Skip to content

Auth: add magic-link/session migrations and runtime datasource#44

Open
RandyJDean wants to merge 1 commit into
mainfrom
07-09-auth_add_magic-link_session_migrations_and_runtime_datasource
Open

Auth: add magic-link/session migrations and runtime datasource#44
RandyJDean wants to merge 1 commit into
mainfrom
07-09-auth_add_magic-link_session_migrations_and_runtime_datasource

Conversation

@RandyJDean

Copy link
Copy Markdown
Contributor
  • V0004 relaxes members.full_name and adds profile_completed_at so
    magic-link verification can create shell accounts before sign-up
  • V0005 creates magic_link_tokens (hashed, single-use, email-keyed)
  • V0006 creates Spring Session JDBC tables (schema owned by Flyway;
    spring.session.jdbc.initialize-schema=never)
  • Re-enable DataSourceAutoConfiguration with spring.datasource wired to
    the existing DATABASE_* env vars; disable runtime Flyway (migrations
    stay out-of-band via just migrate)
  • Add spring-session-jdbc, spring-boot-starter-security (previously
    only transitive via oauth2-client), spring-security-test
  • New app.auth.* properties (base-url, cookie-secure, magic-link-ttl);
    dev profile serves non-Secure cookies over plain HTTP
  • Fix .example.env DATABASE_NAME leftover from codebloom -> patchats

Co-Authored-By: Claude Fable 5 noreply@anthropic.com

- V0004 relaxes members.full_name and adds profile_completed_at so
  magic-link verification can create shell accounts before sign-up
- V0005 creates magic_link_tokens (hashed, single-use, email-keyed)
- V0006 creates Spring Session JDBC tables (schema owned by Flyway;
  spring.session.jdbc.initialize-schema=never)
- Re-enable DataSourceAutoConfiguration with spring.datasource wired to
  the existing DATABASE_* env vars; disable runtime Flyway (migrations
  stay out-of-band via `just migrate`)
- Add spring-session-jdbc, spring-boot-starter-security (previously
  only transitive via oauth2-client), spring-security-test
- New app.auth.* properties (base-url, cookie-secure, magic-link-ttl);
  dev profile serves non-Secure cookies over plain HTTP
- Fix .example.env DATABASE_NAME leftover from codebloom -> patchats

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@RandyJDean RandyJDean marked this pull request as ready for review July 10, 2026 18:47
@RandyJDean RandyJDean requested a review from a team as a code owner July 10, 2026 18:47
@graphite-app graphite-app Bot requested review from Arshadul-Monir and arklian July 10, 2026 18:47
@graphite-app

graphite-app Bot commented Jul 10, 2026

Copy link
Copy Markdown

Graphite Automations

"Request reviewers once CI passes" took an action on this PR • (07/10/26)

2 reviewers were added to this PR based on Henry Chen's automation.

Comment on lines +26 to +28
server:
# Trust X-Forwarded-* from the reverse proxy so rate limiting sees real client IPs.
forward-headers-strategy: framework

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gotta investigate what this does.

@@ -0,0 +1,9 @@
-- Magic-link auth creates a minimal "shell" member row at link-verification time,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we sending them a magic link before they fill out the sign up form?

@@ -0,0 +1,12 @@
-- Single-use sign-in tokens emailed to users. Keyed by email (not member id)
-- because the member row is only created once the link is verified.
CREATE TABLE IF NOT EXISTS "magic_link_tokens" (

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should figure out a style guide for SQL stuff. Should the table names be lowercase or caps or whatever standard?

-- Single-use sign-in tokens emailed to users. Keyed by email (not member id)
-- because the member row is only created once the link is verified.
CREATE TABLE IF NOT EXISTS "magic_link_tokens" (
id UUID PRIMARY KEY,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be uuid? Maybe investigate?

@@ -0,0 +1,4 @@
app:
auth:
# Dev runs plain HTTP through the Vite proxy; a Secure cookie would be silently dropped.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be the case? Should we be logging in on dev too?

Comment on lines +2 to +5
datasource:
url: jdbc:postgresql://${DATABASE_HOST:localhost}:${DATABASE_PORT:5432}/${DATABASE_NAME:patchats}
username: ${DATABASE_USER:postgres}
password: ${DATABASE_PASSWORD:}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll look into this and see if we should be leaning towards spring's jdbc or what not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants