Merge pull request #467 from yetanalytics/csv-export-auth

[SQL-283] Authentication for CSV export

Author: kelvinqian00

src/db/postgres/lrsql/postgres/record.clj

@@ -80,7 +80,8 @@
       (add-statement-to-actor-cascading-delete! tx))
     (when (some? (query-varchar-exists tx))
       (convert-varchars-to-text! tx))
-    (create-blocked-jwt-table! tx))
+    (create-blocked-jwt-table! tx)
+    (alter-blocked-jwt-add-one-time-id! tx))
 
   bp/BackendUtil
   (-txn-retry? [_ ex]
@@ -210,10 +211,16 @@
   bp/JWTBlocklistBackend
   (-insert-blocked-jwt! [_ tx input]
     (insert-blocked-jwt! tx input))
+  (-insert-one-time-jwt! [_ tx input]
+    (insert-one-time-jwt! tx input))
+  (-update-one-time-jwt! [_ tx input]
+    (update-one-time-jwt! tx input))
   (-delete-blocked-jwt-by-time! [_ tx input]
     (delete-blocked-jwt-by-time! tx input))
   (-query-blocked-jwt [_ tx input]
     (query-blocked-jwt-exists tx input))
+  (-query-one-time-jwt [_ tx input]
+    (query-one-time-jwt-exists tx input))
 
   bp/CredentialBackend
   (-insert-credential! [_ tx input]

src/db/postgres/lrsql/postgres/sql/ddl.sql

@@ -499,3 +499,10 @@ CREATE TABLE IF NOT EXISTS blocked_jwt (
   evict_time TIMESTAMP WITH TIME ZONE
 );
 CREATE INDEX IF NOT EXISTS blocked_jwt_evict_time_idx ON blocked_jwt(evict_time);
+
+/* Migration 2025-03-05 - Add One-Time ID to Blocklist Table */
+
+-- :name alter-blocked-jwt-add-one-time-id!
+-- :command :execute
+-- :doc Add the column `blocked_jwt.one_time_id` for one-time JWTs; JWTs with one-time IDs are not considered blocked yet.
+ALTER TABLE IF EXISTS blocked_jwt ADD COLUMN IF NOT EXISTS one_time_id UUID UNIQUE;

src/db/postgres/lrsql/postgres/sql/insert.sql

@@ -171,3 +171,13 @@ INSERT INTO blocked_jwt (
 ) VALUES (
   :jwt, :eviction-time
 );
+
+-- :name insert-one-time-jwt!
+-- :command :insert
+-- :result :affected
+-- :doc Insert a `:jwt` and a `:eviction-time` with `:one-time-id` into the blocklist.
+INSERT INTO blocked_jwt (
+  jwt, evict_time, one_time_id
+) VALUES (
+  :jwt, :eviction-time, :one-time-id
+);

src/db/postgres/lrsql/postgres/sql/query.sql

@@ -433,6 +433,15 @@ WHERE reaction_id IS NOT NULL;
 -- :name query-blocked-jwt-exists
 -- :command :query
 -- :result :one
--- :doc Query that `:jwt` is in the blocklist.
+-- :doc Query that `:jwt` is in the blocklist. Excludes JWTs where `one_time_id` is not null.
 SELECT 1 FROM blocked_jwt
-WHERE jwt = :jwt;
+WHERE jwt = :jwt
+AND one_time_id IS NULL;
+
+-- :name query-one-time-jwt-exists
+-- :command :query
+-- :result :one
+-- :doc Query that `:jwt` with `:one-time-id` exists.
+SELECT 1 FROM blocked_jwt
+WHERE jwt = :jwt
+AND one_time_id = :one-time-id;

src/db/postgres/lrsql/postgres/sql/update.sql

@@ -77,6 +77,15 @@ SET
   passhash = :new-passhash
 WHERE id = :account-id;
 
+-- :name update-one-time-jwt!
+-- :command :execute
+-- :result :affected
+-- :doc Update `blocked_jwt.one_time_id` to be null, thus blocking the JWT.
+UPDATE blocked_jwt
+SET
+  one_time_id = NULL
+WHERE one_time_id = :one-time-id;
+
 -- :name update-reaction!
 -- :command :execute
 -- :result :affected

src/db/sqlite/lrsql/sqlite/record.clj

@@ -117,6 +117,9 @@
       (update-schema-simple! tx alter-statement-to-actor-add-cascade-delete!))
     (create-blocked-jwt-table! tx)
     (create-blocked-jwt-evict-time-idx! tx)
+    (when-not (some? (query-blocked-jwt-one-time-id-exists tx))
+      (alter-blocked-jwt-add-one-time-id! tx)
+      (alter-blocked-jwt-add-one-time-id-idx! tx))
     (log/infof "sqlite schema_version: %d"
                (:schema_version (query-schema-version tx))))
 
