fix(collect): prevent caching argon2id timeout errors as invalid credentials

edospadoni · edospadoni · commit 8d446026938b · 2026-03-03T08:46:45.000+01:00
Timeout errors from the argon2id semaphore were cached as negative auth
results, blocking legitimate systems for 1 minute even after load subsided.
Also make the concurrency semaphore configurable via ARGON2_CONCURRENCY env
var (default: 2) and initialize it at runtime instead of package init.
diff --git a/collect/.env.example b/collect/.env.example
@@ -64,6 +64,9 @@ REDIS_URL=redis://localhost:6379
 # Authentication cache
 #SYSTEM_AUTH_CACHE_TTL=5m
 
+# Argon2id concurrent verifications (each uses ~64MB RAM)
+#ARGON2_CONCURRENCY=2
+
 # API configuration
 #API_MAX_REQUEST_SIZE=10485760  # 10MB
 #API_REQUEST_TIMEOUT=30s
diff --git a/collect/configuration/configuration.go b/collect/configuration/configuration.go
@@ -67,6 +67,7 @@ type Configuration struct {
 	// System authentication configuration
 	SystemSecretMinLength int           `json:"system_secret_min_length"`
 	SystemAuthCacheTTL    time.Duration `json:"system_auth_cache_ttl"`
+	Argon2Concurrency     int           `json:"argon2_concurrency"`
 
 	// API configuration
 	APIMaxRequestSize int64         `json:"api_max_request_size"`
@@ -147,6 +148,7 @@ func Init() {
 	// System authentication configuration
 	Config.SystemSecretMinLength = parseIntWithDefault("SYSTEM_SECRET_MIN_LENGTH", 32)
 	Config.SystemAuthCacheTTL = parseDurationWithDefault("SYSTEM_AUTH_CACHE_TTL", 5*time.Minute)
+	Config.Argon2Concurrency = parseIntWithDefault("ARGON2_CONCURRENCY", 2)
 
 	// API configuration
 	Config.APIMaxRequestSize = parseInt64WithDefault("API_MAX_REQUEST_SIZE", 10*1024*1024) // 10MB
diff --git a/collect/main.go b/collect/main.go
@@ -71,6 +71,9 @@ func main() {
 	// Init configuration
 	configuration.Init()
 
+	// Initialize Argon2id concurrency semaphore (after config is loaded)
+	middleware.InitArgon2Semaphore()
+
 	// Initialize database connection
 	err = database.Init()
 	if err != nil {
diff --git a/collect/middleware/auth.go b/collect/middleware/auth.go
@@ -31,9 +31,15 @@ import (
 )
 
 // argon2Semaphore limits concurrent Argon2id verifications to prevent OOM.
-// Each Argon2id verification allocates ~64MB (m=65536), so limiting to 2
-// concurrent verifications caps auth memory at ~128MB.
-var argon2Semaphore = make(chan struct{}, 2)
+// Each Argon2id verification allocates ~64MB (m=65536). The concurrency limit
+// is configurable via ARGON2_CONCURRENCY (default: 2, ~128MB max auth memory).
+var argon2Semaphore chan struct{}
+
+// InitArgon2Semaphore initializes the semaphore with the configured concurrency.
+// Must be called after configuration.Init().
+func InitArgon2Semaphore() {
+	argon2Semaphore = make(chan struct{}, configuration.Config.Argon2Concurrency)
+}
 
 // inProcessAuthCache provides an in-process cache for auth results.
 // After a service restart, Redis auth cache entries are gone; this avoids
@@ -284,9 +290,8 @@ func validateSystemCredentials(c *gin.Context, systemKey, systemSecret string) (
 			Str("system_id", creds.SystemID).
 			Msg("Failed to verify system secret part")
 
-		// Cache negative result
-		cacheCredentialsResult(c, systemKey, systemSecret, "", false)
-		setInProcessCache(systemKey, systemSecret, "", false)
+		// Do not cache timeout errors as invalid: the credentials may be valid,
+		// but the server is under load. Caching would block legitimate systems.
 		return "", false
 	}
 
diff --git a/collect/middleware/auth_unit_test.go b/collect/middleware/auth_unit_test.go
@@ -30,6 +30,7 @@ func TestBasicAuthMiddleware(t *testing.T) {
 
 	// Initialize configuration for testing
 	configuration.Init()
+	InitArgon2Semaphore()
 
 	tests := []struct {
 		name           string
