Duplicate GitHub OAuth info to a linked_accounts table (deploy 1)

That has a `provider` column that will (for now) always be set to 0,
which corresponds to `AccountProvider::Github`.

The table's primary key is (provider, account_id), which corresponds to
(0, gh_id). This constraint will mean a particular GitHub/GitLab/etc
account, identified from the provider by an ID, may only be associated
with one crates.io user record, but a crates.io user record could
(eventually) have *both* a GitHub *and* a GitLab account associated with
it (or two GitHub accounts, even!)

This is the first step of many to eventually allow for crates.io
accounts linked to other OAuth providers in addition/instead of GitHub.

No code aside from one test is reading from the linked accounts table at
this time.

No backfill has been done yet.

No handling of creating/associating multiple OAuth accounts with one
crates.io account has been done yet.

Author: carols10cents

crates/crates_io_database/src/models/mod.rs

@@ -14,7 +14,7 @@ pub use self::krate::{Crate, CrateName, NewCrate, RecentCrateDownloads};
 pub use self::owner::{CrateOwner, Owner, OwnerKind};
 pub use self::team::{NewTeam, Team};
 pub use self::token::ApiToken;
-pub use self::user::{NewUser, User};
+pub use self::user::{AccountProvider, LinkedAccount, NewUser, User};
 pub use self::version::{NewVersion, TopVersions, Version};
 
 pub mod helpers;

crates/crates_io_database/src/models/user.rs

@@ -8,8 +8,8 @@ use diesel_async::{AsyncPgConnection, RunQueryDsl};
 use secrecy::SecretString;
 
 use crate::models::{Crate, CrateOwner, Email, Owner, OwnerKind};
-use crate::schema::{crate_owners, emails, users};
-use crates_io_diesel_helpers::lower;
+use crate::schema::{crate_owners, emails, linked_accounts, users};
+use crates_io_diesel_helpers::{lower, pg_enum};
 
 /// The model representing a row in the `users` database table.
 #[derive(Clone, Debug, Queryable, Identifiable, Selectable)]
@@ -78,6 +78,31 @@ impl User {
     }
 }
 
+// Supported OAuth providers. Currently only GitHub.
+pg_enum! {
+    pub enum AccountProvider {
+        Github = 0,
+    }
+}
+
+/// Represents an OAuth account record linked to a user record.
+#[derive(Associations, Identifiable, Selectable, Queryable, Debug, Clone)]
+#[diesel(
+    table_name = linked_accounts,
+    check_for_backend(diesel::pg::Pg),
+    primary_key(provider, account_id),
+    belongs_to(User),
+)]
+pub struct LinkedAccount {
+    pub user_id: i32,
+    pub provider: AccountProvider,
+    pub account_id: i32, // corresponds to user.gh_id
+    #[diesel(deserialize_as = String)]
+    pub access_token: SecretString, // corresponds to user.gh_access_token
+    pub login: String,   // corresponds to user.gh_login
+    pub avatar: Option<String>, // corresponds to user.gh_avatar
+}
+
 /// Represents a new user record insertable to the `users` table
 #[derive(Insertable, Debug, Builder)]
 #[diesel(table_name = users, check_for_backend(diesel::pg::Pg))]

crates/crates_io_database/src/schema.rs

@@ -593,6 +593,50 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    /// Representation of the `linked_accounts` table.
+    ///
+    /// (Automatically generated by Diesel.)
+    linked_accounts (provider, account_id) {
+        /// The `user_id` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Int4`.
+        ///
+        /// (Automatically generated by Diesel.)
+        user_id -> Int4,
+        /// The `provider` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Int4`.
+        ///
+        /// (Automatically generated by Diesel.)
+        provider -> Int4,
+        /// The `account_id` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Int4`.
+        ///
+        /// (Automatically generated by Diesel.)
+        account_id -> Int4,
+        /// The `access_token` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Varchar`.
+        ///
+        /// (Automatically generated by Diesel.)
+        access_token -> Varchar,
+        /// The `login` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Varchar`.
+        ///
+        /// (Automatically generated by Diesel.)
+        login -> Varchar,
+        /// The `avatar` column of the `linked_accounts` table.
+        ///
+        /// Its SQL type is `Nullable<Varchar>`.
+        ///
+        /// (Automatically generated by Diesel.)
+        avatar -> Nullable<Varchar>,
+    }
+}
+
 diesel::table! {
     /// Representation of the `metadata` table.
     ///
@@ -1064,6 +1108,7 @@ diesel::joinable!(dependencies -> versions (version_id));
 diesel::joinable!(emails -> users (user_id));
 diesel::joinable!(follows -> crates (crate_id));
 diesel::joinable!(follows -> users (user_id));
+diesel::joinable!(linked_accounts -> users (user_id));
 diesel::joinable!(publish_limit_buckets -> users (user_id));
 diesel::joinable!(publish_rate_overrides -> users (user_id));
 diesel::joinable!(readme_renderings -> versions (version_id));
@@ -1092,6 +1137,7 @@ diesel::allow_tables_to_appear_in_same_query!(
     emails,
     follows,
     keywords,
+    linked_accounts,
     metadata,
     processed_log_files,
     publish_limit_buckets,

crates/crates_io_database_dump/src/dump-db.toml

@@ -154,6 +154,16 @@ keyword = "public"
 crates_cnt = "public"
 created_at = "public"
 
