feat: deprecate xxx_token columns from users table (phase iii)

hack/test.env

@@ -11,7 +11,7 @@ GOTRUE_API_HOST=localhost
 PORT=9999
 API_EXTERNAL_URL="http://localhost:9999"
 GOTRUE_LOG_SQL=none
-GOTRUE_LOG_LEVEL=warn
+GOTRUE_LOG_LEVEL=info
 GOTRUE_SITE_URL=https://example.netlify.com
 GOTRUE_URI_ALLOW_LIST="http://localhost:3000"
 GOTRUE_OPERATOR_TOKEN=foobar

internal/api/admin_test.go

@@ -585,20 +585,20 @@
 	// create user
 	u, err := models.NewUser("123456789", "[email protected]", "secret", ts.Config.JWT.Aud, map[string]interface{}{"name": "test"})
 	require.NoError(ts.T(), err)
-	u.ConfirmationToken = "some_token"
-	u.RecoveryToken = "some_token"
-	u.EmailChangeTokenCurrent = "some_token"
-	u.EmailChangeTokenNew = "some_token"
-	u.PhoneChangeToken = "some_token"
 	u.AppMetaData = map[string]interface{}{
 		"provider": "email",
 	}
 	require.NoError(ts.T(), ts.API.db.Create(u))
-	require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), u.ConfirmationToken, models.ConfirmationToken))
-	require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), u.RecoveryToken, models.RecoveryToken))
-	require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), u.EmailChangeTokenCurrent, models.EmailChangeTokenCurrent))
-	require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), u.EmailChangeTokenNew, models.EmailChangeTokenNew))
-	require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, u.ID, u.GetPhone(), u.PhoneChangeToken, models.PhoneChangeToken))
+	_, err = models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), "some_token", models.ConfirmationToken)
+	require.NoError(ts.T(), err)
+	_, err = models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), "some_token", models.RecoveryToken)
+	require.NoError(ts.T(), err)
+	_, err = models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), "some_token", models.EmailChangeTokenCurrent)
+	require.NoError(ts.T(), err)
+	_, err = models.CreateOneTimeToken(ts.API.db, u.ID, u.GetEmail(), "some_token", models.EmailChangeTokenNew)
+	require.NoError(ts.T(), err)
+	_, err = models.CreateOneTimeToken(ts.API.db, u.ID, u.GetPhone(), "some_token", models.PhoneChangeToken)
+	require.NoError(ts.T(), err)
 
 	// create user identities
 	_, err = ts.API.createNewIdentity(ts.API.db, u, "email", map[string]interface{}{
@@ -628,12 +628,16 @@
 	deletedUser, err := models.FindUserByID(ts.API.db, u.ID)
 	require.NoError(ts.T(), err)
 
+	// TODO(km): remove once the db columns are removed
 	require.Empty(ts.T(), deletedUser.ConfirmationToken)
 	require.Empty(ts.T(), deletedUser.RecoveryToken)
 	require.Empty(ts.T(), deletedUser.EmailChangeTokenCurrent)
 	require.Empty(ts.T(), deletedUser.EmailChangeTokenNew)
 	require.Empty(ts.T(), deletedUser.EncryptedPassword)
 	require.Empty(ts.T(), deletedUser.PhoneChangeToken)
+
+	// one time tokens table should be empty after a soft deletion
+	require.Empty(ts.T(), u.OneTimeTokens)
 	require.Empty(ts.T(), deletedUser.UserMetaData)
 	require.Empty(ts.T(), deletedUser.AppMetaData)
 	require.NotEmpty(ts.T(), deletedUser.DeletedAt)

internal/api/anonymous_test.go

@@ -142,8 +142,9 @@ func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 
 			switch c.verificationType {
 			case mail.EmailChangeVerification:
+				emailChangeToken := user.OneTimeTokens[0].TokenHash
 				require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
-					"token_hash": user.EmailChangeTokenNew,
+					"token_hash": emailChangeToken,
 					"type":       c.verificationType,
 				}))
 			case phoneChangeVerification:

internal/api/api_test.go

@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/crypto"
+	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
 	"github.com/supabase/auth/internal/storage/test"
 )
@@ -32,6 +33,10 @@ func setupAPIForTestWithCallback(cb func(*conf.GlobalConfiguration, *storage.Con
 		return nil, nil, err
 	}
 
