Back to Resources

Production-Grade Idempotency Middleware with Redis and Lua Scripts

18 min read
Goh Ling Yong
Technology enthusiast and software architect specializing in AI-driven development tools and modern software engineering practices. Passionate about the intersection of artificial intelligence and human creativity in building tomorrow's digital solutions.

The Unavoidable Challenge of Duplicate Messages

In any non-trivial distributed system, particularly those leveraging event-driven architectures, the promise of "exactly-once" message delivery is a myth. Network partitions, consumer crashes, and broker redelivery mechanisms conspire to create a world where "at-least-once" delivery is the practical reality. For a senior engineer, this isn't news; it's a fundamental constraint to design around. The consequence is clear: without a deliberate strategy, a single logical operation (a payment, an order creation, a notification) could be executed multiple times, leading to data corruption, financial discrepancies, and a catastrophic loss of system integrity.

The solution is idempotency. An operation is idempotent if making the same request multiple times produces the same result as making it once. This isn't about preventing duplicate requests from arriving; it's about neutralizing their effects at the consumer or API endpoint. While the concept is simple, a production-grade implementation is fraught with subtle complexities, race conditions, and failure modes that can undermine the entire system.

This article bypasses the introductory SETNX examples. We assume you understand the basic race condition of a non-atomic GET followed by a SET. Instead, we will construct a robust, state-aware idempotency middleware using Redis, focusing on atomic operations via Lua scripting, handling long-running processes, and architecting for failure.

Designing the Idempotency Contract

Before writing a line of code, we must define the contract. A robust idempotency layer hinges on a well-defined Idempotency Key. This key, provided by the client or message producer, uniquely identifies a single logical operation.

Characteristics of a good Idempotency Key:

  • Uniqueness: A new key must be generated for every new logical operation. A client-generated UUIDv4 is a common and effective choice.
  • Stability: The same key must be used for all retries of the same operation.
  • Ownership: The client or producer, the entity initiating the operation, is responsible for generating and managing the key. The server should treat it as an opaque identifier.

    • In an HTTP API context, this is typically passed as a header, e.g., Idempotency-Key: 27b50a58-1555-4ea2-94b9-a292453c5188. In a message queue, it's part of the message metadata or payload.

    The Flaw in Simple `SETNX` Locking

    A common first attempt at implementing idempotency in Redis looks like this:

    javascript
    // DO NOT USE THIS IN PRODUCTION - FLAWED EXAMPLE
async function naiveIdempotencyCheck(idempotencyKey) {
  const redisKey = `idempotency:${idempotencyKey}`;
  const isNew = await redis.setnx(redisKey, 'locked');

  if (isNew) {
    // New request, proceed with business logic
    return { canProceed: true };
  } else {
    // Duplicate request
    return { canProceed: false };
  }
}

    This pattern has two critical flaws that make it unsuitable for production:

  • No Distinction Between In-Progress and Completed: If a second request arrives while the first is still processing, SETNX correctly blocks it. However, if a second request arrives after the first has completed, it is also blocked. The client has no way of knowing if the original request succeeded or is still running. We need to return the original result on subsequent calls.
  • No Crash Recovery: If the consumer acquires the lock by setting the key and then crashes before completing its work (and before storing a result), the key is locked forever. A TTL (EXPIRE) can mitigate this, but it introduces its own race conditions, which we will explore.

    • A Stateful, Multi-Stage Idempotency Model

    To build a robust system, we need to track the state of an operation through its lifecycle. A simple state machine for an idempotent operation looks like this:

  • UNKNOWN: The key has never been seen.
  • PROCESSING: The key has been seen, and an operation is currently in progress.
  • COMPLETED: The operation finished, and its result is stored.

    • We can represent this state in Redis by storing a JSON object as the value for our idempotency key.

    json
    // Example value for key 'idempotency:27b50a58-...' 

// State: PROCESSING
{ "status": "processing" }

// State: COMPLETED
{ "status": "completed", "statusCode": 201, "body": { "orderId": "ord_123", "amount": 1000 } }

    Now, the challenge is to transition between these states atomically to prevent race conditions. This is where Redis Lua scripting becomes indispensable.

    Stage 1: Atomic Check-and-Set with Lua

    Our first interaction with Redis needs to do the following in a single, atomic operation:

  • If the key does not exist, create it, set its state to PROCESSING, and set a TTL. Return a signal to proceed.
  • If the key exists, return its current value (which could be the PROCESSING state or a COMPLETED result).

    • This cannot be done with standard Redis commands without introducing a race condition. A Lua script executed with EVAL is the solution, as Redis guarantees its atomic execution.

