fix: make UserRistrettoCache a singleton so all callers share one cache

AchoArnold · Copilot · AchoArnold · commit a3889cdcdc2e · 2026-05-13T22:10:20.000+03:00
The root cause of the test failure: UserRistrettoCache() created a new
ristretto cache on every call. The auth middleware and the RotateAPIKey
handler received separate cache instances, so cache.Del() in the
handler had no effect on the middleware's cache — the old key kept
authenticating.

Fix: store the cache as a field on the Container struct and return it
on subsequent calls (lazy singleton pattern), matching how db, app,
and eventDispatcher are already handled.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/api/pkg/di/container.go b/api/pkg/di/container.go
@@ -86,6 +86,7 @@ type Container struct {
 	eventDispatcher      *services.EventDispatcher
 	logger               telemetry.Logger
 	attachmentRepository repositories.AttachmentRepository
+	userRistrettoCache   *ristretto.Cache[string, entities.AuthContext]
 }
 
 // NewLiteContainer creates a Container without any routes or listeners
@@ -1730,8 +1731,11 @@ func (container *Container) PhoneRistrettoCache() (cache *ristretto.Cache[string
 }
 
 // UserRistrettoCache creates an in-memory *ristretto.Cache[string, entities.AuthContext]
-func (container *Container) UserRistrettoCache() (cache *ristretto.Cache[string, entities.AuthContext]) {
-	container.logger.Debug(fmt.Sprintf("creating %T", cache))
+func (container *Container) UserRistrettoCache() *ristretto.Cache[string, entities.AuthContext] {
+	if container.userRistrettoCache != nil {
+		return container.userRistrettoCache
+	}
+	container.logger.Debug(fmt.Sprintf("creating %T", container.userRistrettoCache))
 	ristrettoCache, err := ristretto.NewCache[string, entities.AuthContext](&ristretto.Config[string, entities.AuthContext]{
 		MaxCost:     5000,
 		NumCounters: 5000 * 10,
@@ -1740,6 +1744,7 @@ func (container *Container) UserRistrettoCache() (cache *ristretto.Cache[string,
 	if err != nil {
 		container.logger.Fatal(stacktrace.Propagate(err, "cannot create user ristretto cache"))
 	}
+	container.userRistrettoCache = ristrettoCache
 	return ristrettoCache
 }
 
diff --git a/api/pkg/repositories/gorm_user_repository.go b/api/pkg/repositories/gorm_user_repository.go
@@ -84,9 +84,8 @@ func (repository *gormUserRepository) RotateAPIKey(ctx context.Context, userID e
 	}
 
 	if err == nil && oldAPIKey != "" {
-		// Wait() flushes any pending buffered Set operations in ristretto
-		// before Del, preventing a race where a prior request's async Set
-		// re-adds the key after our Del removes it from the store.
+		// Flush pending ristretto Set operations before Del to avoid a
+		// buffered Set re-adding the entry after removal.
 		repository.cache.Wait()
 		repository.cache.Del(oldAPIKey)
 	}

Original file line number	Diff line number	Diff line change
`@@ -84,9 +84,8 @@ func (repository *gormUserRepository) RotateAPIKey(ctx context.Context, userID e`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`if err == nil && oldAPIKey != "" {`
`87`		`- // Wait() flushes any pending buffered Set operations in ristretto`
`88`		`- // before Del, preventing a race where a prior request's async Set`
`89`		`- // re-adds the key after our Del removes it from the store.`
	`87`	`+ // Flush pending ristretto Set operations before Del to avoid a`
	`88`	`+ // buffered Set re-adding the entry after removal.`
`90`	`89`	`repository.cache.Wait()`
`91`	`90`	`repository.cache.Del(oldAPIKey)`
`92`	`91`	`}`