284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
79 lines
3.1 KiB
JavaScript
79 lines
3.1 KiB
JavaScript
/**
|
|
* Migration: Add session tracking columns to sessions table
|
|
*
|
|
* Adds comprehensive session tracking fields including:
|
|
* - IP address and location tracking
|
|
* - Device information and fingerprinting
|
|
* - Activity and expiration tracking
|
|
* - Revocation tracking
|
|
* - Login method tracking
|
|
*
|
|
* CRITICAL: Makes the 'token' column nullable to avoid NOT NULL constraint violations
|
|
* The session_id (stored in JWT) is used as the correlation key instead of token
|
|
*/
|
|
|
|
exports.up = async function(knex) {
|
|
await knex.schema.alterTable('sessions', (table) => {
|
|
// IP and location tracking
|
|
table.string('ip_address', 45); // Support IPv4 and IPv6
|
|
table.jsonb('location_data'); // {city, country, timezone}
|
|
|
|
// Device information
|
|
table.text('user_agent');
|
|
table.text('device_fingerprint'); // SHA-256 hash
|
|
table.text('device_name'); // "Chrome on macOS"
|
|
table.text('device_type'); // desktop, mobile, tablet
|
|
|
|
// Activity tracking
|
|
table.timestamp('last_activity_at', { useTz: true }).defaultTo(knex.fn.now());
|
|
table.timestamp('expires_at', { useTz: true });
|
|
|
|
// Revocation tracking
|
|
table.timestamp('revoked_at', { useTz: true });
|
|
table.text('revoked_reason'); // user_logout, admin_revoke, max_sessions, security, inactivity
|
|
|
|
// Session metadata
|
|
table.text('login_method'); // 'credentials', 'google', 'microsoft', 'keycloak'
|
|
|
|
// NOTE: No token_hash column - we use session_id (stored in JWT) as correlation key
|
|
// NOTE: No is_current column - UI determines current session dynamically
|
|
});
|
|
|
|
// CRITICAL: Make the old 'token' column nullable
|
|
// The existing sessions table has token TEXT NOT NULL which will cause inserts to fail
|
|
// We don't use this column anymore (session_id is the correlation key), but keep it nullable for compatibility
|
|
await knex.schema.raw('ALTER TABLE sessions ALTER COLUMN token DROP NOT NULL');
|
|
|
|
// Add indexes for performance
|
|
// IMPORTANT: Include tenant column for CitusDB distributed table compatibility
|
|
await knex.schema.raw(
|
|
'CREATE INDEX idx_sessions_user_active ON sessions(tenant, user_id) WHERE revoked_at IS NULL'
|
|
);
|
|
await knex.schema.raw(
|
|
'CREATE INDEX idx_sessions_expires_at ON sessions(tenant, expires_at) WHERE revoked_at IS NULL'
|
|
);
|
|
// NOTE: No token_hash index - we use session_id (PK) as lookup key
|
|
};
|
|
|
|
exports.down = async function(knex) {
|
|
// Restore NOT NULL constraint on token
|
|
await knex.schema.raw('ALTER TABLE sessions ALTER COLUMN token SET NOT NULL');
|
|
|
|
await knex.schema.alterTable('sessions', (table) => {
|
|
table.dropColumn('ip_address');
|
|
table.dropColumn('location_data');
|
|
table.dropColumn('user_agent');
|
|
table.dropColumn('device_fingerprint');
|
|
table.dropColumn('device_name');
|
|
table.dropColumn('device_type');
|
|
table.dropColumn('last_activity_at');
|
|
table.dropColumn('expires_at');
|
|
table.dropColumn('revoked_at');
|
|
table.dropColumn('revoked_reason');
|
|
table.dropColumn('login_method');
|
|
});
|
|
|
|
await knex.schema.raw('DROP INDEX IF EXISTS idx_sessions_user_active');
|
|
await knex.schema.raw('DROP INDEX IF EXISTS idx_sessions_expires_at');
|
|
};
|