Skip to content

fix: Scope cached http(s) agents per-destination#6716

Open
davidkna-sap wants to merge 3 commits into
mainfrom
davidkna-sap_sap-key-http-agent-cache
Open

fix: Scope cached http(s) agents per-destination#6716
davidkna-sap wants to merge 3 commits into
mainfrom
davidkna-sap_sap-key-http-agent-cache

Conversation

@davidkna-sap

@davidkna-sap davidkna-sap commented Jun 29, 2026

Copy link
Copy Markdown
Member

): HttpAgentConfig | HttpsAgentConfig {
const protocol = getProtocolOrDefault(destination);
const cacheKey = hashCacheKey({ protocol, options });
const cacheKey = hashCacheKey({ destination, options });

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nit] destination.certificates and options already overlap — the same cert material ends up in the hash twice. Is there any functional impact on this change?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Including the full destination busts the cache on every token refresh for OAuth2ClientCredentials/OAuth2SAMLBearerFlow destinations — `authTokens.value changes hourly but is never read by createAgent, so keep-alive reuse breaks entirely for those destinations.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to suggest scoping the key to only what affects agent behavior:

  const cacheKey = hashCacheKey({
    protocol,
    options,
    proxyConfiguration: destination.proxyConfiguration,
    cloudConnectorLocationId: destination.cloudConnectorLocationId
  });

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a 1h cache is acceptable for this use-case. In addition to cloudConnectorLocationId for the proxy the agent also needs to be keyed per-user.

@InjunPark-sap InjunPark-sap left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit question and suggest changes on http-agent.ts:309

@InjunPark-sap InjunPark-sap left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two open questions:

  1. Does authTokens actually appear in the destination object passed to getAgentConfig in OAuth2 flows? If yes, every token refresh produces a new cache key and keep-alive reuse is lost.

  2. Is proxyConfiguration sufficient for per-user keying, or are there cases where the user identity affects agent behavior outside of proxyConfiguration.headers?

@davidkna-sap

Copy link
Copy Markdown
Member Author

@InjunPark-sap

  1. I would say that is acceptable.
  2. The user keying appears to work for the specific support cases, but in general other destination types appear to be less picky.

InjunPark-sap
InjunPark-sap previously approved these changes Jul 8, 2026

@InjunPark-sap InjunPark-sap left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approval with the understanding that OAuth2 destinations will see reduced agent reuse on token refresh. (Worth revisiting if it shows up as a connection overhead issue in production.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants