feat: add agent cache in user package

- use cached agent in all middlewares
- fix: race in casbin that gave permission denied error.
- stop loading permissions into casbin on every `Enforce` function call instead cache user permissions in authz package and when permissions change only the load permission as policies atomically.
- sort permissions in get-agents to make the permissions slice comparsion using slices.Equal work

Author: abhinavxd

cmd/middlewares.go

@@ -24,7 +24,7 @@ func tryAuth(handler fastglue.FastRequestHandler) fastglue.FastRequestHandler {
 		}
 
 		// Try to get user.
-		user, err := app.user.GetAgent(userSession.ID, "")
+		user, err := app.user.GetAgentCachedOrLoad(userSession.ID)
 		if err != nil {
 			return handler(r)
 		}
@@ -54,7 +54,7 @@ func auth(handler fastglue.FastRequestHandler) fastglue.FastRequestHandler {
 		}
 
 		// Set user in the request context.
-		user, err := app.user.GetAgent(userSession.ID, "")
+		user, err := app.user.GetAgentCachedOrLoad(userSession.ID)
 		if err != nil {
 			return sendErrorEnvelope(r, err)
 		}
@@ -92,8 +92,8 @@ func perm(handler fastglue.FastRequestHandler, perm string) fastglue.FastRequest
 			return r.SendErrorEnvelope(http.StatusUnauthorized, app.i18n.T("auth.invalidOrExpiredSession"), nil, envelope.GeneralError)
 		}
 
-		// Get user from DB.
-		user, err := app.user.GetAgent(sessUser.ID, "")
+		// Get agent user from cache or load it.
+		user, err := app.user.GetAgentCachedOrLoad(sessUser.ID)
 		if err != nil {
 			return sendErrorEnvelope(r, err)
 		}

cmd/users.go

@@ -148,6 +148,7 @@ func handleCreateAgent(r *fastglue.Request) error {
 	var (
 		app  = r.Context.(*App)
 		user = models.User{}
+		err  error
 	)
 	if err := r.Decode(&user, "json"); err != nil {
 		return r.SendErrorEnvelope(fasthttp.StatusBadRequest, app.i18n.Ts("globals.messages.errorParsing", "name", "{globals.terms.request}"), nil, envelope.InputError)
@@ -165,8 +166,7 @@ func handleCreateAgent(r *fastglue.Request) error {
 		return r.SendErrorEnvelope(fasthttp.StatusBadRequest, app.i18n.Ts("globals.messages.empty", "name", "`first_name`"), nil, envelope.InputError)
 	}
 
-	// Right now, only agents can be created.
-	if err := app.user.CreateAgent(&user); err != nil {
+	if user, err = app.user.CreateAgent(&user); err != nil {
 		return sendErrorEnvelope(r, err)
 	}
 
@@ -204,7 +204,7 @@ func handleCreateAgent(r *fastglue.Request) error {
 			return r.SendEnvelope(true)
 		}
 	}
-	return r.SendEnvelope(true)
+	return r.SendEnvelope(user)
 }
 
 // handleUpdateAgent updates an agent.
@@ -214,9 +214,9 @@ func handleUpdateAgent(r *fastglue.Request) error {
 		user  = models.User{}
 		auser = r.RequestCtx.UserValue("user").(amodels.User)
 		ip    = realip.FromRequest(r.RequestCtx)
+		id, _ = strconv.Atoi(r.RequestCtx.UserValue("id").(string))
 	)
-	id, err := strconv.Atoi(r.RequestCtx.UserValue("id").(string))
-	if err != nil || id == 0 {
+	if id == 0 {
 		return r.SendErrorEnvelope(fasthttp.StatusBadRequest, app.i18n.Ts("globals.messages.empty", "name", "`id`"), nil, envelope.InputError)
 	}
 
@@ -247,6 +247,9 @@ func handleUpdateAgent(r *fastglue.Request) error {
 		return sendErrorEnvelope(r, err)
 	}
 
