Skip to content

Refactor auth single instance #10872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
abnegate merged 52 commits into from
Dec 18, 2025
Merged

Refactor auth single instance #10872

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
52 commits
Select commit Hold shift + click to select a range
4ad249f
Revert "Revert "Merge pull request #10682 from appwrite/refactor-auth…
shimonewman Nov 26, 2025
cee9906
reverting the revert
shimonewman Nov 26, 2025
b69bf3d
Revert previous revert of the merge for auth single instance refactor
shimonewman Nov 26, 2025
830eda7
Refactor: Update functions to include Authorization parameter and ena…
shimonewman Nov 26, 2025
4dc4cc2
Update PHPUnit configuration to disable stopOnFailure
shimonewman Nov 26, 2025
c2ea1b5
Add referenceType and reference parameters to Create deployment template
shimonewman Nov 26, 2025
1bfd413
Remove unnecessary authorization injection from StatsResources class
shimonewman Nov 26, 2025
81c2ff5
Refactor: Adjust parameter order in getUserGitHub function calls for …
shimonewman Nov 27, 2025
35e3294
teams update
shimonewman Nov 27, 2025
b76f01b
Merge remote-tracking branch 'origin/refactor-auth-single-instance' i…
shimonewman Nov 27, 2025
fb95a05
teams update
shimonewman Nov 27, 2025
f216ea5
Merge branch '1.8.x' of github.com:appwrite/appwrite into refactor-au…
shimonewman Nov 27, 2025
5da1f79
sync with 1.8.x
shimonewman Nov 27, 2025
67311fe
Refactor: Update role retrieval to use authorization object in multip…
shimonewman Nov 27, 2025
aed0079
Fix: Correct role retrieval method call and update project test asser…
shimonewman Nov 28, 2025
95e29d1
Merge branch '1.8.x' into refactor-auth-single-instance
shimonewman Nov 28, 2025
5b3659a
Remove unused Auth import in storage controller and fix formatting in…
shimonewman Nov 28, 2025
b899e13
Refactor: Update database authorization handling in realtime.php and …
shimonewman Nov 28, 2025
013e961
Refactor: Remove unused authorization parameter from redeployVcsFunct…
shimonewman Nov 28, 2025
d3fac8a
Refactor: Clean up code formatting in Compute, Functions, and Sites m…
shimonewman Nov 28, 2025
c5a45aa
Refactor: Remove unused parameters and clean up code in TablesDB and …
shimonewman Nov 29, 2025
b061f95
Refactor: Add missing Query import in Compute module and fix code for…
shimonewman Nov 29, 2025
cf66057
Merge branch '1.8.x' of github.com:appwrite/appwrite into refactor-au…
shimonewman Nov 30, 2025
5b2fdf7
tmp debug health db api
shimonewman Dec 1, 2025
21ef33e
debug
shimonewman Dec 1, 2025
e4755c6
debug
shimonewman Dec 1, 2025
27d88a4
debug
shimonewman Dec 1, 2025
eb1c119
debug
shimonewman Dec 1, 2025
2563a8f
health api fix
shimonewman Dec 1, 2025
22c90ca
debug
shimonewman Dec 1, 2025
2dfa7d9
Enhance health check logic to allow partial database failures without…
shimonewman Dec 1, 2025
beea3ab
remove debug prints
shimonewman Dec 1, 2025
1d0c522
Merge branch '1.8.x' of github.com:appwrite/appwrite into refactor-au…
shimonewman Dec 1, 2025
d472978
debug
shimonewman Dec 2, 2025
f208aa2
Merge branch 'refactor-auth-single-instance' of github.com:appwrite/a…
shimonewman Dec 2, 2025
250a7da
debug
shimonewman Dec 2, 2025
e0e9b2b
Remove debug output from RealtimeConsoleClientTest
shimonewman Dec 2, 2025
fde30b6
Merge branch 'refactor-auth-single-instance' of github.com:appwrite/a…
shimonewman Dec 2, 2025
c34649c
remove debug prints
shimonewman Dec 2, 2025
7392f6a
Merge branch '1.8.x' of github.com:appwrite/appwrite into refactor-au…
shimonewman Dec 2, 2025
b5537bb
Merge branch 'refactor-auth-single-instance' of github.com:appwrite/a…
shimonewman Dec 2, 2025
7041cae
Refactor health check logic to simplify database failure handling
shimonewman Dec 2, 2025
13f886f
Add authorization handling in Realtime connection management
shimonewman Dec 2, 2025
77face0
Update utopia-php/storage to version 0.18.16 and clean up whitespace …
shimonewman Dec 3, 2025
e47802d
Refactor Realtime message handling to improve authorization preservat…
shimonewman Dec 3, 2025
4713ae5
composer format
shimonewman Dec 3, 2025
0a0cf26
Merge branch '1.8.x' of github.com:appwrite/appwrite into refactor-au…
shimonewman Dec 8, 2025
b79ff7f
sync with 1.8.x
shimonewman Dec 8, 2025
13f4aa9
Merge remote-tracking branch 'origin/1.8.x' into refactor-auth-single…
abnegate Dec 18, 2025
fd08f7d
Update lock
abnegate Dec 18, 2025
2dc8133
Fix merge
abnegate Dec 18, 2025
f46ec96
Fix merge
abnegate Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 18 additions & 10 deletions app/cli.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,8 +41,6 @@
// require controllers after overwriting runtimes
require_once __DIR__ . '/controllers/general.php';

