fix(auth): skip WorkOS reads when org already linked locally#2844
Conversation
https://linear.app/speakeasy/issue/AGE-2324/authcallback-latency-n1-workos-getorganization-fan-out-on-every-login `syncMembershipsFromWorkOS` previously made two WorkOS API reads per membership on every login: one direct `GetOrganization` for the org name/external_id, and one inside `EnsureOrgExternalID`. A user in ten orgs paid ~20 sequential cross-region round-trips on each login, driving 3-5s `auth.callback` latency. The org name and external_id are only needed when the local row is missing or unlinked. Reorder the per-membership work to look up by workos_id first; on hit, skip both WorkOS calls. The rare new-org / link path still fetches from WorkOS and pushes external_id back so disaster recovery via `resolveGramOrgID`'s external_id fallback keeps working. The background webhook reconcile path already keeps `workos_id` in sync locally, so steady-state logins after a webhook-only sync now make zero WorkOS reads. Linking external_id remotely is only required when this login is the first to touch the org locally, which is also the only path that still calls `EnsureOrgExternalID`.
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
🦋 Changeset detectedLatest commit: 1cbd92c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
🚀 Preview Environment (PR #2844)Preview URL: https://pr-2844.dev.getgram.ai
Gram Preview Bot |
adaam2
left a comment
adaam2
left a comment
There was a problem hiding this comment.
I think this looks good! I would test on dev first though to ensure no funny business
bflad
deleted the
bflad-age-2324-authcallback-latency-n1-workos-getorganization-fan-out-on-e14B
branch
3 participants
https://linear.app/speakeasy/issue/AGE-2324/authcallback-latency-n1-workos-getorganization-fan-out-on-every-login
syncMembershipsFromWorkOSpreviously made two WorkOS API reads per membership on every login: one directGetOrganizationfor the org name/external_id, and one insideEnsureOrgExternalID. A user in ten orgs paid ~20 sequential cross-region round-trips on each login, driving 3-5sauth.callbacklatency.The org name and external_id are only needed when the local row is missing or unlinked. Reorder the per-membership work to look up by workos_id first; on hit, skip both WorkOS calls. The rare new-org / link path still fetches from WorkOS and pushes external_id back so disaster recovery via
resolveGramOrgID's external_id fallback keeps working.The background webhook reconcile path already keeps
workos_idin sync locally, so steady-state logins after a webhook-only sync now make zero WorkOS reads. Linking external_id remotely is only required when this login is the first to touch the org locally, which is also the only path that still callsEnsureOrgExternalID.