Fix/issue 2340 - eliminate RBAC middleware session accumulation under high load

[Lang-Akshay]

Problem

The RBAC middleware held database sessions open for the entire request duration via Depends(get_db), causing critical performance degradation under high load:

Load test results (4000 concurrent users, 10 workers):

Time	RPS	idle_in_tx (max age)	Notes
22:51:43	2180	54 (3s)	System starts healthy
22:52:17	462	54 (37s)	RPS drops 79%, sessions aging
22:52:51	251	51 (72s)	RPS drops 88%, sessions stuck
22:53:01	302	51 (81s)	System severely degraded

Root cause:
get_current_user_with_permissions() opened a session at request start and kept it open until response completion, even though database access was only needed briefly for user lookup. Under high load, sessions accumulated faster than they could be released.

Impact:
All 346 authenticated endpoints were affected.

---

Solution

Remove long-lived database sessions from RBAC middleware and use fresh_db_session() context manager for short-lived, on-demand database access:

Before:

async def get_current_user_with_permissions(
    request: Request,
    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
    jwt_token: Optional[str] = Cookie(default=None),
    db: Session = Depends(get_db)  # ← Held for entire request
):
    user = db.execute(select(EmailUser).where(...))  # Brief DB use
    db.commit()
    db.close()  # Manual cleanup (ineffective with Depends)
    return {"email": user.email, "db": db, ...}  # Passes session downstream

After:

async def get_current_user_with_permissions(
    request: Request,
    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
    jwt_token: Optional[str] = Cookie(default=None)
    # ← No db parameter
):
    with fresh_db_session() as db:  # ← Short-lived, auto-cleanup
        user = db.execute(select(EmailUser).where(...))
    return {"email": user.email, ...}  # ← No db in context

---

Changes Made

1. mcpgateway/middleware/rbac.py

   • ✅ Removed db: Session = Depends(get_db) parameter from get_current_user_with_permissions()
   • ✅ Replaced with fresh_db_session() context manager for EmailUser lookup
   • ✅ Removed "db": None from all user context return dictionaries
   • ✅ Removed manual db.commit() and db.close() calls (context manager handles this)
   • ✅ Updated all permission decorators (require_permission, require_admin_permission, require_any_permission) to use fresh_db_session() when no endpoint session exists
   • ✅ Updated PermissionChecker class to use fresh_db_session() pattern
   • ✅ Added deprecation warnings to get_db() and get_permission_service() functions

2. Test Files Updated

   • Updated all test mocks to match new function signature (removed db parameter):
     • ✅ tests/unit/mcpgateway/middleware/test_rbac.py
     • ✅ tests/unit/mcpgateway/middleware/test_auth_method_propagation.py
     • ✅ tests/unit/mcpgateway/utils/test_proxy_auth.py (8 test methods)
     • ✅ tests/unit/mcpgateway/test_main.py
     • ✅ tests/unit/mcpgateway/test_main_extended.py
     • ✅ tests/unit/mcpgateway/test_admin_catalog_htmx.py

---

Benefits

1. No session accumulation: Sessions created only when needed, closed immediately after use
2. Better performance under load: Prevents idle-in-transaction bottleneck
3. Reduced connection pool pressure: Sessions released 100-1000x faster (milliseconds vs seconds)
4. Backward compatible: Existing endpoints continue to work; decorators fall back to fresh_db_session() automatically
5. Cleaner code: Context manager pattern is more explicit and less error-prone than manual cleanup

---

Expected Impact

After this fix, under 4000 concurrent users:

• ✅ idle_in_tx count should stay < 50 with max age < 5s
• ✅ RPS should remain stable over time (no degradation)
• ✅ No session accumulation pattern
• ✅ Query execution times stay consistent

---

Related Issues

• Closes [BUG]: RBAC middleware holds database sessions for entire request duration #2340
• Part of [BUG]: Apply fresh_db_session() to remaining 271 endpoints using Depends(get_db) #2334 - Parent issue for endpoint handler session lifetime
• Related to [BUG]: Apply fresh_db_session() to admin.py endpoints (135 usages) #2335 - admin.py session lifetime (135 endpoints)
• Related to [BUG]: Apply fresh_db_session() to remaining 52 REST endpoints in main.py #2336 - main.py REST session lifetime (52 endpoints)

---

Testing

Run the test suite to verify all RBAC tests pass with new session management:

make test

[crivetimihai]

Excellent work on this PR, @Lang-Akshay! The analysis is thorough - the load test data clearly demonstrates the session accumulation problem, and the fix using fresh_db_session() context manager is the right approach.

The code looks good:

• Clean replacement of Depends(get_db) with short-lived context manager sessions
• Proper deprecation warnings on the old patterns
• Comprehensive test updates across 6 test files
• Good simplification in db.py by reusing get_db as a context manager

One minor observation: The new fresh_db_session = contextmanager(get_db) line replaces a more explicit implementation. This is cleaner, but worth noting that it now inherits get_db's commit-on-success behavior (which is correct).

To merge: The DCO check is failing. Please sign off your commits:

git rebase HEAD~N --signoff  # where N is number of commits
# or for a single commit:
git commit --amend --signoff
git push --force-with-lease

Once that's done, this should be ready to merge. Great contribution!

[crivetimihai]

Review Changes

Rebased onto main and applied the following fixes during code review:

Security Fix

• User context extraction hardened: Changed from scanning all kwargs for any dict with "email" key to explicitly checking named parameters (user, _user, current_user, current_user_ctx). This prevents potential request body injection attacks where an attacker could craft a payload like {"email": "admin@..."} to bypass permission checks.

Backward Compatibility Fix

• Restored "db": None in user context: The original PR removed the "db" key entirely, which would cause KeyError in endpoints accessing current_user_ctx["db"]. Restored "db": None to maintain the same behavior as main (returns None instead of raising KeyError).

Performance Fix

• Single session for has_any_permission: PermissionChecker.has_any_permission() was opening N fresh DB sessions for N permission checks. Now uses a single session for all checks.

Test Updates

• Updated tests/unit/mcpgateway/test_main_error_handlers.py mock signature
• Updated tests/utils/rbac_mocks.py to return "db": None instead of MagicMock()

Pre-existing Issue Identified

During review, identified that 22 endpoints across teams.py, email_auth.py, and llm_config_router.py access current_user_ctx["db"] which has been None since commit 93102499e (2026-01-27). This is a pre-existing bug on main, not introduced by this PR.

Tracked separately in: #2641