{"id":50136297,"url":"https://github.com/bivex/jeday","last_synced_at":"2026-05-23T22:03:32.759Z","repository":{"id":342699956,"uuid":"1172870190","full_name":"bivex/jeday","owner":"bivex","description":"auth service","archived":false,"fork":false,"pushed_at":"2026-03-06T22:21:15.000Z","size":7656,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-03-07T02:55:31.298Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bivex.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-04T19:19:41.000Z","updated_at":"2026-03-06T22:21:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bivex/jeday","commit_stats":null,"previous_names":["bivex/jeday"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/bivex/jeday","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bivex%2Fjeday","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bivex%2Fjeday/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bivex%2Fjeday/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bivex%2Fjeday/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bivex","download_url":"https://codeload.github.com/bivex/jeday/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bivex%2Fjeday/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33413624,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T18:09:33.147Z","status":"ssl_error","status_checked_at":"2026-05-23T18:09:31.380Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-23T22:03:27.390Z","updated_at":"2026-05-23T22:03:32.752Z","avatar_url":"https://github.com/bivex.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Jeday Auth Service 🚀\n\nHigh-performance, secure authentication service built with Go, following the **Jedi Architecture** principles.\n\n## 🌟 Key Features\n\n- **Blazing Fast Registration**: Best recent local registration-only benchmark reached **~41k RPS**; the current tuned defaults deliver stable mid-30k RPS on full reset-and-profile runs.\n- **Asynchronous Password Hardening**: Background workers upgrade weak hashes to **Argon2id** (OWASP recommended) without affecting user-facing latency.\n- **High-Performance Web Framework**: Powered by **Atreugo** (fasthttp-based) with **Prefork** mode enabled.\n- **Hot Path Optimized for Writes**: Registration uses real bulk insert into `users` plus queue enqueue into `password_upgrade_queue`.\n- **Worker Isolation**: The hardening worker runs with a smaller DB pool and tighter CPU/memory limits to reduce contention with the API.\n- **Secure Token Management**: Uses **Paseto** (Platform-Agnostic Security Tokens) instead of JWT for improved security.\n- **Clean Architecture**: Strict separation of concerns (Domain, Application, Infrastructure, Delivery).\n- **Database Integrity**: Schema-first approach with **sqlc** and **golang-migrate**.\n- **Observability**: Structured JSON logging with **zerolog** and built-in **pprof** for profiling.\n\n## 🛠 Tech Stack\n\n- **Language**: Go 1.25+\n- **Web Framework**: [Atreugo](https://github.com/savsgio/atreugo) (High performance)\n- **Database**: PostgreSQL 16\n- **Token**: Paseto V2\n- **Hashing**: Argon2id + SHA-256 (Fast Path)\n- **Migrations**: golang-migrate\n- **SQL Gen**: sqlc\n- **Load Testing**: k6\n\n## 🏗 Architecture: The \"Jedi Maneuver\"\n\n1.  **Request**: User sends registration data.\n2.  **Fast Path**: API computes a fast SHA-256 hash (`v1$...`) and batches registration requests.\n3.  **Bulk Write**: The batcher does a real bulk insert into `users` and enqueues weak hashes into `password_upgrade_queue`.\n4.  **Response**: The API returns the created user immediately; password hardening stays off the request path.\n5.  **Hardening**: A background `worker` polls `password_upgrade_queue`, re-hashes with `Argon2id` (64 MiB, 1 iteration, 4 threads), writes the strong hash into `user_passwords`, and removes the queue row.\n6.  **Smart Login**: Login looks up the user by `email` and verifies either the strong hash or the pending weak hash, depending on upgrade state.