Address Greptile review on board CLI auth

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-16 19:00:38 +09:00 · 2026-03-23 08:45:56 -05:00 · 2026-03-23 08:45:56 -05:00 · 7f9a76411a
commit 7f9a76411a
parent 01b6b7e66a
9 changed files with 207 additions and 54 deletions
--- a/packages/db/src/client.test.ts
+++ b/packages/db/src/client.test.ts
@ -198,4 +198,34 @@ describe("applyPendingMigrations", () => {
    },
    20_000,
  );
+
+  it(
+    "enforces a unique board_api_keys.key_hash after migration 0044",
+    async () => {
+      const connectionString = await createTempDatabase();
+
+      await applyPendingMigrations(connectionString);
+
+      const sql = postgres(connectionString, { max: 1, onnotice: () => {} });
+      try {
+        await sql.unsafe(`
+          INSERT INTO "user" ("id", "name", "email", "email_verified", "created_at", "updated_at")
+          VALUES ('user-1', 'User One', 'user@example.com', true, now(), now())
+        `);
+        await sql.unsafe(`
+          INSERT INTO "board_api_keys" ("id", "user_id", "name", "key_hash", "created_at")
+          VALUES ('00000000-0000-0000-0000-000000000001', 'user-1', 'Key One', 'dup-hash', now())
+        `);
+        await expect(
+          sql.unsafe(`
+            INSERT INTO "board_api_keys" ("id", "user_id", "name", "key_hash", "created_at")
+            VALUES ('00000000-0000-0000-0000-000000000002', 'user-1', 'Key Two', 'dup-hash', now())
+          `),
+        ).rejects.toThrow();
+      } finally {
+        await sql.end();
+      }
+    },
+    20_000,
+  );
 });
--- a/packages/db/src/migrations/0044_illegal_toad.sql
+++ b/packages/db/src/migrations/0044_illegal_toad.sql
@ -48,7 +48,8 @@ DO $$ BEGIN
  ALTER TABLE "cli_auth_challenges" ADD CONSTRAINT "cli_auth_challenges_board_api_key_id_board_api_keys_id_fk" FOREIGN KEY ("board_api_key_id") REFERENCES "public"."board_api_keys"("id") ON DELETE set null ON UPDATE no action;
 END IF;
 END $$;--> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "board_api_keys_key_hash_idx" ON "board_api_keys" USING btree ("key_hash");--> statement-breakpoint
+DROP INDEX IF EXISTS "board_api_keys_key_hash_idx";--> statement-breakpoint
+CREATE UNIQUE INDEX IF NOT EXISTS "board_api_keys_key_hash_idx" ON "board_api_keys" USING btree ("key_hash");--> statement-breakpoint
 CREATE INDEX IF NOT EXISTS "board_api_keys_user_idx" ON "board_api_keys" USING btree ("user_id");--> statement-breakpoint
 CREATE INDEX IF NOT EXISTS "cli_auth_challenges_secret_hash_idx" ON "cli_auth_challenges" USING btree ("secret_hash");--> statement-breakpoint
 CREATE INDEX IF NOT EXISTS "cli_auth_challenges_approved_by_idx" ON "cli_auth_challenges" USING btree ("approved_by_user_id");--> statement-breakpoint
--- a/packages/db/src/schema/board_api_keys.ts
+++ b/packages/db/src/schema/board_api_keys.ts
@ -1,4 +1,4 @@
-import { pgTable, uuid, text, timestamp, index } from "drizzle-orm/pg-core";
+import { pgTable, uuid, text, timestamp, index, uniqueIndex } from "drizzle-orm/pg-core";
 import { authUsers } from "./auth.js";

 export const boardApiKeys = pgTable(
@ -14,7 +14,7 @@ export const boardApiKeys = pgTable(
    createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
  },
  (table) => ({
-    keyHashIdx: index("board_api_keys_key_hash_idx").on(table.keyHash),
+    keyHashIdx: uniqueIndex("board_api_keys_key_hash_idx").on(table.keyHash),
    userIdx: index("board_api_keys_user_idx").on(table.userId),
  }),
 );