merge: resolve conflicts with dev (ProjectAuth Redis cache, async asset refs)

Merge dev into fix/encryption-review-issues, resolving conflicts:
- auth.go: combine KEK helper functions (HEAD) with Redis-cached project lookups (dev)
- session.go: keep AssetRefWriter buffered approach over goroutine approach
- container.go/main.go: keep AssetRefWriter DI registration and shutdown
- router_admin.go: update ProjectAuth call to include Redis parameter

Author: GenerQAQ

.github/workflows/e2e-test.yaml

@@ -70,3 +70,9 @@ jobs:
         run: |
           cd src/server
           docker compose -f docker-compose.test.yml logs
+
+      - name: Teardown
+        if: always()
+        run: |
+          cd src/server
+          docker compose -f docker-compose.test.yml down --timeout 10

src/server/api/go/cmd/server/main.go

@@ -98,6 +98,7 @@ func main() {
 	engine := router.NewRouter(router.RouterDeps{
 		Config:               cfg,
 		DB:                   db,
+		Redis:                rdb,
 		Log:                  log,
 		SessionHandler:       sessionHandler,
 		DiskHandler:          diskHandler,

src/server/api/go/configs/config.yaml

@@ -15,8 +15,8 @@ log:
 
 database:
   dsn: "host=${DATABASE_HOST} user=${DATABASE_USER} password=${DATABASE_PASSWORD} dbname=${DATABASE_NAME} port=${DATABASE_EXPORT_PORT} sslmode=disable TimeZone=UTC"
-  maxOpen: 50
-  maxIdle: 25
+  maxOpen: 100
+  maxIdle: 50
   maxIdleTimeSec: 300
   autoMigrate: true
   enableTLS: ${DATABASE_ENABLE_TLS}

src/server/api/go/internal/middleware/auth.go

@@ -1,12 +1,16 @@
 package middleware
 
 import (
+	"context"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/redis/go-redis/v9"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@@ -61,10 +65,16 @@ func GetUserKEKBase64IfEncrypted(c *gin.Context) string {
 	return base64.StdEncoding.EncodeToString(kek)
 }
 
+const (
+	projectAuthCachePrefix = "project:auth:"
+	projectAuthCacheTTL    = 5 * time.Minute
+)
+
 // ProjectAuth returns a middleware that authenticates requests using project bearer tokens.
 // Token format: sk-ac-{auth_secret}.{encrypted_master_key}
 // Derives a KEK and stores it in context for downstream encryption operations.
-func ProjectAuth(cfg *config.Config, db *gorm.DB) gin.HandlerFunc {
+// It caches project lookups in Redis to avoid hitting the database on every request.
+func ProjectAuth(cfg *config.Config, db *gorm.DB, rdb *redis.Client) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// Create auth span without propagating context to avoid nested span hierarchy
 		authCtx, authSpan := otel.Tracer("middleware").Start(
@@ -93,8 +103,8 @@ func ProjectAuth(cfg *config.Config, db *gorm.DB) gin.HandlerFunc {
 		// HMAC lookup uses auth_secret (both formats)
 		lookup := tokens.HMAC256Hex(cfg.Root.SecretPepper, parsed.AuthSecret)
 
-		var project model.Project
-		if err := db.WithContext(authCtx).Where(&model.Project{SecretKeyHMAC: lookup}).First(&project).Error; err != nil {
+		project, err := lookupProject(authCtx, db, rdb, lookup)
+		if err != nil {
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				authSpan.SetAttributes(attribute.Bool("authenticated", false))
 				authSpan.End()
@@ -135,7 +145,7 @@ func ProjectAuth(cfg *config.Config, db *gorm.DB) gin.HandlerFunc {
 		)
 		authSpan.End()
 
-		c.Set("project", &project)
+		c.Set("project", project)
 		SetWideEventField(c, "project_id", project.ID.String())
 
 		// Derive KEK: unwrap master_key from token if present.
@@ -157,3 +167,35 @@ func ProjectAuth(cfg *config.Config, db *gorm.DB) gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// lookupProject tries Redis cache first, falls back to DB on miss or Redis error.
+func lookupProject(ctx context.Context, db *gorm.DB, rdb *redis.Client, hmac string) (*model.Project, error) {
+	cacheKey := projectAuthCachePrefix + hmac
+
+	// Try Redis first
+	if rdb != nil {
+		data, err := rdb.Get(ctx, cacheKey).Bytes()
+		if err == nil {
+			var project model.Project
+			if json.Unmarshal(data, &project) == nil {
+				return &project, nil
+			}
+		}
+		// On redis.Nil or any other error, fall through to DB
+	}
+
+	// DB lookup
+	var project model.Project
+	if err := db.WithContext(ctx).Where(&model.Project{SecretKeyHMAC: hmac}).First(&project).Error; err != nil {
+		return nil, err
+	}
+
+	// Write-back to Redis (best-effort, don't block on failure)
+	if rdb != nil {
+		if data, err := json.Marshal(&project); err == nil {
+			_ = rdb.Set(ctx, cacheKey, data, projectAuthCacheTTL).Err()
+		}
+	}
+
+	return &project, nil
+}

src/server/api/go/internal/router/router.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"github.com/redis/go-redis/v9"
 	"go.uber.org/zap"
 	"gorm.io/gorm"
 
@@ -19,6 +20,7 @@ import (
 type RouterDeps struct {
 	Config               *config.Config
 	DB                   *gorm.DB
+	Redis                *redis.Client
 	Log                  *zap.Logger
 	SessionHandler       *handler.SessionHandler
 	DiskHandler          *handler.DiskHandler
@@ -66,7 +68,7 @@ func NewRouter(d RouterDeps) *gin.Engine {
 	{
 		projectAuth := d.ProjectAuthOverride
 		if projectAuth == nil {
-			projectAuth = middleware.ProjectAuth(d.Config, d.DB)
+			projectAuth = middleware.ProjectAuth(d.Config, d.DB, d.Redis)
 		}
 		v1.Use(projectAuth)
 

src/server/api/go/internal/router/router_admin.go

@@ -39,7 +39,7 @@ func NewAdminRouter(d AdminRouterDeps) *gin.Engine {
 	// Admin project encryption routes - protected by ProjectAuth (Bearer API key)
 	adminProject := r.Group("/admin/v1")
 	{
-		adminProject.Use(middleware.ProjectAuth(d.Config, d.DB))
+		adminProject.Use(middleware.ProjectAuth(d.Config, d.DB, d.Redis))
 
 		adminProject.POST("/project/encrypt", d.AdminHandler.EncryptProject)
 		adminProject.POST("/project/decrypt", d.AdminHandler.DecryptProject)