Auth: add magic-link/session migrations and runtime datasource#44
Auth: add magic-link/session migrations and runtime datasource#44RandyJDean wants to merge 1 commit into
Conversation
- V0004 relaxes members.full_name and adds profile_completed_at so magic-link verification can create shell accounts before sign-up - V0005 creates magic_link_tokens (hashed, single-use, email-keyed) - V0006 creates Spring Session JDBC tables (schema owned by Flyway; spring.session.jdbc.initialize-schema=never) - Re-enable DataSourceAutoConfiguration with spring.datasource wired to the existing DATABASE_* env vars; disable runtime Flyway (migrations stay out-of-band via `just migrate`) - Add spring-session-jdbc, spring-boot-starter-security (previously only transitive via oauth2-client), spring-security-test - New app.auth.* properties (base-url, cookie-secure, magic-link-ttl); dev profile serves non-Secure cookies over plain HTTP - Fix .example.env DATABASE_NAME leftover from codebloom -> patchats Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Graphite Automations"Request reviewers once CI passes" took an action on this PR • (07/10/26)2 reviewers were added to this PR based on Henry Chen's automation. |
| server: | ||
| # Trust X-Forwarded-* from the reverse proxy so rate limiting sees real client IPs. | ||
| forward-headers-strategy: framework |
There was a problem hiding this comment.
Gotta investigate what this does.
| @@ -0,0 +1,9 @@ | |||
| -- Magic-link auth creates a minimal "shell" member row at link-verification time, | |||
There was a problem hiding this comment.
Why are we sending them a magic link before they fill out the sign up form?
| @@ -0,0 +1,12 @@ | |||
| -- Single-use sign-in tokens emailed to users. Keyed by email (not member id) | |||
| -- because the member row is only created once the link is verified. | |||
| CREATE TABLE IF NOT EXISTS "magic_link_tokens" ( | |||
There was a problem hiding this comment.
We should figure out a style guide for SQL stuff. Should the table names be lowercase or caps or whatever standard?
| -- Single-use sign-in tokens emailed to users. Keyed by email (not member id) | ||
| -- because the member row is only created once the link is verified. | ||
| CREATE TABLE IF NOT EXISTS "magic_link_tokens" ( | ||
| id UUID PRIMARY KEY, |
There was a problem hiding this comment.
Should this be uuid? Maybe investigate?
| @@ -0,0 +1,4 @@ | |||
| app: | |||
| auth: | |||
| # Dev runs plain HTTP through the Vite proxy; a Secure cookie would be silently dropped. | |||
There was a problem hiding this comment.
Does this need to be the case? Should we be logging in on dev too?
| datasource: | ||
| url: jdbc:postgresql://${DATABASE_HOST:localhost}:${DATABASE_PORT:5432}/${DATABASE_NAME:patchats} | ||
| username: ${DATABASE_USER:postgres} | ||
| password: ${DATABASE_PASSWORD:} |
There was a problem hiding this comment.
I'll look into this and see if we should be leaning towards spring's jdbc or what not.




magic-link verification can create shell accounts before sign-up
spring.session.jdbc.initialize-schema=never)
the existing DATABASE_* env vars; disable runtime Flyway (migrations
stay out-of-band via
just migrate)only transitive via oauth2-client), spring-security-test
dev profile serves non-Secure cookies over plain HTTP
Co-Authored-By: Claude Fable 5 noreply@anthropic.com