Skip to content

Add id column on tokens and sessions #8137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Add id column on tokens and sessions #8137

wants to merge 8 commits into from
+415 −157

Conversation

david-crespo
Copy link
Contributor

@david-crespo david-crespo commented May 12, 2025
edited
Loading

Closes #8139

WIP. Everything compiles and existing tests work, but we are not yet testing retrieval by ID and we need to think about authz checks on the datastore functions for retrieving tokens and sessions by token string.

This PR would be a lot shorter if not for the fact that the token column was the primary key on both tables, so adding the id requires a bunch of migration steps to change the primary key. There were also a lot of changes to code and tests around making things ID-centric instead of token-centric.

  • SQL migrations for adding id col and changing primary key to that
  • Add TypedUuid to session and token DB models
  • Update authz_resource! and lookup_resource! calls for new primary key
  • Update Session trait methods to use id instead of token
  • Update app and datastore session and token methods to use ID instead of token
  • Update two distinct but nearly identical FakeSession implementations (one for unit tests, one for integration tests) to a) track sessions in a Vec instead of a HashMap with token keys
  • Figure out authz situation in new fetch session/token by token string methods

david-crespo
david-crespo commented May 13, 2025
View reviewed changes
nexus/auth/src/authz/api_resources.rs
@@ -957,7 +957,7 @@ authz_resource! {
authz_resource! {
name = "DeviceAccessToken",
parent = "Fleet",
primary_key = String, // token
primary_key = { uuid_kind = AccessTokenKind },
roles_allowed = false,
polar_snippet = FleetChild,
Copy link
Contributor Author

@david-crespo david-crespo May 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm realizing FleetChild will probably have to change.

@david-crespo david-crespo marked this pull request as ready for review May 20, 2025 15:27
david-crespo
david-crespo commented May 20, 2025
View reviewed changes
nexus/db-queries/src/db/datastore/console_session.rs
lookup_type: LookupType::ByOther("session token".to_string()),
})
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am struggling with one last thing — after changing the primary key from token to ID, I don't know how to authz check the new explicit lookup by token operation. I understand this is analogous to the authz check on a password login and should probably use the external authenticator opctx.
After the lookup by token, we have the whole session record on hand and can use a normal authz session for any further operations like expiration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add ID columns to tokens and sessions
1 participant
@david-crespo