fix: move email & sms send out of the POST /user transaction
#2022
Conversation
Pull Request Test Coverage Report for Build 15113577233Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
There was a problem hiding this comment.
Apologies if you already considered this, but I think it's worth noting this is a really big behavior change and I worry without extensive tests there could be potential bugs or potential security considerations we are missing. I think it's worth thinking about what is done and rolled back in the current transaction.
For example the transaction in UserUpdate will:
- UpdatePassword
- UpdateUserMetadata
- UpdateAppMetadata
- Conditionally:
- Call emailChangeVerify
- Calls ClearOneTimeTokenForUser
- Updates confirmation status
- Update identities and perform email confirmation
- Call emailChangeVerify
Knowing that I think it's worth evaluating what sendEmailChange does and how it fails. For example it will call validateSentWithinFrequencyLimit, have we carefully considered the consequences of leaving the transaction in UserUpdate committed without performing all the write operations within sendEmailChange.
| @@ -263,5 +261,19 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error { | |||
| return err | |||
| } | |||
|
|
|||
| if sendEmailChange { | |||
| // email sending should not hold a database transaction open as latency incurred by SMTP or HTTP hooks can exhaust the database pool | |||
| if err := a.sendEmailChange(r, db, user, params.Email, flowType); err != nil { | |||
There was a problem hiding this comment.
Have we thought through the consequences of not rolling back the previous values in the transaction when sendEmailChange fails at every failure point?
There was a problem hiding this comment.
In general I think it should be fine. Yea the email send will fail, but the request will also fail and user can ask for re-send when email sending / SMS sending is back online.
There was a problem hiding this comment.
Maybe we need to do the rate limit prior the transaction as well.
There was a problem hiding this comment.
Agree with the concerns that we lose the atomicity: if the user updates multiple attributes in one API call(e.g raw_user_meta_data and email) and sendEmail fails, the user will have the partial updates(raw_user_meta_data will be updated even if the call fails). However I don't have the number how many users make multiple changes in one request, so could be OK to ignore.
As far as I check the api.UserUpdate, all the updates are idempotent (except logging audit entries) so retrying a request in case of sending email/sms fails should be fine.
There was a problem hiding this comment.
Oh I see. Changed up the code a bit more.
There was a problem hiding this comment.
That wasn't exactly what I was describing, but it's nice we added the transaction handling to the sendEmailChange function 👍
I was highlighting the (possible) confusion for the users, when they send the payload below to api.UpdateUser and the sendEmail function fails:
{
"email": "[email protected]",
"raw_user_meta_data": {"test":"test"}
}In that case, users would get a non-200 response from API but the database would be updated with the new raw_user_meta_data values.
What about returning success even if sending email/sms is failing? IMHO decoupling notification logic from the request handling would be way to go and in the long run, we can also process the notifications completely async.
There was a problem hiding this comment.
I think it may be worth evaluating some other options, such as:
- Writing a task to a queue in the db instead of sending the mail. It would be simply to spin up some workers to pull tasks at startup.
- Using
hookafterin a more general way, such astaskafter. This would be clean, simple and keep the operation within the request.
There was a problem hiding this comment.
What about returning success even if sending email/sms is failing? IMHO decoupling notification logic from the request handling would be way to go and in the long run, we can also process the notifications completely async.
I agree with you here, me and Stojan discussed this a little over the weekend and I just have a lot of concerns with changing the behavior of so many flows with the number of writes we do in this tx. I feel there is a subtle security or high impact bug in here somewhere.
hf
force-pushed
the
hf/move-email-sms-send-out-of-update-user-transaction
branch
from
278aa80 to
01c04ef
Compare
Keeping this inside the transaction can exhaust the database pool grinding full Auth to a halt, especially if the SMTP server or hook takes more than a few milliseconds to complete.