+	// Invalidate authz cache.
+	app.authz.InvalidateUserCache(id)
+
 	// Create activity log if user availability status changed.
 	if oldAvailabilityStatus != user.AvailabilityStatus {
 		if err := app.activityLog.UserAvailability(auser.ID, auser.Email, user.AvailabilityStatus, ip, user.Email.String, id); err != nil {

frontend/src/features/admin/agents/AgentForm.vue

@@ -85,7 +85,7 @@
 
     <FormField v-slot="{ componentField, handleChange }" name="teams">
       <FormItem v-auto-animate>
-        <FormLabel>{{ $t('globals.terms.teams') }}</FormLabel>
+        <FormLabel>{{ $t('globals.terms.team', 2) }}</FormLabel>
         <FormControl>
           <SelectTag
             :items="teamOptions"

internal/authz/authz.go

@@ -6,6 +6,7 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+	"sync"
 
 	cmodels "github.com/abhinavxd/libredesk/internal/conversation/models"
 	"github.com/abhinavxd/libredesk/internal/envelope"
@@ -19,8 +20,11 @@ import (
 // Enforcer is a wrapper around Casbin enforcer.
 type Enforcer struct {
 	enforcer *casbin.SyncedEnforcer
-	lo       *logf.Logger
-	i18n     *i18n.I18n
+	// User permissions cache to avoid loading policies into Casbin every time.
+	permsCache   map[int][]string
+	permsCacheMu sync.RWMutex
+	lo           *logf.Logger
+	i18n         *i18n.I18n
 }
 
 const casbinModel = `
@@ -48,36 +52,67 @@ func NewEnforcer(lo *logf.Logger, i18n *i18n.I18n) (*Enforcer, error) {
 		return nil, fmt.Errorf("failed to create Casbin enforcer: %v", err)
 	}
 
-	return &Enforcer{enforcer: e, lo: lo, i18n: i18n}, nil
+	return &Enforcer{
+		enforcer:   e,
+		permsCache: make(map[int][]string),
+		lo:         lo,
+		i18n:       i18n,
+	}, nil
 }
 
-// LoadPermissions syncs user permissions with Casbin enforcer by removing existing
-// policies and adding current permissions as new policies
+// LoadPermissions syncs user permissions with Casbin enforcer by removing existing policies and adding current permissions as new policies.
 func (e *Enforcer) LoadPermissions(user umodels.User) error {
-	// Remove existing policies for the user
-	_, err := e.enforcer.RemoveFilteredPolicy(0, strconv.Itoa(user.ID))
-	if err != nil {
-		return fmt.Errorf("failed to remove policies: %v", err)
+	e.permsCacheMu.RLock()
+	cached, exists := e.permsCache[user.ID]
+	e.permsCacheMu.RUnlock()
+
+	if exists && slices.Equal(cached, user.Permissions) {
+		return nil
 	}
 
-	// Add each permission as a policy
+	e.lo.Debug("loading user permissions in enforcer cache", "user_id", user.ID, "permissions", user.Permissions)
+
+	// Build all policies and add them to the enforcer.
+	var policies [][]string
+	userID := strconv.Itoa(user.ID)
 	for _, perm := range user.Permissions {
 		parts := strings.Split(perm, ":")
 		if len(parts) != 2 {
 			return fmt.Errorf("invalid permission format: %s", perm)
 		}
+		policies = append(policies, []string{userID, parts[0], parts[1]})
+	}
+
+	_, err := e.enforcer.RemoveFilteredPolicy(0, userID)
+	if err != nil {
+		return fmt.Errorf("failed to remove policies: %v", err)
+	}
 
-		userID, permObj, permAct := strconv.Itoa(user.ID), parts[0], parts[1]
-		if _, err := e.enforcer.AddPolicy(userID, permObj, permAct); err != nil {
-			return fmt.Errorf("failed to add casbin policy: %v", err)
+	if len(policies) > 0 {
+		_, err = e.enforcer.AddPolicies(policies)
+		if err != nil {
+			return fmt.Errorf("failed to add policies: %v", err)
 		}
 	}
+
+	// Update permsCache with the latest permissions
+	e.permsCacheMu.Lock()
+	e.permsCache[user.ID] = slices.Clone(user.Permissions)
+	e.permsCacheMu.Unlock()
+
 	return nil
 }
 