+[linked_accounts.columns]
+user_id = "public"
+provider = "public"
+account_id = "public"
+access_token = "private"
+login = "public"
+avatar = "public"
+[linked_accounts.column_defaults]
+access_token = "''"
+
 [metadata.columns]
 total_downloads = "public"
 

crates/crates_io_database_dump/src/snapshots/[email protected]

@@ -1,13 +1,15 @@
 ---
 source: crates/crates_io_database_dump/src/lib.rs
 expression: content
+snapshot_kind: text
 ---
 BEGIN ISOLATION LEVEL REPEATABLE READ, READ ONLY;
 
     \copy "categories" ("category", "crates_cnt", "created_at", "description", "id", "path", "slug") TO 'data/categories.csv' WITH CSV HEADER
     \copy "crate_downloads" ("crate_id", "downloads") TO 'data/crate_downloads.csv' WITH CSV HEADER
     \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "updated_at") TO 'data/crates.csv' WITH CSV HEADER
     \copy "keywords" ("crates_cnt", "created_at", "id", "keyword") TO 'data/keywords.csv' WITH CSV HEADER
+    \copy "linked_accounts" ("account_id", "avatar", "login", "provider", "user_id") TO 'data/linked_accounts.csv' WITH CSV HEADER
     \copy "metadata" ("total_downloads") TO 'data/metadata.csv' WITH CSV HEADER
     \copy "reserved_crate_names" ("name") TO 'data/reserved_crate_names.csv' WITH CSV HEADER
     \copy "teams" ("avatar", "github_id", "id", "login", "name", "org_id") TO 'data/teams.csv' WITH CSV HEADER

crates/crates_io_database_dump/src/snapshots/[email protected]

@@ -1,6 +1,7 @@
 ---
 source: crates/crates_io_database_dump/src/lib.rs
 expression: content
+snapshot_kind: text
 ---
 BEGIN;
     -- Disable triggers on each table.
@@ -9,6 +10,7 @@ BEGIN;
     ALTER TABLE "crate_downloads" DISABLE TRIGGER ALL;
     ALTER TABLE "crates" DISABLE TRIGGER ALL;
     ALTER TABLE "keywords" DISABLE TRIGGER ALL;
+    ALTER TABLE "linked_accounts" DISABLE TRIGGER ALL;
     ALTER TABLE "metadata" DISABLE TRIGGER ALL;
     ALTER TABLE "reserved_crate_names" DISABLE TRIGGER ALL;
     ALTER TABLE "teams" DISABLE TRIGGER ALL;
@@ -23,6 +25,7 @@ BEGIN;
 
     -- Set defaults for non-nullable columns not included in the dump.
 
+    ALTER TABLE "linked_accounts" ALTER COLUMN "access_token" SET DEFAULT '';
     ALTER TABLE "users" ALTER COLUMN "gh_access_token" SET DEFAULT '';
 
     -- Truncate all tables.
@@ -31,6 +34,7 @@ BEGIN;
     TRUNCATE "crate_downloads" RESTART IDENTITY CASCADE;
     TRUNCATE "crates" RESTART IDENTITY CASCADE;
     TRUNCATE "keywords" RESTART IDENTITY CASCADE;
+    TRUNCATE "linked_accounts" RESTART IDENTITY CASCADE;
     TRUNCATE "metadata" RESTART IDENTITY CASCADE;
     TRUNCATE "reserved_crate_names" RESTART IDENTITY CASCADE;
     TRUNCATE "teams" RESTART IDENTITY CASCADE;
@@ -52,6 +56,7 @@ BEGIN;
     \copy "crate_downloads" ("crate_id", "downloads") FROM 'data/crate_downloads.csv' WITH CSV HEADER
     \copy "crates" ("created_at", "description", "documentation", "homepage", "id", "max_features", "max_upload_size", "name", "readme", "repository", "updated_at") FROM 'data/crates.csv' WITH CSV HEADER
     \copy "keywords" ("crates_cnt", "created_at", "id", "keyword") FROM 'data/keywords.csv' WITH CSV HEADER
+    \copy "linked_accounts" ("account_id", "avatar", "login", "provider", "user_id") FROM 'data/linked_accounts.csv' WITH CSV HEADER
     \copy "metadata" ("total_downloads") FROM 'data/metadata.csv' WITH CSV HEADER
     \copy "reserved_crate_names" ("name") FROM 'data/reserved_crate_names.csv' WITH CSV HEADER
     \copy "teams" ("avatar", "github_id", "id", "login", "name", "org_id") FROM 'data/teams.csv' WITH CSV HEADER
@@ -66,6 +71,7 @@ BEGIN;
 
     -- Drop the defaults again.
 
