From 938448a43b0b6d6f7cab5090f5f82bedd42ac8e2 Mon Sep 17 00:00:00 2001
From: Jamil
Date: Sun, 15 Dec 2024 10:08:25 -0800
Subject: [PATCH] fix(portal): Update existing auth_identities migration to include `provider_identifier` in the index (#7523)

#7522 won't successfully complete on production because of the migration in this PR. So, instead, we need to modify this migration, and then manually apply the same operation to staging.
---
 ...0241126185037_add_identity_email_unique_index.exs | 8 +++++++-
 ...1214030516_change_identity_email_unique_index.exs | 12 ++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs b/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs
index c6a675ab9..1ad4a2672 100644
--- a/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs
+++ b/elixir/apps/domain/priv/repo/migrations/20241126185037_add_identity_email_unique_index.exs
@@ -2,8 +2,14 @@ defmodule Domain.Repo.Migrations.AddIdentityEmailUniqueIndex do
 use Ecto.Migration
 
 def change do
+ # We include provider_identifier in the index because it's possible
+ # for two identities in the same provider to share an email address.
+ #
+ # This can happen for example if the IdP allows auth methods on their
+ # end tied to a single OIDC connector with Firezone. Examples of IdPs
+ # that do this are Authelia, Auth0, Keycloak and likely others.
 create(
- index(:auth_identities, [:account_id, :provider_id, :email],
+ index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
 name: :auth_identities_account_id_provider_id_email_idx,
 where: "deleted_at IS NULL",
 unique: true
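Review bot: With `:provider_identifier` appended to the column list, this unique index no longer guarantees a single live identity per `(account_id, provider_id, email)`; it only rejects rows that repeat both the email and the provider identifier. If another unique index already covers the provider identifier within a provider (not visible in this hunk), the index adds no constraint of its own, so any code path that resolves an identity by email within a provider should be checked to handle several matches instead of assuming one. The name `auth_identities_account_id_provider_id_email_idx` also no longer describes the indexed columns; a comment such as `# Renamed by 20241214030516_change_identity_email_unique_index` would make that explicit. Databases that already ran this migration keep the three-column definition, which is worth recording in the same comment.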
diff --git a/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs b/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs
index 7d11541ee..59ab0b67e 100644
--- a/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs
+++ b/elixir/apps/domain/priv/repo/migrations/20241214030516_change_identity_email_unique_index.exs
@@ -1,21 +1,17 @@
 defmodule Domain.Repo.Migrations.ChangeIdentityEmailUniqueIndex do
 use Ecto.Migration
 
+ # We need to rename the index because the "add_identity_email_unique_index" originally
+ # succeeded on staging but failed on production, so we need this migration to resolve
+ # the difference between the two environments.
 def change do
 drop(
- index(:auth_identities, [:account_id, :provider_id, :email],
+ index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
 name: :auth_identities_account_id_provider_id_email_idx,
 where: "deleted_at IS NULL",
 unique: true
 )
 )
-
- # We include provider_identifier in the index because it's possible
- # for two identities in the same provider to share an email address.
- #
- # This can happen for example if the IdP allows auth methods on their
- # end tied to a single OIDC connector with Firezone. Examples of IdPs
- # that do this are Authelia, Auth0, Keycloak and likely others.
 create(
 index(:auth_identities, [:account_id, :provider_id, :email, :provider_identifier],
 name: :auth_identities_acct_id_provider_id_email_prov_ident_unique_idx,
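Review bot: The `drop(...)` and `create(...)` calls in `change` assume every database holds the same index, yet the added comment says staging and production diverged on the earlier migration and the description mentions a manual fix on staging. Writing them as `drop_if_exists(index(...))` and `create_if_not_exists(index(...))` would let the migration run cleanly whichever index name is already present. The comment above `def change do` could also note that the column list passed to `drop` presumably matters only on rollback, since the drop itself goes by index name. The `create` call continues past the end of the hunk, so its remaining options are not visible here.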