Forem: Akarshan Gandotra The latest articles on Forem by Akarshan Gandotra (@akarshan). https://forem.com/akarshan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F69510%2F5056764e-527e-442d-860b-cab2dbbf57cd.jpg Forem: Akarshan Gandotra https://forem.com/akarshan en I Dug Up My 10-Year-Old Android App, Dusted It Off With AI, and Put It Back on the Play Store Akarshan Gandotra Sun, 22 Feb 2026 06:44:45 +0000 https://forem.com/akarshan/i-dug-up-my-10-year-old-android-app-dusted-it-off-with-ai-and-put-it-back-on-the-play-store-4a3c https://forem.com/akarshan/i-dug-up-my-10-year-old-android-app-dusted-it-off-with-ai-and-put-it-back-on-the-play-store-4a3c <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2f75kytgn8vdsqcwtz4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl2f75kytgn8vdsqcwtz4.png" alt=" " width="800" height="533"></a></p> <p>Last week I did something I didn't expect to enjoy as much as I did — I resurrected a side project I hadn't touched in a decade.</p> <p>Meet <strong>Drivelert</strong>: an anti-drowsiness app I built ages ago to help drivers stay alert on long trips. The Play Store had quietly pulled it down due to ancient target SDK, zero maintenance, the usual graveyard story. I'd moved on. The app hadn't.</p> <p>Then, for reasons I can't fully explain (nostalgia? a slow weekend? some stubborn refusal to let past-me's work die?), I decided to bring it back.</p> <h2> What Even Was This Thing? </h2> <p>Drivelert was a simple but genuinely useful idea: monitor signs of driver fatigue and alert them before it becomes dangerous. I built it back when I was younger, more idealistic, and apparently not bothered by shipping something and completely abandoning it.</p> <p>The code was... a time capsule. Deprecated APIs, patterns I wouldn't touch today, some choices that made me genuinely wince. But the <em>idea</em> was solid. The bones were good.</p> <h2> A decade later: smarter, more experienced, and AI finally made the revival real </h2> <p>This time around, I wasn't flying solo. I brought AI into the workflow for unpicking outdated patterns, modernizing chunks of logic, and accelerating the parts that would've taken me days to slog through manually. </p> <p>It's a weird experience, honestly. You're reading code written by a younger version of yourself, and then having an AI help you translate it into something modern. Felt a bit like co-writing a letter to the past.</p> <p>What made it work was the mix of experience and capability.<br> I had the wisdom and context of why things were built a certain way. AI brought the momentum and precision to rebuild them better.<br> That blend of hindsight, experience, and AI support turned out to be surprisingly powerful.</p> <h2> It's Live Again </h2> <p>After a week of evenings, Drivelert is back up on the Play Store:</p> <p>👉 <strong><a href="https://play.google.com/store/apps/details?id=com.drivelert.app" rel="noopener noreferrer">Drivelert on Google Play</a></strong></p> <p>There's something quietly satisfying about seeing an old project breathe again not just preserved, but actually improved. Younger-me would probably be pleased. Slightly jealous of the tools available now, but pleased.</p> <h2> What I Actually Learned </h2> <ul> <li>Old side projects aren't necessarily dead, sometimes they just need the right moment and a better toolkit.</li> <li>AI assistance genuinely changes the calculus on revival projects. The "is this worth the effort?" math shifts when you can move faster.</li> <li>Shipping something imperfect 10 years ago &gt; never shipping the perfect version. Past-me understood this intuitively. I'd forgotten.</li> </ul> <p>It's a second innings for a scrappy little app. Let's see how it goes. 🏏</p> ai android showdev sideprojects Testing Redis Circuit Breaker with Toxiproxy Akarshan Gandotra Tue, 03 Feb 2026 07:28:46 +0000 https://forem.com/akarshan/testing-redis-circuit-breaker-with-toxiproxy-4p8a https://forem.com/akarshan/testing-redis-circuit-breaker-with-toxiproxy-4p8a <p>Building resilient distributed systems requires thorough testing of failure scenarios. While unit tests are great for business logic, they can't simulate the complex network failures that happen in production. This is where <strong>Toxiproxy</strong> comes in—a powerful tool for testing how your application handles real-world network chaos.</p> <p>In this tutorial, we'll explore how to test a Redis circuit breaker implementation using Toxiproxy to simulate various failure modes, from complete outages to subtle network degradation.</p> <h2> What is Toxiproxy? </h2> <p><a href="https://github.com/Shopify/toxiproxy" rel="noopener noreferrer">Toxiproxy</a> is a TCP proxy developed by Shopify that simulates network and system conditions for chaos and resiliency testing. Unlike traditional testing approaches that mock dependencies, Toxiproxy sits between your application and its dependencies, allowing you to inject real network failures:</p> <ul> <li> <strong>Connection failures</strong> (service down)</li> <li> <strong>Latency</strong> (slow networks)</li> <li> <strong>Bandwidth limitations</strong> (network congestion)</li> <li> <strong>Connection resets</strong> (unstable networks)</li> <li> <strong>Data corruption</strong> (packet loss)</li> </ul> <p>This makes it ideal for testing circuit breakers, retry logic, timeouts, and other resilience patterns.</p> <h2> Understanding Circuit Breakers </h2> <p>Before we dive into testing, let's briefly review the circuit breaker pattern. A circuit breaker prevents an application from repeatedly trying to execute an operation that's likely to fail, giving the failing service time to recover.</p> <p>The circuit breaker has three states:</p> <ol> <li> <strong>Closed</strong>: Normal operation, requests pass through</li> <li> <strong>Open</strong>: Too many failures detected, requests are blocked or fail-fast</li> <li> <strong>Half-Open</strong>: Testing if the service has recovered</li> </ol> <p>For our Redis implementation, we'll configure the circuit breaker to:</p> <ul> <li>Open after 5 consecutive failures</li> <li>Either fail-open (allow requests through) or fail-closed (block requests)</li> <li>Log when state transitions occur</li> </ul> <h2> Setup </h2> <h3> Installing Toxiproxy </h3> <p>First, install Toxiproxy on your system:</p> <p><strong>macOS:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>toxiproxy </code></pre> </div> <h3> Starting the Toxiproxy Server </h3> <p>Start the Toxiproxy server in the background:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-server &amp; </code></pre> </div> <p>The server starts on <code>localhost:8474</code> by default. You can verify it's running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl http://localhost:8474/version </code></pre> </div> <h3> Creating a Proxy for Redis </h3> <p>Now create a proxy that sits between your auth service and Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create proxy: listens on 6380, forwards to Redis on 6379</span> toxiproxy-cli create redis-proxy <span class="se">\</span> <span class="nt">-l</span> localhost:6380 <span class="se">\</span> <span class="nt">-u</span> localhost:6379 </code></pre> </div> <p>This creates a proxy named <code>redis-proxy</code> that:</p> <ul> <li>Listens on port <strong>6380</strong> (your application will connect here)</li> <li>Forwards traffic to Redis on port <strong>6379</strong> </li> </ul> <p>Verify the proxy was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli list </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Name Listen Upstream Enabled ============================================================ redis-proxy localhost:6380 localhost:6379 true </code></pre> </div> <h3> Configuring Your Application </h3> <p>Point your auth service to use the Toxiproxy port instead of connecting directly to Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">REDIS_HOST</span><span class="o">=</span>localhost <span class="nb">export </span><span class="nv">REDIS_PORT</span><span class="o">=</span>6380 <span class="c"># Toxiproxy port, not 6379</span> <span class="c"># Restart your service</span> </code></pre> </div> <p>Now all Redis traffic flows through Toxiproxy, allowing you to inject failures without modifying your application code.</p> <h2> Testing Scenarios </h2> <p>Let's explore different failure scenarios and verify our circuit breaker behaves correctly.</p> <h3> Scenario 1: Simulate Redis Down (Circuit Opens) </h3> <p>The most critical test—what happens when Redis becomes completely unavailable?</p> <p><strong>Disable the proxy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toggle redis-proxy </code></pre> </div> <p>This simulates Redis being down. Your application will start getting connection failures.</p> <p><strong>Expected Behavior:</strong></p> <ol> <li>First 4 requests fail but circuit remains closed</li> <li> <strong>5th consecutive failure</strong> → Circuit breaker opens</li> <li>Logs should show: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> {"level":"warn","msg":"Circuit breaker opened - Redis failures exceeded threshold","service":"auth"} </code></pre> </div> <ol> <li>Subsequent requests are either: <ul> <li> <strong>Fail-open</strong>: Allowed through (degraded mode, no Redis caching)</li> <li> <strong>Fail-closed</strong>: Rejected immediately (fail-fast)</li> </ul> </li> </ol> <p><strong>Monitoring the circuit state:</strong></p> <p>While the circuit is open, check your application metrics or logs. The circuit should remain open for the configured recovery period.</p> <p><strong>Re-enable the proxy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toggle redis-proxy </code></pre> </div> <p>After re-enabling, the circuit should transition to <strong>half-open</strong> on the next request, then back to <strong>closed</strong> if the request succeeds.</p> <p><strong>Verification checklist:</strong></p> <ul> <li>✅ Circuit opens after 5 failures</li> <li>✅ Log message appears with correct timestamp</li> <li>✅ Requests are handled according to fail-open/fail-closed policy</li> <li>✅ Circuit recovers when service returns</li> <li>✅ Application continues functioning (degraded or failed requests)</li> </ul> <h3> Scenario 2: Add Latency (Slow Redis) </h3> <p>Network latency is often more insidious than complete failures. It can cause timeouts, thread pool exhaustion, and cascading failures.</p> <p><strong>Add 5-second latency:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic add redis-proxy <span class="se">\</span> <span class="nt">-t</span> latency <span class="se">\</span> <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>5000 </code></pre> </div> <p>This adds a 5000ms (5 second) delay to all requests passing through the proxy.</p> <p><strong>Expected Behavior:</strong></p> <p>If your Redis client timeout is less than 5 seconds (e.g., 2 seconds), requests will timeout and count as failures. After 5 consecutive timeouts, the circuit should open.</p> <p><strong>Logs you should see:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{"level":"error","msg":"Redis operation timeout","error":"context deadline exceeded"} {"level":"warn","msg":"Circuit breaker opened - Redis failures exceeded threshold"} </code></pre> </div> <p><strong>Testing different latency levels:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Moderate latency (1 second)</span> toxiproxy-cli toxic update redis-proxy <span class="se">\</span> <span class="nt">-n</span> latency_downstream <span class="se">\</span> <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>1000 <span class="c"># Extreme latency (10 seconds)</span> toxiproxy-cli toxic update redis-proxy <span class="se">\</span> <span class="nt">-n</span> latency_downstream <span class="se">\</span> <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>10000 </code></pre> </div> <p><strong>Remove the latency toxic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic remove redis-proxy <span class="nt">-n</span> latency_downstream </code></pre> </div> <p><strong>Key insights:</strong></p> <ul> <li>Latency above your timeout threshold behaves like a failure</li> <li>Helps verify your timeouts are properly configured</li> <li>Tests thread pool behavior under slow dependencies</li> </ul> <h3> Scenario 3: Connection Reset (Network Errors) </h3> <p>Simulate unstable network connections that reset mid-request:</p> <p><strong>Add reset_peer toxic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic add redis-proxy <span class="se">\</span> <span class="nt">-t</span> reset_peer <span class="se">\</span> <span class="nt">-a</span> <span class="nb">timeout</span><span class="o">=</span>500 </code></pre> </div> <p>This closes the connection 500ms after receiving data, simulating network instability.</p> <p><strong>Expected Behavior:</strong></p> <p>Connections will be abruptly closed, causing errors like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>connection reset by peer unexpected EOF broken pipe </code></pre> </div> <p>These should count as failures and eventually open the circuit.</p> <p><strong>Remove the toxic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic remove redis-proxy <span class="nt">-n</span> reset_peer_downstream </code></pre> </div> <p><strong>When to use this test:</strong></p> <ul> <li>Verifying connection pool recovery</li> <li>Testing retry logic</li> <li>Ensuring proper cleanup of broken connections</li> </ul> <h3> Scenario 4: Bandwidth Limit (Network Congestion) </h3> <p>Simulate network congestion with bandwidth restrictions:</p> <p><strong>Limit to 1KB/s:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic add redis-proxy <span class="se">\</span> <span class="nt">-t</span> bandwidth <span class="se">\</span> <span class="nt">-a</span> <span class="nv">rate</span><span class="o">=</span>1 </code></pre> </div> <p>This restricts throughput to 1 kilobyte per second, simulating a severely congested network.</p> <p><strong>Expected Behavior:</strong></p> <ul> <li>Small Redis operations (GET, SET) might still work but slowly</li> <li>Large operations (fetching big values, pipeline operations) will timeout</li> <li>Gradual degradation rather than immediate failure</li> </ul> <p><strong>Test different bandwidth levels:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Moderate congestion (10 KB/s)</span> toxiproxy-cli toxic update redis-proxy <span class="se">\</span> <span class="nt">-n</span> bandwidth_downstream <span class="se">\</span> <span class="nt">-a</span> <span class="nv">rate</span><span class="o">=</span>10 <span class="c"># Severe congestion (100 bytes/s)</span> toxiproxy-cli toxic update redis-proxy <span class="se">\</span> <span class="nt">-n</span> bandwidth_downstream <span class="se">\</span> <span class="nt">-a</span> <span class="nv">rate</span><span class="o">=</span>0.1 </code></pre> </div> <p><strong>Remove the toxic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic remove redis-proxy <span class="nt">-n</span> bandwidth_downstream </code></pre> </div> <p><strong>What this tests:</strong></p> <ul> <li>Application behavior under sustained degradation</li> <li>Whether your timeouts are appropriate for typical data sizes</li> <li>If your circuit breaker is sensitive enough to detect slow failures</li> </ul> <h3> Scenario 5: Jitter (Variable Latency) </h3> <p>Real networks don't have consistent latency—they fluctuate. Simulate this with jitter:</p> <p><strong>Add latency with jitter:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic add redis-proxy <span class="se">\</span> <span class="nt">-t</span> latency <span class="se">\</span> <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>1000 <span class="se">\</span> <span class="nt">-a</span> <span class="nv">jitter</span><span class="o">=</span>500 </code></pre> </div> <p>This creates latency ranging from 500ms to 1500ms (1000ms ± 500ms).</p> <p><strong>Expected Behavior:</strong></p> <ul> <li>Some requests complete quickly</li> <li>Others timeout randomly</li> <li>Circuit breaker sees intermittent failures</li> <li>Tests the circuit breaker's threshold logic</li> </ul> <p><strong>Why this matters:</strong></p> <ul> <li>More realistic than fixed latency</li> <li>Reveals issues with retry timing</li> <li>Tests how your system handles sporadic failures</li> </ul> <h3> Scenario 6: Slow Close (Graceful Degradation) </h3> <p>Simulate a service slowly dying:</p> <p><strong>Add slice toxic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>toxiproxy-cli toxic add redis-proxy <span class="se">\</span> <span class="nt">-t</span> slice <span class="se">\</span> <span class="nt">-a</span> <span class="nv">average_size</span><span class="o">=</span>64 <span class="se">\</span> <span class="nt">-a</span> <span class="nv">size_variation</span><span class="o">=</span>32 <span class="se">\</span> <span class="nt">-a</span> <span class="nv">delay</span><span class="o">=</span>100 </code></pre> </div> <p>This slices data into small chunks with delays between them.</p> <p><strong>Expected Behavior:</strong></p> <ul> <li>Operations take progressively longer</li> <li>Eventually exceed timeouts</li> <li>Allows testing gradual degradation vs sudden failure</li> </ul> <h2> Advanced Testing Patterns </h2> <h3> Combining Multiple Toxics </h3> <p>You can apply multiple toxics simultaneously to simulate complex scenarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add both latency and packet loss</span> toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> latency <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>200 toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> slow_close <span class="nt">-a</span> <span class="nv">delay</span><span class="o">=</span>100 </code></pre> </div> <p>This simulates a network that's both slow AND unstable.</p> <h3> Automated Testing Script </h3> <p>Create a bash script to run your test scenarios automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">echo</span> <span class="s2">"Starting Redis circuit breaker tests..."</span> <span class="c"># Test 1: Complete failure</span> <span class="nb">echo</span> <span class="s2">"Test 1: Simulating Redis down"</span> toxiproxy-cli toggle redis-proxy <span class="nb">sleep </span>5 curl http://localhost:8080/health toxiproxy-cli toggle redis-proxy <span class="c"># Test 2: High latency</span> <span class="nb">echo</span> <span class="s2">"Test 2: Adding high latency"</span> toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> latency <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>5000 <span class="nb">sleep </span>5 curl http://localhost:8080/health toxiproxy-cli toxic remove redis-proxy <span class="nt">-n</span> latency_downstream <span class="c"># Test 3: Reset connections</span> <span class="nb">echo</span> <span class="s2">"Test 3: Reset connections"</span> toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> reset_peer <span class="nt">-a</span> <span class="nb">timeout</span><span class="o">=</span>500 <span class="nb">sleep </span>5 curl http://localhost:8080/health toxiproxy-cli toxic remove redis-proxy <span class="nt">-n</span> reset_peer_downstream <span class="nb">echo</span> <span class="s2">"Tests complete!"</span> </code></pre> </div> <h3> Key Metrics to Track </h3> <ol> <li> <strong>Circuit state</strong>: closed, open, half-open</li> <li> <strong>Failure count</strong>: Number of consecutive failures</li> <li> <strong>Success rate</strong>: Percentage of successful requests</li> <li> <strong>Latency percentiles</strong>: p50, p95, p99</li> <li> <strong>Request volume</strong>: Total requests during the test</li> </ol> <h2> Best Practices </h2> <h3> 1. Test All Failure Modes </h3> <p>Don't just test complete outages. Real production issues include:</p> <ul> <li>Partial failures (some operations succeed, others fail)</li> <li>Slow failures (latency-induced timeouts)</li> <li>Intermittent failures (flaky networks)</li> </ul> <h3> 2. Verify Recovery </h3> <p>Always test that your circuit breaker recovers properly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Cause failure</span> toxiproxy-cli toggle redis-proxy <span class="c"># Wait for circuit to open</span> <span class="nb">sleep </span>10 <span class="c"># Restore service</span> toxiproxy-cli toggle redis-proxy <span class="c"># Verify recovery</span> curl http://localhost:8080/health </code></pre> </div> <h3> 3. Test Under Load </h3> <p>Run toxics while your service is under load to see realistic behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Start load test</span> hey <span class="nt">-z</span> 60s <span class="nt">-c</span> 10 http://localhost:8080/api/endpoint &amp; <span class="c"># Inject failure mid-test</span> <span class="nb">sleep </span>20 toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> latency <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>3000 </code></pre> </div> <h3> 4. Clean Up Between Tests </h3> <p>Always remove toxics and reset state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Remove all toxics</span> toxiproxy-cli toxic remove redis-proxy <span class="nt">--all</span> <span class="c"># Or reset the entire proxy</span> toxiproxy-cli delete redis-proxy toxiproxy-cli create redis-proxy <span class="nt">-l</span> localhost:6380 <span class="nt">-u</span> localhost:6379 </code></pre> </div> <h2> Real-World Example </h2> <p>Here's a complete test scenario simulating a production incident:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">echo</span> <span class="s2">"=== Simulating Production Incident ==="</span> <span class="c"># Phase 1: Normal operation</span> <span class="nb">echo</span> <span class="s2">"Phase 1: Normal operation (30s)"</span> <span class="nb">sleep </span>30 <span class="c"># Phase 2: Redis starts slowing down</span> <span class="nb">echo</span> <span class="s2">"Phase 2: Redis latency increases (1s → 3s)"</span> toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> latency <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>1000 <span class="nb">sleep </span>10 toxiproxy-cli toxic update redis-proxy <span class="nt">-n</span> latency_downstream <span class="nt">-a</span> <span class="nv">latency</span><span class="o">=</span>3000 <span class="nb">sleep </span>10 <span class="c"># Phase 3: Redis becomes unstable</span> <span class="nb">echo</span> <span class="s2">"Phase 3: Connections start resetting"</span> toxiproxy-cli toxic add redis-proxy <span class="nt">-t</span> reset_peer <span class="nt">-a</span> <span class="nb">timeout</span><span class="o">=</span>1000 <span class="nb">sleep </span>10 <span class="c"># Phase 4: Complete outage</span> <span class="nb">echo</span> <span class="s2">"Phase 4: Redis goes down completely"</span> toxiproxy-cli toggle redis-proxy <span class="nb">sleep </span>20 <span class="c"># Phase 5: Redis recovers</span> <span class="nb">echo</span> <span class="s2">"Phase 5: Redis comes back online"</span> toxiproxy-cli toggle redis-proxy toxiproxy-cli toxic remove redis-proxy <span class="nt">--all</span> <span class="nb">sleep </span>20 <span class="nb">echo</span> <span class="s2">"=== Incident simulation complete ==="</span> <span class="nb">echo</span> <span class="s2">"Check logs and metrics to verify circuit breaker behavior"</span> </code></pre> </div> <p><strong>Expected outcome</strong>:</p> <ul> <li>Phase 1-2: Elevated latency, some timeouts</li> <li>Phase 3: Circuit might start opening/closing intermittently</li> <li>Phase 4: Circuit should open and stay open</li> <li>Phase 5: Circuit should recover to closed state</li> </ul> <h2> Conclusion </h2> <p>Testing with Toxiproxy transforms abstract resilience patterns into concrete, verifiable behaviors. By simulating real network failures, you can:</p> <ul> <li> <strong>Validate</strong> that your circuit breaker opens at the correct threshold</li> <li> <strong>Verify</strong> that your application handles failures gracefully</li> <li> <strong>Discover</strong> edge cases before they occur in production</li> <li> <strong>Build confidence</strong> in your system's resilience</li> </ul> <p>The key is to test not just complete failures, but the spectrum of degradation that happens in production: latency spikes, intermittent errors, bandwidth constraints, and gradual deterioration.</p> <p>Remember: A circuit breaker that's never tested is just technical debt in disguise.</p> <h2> Resources </h2> <ul> <li><a href="https://github.com/Shopify/toxiproxy" rel="noopener noreferrer">Toxiproxy GitHub Repository</a></li> <li><a href="https://github.com/Netflix/Hystrix/wiki/How-it-Works#circuit-breaker" rel="noopener noreferrer">Netflix's Hystrix Circuit Breaker</a></li> <li><a href="https://martinfowler.com/bliki/CircuitBreaker.html" rel="noopener noreferrer">Martin Fowler on Circuit Breakers</a></li> <li><a href="https://redis.io/docs/manual/client-side-caching/" rel="noopener noreferrer">Redis Client Best Practices</a></li> </ul> <p><strong>Have you used Toxiproxy for testing? What failure scenarios have you discovered that surprised you? Share your experiences in the comments!</strong> 💬</p> redis testing resilience devops LRU vs TinyLFU: Choosing the Right Cache Eviction Strategy 🚀 Akarshan Gandotra Sat, 03 Jan 2026 06:30:51 +0000 https://forem.com/akarshan/lru-vs-tinylfu-choosing-the-right-cache-eviction-strategy-56pd https://forem.com/akarshan/lru-vs-tinylfu-choosing-the-right-cache-eviction-strategy-56pd <p>When building high-performance applications, choosing the right cache eviction policy can make or break your system's performance. While both TinyLRU and TinyLFU aim to keep your hot data cached, they take fundamentally different approaches. Understanding when to use each can save you from performance disasters and wasted CPU cycles.</p> <h2> The Fundamentals 📚 </h2> <h3> What is LRU? </h3> <p>LRU (Least Recently Used) is one of the most intuitive cache eviction policies. The principle is simple: when the cache is full and you need to make room for new data, evict the item that was accessed longest ago.</p> <p>Think of it like organizing books on a small shelf. Every time you read a book, you put it at the front. When the shelf fills up, you remove the book from the back that you haven't touched in the longest time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LRU Cache Operations: ┌─────────────────────────┐ │ Get(key) │ │ └─ Move to front │ │ │ │ Set(key, value) │ │ └─ Add to front │ │ └─ Evict oldest if full│ └─────────────────────────┘ </code></pre> </div> <h3> What is TinyLFU? </h3> <p>TinyLFU (Least Frequently Used with Frequency sketch) takes a different approach. Instead of just tracking when items were accessed, it tracks how often they've been accessed. Before admitting a new item, TinyLFU asks: "Is this item more valuable than what I'd have to evict?"<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TinyLFU Cache Operations: ┌─────────────────────────────┐ │ Get(key) │ │ └─ Increment frequency │ │ └─ Return if cached │ │ │ │ Set(key, value) │ │ └─ Compare frequencies │ │ └─ Admit if worthy │ │ └─ Reject if not valuable │ └─────────────────────────────┘ </code></pre> </div> <h2> The Critical Difference: Recency vs Frequency 🎯 </h2> <p>The fundamental distinction between these algorithms is what they optimize for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LRU optimizes for: RECENCY (when was it last used?) TinyLFU optimizes for: FREQUENCY (how often is it used?) </code></pre> </div> <p>This difference seems subtle but has massive implications for real-world systems.</p> <h2> Visual Comparison 📊 </h2> <h3> LRU Behavior </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline of Cache Operations: Initial: [A] ← → [B] ← → [C] ↑ ↑ MRU LRU Access B: [B] ← → [A] ← → [C] Add D (full): [D] ← → [B] ← → [A] ↑ ↑ MRU Evicted → C Result: C removed (oldest), regardless of access count </code></pre> </div> <h3> TinyLFU Behavior </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cache State: Item A: frequency = 500 Item B: frequency = 300 Item C: frequency = 100 ← LFU victim New Item D arrives (frequency = 5) ↓ Compare: D(5) vs C(100) ↓ Decision: REJECT ❌ ↓ Result: D never enters cache C stays (more valuable) New Item E arrives (frequency = 150) ↓ Compare: E(150) vs C(100) ↓ Decision: ADMIT ✅ ↓ Result: E enters cache C evicted </code></pre> </div> <h2> The Real-World Problem: JWT Authentication 🔐 </h2> <p>Let's examine a production scenario that perfectly illustrates why the choice matters. This example is drawn from real JWT authentication systems handling 100,000 requests per second.