fix(server): keep Kura cache grants compact

GitHub issue · Closed

Source: tuist/tuist #11039
Updated: Jun 24, 2026
Domains: Kura

Resolves N/A

User and user-issued OAuth tokens were embedding every accessible account handle in accounts plus cache_grants.account.read and cache_grants.account.write. For users with thousands of organization memberships, that made JWTs hundreds of KB large, which can break client networking and header forwarding before Kura sees the request.

This keeps those tokens compact by embedding only recent project cache grants for the Kura hot path. Account-scoped grants are omitted from user-issued tokens, stale accounts claims are dropped during refresh, and explicit account or project token subjects keep their existing scoped claim shape.

Kura already falls back to introspection for account-scoped cache authorization and caches successful introspection responses, so account-wide Kura access stays server-verified without making every client JWT scale with membership count.

How to test locally

  • mix deps.get
  • mix format lib/tuist/cache.ex lib/tuist/authentication.ex lib/tuist/oauth/token_generator.ex test/tuist/authentication_test.exs test/tuist/oauth/token_generator_test.exs
  • MIX_ENV=test mix ecto.reset
  • mix test test/tuist/authentication_test.exs test/tuist/oauth/token_generator_test.exs
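
The size problem and the compact claim shape described above can be measured on a real signed token. This is an added Python example, not code from the tuist repository: the `accounts` and `cache_grants.account.read`/`write` claim names come from the description, while the `cache_grants.project` shape, the cap of 20 recent projects, the 8 KB header limit, the signing key and the sample handles are assumptions constructed for the demonstration.

```python
import base64, hashlib, hmac, json

HEADER_LIMIT = 8 * 1024        # assumption: a common proxy/server header size limit
MAX_PROJECT_GRANTS = 20        # assumption: cap on "recent" project grants
KEY = b"constructed-demo-key"  # constructed signing key, for this demo only

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Build a compact HS256 JWT so sizes are measured on a real token."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    tag = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)

def legacy_claims(sub, handles):
    """Old shape: every accessible handle is embedded three times."""
    return {"sub": sub, "accounts": handles,
            "cache_grants": {"account": {"read": handles, "write": handles}}}

def compact_claims(sub, recent_projects):
    """New shape: capped project grants only (hypothetical `project` key);
    account-scoped access is left to server-side introspection."""
    recent = recent_projects[:MAX_PROJECT_GRANTS]
    return {"sub": sub,
            "cache_grants": {"project": {"read": recent, "write": recent}}}

def refresh(old_claims, recent_projects):
    """Refresh rebuilds the claims instead of copying stale `accounts` forward."""
    return compact_claims(old_claims["sub"], recent_projects)

def fits_in_header(token: str) -> bool:
    return len("Authorization: Bearer ") + len(token) <= HEADER_LIMIT

# Constructed sample data: 5000 memberships, one project each, newest first.
HANDLES = [f"org-{i:05d}" for i in range(5000)]
PROJECTS = [f"{h}/app" for h in HANDLES]

if __name__ == "__main__":
    old = sign_jwt(legacy_claims("user-1", HANDLES))
    new = sign_jwt(refresh(legacy_claims("user-1", HANDLES), PROJECTS))
    print("legacy :", len(old), "bytes, fits header:", fits_in_header(old))
    print("compact:", len(new), "bytes, fits header:", fits_in_header(new))
```

The compact token's size depends only on the cap, so it stays the same whether the user belongs to twenty accounts or five thousand.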

Comments

tuist-atlas[bot] Jun 4, 2026

The fix to keep Kura cache grants compact is now available in server@1.205.0. Update to this version to prevent JWTs from growing excessively large for users with many organization memberships.

tuist-atlas[bot] Jun 5, 2026

The changes from this PR are now available in release xcresult-processor-image@0.11.0. Kura cache grants are now kept compact.