fix(portal): Update existing auth_identities migration to include provider_identifier in the index (#7523)

#7522 won't successfully complete on production because of the migration in this PR. So, instead, we need to modify this migration, and then manually apply the same operation to staging.
2026-01-27 10:18:54 +00:00 · 2024-12-15 10:08:25 -08:00
parent d3f38a22ae
commit 938448a43b
2 changed files with 11 additions and 9 deletions
--- a/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs
+++ b/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs
@@ -2,8 +2,14 @@ defmodule Domain.Repo.Migrations.AddIdentityEmailUniqueIndex do
  use Ecto.Migration

  def change do
+    # We include provider_identifier in the index because it's possible
+    # for two identities in the same provider to share an email address.
+    #
+    # This can happen for example if the IdP allows auth methods on their
+    # end tied to a single OIDC connector with Firezone. Examples of IdPs
+    # that do this are Authelia, Auth0, Keycloak and likely others.
    create(
-      index(:auth_identities, [:account_id, :provider_id, :email],
+      index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
        name: :auth_identities_account_id_provider_id_email_idx,
        where: "deleted_at IS NULL",
        unique: true
--- a/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs
+++ b/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs
@@ -1,21 +1,17 @@
 defmodule Domain.Repo.Migrations.ChangeIdentityEmailUniqueIndex do
  use Ecto.Migration

+  # We need to rename the index because the "add_identity_email_unique_index" originally
+  # succeeded on staging but failed on production, so we need this migration to resolve
+  # the difference between the two environments.
  def change do
    drop(
-      index(:auth_identities, [:account_id, :provider_id, :email],
+      index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
        name: :auth_identities_account_id_provider_id_email_idx,
        where: "deleted_at IS NULL",
        unique: true
      )
    )
-
-    # We include provider_identifier in the index because it's possible
-    # for two identities in the same provider to share an email address.
-    #
-    # This can happen for example if the IdP allows auth methods on their
-    # end tied to a single OIDC connector with Firezone. Examples of IdPs
-    # that do this are Authelia, Auth0, Keycloak and likely others.
    create(
      index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
        name: :auth_identities_acct_id_provider_id_email_prov_ident_unique_idx,