</p> <h3> The Setup </h3> <p>You're running an auth gateway. Every incoming request carries a JWT. Verifying that JWT costs 200 microseconds. At 100,000 requests per second, that's <strong>20 full CPU cores</strong> doing nothing but crypto.</p> <p>So you add caching. Problem solved... until it isn't.</p> <h3> Your Traffic Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔥 Hot Tokens (70% of traffic) └─ Long-lived sessions └─ Service accounts: 20 req/sec each └─ Browser sessions: 50 req/min each └─ Thousands of hits per 20-min lifetime ❄️ Cold Tokens (25% of traffic) └─ One-off API calls └─ Batch jobs with unique tokens └─ Each token: 1-2 hits, never again 🎲 Noise Tokens (5% of traffic) └─ Scanners └─ Malformed requests └─ Expired tokens from broken clients └─ Pure garbage </code></pre> </div> <h3> The LRU Failure Mode </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time: 3:00 AM Event: Batch job spawns 1000 workers Each worker: unique JWT, single request LRU Decision Tree: ┌─────────────────────────────┐ │ New token arrives │ │ Cache is full │ └──────────┬──────────────────┘ │ ▼ ┌──────────────┐ │ Admit token │ ← Always admits │ Evict oldest │ ← Evicts hot tokens └──────────────┘ │ ▼ ┌─────────────────────────────┐ │ Cache now full of 1000 │ │ tokens that will NEVER │ │ be seen again │ └─────────────────────────────┘ Impact: ├─ Service account tokens evicted ├─ Active browser sessions evicted ├─ Hit rate: 92% → 61% └─ CPU usage doubles </code></pre> </div> <p>As the author of the <a href="https://dev.to/akarshan/tinylfu-why-your-jwt-auth-cache-needs-better-eviction-3j71">TinyLFU JWT authentication analysis</a> notes, this scenario transforms a stable caching system into an unpredictable performance disaster. Hot tokens that should remain cached for their entire 20-minute lifetime get evicted by cold tokens that will never be seen again.</p> <h3> The TinyLFU Solution </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Same scenario: 1000 batch job tokens arrive TinyLFU Decision for Each Token: ┌─────────────────────────────┐ │ New batch token │ │ Frequency: 1 │ └──────────┬──────────────────┘ │ ▼ ┌──────────────┐ │ Compare with │ │ LFU victim │ │ (freq: 500) │ └──────┬───────┘ │ ▼ ┌──────────────┐ │ 1 &lt; 500 │ │ REJECT ❌ │ └──────────────┘ │ ▼ ┌─────────────────────────────┐ │ Token never enters cache │ │ Hot tokens remain cached │ │ Hit rate stays: 92% │ └─────────────────────────────┘ </code></pre> </div> <p>TinyLFU's admission gate prevents cache pollution. Batch tokens never achieve sufficient frequency to compete with legitimate hot tokens.</p> <h2> Data Structure Comparison 🏗️ </h2> <h3> LRU Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Components: ┌─────────────────────────────────┐ │ HashMap: key → node │ │ (O(1) lookups) │ └─────────────────────────────────┘ │ ▼ ┌─────────────────────────────────┐ │ Doubly Linked List │ │ (maintains access order) │ │ │ │ [Head] ← → [Node] ← → [Tail] │ │ (MRU) (LRU) │ └─────────────────────────────────┘ Operations: Get: HashMap lookup + move to head = O(1) Set: HashMap insert + add to head = O(1) (evict tail if full) Memory: ~100 bytes/entry overhead </code></pre> </div> <h3> TinyLFU Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Components: ┌─────────────────────────────────┐ │ Main Cache (LRU) │ │ 99% of capacity │ └─────────────────────────────────┘ │ ▼ ┌─────────────────────────────────┐ │ Admission Window (tiny LRU) │ │ 1% of capacity │ │ (for cold-start protection) │ └─────────────────────────────────┘ │ ▼ ┌─────────────────────────────────┐ │ Count-Min Sketch │ │ (frequency tracking) │ │ 10x cache size │ │ ~4 bits per counter │ └─────────────────────────────────┘ Operations: Get: Increment sketch + cache lookup = O(1) Set: Compare frequencies + conditional admit = O(1) Memory: ~500 KB for 100k cache with 1M counters </code></pre> </div> <h2> Count-Min Sketch: The Magic Behind TinyLFU 🎩 </h2> <p>The Count-Min Sketch is the secret sauce that makes TinyLFU practical. It's a probabilistic data structure that tracks frequencies for millions of items using only a tiny amount of memory.</p> <h3> The Problem It Solves </h3> <p>Imagine you need to track access frequencies for every JWT token you've ever seen:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Naive Approach: HashMap: token → counter Problems: ├─ Need to store every unique token ├─ 1 million tokens × 64 bytes = 64 MB just for keys ├─ Plus counter storage └─ Total: ~100 MB+ for frequency tracking alone ❌ </code></pre> </div> <p>Count-Min Sketch solves this with a clever tradeoff: instead of exact counts, it provides approximate counts with strong guarantees.</p> <h3> How Count-Min Sketch Works </h3> <p>Think of it as a 2D grid of counters with multiple hash functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Count-Min Sketch Structure: Hash1 → [ 3][ 1][ 5][ 2][ 8][ 0][ 4]... Hash2 → [ 2][ 4][ 1][ 7][ 3][ 1][ 2]... Hash3 → [ 1][ 2][ 6][ 3][ 1][ 4][ 5]... Hash4 → [ 4][ 1][ 3][ 5][ 2][ 1][ 8]... ↑ Counters (4 bits each) Dimensions: ├─ Width (w): Number of counters per row ├─ Depth (d): Number of hash functions └─ Total memory: w × d × 4 bits </code></pre> </div> <h3> Operations Visualized </h3> <p><strong>Incrementing a Token:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Token: "jwt_user_123" ↓ Apply 4 hash functions: ├─ Hash1(token) = 42 → Increment row1[42] ├─ Hash2(token) = 157 → Increment row2[157] ├─ Hash3(token) = 891 → Increment row3[891] └─ Hash4(token) = 23 → Increment row4[23] Before: Row1: ...[ 3][ 5]... (position 42) Row2: ...[10][ 2]... (position 157) Row3: ...[ 7][ 1]... (position 891) Row4: ...[ 2][ 8]... (position 23) After: Row1: ...[ 4][ 5]... ← Incremented Row2: ...[11][ 2]... ← Incremented Row3: ...[ 8][ 1]... ← Incremented Row4: ...[ 3][ 8]... ← Incremented Time: O(1) - Just 4 increments </code></pre> </div> <p><strong>Querying Frequency:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Token: "jwt_user_123" ↓ Apply same 4 hash functions: ├─ Hash1(token) = 42 → Read row1[42] = 4 ├─ Hash2(token) = 157 → Read row2[157] = 11 ├─ Hash3(token) = 891 → Read row3[891] = 8 └─ Hash4(token) = 23 → Read row4[23] = 3 Estimated frequency: min(4, 11, 8, 3) = 3 ✅ Why minimum? └─ Counters can be inflated by collisions Take the minimum = most conservative estimate Time: O(1) - Just 4 lookups + min operation </code></pre> </div> <h3> Why It Works: Hash Collisions </h3> <p>Different tokens can hash to the same positions (collisions), but the Count-Min Sketch handles this elegantly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Collision Example: Token A and Token B both hash to position 42 in Row1 Row1[42] stores: countA + countB = 15 ↓ When querying Token A: ├─ Row1: 15 (includes Token B) ← Overestimate ├─ Row2: 12 (includes Token C) ← Overestimate ├─ Row3: 9 (no collision) ← True count └─ Row4: 11 (includes Token D) ← Overestimate Result: min(15, 12, 9, 11) = 9 Key Property: ├─ Estimates can be HIGHER than true count ├─ Estimates are NEVER LOWER than true count └─ Using multiple rows reduces overestimation </code></pre> </div> <h3> The Guarantee </h3> <p>Count-Min Sketch provides mathematical guarantees:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>True frequency: f Estimated frequency: f' Guarantee: f ≤ f' ≤ f + ε × N Where: ├─ ε (epsilon): Error parameter (e.g., 0.01 = 1%) ├─ N: Total number of items seen └─ f' never underestimates Example with ε = 0.01: ├─ True count: 100 ├─ Total items: 1,000,000 ├─ Max error: 0.01 × 1,000,000 = 10,000 └─ Estimated: 100 to 10,100 </code></pre> </div> <p>For TinyLFU caching decisions, this is perfect because we're making relative comparisons:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Admission Decision: Token A frequency: ~500 (might be 500-600) Token B frequency: ~50 (might be 50-100) Decision: A &gt; B is correct regardless of small errors ✅ </code></pre> </div> <h3> Memory Efficiency </h3> <p>Compare memory usage for tracking 1 million tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Exact HashMap: ├─ 1M entries × 64 bytes (key) ├─ 1M entries × 8 bytes (counter) └─ Total: ~72 MB Count-Min Sketch (w=10M, d=4): ├─ 10M counters × 4 rows ├─ 40M counters × 4 bits each ├─ 160M bits = 20 MB └─ 72% memory savings ✅ Even Better - 4-bit Counters: ├─ Each counter: 0 to 15 ├─ When counter reaches 15, halve all counters ├─ Maintains relative frequencies └─ Prevents overflow </code></pre> </div> <h3> Counter Decay in Action </h3> <p>TinyLFU uses periodic decay to keep frequencies fresh:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Before Decay: Row1: [15][12][ 8][15]... Row2: [13][15][ 6][ 9]... Row3: [15][ 7][11][15]... Row4: [10][15][15][ 4]... Decay Event (right shift by 1 bit = divide by 2): Row1: [ 7][ 6][ 4][ 7]... Row2: [ 6][ 7][ 3][ 4]... Row3: [ 7][ 3][ 5][ 7]... Row4: [ 5][ 7][ 7][ 2]... Benefits: ├─ Recent activity matters more ├─ Old patterns fade away ├─ Prevents counter overflow └─ Extremely fast (bit shift operation) </code></pre> </div> <h3> Real-World Example: JWT Cache </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scenario: 100k req/sec, tracking 5M unique tokens Configuration: ├─ Width: 10M counters ├─ Depth: 4 hash functions ├─ Counter size: 4 bits └─ Total memory: 20 MB Token Types: ┌─────────────────────────────────────┐ │ Service Account (Token A) │ │ True frequency: 2000 │ │ Sketch estimate: 2003 │ │ Error: 0.15% │ └─────────────────────────────────────┘ ┌─────────────────────────────────────┐ │ Batch Job Token (Token B) │ │ True frequency: 1 │ │ Sketch estimate: 1 │ │ Error: 0% │ └─────────────────────────────────────┘ ┌─────────────────────────────────────┐ │ Random Attack Token (Token C) │ │ True frequency: 1 │ │ Sketch estimate: 2 (collision) │ │ Error: 100% (but still tiny!) │ └─────────────────────────────────────┘ Admission Decision: ├─ Token A (2003) vs Token B (1) → A wins ✅ ├─ Token A (2003) vs Token C (2) → A wins ✅ └─ Small errors don't affect decisions </code></pre> </div> <h3> Why This Matters for TinyLFU </h3> <p>The Count-Min Sketch enables TinyLFU to:</p> <ol> <li> <strong>Track millions of items</strong> with minimal memory</li> <li> <strong>Make instant decisions</strong> with O(1) operations</li> <li> <strong>Handle high throughput</strong> without becoming a bottleneck</li> <li> <strong>Adapt to changing patterns</strong> through decay</li> <li> <strong>Tolerate approximation</strong> because relative comparisons still work</li> </ol> <p>Without Count-Min Sketch, TinyLFU would need exact frequency counters for every item ever seen, making it impractical for high-scale systems. The sketch transforms TinyLFU from a theoretical idea into a production-ready cache algorithm.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>The Trade-off: ├─ Give up: Exact counts ├─ Gain: 70-90% memory savings ├─ Guarantee: Never underestimate └─ Result: Practical frequency-based caching ✅ </code></pre> </div> <h2> Attack Resilience 🛡️ </h2> <h3> LRU Under Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Attacker Strategy: 50k random JWTs/sec LRU Response: ┌─────────────────────────────────┐ │ Random Token 1 → ADMIT │ │ Random Token 2 → ADMIT │ │ Random Token 3 → ADMIT │ │ ... (evicting legitimate tokens)│ │ Random Token 50000 → ADMIT │ └─────────────────────────────────┘ Result: ├─ Cache fills with garbage ├─ Legitimate tokens evicted ├─ Hit rate collapses └─ CPU usage spikes </code></pre> </div> <h3> TinyLFU Under Attack </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Same Attack: 50k random JWTs/sec TinyLFU Response: ┌─────────────────────────────────┐ │ Random Token 1 (freq=1) → REJECT│ │ Random Token 2 (freq=1) → REJECT│ │ Random Token 3 (freq=1) → REJECT│ │ ... (legitimate tokens safe) │ │ Random Token 50000 → REJECT │ └─────────────────────────────────┘ Meanwhile: ├─ Legitimate Token A (freq=2000) → stays cached ├─ Service Account B (freq=1500) → stays cached └─ Hit rate remains: 92% </code></pre> </div> <p>As demonstrated in the JWT authentication case study, the attack actually makes TinyLFU's cache more resilient because random tokens can never achieve the frequency needed to displace legitimate hot tokens.</p> <h2> Configuration Deep Dive ⚙️ </h2> <h3> LRU Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Simple Parameters: cache := NewLRU(100000) // Just capacity Optional: ├─ TTL per entry ├─ Expiration callback └─ Memory limit (bytes) Rule of Thumb: Size = ActiveUsers × AverageSessionRequests × SafetyMargin = 10,000 × 50 × 2 = 1,000,000 entries </code></pre> </div> <h3> TinyLFU Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Critical Parameters: cache := NewTinyLFU(TinyLFUConfig{ MaxSize: 100000, // Main cache capacity NumCounters: 1000000, // Frequency sketch size (10x) BufferItems: 1000, // Admission window (1%) }) Parameter Breakdown: NumCounters: ├─ Rule: 10x cache size ├─ Why: Reduces hash collisions ├─ Memory: counters × 4 bits └─ Example: 1M counters = 500 KB BufferItems: ├─ Rule: 1% of MaxSize ├─ Purpose: Cold-start protection ├─ Behavior: New items land here first └─ Graduation: Build frequency → main cache MaxCost (optional): ├─ For variable-sized entries ├─ Memory-bounded eviction └─ Example: 50 MB budget for mixed sizes </code></pre> </div> <h2> Conclusion 🎯 </h2> <p>Both TinyLRU and TinyLFU have their place in modern systems:</p> <p><strong>TinyLRU</strong> is your default choice. It's simple, fast, and works well for most caching scenarios. Use it when recency correlates with value in your workload.</p> <p><strong>TinyLFU</strong> is your specialist tool. It shines when you have frequency-skewed workloads, face burst traffic, or need resilience against cache pollution. The JWT authentication scenario demonstrates how critical this becomes at scale where poor cache decisions directly translate to wasted CPU cores and degraded latency.</p> <p>The right choice depends on understanding your access patterns. Monitor your cache behavior, measure hit rates under realistic load, and choose the algorithm that matches your workload characteristics.</p> <p><strong>Further Reading:</strong></p> <ul> <li>📄 <a href="https://arxiv.org/abs/1512.00727" rel="noopener noreferrer">TinyLFU: A Highly Efficient Cache Admission Policy</a> </li> <li>🔐 <a href="https://dev.to/akarshan/tinylfu-why-your-jwt-auth-cache-needs-better-eviction-3j71">TinyLFU in JWT Authentication Systems</a> </li> <li>🔧 <a href="https://github.com/dgraph-io/ristretto" rel="noopener noreferrer">Ristretto: A fast, concurrent TinyLFU cache</a> </li> <li>📚 <a href="https://github.com/hashicorp/golang-lru" rel="noopener noreferrer">golang-lru: Simple LRU implementation</a> </li> <li>📊 Count-Min Sketch: The probabilistic data structure powering TinyLFU</li> </ul> <p><em>Choose wisely, cache efficiently, and may your hit rates stay high!</em> 🚀</p> lru tinylfu cache TinyLFU: Why Your JWT Auth Cache Needs Better Eviction 🔐 Akarshan Gandotra Mon, 22 Dec 2025 05:29:20 +0000 https://forem.com/akarshan/tinylfu-why-your-jwt-auth-cache-needs-better-eviction-3j71 https://forem.com/akarshan/tinylfu-why-your-jwt-auth-cache-needs-better-eviction-3j71 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3e41lehwi2wnkfm3q16u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3e41lehwi2wnkfm3q16u.png" alt=" " width="800" height="533"></a></p> <p>You're running an auth gateway. Every incoming request carries a JWT. Verifying that JWT checking the signature, validating claims, maybe hitting a revocation list costs you 200 microseconds. At 100,000 requests per second, that's <strong>20 full CPU cores</strong> doing nothing but crypto. 💸</p> <p>So you cache verified tokens. Problem solved. ✅</p> <p>Except three weeks later, your P99 latency spikes during a product launch. Cache hit rate drops from 92% to 61%. CPU usage doubles. You scale horizontally, and the problem... gets <strong>worse</strong>. 📉</p> <p>This isn't a configuration issue. It's not a bug. It's LRU doing exactly what it was designed to do, which happens to be the wrong thing for your workload.</p> <h2> The Problem With LRU in Auth Systems 🚨 </h2> <p>LRU (Least Recently Used) evicts whatever you touched longest ago. In theory, this keeps "hot" data in cache. In practice, at high throughput with diverse traffic patterns, LRU makes decisions that actively hurt you.</p> <p>Here's why: your JWT traffic isn't uniform. You have three categories of tokens hitting your gateway:</p> <h3> Your Token Traffic Breakdown 📊 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔥 Hot Tokens (70% of traffic) └─ Long-lived sessions └─ Browsers, mobile apps, service accounts └─ Single user = 50 req/min └─ Service account = 20 req/sec └─ Thousands of hits per 20-min lifetime ❄️ Cold Tokens (25% of traffic) └─ One-off API calls └─ Scheduled jobs └─ Infrequent users └─ Each token appears 1-2 times, never again 🎲 Random Tokens (5% of traffic) └─ Scanners └─ Malformed requests └─ Expired tokens from broken clients └─ Attackers probing endpoints └─ Pure noise </code></pre> </div> <p><strong>The LRU Failure Mode:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Time: 3:00 AM Event: Batch job spawns 1000 workers Each worker: unique JWT, single request LRU Decision Tree: ┌─────────────────────────────┐ │ New token arrives │ │ Cache is full │ └──────────┬──────────────────┘ │ ▼ ┌──────────────┐ │ Admit token │ ← Always admits │ Evict oldest │ ← Evicts your hot tokens └──────────────┘ │ ▼ ┌─────────────────────────────┐ │ Result: Cache now full of │ │ 1000 tokens that will │ │ NEVER be seen again │ └─────────────────────────────┘ </code></pre> </div> <p>Now your hot tokens miss the cache. You're verifying the same legitimate user tokens over and over, burning CPU, while your cache is full of one-time tokens that will never be seen again. </p> <p><strong>Your hit rate collapses. Your latency spikes.</strong> And because this happens gradually as the cache churns, you don't see a clean error you see slow, expensive drift. 🐌</p> <h3> The Core Problem 🎯 </h3> <p>LRU optimizes for <strong>recency</strong>, but recency is the wrong signal when traffic has massive frequency skew.</p> <h2> What TinyLFU Actually Changes 🔄 </h2> <p>TinyLFU splits caching into two distinct decisions: <strong>admission</strong> and <strong>eviction</strong>.</p> <h3> LRU vs TinyLFU Flow </h3> <p><strong>Traditional LRU:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Token arrives → Miss → ALWAYS admit → Evict something old ↓ No questions asked </code></pre> </div> <p><strong>TinyLFU:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Token arrives → Miss → Is this token valuable enough? ├─ Yes → Admit &amp; evict └─ No → Reject, verify once, move on </code></pre> </div> <p>TinyLFU adds a <strong>gate</strong>. When a JWT arrives and misses the cache, TinyLFU asks:</p> <blockquote> <p>"Is this token more valuable than what I'd have to evict?"</p> </blockquote> <p>If the answer is no, the token doesn't enter the cache at all. You verify it, return the response, and move on.</p> <h3> The Signal Shift 📡 </h3> <ul> <li> <strong>LRU measures</strong>: Recency (when was it last accessed?)</li> <li> <strong>TinyLFU measures</strong>: Frequency (how often has it been accessed?)</li> </ul> <p>For auth workloads, frequency is the correct signal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Token A: 5000 accesses &gt; Token B: 1 access ↑ ↑ More valuable Less valuable (regardless of which one you saw most recently) </code></pre> </div> <h2> TinyLFU Without Jargon 🧮 </h2> <p>TinyLFU keeps <strong>approximate frequency counts</strong> for every item it's seen recently. Not exact counts approximate. This matters for performance and memory.</p> <h3> The Admission Algorithm </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>JWT arrives ↓ 1. Increment counter for this token ↓ 2. Already in cache? → HIT ✅ (done) ↓ 3. Not in cache? → MISS ↓ 4. Compare frequencies: ┌─────────────────────────────────────┐ │ New token frequency: 3 │ │ Victim token frequency: 500 │ │ │ │ Decision: REJECT (3 &lt; 500) │ │ Action: Verify once, don't cache │ └─────────────────────────────────────┘ OR ┌─────────────────────────────────────┐ │ New token frequency: 520 │ │ Victim token frequency: 480 │ │ │ │ Decision: ADMIT (520 &gt; 480) │ │ Action: Cache new, evict victim │ └─────────────────────────────────────┘ </code></pre> </div> <h3> Counter Decay ⏰ </h3> <p>Counters decay over time to keep frequency reflecting <strong>recent</strong> history:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Counter Values Before Decay: Token A: 1000 Token B: 500 Token C: 200 [Decay event: halve all counters] Counter Values After Decay: Token A: 500 Token B: 250 Token C: 100 </code></pre> </div> <p>Why this matters: A token that was hot yesterday but hasn't been seen in an hour shouldn't still dominate. Decay is fast (just bit-shifting memory) and keeps the frequency signal fresh.</p> <p><strong>At 100k TPS</strong>, "recent history" typically means the last few seconds to a minute. That's enough to distinguish genuinely hot tokens from noise, but short enough that stale patterns don't stick around.</p> <h2> Applying TinyLFU to a JWT Cache 🎯 </h2> <p>Let's trace what happens to each category of token:</p> <h3> 🔥 Hot Tokens (Browsers, Service Accounts) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline of a Browser Token: Request #1 → Miss, frequency=1 → Verify, reject admission Request #2 → Miss, frequency=2 → Verify, reject admission Request #3 → Miss, frequency=3 → Verify, reject admission ... Request #8 → Miss, frequency=8 → Verify, WIN admission ✅ Request #9 → HIT ✅ Request #10 → HIT ✅ Request #50 → HIT ✅ (frequency=50+) ... Request #3000 → HIT ✅ (frequency=3000+) Result: Cached for entire 20-min lifetime </code></pre> </div> <p>Hot tokens naturally win admission after a few misses and stay cached because every access keeps their frequency elevated. 🎉</p> <h3> ❄️ Cold Tokens (One-off Requests) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline of a Batch Job Token: Request #1 → Miss, frequency=1 → Verify ↓ Compare for admission: New token frequency: 1 Victim frequency: 500 Decision: REJECT ❌ ↓ Cache unchanged ↓ Token never seen again Result: Never pollutes the cache </code></pre> </div> <p>Cold tokens never build enough frequency to compete. They bounce off the admission gate. ✋</p> <h3> 🎲 Random/Attack Tokens </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Attacker floods 50k requests/sec with random JWTs: Random Token 1: frequency=1 → REJECT ❌ Random Token 2: frequency=1 → REJECT ❌ Random Token 3: frequency=1 → REJECT ❌ ... Random Token 50000: frequency=1 → REJECT ❌ Meanwhile: Legitimate Token A: frequency=2000 → ADMIT ✅ (stays cached) </code></pre> </div> <p>Attackers can't displace your hot tokens because random tokens never achieve sufficient frequency. <strong>The attack makes your cache MORE resilient, not less.</strong> 🛡️</p> <h3> The Key Insight 💡 </h3> <p>TinyLFU doesn't need to be told what's hot. It <strong>infers value from access patterns</strong>:</p> <ul> <li>Service account polling every 100ms → naturally high frequency → stays cached</li> <li>Batch job with 1000 one-time tokens → 1000 low-frequency items → never admitted</li> </ul> <p>The policy emerges from the data.</p> <h2> Admission Decisions in Practice ⚖️ </h2> <p><strong>Scenario:</strong> Cache holds 100k tokens. It's full. New JWT arrives.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ New JWT arrives (miss) │ │ Token: eyJhbGc... │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ Lookup frequency │ │ New token: 3 hits │ │ LFU victim (least frequent cached): 480 │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ 3 &lt; 480 │ │ Decision: REJECT ❌ │ │ Action: Verify token, return response │ │ Cache remains unchanged │ └─────────────────────────────────────────┘ </code></pre> </div> <p>Another token arrives:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ New JWT arrives (miss) │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ Lookup frequency │ │ New token: 520 hits │ │ LFU victim: 480 │ └──────────────┬──────────────────────────┘ │ ▼ ┌─────────────────────────────────────────┐ │ 520 &gt; 480 │ │ Decision: ADMIT ✅ │ │ Action: Evict victim, cache new token │ └─────────────────────────────────────────┘ </code></pre> </div> <p>This comparison happens on every miss. It's <strong>fast</strong> TinyLFU uses a probabilistic data structure (Count-Min Sketch) to track frequencies in O(1) time with tiny memory footprint.</p> <h3> Why This Matters Under Attack 🛡️ </h3> <p><strong>Attack scenario:</strong> Adversary sends 50k req/sec with random JWTs</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cache Type</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td><strong>LRU</strong></td> <td>❌ Random tokens churn cache, evict legitimate tokens, cache hit rate collapses</td> </tr> <tr> <td><strong>TinyLFU</strong></td> <td>✅ Each random token has frequency=1, legitimate tokens have frequency=100s-1000s, random tokens never win admission, cache remains stable</td> </tr> </tbody> </table></div> <p><strong>Burst scenario:</strong> Batch job spawns 5000 workers at midnight</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cache Type</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td><strong>LRU</strong></td> <td>❌ 5000 one-time tokens flush out service accounts and browser sessions</td> </tr> <tr> <td><strong>TinyLFU</strong></td> <td>✅ Batch tokens never achieve sufficient frequency, hot tokens remain cached</td> </tr> </tbody> </table></div> <h2> Why Configuration Matters ⚙️ </h2> <p>TinyLFU has a few knobs. They're not arbitrary, they map directly to your workload.</p> <h3> 🎛️ NumCounters </h3> <p><strong>What it controls:</strong> Size of the frequency sketch</p> <p><strong>Rule of thumb:</strong> 10x your cache size</p> <p><strong>Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Cache capacity: 100k tokens NumCounters: 1 million Why? ├─ Sketch uses hash functions to map tokens → counters ├─ Too few counters = frequent collisions │ └─ Different tokens share same counter │ └─ Frequency estimates degrade └─ Enough counters = rare collisions = accurate tracking Memory cost: 1M counters × 4 bits = 500 KB ✅ </code></pre> </div> <p><strong>At 100k TPS with 20-min token lifetimes:</strong></p> <ul> <li>You might see <strong>5 million distinct tokens</strong> in an hour</li> <li>Using 1-2M counters gives low collision rates</li> <li>Total memory cost: <strong>~1 MB</strong> (cheap!)</li> </ul> <h3> 🎛️ BufferItems </h3> <p><strong>What it is:</strong> TinyLFU's admission buffer (small LRU window)</p> <p><strong>Typical size:</strong> 1% of total cache size</p> <p><strong>Why it exists:</strong> Protects against cold-start problem<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Problem without buffer: New token arrives → frequency=0 → loses every admission battle Solution with buffer: New token arrives → lands in admission buffer → builds frequency over next few hits → graduates to main cache once proven </code></pre> </div> <p><strong>Critical for bursts:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1000 browser clients log in simultaneously ↓ Their tokens start cold (frequency=0) ↓ Buffer holds them while they accumulate hits ↓ Once they've proven frequency → graduate to main cache </code></pre> </div> <h3> 🎛️ MaxCost </h3> <p><strong>What it controls:</strong> Memory-bounded eviction</p> <p><strong>When it matters:</strong> Variable-sized cache entries<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Scenario 1: Uniform token size ├─ Most JWTs: ~500 bytes ├─ MaxCost = 100k tokens × 500 bytes = 50 MB └─ Simple: count-based eviction works fine Scenario 2: Variable token size + metadata ├─ Small JWT: 300 bytes ├─ JWT + user roles: 2 KB ├─ JWT + org context: 10 KB ├─ MaxCost = 50 MB total budget └─ Cost-based eviction keeps memory bounded (might cache 100k small tokens OR 5k large ones) </code></pre> </div> <p>For most auth caches, token size is uniform, so MaxCost is just <code>token_count × avg_size</code>. But if you're caching metadata with each token, costs matter.</p> <h2> What TinyLFU Does Not Guarantee ⚠️ </h2> <h3> ❌ Eventual Consistency of <code>Set</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your code: cache.Set("token123", verifiedJWT) value := cache.Get("token123") // Might be nil! Why? Admission can fail. </code></pre> </div> <p>TinyLFU might drop your <code>Set</code> on the floor if admission fails. This is <strong>by design</strong> a tradeoff for resilience.