fix: reduce db lookups in whoami for aal check

[aeneasr]

This PR removes queries to identity_credentials, identity_credential_types, and identity_credential_identifiers when performing the whoami check.

It does this by “caching” the maximum available AAL in the identity table. The value is updated whenever an identity is created or updated.

The mechanism can also fall back to generate the AAL value itself if the value is not available in the identity (this is a migration strategy).

One potential issue: If the available_aal is not correctly set, it might lead to issues where the user has 2FA enabled, but the system thinks they only have 1FA enabled.

[Benehiko]

LGTM

[zepatrik]

I have some doubts about the migration strategy, see comments.

[zepatrik]

Doesn't NOT NULL DEFAULT ... do a full table update? Wouldn't it be better to use a nullable column here instead?
Like this every identity would have available_aal set to 0 after the migration, and only on update we would set the correct value.

[aeneasr]

Yep, absolutely. However as I understood the people from CRDB, this should not be an issue due to the way migrations work. We still need to verify that though.

[aeneasr]

It's now nullable

[zepatrik]

A nullable column makes this unnecessary, because we can distinguish the "not yet computed" from the "zero" case.

[aeneasr]

I think that this state could also happen during an import, which is why I think this fallback is required.

[zepatrik]

Why does this lack the new column?

[aeneasr]

Because it's not exposed in JSON

[zepatrik]

I think it makes more sense to make this a function on the identity, and provide the manager as a dependency there (potentially as an interface). The logic is duplicated in the session manager well.

[aeneasr]

done

[zepatrik]

Suggested change

	i.AvailableAAL = available
	i.SetAvailableAAL(s.r.IdentityManager())

[zepatrik]

During the "migration" we just recompute it for everyone. Users that don't log in during the migration period stay at AAL0 forever. I think a nullable column is the way to go instead.

Suggested change

	// This is the migration strategy for identities that already exist.
	if managerOpts.upsertAAL {
	// This is the migration strategy for identities that already exist.
	if !i.AvailableAAL.Valid {

[aeneasr]

Yup - it's now nullable. This parameter however is still here because we don't always want to perform an INSERT or UPDATE statement when this method is called, so there has to be a way to control it.

[zepatrik]

OK, makes sense.

[zepatrik]

Looks good now 👍

[zepatrik]

This comment is not accurate anymore.

[zepatrik]

OK, makes sense.

[codecov]

Codecov Report

Merging #3372 (70e4eac) into master (eaa3f3c) will increase coverage by 0.00%.
The diff coverage is 75.86%.

❗ Current head 70e4eac differs from pull request most recent head 8fedaf1. Consider uploading reports for the commit 8fedaf1 to get more accurate results

@@           Coverage Diff           @@
##           master    #3372   +/-   ##
=======================================
  Coverage   77.98%   77.99%           
=======================================
  Files         327      327           
  Lines       21279    21331   +52     
=======================================
+ Hits        16595    16637   +42     
- Misses       3449     3456    +7     
- Partials     1235     1238    +3     

Impacted Files	Coverage Δ
identity/manager.go	76.92% <0.00%> (-3.73%)	⬇️
identity/identity.go	89.67% <53.84%> (-2.33%)	⬇️
session/manager_http.go	79.36% <68.75%> (+0.71%)	⬆️
identity/credentials.go	83.78% <84.00%> (+0.11%)	⬆️
cmd/clidoc/main.go	68.05% <100.00%> (ø)
identity/test/pool.go	100.00% <100.00%> (ø)
selfservice/strategy/code/strategy_recovery.go	70.56% <100.00%> (ø)
selfservice/strategy/code/strategy_verification.go	74.25% <100.00%> (ø)
session/handler.go	68.60% <100.00%> (+0.24%)	⬆️
text/message_node.go	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes