Skip to content

fix: use end-user ID in OBO analytics cache key#268

Merged
MarioCadenas merged 1 commit intomainfrom
fix/obo-analytics-cache-key
Apr 13, 2026
Merged

fix: use end-user ID in OBO analytics cache key#268
MarioCadenas merged 1 commit intomainfrom
fix/obo-analytics-cache-key

Conversation

@MarioCadenas
Copy link
Copy Markdown
Collaborator

@MarioCadenas MarioCadenas commented Apr 13, 2026

Summary

  • Fix cross-user data leak in OBO analytics caching. getCurrentUserId() was called outside runInUserContext, so the cache key for .obo.sql queries used the service principal's ID instead of the requesting user's. Two different users making the same OBO query with the same parameters shared a single cache entry.
  • Read user ID from request header directly via resolveUserId(req) instead of relying on AsyncLocalStorage, which hadn't entered user context yet at the point where the cache key was constructed.
  • Add regression test that verifies two users making identical OBO queries get separate cache entries and their own query results.

Test plan

  • New test: "OBO cache key must use the end user's ID, not the service principal's" — confirms executeStatement is called once per user, not shared via cache
  • All existing analytics tests pass (unit + integration)
  • Full test suite passes (82 files, 1535 tests)
  • TypeScript type check passes
  • Biome lint/format passes

@MarioCadenas
fix: use end-user ID in OBO analytics cache key
4bfb40d 
getCurrentUserId() was called outside runInUserContext, so the cache key
for OBO queries used the service principal's ID instead of the requesting
user's. Two different users making the same OBO query with the same
parameters would share a single cache entry — a cross-user data leak.

Read the user ID directly from the request header via resolveUserId(req),
which is the source of truth for "who is asking."

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
ditadi
ditadi approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ditadi ditadi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

@MarioCadenas MarioCadenas merged commit a8e9f6e into main Apr 13, 2026
7 checks passed
@MarioCadenas MarioCadenas deleted the fix/obo-analytics-cache-key branch April 13, 2026 10:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ditadi ditadi ditadi approved these changes

@atilafassina atilafassina Awaiting requested review from atilafassina

@pkosiec pkosiec Awaiting requested review from pkosiec

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MarioCadenas @ditadi