</p> <p><strong>In practice, this doesn't matter for auth:</strong></p> <ul> <li>JWTs are ephemeral</li> <li>Verification is deterministic</li> <li>If a token misses cache → verify it → return response</li> <li>User doesn't know the difference</li> <li>Over a few seconds, hot tokens accumulate frequency and stabilize</li> </ul> <p>The system converges to the right steady state. ✅</p> <h3> 📊 Approximate Counts </h3> <p>Count-Min Sketch uses hash collisions:</p> <ul> <li>Counts can be <strong>overestimated</strong> </li> <li>Counts are <strong>never underestimated</strong> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>True frequency: 100 Reported frequency: 105 or 110 (due to collision) Impact: None └─ You're making relative comparisons └─ Error is small and consistent └─ Doesn't affect admission quality </code></pre> </div> <h3> ⏰ No Explicit TTL Tracking </h3> <p>TinyLFU doesn't track TTLs that happens independently.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Your auth cache setup: ├─ TinyLFU: controls admission + frequency-based eviction └─ TTL: handles expiration (20 min = JWT lifetime) Result: ├─ Tokens naturally age out via TTL └─ TinyLFU ensures what stays cached is worth keeping </code></pre> </div> <p><strong>How to tell if you need it:</strong></p> <p>Have you ever seen your cache hit rate drop during traffic bursts, despite having enough memory? That's LRU churning under cold traffic. TinyLFU fixes it. 🔧</p> <h2> Final Mental Model 🧠 </h2> <p>Think of TinyLFU as a <strong>nightclub bouncer</strong>. 🕴️</p> <h3> LRU Bouncer 👎 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Policy: Let everyone in, kick out whoever's been standing around longest Bus of tourists arrives ↓ All tourists get in ↓ Regulars get kicked out to make room ↓ Tourists leave after 5 minutes ↓ Regulars are outside ↓ Club full of strangers who don't want to be there </code></pre> </div> <h3> TinyLFU Bouncer 👍 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Policy: Check how many times you've visited this month Regulars get in. Tourists stay out. Bus of tourists arrives ↓ Bouncer checks visit history: ├─ Regulars: 50+ visits → Come in ✅ └─ Tourists: 0 visits → Sorry, no room ❌ ↓ Even if there's technically space, letting tourists in means kicking out regulars ↓ Club stays full of people who actually want to be there </code></pre> </div> <h3> For a JWT Auth Cache 🔐 </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔥 "Regulars" = Active user sessions, service accounts ❄️ "Tourists" = One-off tokens, batch jobs, scanner garbage TinyLFU keeps regulars in and tourists out. </code></pre> </div> <p><strong>The result:</strong></p> <ul> <li>✅ Stable hit rates</li> <li>✅ Predictable CPU usage</li> <li>✅ Cache does what you wanted: keep hot stuff hot, let cold stuff stay cold</li> </ul> <h2> TL;DR 📝 </h2> <p>TinyLFU isn't magic. It's a policy that matches the reality of how traffic actually behaves.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LRU: Designed for workloads where recency = value TinyLFU: Designed for workloads where frequency = value </code></pre> </div> <p>In modern high-throughput systems, <strong>frequency equals value</strong>. TinyLFU makes that tradeoff explicit, and your cache gets better as a result.</p> <p>If you're running an auth service at scale, it's worth the switch. 🚀</p> <p><strong>Further Reading:</strong></p> <ul> <li>📄 Original TinyLFU paper: "TinyLFU: A Highly Efficient Cache Admission Policy"</li> <li>🔧 Popular implementation: <code>github.com/dgraph-io/ristretto</code> </li> <li>📊 Count-Min Sketch: The probabilistic data structure behind frequency tracking</li> </ul> algorithms security performance architecture The Delete Button Dilemma: When to Soft Delete vs Hard Delete Akarshan Gandotra Mon, 24 Nov 2025 07:33:15 +0000 https://forem.com/akarshan/the-delete-button-dilemma-when-to-soft-delete-vs-hard-delete-3a0i https://forem.com/akarshan/the-delete-button-dilemma-when-to-soft-delete-vs-hard-delete-3a0i <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lg29emcudhkjtyetlrn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4lg29emcudhkjtyetlrn.png" alt=" " width="800" height="533"></a></p> <p>Every developer has been there. You're building a feature, the user clicks "delete," and you pause. Should this record actually disappear from the database, or should you just mark it as deleted? It seems like a simple question, but get it wrong and you'll either compromise user privacy, break your analytics, or wake up to a panicked Slack message about accidentally deleted data that's gone forever.</p> <p>Let me save you from those 2 AM emergencies.</p> <h2> The Tale of Two Deletes </h2> <p><strong>Soft delete</strong> means you're not really deleting anything. You're marking a record with a <code>deleted_at</code> timestamp or an <code>is_deleted</code> flag, then hiding it from normal queries. The data stays in your database, living its best ghost life.</p> <p><strong>Hard delete</strong> is the real deal. Execute that SQL DELETE statement and the record is gone. Unless you've got backups (and please tell me you have backups), there's no coming back from this.</p> <h2> When Soft Deletes Save Your Day </h2> <p>Here’s the thing. In many systems, deleting data feels straightforward. Something’s no longer needed, so you remove it permanently. Clean and simple.</p> <p>Until it isn’t.</p> <p>Picture a company that manages a product catalog. Users can delete products that are discontinued. The team implemented hard delete because it felt efficient.</p> <p>Fast forward a few months. The analytics team tries to generate annual revenue reports. Suddenly, every past order linked to a deleted product starts showing up as "Unknown." Historical reports break. Finance panics. Leadership demands answers. The engineering team scrambles to restore data from backups, patch broken queries, and rebuild what used to work.</p> <p>All because they chose hard delete without thinking about long-term consequences.</p> <p>Soft delete would have preserved history, maintained referential integrity, and saved everyone a lot of pain.</p> <p>What this really means is: sometimes the data you think you’ll never need again becomes the data you desperately need later. Soft delete keeps the door open. Hard delete slams it shut.</p> <p><strong>Use soft deletes when:</strong></p> <h3> 1. Money is Involved </h3> <p>Anything touching financial transactions should probably stick around. Tax audits don't care that you deleted that invoice three years ago, they want to see it. Orders, invoices, payment records, subscription history... soft delete all of it. Your accountant will thank you.</p> <h3> 2. You Need to Tell a Story </h3> <p>Analytics and business intelligence thrive on historical data. If you're trying to understand why customer churn increased last quarter, you need to see those deleted accounts. If you're analyzing which products perform best, you need the full lifecycle (including when they were discontinued).</p> <h3> 3. Relationships Matter </h3> <p>Your database is a web of relationships. When a user deletes their account, you've got comments, posts, orders, reviews, and a dozen other records pointing to that user. Hard delete the user and suddenly you've got orphaned records everywhere.</p> <p>Soft deletes preserve referential integrity. The data relationships stay intact, your foreign keys don't break, and you can still run joins without your queries exploding.</p> <h3> 4. Oops, Can I Have That Back? </h3> <p>Users delete things by accident. Constantly. If you've ever worked in customer support, you know the pain of "I deleted my account/post/file by mistake, can you restore it?"</p> <p>With soft deletes, you're a hero who recovers their data in seconds. With hard deletes, you're digging through backups (if you're lucky) or delivering bad news (if you're not).</p> <h2> When Hard Deletes Are Non-Negotiable </h2> <p>But here's the thing: soft deletes aren't always the answer. Sometimes they're actually the wrong choice legally, ethically, and practically.</p> <h3> 1. Privacy Laws Aren't Suggestions </h3> <p>Let’s break it down. There are situations where soft delete is absolutely the wrong choice, and privacy regulations are at the top of that list.</p> <p>Consider global data protection laws like GDPR in Europe or CCPA in California. They include a legally enforceable right to erasure. When someone requests their personal data to be removed, regulators expect that data to be truly gone (not just flagged as inactive in a table).</p> <p>Some organizations assumed a soft delete was enough and kept the data sitting quietly in the database. Then came audits. Regulators discovered that “deleted” records were still accessible internally. The penalties that followed were painful, both financially and reputationally.</p> <p>The lesson here: compliance isn’t optional, and soft delete won’t save you when the law requires complete removal. When privacy is on the line, hard delete is the only correct answer.</p> <h3> 2. Security Isn't Negotiable </h3> <p>Authentication tokens, session data, password reset codes this stuff needs to actually disappear. Soft deleting a compromised password or an expired auth token is a security vulnerability waiting to happen.</p> <p>Same goes for credit card data. PCI-DSS compliance requires that you don't store card data longer than necessary. "Soft deleted" card numbers are still stored card numbers. That's a compliance violation and a security risk.</p> <h3> 3. Your Database Isn't Infinite </h3> <p>Early-stage startups often soft delete everything because it's easier and safer. Fast forward two years: their database is 80% soft-deleted records, queries are slow, backups take forever, and storage costs are through the roof.</p> <h3> 4. Some Data Is Just Temporary </h3> <p>Shopping cart items, temporary file uploads, notification read status this is ephemeral data. It exists to serve an immediate purpose, then it's done. There's no business value in keeping soft-deleted shopping cart items from three years ago. Just actually delete them.</p> <h2> The Hybrid Approach: Best of Both Worlds </h2> <p>Here's what I recommend for most applications: <strong>two-stage deletion</strong>.</p> <p>When a user clicks delete:</p> <ol> <li> <strong>Soft delete immediately</strong> - Mark it as deleted, hide it from the UI</li> <li> <strong>Grace period</strong> - Keep it recoverable for 30-90 days</li> <li> <strong>Hard delete automatically</strong> - Purge old soft-deletes with a scheduled job</li> </ol> <p>This gives you:</p> <ul> <li>Instant recovery for accidental deletions</li> <li>Time for users to change their minds</li> <li>Analytics on recently deleted items</li> <li>Eventual compliance with privacy laws</li> <li>Controlled database growth</li> </ul> <p>We implemented this for a social media platform. Users could delete posts, which were soft deleted for 30 days. During that period, they could undo the deletion. After 30 days, a nightly job permanently removed posts deleted more than 30 days ago. Accidental deletion complaints dropped to nearly zero, and we stayed compliant with privacy regulations.</p> <h2> A Real Decision Tree </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5llsj8uhtbpg3528tv3c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5llsj8uhtbpg3528tv3c.png" alt=" " width="800" height="670"></a></p> <h2> Implementation Tips That'll Save You Headaches </h2> <p>If you're implementing soft deletes:</p> <p><strong>Use timestamps, not booleans.</strong> <code>deleted_at</code> is better than <code>is_deleted</code> because you automatically capture when deletion happened. NULL means active, timestamp means deleted. Simple.</p> <p><strong>Index that column.</strong> You'll be filtering on it constantly. <code>WHERE deleted_at IS NULL</code> should be fast.</p> <p><strong>Create a database view</strong> for active records. Instead of every query needing <code>WHERE deleted_at IS NULL</code>, create a view or base filter that filters it automatically.</p> <p><strong>Be consistent.</strong> If you're soft deleting users, soft delete everything related to users. Mixing approaches in related tables is a recipe for confusion and bugs.</p> <p><strong>Don't forget to cascade.</strong> When soft deleting a parent record, decide whether children should also be soft deleted. An active comment on a deleted post creates awkward edge cases.</p> <h2> The Bottom Line </h2> <p>There's no one-size-fits-all answer. Soft deletes are powerful for business data, analytics, and preventing mistakes. Hard deletes are essential for privacy, security, and keeping your database lean.</p> <p>Most applications need both. The key is being deliberate about which deletion strategy serves each type of data best.</p> <p>And whatever you choose, document it. Future you (or the developer who inherits your code) will want to know why customer accounts are soft deleted but session tokens are hard deleted.</p> <p>Trust me on this one. I've been the developer digging through undocumented deletion logic at midnight, trying to figure out why some data disappeared and other data didn't. Don't be the person who creates that mystery.</p> <p><em>What's your deletion strategy? Have you been burned by choosing the wrong one? I'd love to hear your war stories in the comments.</em></p> architecture database designpatterns Implementing Multitenancy in Auth0 Using Organizations: A Complete Guide Akarshan Gandotra Wed, 12 Nov 2025 10:18:42 +0000 https://forem.com/akarshan/implementing-multitenancy-in-auth0-using-organizations-a-complete-guide-433c https://forem.com/akarshan/implementing-multitenancy-in-auth0-using-organizations-a-complete-guide-433c <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcywy7j93inn6xb7t9dwh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcywy7j93inn6xb7t9dwh.png" alt=" " width="800" height="800"></a></p> <h2> Introduction </h2> <h3> What is Multitenancy? </h3> <p>Multitenancy is an architectural pattern where a single instance of software serves multiple customers (tenants). Each tenant's data and configuration remain isolated from others, creating the illusion of having their own dedicated system. For SaaS applications, multitenancy is essential for scalability, cost-efficiency, and maintaining separate customer environments.</p> <h3> The Challenge </h3> <p>When building modern SaaS applications, you often face complex authentication requirements:</p> <ul> <li> <strong>Tenant Isolation</strong>: Different organizations need separate user pools and authentication policies</li> <li> <strong>Flexible Authentication</strong>: Each organization may require different login methods (social, enterprise SSO, username/password)</li> <li> <strong>Branding</strong>: Organizations want customized login experiences reflecting their brand</li> <li> <strong>Security</strong>: Strict isolation between tenants to prevent data leakage</li> <li> <strong>Scalability</strong>: Managing hundreds or thousands of organizations without infrastructure overhead</li> </ul> <h3> Why Auth0 Organizations? </h3> <p>Auth0 Organizations provide a native solution for multitenancy within a single Auth0 tenant. Instead of creating multiple Auth0 tenants (expensive and hard to manage) or building custom isolation logic, Organizations offer:</p> <ul> <li> <strong>Built-in tenant isolation</strong> with proper security boundaries</li> <li> <strong>Flexible connection management</strong> per organization</li> <li> <strong>Simplified user management</strong> with organization membership</li> <li> <strong>Customizable branding</strong> for each organization</li> <li> <strong>Single infrastructure</strong> to manage, reducing operational complexity</li> </ul> <h2> Architecture Overview </h2> <p>Auth0 Organizations create logical groupings within your Auth0 tenant. Each organization acts as an isolated container for users and authentication methods, while sharing the underlying Auth0 infrastructure.</p> <h3> High-Level Architecture </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9exx48nhe2xomvypa7ky.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9exx48nhe2xomvypa7ky.png" alt=" " width="800" height="155"></a></p> <h3> Key Components </h3> <ol> <li> <strong>Auth0 Tenant</strong>: Your main Auth0 account</li> <li> <strong>Organizations</strong>: Logical containers representing each customer/tenant</li> <li> <strong>Connections</strong>: Authentication methods (database, social, enterprise) available to organizations</li> <li> <strong>Users</strong>: Individuals who belong to one or more organizations</li> <li> <strong>Applications</strong>: Your SaaS app(s) that authenticate users</li> </ol> <h3> Benefits Over Alternative Approaches </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td><strong>Multiple Auth0 Tenants</strong></td> <td>Complete isolation</td> <td>Expensive, complex management, no shared infrastructure</td> </tr> <tr> <td><strong>Single Tenant + Custom Logic</strong></td> <td>Full control</td> <td>Security risks, maintenance burden, reinventing the wheel</td> </tr> <tr> <td><strong>Auth0 Organizations</strong></td> <td>Native isolation, scalable, flexible, cost-effective</td> <td>Requires proper implementation, learning curve</td> </tr> </tbody> </table></div> <h2> Implementation Steps </h2> <h3> Step 1: Creating Machine-to-Machine (M2M) Application </h3> <p>Machine-to-Machine applications enable your backend services to interact with Auth0 Management API programmatically. This is essential for automating organization creation, user management, and configuration.</p> <h4> What are M2M Applications? </h4> <p>M2M applications use the OAuth 2.0 Client Credentials flow to obtain access tokens without user interaction. They authenticate using a Client ID and Client Secret, making them perfect for server-to-server communication.</p> <h4> Creating an M2M Application </h4> <p><strong>Via Auth0 Dashboard:</strong></p> <ol> <li>Navigate to <strong>Auth0 Dashboard</strong> → <strong>Applications</strong> → <strong>Applications</strong> </li> <li>Click <strong>Create Application</strong> </li> <li>Enter application name (e.g., "Organization Management Service")</li> <li>Select <strong>Machine to Machine Applications</strong> </li> <li>Choose the <strong>Auth0 Management API</strong> as the authorized API</li> <li>Select required scopes: <ul> <li><code>read:organizations</code></li> <li><code>create:organizations</code></li> <li><code>update:organizations</code></li> <li><code>delete:organizations</code></li> <li><code>read:organization_members</code></li> <li><code>create:organization_members</code></li> <li><code>read:organization_connections</code></li> <li><code>create:organization_connections</code></li> <li><code>update:organization_connections</code></li> <li><code>read:connections</code></li> </ul> </li> <li>Click <strong>Authorize</strong> </li> </ol> <p><strong>Obtaining Credentials:</strong></p> <p>After creation, navigate to the application's <strong>Settings</strong> tab to find:</p> <ul> <li> <strong>Client ID</strong>: Public identifier for your M2M application</li> <li> <strong>Client Secret</strong>: Secret key (keep this secure!)</li> <li> <strong>Domain</strong>: Your Auth0 domain (e.g., <code>your-tenant.auth0.com</code>)</li> </ul> <h4> M2M Authentication Flow </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sequenceDiagram participant App as Your Backend Service participant Auth0 as Auth0 Token Endpoint participant API as Auth0 Management API App-&gt;&gt;Auth0: POST /oauth/token&lt;br/&gt;(client_id, client_secret, audience) Auth0-&gt;&gt;Auth0: Validate credentials Auth0--&gt;&gt;App: Access Token (JWT) App-&gt;&gt;API: API Request&lt;br/&gt;(Authorization: Bearer {token}) API-&gt;&gt;API: Validate token API--&gt;&gt;App: API Response </code></pre> </div> <h4> Example: Authenticating with M2M Credentials </h4> <p><strong>Python:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="kn">import</span> <span class="n">os</span> <span class="k">def</span> <span class="nf">get_management_api_token</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Obtain an access token for Auth0 Management API </span><span class="sh">"""</span> <span class="n">auth0_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_DOMAIN</span><span class="sh">'</span><span class="p">)</span> <span class="n">client_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_M2M_CLIENT_ID</span><span class="sh">'</span><span class="p">)</span> <span class="n">client_secret</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_M2M_CLIENT_SECRET</span><span class="sh">'</span><span class="p">)</span> <span class="n">token_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/oauth/token</span><span class="sh">'</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">client_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">client_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">client_secret</span><span class="sh">'</span><span class="p">:</span> <span class="n">client_secret</span><span class="p">,</span> <span class="sh">'</span><span class="s">audience</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/api/v2/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">grant_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">client_credentials</span><span class="sh">'</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">token_url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()[</span><span class="sh">'</span><span class="s">access_token</span><span class="sh">'</span><span class="p">]</span> <span class="c1"># Usage </span><span class="n">token</span> <span class="o">=</span> <span class="nf">get_management_api_token</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Access token obtained: </span><span class="si">{</span><span class="n">token</span><span class="p">[</span><span class="si">:</span><span class="mi">20</span><span class="p">]</span><span class="si">}</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Step 2: Creating Organizations and Linking Login Methods </h3> <p>Organizations are the core entities that represent your tenants. Each organization can have its own set of enabled authentication connections, branding, and metadata.</p> <h4> Understanding Auth0 Organizations </h4> <p>An organization in Auth0 represents a group of users who share common access to applications. Key properties include:</p> <ul> <li> <strong>Organization ID</strong>: Unique identifier (e.g., <code>org_abc123xyz</code>)</li> <li> <strong>Display Name</strong>: Human-readable name shown to users</li> <li> <strong>Enabled Connections</strong>: Authentication methods available for this organization</li> <li> <strong>Metadata</strong>: Custom key-value pairs for your application logic</li> <li> <strong>Branding</strong>: Colors, logos, and styling for login pages</li> </ul> <h4> Creating Organizations </h4> <p><strong>Via Auth0 Dashboard (Manual):</strong></p> <ol> <li>Navigate to <strong>Organizations</strong> in the Auth0 Dashboard</li> <li>Click <strong>Create Organization</strong> </li> <li>Enter <strong>Organization Name</strong> and <strong>Display Name</strong> </li> <li>(Optional) Add metadata</li> <li>Click <strong>Create</strong> </li> </ol> <p><strong>Via Management API (Programmatic):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="k">def</span> <span class="nf">create_organization</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">display_name</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Create a new organization in Auth0 </span><span class="sh">"""</span> <span class="n">auth0_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_DOMAIN</span><span class="sh">'</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/api/v2/organizations</span><span class="sh">'</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span> <span class="p">}</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="c1"># Must be unique, URL-friendly </span> <span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">:</span> <span class="n">display_name</span><span class="p">,</span> <span class="sh">'</span><span class="s">metadata</span><span class="sh">'</span><span class="p">:</span> <span class="n">metadata</span> <span class="ow">or</span> <span class="p">{}</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">org</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Organization created: </span><span class="si">{</span><span class="n">org</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">org</span> <span class="c1"># Usage </span><span class="n">token</span> <span class="o">=</span> <span class="nf">get_management_api_token</span><span class="p">()</span> <span class="n">org</span> <span class="o">=</span> <span class="nf">create_organization</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">'</span><span class="s">acme-corp</span><span class="sh">'</span><span class="p">,</span> <span class="n">display_name</span><span class="o">=</span><span class="sh">'</span><span class="s">Acme Corporation</span><span class="sh">'</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="p">{</span> <span class="sh">'</span><span class="s">plan</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">enterprise</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">industry</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">technology</span><span class="sh">'</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h4> Linking Authentication Connections </h4> <p>Connections define how users authenticate. Auth0 supports:</p> <ol> <li> <strong>Database Connections</strong>: Username/password authentication</li> <li> <strong>Social Connections</strong>: Google, Microsoft, Facebook, LinkedIn, etc.</li> <li> <strong>Enterprise Connections</strong>: SAML, OIDC, ADFS, Azure AD, etc.</li> </ol> <p><strong>Enabling Connections for an Organization:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">enable_connection_for_org</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">org_id</span><span class="p">,</span> <span class="n">connection_id</span><span class="p">,</span> <span class="n">assign_membership_on_login</span><span class="o">=</span><span class="bp">True</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Enable an authentication connection for an organization </span><span class="sh">"""</span> <span class="n">auth0_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_DOMAIN</span><span class="sh">'</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/api/v2/organizations/</span><span class="si">{</span><span class="n">org_id</span><span class="si">}</span><span class="s">/enabled_connections</span><span class="sh">'</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Content-Type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">application/json</span><span class="sh">'</span> <span class="p">}</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">connection_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">connection_id</span><span class="p">,</span> <span class="sh">'</span><span class="s">assign_membership_on_login</span><span class="sh">'</span><span class="p">:</span> <span class="n">assign_membership_on_login</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="c1"># Enable Google Social connection </span><span class="nf">enable_connection_for_org</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="sh">'</span><span class="s">org_abc123xyz</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">con_google123</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Enable Database connection </span><span class="nf">enable_connection_for_org</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="sh">'</span><span class="s">org_abc123xyz</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">con_database456</span><span class="sh">'</span><span class="p">)</span> </code></pre> </div> <p><strong>Getting Available Connections:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_connections</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Retrieve all available connections </span><span class="sh">"""</span> <span class="n">auth0_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_DOMAIN</span><span class="sh">'</span><span class="p">)</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/api/v2/connections</span><span class="sh">'</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">Authorization</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Bearer </span><span class="si">{</span><span class="n">token</span><span class="si">}</span><span class="sh">'</span> <span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">connections</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">for</span> <span class="n">conn</span> <span class="ow">in</span> <span class="n">connections</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Connection: </span><span class="si">{</span><span class="n">conn</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (ID: </span><span class="si">{</span><span class="n">conn</span><span class="p">[</span><span class="sh">'</span><span class="s">id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">, Strategy: </span><span class="si">{</span><span class="n">conn</span><span class="p">[</span><span class="sh">'</span><span class="s">strategy</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">connections</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdrj5simuli6oja2xq24z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdrj5simuli6oja2xq24z.png" alt=" " width="800" height="639"></a></p> <h3> Step 3: User Authentication with Organization Context </h3> <p>The final step is directing users to authenticate within the context of their organization. This ensures they only see login methods available to their organization and that tokens include organization information.