    Lua Script: begin_processing.lua

    lua
    -- KEYS[1]: The idempotency key (e.g., 'idempotency:some-uuid')
-- ARGV[1]: The 'processing' state payload (e.g., '{"status":"processing"}')
-- ARGV[2]: The lock TTL in seconds (e.g., 30)

local key = KEYS[1]
local processing_payload = ARGV[1]
local lock_ttl = ARGV[2]

-- redis.call returns 'false' for a non-existent key
local existing_value = redis.call('GET', key)

if existing_value == false then
  -- Key does not exist. This is the first time we've seen this request.
  -- Set the key to the processing state with a TTL.
  redis.call('SET', key, processing_payload, 'EX', lock_ttl)
  return 'PROCEED'
else
  -- Key exists. Return the stored value (which is either the 'processing' payload
  -- or the final 'completed' result).
  return existing_value
end

    Now, let's implement this in our middleware.

    javascript
    // Filename: redis/idempotency.js
const Redis = require('ioredis');
const fs = require('fs');
const path = require('path');

// --- Redis Setup and Lua Script Loading ---
const redis = new Redis({
  // your connection options
});

// Load Lua scripts at application startup
const LUA_SCRIPTS = {
  beginProcessing: fs.readFileSync(path.join(__dirname, 'lua/begin_processing.lua'), 'utf8'),
  // We will add complete_processing.lua later
};

// Register scripts with Redis for caching via SHA1 hash
const SCRIPT_SHAS = {};
(async () => {
  for (const [name, script] of Object.entries(LUA_SCRIPTS)) {
    SCRIPT_SHAS[name] = await redis.script('load', script);
    console.log(`Lua script '${name}' loaded with SHA: ${SCRIPT_SHAS[name]}`);
  }
})();

// --- Middleware Implementation ---

const LOCK_TTL_SECONDS = 30; // A reasonable default
const RESULT_TTL_SECONDS = 24 * 60 * 60; // 24 hours

async function idempotencyMiddleware(req, res, next) {
  const idempotencyKey = req.get('Idempotency-Key');

  if (!idempotencyKey) {
    // Or handle as a non-idempotent request, depending on your API contract
    return res.status(400).json({ error: 'Idempotency-Key header is required.' });
  }

  const redisKey = `idempotency:${idempotencyKey}`;
  const processingPayload = JSON.stringify({ status: 'processing' });

  try {
    const result = await redis.evalsha(
      SCRIPT_SHAS.beginProcessing,
      1, // Number of keys
      redisKey,
      processingPayload,
      LOCK_TTL_SECONDS
    );

    if (result === 'PROCEED') {
      // This is a new request. Attach the key to the response object
      // so we can store the result later.
      res.locals.idempotencyKey = idempotencyKey;
      
      // Monkey-patch res.json and res.send to capture the result
      const originalJson = res.json.bind(res);
      res.json = (body) => {
          res.locals.result = { statusCode: res.statusCode, body };
          return originalJson(body);
      };

      // Listen for the 'finish' event to store the result after the response is sent.
      res.on('finish', async () => {
        if (res.locals.result) {
          await completeProcessing(idempotencyKey, res.locals.result);
        }
      });

      return next(); // Proceed to the actual business logic
    } else {
      // This is a duplicate request.
      const storedState = JSON.parse(result);

      if (storedState.status === 'processing') {
        // A request is already in-flight.
        return res.status(409).json({ 
          error: 'Conflict: A request with this Idempotency-Key is already being processed.' 
        });
      } else if (storedState.status === 'completed') {
        // The original request completed. Return the saved result.
        console.log(`Returning cached response for Idempotency-Key: ${idempotencyKey}`);
        return res.status(storedState.statusCode).json(storedState.body);
      }
    }
  } catch (err) {
    console.error('Redis error during idempotency check:', err);
    // This is a critical failure. See section on fail-open vs fail-closed.
    return res.status(503).json({ error: 'Service Unavailable: Could not contact idempotency store.' });
  }
}

async function completeProcessing(idempotencyKey, result) {
    const redisKey = `idempotency:${idempotencyKey}`;
    const completedPayload = JSON.stringify({ 
        status: 'completed', 
        ...result 
    });
    
    console.log(`Storing final result for Idempotency-Key: ${idempotencyKey}`);
    // Use SET with a longer TTL for the final result
    await redis.set(redisKey, completedPayload, 'EX', RESULT_TTL_SECONDS);
}

module.exports = { idempotencyMiddleware };

    This implementation is a significant improvement. It correctly handles concurrent requests and returns cached responses. However, it still has a subtle but critical flaw in the completeProcessing function. What if the consumer crashes between sending the response and the redis.set call? The key would remain in the processing state until its TTL expires, at which point a retry would be processed again. We can do better.