+// InvalidateUserCache removes user from permsCache to be called when user permissions change.
+func (e *Enforcer) InvalidateUserCache(userID int) {
+	e.permsCacheMu.Lock()
+	delete(e.permsCache, userID)
+	e.permsCacheMu.Unlock()
+}
+
 // Enforce checks if a user has permission to perform an action on an object.
 func (e *Enforcer) Enforce(user umodels.User, obj, act string) (bool, error) {
-	// Load permissions before enforcing.
+	// Load permissions before enforcing as user perjissions might have changed.
 	err := e.LoadPermissions(user)
 	if err != nil {
 		e.lo.Error("error loading permissions", "user_id", user.ID, "object", obj, "action", act, "error", err)
@@ -93,12 +128,11 @@ func (e *Enforcer) Enforce(user umodels.User, obj, act string) (bool, error) {
 }
 
 // EnforceConversationAccess determines if a user has access to a specific conversation based on their permissions.
-// Access can be granted under the following conditions:
+// Requires basic "read" permission AND one of the following conditions:
 // 1. User has the "read_all" permission, allowing access to all conversations.
 // 2. User has the "read_assigned" permission and is the assigned user.
 // 3. User has the "read_team_inbox" permission and is part of the assigned team, with the conversation NOT assigned to any user.
 // 4. User has the "read_unassigned" permission and the conversation is not assigned to any user or team.
-// 5. User has the "read" permission, allowing access to the conversation.
 // Returns true if access is granted, false otherwise. In case of an error while checking permissions returns false and the error.
 func (e *Enforcer) EnforceConversationAccess(user umodels.User, conversation cmodels.Conversation) (bool, error) {
 	checkPermission := func(action string) (bool, error) {

internal/user/agent.go

@@ -29,9 +29,44 @@ func (u *Manager) MonitorAgentAvailability(ctx context.Context) {
 	}
 }
 
-// GetAgent retrieves an agent by ID.
+// GetAgent retrieves an agent by ID and also caches it for future requests.
 func (u *Manager) GetAgent(id int, email string) (models.User, error) {
-	return u.Get(id, email, models.UserTypeAgent)
+	agent, err := u.Get(id, email, models.UserTypeAgent)
+	if err != nil {
+		return models.User{}, err
+	}
+
+	u.agentCacheMu.Lock()
+	u.agentCache[id] = agent
+	u.agentCacheMu.Unlock()
+
+	return agent, nil
+}
+
+// GetAgentFromCache retrieves an agent from the cache by ID.
+func (u *Manager) GetAgentFromCache(id int) (models.User, bool) {
+	u.agentCacheMu.RLock()
+	defer u.agentCacheMu.RUnlock()
+	agent, exists := u.agentCache[id]
+	if !exists {
+		return models.User{}, false
+	}
+	return agent, true
+}
+
+// GetAgentCachedOrLoad retrieves an agent from cache, falling back to DB if not cached.
+func (u *Manager) GetAgentCachedOrLoad(id int) (models.User, error) {
+	if agent, exists := u.GetAgentFromCache(id); exists {
+		return agent, nil
+	}
+	return u.GetAgent(id, "")
+}
+
+// InvalidateAgentCache invalidates the agent cache for a specific agent ID.
+func (u *Manager) InvalidateAgentCache(id int) {
+	u.agentCacheMu.Lock()
+	defer u.agentCacheMu.Unlock()
+	delete(u.agentCache, id)
 }
 
 // GetAgentsCompact returns a compact list of users with limited fields.
@@ -47,22 +82,22 @@ func (u *Manager) GetAgentsCompact() ([]models.User, error) {
 	return users, nil
 }
 