Authorization::disable();

CLI::setResource('register', fn () => $register);

CLI::setResource('cache', function ($pools) {
Expand All @@ -60,7 +58,13 @@
return $register->get('pools');
}, ['register']);

CLI::setResource('dbForPlatform', function ($pools, $cache) {
CLI::setResource('authorization', function () {
$authorization = new Authorization();
$authorization->disable();
return $authorization;
}, []);

CLI::setResource('dbForPlatform', function ($pools, $cache, $authorization) {
$sleep = 3;
$maxAttempts = 5;
$attempts = 0;
Expand All @@ -74,6 +78,7 @@
$dbForPlatform = new Database($adapter, $cache);

$dbForPlatform
->setAuthorization($authorization)
->setNamespace('_console')
->setMetadata('host', \gethostname())
->setMetadata('project', 'console');
Expand All @@ -99,7 +104,7 @@
}

return $dbForPlatform;
}, ['pools', 'cache']);
}, ['pools', 'cache', 'authorization']);

CLI::setResource('console', function () {
return new Document(Config::getParam('console'));
Expand All @@ -110,10 +115,10 @@
fn () => fn (Document $project, string $resourceType, ?string $resourceId) => false
);

CLI::setResource('getProjectDB', function (Group $pools, Database $dbForPlatform, $cache) {
CLI::setResource('getProjectDB', function (Group $pools, Database $dbForPlatform, $cache, $authorization) {
$databases = []; // TODO: @Meldiron This should probably be responsibility of utopia-php/pools

return function (Document $project) use ($pools, $dbForPlatform, $cache, &$databases) {
return function (Document $project) use ($pools, $dbForPlatform, $cache, $authorization, &$databases) {
if ($project->isEmpty() || $project->getId() === 'console') {
return $dbForPlatform;
}
Expand Down Expand Up @@ -146,6 +151,7 @@

$adapter = new DatabasePool($pools->get($dsn->getHost()));
$database = new Database($adapter, $cache);

$databases[$dsn->getHost()] = $database;
$sharedTables = \explode(',', System::getEnv('_APP_DATABASE_SHARED_TABLES', ''));

Expand All @@ -162,17 +168,18 @@
}

$database
->setAuthorization($authorization)
->setMetadata('host', \gethostname())
->setMetadata('project', $project->getId());

return $database;
};
}, ['pools', 'dbForPlatform', 'cache']);
}, ['pools', 'dbForPlatform', 'cache', 'authorization']);

CLI::setResource('getLogsDB', function (Group $pools, Cache $cache) {
CLI::setResource('getLogsDB', function (Group $pools, Cache $cache, Authorization $authorization) {
$database = null;

return function (?Document $project = null) use ($pools, $cache, $database) {
return function (?Document $project = null) use ($pools, $cache, $database, $authorization) {
if ($database !== null && $project !== null && !$project->isEmpty() && $project->getId() !== 'console') {
$database->setTenant((int)$project->getSequence());
return $database;
Expand All @@ -182,6 +189,7 @@
$database = new Database($adapter, $cache);