    Stage 2: Atomic Result Storage

    We can introduce a second Lua script to atomically update the key from PROCESSING to COMPLETED. This prevents a race condition where a lock expires just as we are trying to write the final result.

    Lua Script: complete_processing.lua

    lua
    -- KEYS[1]: The idempotency key
-- ARGV[1]: The 'completed' state payload (e.g., '{"status":"completed", ...}')
-- ARGV[2]: The final result TTL in seconds

local key = KEYS[1]
local completed_payload = ARGV[1]
local result_ttl = ARGV[2]

-- We only want to store the result if the key is still in the 'processing' state.
-- This prevents overwriting a result from a competing process if our lock expired.
local current_value = redis.call('GET', key)

-- We could be more specific and check if current_value is '{"status":"processing"}'
-- but for simplicity, we assume any existing non-completed value is our lock.
if current_value then 
  redis.call('SET', key, completed_payload, 'EX', result_ttl)
  return 'OK'
else
  -- The key expired before we could save the result. This indicates the process
  -- took too long. Another worker may have already started.
  return 'LOCK_EXPIRED'
end

    Now, update the completeProcessing function:

    javascript
    // In idempotency.js
async function completeProcessing(idempotencyKey, result) {
    const redisKey = `idempotency:${idempotencyKey}`;
    const completedPayload = JSON.stringify({ 
        status: 'completed', 
        ...result 
    });
    
    console.log(`Storing final result for Idempotency-Key: ${idempotencyKey}`);
    
    const scriptResult = await redis.evalsha(
      SCRIPT_SHAS.completeProcessing, // Assuming this is loaded
      1,
      redisKey,
      completedPayload,
      RESULT_TTL_SECONDS
    );

    if (scriptResult === 'LOCK_EXPIRED') {
        // CRITICAL: Our lock expired before we could save the result.
        // This means another process might have started or completed the same operation.
        // The system is in a potentially inconsistent state for this specific operation.
        // This requires immediate alerting and investigation.
        console.error(`CRITICAL ALERT: Idempotency lock expired for key ${idempotencyKey} before result was stored.`);
    }
}

    Advanced Edge Cases and Production Hardening

    With our core atomic logic in place, we must now consider the harsh realities of a production environment.

    1. Long-Running Processes and Lock Expiration

    The most dangerous scenario is when your business logic takes longer than the lock's TTL. If LOCK_TTL_SECONDS is 30, but your process takes 35 seconds, another consumer can acquire a lock for the same key at the 31-second mark, leading to duplicate execution.

    Solution: Lock Heartbeating

    For processes that can exceed a reasonable static TTL, the consumer must actively extend the lock's lifetime. This is often called a "heartbeat."

    javascript
    // In your business logic controller/service
async function processPayment(req, res) {
    const { idempotencyKey } = res.locals;
    const redisKey = `idempotency:${idempotencyKey}`;

    // Start a heartbeat to extend the lock every 10 seconds
    const heartbeatInterval = setInterval(() => {
        console.log(`Heartbeating lock for key: ${redisKey}`);
        redis.expire(redisKey, LOCK_TTL_SECONDS).catch(err => {
            console.error(`Failed to heartbeat lock for key ${redisKey}:`, err);
            // If heartbeating fails, we should probably stop the process
            // to avoid running without a lock.
            clearInterval(heartbeatInterval);
            // Implement cancellation logic here if possible.
        });
    }, (LOCK_TTL_SECONDS / 3) * 1000); // Heartbeat at 1/3 of the TTL

    try {
        // --- Your long-running business logic here --- //
        const result = await someLongRunningTask();
        // --- End of business logic --- //
        
        res.status(201).json(result);
    } catch (error) {
        // Handle business logic errors
        res.status(500).json({ error: 'Payment processing failed.' });
    } finally {
        // IMPORTANT: Always clear the heartbeat interval
        clearInterval(heartbeatInterval);
    }
}

    Trade-offs: Heartbeating adds complexity and requires careful management of the interval timer, especially ensuring it's cleared in finally blocks. For many use cases (99% of requests < 5s), setting a generous static TTL (e.g., 60 seconds) and adding monitoring to alert on processes approaching this limit is a more pragmatic and simpler solution.

    2. Failure of the Idempotency Store (Redis)

    What happens if Redis is down when a request comes in? Our evalsha call will fail.