</p> <h4> The /authorize Endpoint </h4> <p>Auth0's <code>/authorize</code> endpoint initiates the authentication flow. When you include the <code>organization</code> parameter, Auth0:</p> <ol> <li>Filters available login methods to only those enabled for that organization</li> <li>Includes organization claims in the returned tokens</li> <li>Applies organization-specific branding (if configured)</li> </ol> <h4> Building the Authentication URL </h4> <p><strong>Required Parameters:</strong></p> <ul> <li> <code>organization</code>: The organization ID (e.g., <code>org_abc123xyz</code>)</li> <li> <code>client_id</code>: Your application's Client ID</li> <li> <code>redirect_uri</code>: Where Auth0 redirects after authentication</li> <li> <code>response_type</code>: Typically <code>code</code> for authorization code flow</li> <li> <code>scope</code>: Requested scopes (e.g., <code>openid profile email</code>)</li> </ul> <p><strong>Example Authentication URL:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://your-tenant.auth0.com/authorize ?organization=org_abc123xyz &amp;client_id=your_app_client_id &amp;redirect_uri=https://yourapp.com/callback &amp;response_type=code &amp;scope=openid profile email &amp;state=random_state_value </code></pre> </div> <h4> Complete Authentication Flow </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F510ir0671wtm2nf1tlcg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F510ir0671wtm2nf1tlcg.png" alt=" " width="800" height="796"></a></p> <h4> Implementation Example </h4> <p><strong>Python (Flask):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">url_for</span> <span class="kn">from</span> <span class="n">authlib.integrations.flask_client</span> <span class="kn">import</span> <span class="n">OAuth</span> <span class="kn">import</span> <span class="n">os</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">Flask</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">FLASK_SECRET_KEY</span><span class="sh">'</span><span class="p">)</span> <span class="n">oauth</span> <span class="o">=</span> <span class="nc">OAuth</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="n">auth0</span> <span class="o">=</span> <span class="n">oauth</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span> <span class="sh">'</span><span class="s">auth0</span><span class="sh">'</span><span class="p">,</span> <span class="n">client_id</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_CLIENT_ID</span><span class="sh">'</span><span class="p">),</span> <span class="n">client_secret</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_CLIENT_SECRET</span><span class="sh">'</span><span class="p">),</span> <span class="n">api_base_url</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AUTH0_DOMAIN</span><span class="sh">"</span><span class="p">)</span><span class="si">}</span><span class="sh">'</span><span class="p">,</span> <span class="n">access_token_url</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AUTH0_DOMAIN</span><span class="sh">"</span><span class="p">)</span><span class="si">}</span><span class="s">/oauth/token</span><span class="sh">'</span><span class="p">,</span> <span class="n">authorize_url</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">AUTH0_DOMAIN</span><span class="sh">"</span><span class="p">)</span><span class="si">}</span><span class="s">/authorize</span><span class="sh">'</span><span class="p">,</span> <span class="n">client_kwargs</span><span class="o">=</span><span class="p">{</span><span class="sh">'</span><span class="s">scope</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">openid profile email</span><span class="sh">'</span><span class="p">}</span> <span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/login/&lt;org_id&gt;</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">org_id</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Initiate login for a specific organization </span><span class="sh">"""</span> <span class="c1"># Store org_id in session for validation later </span> <span class="n">session</span><span class="p">[</span><span class="sh">'</span><span class="s">expected_org_id</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="n">org_id</span> <span class="k">return</span> <span class="n">auth0</span><span class="p">.</span><span class="nf">authorize_redirect</span><span class="p">(</span> <span class="n">redirect_uri</span><span class="o">=</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">'</span><span class="s">callback</span><span class="sh">'</span><span class="p">,</span> <span class="n">_external</span><span class="o">=</span><span class="bp">True</span><span class="p">),</span> <span class="n">organization</span><span class="o">=</span><span class="n">org_id</span> <span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/callback</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">callback</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Handle the Auth0 callback </span><span class="sh">"""</span> <span class="c1"># Exchange authorization code for tokens </span> <span class="n">token</span> <span class="o">=</span> <span class="n">auth0</span><span class="p">.</span><span class="nf">authorize_access_token</span><span class="p">()</span> <span class="c1"># Get user info from ID token </span> <span class="n">user_info</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">userinfo</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Validate organization </span> <span class="n">org_id</span> <span class="o">=</span> <span class="n">user_info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">org_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">expected_org_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">expected_org_id</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">org_id</span> <span class="o">!=</span> <span class="n">expected_org_id</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">Organization mismatch!</span><span class="sh">"</span><span class="p">,</span> <span class="mi">403</span> <span class="c1"># Store user session </span> <span class="n">session</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">:</span> <span class="n">user_info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">org_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">org_id</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="sh">'</span><span class="s">/dashboard</span><span class="sh">'</span><span class="p">)</span> <span class="nd">@app.route</span><span class="p">(</span><span class="sh">'</span><span class="s">/dashboard</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">dashboard</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Protected route - requires authentication </span><span class="sh">"""</span> <span class="k">if</span> <span class="sh">'</span><span class="s">user</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">session</span><span class="p">:</span> <span class="k">return</span> <span class="nf">redirect</span><span class="p">(</span><span class="nf">url_for</span><span class="p">(</span><span class="sh">'</span><span class="s">login</span><span class="sh">'</span><span class="p">,</span> <span class="n">org_id</span><span class="o">=</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">))</span> <span class="n">user</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="sh">'</span><span class="s">user</span><span class="sh">'</span><span class="p">]</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Welcome </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> from organization </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">org_id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">!</span><span class="sh">"</span> </code></pre> </div> <h4> Extracting Organization Information from Tokens </h4> <p>After successful authentication, the ID token will contain organization claims:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auth0|123456789"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"John Doe"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"org_abc123xyz"</span><span class="p">,</span><span class="w"> </span><span class="nl">"org_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Acme Corporation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1635360000</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1635363600</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Token Validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">jwt</span> <span class="kn">from</span> <span class="n">jwt</span> <span class="kn">import</span> <span class="n">PyJWKClient</span> <span class="k">def</span> <span class="nf">validate_token</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">expected_org_id</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Validate JWT token and verify organization claim </span><span class="sh">"""</span> <span class="n">auth0_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_DOMAIN</span><span class="sh">'</span><span class="p">)</span> <span class="n">jwks_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/.well-known/jwks.json</span><span class="sh">'</span> <span class="c1"># Get signing key </span> <span class="n">jwks_client</span> <span class="o">=</span> <span class="nc">PyJWKClient</span><span class="p">(</span><span class="n">jwks_url</span><span class="p">)</span> <span class="n">signing_key</span> <span class="o">=</span> <span class="n">jwks_client</span><span class="p">.</span><span class="nf">get_signing_key_from_jwt</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="c1"># Decode and verify token </span> <span class="n">payload</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">signing_key</span><span class="p">.</span><span class="n">key</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="sh">'</span><span class="s">RS256</span><span class="sh">'</span><span class="p">],</span> <span class="n">audience</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">'</span><span class="s">AUTH0_CLIENT_ID</span><span class="sh">'</span><span class="p">),</span> <span class="n">issuer</span><span class="o">=</span><span class="sa">f</span><span class="sh">'</span><span class="s">https://</span><span class="si">{</span><span class="n">auth0_domain</span><span class="si">}</span><span class="s">/</span><span class="sh">'</span> <span class="p">)</span> <span class="c1"># Verify organization claim </span> <span class="k">if</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">org_id</span><span class="sh">'</span><span class="p">)</span> <span class="o">!=</span> <span class="n">expected_org_id</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Organization ID mismatch</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span> </code></pre> </div> <p>Additional Resources</p> <ul> <li>Auth0 Documentation: <a href="https://auth0.com/docs/manage-users/organizations" rel="noopener noreferrer">https://auth0.com/docs/manage-users/organizations</a> </li> <li>Management API Reference: <a href="https://auth0.com/docs/api/management/v2/organizations" rel="noopener noreferrer">https://auth0.com/docs/api/management/v2/organizations</a> </li> <li>Auth0 Community: <a href="https://community.auth0.com" rel="noopener noreferrer">https://community.auth0.com</a> </li> <li>GitHub Examples: Search for "auth0-organizations" for community examples</li> </ul> <p>Questions or need help? Join the Auth0 community forums or reach out to Auth0 support. Share your implementation experiences and help others building multitenant applications!</p> saas security tutorial architecture FastAPI: request.state vs Context Variables - When to Use What? 🚀 Akarshan Gandotra Wed, 30 Jul 2025 17:52:28 +0000 https://forem.com/akarshan/fastapi-requeststate-vs-context-variables-when-to-use-what-2c07 https://forem.com/akarshan/fastapi-requeststate-vs-context-variables-when-to-use-what-2c07 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zahw5bz5uedfsajh7wz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zahw5bz5uedfsajh7wz.png" alt=" " width="800" height="800"></a></p> <p>When building FastAPI applications, you'll often need to share data across different parts of your request lifecycle i.e. middleware, dependencies, and route handlers. FastAPI provides two primary mechanisms for this: <code>request.state</code> and context variables (contextvars). But when should you use each one?</p> <h2> Understanding request.state 📦 </h2> <p><code>request.state</code> is a simple namespace object attached to each FastAPI request. It's designed to store arbitrary data that needs to be shared during the processing of a single request.</p> <h3> Basic Usage 🔧 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span><span class="p">,</span> <span class="n">Depends</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_user_info</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Store data in request.state </span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">user_id</span> <span class="o">=</span> <span class="sh">"</span><span class="s">user_123</span><span class="sh">"</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">request_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_profile</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="c1"># Access data from request.state </span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">user_id</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">User profile</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Pros of request.state ✅ </h3> <ul> <li>✅ Simple and straightforward</li> <li>✅ Explicitly tied to the request object</li> <li>✅ Easy to understand and debug</li> <li>✅ No additional imports needed</li> <li>✅ Works well with dependency injection</li> </ul> <h3> Cons of request.state ❌ </h3> <ul> <li>❌ Requires passing the <code>Request</code> object around</li> <li>❌ Not accessible in deeply nested functions without explicit passing</li> <li>❌ Can become verbose in complex applications</li> </ul> <h2> Understanding Context Variables 🌍 </h2> <p>Context variables (contextvars) provide a way to store data that's automatically available throughout the execution context of a request, without explicitly passing it around.</p> <h3> Basic Usage 🚀 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">import</span> <span class="n">time</span> <span class="c1"># Define context variables </span><span class="n">user_id_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">'</span><span class="s">user_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">request_time_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">float</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">'</span><span class="s">request_time</span><span class="sh">'</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_user_info</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Set context variables </span> <span class="n">user_id_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sh">"</span><span class="s">user_123</span><span class="sh">"</span><span class="p">)</span> <span class="n">request_time_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/profile</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_profile</span><span class="p">():</span> <span class="c1"># Access context variables from anywhere </span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">user_id_var</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="n">request_time</span> <span class="o">=</span> <span class="n">request_time_var</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">request_time</span><span class="sh">"</span><span class="p">:</span> <span class="n">request_time</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">User profile</span><span class="sh">"</span> <span class="p">}</span> </code></pre> </div> <h3> Pros of Context Variables ✅ </h3> <ul> <li>✅ Available anywhere in the execution context</li> <li>✅ No need to pass request object around</li> <li>✅ Cleaner function signatures</li> <li>✅ Automatic cleanup after request completion</li> <li>✅ Thread-safe and async-safe</li> </ul> <h3> Cons of Context Variables ❌ </h3> <ul> <li>❌ Less explicit than request.state</li> <li>❌ Harder to debug and trace</li> <li>❌ Requires additional setup and imports</li> <li>❌ Can make testing more complex</li> </ul> <h2> Advanced Patterns 🎨 </h2> <h3> Using Context Variables with Dependencies 🔗 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="n">current_user_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="n">Optional</span><span class="p">[</span><span class="nb">dict</span><span class="p">]]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">'</span><span class="s">current_user</span><span class="sh">'</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_current_user</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">user</span> <span class="o">=</span> <span class="n">current_user_var</span><span class="p">.</span><span class="nf">get</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">User not authenticated</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">auth_middleware</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Simulate user authentication </span> <span class="n">token</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">authorization</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">token</span><span class="p">:</span> <span class="n">user</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">123</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">John Doe</span><span class="sh">"</span><span class="p">}</span> <span class="c1"># Simulate user lookup </span> <span class="n">current_user_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/protected</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">protected_route</span><span class="p">(</span><span class="n">user</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_current_user</span><span class="p">)):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Hello </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">!</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h3> Combining Both Approaches 🤝 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Request</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="c1"># Context var for request ID (global access) </span><span class="n">request_id_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">'</span><span class="s">request_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">request_middleware</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Generate request ID and store in both places </span> <span class="n">request_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="c1"># Store in context var for global access </span> <span class="n">request_id_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">request_id</span><span class="p">)</span> <span class="c1"># Store in request.state for explicit access </span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">request_id</span> <span class="o">=</span> <span class="n">request_id</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <h2> Performance Considerations ⚡ </h2> <h3> Memory Usage </h3> <ul> <li> <strong>request.state</strong>: Minimal overhead, data is garbage collected with the request 🗑️</li> <li> <strong>contextvars</strong>: Slightly higher overhead due to context management, but still very efficient 💪</li> </ul> <h2> When to Use What? 🤔 </h2> <h3> Use request.state when: </h3> <ul> <li>🎯 You want explicit, traceable data flow</li> <li>🎯 Building simple applications</li> <li>🎯 You're already passing Request objects around</li> <li>🎯 You need to store request-specific metadata</li> <li>🎯 Debugging and testing simplicity is important</li> </ul> <h3> Use context variables when: </h3> <ul> <li>🎯 You have deeply nested function calls</li> <li>🎯 You want cleaner function signatures</li> <li>🎯 Building complex applications with many layers</li> <li>🎯 You need global access to request-scoped data</li> <li>🎯 Working with third-party libraries that need access to request data</li> </ul> <h2> Real-World Example: Logging System 📝 </h2> <p>Here's how you might implement a request logging system with both approaches:</p> <h3> With Context Variables 🌐 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">contextvars</span> <span class="kn">import</span> <span class="n">ContextVar</span> <span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="n">request_id_var</span><span class="p">:</span> <span class="n">ContextVar</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">ContextVar</span><span class="p">(</span><span class="sh">'</span><span class="s">request_id</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">class</span> <span class="nc">RequestLogger</span><span class="p">:</span> <span class="nd">@staticmethod</span> <span class="k">def</span> <span class="nf">info</span><span class="p">(</span><span class="n">message</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">request_id</span> <span class="o">=</span> <span class="n">request_id_var</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[</span><span class="si">{</span><span class="n">request_id</span><span class="si">}</span><span class="s">] </span><span class="si">{</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">logging_middleware</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="n">request_id_var</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()))</span> <span class="n">RequestLogger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Request started: </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="si">}</span><span class="s"> </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">RequestLogger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Request completed: </span><span class="si">{</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/users/{user_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">RequestLogger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Fetching user </span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Your business logic here </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">}</span> </code></pre> </div> <h3> With request.state 📋 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="n">logger</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nf">getLogger</span><span class="p">(</span><span class="n">__name__</span><span class="p">)</span> <span class="k">def</span> <span class="nf">log_with_request_id</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">request_id</span> <span class="o">=</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">,</span> <span class="sh">'</span><span class="s">request_id</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">unknown</span><span class="sh">'</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[</span><span class="si">{</span><span class="n">request_id</span><span class="si">}</span><span class="s">] </span><span class="si">{</span><span class="n">message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/users/{user_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="nf">log_with_request_id</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Fetching user </span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Your business logic here </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">}</span> </code></pre> </div> <p><em>Have you used both approaches in your FastAPI projects? Share your experiences in the comments below! 👇</em></p> fastapi python webdev backend 🔌 Building Resilient Database Operations with Async SQLAlchemy + CircuitBreaker Akarshan Gandotra Mon, 14 Jul 2025 04:16:58 +0000 https://forem.com/akarshan/building-resilient-database-operations-with-aiobreaker-async-sqlalchemy-fastapi-23dl https://forem.com/akarshan/building-resilient-database-operations-with-aiobreaker-async-sqlalchemy-fastapi-23dl <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon8t8n5ekug1we2ytwbb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fon8t8n5ekug1we2ytwbb.png" alt=" " width="800" height="533"></a></p> <p>When building production applications, database failures are inevitable. Network issues, high load, or database maintenance can cause your application to hang or crash. The Circuit Breaker pattern provides an elegant solution to handle these failures gracefully while maintaining system stability. 🛡️</p> <h2> ⚡ What is the Circuit Breaker Pattern? </h2> <p>The Circuit Breaker pattern prevents your application from repeatedly attempting operations that are likely to fail. Just like an electrical circuit breaker, it monitors failures and "trips" when a threshold is reached, preventing further calls until the system recovers. 🔄</p> <h3> 🚦 Circuit Breaker States </h3> <ul> <li> <strong>🟢 Closed</strong>: Normal operation, requests flow through</li> <li> <strong>🔴 Open</strong>: Failures exceeded threshold, requests fail immediately</li> <li> <strong>🟡 Half-Open</strong>: Testing if the system has recovered</li> </ul> <h2> 🗄️ Why Use Circuit Breakers for Database Operations? </h2> <p>Database operations are particularly vulnerable to:</p> <ul> <li>⏰ Network timeouts</li> <li>🏊 Connection pool exhaustion </li> <li>📈 Database server overload</li> <li>🔧 Temporary unavailability during maintenance</li> </ul> <p>Without circuit breakers, your application might:</p> <ul> <li>💥 Exhaust connection pools</li> <li>🌊 Create cascading failures</li> <li>😤 Provide poor user experience with long timeouts</li> <li>💸 Waste resources on doomed operations</li> </ul> <h2> 🏗️ Implementation: Database Circuit Breaker in Python </h2> <p>Let's build a robust database layer with circuit breaker protection using SQLAlchemy and asyncio.</p> <h3> 🔧 Core Circuit Breaker Component </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aiobreaker</span> <span class="kn">import</span> <span class="n">CircuitBreaker</span><span class="p">,</span> <span class="n">CircuitBreakerError</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">timedelta</span> <span class="kn">import</span> <span class="n">logging</span> <span class="k">class</span> <span class="nc">DatabaseCircuitBreakerError</span><span class="p">(</span><span class="nb">Exception</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Custom exception for circuit breaker failures.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="bp">None</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">message</span> <span class="o">=</span> <span class="n">message</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">Database service is temporarily unavailable</span><span class="sh">"</span> <span class="n">self</span><span class="p">.</span><span class="n">error_code</span> <span class="o">=</span> <span class="sh">"</span><span class="s">DB_CIRCUIT_BREAKER_OPEN</span><span class="sh">"</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">message</span><span class="p">)</span> <span class="k">class</span> <span class="nc">DatabaseCircuitBreaker</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Circuit breaker for database operations.