admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d74cfeee6274bd0319063193e601f78f5979d1e4
honeyDueAPI/migrations/000007_kratos_identity.sql
T
Trey t 81578f6e27
Backend CI / Test (push) Has been cancelled
Details
Backend CI / Contract Tests (push) Has been cancelled
Details
Backend CI / Lint (push) Has been cancelled
Details
Backend CI / Secret Scanning (push) Has been cancelled
Details
Backend CI / Build (push) Has been cancelled
Details
feat(auth): replace hand-rolled auth with Ory Kratos — phase 2 backend 
Delegates all credential management (login, register, password reset,
email verification, social sign-in) to Ory Kratos. The Go API now acts
as a resource server: the new KratosAuth middleware validates sessions
against the Kratos whoami endpoint, writes the local User mirror into
Echo context, and all existing domain handlers continue working
unchanged. Hand-rolled token auth, AuthToken model, apple_auth/
google_auth services, and the auth refresh flow are removed. Tests are
updated to use the fake-token middleware pattern so existing integration
assertions require no rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 17:55:56 -05:00

38 lines
1.8 KiB
SQL
Raw Blame History

-- +goose Up
-- Phase 2: hand-rolled auth replaced by Ory Kratos. Kratos owns identities,
-- credentials, sessions, email verification, recovery and social sign-in.
-- honeyDue keeps a slim auth_user row linked to the Kratos identity by
-- kratos_id; all domain tables keep their existing integer auth_user FKs.
--
-- Pre-production: a clean slate is taken. auth_user is truncated (cascading
-- to all user-scoped domain data) so no auth_user row exists without a
-- Kratos identity behind it. There is no data migration.
-- honeyDue's hand-rolled auth tables are no longer used — Kratos owns this.
DROP TABLE IF EXISTS user_authtoken;
DROP TABLE IF EXISTS user_confirmationcode;
DROP TABLE IF EXISTS user_passwordresetcode;
DROP TABLE IF EXISTS user_applesocialauth;
DROP TABLE IF EXISTS user_googlesocialauth;
-- Link each auth_user row to its Kratos identity (UUID).
ALTER TABLE auth_user ADD COLUMN IF NOT EXISTS kratos_id uuid;
CREATE UNIQUE INDEX IF NOT EXISTS uq_auth_user_kratos_id
ON auth_user (kratos_id) WHERE kratos_id IS NOT NULL;
-- password is NOT NULL in the Django-era schema but is no longer used —
-- Kratos holds credentials. Make it nullable so provisioning need not
-- invent a placeholder hash.
ALTER TABLE auth_user ALTER COLUMN password DROP NOT NULL;
-- Clean slate (pre-production): drop every existing account and all
-- user-scoped domain data so nothing is left orphaned without a Kratos id.
TRUNCATE TABLE auth_user CASCADE;
-- +goose Down
-- The dropped tables' data cannot be restored. Down only removes the
-- kratos_id column and restores the password NOT NULL constraint; reverting
-- to hand-rolled auth means reverting the Phase 2 application code.
DROP INDEX IF EXISTS uq_auth_user_kratos_id;
ALTER TABLE auth_user DROP COLUMN IF EXISTS kratos_id;
Reference in New Issue View Git Blame Copy Permalink