diff --git a/src/node/db/SecurityManager.ts b/src/node/db/SecurityManager.ts index 219d3f2be..6fb4793a5 100644 --- a/src/node/db/SecurityManager.ts +++ b/src/node/db/SecurityManager.ts @@ -75,10 +75,13 @@ exports.checkAccess = async (padID:string, sessionCookie:string, token:string, u } // Authentication and authorization checks. - if (settings.loadTest) { - console.warn( - 'bypassing socket.io authentication and authorization checks due to settings.loadTest'); - } else if (settings.requireAuthentication) { + // settings.loadTest just short-circuits authn/authz; the user-facing + // warning about this configuration choice fires once at startup, not + // per request (see Settings.ts). Re-logging it here was costing + // ~4% of process CPU in the 100-400 author dive sweep (#7756): the + // routed-console-warn went through log4js's clustering dispatch on + // every message. + if (!settings.loadTest && settings.requireAuthentication) { if (userSettings == null) { authLogger.debug('access denied: authentication is required'); return DENY; diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts index 974130041..e8e6a7983 100644 --- a/src/node/utils/Settings.ts +++ b/src/node/utils/Settings.ts @@ -1193,6 +1193,12 @@ export const reloadSettings = () => { logger.warn("logLayoutType: " + settings.logLayoutType); initLogging(settings.logconfig); + if (settings.loadTest) { + logger.warn( + 'settings.loadTest is true: socket.io authentication and authorization checks ' + + 'will be bypassed for every connection. Do NOT enable this in production.'); + } + if (!settings.skinName) { logger.warn('No "skinName" parameter found. Please check out settings.json.template and ' + 'update your settings.json. Falling back to the default "colibris".');