chore: migrate refresh_token column to id (#374)

.changeset/selfish-waves-draw.md

@@ -0,0 +1,11 @@
+---
+'hasura-auth': minor
+---
+
+chore: migrate `refresh_token` column to `id`
+
+⚠️ **Warning**: This is a breaking change.
+
+We've renamed the `refresh_token` column to `id`. While this change will improve the functionality of Hasura Auth, it may cause issues for any permissions or relationships that were using the old `refresh_token` column.
+
+Please note that any permissions or relationships that were using the `refresh_token` column will be affected by this change. If you're using the `refresh_token` column in any way, you'll need to update your code to use the new `id` column and ensure that your app works as expected.

.github/workflows/test.yaml

@@ -25,7 +25,12 @@ jobs:
         image: nhost/postgres:12-v0.0.6
         env:
           POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
-        options: --restart always --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
+        options: >-
+          --restart always
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
       graphql-engine:
         image: hasura/graphql-engine:v2.15.2
         env:
@@ -75,79 +80,3 @@ jobs:
         with:
           name: coverage
           path: coverage
-
-  e2e-lookup:
-    name: Lookup e2e tests
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          repository: nhost/nhost
-      # * Install Node and dependencies. Package downloads will be cached for the next jobs.
-      - name: Install Node and dependencies
-        uses: ./.github/actions/install-dependencies
-        with:
-          TURBO_TOKEN: ${{ env.TURBO_TOKEN }}
-          TURBO_TEAM: ${{ env.TURBO_TEAM }}
-          BUILD: 'none'
-      # * List packages that has an `e2e` script AND a nhost/config.yaml file, then return an array of their name and path
-      - name: List examples with an e2e script
-        id: set-matrix
-        run: |
-          PACKAGES=$(pnpm recursive list --depth -1 --parseable \
-            | xargs -I@ realpath --relative-to=$PWD @ \
-            | xargs -I@ echo "test -f @/nhost/config.yaml && echo @" | sh \
-            | xargs -I@ jq "if (.scripts.e2e | length) != 0  then {name: .name, path: \"@\"} else null end" @/package.json \
-            | awk "!/null/" \
-            | jq -c --slurp)
-          echo "matrix=$PACKAGES" >> $GITHUB_OUTPUT
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
-
-  e2e:
-    runs-on: ubuntu-latest
-    needs:
-      - e2e-lookup
-    strategy:
-      matrix:
-        package: ${{ fromJson(needs.e2e-lookup.outputs.matrix) }}
-    name: 'e2e (${{ matrix.package.path }})'
-    steps:
-      - name: Checkout nhost/nhost
-        uses: actions/checkout@v3
-        with:
-          repository: nhost/nhost
-      - name: Checkout hasura-auth
-        uses: actions/checkout@v3
-        with:
-          path: hasura-auth
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Build
-        uses: docker/build-push-action@v3
-        timeout-minutes: 60
-        with:
-          context: hasura-auth
-          tags: nhost/hasura-auth:local
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          load: true
-      - name: Install Nhost CLI
-        uses: ./.github/actions/nhost-cli
-        with:
-          path: ${{ matrix.package.path }}
-          config: |
-            services:
-              auth:
-                image: nhost/hasura-auth:local
-      - name: Install Node and dependencies
-        uses: ./.github/actions/install-dependencies
-        # TODO Set turborepo in the nhost/hasura-auth repo
-        with:
-          TURBO_TOKEN: ${{ env.TURBO_TOKEN }}
-          TURBO_TEAM: ${{ env.TURBO_TEAM }}
-      - name: Run e2e tests
-        run: pnpm --filter="${{ matrix.package.name }}" run e2e
-        # ? (enable turborepo e2e, and fine-tune turbo cache e2e config: env vars, nhost/config.yaml)
-        env:
-          SERVICES_AUTH_IMAGE: nhost/hasura-auth:local

docker-compose.yaml

@@ -1,7 +1,7 @@
 version: '3.6'
 services:
   postgres:
-    image: postgres
+    image: postgres:14.6
     restart: always
     volumes:
       - ./docker/data/db:/var/lib/postgresql/data

