feat(api): Idempotency-Key support on POST routes (P3-G)#80
Merged
Conversation
Architect audit P3-G. Stripe-style at-most-once semantics for create
operations: clients that opt in by sending `Idempotency-Key: <key>` on
a POST get duplicate-suppression for free.
How it works:
- Cache scope is sha256(authKey || ':' || method || ':' || path),
so two operators (or two routes) cannot collide on the same key.
- Cache key is the raw `Idempotency-Key` header value (printable
ASCII, 1-255 chars, validated). Garbage headers return 400.
- The first response (status + JSON body) is persisted in the new
`dbo.IdempotencyKey` table with a 24h TTL.
- A retry with the SAME (scope, key, request body hash) replays the
cached response verbatim and carries `Idempotency-Replay: true`.
- A retry with the SAME (scope, key) but DIFFERENT body hash returns
`409 { code: "idempotency_key_reused" }` so the client knows it
reused a key for a semantically different request.
- 5xx responses are NOT cached — a real failure must be retriable.
- Request body hashing is canonical-JSON (key-sorted, recursive) so
benign field-order differences don't trip the body-mismatch path.
Migration: new `dbo.IdempotencyKey` table (ikScope, ikKey,
ikRequestHash, ikResponseStatus, ikResponseBody, ikCreatedAt,
ikExpiresAt) with a `UNIQUE (ikScope, ikKey)` constraint that
also handles the concurrent-first-write race via
`ON CONFLICT DO NOTHING`. Expired rows are pruned opportunistically
on each idempotent request — no background sweeper.
Mounted globally on `/v1/*` POSTs after `attachAuth` runs (so the
scope hash can include the resolved auth key). No-op when the
header is absent, so legacy clients are entirely unaffected.
Tests:
- `tests/unit/idempotency.test.js` (14 cases): canonical JSON
stability across key reordering, tenant/path isolation in the
scope hash, `KEY_PATTERN` accept/reject grid.
- `tests/api/idempotency.test.js` (4 cases): HTTP-level mount
verification — no header passes through, malformed header
400s before the controller runs, valid header reaches handler,
GETs are never gated.
- Full suite: 327 pass / 4 skip (was 309/4).
Full first-write→replay round-trip coverage requires a real DB and
lands in the integration suite once P5-M unlocks injectable DB.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of architect audit issue #73 — iteration P3-G.
Summary
Idempotency-Key: <printable-ASCII, 1-255>on any POST under/v1/*. First response is cached 24h, keyed bysha256(authKey:method:path)+ the raw key.Idempotency-Replay: trueheader).409 { code: "idempotency_key_reused" }.dbo.IdempotencyKeytable + migration; opportunistic TTL prune on each request — no sweeper job.Test plan
tests/unit/idempotency.test.js(14 cases): canonical-JSON stability, scope isolation, KEY_PATTERN accept/reject.tests/api/idempotency.test.js(4 cases): HTTP-level mount verification.This code proudly made in Nebraska. GO BIG RED! 🌽 https://xkcd.com/2347/