$database
->setAuthorization($authorization)
->setSharedTables(true)
->setNamespace('logsV1')
->setTimeout(APP_DATABASE_TIMEOUT_MILLISECONDS_TASK)
Expand All @@ -194,7 +202,7 @@

return $database;
};
}, ['pools', 'cache']);
}, ['pools', 'cache', 'authorization']);
CLI::setResource('publisher', function (Group $pools) {
return new BrokerPool(publisher: $pools->get('publisher'));
}, ['pools']);
Expand Down
4 changes: 3 additions & 1 deletion app/config/storage/resource_limits.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,6 @@
use Utopia\Image\Image;
use Utopia\System\System;

Image::setResourceLimit('memory', intval(System::getEnv('_APP_IMAGES_RESOURCE_LIMIT_MEMORY', 1024*1024*64)));
if (\class_exists('Imagick')) {
Image::setResourceLimit('memory', intval(System::getEnv('_APP_IMAGES_RESOURCE_LIMIT_MEMORY', 1024*1024*64)));
}
146 changes: 84 additions & 62 deletions app/controllers/api/account.php
View file
Open in desktop

Large diffs are not rendered by default.

29 changes: 16 additions & 13 deletions app/controllers/api/avatars.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,9 +70,9 @@
unset($image);
};

$getUserGitHub = function (string $userId, Document $project, Database $dbForProject, Database $dbForPlatform, ?Logger $logger) {
$getUserGitHub = function (string $userId, Document $project, Database $dbForProject, Database $dbForPlatform, Authorization $authorization, ?Logger $logger) {
try {
$user = Authorization::skip(fn () => $dbForPlatform->getDocument('users', $userId));
$user = $authorization->skip(fn () => $dbForPlatform->getDocument('users', $userId));

$sessions = $user->getAttribute('sessions', []);

Expand Down Expand Up @@ -123,15 +123,15 @@
->setAttribute('providerRefreshToken', $refreshToken)
->setAttribute('providerAccessTokenExpiry', DateTime::addSeconds(new \DateTime(), (int)$oauth2->getAccessTokenExpiry('')));

Authorization::skip(fn () => $dbForProject->updateDocument('sessions', $gitHubSession->getId(), $gitHubSession));
$authorization->skip(fn () => $dbForProject->updateDocument('sessions', $gitHubSession->getId(), $gitHubSession));

$dbForProject->purgeCachedDocument('users', $user->getId());
} catch (Throwable $err) {
$index = 0;
do {
$previousAccessToken = $gitHubSession->getAttribute('providerAccessToken');

$user = Authorization::skip(fn () => $dbForPlatform->getDocument('users', $userId));
$user = $authorization->skip(fn () => $dbForPlatform->getDocument('users', $userId));
$sessions = $user->getAttribute('sessions', []);

$gitHubSession = new Document();
Expand Down Expand Up @@ -841,8 +841,9 @@
->inject('contributors')
->inject('employees')
->inject('logger')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger) use ($getUserGitHub) {
$user = Authorization::skip(fn () => $dbForPlatform->getDocument('users', $userId));
->inject('authorization')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger, Authorization $authorization) use ($getUserGitHub) {
$user = $authorization->skip(fn () => $dbForPlatform->getDocument('users', $userId));

if ($user->isEmpty() && empty($mock)) {
throw new Exception(Exception::USER_NOT_FOUND);
Expand All @@ -853,7 +854,7 @@
$email = $user->getAttribute('email', '');
$createdAt = new \DateTime($user->getCreatedAt());

$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $logger);
$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $authorization, $logger);
$githubName = $gitHub['name'] ?? '';
$githubId = $gitHub['id'] ?? '';

Expand Down Expand Up @@ -1048,8 +1049,9 @@
->inject('contributors')
->inject('employees')
->inject('logger')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger) use ($getUserGitHub) {
$user = Authorization::skip(fn () => $dbForPlatform->getDocument('users', $userId));
->inject('authorization')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger, Authorization $authorization) use ($getUserGitHub) {
$user = $authorization->skip(fn () => $dbForPlatform->getDocument('users', $userId));

if ($user->isEmpty() && empty($mock)) {
throw new Exception(Exception::USER_NOT_FOUND);
Expand All @@ -1059,7 +1061,7 @@
$userId = $user->getId();
$email = $user->getAttribute('email', '');

