fix: refresh permission snapshots so they stop expiring after 10 minutes#7
Merged
Conversation
The module calls GroundsServerContext.activeModuleProviders, added in 0.3.0. The GroundsModule/GroundsModuleProvider SPI is unchanged across 0.3.0..0.4.0, so this is a straight bump.
This was referenced Jul 13, 2026
hbrombeer
marked this pull request as ready for review
July 13, 2026 18:14
hbrombeer
added a commit
that referenced
this pull request
Jul 13, 2026
The sweep landed in #7 under a chore: subject, so release-please never cut a release and the fix was sitting on main unpublished. Release-As: 0.4.0
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The bug
service-permissionsstamps every snapshot withrefreshAfter = now + 5minandexpiresAt = now + 10min.SnapshotPermissions.hasPermissionfails closed once the snapshot expires:But a snapshot is
put()only at login. There is no refresh path anywhere — no scheduler, no re-fetch, andRefreshOnlinePlayerson the service is a stub that logs "refresh accepted" and does nothing.InMemoryPermissionSnapshots.replaceAllwas dead code.Three consequences, one root cause:
The fix
A sweep on both platforms, every
PERMISSIONS_REFRESH_INTERVAL_SECONDS(default 60), that re-fetches snapshots for online players oncerefreshAfterhas passed. No proto change — the contract already said all of this, nothing was listening.Two things that are easy to get wrong, and are deliberate here:
It merges into the live map, it does not replace it. A login that lands mid-sweep writes a snapshot the sweep never sampled; a blind
replaceAllwould wipe it and leave that player with no snapshot — no permissions at all — until the next tick. The sweep does blocking gRPC calls, so that window is real.keepsSnapshotWrittenByALoginThatRacedTheSweepfails against the replace-based version.It drops only offline AND expired entries. An offline player's unexpired snapshot is exactly what the login path reads as its service-outage fallback (
cached.expiresAt.isAfter(now)), so evicting on disconnect — the obvious fix for the leak — would have broken it. Offline+expired is the only combination that is provably unusable.A failed refresh keeps the existing snapshot and retries on the next tick; only the login path may ever deny a player.
Also bumps
runtime-api0.3.0 → 0.4.0 (the module callsactiveModuleProviders; the SPI is unchanged across those versions).Verification
./gradlew buildgreen. 7 unit tests on the sweep: refresh-when-due, skip-when-fresh, keep-on-fetch-failure, keep-offline-unexpired, drop-offline-expired, fetch-when-absent, and the login race above.