migrations/00015_rename_refresh_token_column.sql

@@ -0,0 +1,10 @@
+BEGIN;
+ALTER TABLE auth.refresh_tokens
+RENAME COLUMN refresh_token TO id;
+COMMENT ON COLUMN auth.refresh_tokens.id IS NULL;
+ALTER TABLE auth.refresh_tokens ALTER COLUMN id SET DEFAULT gen_random_uuid();
+ALTER TABLE auth.refresh_tokens RENAME COLUMN refresh_token_hash TO refresh_token_hash_old;
+ALTER TABLE auth.refresh_tokens ADD COLUMN refresh_token_hash VARCHAR(255);
+UPDATE auth.refresh_tokens SET refresh_token_hash = refresh_token_hash_old;
+ALTER TABLE auth.refresh_tokens DROP COLUMN refresh_token_hash_old;
+COMMIT;

src/gql/refresh-tokens.graphql

@@ -1,6 +1,6 @@
 mutation insertRefreshToken($refreshToken: authRefreshTokens_insert_input!) {
   insertAuthRefreshToken(object: $refreshToken) {
-    refreshToken
+    id
   }
 }
 

src/gql/users.graphql

@@ -63,7 +63,7 @@ query getUsersByRefreshToken($refreshTokenHash: String!) {
       ]
     }
   ) {
-    refreshToken
+    id
     user {
       ...userFields
     }
@@ -81,7 +81,7 @@ query getUsersByPAT($patHash: String!) {
       ]
     }
   ) {
-    refreshToken
+    id
     user {
       ...userFields
     }

src/metadata.ts

@@ -78,21 +78,13 @@ export const hasuraAuthMetadataPatch: MetadataPatch = {
             delete_by_pk: 'deleteAuthRefreshToken',
           },
           custom_column_names: {
-            refresh_token: 'refreshToken',
             refresh_token_hash: 'refreshTokenHash',
-            type: 'type',
             created_at: 'createdAt',
             expires_at: 'expiresAt',
             user_id: 'userId',
           },
         },
         object_relationships: [
-          {
-            name: 'refreshTokenType',
-            using: {
-              foreign_key_constraint_on: 'type',
-            },
-          },
           {
             name: 'user',
             using: {
@@ -105,6 +97,7 @@ export const hasuraAuthMetadataPatch: MetadataPatch = {
             role: 'user',
             permission: {
               columns: [
+                'id',
                 'created_at',
                 'expires_at',
                 'metadata',
@@ -438,6 +431,13 @@ export const hasuraAuthMetadataPatch: MetadataPatch = {
     relationships: [
       { table: { name: 'users', schema }, relationship: 'authenticators' },
     ],
+    columnConfigs: [
+      {
+        source: 'default',
+        table: { name: 'refresh_tokens', schema },
+        column: 'refresh_token',
+      },
+    ],
   },
 };
 export const applyMetadata = async (): Promise<void> => {

src/routes/pat/pat.ts

@@ -1,6 +1,6 @@
 import { sendError } from '@/errors';
 import { logger } from '@/logger';
-import { getUser, gqlSdk } from '@/utils';
+import { getUser, gqlSdk, hash } from '@/utils';
 import { AuthRefreshTokenTypes_Enum } from '@/utils/__generated__/graphql-request';
 import { RequestHandler } from 'express';
 import Joi from 'joi';
@@ -47,19 +47,17 @@ export const createPATHandler: RequestHandler<
 
     const personalAccessToken = uuidv4();
 
-    await gqlSdk.insertRefreshToken({
+    const { insertAuthRefreshToken } = await gqlSdk.insertRefreshToken({
       refreshToken: {
         userId: id,
-        refreshToken: personalAccessToken,
+        refreshTokenHash: hash(personalAccessToken),
         expiresAt: new Date(expiresAt),
         metadata,
         type: AuthRefreshTokenTypes_Enum.Pat,
       },
     });
 
-    return res.send({
-      personalAccessToken,
-    });
+    return res.send({ id: insertAuthRefreshToken?.id, personalAccessToken });
   } catch (error) {
     logger.error(error);