You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
the previous SSE library only supported subscriptions to a single topic. with the console, we need to support sending SSE messages to multiple topics (e.g., "all_users") instead of addressing each user individually (which is still possible).
Testing
its a drop in replacement, no other changes are needed.
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
The PR successfully migrates to tmaxmax/go-sse to support multi-topic subscriptions; however, there are several critical issues that must be addressed before merging. The most significant concern is the keep-alive implementation, which currently exhibits $O(N^2)$ message complexity and triggers goroutine leaks on every connection.
Additionally, the Go toolchain version in go.mod is flagged for multiple critical vulnerabilities (CVEs). While Codacy reports the PR is 'up to standards', the core logic in services/sse/pkg/service/sse.go remains complex and largely uncovered by tests, specifically the event listening loop. You must resolve the resource leaks and the heartbeat architecture to prevent production performance degradation.
About this PR
There is a discrepancy between the code (using 'all') and the PR description (using 'all_users') for the broadcast topic. Please ensure this aligns with external event producers. Additionally, multiple goroutines are spawned without adequate lifecycle management (keep-alives and event listeners), which will lead to memory exhaustion under load.
1 comment outside of the diffgo.mod
line 3 🔴 HIGH RISK
Update the Go version to at least 1.25.10 to resolve critical security vulnerabilities in the standard library, including TLS session resumption issues and potential DoS vectors.
go 1.25.10
Test suggestions
SSEHandler initialization with valid configuration and context
SSE connection failure when user context is missing from the request
Client receives SSE messages targeted at their specific user ID
Client receives broadcast messages targeted at the global 'all' topic
Verify graceful shutdown of the SSE server and event listeners upon context cancellation
Verify periodic keep-alive heartbeats are successfully sent to the client
Verify listen() loop correctly processes events.SendSSE and publishes to the server
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify graceful shutdown of the SSE server and event listeners upon context cancellation
2. Verify periodic keep-alive heartbeats are successfully sent to the client
3. Verify `listen()` loop correctly processes `events.SendSSE` and publishes to the server
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
The current keep-alive implementation has significant performance and resource issues:
Complexity: Spawning a ticker per request results in $O(N^2)$ message volume.
Leaks: The goroutine will leak because range ticker.C does not exit when the ticker is stopped.
Protocol: Heartbeats should use SSE comments (:keep-alive) instead of data fields to avoid triggering client-side message events.
Refactoring Suggestion: Move the keep-alive logic to a single background goroutine in NewSSEHandler that publishes an SSE comment to the SSETopicAllUsers topic once per interval. Use a context-aware loop to ensure it terminates when the service shuts down.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
The listen() loop (lines 85-99) is critical for message delivery but lacks context-aware termination and is entirely uncovered by tests. If the event channel isn't closed, this goroutine will leak upon service shutdown. Ensure this loop selects on ctx.Done() and add unit tests to verify that events.SendSSE events are correctly routed to the server.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
Suggestion: Using the already-cancelled ctx for Shutdown will prevent the server from waiting for active connections to drain. Use a fresh context with a timeout.
Suggested change
select {
case<-ctx.Done():
iferr:=handler.server.Shutdown(ctx); err!=nil {
logger.Error().Err(err).Msg("failed to shutdown SSE handler")
logger.Error().Err(err).Msg("failed to shutdown SSE handler")
}
return
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fschade
force-pushed
the
sse-service-n-topic
branch
from
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
the previous SSE library only supported subscriptions to a single topic. with the console, we need to support sending SSE messages to multiple topics (e.g., "all_users") instead of addressing each user individually (which is still possible).
Testing
REF: https://github.com/opencloud-eu/console/issues/287 (1/3)