex");
@@ -173,6 +175,9 @@ export class Service extends DatabaseService<Model> {
     if (extra?.osVersion) {
       data.osVersion = extra.osVersion;
     }
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: hostId,

package/Server/Services/HostService.ts

@@ -135,6 +135,7 @@ export class Service extends DatabaseService<Model> {
       containerRuntime?: string | undefined;
       dockerHostId?: ObjectID | undefined;
       kubernetesClusterId?: ObjectID | undefined;
+      agentVersion?: string | undefined;
     },
   ): Promise<void> {
     /*
@@ -204,6 +205,9 @@ export class Service extends DatabaseService<Model> {
     if (extra?.kubernetesClusterId) {
       data.kubernetesClusterId = extra.kubernetesClusterId;
     }
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: hostId,
@@ -227,6 +231,7 @@ export class Service extends DatabaseService<Model> {
     containerRuntime?: string | undefined;
     dockerHostId?: ObjectID | undefined;
     kubernetesClusterId?: ObjectID | undefined;
+    agentVersion?: string | undefined;
   }): string {
     const normalized: Record<string, string | number | null> = {
       osType: extra?.osType ?? null,
@@ -241,6 +246,7 @@ export class Service extends DatabaseService<Model> {
       containerRuntime: extra?.containerRuntime ?? null,
       dockerHostId: extra?.dockerHostId?.toString() ?? null,
       kubernetesClusterId: extra?.kubernetesClusterId?.toString() ?? null,
+      agentVersion: extra?.agentVersion ?? null,
     };
 
     return crypto

package/Server/Services/KubernetesClusterService.ts

@@ -127,28 +127,51 @@ export class Service extends DatabaseService<Model> {
   }
 
   @CaptureSpan()
-  public async updateLastSeen(clusterId: ObjectID): Promise<void> {
+  public async updateLastSeen(
+    clusterId: ObjectID,
+    extra?: {
+      agentVersion?: string | undefined;
+    },
+  ): Promise<void> {
     const cacheKey: string = clusterId.toString();
+    const extrasFingerprint: string = crypto
+      .createHash("sha1")
+      .update(
+        JSON.stringify({
+          agentVersion: extra?.agentVersion ?? null,
+        }),
+      )
+      .digest("hex");
 
     const cached: string | null = await GlobalCache.getString(
       LAST_SEEN_CACHE_NAMESPACE,
       cacheKey,
     );
 
-    if (cached) {
-      return; // another pod already updated recently
+    if (cached === extrasFingerprint) {
+      return; // same data was written recently
     }
 
-    await GlobalCache.setString(LAST_SEEN_CACHE_NAMESPACE, cacheKey, "1", {
-      expiresInSeconds: LAST_SEEN_THROTTLE_SECONDS,
-    });
+    await GlobalCache.setString(
+      LAST_SEEN_CACHE_NAMESPACE,
+      cacheKey,
+      extrasFingerprint,
+      { expiresInSeconds: LAST_SEEN_THROTTLE_SECONDS },
+    );
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const data: any = {
+      lastSeenAt: OneUptimeDate.getCurrentDate(),
+      otelCollectorStatus: "connected",
+    };
+
+    if (extra?.agentVersion) {
+      data.agentVersion = extra.agentVersion;
+    }
 
     await this.updateOneById({
       id: clusterId,
-      data: {
-        lastSeenAt: OneUptimeDate.getCurrentDate(),
-        otelCollectorStatus: "connected",
-      },
+      data: data,
       props: {
         isRoot: true,
       },