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">failure_threshold</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">5</span><span class="p">,</span> <span class="n">recovery_timeout</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">circuit_breaker</span> <span class="o">=</span> <span class="nc">CircuitBreaker</span><span class="p">(</span> <span class="n">fail_max</span><span class="o">=</span><span class="n">failure_threshold</span><span class="p">,</span> <span class="n">timeout_duration</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">recovery_timeout</span><span class="p">),</span> <span class="n">exclude</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="nf">_get_excluded_exceptions</span><span class="p">(),</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">_get_excluded_exceptions</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Exclude application errors, include infrastructure errors.</span><span class="sh">"""</span> <span class="nf">return </span><span class="p">(</span> <span class="n">IntegrityError</span><span class="p">,</span> <span class="c1"># Data validation errors </span> <span class="n">InvalidRequestError</span><span class="p">,</span> <span class="c1"># SQL syntax errors </span> <span class="nb">ValueError</span><span class="p">,</span> <span class="c1"># Application logic errors </span> <span class="nb">TypeError</span><span class="p">,</span> <span class="c1"># Programming errors </span> <span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">call</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">func</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">circuit_breaker</span><span class="p">.</span><span class="nf">call_async</span><span class="p">(</span><span class="n">func</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">except</span> <span class="n">CircuitBreakerError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">Circuit breaker is open, cannot execute database operation</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">DatabaseCircuitBreakerError</span><span class="p">()</span> <span class="k">from</span> <span class="n">e</span> </code></pre> </div> <h4> 🔧 Understanding Circuit Breaker Configuration </h4> <p>Let's break down the key parameters of the <code>CircuitBreaker</code> initialization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nc">CircuitBreaker</span><span class="p">(</span> <span class="n">fail_max</span><span class="o">=</span><span class="n">failure_threshold</span><span class="p">,</span> <span class="n">timeout_duration</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">recovery_timeout</span><span class="p">),</span> <span class="n">exclude</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="nf">_get_excluded_exceptions</span><span class="p">(),</span> <span class="p">)</span> </code></pre> </div> <p><strong><code>fail_max</code></strong> - The failure threshold that triggers the circuit breaker:</p> <ul> <li>After this many consecutive failures, the circuit breaker "trips" and opens</li> <li>Example: With <code>fail_max=5</code>, the circuit breaker opens after 5 database connection failures</li> </ul> <p><strong><code>timeout_duration</code></strong> - How long the circuit breaker stays open:</p> <ul> <li>When open, it waits this duration before testing recovery (half-open state)</li> <li>Example: With <code>timeout_duration=60</code>, it waits 60 seconds before retrying</li> </ul> <p><strong><code>exclude</code></strong> - Exceptions that should NOT count toward failures:</p> <ul> <li>These are "application errors" rather than infrastructure failures</li> <li>Infrastructure failures (network timeouts, connection refused) should trip the breaker</li> <li>Application failures (bad SQL, invalid data) should not trip the breaker</li> </ul> <h4> 🚦 Circuit Breaker State Flow </h4> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🟢 CLOSED (Normal operation) ↓ (5 consecutive failures) 🔴 OPEN (Blocking all requests) ↓ (60 seconds timeout) 🟡 HALF-OPEN (Testing recovery) ↓ (Success) → 🟢 CLOSED ↓ (Failure) → 🔴 OPEN </code></pre> </div> <h3> 🎯 Session Manager with Circuit Breaker </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">sqlalchemy.ext.asyncio</span> <span class="kn">import</span> <span class="n">create_async_engine</span><span class="p">,</span> <span class="n">async_sessionmaker</span><span class="p">,</span> <span class="n">AsyncSession</span> <span class="kn">from</span> <span class="n">contextlib</span> <span class="kn">import</span> <span class="n">asynccontextmanager</span> <span class="kn">import</span> <span class="n">asyncio</span> <span class="k">class</span> <span class="nc">SessionManager</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Database session manager with circuit breaker protection.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">session_factory</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">circuit_breaker</span> <span class="o">=</span> <span class="nc">DatabaseCircuitBreaker</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_initialized</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">self</span><span class="p">.</span><span class="n">_engine_lock</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">init_db</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Initialize database engine and session factory.</span><span class="sh">"""</span> <span class="k">async</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">_engine_lock</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_initialized</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># Database URL construction </span> <span class="n">database_url</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_build_database_url</span><span class="p">()</span> <span class="c1"># Create engine with optimized settings </span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span> <span class="o">=</span> <span class="nf">create_async_engine</span><span class="p">(</span> <span class="n">database_url</span><span class="p">,</span> <span class="n">pool_size</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">max_overflow</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="n">pool_pre_ping</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">pool_recycle</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span> <span class="n">pool_timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="n">connect_args</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">server_settings</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statement_timeout</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">5000</span><span class="sh">"</span> <span class="c1"># 5 second timeout </span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">session_factory</span> <span class="o">=</span> <span class="nf">async_sessionmaker</span><span class="p">(</span> <span class="n">bind</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">,</span> <span class="n">expire_on_commit</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">autoflush</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">class_</span><span class="o">=</span><span class="n">AsyncSession</span><span class="p">,</span> <span class="p">)</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_health_check</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_initialized</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Database initialized successfully</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_health_check</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Verify database connectivity.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">engine</span><span class="p">.</span><span class="nf">begin</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="nf">text</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT 1</span><span class="sh">"</span><span class="p">))</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Database health check passed</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Database health check failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Database health check failed: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">from</span> <span class="n">e</span> <span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Get a circuit breaker protected session.</span><span class="sh">"""</span> <span class="n">session</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">circuit_breaker</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_create_session</span><span class="p">)</span> <span class="n">protected_session</span> <span class="o">=</span> <span class="nc">CircuitBreakerSession</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">circuit_breaker</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">yield</span> <span class="n">protected_session</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">rollback</span><span class="p">()</span> <span class="n">logger</span><span class="p">.</span><span class="nf">exception</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Exception in DB session, rolling back: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">finally</span><span class="p">:</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_create_session</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">AsyncSession</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_initialized</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">init_db</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">session_factory</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Database session factory is not initialized.</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">session_factory</span><span class="p">()</span> </code></pre> </div> <h3> 🛡️ Protected Session Wrapper </h3> <p>The <code>CircuitBreakerSession</code> wraps the original SQLAlchemy session and applies circuit breaker protection to all database operations. This ensures that every database call goes through the circuit breaker, providing consistent protection across your application.</p> <h4> 🔍 Key Design Principles </h4> <p><strong>Selective Protection</strong>: Only async operations that can fail due to infrastructure issues are protected:</p> <ul> <li> <code>execute()</code> - Running SQL queries</li> <li> <code>commit()</code> - Persisting transactions </li> <li> <code>rollback()</code> - Reverting transactions</li> <li> <code>flush()</code> - Synchronizing with database</li> <li> <code>refresh()</code> - Reloading object state</li> </ul> <p><strong>Synchronous Operations</strong>: Methods like <code>add()</code> and <code>delete()</code> are not protected because they only modify in-memory state and don't communicate with the database until a flush/commit occurs.</p> <h4> 🏗️ Implementation Details </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CircuitBreakerSession</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Session wrapper that applies circuit breaker to all operations.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">session</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">circuit_breaker</span><span class="p">:</span> <span class="n">DatabaseCircuitBreaker</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_session</span> <span class="o">=</span> <span class="n">session</span> <span class="n">self</span><span class="p">.</span><span class="n">_circuit_breaker</span> <span class="o">=</span> <span class="n">circuit_breaker</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_closed</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">def</span> <span class="nf">_ensure_not_closed</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Prevent operations on closed sessions.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_is_closed</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">Session is already closed</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">execute</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">statement</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Execute statement with circuit breaker protection.</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_ensure_not_closed</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_execute</span><span class="p">():</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">statement</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_circuit_breaker</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">_execute</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">commit</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Commit transaction with circuit breaker protection.</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_ensure_not_closed</span><span class="p">()</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_circuit_breaker</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_session</span><span class="p">.</span><span class="n">commit</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">rollback</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Rollback transaction with circuit breaker protection.</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_ensure_not_closed</span><span class="p">()</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="n">_circuit_breaker</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_session</span><span class="p">.</span><span class="n">rollback</span><span class="p">)</span> <span class="c1"># Synchronous operations don't need circuit breaker </span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">instance</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Add object to session (in-memory only).</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_ensure_not_closed</span><span class="p">()</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_session</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="n">instance</span><span class="p">)</span> <span class="k">def</span> <span class="nf">delete</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">instance</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Mark object for deletion (in-memory only).</span><span class="sh">"""</span> <span class="n">self</span><span class="p">.</span><span class="nf">_ensure_not_closed</span><span class="p">()</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_session</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="n">instance</span><span class="p">)</span> </code></pre> </div> <h4> 🔄 How It Works </h4> <ol> <li> <strong>Wrapping Pattern</strong>: The session wrapper intercepts all method calls</li> <li> <strong>State Checking</strong>: Each method verifies the session isn't closed</li> <li> <strong>Selective Protection</strong>: Only async database operations get circuit breaker protection</li> <li> <strong>Transparent Interface</strong>: Behaves exactly like a regular SQLAlchemy session</li> <li> <strong>Error Propagation</strong>: Circuit breaker errors are raised when the breaker is open</li> </ol> <h2> 🚀 Usage with FastAPI </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="n">sessionmanager</span> <span class="o">=</span> <span class="nc">SessionManager</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="sh">"""</span><span class="s">FastAPI dependency for database sessions.</span><span class="sh">"""</span> <span class="k">async</span> <span class="k">with</span> <span class="n">sessionmanager</span><span class="p">.</span><span class="nf">get_session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> <span class="k">yield</span> <span class="n">session</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/users/{user_id}</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">db</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">)):</span> <span class="k">try</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">db</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="nf">select</span><span class="p">(</span><span class="n">User</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="n">User</span><span class="p">.</span><span class="nb">id</span> <span class="o">==</span> <span class="n">user_id</span><span class="p">)</span> <span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="nf">scalar_one_or_none</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">User not found</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">user</span> <span class="k">except</span> <span class="n">DatabaseCircuitBreakerError</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">503</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Database service temporarily unavailable</span><span class="sh">"</span> <span class="p">)</span> <span class="nd">@app.on_event</span><span class="p">(</span><span class="sh">"</span><span class="s">startup</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">startup</span><span class="p">():</span> <span class="k">await</span> <span class="n">sessionmanager</span><span class="p">.</span><span class="nf">init_db</span><span class="p">()</span> <span class="nd">@app.on_event</span><span class="p">(</span><span class="sh">"</span><span class="s">shutdown</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">shutdown</span><span class="p">():</span> <span class="k">await</span> <span class="n">sessionmanager</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> </code></pre> </div> <h2> ⚙️ Configuration Best Practices </h2> <h3> 🌍 Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Circuit breaker settings </span><span class="n">DB_CIRCUIT_BREAKER_FAILURE_THRESHOLD</span> <span class="o">=</span> <span class="mi">5</span> <span class="c1"># Trip after 5 failures </span><span class="n">DB_CIRCUIT_BREAKER_RECOVERY_TIMEOUT</span> <span class="o">=</span> <span class="mi">60</span> <span class="c1"># Wait 60 seconds before retry </span> <span class="c1"># Connection pool settings </span><span class="n">POOL_SIZE</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">MAX_OVERFLOW</span> <span class="o">=</span> <span class="mi">20</span> <span class="n">POOL_RECYCLE</span> <span class="o">=</span> <span class="mi">3600</span> <span class="n">POOL_TIMEOUT</span> <span class="o">=</span> <span class="mi">30</span> </code></pre> </div> <h2> ⚖️ Benefits and Trade-offs </h2> <h3> ✅ Benefits </h3> <ul> <li> <strong>🛡️ Improved resilience</strong>: Prevents cascading failures</li> <li> <strong>😊 Better user experience</strong>: Fast failure instead of timeouts</li> <li> <strong>🔐 Resource protection</strong>: Prevents connection pool exhaustion</li> <li> <strong>🔄 Automatic recovery</strong>: Tests system health periodically</li> </ul> <h3> ⚠️ Trade-offs </h3> <ul> <li> <strong>🔧 Added complexity</strong>: More moving parts to monitor</li> <li> <strong>❌ False positives</strong>: May block valid requests during recovery</li> <li> <strong>⚙️ Configuration overhead</strong>: Requires tuning for your workload</li> </ul> <h2> ✅ Demo Video </h2> <p> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExcmp5cTV0YTVlMHZuNWV0anZoM25uYnJoZmJ1OTV6cWhieDZlZjdncSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2FDqwOXZusmxig9ZlJ0v%2Fgiphy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fmedia2.giphy.com%2Fmedia%2Fv1.Y2lkPTc5MGI3NjExcmp5cTV0YTVlMHZuNWV0anZoM25uYnJoZmJ1OTV6cWhieDZlZjdncSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw%2FDqwOXZusmxig9ZlJ0v%2Fgiphy.gif" alt="Circuit Breaker Example" width="480" height="270"></a> </p> <h2> 🎯 Conclusion </h2> <p>The Circuit Breaker pattern is essential for building resilient database layers in production applications. By implementing circuit breakers around your database operations, you can:</p> <ul> <li>🚫 Prevent cascading failures</li> <li>💪 Improve system stability</li> <li>🎯 Provide better error handling</li> <li>🛡️ Protect system resources</li> </ul> <p>The implementation shown here provides a solid foundation that you can adapt to your specific needs. Remember to monitor circuit breaker behavior and tune the configuration based on your application's requirements. 📊</p> <p><em>What patterns do you use for database resilience in your applications? Share your experiences in the comments below!</em> 💬</p> aiobreaker sqlalchemy fastapi python Supercharging Your API Cache: A Deep Dive into Serialization Performance 🚀 Akarshan Gandotra Thu, 10 Jul 2025 08:16:38 +0000 https://forem.com/akarshan/supercharging-your-api-cache-a-deep-dive-into-serialization-performance-2if3 https://forem.com/akarshan/supercharging-your-api-cache-a-deep-dive-into-serialization-performance-2if3 <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsaq6u00n0ckqukiqgm14.png" alt=" " width="800" height="533"> </h2> <p><em>When milliseconds matter, choosing the right serialization format can make or break your application's performance.</em></p> <h2> The Performance Problem We All Face </h2> <p>Picture this: Your API is handling thousands of requests per second, and your cache is working overtime. But here's the catch – every time you serialize and deserialize data for caching, you're eating into precious microseconds that add up to real performance bottlenecks.</p> <p>As developers, we often default to JSON for caching without questioning whether it's the optimal choice. But what if I told you that switching serialization formats could give you a <strong>3-10x performance boost</strong> with minimal code changes?</p> <h2> The Great Serialization Showdown </h2> <p>I recently implemented support for multiple serialization formats in our API caching layer and ran comprehensive performance tests. The results were eye-opening! Here's what we compared:</p> <ul> <li> <strong>JSON (stdlib)</strong> - The trusty default</li> <li> <strong>orjson</strong> - The speed demon</li> <li> <strong>Pickle</strong> - Python's native powerhouse </li> </ul> <h2> Implementation Architecture </h2> <h3> The Multi-Format Cache Manager </h3> <p>First, let's look at how we structured the enhanced caching layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">enum</span> <span class="kn">import</span> <span class="n">Enum</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span><span class="p">,</span> <span class="n">Optional</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">pickle</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">SerializationFormat</span><span class="p">(</span><span class="n">Enum</span><span class="p">):</span> <span class="n">JSON</span> <span class="o">=</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span> <span class="n">ORJSON</span> <span class="o">=</span> <span class="sh">"</span><span class="s">orjson</span><span class="sh">"</span> <span class="n">PICKLE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">pickle</span><span class="sh">"</span> <span class="k">class</span> <span class="nc">PerformanceMetrics</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Tracks performance metrics for different serialization formats.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span> <span class="o">=</span> <span class="p">{</span> <span class="nb">format</span><span class="p">.</span><span class="n">value</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">serialize_times</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">deserialize_times</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">sizes</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">total_operations</span><span class="sh">"</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span> <span class="k">for</span> <span class="nb">format</span> <span class="ow">in</span> <span class="n">SerializationFormat</span> <span class="p">}</span> <span class="k">def</span> <span class="nf">record_operation</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n">SerializationFormat</span><span class="p">,</span> <span class="n">serialize_time</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">deserialize_time</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">size</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">format_key</span> <span class="o">=</span> <span class="nb">format</span><span class="p">.</span><span class="n">value</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span><span class="p">[</span><span class="n">format_key</span><span class="p">][</span><span class="sh">"</span><span class="s">serialize_times</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">serialize_time</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span><span class="p">[</span><span class="n">format_key</span><span class="p">][</span><span class="sh">"</span><span class="s">deserialize_times</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">deserialize_time</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span><span class="p">[</span><span class="n">format_key</span><span class="p">][</span><span class="sh">"</span><span class="s">sizes</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">size</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span><span class="p">[</span><span class="n">format_key</span><span class="p">][</span><span class="sh">"</span><span class="s">total_operations</span><span class="sh">"</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">1</span> </code></pre> </div> <h3> The Serialization Manager </h3> <p>The heart of our implementation is the <code>SerializationManager</code> class that handles all formats with built-in performance tracking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">SerializationManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">metrics</span> <span class="o">=</span> <span class="nc">PerformanceMetrics</span><span class="p">()</span> <span class="k">def</span> <span class="nf">serialize_orjson</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="n">Any</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Serialize using orjson - the performance champion.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">orjson</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">serialized</span> <span class="o">=</span> <span class="n">orjson</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">serialize_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="k">return</span> <span class="n">serialized</span><span class="p">,</span> <span class="n">serialize_time</span> <span class="k">def</span> <span class="nf">deserialize_orjson</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Deserialize using orjson.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">orjson</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="n">deserialized</span> <span class="o">=</span> <span class="n">orjson</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="n">deserialize_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="k">return</span> <span class="n">deserialized</span><span class="p">,</span> <span class="n">deserialize_time</span> <span class="c1"># Similar methods for JSON and Pickle... </span></code></pre> </div> <h3> Cache Manager with Format Selection </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">APICacheManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">default_format</span><span class="p">:</span> <span class="n">SerializationFormat</span> <span class="o">=</span> <span class="n">SerializationFormat</span><span class="p">.</span><span class="n">JSON</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">default_format</span> <span class="o">=</span> <span class="n">default_format</span> <span class="n">self</span><span class="p">.</span><span class="n">serialization_manager</span> <span class="o">=</span> <span class="nc">SerializationManager</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">set</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="n">Any</span><span class="p">,</span> <span class="n">ttl</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">3600</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">SerializationFormat</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Cache data with specified serialization format.</span><span class="sh">"""</span> <span class="nb">format</span> <span class="o">=</span> <span class="nb">format</span> <span class="ow">or</span> <span class="n">self</span><span class="p">.</span><span class="n">default_format</span> <span class="c1"># Serialize based on format </span> <span class="k">if</span> <span class="nb">format</span> <span class="o">==</span> <span class="n">SerializationFormat</span><span class="p">.