\n\n## 🚀 Getting Started\n\n### Prerequisites\n- Docker \u0026 Docker Compose\n\n### Run the Stack\n```sh\ndocker compose up --build -d\n```\n\n### Health Check\n```sh\ncurl -sf http://localhost:8080/health\n```\n\n### Run Load Tests\n```sh\n# k6 does NOT auto-start on `docker compose up`; it is kept out of the default stack\n\n# Registration stress test used in recent profiling runs\ndocker compose run --rm -v $(pwd)/load-test-reg-only.js:/load-test.js k6 run --vus 500 --duration 20s /load-test.js\n\n# One-shot reset + rebuild + eBPF/k6 profile run with artifacts\n./scripts/profile_k6.sh full\n```\n\n## ⚙️ Current Tuned Defaults\n\n- `SERVER_PREFORK=true`\n- `APP_DB_POOL_MAX_CONNS=128`\n- `POSTGRES_MAX_CONNECTIONS=256`\n- `POSTGRES_SHARED_BUFFERS=512MB`\n- `POSTGRES_CHECKPOINT_TIMEOUT=15min`\n- `POSTGRES_CHECKPOINT_COMPLETION_TARGET=0.95`\n- `POSTGRES_WAL_BUFFERS=64MB`\n- `POSTGRES_EFFECTIVE_IO_CONCURRENCY=32`\n- `PGBOUNCER_DEFAULT_POOL_SIZE=100`\n- `REGISTRATION_BATCH_SIZE=100`\n- `REGISTRATION_BATCH_WAIT=10ms`\n- worker isolation remains enabled (`WORKER_DB_POOL_MAX_CONNS=4`, `WORKER_GOMAXPROCS=1`, `WORKER_GOMEMLIMIT=256MiB`)\n\n## 📈 Performance (Local Benchmarks)\n\nRecent measured results on local Docker Compose runs:\n\n| Scenario | Registration RPS | Avg Latency | p95 Latency |\n| :--- | :--- | :--- | :--- |\n| Before the hot-path fixes (worker contending with API) | ~3,875.8/s | n/a | n/a |\n| Clean-slate optimized stack | **34,023.7/s** | **14.56ms** | **21.89ms** |\n| After dropping DB-level `username` uniqueness | **34,557.6/s** | **14.32ms** | **20.67ms** |\n| Best measured sweep peak after `CopyFrom(users)` plus tuned API DB pool (`pool_max_conns=128`) | **41,227.2/s** | **11.87ms** | **22.41ms** |\n| After reducing Postgres `max_connections` to `256` (with API pool `128`) | **35,156.0/s** | **14.05ms** | **20.53ms** |\n| Current tuned defaults incl. heavy Postgres combo, confirmatory `full` run | **35,170.0/s** | **14.03ms** | **20.89ms** |\n| Same setup under eBPF profiling | **31,975.0/s** | **15.38ms** | **24.75ms** |\n\nNotes:\n- Numbers above are from registration-only `k6` runs (`500 VUs`, `20s`) against the local Docker Compose stack.\n- Current tuned default for the API path is `APP_DB_POOL_MAX_CONNS=128`; larger defaults like `500` reduced throughput noticeably in the tuning sweep.\n- A later confirmatory A/B still kept `128` ahead of `500` (`35,885.0/s` vs `33,456.5/s`), even though absolute numbers varied between runs.\n- Current tuned Postgres default is `POSTGRES_MAX_CONNECTIONS=256`; in isolated A/B it beat the previous `1000` setting (`35,156.0/s` vs `34,339.9/s`).\n- Additional `shared_buffers` / `checkpoint_timeout` experiments did **not** beat the current baseline, so defaults remain `512MB` and `15min`.\n- Heavy Postgres frontier tuning was fixed to `checkpoint_completion_target=0.95`, `wal_buffers=64MB`, and `effective_io_concurrency=32`; confirmatory A/B showed a repeatable gain over the prior baseline, though local Docker Desktop runs still show visible variance.\n- `email` remains unique and is used for login lookup.\n- `username` is **currently not unique at the DB level**; removing `users_username_key` reduced write cost on the registration path.\n\n## 📁 Project Structure\n\n```text\n.\n├── cmd/\n│   ├── api/          # Entry point for the Atreugo API\n│   └── worker/       # Entry point for the Hardening Worker\n├── internal/\n│   ├── auth/         # Auth domain logic\n│   │   ├── delivery/ # HTTP handlers \u0026 middleware\n│   │   ├── repository/ # Database interactions\n│   │   ├── service/  # Business logic (Usecases)\n│   │   └── token/    # Paseto \u0026 Hashing implementation\n│   ├── config/       # Configuration management\n│   └── db/           # Generated sqlc code\n├── migrations/       # SQL migration files\n├── query.sql         # SQL queries for sqlc\n└── sqlc.yaml         # sqlc configuration\n```\n\n## 🛡 Security Notes\n- **Paseto** eliminates common JWT pitfalls (algorithm confusion, etc.).\n- **Argon2id** is memory-hard and side-channel resistant.\n- **Prefork** isolation: each worker process handles its own memory space.\n- **Current trade-off**: login identity is `email`; `username` is currently treated as display data, not as a unique login identifier.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbivex%2Fjeday","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbivex%2Fjeday","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbivex%2Fjeday/lists"}