From 1d3c0385dd03a1e74f17d7e8178d5c1add9dc5f5 Mon Sep 17 00:00:00 2001
From: Zac Gaetano
Date: Wed, 27 May 2026 13:44:07 -0400
Subject: [PATCH] =?UTF-8?q?feat(mam-api):=20migration=20023=20=E2=80=94=20?= =?UTF-8?q?auth=20timestamps=20+=20idempotent=20dev=20user=20seed?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../023-auth-session-timestamps.sql | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
diff --git a/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
new file mode 100644
index 0000000..9273c4b
--- /dev/null
+++ b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
@@ -0,0 +1,22 @@
+-- Migration 023 — auth-related user timestamps + idempotent dev user.
+--
+-- See docs/superpowers/specs/2026-05-27-auth-system-design.md
+--
+-- password_updated_at + last_login_at are operator visibility, no logic depends on them yet.
+-- The dev user is seeded with a fixed UUID so FK-bearing routes (api_tokens,
+-- future audit fields) keep working when AUTH_ENABLED=false. The seeded
+-- password_hash is a placeholder that no bcrypt.compare will accept, so the
+-- dev row cannot be used to log in even if AUTH_ENABLED is later flipped on.
+
+ALTER TABLE users ADD COLUMN IF NOT EXISTS password_updated_at TIMESTAMPTZ DEFAULT NOW();
+ALTER TABLE users ADD COLUMN IF NOT EXISTS last_login_at TIMESTAMPTZ;
+
+INSERT INTO users (id, username, password_hash, display_name, role)
+VALUES (
+ '00000000-0000-4000-8000-000000000dev',
+ 'dev',
+ '!disabled-no-login!',
+ 'Dev (AUTH_ENABLED=false)',
+ 'admin'
+)
+ON CONFLICT (id) DO NOTHING;
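Review bot: The seeded id `'00000000-0000-4000-8000-000000000dev'` ends in `v`, which is not a hex digit, so if `users.id` is a `uuid` column (the header comment calls it a fixed UUID) the INSERT fails with an invalid-input error and the migration aborts. An all-hex literal is needed, for example `'00000000-0000-4000-8000-0000000000de'` (constructed value). Separately, the row is inserted with role `'admin'` in every environment the migration runs in, production included. The unusable `password_hash` blocks only password login, so any credential later tied to this id through `api_tokens` or another auth path would carry admin rights. Consider seeding a least-privileged role, or seeding the row only in dev, and saying which in the header comment. `ON CONFLICT (id)` also does not cover an existing `dev` username, so the INSERT would fail if `users.username` has a unique constraint, which is not visible here.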