</span><span class="n">ORJSON</span><span class="p">:</span> <span class="n">serialized_data</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">serialization_manager</span><span class="p">.</span><span class="nf">serialize_orjson</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">elif</span> <span class="nb">format</span> <span class="o">==</span> <span class="n">SerializationFormat</span><span class="p">.</span><span class="n">PICKLE</span><span class="p">:</span> <span class="n">serialized_data</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">serialization_manager</span><span class="p">.</span><span class="nf">serialize_pickle</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="c1"># ... handle other formats </span> <span class="c1"># Store in cache (Redis/Memcached/etc.) </span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_store_in_cache</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">serialized_data</span><span class="p">,</span> <span class="n">ttl</span><span class="p">)</span> </code></pre> </div> <h2> The Performance Results That Will Blow Your Mind 🤯 </h2> <p>I tested three different data sizes across 1,000 operations each:</p> <h3> Small Data (242 bytes) - Typical API Response </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format</th> <th>Serialization</th> <th>Deserialization</th> <th>Data Size</th> </tr> </thead> <tbody> <tr> <td> <strong>orjson</strong> ⭐</td> <td>0.000000s</td> <td>0.000001s</td> <td>221 bytes</td> </tr> <tr> <td>JSON</td> <td>0.000003s</td> <td>0.000002s</td> <td>242 bytes</td> </tr> <tr> <td>Pickle</td> <td>0.000001s</td> <td>0.000001s</td> <td>232 bytes</td> </tr> </tbody> </table></div> <h3> Medium Data (561 bytes) - Complex API Response </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format</th> <th>Serialization</th> <th>Deserialization</th> <th>Data Size</th> </tr> </thead> <tbody> <tr> <td> <strong>orjson</strong> ⭐</td> <td>0.000001s</td> <td>0.000001s</td> <td>516 bytes</td> </tr> <tr> <td>JSON</td> <td>0.000005s</td> <td>0.000004s</td> <td>561 bytes</td> </tr> <tr> <td>Pickle</td> <td>0.000002s</td> <td>0.000002s</td> <td>521 bytes</td> </tr> </tbody> </table></div> <h3> Large Data (3,346 bytes) - Data-Heavy Response </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format</th> <th>Serialization</th> <th>Deserialization</th> <th>Data Size</th> </tr> </thead> <tbody> <tr> <td> <strong>orjson</strong> ⭐</td> <td>0.000003s</td> <td>0.000006s</td> <td>2,963 bytes</td> </tr> <tr> <td>JSON</td> <td>0.000030s</td> <td>0.000022s</td> <td>3,346 bytes</td> </tr> <tr> <td> <strong>Pickle</strong> ⭐</td> <td>0.000009s</td> <td>0.000009s</td> <td><strong>2,536 bytes</strong></td> </tr> </tbody> </table></div> <h2> The Clear Winner: orjson 🏆 </h2> <p><strong>orjson absolutely dominates</strong> in almost every category:</p> <ul> <li> <strong>3-10x faster serialization</strong> than standard JSON</li> <li> <strong>2-4x faster deserialization</strong> than standard JSON </li> <li> <strong>Smallest data size</strong> for small and medium payloads</li> <li> <strong>Drop-in replacement</strong> for standard JSON</li> </ul> <p>Here's the math that'll make you happy:</p> <ul> <li>1,000 cache operations per second</li> <li>Standard JSON: 30ms total serialization time</li> <li>orjson: 3ms total serialization time</li> <li><strong>Savings: 27ms per 1,000 operations = 27 seconds per million operations!</strong></li> </ul> <h2> When to Use Each Format </h2> <h3> 🚀 Use orjson when: </h3> <ul> <li>Performance is critical</li> <li>You're dealing with high-throughput APIs</li> <li>You want easy migration from standard JSON</li> <li>You need language-agnostic serialization </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Easy migration example </span><span class="nd">@cache_response</span><span class="p">(</span> <span class="n">prefix</span><span class="o">=</span><span class="sh">"</span><span class="s">users</span><span class="sh">"</span><span class="p">,</span> <span class="n">ttl</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">SerializationFormat</span><span class="p">.</span><span class="n">ORJSON</span> <span class="c1"># Just change this line! </span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_user</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">fetch_user_from_db</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> </code></pre> </div> <h3> 🐍 Use Pickle when: </h3> <ul> <li>You're in a Python-only environment</li> <li>You have very large, complex data structures</li> <li>You need the smallest possible data size for large objects</li> <li>You don't need cross-language compatibility</li> </ul> <h3> 🔧 Use Standard JSON when: </h3> <ul> <li>Cross-language compatibility is essential</li> <li>You're working with legacy systems</li> <li>You need human-readable cached data for debugging</li> <li>Performance is acceptable for your use case</li> </ul> <h2> Real-World Implementation Tips </h2> <h3> 1. Gradual Migration Strategy </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Start with high-traffic endpoints </span><span class="n">cache_mgr_fast</span> <span class="o">=</span> <span class="nc">APICacheManager</span><span class="p">(</span><span class="n">default_format</span><span class="o">=</span><span class="n">SerializationFormat</span><span class="p">.</span><span class="n">ORJSON</span><span class="p">)</span> <span class="n">cache_mgr_compatible</span> <span class="o">=</span> <span class="nc">APICacheManager</span><span class="p">(</span><span class="n">default_format</span><span class="o">=</span><span class="n">SerializationFormat</span><span class="p">.</span><span class="n">JSON</span><span class="p">)</span> <span class="c1"># Use fast cache for internal APIs </span><span class="nd">@cache_response</span><span class="p">(</span><span class="n">manager</span><span class="o">=</span><span class="n">cache_mgr_fast</span><span class="p">,</span> <span class="n">ttl</span><span class="o">=</span><span class="mi">3600</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">internal_user_data</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># Use compatible cache for external APIs </span><span class="nd">@cache_response</span><span class="p">(</span><span class="n">manager</span><span class="o">=</span><span class="n">cache_mgr_compatible</span><span class="p">,</span> <span class="n">ttl</span><span class="o">=</span><span class="mi">3600</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">public_api_endpoint</span><span class="p">():</span> <span class="k">pass</span> </code></pre> </div> <h3> 2. Performance Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">log_cache_metrics</span><span class="p">():</span> <span class="n">metrics</span> <span class="o">=</span> <span class="n">serialization_manager</span><span class="p">.</span><span class="nf">get_performance_summary</span><span class="p">()</span> <span class="k">for</span> <span class="nb">format</span><span class="p">,</span> <span class="n">data</span> <span class="ow">in</span> <span class="n">metrics</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="nb">format</span><span class="si">}</span><span class="s">: avg_serialize=</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">avg_serialize_time</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">6</span><span class="n">f</span><span class="si">}</span><span class="s">s, </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">avg_deserialize=</span><span class="si">{</span><span class="n">data</span><span class="p">[</span><span class="sh">'</span><span class="s">avg_deserialize_time</span><span class="sh">'</span><span class="p">]</span><span class="si">:</span><span class="p">.</span><span class="mi">6</span><span class="n">f</span><span class="si">}</span><span class="s">s</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3. Fallback Strategies </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">robust_cache_get</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">formats</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="n">SerializationFormat</span><span class="p">]):</span> <span class="sh">"""</span><span class="s">Try multiple formats for backward compatibility.</span><span class="sh">"""</span> <span class="k">for</span> <span class="nb">format</span> <span class="ow">in</span> <span class="n">formats</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="k">await</span> <span class="n">cache_mgr</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="nb">format</span><span class="p">)</span> <span class="k">if</span> <span class="n">data</span><span class="p">:</span> <span class="k">return</span> <span class="n">data</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to deserialize </span><span class="si">{</span><span class="n">key</span><span class="si">}</span><span class="s"> with </span><span class="si">{</span><span class="nb">format</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <h2> The Bottom Line </h2> <p>After extensive testing, here's my recommendation hierarchy:</p> <ol> <li> <strong>orjson</strong> - Use this for 80% of your caching needs</li> <li> <strong>Pickle</strong> - Use for Python-only, data-heavy scenarios</li> <li> <strong>JSON</strong> - Use when you need maximum compatibility</li> </ol> <h2> Getting Started </h2> <p>Want to implement this in your project? Here's the minimal setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>orjson </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">enum</span> <span class="kn">import</span> <span class="n">Enum</span> <span class="k">class</span> <span class="nc">SerializationFormat</span><span class="p">(</span><span class="n">Enum</span><span class="p">):</span> <span class="n">ORJSON</span> <span class="o">=</span> <span class="sh">"</span><span class="s">orjson</span><span class="sh">"</span> <span class="n">JSON</span> <span class="o">=</span> <span class="sh">"</span><span class="s">json</span><span class="sh">"</span> <span class="c1"># Your existing cache code here, just add format parameter </span><span class="k">async</span> <span class="k">def</span> <span class="nf">cache_set</span><span class="p">(</span><span class="n">key</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">value</span><span class="p">:</span> <span class="nb">any</span><span class="p">,</span> <span class="nb">format</span><span class="p">:</span> <span class="n">SerializationFormat</span> <span class="o">=</span> <span class="n">SerializationFormat</span><span class="p">.</span><span class="n">ORJSON</span><span class="p">):</span> <span class="k">if</span> <span class="nb">format</span> <span class="o">==</span> <span class="n">SerializationFormat</span><span class="p">.</span><span class="n">ORJSON</span><span class="p">:</span> <span class="kn">import</span> <span class="n">orjson</span> <span class="n">serialized</span> <span class="o">=</span> <span class="n">orjson</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">serialized</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">value</span><span class="p">).</span><span class="nf">encode</span><span class="p">()</span> <span class="c1"># Store in your cache system </span> <span class="k">await</span> <span class="n">your_cache</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">serialized</span><span class="p">)</span> </code></pre> </div> <h2> Conclusion </h2> <p>The numbers don't lie – <strong>orjson is a game-changer</strong> for API caching performance. With minimal code changes, you can achieve significant performance improvements that directly translate to better user experience and lower infrastructure costs.</p> <p>The beauty of this approach is that you can implement it incrementally, starting with your highest-traffic endpoints and gradually migrating your entire caching layer.</p> <p>What serialization format are you currently using? Have you measured its performance impact? Drop a comment below and let's discuss your caching optimization strategies!</p> <p><em>Found this helpful? Give it a ❤️ and follow me for more performance optimization content!</em></p> python performance caching serialization Building a Robust Redis Client: Async Redis + Tenacity + Circuit Breaker Akarshan Gandotra Sun, 06 Jul 2025 20:08:34 +0000 https://forem.com/akarshan/building-a-robust-redis-client-with-retry-logic-in-python-jeg https://forem.com/akarshan/building-a-robust-redis-client-with-retry-logic-in-python-jeg <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1bdn8zln9vsuzih1i87i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1bdn8zln9vsuzih1i87i.png" alt=" " width="800" height="533"></a></p> <p>Redis is the backbone of many high-performance applications, but network hiccups and temporary outages can wreak havoc on your system. What if I told you there's a way to make your Redis operations virtually bulletproof? 🛡️</p> <p>Today, we'll dive deep into building a production-ready Redis client with comprehensive retry logic, circuit breaker patterns, and connection pooling that can handle the chaos of distributed systems.</p> <h2> 🚨 The Problem: When Redis Goes Down </h2> <p>Picture this: Your application is humming along perfectly, handling thousands of requests per second. Suddenly, Redis experiences a brief network hiccup. Your application starts throwing exceptions, users see errors, and your monitoring dashboard lights up like a Christmas tree. 🎄💥</p> <p>Common Redis failure scenarios:</p> <ul> <li> <strong>Network timeouts</strong> 🌐⏰</li> <li> <strong>Connection drops</strong> 🔌❌</li> <li> <strong>Redis server restarts</strong> 🔄</li> <li> <strong>Memory pressure</strong> 💾⚠️</li> <li> <strong>Temporary unavailability</strong> 🚫</li> </ul> <h2> 🏗️ The Solution: A Resilient Redis Client </h2> <p>Our solution combines several battle-tested patterns:</p> <h3> 1. <strong>Exponential Backoff Retry with Tenacity</strong> 📈 </h3> <p>We leverage the powerful <strong>Tenacity</strong> library for sophisticated retry logic. Tenacity provides a clean, declarative way to handle retries with various strategies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">tenacity</span> <span class="kn">import</span> <span class="n">AsyncRetrying</span><span class="p">,</span> <span class="n">retry_if_exception_type</span><span class="p">,</span> <span class="n">stop_after_attempt</span><span class="p">,</span> <span class="n">wait_exponential</span> <span class="nd">@dataclass</span><span class="p">(</span><span class="n">frozen</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">class</span> <span class="nc">RedisRetryConfig</span><span class="p">:</span> <span class="n">max_attempts</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="n">settings</span><span class="p">.</span><span class="n">REDIS_MAX_ATTEMPTS</span> <span class="n">base_delay</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="n">settings</span><span class="p">.</span><span class="n">REDIS_BASE_DELAY</span> <span class="n">max_delay</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="n">settings</span><span class="p">.</span><span class="n">REDIS_MAX_DELAY</span> <span class="n">exponential_base</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="n">settings</span><span class="p">.</span><span class="n">REDIS_EXPONENTIAL_BASE</span> <span class="n">retry_exceptions</span><span class="p">:</span> <span class="nb">tuple</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span> <span class="n">default_factory</span><span class="o">=</span><span class="k">lambda</span><span class="p">:</span> <span class="p">(</span> <span class="n">redis</span><span class="p">.</span><span class="nb">ConnectionError</span><span class="p">,</span> <span class="n">redis</span><span class="p">.</span><span class="nb">TimeoutError</span><span class="p">,</span> <span class="n">redis</span><span class="p">.</span><span class="n">RedisError</span><span class="p">,</span> <span class="nb">ConnectionRefusedError</span><span class="p">,</span> <span class="nb">TimeoutError</span><span class="p">,</span> <span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p><strong>Why Tenacity?</strong> 🎯</p> <ul> <li> <strong>Declarative syntax</strong> - Easy to read and configure</li> <li> <strong>Multiple retry strategies</strong> - Exponential, linear, random jitter</li> <li> <strong>Exception filtering</strong> - Retry only on specific exceptions</li> <li> <strong>Async support</strong> - Perfect for modern Python applications</li> <li> <strong>Battle-tested</strong> - Used in production by thousands of applications</li> </ul> <h3> 2. <strong>Circuit Breaker Pattern</strong> 🔌 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CircuitBreaker</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Simple circuit breaker for Redis operations.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">threshold</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">timeout</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">threshold</span> <span class="o">=</span> <span class="n">threshold</span> <span class="n">self</span><span class="p">.</span><span class="n">timeout</span> <span class="o">=</span> <span class="n">timeout</span> <span class="n">self</span><span class="p">.</span><span class="n">failure_count</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">self</span><span class="p">.</span><span class="n">last_failure_time</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">self</span><span class="p">.</span><span class="n">state</span> <span class="o">=</span> <span class="sh">"</span><span class="s">closed</span><span class="sh">"</span> <span class="c1"># closed, open, half-open </span></code></pre> </div> <h3> 3. <strong>Connection Pooling</strong> 🏊‍♂️ </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="n">_connection_pool</span> <span class="o">=</span> <span class="n">ConnectionPool</span><span class="p">.</span><span class="nf">from_url</span><span class="p">(</span> <span class="n">settings</span><span class="p">.</span><span class="n">REDIS_URL</span><span class="p">,</span> <span class="n">max_connections</span><span class="o">=</span><span class="nf">getattr</span><span class="p">(</span><span class="n">settings</span><span class="p">,</span> <span class="sh">"</span><span class="s">REDIS_CONNECTION_POOL</span><span class="sh">"</span><span class="p">,</span> <span class="mi">20</span><span class="p">),</span> <span class="n">retry_on_timeout</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">socket_keepalive</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">health_check_interval</span><span class="o">=</span><span class="mi">30</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <h2> 📚 <strong>Key Dependencies</strong> </h2> <p>This implementation leverages several powerful Python libraries:</p> <ul> <li> <strong>🔄 Tenacity</strong> - The star of our retry logic! Provides declarative retry decorators with exponential backoff, jitter, and exception filtering</li> <li> <strong>🔴 Redis-py</strong> - Official async Redis client for Python</li> <li> <strong>⚙️ Asyncio</strong> - For async/await support and thread-safe operations</li> <li> <strong>📊 Dataclasses</strong> - Clean, immutable configuration objects </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>tenacity redis[hiredis] </code></pre> </div> <h2> 🎯 Key Features </h2> <h3> ✨ <strong>Automatic Retry Logic</strong> </h3> <p>The <code>redis_retry</code> decorator automatically wraps Redis operations with intelligent retry logic using <strong>Tenacity</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">redis_retry</span><span class="p">(</span> <span class="n">config</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">RedisRetryConfig</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">operation_name</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">use_circuit_breaker</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Callable</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Decorator for Redis operations with retry logic and circuit breaker.</span><span class="sh">"""</span> <span class="n">retry_config</span> <span class="o">=</span> <span class="n">config</span> <span class="ow">or</span> <span class="nc">RedisRetryConfig</span><span class="p">()</span> <span class="k">def</span> <span class="nf">decorator</span><span class="p">(</span><span class="n">func</span><span class="p">:</span> <span class="n">Callable</span><span class="p">[...,</span> <span class="n">T</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="n">Callable</span><span class="p">[...,</span> <span class="n">T</span><span class="p">]:</span> <span class="nd">@wraps</span><span class="p">(</span><span class="n">func</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">wrapper</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">T</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">execute_with_retry</span><span class="p">():</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Tenacity's AsyncRetrying provides the retry logic </span> <span class="k">async</span> <span class="k">for</span> <span class="n">attempt</span> <span class="ow">in</span> <span class="nc">AsyncRetrying</span><span class="p">(</span> <span class="n">stop</span><span class="o">=</span><span class="nf">stop_after_attempt</span><span class="p">(</span><span class="n">retry_config</span><span class="p">.</span><span class="n">max_attempts</span><span class="p">),</span> <span class="n">wait</span><span class="o">=</span><span class="nf">wait_exponential</span><span class="p">(</span> <span class="n">multiplier</span><span class="o">=</span><span class="n">retry_config</span><span class="p">.</span><span class="n">base_delay</span><span class="p">,</span> <span class="nb">max</span><span class="o">=</span><span class="n">retry_config</span><span class="p">.</span><span class="n">max_delay</span><span class="p">,</span> <span class="n">exp_base</span><span class="o">=</span><span class="n">retry_config</span><span class="p">.</span><span class="n">exponential_base</span><span class="p">,</span> <span class="p">),</span> <span class="n">retry</span><span class="o">=</span><span class="nf">retry_if_exception_type</span><span class="p">(</span><span class="n">retry_config</span><span class="p">.</span><span class="n">retry_exceptions</span><span class="p">),</span> <span class="n">reraise</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">):</span> <span class="k">with</span> <span class="n">attempt</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">func</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">except</span> <span class="n">RetryError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed after </span><span class="si">{</span><span class="n">retry_config</span><span class="p">.</span><span class="n">max_attempts</span><span class="si">}</span><span class="s"> attempts</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="n">e</span><span class="p">.</span><span class="n">last_attempt</span><span class="p">.</span><span class="nf">exception</span><span class="p">()</span> <span class="k">from</span> <span class="n">e</span> <span class="k">if</span> <span class="n">circuit_breaker</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">circuit_breaker</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">execute_with_retry</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">execute_with_retry</span><span class="p">()</span> <span class="k">return</span> <span class="n">wrapper</span> <span class="k">return</span> <span class="n">decorator</span> </code></pre> </div> <p><strong>Tenacity Features in Action:</strong> 🚀</p> <ul> <li> <code>stop_after_attempt()</code> - Limits total retry attempts</li> <li> <code>wait_exponential()</code> - Implements exponential backoff with jitter</li> <li> <code>retry_if_exception_type()</code> - Only retries on specific exceptions</li> <li> <code>AsyncRetrying</code> - Async-first design for modern Python apps</li> </ul> <h3> 🔄 <strong>Circuit Breaker States</strong> </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxqgvsrp709si9lu9wqh0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxqgvsrp709si9lu9wqh0.png" alt=" " width="800" height="163"></a></p> <ul> <li> <strong>Closed</strong> 🟢: Normal operation, requests pass through</li> <li> <strong>Open</strong> 🔴: Failing fast, requests immediately rejected</li> <li> <strong>Half-Open</strong> 🟡: Testing if service recovered</li> </ul> <h3> 🏊‍♂️ <strong>Enhanced Redis Client</strong> </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">RedisWithRetry</span><span class="p">(</span><span class="n">redis</span><span class="p">.</span><span class="n">Redis</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Enhanced Redis client with comprehensive retry logic and circuit breaker.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__getattribute__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Any</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Override attribute access to automatically add retry logic.</span><span class="sh">"""</span> <span class="n">attr</span> <span class="o">=</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__getattribute__</span><span class="p">(</span><span class="n">name</span><span class="p">)</span> <span class="nf">if </span><span class="p">(</span> <span class="n">name</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_core_methods</span> <span class="ow">and</span> <span class="nf">callable</span><span class="p">(</span><span class="n">attr</span><span class="p">)</span> <span class="ow">and</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">iscoroutinefunction</span><span class="p">(</span><span class="n">attr</span><span class="p">)</span> <span class="p">):</span> <span class="n">retry_config</span> <span class="o">=</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__getattribute__</span><span class="p">(</span><span class="sh">"</span><span class="s">retry_config</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redis_retry</span><span class="p">(</span><span class="n">retry_config</span><span class="p">,</span> <span class="n">name</span><span class="p">)(</span><span class="n">attr</span><span class="p">)</span> <span class="k">return</span> <span class="n">attr</span> </code></pre> </div> <p>This clever <code>__getattribute__</code> override automatically wraps all Redis operations with retry logic! 🎩✨</p> <h2> 📊 <strong>Health Monitoring</strong> </h2> <p>The client includes comprehensive health checking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Comprehensive health check for Redis connection.</span><span class="sh">"""</span> <span class="k">try</span><span class="p">:</span> <span class="n">start_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">ping</span><span class="p">()</span> <span class="n">ping_time</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">start_time</span> <span class="n">info</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">info</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ping_time_ms</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">ping_time</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">connected_clients</span><span class="sh">"</span><span class="p">:</span> <span class="n">info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">connected_clients</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="sh">"</span><span class="s">used_memory</span><span class="sh">"</span><span class="p">:</span> <span class="n">info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">used_memory</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="sh">"</span><span class="s">used_memory_human</span><span class="sh">"</span><span class="p">:</span> <span class="n">info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">used_memory_human</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0B</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">redis_version</span><span class="sh">"</span><span class="p">:</span> <span class="n">info</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">redis_version</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown</span><span class="sh">"</span><span class="p">),</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">unhealthy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="sh">"</span><span class="s">error_type</span><span class="sh">"</span><span class="p">:</span> <span class="nf">type</span><span class="p">(</span><span class="n">e</span><span class="p">).