feat: refactor one-time tokens for performance #1558
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hf
force-pushed
the
hf/add-one-time-tokens
branch
2 times, most recently
from
988959a
to
46d4d44
Compare
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
hf
commented
Apr 28, 2024
Pull Request Test Coverage Report for Build 8970405577Details
💛 - Coveralls |
J0
reviewed
Apr 29, 2024
kangmingtay
reviewed
May 2, 2024
There was a problem hiding this comment.
While testing the different OTP flows, I noticed that when secure email change is disabled, a row is created in one_time_tokens for email_change_token_current but no token_hash is present.
We should only be creating a one_time_token for email_change_token_new and not for email_change_token_current
Right this is because the code maps 1:1 to the column. Because we set the column to be |
hf
force-pushed
the
hf/add-one-time-tokens
branch
4 times, most recently
from
90c8f3a
to
976ef9e
Compare
hf
commented
May 3, 2024
J0
reviewed
May 3, 2024
yeah i think it's better if we simply don't insert a row into |
J0
reviewed
May 6, 2024
J0
reviewed
May 6, 2024
J0
approved these changes
May 6, 2024
Co-authored-by: Joel Lee <[email protected]>
kangmingtay
approved these changes
May 6, 2024
hf
pushed a commit
that referenced
this pull request
May 6, 2024
🤖 I have created a release *beep* *boop* --- ## [2.151.0](v2.150.1...v2.151.0) (2024-05-06) ### Features * refactor one-time tokens for performance ([#1558](#1558)) ([d1cf8d9](d1cf8d9)) ### Bug Fixes * do call send sms hook when SMS autoconfirm is enabled ([#1562](#1562)) ([bfe4d98](bfe4d98)) * format test otps ([#1567](#1567)) ([434a59a](434a59a)) * log final writer error instead of handling ([#1564](#1564)) ([170bd66](170bd66)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
kangmingtay
added a commit
that referenced
this pull request
May 17, 2024
…1569) Removes legacy lookups in `auth.users` for when a corresponding entry in `one_time_tokens` is not found. Phase II of the refactor, based on #1558, to be released after it's deployed for a few days. --------- Co-authored-by: Kang Ming <[email protected]>
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
Refactors all One-Time Tokens (OTP) used for sign-in with email, SMS, email confirmation, phone confirmation, change... to achieve: - Performance (as current method does not use an index due to the use of [partial indexes](https://github.com/supabase/auth/blob/master/migrations/20220429102000_add_unique_idx.up.sql#L10-L14) which [cannot be used in practice](https://www.postgresql.org/docs/current/indexes-partial.html)) - Future enhancements (such as OTP verification counters, adaptive OTP lengths, etc.) Summary of the change: - A new `one_time_tokens` table is added which uses a double-write mechanism with `users`. - Each new OTP is both written in the corresponding `users` column and as a new row in `one_time_tokens`. - Lookup for an OTP hash is performed first in `one_time_tokens` and if not found, using the traditional `users` approach. - In a few days, once all OTPs using the `users` columns have expired, a new change will be deployed which removes the `users` lookup. This completely solves the performance issue for looking up OTPs. - In a future change, the `one_time_tokens` table can be used to add a verification counter based on lookups on the `relates_to` (email or phone number) column, enabling new security features. --------- Co-authored-by: Joel Lee <[email protected]>
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
🤖 I have created a release *beep* *boop* --- ## [2.151.0](supabase/auth@v2.150.1...v2.151.0) (2024-05-06) ### Features * refactor one-time tokens for performance ([supabase#1558](supabase#1558)) ([d1cf8d9](supabase@d1cf8d9)) ### Bug Fixes * do call send sms hook when SMS autoconfirm is enabled ([supabase#1562](supabase#1562)) ([bfe4d98](supabase@bfe4d98)) * format test otps ([supabase#1567](supabase#1567)) ([434a59a](supabase@434a59a)) * log final writer error instead of handling ([supabase#1564](supabase#1564)) ([170bd66](supabase@170bd66)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
…upabase#1569) Removes legacy lookups in `auth.users` for when a corresponding entry in `one_time_tokens` is not found. Phase II of the refactor, based on supabase#1558, to be released after it's deployed for a few days. --------- Co-authored-by: Kang Ming <[email protected]>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
Refactors all One-Time Tokens (OTP) used for sign-in with email, SMS, email confirmation, phone confirmation, change... to achieve: - Performance (as current method does not use an index due to the use of [partial indexes](https://github.com/supabase/auth/blob/master/migrations/20220429102000_add_unique_idx.up.sql#L10-L14) which [cannot be used in practice](https://www.postgresql.org/docs/current/indexes-partial.html)) - Future enhancements (such as OTP verification counters, adaptive OTP lengths, etc.) Summary of the change: - A new `one_time_tokens` table is added which uses a double-write mechanism with `users`. - Each new OTP is both written in the corresponding `users` column and as a new row in `one_time_tokens`. - Lookup for an OTP hash is performed first in `one_time_tokens` and if not found, using the traditional `users` approach. - In a few days, once all OTPs using the `users` columns have expired, a new change will be deployed which removes the `users` lookup. This completely solves the performance issue for looking up OTPs. - In a future change, the `one_time_tokens` table can be used to add a verification counter based on lookups on the `relates_to` (email or phone number) column, enabling new security features. --------- Co-authored-by: Joel Lee <[email protected]>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
🤖 I have created a release *beep* *boop* --- ## [2.151.0](supabase/auth@v2.150.1...v2.151.0) (2024-05-06) ### Features * refactor one-time tokens for performance ([supabase#1558](supabase#1558)) ([d1cf8d9](supabase@d1cf8d9)) ### Bug Fixes * do call send sms hook when SMS autoconfirm is enabled ([supabase#1562](supabase#1562)) ([bfe4d98](supabase@bfe4d98)) * format test otps ([supabase#1567](supabase#1567)) ([434a59a](supabase@434a59a)) * log final writer error instead of handling ([supabase#1564](supabase#1564)) ([170bd66](supabase@170bd66)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
…upabase#1569) Removes legacy lookups in `auth.users` for when a corresponding entry in `one_time_tokens` is not found. Phase II of the refactor, based on supabase#1558, to be released after it's deployed for a few days. --------- Co-authored-by: Kang Ming <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Refactors all One-Time Tokens (OTP) used for sign-in with email, SMS, email confirmation, phone confirmation, change... to achieve:
Summary of the change:
one_time_tokenstable is added which uses a double-write mechanism withusers.userscolumn and as a new row inone_time_tokens.one_time_tokensand if not found, using the traditionalusersapproach.userscolumns have expired, a new change will be deployed which removes theuserslookup. This completely solves the performance issue for looking up OTPs.one_time_tokenstable can be used to add a verification counter based on lookups on therelates_to(email or phone number) column, enabling new security features.