  • Fail-Closed (Default, Recommended): The middleware, as written, returns a 503 Service Unavailable. This prioritizes consistency over availability. No requests are processed, guaranteeing no duplicates are created. This is the correct choice for critical operations like payments.
  • Fail-Open: In some less critical scenarios (e.g., logging analytics events), you might choose to proceed with the operation, risking duplicates but maintaining availability. This should be a conscious architectural decision.
    • javascript
    // Example of a fail-open strategy
// ... inside the catch block of idempotencyMiddleware
} catch (err) {
    console.error('Redis error during idempotency check. FAILING OPEN:', err);
    // WARNING: This risks duplicate processing.
    // Use only for non-critical operations.
    return next(); 
}

    A robust implementation would use a circuit breaker pattern (e.g., using a library like opossum) around the Redis calls to prevent hammering a failing service and to allow for faster recovery.

    3. Performance and Memory Considerations

  • Latency: Every idempotent request now incurs at least one round trip to Redis. This latency must be acceptable for your application's performance budget. Keep Redis servers geographically close to your application servers.
  • Connection Pooling: Ensure your application uses a robust Redis client library (ioredis is excellent for Node.js) that manages a connection pool. A single connection will become a bottleneck under load.
  • Memory Usage: Idempotency keys consume memory. RESULT_TTL_SECONDS is your primary tool for garbage collection. A 24-hour TTL is a common starting point, balancing the need to handle delayed retries against memory growth. Monitor Redis memory usage closely.

    • To estimate memory usage, you can use the MEMORY USAGE command in redis-cli:

    MEMORY USAGE idempotency:27b50a58-1555-4ea2-94b9-a292453c5188

    A small result payload might consume ~200-300 bytes per key. 1 million idempotent requests per day would consume roughly 200-300 MB of Redis memory, which is very manageable.

    Complete Example: Tying It All Together

    Here is a simplified but complete Express.js server example demonstrating the full flow.

    server.js

    javascript
    const express = require('express');
const { idempotencyMiddleware } = require('./redis/idempotency');

const app = express();
app.use(express.json());

// A mock long-running task
const processPayment = (amount) => {
    console.log(`Processing payment for ${amount}...`);
    return new Promise(resolve => setTimeout(() => {
        const paymentId = `pay_${Date.now()}`;
        console.log(`Payment successful: ${paymentId}`);
        resolve({ paymentId, status: 'succeeded', amount });
    }, 2000)); // Simulate 2 seconds of work
};

// Apply the middleware to a critical endpoint
app.post('/api/payments', idempotencyMiddleware, async (req, res) => {
    try {
        const { amount, currency } = req.body;
        if (!amount || !currency) {
            return res.status(400).json({ error: 'Amount and currency are required.' });
        }

        // The business logic itself is now clean and unaware of idempotency concerns
        const paymentResult = await processPayment(amount);

        res.status(201).json(paymentResult);
    } catch (err) {
        console.error('Error in payment processing:', err);
        // The middleware will still capture this and store an error state if needed
        res.status(500).json({ error: 'Internal Server Error' });
    }
});

const PORT = 3000;
app.listen(PORT, () => {
    console.log(`Server running on http://localhost:${PORT}`);
});

    To test this:

    • Run the server and have Redis running.
    • Send a POST request:
    bash
        curl -X POST http://localhost:3000/api/payments \
    -H "Content-Type: application/json" \
    -H "Idempotency-Key: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" \
    -d '{"amount": 100, "currency": "USD"}'
  • You will see the "Processing payment..." log, and after 2 seconds, you'll get a 201 Created response.
  • Immediately send the exact same request again. You will get the same 201 Created response instantly, and you will not see the "Processing payment..." log again. The response was served from the Redis cache.
  • Try sending the first request and, while it's processing, send a second one in another terminal. The second request will immediately receive a 409 Conflict error.

    • Conclusion: Idempotency as an Architectural Primitive

    Implementing a production-grade idempotency layer is a significant step toward building truly resilient and reliable distributed systems. By moving beyond naive locking and embracing a stateful model with atomic operations, we can confidently handle the at-least-once nature of modern infrastructure.

    The key takeaways for a senior engineer are:

  • Atomicity is Non-Negotiable: Use Redis Lua scripts or transactions to eliminate race conditions during state transitions.
  • Distinguish PROCESSING from COMPLETED: This is the core of a usable idempotency system, allowing you to reject in-flight duplicates while serving cached results for completed ones.
  • Plan for Long-Running Jobs: Acknowledge that processes can take time. Use either generous, well-monitored TTLs or implement a lock heartbeating mechanism for jobs with unpredictable duration.
  • Architect for Failure: Your idempotency store is a critical piece of infrastructure. Decide between a fail-closed (safe) or fail-open (available) strategy and implement circuit breakers accordingly.

    • Idempotency is not a feature to be bolted on; it is an architectural primitive. By investing in a robust implementation like the one detailed here, you provide a powerful guarantee that enables developers to write simpler, more correct business logic, free from the pervasive fear of the duplicate event.

    Found this article helpful?

    Share it with others who might benefit from it.

    More Articles