</span><span class="n">__name__</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h2> 🔧 <strong>Advanced Tenacity Configurations</strong> </h2> <p>Tenacity offers incredible flexibility for different retry scenarios:</p> <h3> <strong>Custom Wait Strategies</strong> ⏱️ </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">tenacity</span> <span class="kn">import</span> <span class="n">wait_fixed</span><span class="p">,</span> <span class="n">wait_random</span><span class="p">,</span> <span class="n">wait_combine</span> <span class="c1"># Fixed delay </span><span class="n">wait</span><span class="o">=</span><span class="nf">wait_fixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># Always wait 2 seconds </span> <span class="c1"># Random jitter to prevent thundering herd </span><span class="n">wait</span><span class="o">=</span><span class="nf">wait_random</span><span class="p">(</span><span class="nb">min</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="nb">max</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="c1"># Combine strategies </span><span class="n">wait</span><span class="o">=</span><span class="nf">wait_combine</span><span class="p">(</span> <span class="nf">wait_exponential</span><span class="p">(</span><span class="n">multiplier</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="nb">max</span><span class="o">=</span><span class="mi">10</span><span class="p">),</span> <span class="nf">wait_random</span><span class="p">(</span><span class="nb">min</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="nb">max</span><span class="o">=</span><span class="mi">2</span><span class="p">)</span> <span class="c1"># Add jitter </span><span class="p">)</span> </code></pre> </div> <h3> <strong>Stop Conditions</strong> 🛑 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">tenacity</span> <span class="kn">import</span> <span class="n">stop_after_delay</span><span class="p">,</span> <span class="n">stop_never</span> <span class="c1"># Stop after total time </span><span class="n">stop</span><span class="o">=</span><span class="nf">stop_after_delay</span><span class="p">(</span><span class="mi">30</span><span class="p">)</span> <span class="c1"># Stop after 30 seconds total </span> <span class="c1"># Stop after attempts OR time </span><span class="n">stop</span><span class="o">=</span><span class="p">(</span><span class="nf">stop_after_attempt</span><span class="p">(</span><span class="mi">5</span><span class="p">)</span> <span class="o">|</span> <span class="nf">stop_after_delay</span><span class="p">(</span><span class="mi">30</span><span class="p">))</span> </code></pre> </div> <h3> <strong>Custom Retry Conditions</strong> 🎯 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">tenacity</span> <span class="kn">import</span> <span class="n">retry_if_result</span><span class="p">,</span> <span class="n">retry_if_not_result</span> <span class="c1"># Retry based on return value </span><span class="nd">@retry</span><span class="p">(</span><span class="n">retry</span><span class="o">=</span><span class="nf">retry_if_result</span><span class="p">(</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">))</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_data</span><span class="p">():</span> <span class="k">return</span> <span class="k">await</span> <span class="n">redis_client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Retry on specific exception attributes </span><span class="nd">@retry</span><span class="p">(</span><span class="n">retry</span><span class="o">=</span><span class="nf">retry_if_exception</span><span class="p">(</span> <span class="k">lambda</span> <span class="n">e</span><span class="p">:</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">e</span><span class="p">,</span> <span class="n">redis</span><span class="p">.</span><span class="nb">ConnectionError</span><span class="p">)</span> <span class="ow">and</span> <span class="sh">"</span><span class="s">timeout</span><span class="sh">"</span> <span class="ow">in</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="p">))</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">redis_operation</span><span class="p">():</span> <span class="c1"># Your Redis operation here </span> <span class="k">pass</span> </code></pre> </div> <h2> 🔧 <strong>Usage Examples</strong> </h2> <h3> Basic Usage </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Get the singleton client </span><span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_redis_client</span><span class="p">()</span> <span class="c1"># All operations now have automatic retry logic! </span><span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">)</span> <span class="n">value</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Pipeline Operations </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">with</span> <span class="nf">redis_pipeline</span><span class="p">()</span> <span class="k">as</span> <span class="n">pipeline</span><span class="p">:</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sh">"</span><span class="s">key1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">value1</span><span class="sh">"</span><span class="p">)</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="sh">"</span><span class="s">key2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">value2</span><span class="sh">"</span><span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">pipeline</span><span class="p">.</span><span class="nf">execute</span><span class="p">()</span> <span class="c1"># Retries included! </span></code></pre> </div> <h3> Health Monitoring </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">health</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">redis_health_check</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Redis status: </span><span class="si">{</span><span class="n">health</span><span class="p">[</span><span class="sh">'</span><span class="s">status</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Ping time: </span><span class="si">{</span><span class="n">health</span><span class="p">[</span><span class="sh">'</span><span class="s">ping_time_ms</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">ms</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> 📈 <strong>Performance Benefits</strong> </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Without Retry</th> <th>With Retry + Circuit Breaker</th> </tr> </thead> <tbody> <tr> <td>Network blip (100ms)</td> <td>❌ Immediate failure</td> <td>✅ Transparent recovery</td> </tr> <tr> <td>Redis restart (5s)</td> <td>❌ 5s of errors</td> <td>✅ Fast failure → recovery</td> </tr> <tr> <td>Sustained outage</td> <td>❌ Continuous timeouts</td> <td>✅ Fail fast after threshold</td> </tr> </tbody> </table></div> <h2> 🛠️ <strong>Configuration Options</strong> </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Custom retry configuration </span><span class="n">config</span> <span class="o">=</span> <span class="nc">RedisRetryConfig</span><span class="p">(</span> <span class="n">max_attempts</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">base_delay</span><span class="o">=</span><span class="mf">0.1</span><span class="p">,</span> <span class="n">max_delay</span><span class="o">=</span><span class="mf">60.0</span><span class="p">,</span> <span class="n">exponential_base</span><span class="o">=</span><span class="mf">2.0</span><span class="p">,</span> <span class="n">circuit_breaker_threshold</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">circuit_breaker_timeout</span><span class="o">=</span><span class="mf">30.0</span> <span class="p">)</span> <span class="n">client</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_redis_client</span><span class="p">(</span><span class="n">config</span><span class="p">)</span> </code></pre> </div> <h2> 🔐 <strong>Thread Safety &amp; Singleton Pattern</strong> </h2> <p>The <code>RedisClientManager</code> ensures thread-safe singleton behavior:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">RedisClientManager</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Thread-safe singleton manager for Redis client.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="n">RedisWithRetry</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span> <span class="o">=</span> <span class="n">asyncio</span><span class="p">.</span><span class="nc">Lock</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_client</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">RedisWithRetry</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_initialize_client</span><span class="p">()</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_client</span> </code></pre> </div> <h2> 🚀 <strong>Production Tips</strong> </h2> <h3> 1. <strong>Monitor Circuit Breaker States</strong> 📊 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add metrics collection </span><span class="k">if</span> <span class="n">circuit_breaker</span><span class="p">.</span><span class="n">state</span> <span class="o">==</span> <span class="sh">"</span><span class="s">open</span><span class="sh">"</span><span class="p">:</span> <span class="n">metrics</span><span class="p">.</span><span class="nf">counter</span><span class="p">(</span><span class="sh">"</span><span class="s">redis.circuit_breaker.open</span><span class="sh">"</span><span class="p">).</span><span class="nf">increment</span><span class="p">()</span> </code></pre> </div> <h3> 2. <strong>Tune Retry Parameters</strong> ⚙️ </h3> <ul> <li>Start with conservative values</li> <li>Monitor success/failure rates</li> <li>Adjust based on your Redis setup</li> </ul> <h3> 3. <strong>Connection Pool Sizing</strong> 🏊‍♂️ </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Rule of thumb: 2-3x your concurrent request count </span><span class="n">max_connections</span> <span class="o">=</span> <span class="n">concurrent_requests</span> <span class="o">*</span> <span class="mf">2.5</span> </code></pre> </div> <h3> 4. <strong>Health Check Integration</strong> 🏥 </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add to your application health endpoint </span><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">():</span> <span class="n">redis_health</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">redis_health_check</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">redis</span><span class="sh">"</span><span class="p">:</span> <span class="n">redis_health</span><span class="p">}</span> </code></pre> </div> <h2> 🎭 <strong>Error Handling Hierarchy</strong> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frgo5ugup2jegeea96dg8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frgo5ugup2jegeea96dg8.png" alt=" " width="800" height="1120"></a></p> <h2> 📝 <strong>Conclusion</strong> </h2> <p>Building resilient systems requires more than just hoping nothing goes wrong. With this Redis client, you get:</p> <ul> <li>🔄 <strong>Automatic retries</strong> with exponential backoff</li> <li>🔌 <strong>Circuit breaker</strong> protection</li> <li>🏊‍♂️ <strong>Connection pooling</strong> for performance</li> <li>📊 <strong>Health monitoring</strong> for observability</li> <li>🛡️ <strong>Production-ready</strong> error handling</li> </ul> <p>Your Redis operations will now gracefully handle network issues, temporary outages, and other distributed system challenges. No more 3 AM alerts for transient Redis hiccups! 🌙😴</p> <blockquote> <p><a href="https://pastebin.com/63aCSELy" rel="noopener noreferrer">Full Code Snippet</a></p> </blockquote> redis circuitbreaker asyncio tenacity Building Bulletproof Authentication: A Modern Stateless Session Guide 🔐 Akarshan Gandotra Tue, 01 Jul 2025 19:05:12 +0000 https://forem.com/akarshan/building-bulletproof-authentication-a-modern-stateless-session-guide-1obk https://forem.com/akarshan/building-bulletproof-authentication-a-modern-stateless-session-guide-1obk <p><strong>Building Secure, Scalable Authentication with Auth0 Integration</strong></p> <h2> 🎯 The Problem: Traditional Sessions Don't Scale </h2> <p>Picture this: Your app hits 100K users, and suddenly your Redis session store becomes the bottleneck. Users get logged out randomly when load balancers route them to different servers. Sound familiar?<br> We faced this exact problem and decided to go completely stateless. Here's how we built a bulletproof authentication system that scales horizontally without breaking a sweat.</p> <h2> 🧠 Understanding Stateless Session Management </h2> <h3> 🤔 What Is It? </h3> <p>Stateless session management is like having a self-contained passport for every request. Instead of the server remembering who you are (like a hotel keeping your room key), all the information travels with you in a secure, tamper-proof token.</p> <h3> 🔍 Key Characteristics </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F738n6xxj6ojrcr5zc9sk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F738n6xxj6ojrcr5zc9sk.png" alt=" " width="800" height="328"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>🗄️ Storage</td> <td>No server-side session storage</td> </tr> <tr> <td>📦 Data Location</td> <td>Session data embedded in tokens</td> </tr> <tr> <td>🔄 Request Context</td> <td>Each request carries complete authentication context</td> </tr> <tr> <td>🔐 Security</td> <td>Cryptographic signatures ensure token integrity</td> </tr> </tbody> </table></div> <h2> ⭐ Why Go Stateless? </h2> <h3> 🚀 1. Horizontal Scalability </h3> <p>Think of it like a food truck festival - any truck can serve any customer because the order is written on the receipt!</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Benefit</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>No Sticky Sessions</td> <td>Requests can be handled by any server instance</td> </tr> <tr> <td>Load Balancer Simplicity</td> <td>No need for session affinity</td> </tr> <tr> <td>Auto-Scaling Friendly</td> <td>New instances can immediately handle requests</td> </tr> </tbody> </table></div> <h3> ⚡ 2. Performance Optimization </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Improvement</th> </tr> </thead> <tbody> <tr> <td>Database Calls</td> <td>Eliminated session lookups</td> </tr> <tr> <td>Memory Footprint</td> <td>Reduced server memory usage</td> </tr> <tr> <td>Processing Speed</td> <td>Direct token validation</td> </tr> </tbody> </table></div> <p><strong>Traditional Sessions:</strong> Request → DB Lookup → Validation → Response<br><br> <strong>Stateless Sessions:</strong> Request → Token Validation → Response</p> <h3> 🛠️ 3. Operational Excellence </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Area</th> <th>Advantage</th> </tr> </thead> <tbody> <tr> <td>Deployment</td> <td>No session replication concerns</td> </tr> <tr> <td>Disaster Recovery</td> <td>No session state to backup/restore</td> </tr> <tr> <td>Microservices</td> <td>Tokens can be validated independently</td> </tr> </tbody> </table></div> <h3> 🔒 4. Security Benefits </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Security Feature</th> <th>Benefit</th> </tr> </thead> <tbody> <tr> <td>Reduced Attack Surface</td> <td>No centralized session store to compromise</td> </tr> <tr> <td>Token-Based Security</td> <td>Cryptographic validation ensures integrity</td> </tr> <tr> <td>Fine-Grained Expiration</td> <td>Individual token control vs global session invalidation</td> </tr> </tbody> </table></div> <h2> 🛡️ Security Arsenal </h2> <p>Our multi-layered security approach protects against various attack vectors:</p> <h3> 🛡️ 1. Token Theft Protection </h3> <h4> Device Fingerprinting </h4> <p>Device fingerprinting creates a unique digital signature for each device, like a fingerprint for your browser/device combination.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_device_fingerprint</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Creates a unique device signature</span><span class="sh">"""</span> <span class="n">fingerprint_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_agent</span><span class="sh">'</span><span class="p">:</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">User-Agent</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">accept_language</span><span class="sh">'</span><span class="p">:</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Accept-Language</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">screen_resolution</span><span class="sh">'</span><span class="p">:</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Screen-Resolution</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">timezone</span><span class="sh">'</span><span class="p">:</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">X-Timezone</span><span class="sh">'</span><span class="p">),</span> <span class="sh">'</span><span class="s">ip_subnet</span><span class="sh">'</span><span class="p">:</span> <span class="nf">get_ip_subnet</span><span class="p">(</span><span class="n">request</span><span class="p">.</span><span class="n">client</span><span class="p">.</span><span class="n">host</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">fingerprint_data</span><span class="p">,</span> <span class="n">sort_keys</span><span class="o">=</span><span class="bp">True</span><span class="p">).</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> </code></pre> </div> <p><strong>Challenges with Device Fingerprinting:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Impact</th> <th>Frequency</th> </tr> </thead> <tbody> <tr> <td>Browser updates</td> <td>User-Agent changes</td> <td>Weekly/Monthly</td> </tr> <tr> <td>Network changes</td> <td>IP address changes</td> <td>Daily</td> </tr> <tr> <td>Mobile networks</td> <td>IP changes frequently</td> <td>Constant</td> </tr> <tr> <td>Browser settings</td> <td>Accept headers change</td> <td>Occasional</td> </tr> <tr> <td>Corporate proxies</td> <td>Headers modified</td> <td>Common</td> </tr> </tbody> </table></div> <p><strong>Advanced Fingerprint Validation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">AdvancedFingerprintValidator</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Smart fingerprint validation with flexibility</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">weights</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">user_agent</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.4</span><span class="p">,</span> <span class="c1"># Most important </span> <span class="sh">'</span><span class="s">screen_resolution</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.3</span><span class="p">,</span> <span class="c1"># Hardware specific </span> <span class="sh">'</span><span class="s">timezone</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.2</span><span class="p">,</span> <span class="c1"># Geographic </span> <span class="sh">'</span><span class="s">accept_language</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.1</span> <span class="c1"># User preference </span> <span class="p">}</span> <span class="c1"># Different thresholds for different scenarios </span> <span class="n">self</span><span class="p">.</span><span class="n">thresholds</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">'</span><span class="s">strict</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.95</span><span class="p">,</span> <span class="c1"># Banking/financial </span> <span class="sh">'</span><span class="s">normal</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.85</span><span class="p">,</span> <span class="c1"># Regular apps </span> <span class="sh">'</span><span class="s">relaxed</span><span class="sh">'</span><span class="p">:</span> <span class="mf">0.70</span> <span class="c1"># Public/demo apps </span> <span class="p">}</span> <span class="k">def</span> <span class="nf">calculate_similarity</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">stored_fp</span><span class="p">,</span> <span class="n">current_fp</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Calculate similarity score between fingerprints</span><span class="sh">"""</span> <span class="n">total_score</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">component</span><span class="p">,</span> <span class="n">weight</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">weights</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="k">if</span> <span class="n">stored_fp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">component</span><span class="p">)</span> <span class="o">==</span> <span class="n">current_fp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">component</span><span class="p">):</span> <span class="n">total_score</span> <span class="o">+=</span> <span class="n">weight</span> <span class="k">return</span> <span class="n">total_score</span> <span class="k">def</span> <span class="nf">is_valid_device</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">stored_fp</span><span class="p">,</span> <span class="n">current_fp</span><span class="p">,</span> <span class="n">security_level</span><span class="o">=</span><span class="sh">'</span><span class="s">normal</span><span class="sh">'</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Determine if device fingerprint is valid</span><span class="sh">"""</span> <span class="n">similarity</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">calculate_similarity</span><span class="p">(</span><span class="n">stored_fp</span><span class="p">,</span> <span class="n">current_fp</span><span class="p">)</span> <span class="n">threshold</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">thresholds</span><span class="p">[</span><span class="n">security_level</span><span class="p">]</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">valid</span><span class="sh">'</span><span class="p">:</span> <span class="n">similarity</span> <span class="o">&gt;=</span> <span class="n">threshold</span><span class="p">,</span> <span class="sh">'</span><span class="s">similarity_score</span><span class="sh">'</span><span class="p">:</span> <span class="n">similarity</span><span class="p">,</span> <span class="sh">'</span><span class="s">threshold_used</span><span class="sh">'</span><span class="p">:</span> <span class="n">threshold</span><span class="p">,</span> <span class="sh">'</span><span class="s">risk_level</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_risk_level</span><span class="p">(</span><span class="n">similarity</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Implementation Features:</strong></p> <ul> <li>✅ Embed device fingerprint in JWT claims</li> <li>✅ Validate fingerprint on each request</li> <li>✅ Automatic logout on fingerprint mismatch</li> <li>✅ Gradual fingerprint validation (allow minor changes)</li> </ul> <p>🛡️ How Fingerprinting Prevents Token Theft</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh3wgcthfcy7o0skj47cx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh3wgcthfcy7o0skj47cx.png" alt=" " width="800" height="1108"></a></p> <h4> ⏰ Short Access Token TTL </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Token Type</th> <th>Duration</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Access Tokens</td> <td>15-30 minutes</td> <td>Short-lived for security</td> </tr> <tr> <td>Refresh Tokens</td> <td>7-30 days</td> <td>Based on risk assessment</td> </tr> <tr> <td>Sliding Window</td> <td>Dynamic</td> <td>For active sessions</td> </tr> </tbody> </table></div> <h3> 🛡️ 2. Replay Attack Prevention </h3> <p>We only track JTI in cases with extremely sensitive operations. In normal API usage, the same access token is used repeatedly until it expires.</p> <h4> 🎯 JTI (JWT ID) Implementation </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">generate_jti</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Creates unique token identifier</span><span class="sh">"""</span> <span class="k">return</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="k">def</span> <span class="nf">validate_jti</span><span class="p">(</span><span class="n">jti</span><span class="p">,</span> <span class="n">user_id</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Prevents token reuse</span><span class="sh">"""</span> <span class="n">cache_key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">jti_blacklist:</span><span class="si">{</span><span class="n">user_id</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">jti</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">redis_client</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">cache_key</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">InvalidTokenError</span><span class="p">(</span><span class="sh">"</span><span class="s">Token already used</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Add to blacklist with TTL equal to token expiry </span> <span class="n">redis_client</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="n">cache_key</span><span class="p">,</span> <span class="n">token_ttl_seconds</span><span class="p">,</span> <span class="sh">"</span><span class="s">used</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h4> 🔒 Security Measures </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Unique JTI</td> <td>Each token is generated with a unique identifier (jti)</td> </tr> <tr> <td>Distributed Blacklist</td> <td>Redis cluster tracks revoked/expired tokens across nodes</td> </tr> <tr> <td>Automatic Cleanup</td> <td>Expired tokens automatically removed from blacklist</td> </tr> <tr> <td>Rate Limiting</td> <td>Tracks token usage frequency and enforces limits</td> </tr> </tbody> </table></div> <h3> 🛡️ 3. Long-term Compromise Protection </h3> <h4> 🗝️ Key Rotation Strategy </h4> <p><strong>Step-by-Step Key Rotation Process:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>When</th> <th>Action</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>1. Create New Key</td> <td>June 1</td> <td>Generate Key A</td> <td>New secret password created</td> </tr> <tr> <td>2. Sign New Tokens</td> <td>June 1-July 1</td> <td>Use Key A for all tokens</td> <td>All new tokens use Key A</td> </tr> <tr> <td>3. Create Key B</td> <td>July 1</td> <td>Generate Key B</td> <td>Prepare for rotation</td> </tr> <tr> <td>4. Grace Period</td> <td>July 1-3</td> <td>Accept both keys</td> <td>Smooth transition</td> </tr> <tr> <td>5. Retire Key A</td> <td>July 3</td> <td>Remove Key A</td> <td>Only Key B tokens work</td> </tr> </tbody> </table></div> <h4> ⏰ Rotation Schedule </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key Type</th> <th>Frequency</th> <th>Emergency</th> </tr> </thead> <tbody> <tr> <td>Signing Keys</td> <td>Monthly</td> <td>1 hour</td> </tr> <tr> <td>Key Retirement</td> <td>48-hour overlap</td> <td>Immediate</td> </tr> </tbody> </table></div> <h4> 🔑 Key ID (kid) in JWTs </h4> <p>The <code>kid</code> (Key ID) is a header claim in JWT that tells the verifier which key was used to sign the token.</p> <p><strong>JWT Header Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-2025-06"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 🛡️ 4. Token Farming Attack Prevention </h3> <p><strong>Scenario:</strong> Attacker collects multiple refresh tokens and rapidly exchanges them for access tokens to harvest credentials or maintain persistent access.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2dhvwt93d437169ap2e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb2dhvwt93d437169ap2e.png" alt=" " width="800" height="734"></a></p> <p>The Token Bucket Rate Limiter prevents abuse of refresh token endpoints by controlling the request processing rate.</p> <p><strong>Key Features:</strong></p> <ul> <li> <strong>Burst Tolerance:</strong> Allows legitimate users to make multiple requests quickly</li> <li> <strong>Smooth Rate Limiting:</strong> Tokens refill at a steady rate over time</li> <li> <strong>Per-User Isolation:</strong> Each user has their own token bucket</li> <li> <strong>Memory Efficient:</strong> Automatic cleanup and minimal memory footprint</li> <li> <strong>Configurable:</strong> Easy to adjust capacity, refill rate, and intervals</li> </ul> <p><strong>Algorithm Flow:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request Arrives → Check Bucket → Has Tokens? → Process Request ↓ No Reject with 429 Error </code></pre> </div> <h3> 🛡️ 5. Brute Force and Bot Attack Prevention with Auth0 </h3> <p>Auth0 provides built-in capabilities to protect authentication endpoints.