@@ -247,10 +250,16 @@
   bp/JWTBlocklistBackend
   (-insert-blocked-jwt! [_ tx input]
     (insert-blocked-jwt! tx input))
+  (-insert-one-time-jwt! [_ tx input]
+    (insert-one-time-jwt! tx input))
+  (-update-one-time-jwt! [_ tx input]
+    (update-one-time-jwt! tx input))
   (-delete-blocked-jwt-by-time! [_ tx input]
     (delete-blocked-jwt-by-time! tx input))
   (-query-blocked-jwt [_ tx input]
     (query-blocked-jwt-exists tx input))
+  (-query-one-time-jwt [_ tx input]
+    (query-one-time-jwt-exists tx input))
 
   bp/CredentialBackend
   (-insert-credential! [_ tx input]

src/db/sqlite/lrsql/sqlite/sql/ddl.sql

@@ -538,3 +538,23 @@ CREATE TABLE IF NOT EXISTS blocked_jwt (
 -- :command :execute
 -- :doc Create the `blocked_jwt_evict_time_idx` table if it does not exist yet.
 CREATE INDEX IF NOT EXISTS blocked_jwt_evict_time_idx ON blocked_jwt(evict_time);
+
+/* Migration 2025-03-05 - Add One-Time ID to Blocklist Table */
+
+-- :name query-blocked-jwt-one-time-id-exists
+-- :command :query
+-- :result :one
+-- :doc Query to see if `blocked_jwt.one_time_id` exists.
+SELECT 1 FROM pragma_table_info('blocked_jwt') WHERE name = 'one_time_id';
+
+-- :name alter-blocked-jwt-add-one-time-id!
+-- :command :execute
+-- :result :one
+-- :doc Add the column `blocked_jwt.one_time_id` for one-time JWTs; JWTs with one-time IDs are not considered blocked yet.
+ALTER TABLE blocked_jwt ADD COLUMN one_time_id TEXT;
+
+-- :name alter-blocked-jwt-add-one-time-id-idx!
+-- :command :execute
+-- :result :one
+-- :doc Add a unique index on `blocked_jwt.one_time_id` (since SQLite does not allow directly adding unique columns).
+CREATE UNIQUE INDEX IF NOT EXISTS blocked_jwt_one_time_id_idx ON blocked_jwt(one_time_id);

src/db/sqlite/lrsql/sqlite/sql/insert.sql

@@ -171,3 +171,13 @@ INSERT INTO blocked_jwt (
 ) VALUES (
   :jwt, :eviction-time
 );
+
+-- :name insert-one-time-jwt!
+-- :command :insert
+-- :result :affected
+-- :doc Insert a `:jwt` and a `:eviction-time` with `:one-time-id` into the blocklist.
+INSERT INTO blocked_jwt (
+  jwt, evict_time, one_time_id
+) VALUES (
+  :jwt, :eviction-time, :one-time-id
+);

src/db/sqlite/lrsql/sqlite/sql/query.sql

@@ -400,6 +400,15 @@ WHERE reaction_id IS NOT NULL;
 -- :name query-blocked-jwt-exists
 -- :command :query
 -- :result :one
--- :doc Query that `:jwt` is in the blocklist.
+-- :doc Query that `:jwt` is in the blocklist. Excludes JWTs where `one_time_id` is not null.
 SELECT 1 FROM blocked_jwt
 WHERE jwt = :jwt
+AND one_time_id IS NULL;
+
+-- :name query-one-time-jwt-exists
+-- :command :query
+-- :result :one
+-- :doc Query that `:jwt` with `:one-time-id` exists.
+SELECT 1 FROM blocked_jwt
+WHERE jwt = :jwt
+AND one_time_id = :one-time-id;

src/db/sqlite/lrsql/sqlite/sql/update.sql

@@ -72,6 +72,16 @@ SET
   passhash = :new-passhash
 WHERE id = :account-id
 
+-- :name update-one-time-jwt!
+-- :command :execute
+-- :result :affected
+-- :doc Update `blocked_jwt.one_time_id` to be null, thus blocking the JWT.
+UPDATE blocked_jwt
+SET
+  one_time_id = NULL
+WHERE jwt = :jwt
+AND one_time_id = :one-time-id;
+
 -- :name update-reaction!
 -- :command :execute
 -- :result :affected