+	if err := observability.ConfigureLogging(&config.Logging); err != nil {
+		return nil, nil, err
+	}
+
 	if cb != nil {
 		cb(config, nil)
 	}

internal/api/external_test.go

@@ -49,15 +49,12 @@ func (ts *ExternalTestSuite) createUser(providerId string, email string, name st
 		userData["avatar_url"] = avatar
 	}
 	u, err := models.NewUser("", email, "test", ts.Config.JWT.Aud, userData)
-
-	if confirmationToken != "" {
-		u.ConfirmationToken = confirmationToken
-	}
 	ts.Require().NoError(err, "Error making new user")
 	ts.Require().NoError(ts.API.db.Create(u), "Error creating user")
 
 	if confirmationToken != "" {
-		ts.Require().NoError(models.CreateOneTimeToken(ts.API.db, u.ID, email, u.ConfirmationToken, models.ConfirmationToken), "Error creating one-time confirmation/invite token")
+		_, err = models.CreateOneTimeToken(ts.API.db, u.ID, email, confirmationToken, models.ConfirmationToken)
+		ts.Require().NoError(err, "Error creating one-time confirmation/invite token")
 	}
 
 	i, err := models.NewIdentity(u, "email", map[string]interface{}{

internal/api/invite_test.go

@@ -208,10 +208,10 @@ func (ts *InviteTestSuite) TestVerifyInvite() {
 			user.InvitedAt = &now
 			user.ConfirmationSentAt = &now
 			user.EncryptedPassword = ""
-			user.ConfirmationToken = crypto.GenerateTokenHash(c.email, c.requestBody["token"].(string))
 			require.NoError(ts.T(), err)
 			require.NoError(ts.T(), ts.API.db.Create(user))
-			require.NoError(ts.T(), models.CreateOneTimeToken(ts.API.db, user.ID, user.GetEmail(), user.ConfirmationToken, models.ConfirmationToken))
+			_, err = models.CreateOneTimeToken(ts.API.db, user.ID, user.GetEmail(), crypto.GenerateTokenHash(c.email, c.requestBody["token"].(string)), models.ConfirmationToken)
+			require.NoError(ts.T(), err)
 
 			// Find test user
 			_, err = models.FindUserByEmailAndAudience(ts.API.db, c.email, ts.Config.JWT.Aud)
@@ -279,9 +279,10 @@ func (ts *InviteTestSuite) TestInviteExternalGitlab() {
 	// Find test user
 	user, err := models.FindUserByEmailAndAudience(ts.API.db, "[email protected]", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
+	inviteToken := user.OneTimeTokens[0].TokenHash
 
 	// get redirect url w/ state
-	req = httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=gitlab&invite_token="+user.ConfirmationToken, nil)
+	req = httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=gitlab&invite_token="+inviteToken, nil)
 	w = httptest.NewRecorder()
 	ts.API.handler.ServeHTTP(w, req)
 	ts.Require().Equal(http.StatusFound, w.Code)
@@ -371,9 +372,10 @@ func (ts *InviteTestSuite) TestInviteExternalGitlab_MismatchedEmails() {
 	// Find test user
 	user, err := models.FindUserByEmailAndAudience(ts.API.db, "[email protected]", ts.Config.JWT.Aud)
 	require.NoError(ts.T(), err)
+	inviteToken := user.OneTimeTokens[0].TokenHash
 
 	// get redirect url w/ state
-	req = httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=gitlab&invite_token="+user.ConfirmationToken, nil)
+	req = httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=gitlab&invite_token="+inviteToken, nil)
 	w = httptest.NewRecorder()
 	ts.API.handler.ServeHTTP(w, req)
 	ts.Require().Equal(http.StatusFound, w.Code)