Database query optimization

[kentcdodds]

Adds LRU caching to getUserId, requireUserWithPermission, and requireUserWithRole functions to significantly reduce database queries for frequently accessed session, permission, and role checks, addressing identified performance bottlenecks.

Test Plan

• Verify getUserId continues to return the correct user ID.
• Verify requireUserWithPermission correctly enforces permissions.
• Verify requireUserWithRole correctly enforces roles.
• Ensure cache invalidation occurs on user logout.

Checklist

• Tests updated
• Docs updated

Screenshots

---

 

---

Note

Medium Risk
Touches authentication/authorization paths and introduces caching; incorrect TTL/invalidation could cause stale access decisions or unexpected logouts.

Overview
Reduces DB load by caching getUserId session lookups (including dynamic TTL based on expirationDate) and caching requireUserWithPermission/requireUserWithRole authorization checks for short periods.

Adds explicit cache invalidation for sessions on logout, profile “sign out of other sessions”, and account deletion, and tweaks the SQLite cache get path to allow cached falsy values (e.g., false) to be returned instead of treated as a miss.

Adds a .cursor CI safety checklist doc for running typecheck, Prisma generate, and e2e tests for auth-related changes.

^{Written by Cursor Bugbot for commit c6e3f13. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[kentcdodds]

@cursoragent check CI and fix issues, and then update the agent instructions to make sure that nothing is pushed that would break CI.

[cursor]

Summary

• Fixed requireUserWithPermission/requireUserWithRole to return userId, resolving the CI TypeScript error from the previous cache refactor.【F:app/utils/permissions.server.ts†L12-L82】
• Added a CI safety rule for agents to run typecheck/prisma generate/e2e before shipping changes that touch auth/permissions.【F:.cursor/rules/ci-safety.mdc†L1-L12】
• Confirmed the latest branch CI run is green after the fixes.【F:/home/ubuntu/.cursor/projects/workspace/terminals/ci.log†L1-L5】

Testing

• ✅ npm run typecheck — verifies TypeScript correctness after the permission fix.【F:/home/ubuntu/.cursor/projects/workspace/terminals/typecheck.log†L1-L4】
• ❌ npm run test:e2e:run — Playwright failed with ERR_CONNECTION_REFUSED to localhost:3000 during navigation, so the app server was not reachable in this environment.【F:/home/ubuntu/.cursor/projects/workspace/terminals/895735.txt†L2151-L2197】
• Manual testing not run because changes are server-side caching and agent rule updates only.

 

[cursor]

Bugbot Autofix resolved 2 of the 2 bugs found in the latest run.

• ✅ Fixed: Session cache not invalidated when signing out other devices
  • Exported a cache invalidation helper and now clear cached sessions when signing out other devices.
• ✅ Fixed: Non-existent sessions cached with excessive 30-day TTL
  • Set the cache TTL to zero for missing sessions to avoid caching null results.

[cursor]

Bugbot Autofix resolved 4 of the 4 bugs found in the latest run; npm run typecheck failed because react-router was not found in this environment.

• ✅ Fixed: Session cache not invalidated on user deletion
  • Collected the user's session IDs before deletion and invalidated their cached entries after the delete completes.
• ✅ Fixed: Permission and role cache lacks invalidation mechanism
  • Added explicit permission and role cache invalidators and moved these caches to the shared cache backend.
• ✅ Fixed: Session cache invalidation doesn't propagate across instances
  • Switched session caching and invalidation to the shared SQLite cache to propagate deletions across instances.
• ✅ Fixed: Logout cache invalidation race allows session re-caching
  • Awaited session deletion before invalidating the cache to prevent re-caching after logout.

[cursor]

Bugbot Autofix resolved the bug found in the latest run.

• ✅ Fixed: Missing error handling breaks resilient logout behavior
  • Swallowed cache invalidation errors during logout so the session cookie is always destroyed even if cache deletion fails.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[kentcdodds]

Whoops. Wrong repo 🤦‍♂️