284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
63 lines
2.0 KiB
JavaScript
63 lines
2.0 KiB
JavaScript
/**
|
|
* Sign in with Apple identity mapping (App Store guideline 4.8).
|
|
*
|
|
* Maps the stable Apple `sub` claim to an existing Alga user/tenant. Stores
|
|
* the encrypted Apple refresh token so account deletion can revoke it
|
|
* (guideline 5.1.1(v)).
|
|
*
|
|
* Reference table (replicated across Citus nodes) because sign-in lookups
|
|
* are tenant-less: the client only knows the Apple identity until we've
|
|
* resolved which tenant it belongs to.
|
|
*
|
|
* @param { import("knex").Knex } knex
|
|
* @returns { Promise<void> }
|
|
*/
|
|
exports.up = async function up(knex) {
|
|
const hasTable = await knex.schema.hasTable('apple_user_identities');
|
|
if (!hasTable) {
|
|
await knex.schema.createTable('apple_user_identities', (table) => {
|
|
table.text('apple_user_id').primary();
|
|
table.uuid('tenant').notNullable();
|
|
table.uuid('user_id').notNullable();
|
|
table.text('email').nullable();
|
|
table.boolean('is_private_email').notNullable().defaultTo(false);
|
|
table.text('apple_refresh_token_enc').nullable();
|
|
table.timestamp('linked_at').notNullable().defaultTo(knex.fn.now());
|
|
table.timestamp('last_sign_in_at').nullable();
|
|
|
|
table.index(['tenant', 'user_id']);
|
|
table.index(['email']);
|
|
});
|
|
}
|
|
|
|
const citusFn = await knex.raw(`
|
|
SELECT EXISTS (
|
|
SELECT 1 FROM pg_proc
|
|
WHERE proname = 'create_reference_table'
|
|
) AS exists;
|
|
`);
|
|
|
|
if (citusFn.rows?.[0]?.exists) {
|
|
const distributed = await knex.raw(`
|
|
SELECT EXISTS (
|
|
SELECT 1 FROM pg_dist_partition
|
|
WHERE logicalrelid = 'apple_user_identities'::regclass
|
|
) AS is_distributed;
|
|
`);
|
|
if (!distributed.rows?.[0]?.is_distributed) {
|
|
await knex.raw("SELECT create_reference_table('apple_user_identities')");
|
|
}
|
|
}
|
|
};
|
|
|
|
/**
|
|
* @param { import("knex").Knex } knex
|
|
* @returns { Promise<void> }
|
|
*/
|
|
exports.down = async function down(knex) {
|
|
await knex.schema.dropTableIfExists('apple_user_identities');
|
|
};
|
|
|
|
// Disable transaction for Citus DB compatibility
|
|
exports.config = { transaction: false };
|