$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $logger);
$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $authorization, $logger);
$githubId = $gitHub['id'] ?? '';

$isHero = \array_key_exists($email, $heroes);
Expand Down Expand Up @@ -1126,8 +1128,9 @@
->inject('contributors')
->inject('employees')
->inject('logger')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger) use ($getUserGitHub) {
$user = Authorization::skip(fn () => $dbForPlatform->getDocument('users', $userId));
->inject('authorization')
->action(function (string $userId, string $mock, int $width, int $height, Document $user, Document $project, Database $dbForProject, Database $dbForPlatform, Response $response, array $heroes, array $contributors, array $employees, ?Logger $logger, Authorization $authorization) use ($getUserGitHub) {
$user = $authorization->skip(fn () => $dbForPlatform->getDocument('users', $userId));

if ($user->isEmpty() && empty($mock)) {
throw new Exception(Exception::USER_NOT_FOUND);
Expand All @@ -1142,7 +1145,7 @@
$email = $user->getAttribute('email', '');
$createdAt = new \DateTime($user->getCreatedAt());

$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $logger);
$gitHub = $getUserGitHub($user->getId(), $project, $dbForProject, $dbForPlatform, $authorization, $logger);
$githubName = $gitHub['name'] ?? '';
$githubId = $gitHub['id'] ?? '';

Expand Down
5 changes: 3 additions & 2 deletions app/controllers/api/graphql.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,12 @@
App::init()
->groups(['graphql'])
->inject('project')
->action(function (Document $project) {
->inject('authorization')
->action(function (Document $project, Authorization $authorization) {
if (
array_key_exists('graphql', $project->getAttribute('apis', []))
&& !$project->getAttribute('apis', [])['graphql']
&& !(User::isPrivileged(Authorization::getRoles()) || User::isApp(Authorization::getRoles()))
&& !(User::isPrivileged($authorization->getRoles()) || User::isApp($authorization->getRoles()))
) {
throw new AppwriteException(AppwriteException::GENERAL_API_DISABLED);
}
Expand Down
12 changes: 7 additions & 5 deletions app/controllers/api/health.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@
$output[] = new Document([
'name' => $key . " ($database)",
'status' => 'pass',
'ping' => \round((\microtime(true) - $checkStart) / 1000)
'ping' => \round((\microtime(true) - $checkStart) * 1000)
]);
} else {
$failures[] = $database;
Expand All @@ -131,6 +131,8 @@
}
}

// Only throw error if ALL databases failed (no successful pings)
// This allows partial failures in environments where not all DBs are ready
if (!empty($failures)) {
throw new Exception(Exception::GENERAL_SERVER_ERROR, 'DB failure on: ' . implode(", ", $failures));
}
Expand Down Expand Up @@ -180,7 +182,7 @@
$output[] = new Document([
'name' => $key . " ($cache)",
'status' => 'pass',
'ping' => \round((\microtime(true) - $checkStart) / 1000)
'ping' => \round((\microtime(true) - $checkStart) * 1000)
]);
} else {
$failures[] = $cache;
Expand Down Expand Up @@ -240,7 +242,7 @@
$output[] = new Document([
'name' => $key . " ($pubsub)",
'status' => 'pass',
'ping' => \round((\microtime(true) - $checkStart) / 1000)
'ping' => \round((\microtime(true) - $checkStart) * 1000)
]);
} else {
$failures[] = $pubsub;
Expand Down Expand Up @@ -822,7 +824,7 @@

$output = [
'status' => 'pass',
'ping' => \round((\microtime(true) - $checkStart) / 1000)
'ping' => \round((\microtime(true) - $checkStart) * 1000)
];

$response->dynamic(new Document($output), Response::MODEL_HEALTH_STATUS);
Expand Down Expand Up @@ -874,7 +876,7 @@

$output = [
'status' => 'pass',
'ping' => \round((\microtime(true) - $checkStart) / 1000)
'ping' => \round((\microtime(true) - $checkStart) * 1000)
];

$response->dynamic(new Document($output), Response::MODEL_HEALTH_STATUS);
Expand Down
Loading