+    ALTER TABLE "linked_accounts" ALTER COLUMN "access_token" DROP DEFAULT;
     ALTER TABLE "users" ALTER COLUMN "gh_access_token" DROP DEFAULT;
 
     -- Reenable triggers on each table.
@@ -74,6 +80,7 @@ BEGIN;
     ALTER TABLE "crate_downloads" ENABLE TRIGGER ALL;
     ALTER TABLE "crates" ENABLE TRIGGER ALL;
     ALTER TABLE "keywords" ENABLE TRIGGER ALL;
+    ALTER TABLE "linked_accounts" ENABLE TRIGGER ALL;
     ALTER TABLE "metadata" ENABLE TRIGGER ALL;
     ALTER TABLE "reserved_crate_names" ENABLE TRIGGER ALL;
     ALTER TABLE "teams" ENABLE TRIGGER ALL;

migrations/2025-01-29-205705_linked_accounts_table/down.sql

@@ -0,0 +1 @@
+DROP TABLE linked_accounts;

migrations/2025-01-29-205705_linked_accounts_table/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE linked_accounts (
+  user_id INTEGER NOT NULL REFERENCES users (id) ON DELETE CASCADE,
+  provider INTEGER NOT NULL,
+  account_id INTEGER NOT NULL,
+  access_token VARCHAR NOT NULL,
+  login VARCHAR NOT NULL,
+  avatar VARCHAR,
+  PRIMARY KEY (provider, account_id)
+);

src/controllers/session.rs

@@ -2,6 +2,7 @@ use axum::extract::{FromRequestParts, Query};
 use axum::Json;
 use axum_extra::json;
 use axum_extra::response::ErasedJson;
+use diesel::insert_into;
 use diesel::prelude::*;
 use diesel_async::scoped_futures::ScopedFutureExt;
 use diesel_async::{AsyncConnection, AsyncPgConnection, RunQueryDsl};
@@ -12,8 +13,8 @@ use crate::app::AppState;
 use crate::controllers::user::update::UserConfirmEmail;
 use crate::email::Emails;
 use crate::middleware::log_request::RequestLogExt;
-use crate::models::{NewEmail, NewUser, User};
-use crate::schema::users;
+use crate::models::{AccountProvider, NewEmail, NewUser, User};
+use crate::schema::{linked_accounts, users};
 use crate::util::diesel::is_read_only_error;
 use crate::util::errors::{bad_request, server_error, AppResult};
 use crate::views::EncodableMe;
@@ -175,6 +176,24 @@ async fn create_or_update_user(
         async move {
             let user = new_user.insert_or_update(conn).await?;
 
+            // To assist in eventually someday allowing OAuth with more than GitHub, also
+            // write the GitHub info to the `linked_accounts` table. Nothing currently reads
+            // from this table. Only log errors but don't fail login if this writing fails.
+            if let Err(e) = insert_into(linked_accounts::table)
+                .values((
+                    linked_accounts::user_id.eq(user.id),
+                    linked_accounts::provider.eq(AccountProvider::Github),
+                    linked_accounts::account_id.eq(user.gh_id),
+                    linked_accounts::access_token.eq(&new_user.gh_access_token),
+                    linked_accounts::login.eq(&user.gh_login),
+                    linked_accounts::avatar.eq(&user.gh_avatar),
+                ))
+                .execute(conn)
+                .await
+            {
+                info!("Error inserting linked_accounts record: {e}");
+            }
+
             // To send the user an account verification email
             if let Some(user_email) = email {
                 let new_email = NewEmail::builder()

src/tests/user.rs

@@ -1,5 +1,6 @@
 use crate::controllers::session;
-use crate::models::{ApiToken, Email, User};
+use crate::models::{AccountProvider, ApiToken, Email, LinkedAccount, User};
+use crate::schema::linked_accounts;
 use crate::tests::util::github::next_gh_id;
 use crate::tests::util::{MockCookieUser, RequestHelper};
 use crate::tests::TestApp;
@@ -265,3 +266,33 @@ async fn test_existing_user_email() -> anyhow::Result<()> {
 
     Ok(())
 }
+
+// To assist in eventually someday allowing OAuth with more than GitHub, verify that we're starting
+// to also write the GitHub info to the `linked_accounts` table. Nothing currently reads from this
+// table other than this test.
+#[tokio::test(flavor = "multi_thread")]
+async fn also_write_to_linked_accounts() -> anyhow::Result<()> {
+    let (app, _) = TestApp::init().empty().await;
+    let mut conn = app.db_conn().await;
+
+    let user = app.db_new_user("arbitrary_username").await;
+    let u = user.as_model();
+
+    let linked_accounts = linked_accounts::table
+        .filter(linked_accounts::provider.eq(AccountProvider::Github))
+        .filter(linked_accounts::login.eq(&u.gh_login))
+        .load::<LinkedAccount>(&mut conn)
+        .await
+        .unwrap();
+
+    assert_eq!(linked_accounts.len(), 1);
+    let linked_account = &linked_accounts[0];
+    assert_eq!(linked_account.user_id, u.id);
+    assert_eq!(linked_account.account_id, u.gh_id);
+    assert_eq!(
+        linked_account.access_token.expose_secret(),
+        u.gh_access_token.expose_secret()
+    );
+
+    Ok(())
+}