-// CreateAgent creates a new agent user.
-func (u *Manager) CreateAgent(user *models.User) error {
+// CreateAgent creates a new agent user and returns the created user.
+func (u *Manager) CreateAgent(user *models.User) (models.User, error) {
 	password, err := u.generatePassword()
 	if err != nil {
 		u.lo.Error("error generating password", "error", err)
-		return envelope.NewError(envelope.GeneralError, u.i18n.Ts("globals.messages.errorCreating", "name", "{globals.terms.user}"), nil)
+		return models.User{}, envelope.NewError(envelope.GeneralError, u.i18n.Ts("globals.messages.errorCreating", "name", "{globals.terms.user}"), nil)
 	}
 	user.Email = null.NewString(strings.TrimSpace(strings.ToLower(user.Email.String)), user.Email.Valid)
 	if err := u.q.InsertAgent.QueryRow(user.Email, user.FirstName, user.LastName, password, user.AvatarURL, pq.Array(user.Roles)).Scan(&user.ID); err != nil {
 		if dbutil.IsUniqueViolationError(err) {
-			return envelope.NewError(envelope.GeneralError, u.i18n.T("user.sameEmailAlreadyExists"), nil)
+			return models.User{}, envelope.NewError(envelope.GeneralError, u.i18n.T("user.sameEmailAlreadyExists"), nil)
 		}
 		u.lo.Error("error creating user", "error", err)
-		return envelope.NewError(envelope.GeneralError, u.i18n.Ts("globals.messages.errorCreating", "name", "{globals.terms.user}"), nil)
+		return models.User{}, envelope.NewError(envelope.GeneralError, u.i18n.Ts("globals.messages.errorCreating", "name", "{globals.terms.user}"), nil)
 	}
-	return nil
+	return u.GetAgent(user.ID, "")
 }
 
 // UpdateAgent updates an agent in the database, including their password if provided.
@@ -85,11 +120,12 @@ func (u *Manager) UpdateAgent(id int, user models.User) error {
 		u.lo.Info("setting new password for user", "user_id", id)
 	}
 
-	// Update user in the database.
+	// Update user in the database and clear cache.
 	if _, err := u.q.UpdateAgent.Exec(id, user.FirstName, user.LastName, user.Email, pq.Array(user.Roles), user.AvatarURL, hashedPassword, user.Enabled, user.AvailabilityStatus); err != nil {
 		u.lo.Error("error updating user", "error", err)
 		return envelope.NewError(envelope.GeneralError, u.i18n.Ts("globals.messages.errorUpdating", "name", "{globals.terms.user}"), nil)
 	}
+	u.InvalidateAgentCache(id)
 	return nil
 }
 

internal/user/queries.sql

@@ -56,7 +56,7 @@ SELECT
          WHERE tm.user_id = u.id),
         '[]'
     ) AS teams,
-    array_agg(DISTINCT p) FILTER (WHERE p IS NOT NULL) AS permissions
+    array_agg(DISTINCT p ORDER BY p) FILTER (WHERE p IS NOT NULL) AS permissions
 FROM users u
 LEFT JOIN user_roles ur ON ur.user_id = u.id
 LEFT JOIN roles r ON r.id = ur.role_id

internal/user/user.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"regexp"
 	"strings"
+	"sync"
 
 	"log"
 
@@ -43,10 +44,12 @@ var (
 
 // Manager handles user-related operations.
 type Manager struct {
-	lo   *logf.Logger
-	i18n *i18n.I18n
-	q    queries
-	db   *sqlx.DB
+	lo           *logf.Logger
+	i18n         *i18n.I18n
+	q            queries
+	db           *sqlx.DB
+	agentCache   map[int]models.User
+	agentCacheMu sync.RWMutex
 }
 
 // Opts contains options for initializing the Manager.
@@ -88,10 +91,11 @@ func New(i18n *i18n.I18n, opts Opts) (*Manager, error) {
 		return nil, err
 	}
 	return &Manager{
-		q:    q,
-		lo:   opts.Lo,
-		i18n: i18n,
-		db:   opts.DB,
+		q:          q,
+		lo:         opts.Lo,
+		i18n:       i18n,
+		db:         opts.DB,
+		agentCache: make(map[int]models.User),
 	}, nil
 }