</p> <h4> Brute Force Protection </h4> <p><strong>How it works:</strong></p> <ul> <li>Monitors failed login attempts per user</li> <li>After 10 failed attempts, account is blocked for 1 minute (configurable)</li> <li>Block duration increases progressively with persistent failures</li> <li>All blocked attempts are logged in Auth0 Dashboard</li> </ul> <p><strong>Benefits:</strong></p> <ul> <li>Protects against brute-force password guessing</li> <li>Reduces risk of account enumeration</li> </ul> <h4> Bot Detection </h4> <p><strong>How it works:</strong></p> <ul> <li>Analyzes login requests for suspicious patterns</li> <li>Uses reputation intelligence and anomaly detection</li> <li>Challenges or blocks requests automatically</li> <li>May show CAPTCHA for suspicious logins</li> </ul> <p><strong>Benefits:</strong></p> <ul> <li>Stops automated attacks before reaching authentication pipeline</li> <li>Reduces system load from malicious traffic</li> </ul> <h2> 🧾 Example JWT Structures </h2> <h3> 🎫 Access Token </h3> <p><strong>JWT Header:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-2025-06"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>JWT Payload:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://iam.yourcompany.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_123456"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your-app-client-id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1717500000</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1717496400</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0d2ae315-01de-42e0-9f21-3b4e4212f41f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scope"</span><span class="p">:</span><span class="w"> </span><span class="s2">"read:profile write:profile"</span><span class="p">,</span><span class="w"> </span><span class="nl">"device_fingerprint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9f6a3cbcf56d2f2b5a4bfb59e5fcbba9f2..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"session_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"session_abc123"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 🔄 Refresh Token </h3> <p><strong>JWT Header:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"typ"</span><span class="p">:</span><span class="w"> </span><span class="s2">"JWT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"key-2025-06"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>JWT Payload:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"iss"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://iam.yourcompany.com/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_123456"</span><span class="p">,</span><span class="w"> </span><span class="nl">"aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"your-app-client-id"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1719500000</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">1717496400</span><span class="p">,</span><span class="w"> </span><span class="nl">"jti"</span><span class="p">:</span><span class="w"> </span><span class="s2">"67c4d2f2-317b-4a83-b5cb-8e7d5ad732ba"</span><span class="p">,</span><span class="w"> </span><span class="nl">"device_fingerprint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"9f6a3cbcf56d2f2b5a4bfb59e5fcbba9f2..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Key Fields </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>kid</td> <td>Identifies which signing key was used</td> </tr> <tr> <td>alg</td> <td>Algorithm used to sign the token (RS256)</td> </tr> <tr> <td>iss</td> <td>Who issued the token</td> </tr> <tr> <td>sub</td> <td>User ID</td> </tr> <tr> <td>aud</td> <td>Intended recipient</td> </tr> <tr> <td>exp</td> <td>Expiration time</td> </tr> <tr> <td>iat</td> <td>Issued-at timestamp</td> </tr> <tr> <td>jti</td> <td>Unique identifier for the token</td> </tr> <tr> <td>scope</td> <td>Permissions granted</td> </tr> <tr> <td>device_fingerprint</td> <td>Unique signature of the device</td> </tr> <tr> <td>session_id</td> <td>Session reference</td> </tr> </tbody> </table></div> <h2> 🔄 Architecture Flows </h2> <h3> 🚀 1. Login Flow </h3> <p>The login flow orchestrates the complete authentication process, from Auth0 validation to secure token generation with comprehensive security checks.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F03erv01mveqc73p1n7nt.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F03erv01mveqc73p1n7nt.png" alt=" " width="800" height="475"></a></p> <h3> 🔄 2. Refresh Token Flow </h3> <p>The refresh flow implements secure token rotation with comprehensive validation to prevent token replay attacks and unauthorized access.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqjc4d0hil4d7bd1kfsu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqjc4d0hil4d7bd1kfsu.png" alt=" " width="800" height="759"></a></p> <h3> 👋 3. Logout Flow </h3> <p>The logout flow ensures complete session termination with comprehensive cleanup to prevent any residual access or security vulnerabilities.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe4vne7du7d72wtg7gmxq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe4vne7du7d72wtg7gmxq.png" alt=" " width="800" height="482"></a></p> <h2> 📊 Session Activity Management </h2> <p>Session activity management is a critical component that monitors user engagement, detects anomalies, and automatically handles session lifecycle events including inactivity-based logouts. This system ensures optimal security while maintaining user experience through intelligent session management.</p> <p>Session activity management is our digital fitness tracker 📱 for user sessions! It monitors engagement, detects anomalies, and automatically handles session lifecycle events.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ya45vvtadtmoml06mrd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ya45vvtadtmoml06mrd.png" alt=" " width="800" height="540"></a></p> <h3> 🧩 How It Works </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc3x7t1yz90qxgwve5zz7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc3x7t1yz90qxgwve5zz7.png" alt=" " width="800" height="601"></a></p> <h4> 📈 Activity Tracking Pipeline </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Stage</th> <th>Description</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td>1. Event Capture</td> <td>Every user interaction recorded via WebSocket</td> <td>Mouse click, API call, typing</td> </tr> <tr> <td>2. Weight Assignment</td> <td>Each event gets a relevance score</td> <td>Keyboard = 0.3, API call = 0.7</td> </tr> <tr> <td>3. Score Calculation</td> <td>Activity score measures engagement</td> <td>Higher = more active session</td> </tr> <tr> <td>4. Session Update</td> <td>Redis record gets refreshed</td> <td>Timestamp, score, device info</td> </tr> <tr> <td>5. Timeout Reset</td> <td>TTL gets reset to idle_timeout</td> <td>30 minutes from last activity</td> </tr> </tbody> </table></div> <h3> ⚙️ Configuration Matrix </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>Idle Timeout</td> <td>30 minutes</td> <td>Session expires after inactivity</td> </tr> <tr> <td>Max Concurrent</td> <td>5 sessions</td> <td>Per user limit</td> </tr> <tr> <td>Activity Buffer</td> <td>100 events</td> <td>Rolling activity log</td> </tr> </tbody> </table></div> <h3> 🎯 Activity Event Weights </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event Type</th> <th>Weight</th> <th>Rationale</th> </tr> </thead> <tbody> <tr> <td>Mouse</td> <td>0.1</td> <td>Basic interaction</td> </tr> <tr> <td>Keyboard</td> <td>0.3</td> <td>Active engagement</td> </tr> <tr> <td>Navigation</td> <td>0.5</td> <td>Intentional movement</td> </tr> <tr> <td>API Calls</td> <td>0.7</td> <td>System interaction</td> </tr> <tr> <td>Sensitive Operations</td> <td>1.0</td> <td>Critical actions</td> </tr> </tbody> </table></div> <h3> Event Types Catalog </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Event</th> <th>Description</th> <th>Trigger</th> </tr> </thead> <tbody> <tr> <td>activity_update</td> <td>New user action extended session</td> <td>Any qualifying activity</td> </tr> <tr> <td>session_expired</td> <td>Session expired due to inactivity</td> <td>Timeout reached</td> </tr> <tr> <td>session_terminated</td> <td>Admin or policy terminated session</td> <td>Manual/automatic termination</td> </tr> <tr> <td>warning_threshold_reached</td> <td>User approaching idle timeout</td> <td>5 minutes before expiry</td> </tr> </tbody> </table></div> <h3> Example Client Payload </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"activity_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"keyboard_input"</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_sensitive_operation"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"is_automated"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp5dix34gzngcjizknwc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp5dix34gzngcjizknwc.png" alt=" " width="800" height="601"></a></p> <h2> 🛑 Redis Outage Impact and Fallback </h2> <h3> Impacts of Redis Outage </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>Session Cap Enforcement</td> <td>❌ Cannot track or enforce maximum sessions per user</td> </tr> <tr> <td>Token Revocation</td> <td>❌ Cannot check blacklist, revoked tokens still accepted</td> </tr> <tr> <td>Session Timeout Tracking</td> <td>❌ Cannot auto-expire sessions based on inactivity</td> </tr> <tr> <td>Real-time Notifications</td> <td>❌ No WebSocket notifications for session changes</td> </tr> <tr> <td>Refresh Token Rate Limiter</td> <td>❌ No Token Bucket maintained per user</td> </tr> <tr> <td>Token Validation (Signature)</td> <td>✅ Still works (JWT signature validation is stateless)</td> </tr> </tbody> </table></div> <h3> Fallback Strategy: Stateless-Only Mode </h3> <p>When Redis is down, fall back to purely stateless validation:</p> <h4> What We Keep Doing ✅ </h4> <ul> <li>Validate token signatures using signing key</li> <li>Validate expiry (exp claim)</li> <li>Validate claims (sub, aud, etc.)</li> <li>Users can log in and receive new tokens</li> </ul> <h4> What We Temporarily Lose ❌ </h4> <ul> <li>Enforcement of maximum sessions per user</li> <li>Token revocation (can't check if jti is blacklisted)</li> <li>Inactivity-based session expiry</li> <li>Token Rate Limiter</li> </ul> <h2> 📚 Glossary </h2> <h3> Technical Terms </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Term</th> <th>Definition</th> </tr> </thead> <tbody> <tr> <td>JWT (JSON Web Token)</td> <td>A self-contained token that carries user information and is cryptographically signed</td> </tr> <tr> <td>JTI (JWT ID)</td> <td>A unique identifier for each JWT to prevent replay attacks</td> </tr> <tr> <td>Device Fingerprinting</td> <td>Technique to uniquely identify devices based on browser/system characteristics</td> </tr> <tr> <td>TTL (Time To Live)</td> <td>How long a token or session remains valid before expiring</td> </tr> <tr> <td>Token Rotation</td> <td>Security practice of regularly changing cryptographic keys</td> </tr> <tr> <td>Replay Attack</td> <td>Security attack where valid tokens are reused maliciously</td> </tr> <tr> <td>WebSocket</td> <td>Real-time, bidirectional communication protocol between client and server</td> </tr> <tr> <td>Redis</td> <td>In-memory data store used for caching and session management</td> </tr> <tr> <td>Stateless</td> <td>Architecture where servers don't store client session information</td> </tr> <tr> <td>Auth0</td> <td>Third-party authentication service for identity management</td> </tr> </tbody> </table></div> <h3> Security Concepts </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concept</th> <th>Explanation</th> </tr> </thead> <tbody> <tr> <td>Defense in Depth</td> <td>Multiple layers of security controls working together</td> </tr> <tr> <td>Principle of Least Privilege</td> <td>Users get minimum access needed for their role</td> </tr> <tr> <td>Risk-Based Authentication</td> <td>Security measures adjust based on calculated risk levels</td> </tr> <tr> <td>Session Sliding Window</td> <td>Session timeout resets with each user activity</td> </tr> <tr> <td>Concurrent Session Limiting</td> <td>Restricting number of simultaneous user sessions</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>This stateless session management approach provides a robust, scalable, and secure foundation for our FastAPI IAM Platform. By combining Auth0's authentication capabilities with our comprehensive security measures, we achieve both excellent user experience and enterprise-grade security.</p> Setting Up Telemetry in Golang Akarshan Gandotra Thu, 03 Apr 2025 07:47:09 +0000 https://forem.com/akarshan/setting-up-telemetry-in-golang-37lo https://forem.com/akarshan/setting-up-telemetry-in-golang-37lo <h2> Introduction </h2> <p>Observability is a key aspect of modern applications, enabling developers to monitor and troubleshoot their systems effectively. OpenTelemetry (OTel) provides a standardized framework for tracing and metrics collection. This blog post covers the setup of telemetry in a Golang application using OpenTelemetry, focusing on traces and metrics.</p> <p>By integrating OpenTelemetry into your application, you can:</p> <ul> <li>Collect detailed traces of API calls and internal function executions.</li> <li>Monitor system performance through structured metrics.</li> <li>Gain insight into potential bottlenecks and optimize resource utilization.</li> </ul> <p>This guide will walk you through setting up telemetry for a Golang service, including trace and metric collection, middleware integration, and best practices.</p> <h2> Initializing Telemetry Objects </h2> <h3> 1. <code>serviceResource</code> </h3> <p>The <code>serviceResource</code> object defines metadata about the service, such as its name. It uses OpenTelemetry's semantic conventions to describe the running application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">var</span> <span class="n">serviceResource</span> <span class="o">=</span> <span class="n">resource</span><span class="o">.</span><span class="n">NewWithAttributes</span><span class="p">(</span> <span class="n">semconv</span><span class="o">.</span><span class="n">SchemaURL</span><span class="p">,</span> <span class="n">semconv</span><span class="o">.</span><span class="n">ServiceNameKey</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="s">"pth-auth-service"</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>This helps identify telemetry data originating from this service when viewed in monitoring tools like Grafana or Jaeger.</p> <h3> 2. <code>initTracer</code> </h3> <p>This function initializes the OpenTelemetry Tracer Provider, which enables distributed tracing. Distributed tracing is useful for tracking requests across different microservices and identifying latency issues.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">initTracer</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">otlpEndpoint</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">exporter</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">otlptracehttp</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otlptracehttp</span><span class="o">.</span><span class="n">WithEndpoint</span><span class="p">(</span><span class="n">otlpEndpoint</span><span class="p">),</span> <span class="n">otlptracehttp</span><span class="o">.</span><span class="n">WithInsecure</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create OTLP trace exporter: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">traceProvider</span> <span class="o">=</span> <span class="n">trace</span><span class="o">.</span><span class="n">NewTracerProvider</span><span class="p">(</span> <span class="n">trace</span><span class="o">.</span><span class="n">WithBatcher</span><span class="p">(</span><span class="n">exporter</span><span class="p">),</span> <span class="n">trace</span><span class="o">.</span><span class="n">WithResource</span><span class="p">(</span><span class="n">serviceResource</span><span class="p">),</span> <span class="p">)</span> <span class="n">otel</span><span class="o">.</span><span class="n">SetTracerProvider</span><span class="p">(</span><span class="n">traceProvider</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>This function sets up an HTTP-based OpenTelemetry exporter, which sends trace data to an OpenTelemetry collector or a monitoring backend. The <code>WithBatcher(exporter)</code> option ensures that traces are batched before being exported to improve performance.</p> <h3> 3. <code>initMetricProvider</code> </h3> <p>This function sets up the Metric Provider, allowing the application to collect and export metrics for monitoring performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">initMetricProvider</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">otelMetricsEndpoint</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">exporter</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">otlpmetrichttp</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otlpmetrichttp</span><span class="o">.</span><span class="n">WithEndpoint</span><span class="p">(</span><span class="n">otelMetricsEndpoint</span><span class="p">),</span> <span class="n">otlpmetrichttp</span><span class="o">.</span><span class="n">WithInsecure</span><span class="p">())</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create OTLP metric exporter: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">MeterProvider</span> <span class="o">=</span> <span class="n">sdkmetric</span><span class="o">.</span><span class="n">NewMeterProvider</span><span class="p">(</span> <span class="n">sdkmetric</span><span class="o">.</span><span class="n">WithReader</span><span class="p">(</span><span class="n">sdkmetric</span><span class="o">.</span><span class="n">NewPeriodicReader</span><span class="p">(</span><span class="n">exporter</span><span class="p">)),</span> <span class="n">sdkmetric</span><span class="o">.</span><span class="n">WithResource</span><span class="p">(</span><span class="n">serviceResource</span><span class="p">),</span> <span class="p">)</span> <span class="n">otel</span><span class="o">.</span><span class="n">SetMeterProvider</span><span class="p">(</span><span class="n">MeterProvider</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p>Metrics are crucial for tracking application behavior over time. Examples include HTTP request durations, memory usage, and active database connections.</p> <h3> 4. <code>registerMetrics</code> </h3> <p>This function registers various HTTP server metrics to track API performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">registerMetrics</span><span class="p">(</span><span class="n">meter</span> <span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">{</span> <span class="n">metrics</span> <span class="o">:=</span> <span class="p">[]</span><span class="k">struct</span> <span class="p">{</span> <span class="n">name</span> <span class="kt">string</span> <span class="n">description</span> <span class="kt">string</span> <span class="n">register</span> <span class="k">func</span><span class="p">(</span><span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">}{</span> <span class="p">{</span><span class="n">HTTPServerDuration</span><span class="p">,</span> <span class="s">"Measures the duration of inbound HTTP requests"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">m</span> <span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">Float64Histogram</span><span class="p">(</span><span class="n">HTTPServerDuration</span><span class="p">)</span> <span class="p">}},</span> <span class="p">{</span><span class="n">HTTPServerActiveRequests</span><span class="p">,</span> <span class="s">"Number of concurrent HTTP requests in flight"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">m</span> <span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">Int64UpDownCounter</span><span class="p">(</span><span class="n">HTTPServerActiveRequests</span><span class="p">)</span> <span class="p">}},</span> <span class="p">{</span><span class="n">HTTPServerRequestSize</span><span class="p">,</span> <span class="s">"Measures the size of HTTP request messages"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">m</span> <span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">Float64Histogram</span><span class="p">(</span><span class="n">HTTPServerRequestSize</span><span class="p">)</span> <span class="p">}},</span> <span class="p">{</span><span class="n">HTTPServerResponseSize</span><span class="p">,</span> <span class="s">"Measures the size of HTTP response messages"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">m</span> <span class="n">metric</span><span class="o">.</span><span class="n">Meter</span><span class="p">)</span> <span class="p">(</span><span class="k">interface</span><span class="p">{},</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="n">m</span><span class="o">.</span><span class="n">Float64Histogram</span><span class="p">(</span><span class="n">HTTPServerResponseSize</span><span class="p">)</span> <span class="p">}},</span> <span class="p">}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">metricDef</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">metrics</span> <span class="p">{</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">metricDef</span><span class="o">.</span><span class="n">register</span><span class="p">(</span><span class="n">meter</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"[Telemetry] Failed to create metric %s: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">metricDef</span><span class="o">.</span><span class="n">name</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>These metrics help monitor key aspects of API performance, such as latency and data transfer sizes.</p> <h3> 5. <code>InitTelemetry</code> </h3> <p>This function ties everything together by initializing both tracing and metrics. It reads necessary configurations from environment variables and ensures that telemetry is properly set up before the application starts handling requests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">InitTelemetry</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">ToLower</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"OTEL_SDK_DISABLED"</span><span class="p">))</span> <span class="o">==</span> <span class="s">"true"</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="n">otelEndpoint</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"OTEL_EXPORTER_OTLP_ENDPOINT"</span><span class="p">)</span> <span class="k">if</span> <span class="n">otelEndpoint</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create OTLP trace exporter: endpoint not set"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">initTracer</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otelEndpoint</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">appLogger</span><span class="o">.</span><span class="n">Debug</span><span class="p">()</span><span class="o">.</span><span class="n">Msg</span><span class="p">(</span><span class="s">"[Telemetry] Tracer initialized"</span><span class="p">)</span> <span class="n">otelMetricsEndpoint</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"OTEL_EXPORTER_OTLP_METRICS_ENDPOINT"</span><span class="p">)</span> <span class="k">if</span> <span class="n">otelMetricsEndpoint</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">otelMetricsEndpoint</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">Getenv</span><span class="p">(</span><span class="s">"OTEL_EXPORTER_OTLP_ENDPOINT"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">otelMetricsEndpoint</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create OTLP metric exporter: endpoint not set"</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">initMetricProvider</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">otelMetricsEndpoint</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">appLogger</span><span class="o">.</span><span class="n">Debug</span><span class="p">()</span><span class="o">.</span><span class="n">Msg</span><span class="p">(</span><span class="s">"[Telemetry] Metric Provider initialized"</span><span class="p">)</span> <span class="n">meter</span> <span class="o">:=</span> <span class="n">MeterProvider</span><span class="o">.</span><span class="n">Meter</span><span class="p">(</span><span class="s">"pth-auth-service"</span><span class="p">)</span> <span class="n">registerMetrics</span><span class="p">(</span><span class="n">meter</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h2> Integrating Telemetry with the Router </h2> <p>To enable telemetry in the router, we use OpenTelemetry middleware, which ensures all incoming requests are instrumented for tracing and metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">SetupRouter</span><span class="p">()</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Engine</span> <span class="p">{</span> <span class="n">router</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">router</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">otelgin</span><span class="o">.</span><span class="n">Middleware</span><span class="p">(</span><span class="s">"pth-auth-service"</span><span class="p">))</span> <span class="k">if</span> <span class="n">telemetry</span><span class="o">.</span><span class="n">MeterProvider</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">router</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middlewares</span><span class="o">.</span><span class="n">RequestMetricsMiddleware</span><span class="p">(</span><span class="n">telemetry</span><span class="o">.</span><span class="n">MeterProvider</span><span class="o">.</span><span class="n">Meter</span><span class="p">(</span><span class="s">"pth-auth-service"</span><span class="p">)))</span> <span class="p">}</span> <span class="n">router</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middlewares</span><span class="o">.</span><span class="n">LogRequestResponseMiddleware</span><span class="p">)</span> <span class="n">router</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/401"</span><span class="p">,</span> <span class="n">controllers</span><span class="o">.</span><span class="n">UnauthorizedResponse</span><span class="p">)</span> <span class="n">router</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/403"</span><span class="p">,</span> <span class="n">controllers</span><span class="o">.</span><span class="n">ForbiddenResponse</span><span class="p">)</span> <span class="n">router</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middlewares</span><span class="o">.</span><span class="n">TenantValidation</span><span class="p">())</span> <span class="n">router</span><span class="o">.</span><span class="n">Use</span><span class="p">(</span><span class="n">middlewares</span><span class="o">.</span><span class="n">TokenVerification</span><span class="p">())</span> <span class="n">router</span><span class="o">.</span><span class="n">POST</span><span class="p">(</span><span class="s">"/auth"</span><span class="p">,</span> <span class="n">controllers</span><span class="o">.</span><span class="n">Auth</span><span class="p">)</span> <span class="n">router</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/health"</span><span class="p">,</span> <span class="n">controllers</span><span class="o">.</span><span class="n">Health</span><span class="p">)</span> <span class="n">router</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/version"</span><span class="p">,</span> <span class="n">controllers</span><span class="o">.</span><span class="n">Version</span><span class="p">)</span> <span class="k">return</span> <span class="n">router</span> <span class="p">}</span> </code></pre> </div> <p>By adding OpenTelemetry middleware, we ensure that all HTTP requests are traced, allowing developers to debug issues more effectively.</p> <h2> References </h2> <ul> <li><a href="https://opentelemetry.io/docs/languages/go/" rel="noopener noreferrer">OpenTelemetry for Go</a></li> <li><a href="https://github.com/open-telemetry/opentelemetry-go" rel="noopener noreferrer">OpenTelemetry GitHub Repository</a></li> <li><a href="https://github.com/open-telemetry/opentelemetry-go-contrib/tree/main/instrumentation/github.com/gin-gonic/gin/otelgin" rel="noopener noreferrer">Gin Middleware for OpenTelemetry</a></li> </ul> <p>This setup ensures observability for our Golang service, helping developers gain insights into system behavior and performance.</p>