galaxy-game/authsession/docs/redis-config.md

Decision: Redis configuration shape

PG_PLAN.md §7. Captures the standing rules adopted by Auth/Session Service when it joined the project-wide Redis topology defined in ARCHITECTURE.md §Persistence Backends.

Context

Auth/Session Service intentionally stays Redis-only. All authsession state is TTL-bounded and recoverable from a fresh login flow:

• challenge records expire with the login window;
• device-session records expire with their session TTL;
• gateway projection cache keys are write-through reflections of the source-of-truth session record;
• the gateway-session-events stream is consumed lazily by the gateway and trimmed by MAXLEN ~;
• the resend-throttle protector is purely TTL-driven.

Stage 7 brought authsession in line with the steady-state rules established in Stage 0: every Galaxy service uses one master plus zero-or-more replicas with a mandatory password, no TLS, and no Redis ACL username; the connection is configured by the shared pkg/redisconn helper.

Decisions

One shared *redis.Client owned by the runtime

internal/app/runtime.go constructs a single *redis.Client via internal/adapters/redis.NewClient, attaches OpenTelemetry tracing and metrics via internal/adapters/redis.InstrumentClient, performs one bounded PING via internal/adapters/redis.Ping, and registers client.Close for shutdown. The challenge store, session store, config provider, projection publisher and resend-throttle protector all receive this same client.

Adapters no longer build or own a Redis client. Their Config structs hold only namespace and per-adapter timeout settings (no Addr/Username/Password/ DB/TLSEnabled). Adapter constructors take (*redis.Client, Config).

One env-var prefix per service

Connection topology is loaded from a single AUTHSESSION_REDIS_* group via redisconn.LoadFromEnv("AUTHSESSION"):

• AUTHSESSION_REDIS_MASTER_ADDR (required)
• AUTHSESSION_REDIS_REPLICA_ADDRS (optional, comma-separated; currently unused, reserved for future read-routing)
• AUTHSESSION_REDIS_PASSWORD (required)
• AUTHSESSION_REDIS_DB (default 0)
• AUTHSESSION_REDIS_OPERATION_TIMEOUT (default 250ms)

The per-adapter namespace and stream env vars (*_KEY_PREFIX, *_STREAM, *_STREAM_MAX_LEN) keep their existing names and semantics — they describe key shape, not connection topology.

Retired env vars (hard removal)

• AUTHSESSION_REDIS_ADDR — replaced by AUTHSESSION_REDIS_MASTER_ADDR.
• AUTHSESSION_REDIS_USERNAME — Redis ACL not used.
• AUTHSESSION_REDIS_TLS_ENABLED — TLS disabled by policy.
• AUTHSESSION_REDIS_OPERATION_TIMEOUT keeps its name (it now lives in redisconn.Config).

pkg/redisconn.LoadFromEnv rejects AUTHSESSION_REDIS_TLS_ENABLED and AUTHSESSION_REDIS_USERNAME at startup with a clear error pointing to ARCHITECTURE.md §Persistence Backends. There is no backward-compatibility shim; this is consistent with the project-wide rule that the migration window has no production deploys to preserve.

Telemetry

redisconn.Instrument wires redisotel.InstrumentTracing (with WithDBStatement(false)) and redisotel.InstrumentMetrics. This is the first authsession release that emits Redis tracing and connection-pool metrics; downstream dashboards will start populating without further changes.

Consequences

• Test code that previously constructed a Redis client per adapter must now construct one client and pass it to every adapter under test (see the pattern in internal/adapters/redis/<adapter>/store_test.go).
• Operators must set AUTHSESSION_REDIS_PASSWORD. A passwordless local Redis is still acceptable as long as a placeholder password is supplied to the binary; Redis without requirepass accepts AUTH unconditionally.
• The integration test harness passes AUTHSESSION_REDIS_PASSWORD = "integration" alongside AUTHSESSION_REDIS_MASTER_ADDR (see integration/internal/harness/authsessionservice.go).