diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8e1e6047..a1e92ee2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest services: postgres: - image: postgres:17.6 + image: postgres:18 env: POSTGRES_USER: piyaz POSTGRES_PASSWORD: piyaz diff --git a/docker-compose.test.yml b/docker-compose.test.yml index f43e0387..351c009e 100644 --- a/docker-compose.test.yml +++ b/docker-compose.test.yml @@ -9,7 +9,7 @@ name: piyaz-test services: db-test: - image: postgres:17.10 + image: postgres:18 environment: POSTGRES_USER: piyaz POSTGRES_PASSWORD: piyaz @@ -17,7 +17,7 @@ services: ports: - "5433:5432" tmpfs: - - /var/lib/postgresql/data + - /var/lib/postgresql healthcheck: test: ["CMD-SHELL", "pg_isready -U piyaz -d piyaz_test"] interval: 2s diff --git a/docker-compose.yml b/docker-compose.yml index a469857a..61b6b218 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,7 +1,7 @@ name: piyaz services: db: - image: postgres:17.10 + image: postgres:18 restart: unless-stopped environment: POSTGRES_USER: piyaz @@ -15,7 +15,7 @@ services: ports: - "5432:5432" volumes: - - pgdata:/var/lib/postgresql/data + - pgdata:/var/lib/postgresql - ./docker/init-auth.sql:/docker-entrypoint-initdb.d/01-auth.sql:ro - ./docker/init-rls.sh:/docker-entrypoint-initdb.d/02-rls.sh:ro - ./docker/grants.sql:/opt/postgres-init/grants.sql:ro diff --git a/docker/grants.sql b/docker/grants.sql index 9d8701b3..4e26c3b3 100644 --- a/docker/grants.sql +++ b/docker/grants.sql 
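Review bot: The `pgdata` mount moves from `/var/lib/postgresql/data` to `/var/lib/postgresql` in the second docker-compose.yml hunk, but nothing tells an operator what happens to a volume that 17.10 already wrote. That volume holds the old cluster at its root, so after the remount the 18 image will most likely initialise a new, empty data directory beneath it and re-run the `docker-entrypoint-initdb.d` scripts; 17 data files are not readable by 18 without `pg_upgrade` or a dump and restore in any case. I would add a comment above the mount such as `# PG 18 image keeps PGDATA in a versioned directory under this mount; volumes created by 17.x need pg_upgrade or dump/restore first`. Separately, all three image lines go from a pinned minor (`17.6`, `17.10`) to the floating `postgres:18`, so CI and local databases can change underneath a commit; pinning to a specific 18 minor or to a digest keeps the earlier reproducibility.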
@@ -25,30 +25,30 @@ GRANT CREATE ON SCHEMA public TO service_role; GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_user, service_role; GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_user, service_role; --- neon_auth: app_user reaches it only via SECURITY DEFINER functions. +-- piyaz_auth: app_user reaches it only via SECURITY DEFINER functions. -- Explicit REVOKEs make re-runs idempotent on pre-lockdown installs. -GRANT USAGE ON SCHEMA neon_auth TO service_role, auth_role; -REVOKE ALL ON SCHEMA neon_auth FROM app_user; -REVOKE ALL ON ALL TABLES IN SCHEMA neon_auth FROM app_user; -REVOKE ALL ON ALL SEQUENCES IN SCHEMA neon_auth FROM app_user; +GRANT USAGE ON SCHEMA piyaz_auth TO service_role, auth_role; +REVOKE ALL ON SCHEMA piyaz_auth FROM app_user; +REVOKE ALL ON ALL TABLES IN SCHEMA piyaz_auth FROM app_user; +REVOKE ALL ON ALL SEQUENCES IN SCHEMA piyaz_auth FROM app_user; --- service_role: minimal set on neon_auth — used by +-- service_role: minimal set on piyaz_auth — used by -- clearOrgMembershipArtifacts and the OAuth-session settings UI. 
-GRANT SELECT, REFERENCES ON neon_auth."member" TO service_role; -GRANT SELECT, REFERENCES ON neon_auth.organization TO service_role; -GRANT SELECT, REFERENCES ON neon_auth."user" TO service_role; -GRANT SELECT, REFERENCES ON neon_auth.invitation TO service_role; -GRANT SELECT, UPDATE ON neon_auth."session" TO service_role; -GRANT SELECT, DELETE ON neon_auth."oauthAccessToken" TO service_role; +GRANT SELECT, REFERENCES ON piyaz_auth."member" TO service_role; +GRANT SELECT, REFERENCES ON piyaz_auth.organization TO service_role; +GRANT SELECT, REFERENCES ON piyaz_auth."user" TO service_role; +GRANT SELECT, REFERENCES ON piyaz_auth.invitation TO service_role; +GRANT SELECT, UPDATE ON piyaz_auth."session" TO service_role; +GRANT SELECT, DELETE ON piyaz_auth."oauthAccessToken" TO service_role; -- UPDATE: revokeOAuthSession soft-revokes (`revoked = now()`) before -- cascading the access-token delete in the same tx. -GRANT SELECT, UPDATE, DELETE ON neon_auth."oauthRefreshToken" TO service_role; -GRANT SELECT, DELETE ON neon_auth."oauthConsent" TO service_role; +GRANT SELECT, UPDATE, DELETE ON piyaz_auth."oauthRefreshToken" TO service_role; +GRANT SELECT, DELETE ON piyaz_auth."oauthConsent" TO service_role; -- SELECT only; writes go through auth_role. -GRANT SELECT ON neon_auth."oauthClient" TO service_role; +GRANT SELECT ON piyaz_auth."oauthClient" TO service_role; --- auth_role: full DML on neon_auth, zero grants on public. No +-- auth_role: full DML on piyaz_auth, zero grants on public. No -- ALTER DEFAULT PRIVILEGES — same RLS-race rationale as the public block. --- New neon_auth tables need explicit grants in their migration. -GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA neon_auth TO auth_role; -GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA neon_auth TO auth_role; +-- New piyaz_auth tables need explicit grants in their migration. 
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA piyaz_auth TO auth_role; +GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA piyaz_auth TO auth_role; diff --git a/docker/init-auth.sql b/docker/init-auth.sql index e9c451c6..aa9d36a1 100644 --- a/docker/init-auth.sql +++ b/docker/init-auth.sql @@ -1,9 +1,9 @@ --- Neon Auth schema for self-hosted Postgres. --- Mirrors the tables Neon Auth provisions on hosted Neon projects. +-- Self-managed piyaz_auth schema for Postgres (Better Auth tables). +-- The project does not use Neon Auth Managed; this script owns the schema. -- Idempotent — safe to re-run on existing databases. -CREATE SCHEMA IF NOT EXISTS neon_auth; -SET search_path TO neon_auth; +CREATE SCHEMA IF NOT EXISTS piyaz_auth; +SET search_path TO piyaz_auth; CREATE TABLE IF NOT EXISTS "user" ( "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(), diff --git a/docker/init-pg-cron.sql b/docker/init-pg-cron.sql index e8484a92..7df905de 100644 --- a/docker/init-pg-cron.sql +++ b/docker/init-pg-cron.sql @@ -14,9 +14,9 @@ SELECT cron.schedule( 'purge-oauth-tokens', '0 3 * * *', $$ - DELETE FROM neon_auth."oauthRefreshToken" + DELETE FROM piyaz_auth."oauthRefreshToken" WHERE revoked IS NOT NULL OR "expiresAt" < now(); - DELETE FROM neon_auth."oauthAccessToken" + DELETE FROM piyaz_auth."oauthAccessToken" WHERE "expiresAt" < now(); $$ ); diff --git a/docker/rls-functions.sql b/docker/rls-functions.sql index c643cfad..96f0f8c7 100644 --- a/docker/rls-functions.sql +++ b/docker/rls-functions.sql 
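Review bot: The three `REVOKE ALL ... FROM app_user` statements in docker/grants.sql now name only `piyaz_auth`, so on a database initialised before this change the script no longer touches whatever `app_user` holds on `neon_auth`, which is the case the comment `Explicit REVOKEs make re-runs idempotent on pre-lockdown installs` was written for. The init-auth.sql hunk has the matching gap: `CREATE SCHEMA IF NOT EXISTS piyaz_auth;` creates a second, empty schema beside the old one instead of moving it, so existing users, sessions and tokens would stay in `neon_auth` with their old grants. No rename step is visible in this part of the diff; if upgrades are supported, running `ALTER SCHEMA neon_auth RENAME TO piyaz_auth;` before these scripts (guarded so it is skipped when `neon_auth` is absent) carries tables, data and grants across in one step. If only fresh installs are supported, a line in the init-auth.sql header comment saying so would prevent a silent split.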
@@ -153,8 +153,8 @@ GRANT EXECUTE ON FUNCTION public.list_org_project_ids(uuid) TO service_role; -- --------------------------------------------------------------------------- --- current_user_* helpers — app_user's only path to neon_auth.*. --- STABLE plpgsql; pinned search_path defeats neon_auth.* shadowing. +-- current_user_* helpers — app_user's only path to piyaz_auth.*. +-- STABLE plpgsql; pinned search_path defeats piyaz_auth.* shadowing. -- --------------------------------------------------------------------------- CREATE OR REPLACE FUNCTION public.current_user_org_ids() @@ -162,7 +162,7 @@ RETURNS uuid[] LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN ( @@ -170,7 +170,7 @@ BEGIN array_agg("organizationId") FILTER (WHERE "organizationId" IS NOT NULL), ARRAY[]::uuid[] ) - FROM neon_auth."member" + FROM piyaz_auth."member" WHERE "userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ); END; @@ -183,13 +183,13 @@ RETURNS text LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ DECLARE v_role text; BEGIN SELECT role INTO v_role - FROM neon_auth."member" + FROM piyaz_auth."member" WHERE "organizationId" = p_org_id AND "userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid LIMIT 1; @@ -214,7 +214,7 @@ RETURNS TABLE ( LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY 
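Review bot: Every `SET search_path` line touched in docker/rls-functions.sql still lists a non-system schema ahead of `pg_catalog` (`piyaz_auth, pg_catalog, pg_temp` from the hunk at -162 onward, and `public, piyaz_auth, pg_catalog, pg_temp` in the hunks at -353 and -386), so inside these SECURITY DEFINER functions an unqualified call such as `current_setting(...)` or `count(*)` resolves to a same-named object in that schema before the built-in. The `public` case matters most, because the grants.sql hunk header shows `GRANT CREATE ON SCHEMA public TO service_role`, which would let that role define an object that then runs with the function owner's rights. The relations in the visible lines are all schema-qualified, so the setting can probably shrink to `SET search_path = pg_catalog, pg_temp`; the function bodies extend beyond these hunks, so check for unqualified relation names before changing it. At minimum, move `pg_catalog` to the front of each list.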
@@ -223,11 +223,11 @@ BEGIN o.name, o.slug, m.role, - (SELECT count(*)::int FROM neon_auth."member" mc WHERE mc."organizationId" = o.id) AS member_count, + (SELECT count(*)::int FROM piyaz_auth."member" mc WHERE mc."organizationId" = o.id) AS member_count, m."createdAt", o."createdAt" - FROM neon_auth."member" m - INNER JOIN neon_auth."organization" o ON o.id = m."organizationId" + FROM piyaz_auth."member" m + INNER JOIN piyaz_auth."organization" o ON o.id = m."organizationId" WHERE m."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ORDER BY m."createdAt" ASC, o.id ASC; END; @@ -240,12 +240,12 @@ RETURNS boolean LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN EXISTS ( SELECT 1 - FROM neon_auth."member" + FROM piyaz_auth."member" WHERE "userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ); END; @@ -260,16 +260,16 @@ RETURNS TABLE (id uuid, role text, organization_id uuid) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY SELECT m.id, m.role, m."organizationId" - FROM neon_auth."member" m + FROM piyaz_auth."member" m WHERE m.id = p_member_id AND EXISTS ( SELECT 1 - FROM neon_auth."member" caller + FROM piyaz_auth."member" caller WHERE caller."organizationId" = m."organizationId" AND caller."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ) 
@@ -284,16 +284,16 @@ RETURNS TABLE (role text) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY SELECT m.role - FROM neon_auth."member" m + FROM piyaz_auth."member" m WHERE m."organizationId" = p_org_id AND EXISTS ( SELECT 1 - FROM neon_auth."member" caller + FROM piyaz_auth."member" caller WHERE caller."organizationId" = p_org_id AND caller."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ); @@ -317,7 +317,7 @@ RETURNS TABLE (id uuid, name text) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN IF cardinality(p_user_ids) > 1000 THEN @@ -326,12 +326,12 @@ BEGIN END IF; RETURN QUERY SELECT u.id, u.name - FROM neon_auth."user" u + FROM piyaz_auth."user" u WHERE u.id = ANY (p_user_ids) AND EXISTS ( SELECT 1 - FROM neon_auth."member" m1 - INNER JOIN neon_auth."member" m2 + FROM piyaz_auth."member" m1 + INNER JOIN piyaz_auth."member" m2 ON m2."organizationId" = m1."organizationId" WHERE m1."userId" = u.id AND m2."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid 
@@ -353,19 +353,19 @@ RETURNS TABLE (user_id uuid, name text, email text) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = public, neon_auth, pg_catalog, pg_temp +SET search_path = public, piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY SELECT ta.user_id, u.name, u.email FROM public.task_assignees ta - INNER JOIN neon_auth."user" u ON u.id = ta.user_id + INNER JOIN piyaz_auth."user" u ON u.id = ta.user_id WHERE ta.task_id = p_task_id AND EXISTS ( SELECT 1 FROM public.tasks t INNER JOIN public.projects pj ON pj.id = t.project_id - INNER JOIN neon_auth."member" caller + INNER JOIN piyaz_auth."member" caller ON caller."organizationId" = pj.organization_id WHERE t.id = p_task_id AND caller."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid @@ -386,19 +386,19 @@ RETURNS TABLE (task_id uuid, user_id uuid, name text, email text) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = public, neon_auth, pg_catalog, pg_temp +SET search_path = public, piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY SELECT ta.task_id, ta.user_id, u.name, u.email FROM public.tasks t INNER JOIN public.task_assignees ta ON ta.task_id = t.id - INNER JOIN neon_auth."user" u ON u.id = ta.user_id + INNER JOIN piyaz_auth."user" u ON u.id = ta.user_id WHERE t.project_id = p_project_id AND EXISTS ( SELECT 1 FROM public.projects pj - INNER JOIN neon_auth."member" caller + INNER JOIN piyaz_auth."member" caller ON caller."organizationId" = pj.organization_id WHERE pj.id = p_project_id AND caller."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid 
@@ -422,17 +422,17 @@ RETURNS TABLE (user_id uuid) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY SELECT m."userId" - FROM neon_auth."member" m + FROM piyaz_auth."member" m WHERE m."organizationId" = p_org_id AND m."userId" = ANY (p_user_ids) AND EXISTS ( SELECT 1 - FROM neon_auth."member" caller + FROM piyaz_auth."member" caller WHERE caller."organizationId" = p_org_id AND caller."userId" = NULLIF(current_setting('app.user_id', TRUE), '')::uuid ); @@ -454,13 +454,13 @@ CREATE OR REPLACE FUNCTION public.is_caller_in_invitation_org( LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN EXISTS ( SELECT 1 - FROM neon_auth.invitation i - INNER JOIN neon_auth."member" caller + FROM piyaz_auth.invitation i + INNER JOIN piyaz_auth."member" caller ON caller."organizationId" = i."organizationId" WHERE i.id = p_invitation_id AND i."organizationId" = p_expected_org_id @@ -600,11 +600,11 @@ RETURNS TABLE (user_id uuid) LANGUAGE plpgsql STABLE SECURITY DEFINER -SET search_path = neon_auth, pg_catalog, pg_temp +SET search_path = piyaz_auth, pg_catalog, pg_temp AS $$ BEGIN RETURN QUERY - SELECT m."userId" FROM neon_auth."member" m WHERE m."organizationId" = p_org_id; + SELECT m."userId" FROM piyaz_auth."member" m WHERE m."organizationId" = p_org_id; END; $$; REVOKE EXECUTE ON FUNCTION public.find_org_member_user_ids_as_admin(uuid) FROM public; diff --git a/drizzle/0000_goofy_the_enforcers.sql b/drizzle/0000_goofy_the_enforcers.sql index 57eb5c18..76deab0f 100644 --- a/drizzle/0000_goofy_the_enforcers.sql +++ b/drizzle/0000_goofy_the_enforcers.sql 
@@ -102,18 +102,18 @@ CREATE TABLE "team_invite_code" ( CONSTRAINT "team_invite_code_default_role_check" CHECK ("team_invite_code"."default_role" IN ('member', 'admin')) ); --> statement-breakpoint -ALTER TABLE "projects" ADD CONSTRAINT "projects_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "neon_auth"."organization"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint +ALTER TABLE "projects" ADD CONSTRAINT "projects_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "piyaz_auth"."organization"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_acceptance_criteria" ADD CONSTRAINT "task_acceptance_criteria_task_id_tasks_id_fk" FOREIGN KEY ("task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_assignees" ADD CONSTRAINT "task_assignees_task_id_tasks_id_fk" FOREIGN KEY ("task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint -ALTER TABLE "task_assignees" ADD CONSTRAINT "task_assignees_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "neon_auth"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint +ALTER TABLE "task_assignees" ADD CONSTRAINT "task_assignees_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "piyaz_auth"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_decisions" ADD CONSTRAINT "task_decisions_task_id_tasks_id_fk" FOREIGN KEY ("task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_edges" ADD CONSTRAINT "task_edges_source_task_id_tasks_id_fk" FOREIGN KEY ("source_task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_edges" ADD CONSTRAINT "task_edges_target_task_id_tasks_id_fk" FOREIGN KEY 
("target_task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint ALTER TABLE "task_links" ADD CONSTRAINT "task_links_task_id_tasks_id_fk" FOREIGN KEY ("task_id") REFERENCES "public"."tasks"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint -ALTER TABLE "task_links" ADD CONSTRAINT "task_links_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "neon_auth"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint +ALTER TABLE "task_links" ADD CONSTRAINT "task_links_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "piyaz_auth"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint ALTER TABLE "tasks" ADD CONSTRAINT "tasks_project_id_projects_id_fk" FOREIGN KEY ("project_id") REFERENCES "public"."projects"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint -ALTER TABLE "team_invite_code" ADD CONSTRAINT "team_invite_code_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "neon_auth"."organization"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint -ALTER TABLE "team_invite_code" ADD CONSTRAINT "team_invite_code_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "neon_auth"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint +ALTER TABLE "team_invite_code" ADD CONSTRAINT "team_invite_code_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "piyaz_auth"."organization"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint +ALTER TABLE "team_invite_code" ADD CONSTRAINT "team_invite_code_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "piyaz_auth"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint CREATE INDEX "projects_organization_id_idx" ON "projects" USING btree ("organization_id");--> statement-breakpoint CREATE INDEX 
"task_acceptance_criteria_task_id_position_idx" ON "task_acceptance_criteria" USING btree ("task_id","position");--> statement-breakpoint CREATE INDEX "task_assignees_user_id_idx" ON "task_assignees" USING btree ("user_id");--> statement-breakpoint diff --git a/drizzle/meta/0000_snapshot.json b/drizzle/meta/0000_snapshot.json index b50ce07b..b9a6cc69 100644 --- a/drizzle/meta/0000_snapshot.json +++ b/drizzle/meta/0000_snapshot.json @@ -98,7 +98,7 @@ "name": "projects_organization_id_organization_id_fk", "tableFrom": "projects", "tableTo": "organization", - "schemaTo": "neon_auth", + "schemaTo": "piyaz_auth", "columnsFrom": [ "organization_id" ], @@ -286,7 +286,7 @@ "name": "task_assignees_user_id_user_id_fk", "tableFrom": "task_assignees", "tableTo": "user", - "schemaTo": "neon_auth", + "schemaTo": "piyaz_auth", "columnsFrom": [ "user_id" ], @@ -653,7 +653,7 @@ "name": "task_links_created_by_user_id_fk", "tableFrom": "task_links", "tableTo": "user", - "schemaTo": "neon_auth", + "schemaTo": "piyaz_auth", "columnsFrom": [ "created_by" ], @@ -940,7 +940,7 @@ "name": "team_invite_code_organization_id_organization_id_fk", "tableFrom": "team_invite_code", "tableTo": "organization", - "schemaTo": "neon_auth", + "schemaTo": "piyaz_auth", "columnsFrom": [ "organization_id" ], @@ -954,7 +954,7 @@ "name": "team_invite_code_created_by_user_id_fk", "tableFrom": "team_invite_code", "tableTo": "user", - "schemaTo": "neon_auth", + "schemaTo": "piyaz_auth", "columnsFrom": [ "created_by" ], diff --git a/lib/actions/team-invitations-map.ts b/lib/actions/team-invitations-map.ts index 231223e4..cc82bc28 100644 --- a/lib/actions/team-invitations-map.ts +++ b/lib/actions/team-invitations-map.ts @@ -12,7 +12,7 @@ export type InvitationView = { expiresAt: Date; /** When the invitation was issued. */ createdAt: Date; - /** Inviter display name (joined from `neon_auth.user.name`). */ + /** Inviter display name (joined from `piyaz_auth.user.name`). */ inviterName: string; }; 
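Review bot: `drizzle/0000_goofy_the_enforcers.sql` is rewritten in place, which changes what a fresh database gets but not what an already-migrated one has. Drizzle's migrator is not expected to replay a migration it has recorded as applied, so the five edited `REFERENCES "piyaz_auth"...` constraints would never be re-issued on those databases. If any environment has run 0000, I would leave the file as shipped and put the schema change in a new numbered migration; if none has, a sentence in the commit description saying the baseline was deliberately regenerated would tell the next reader that editing history here was intended. The same applies to the matching `schemaTo` edits in `drizzle/meta/0000_snapshot.json`.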
diff --git a/lib/actions/team-members-map.ts b/lib/actions/team-members-map.ts index 3310d556..e3a909dc 100644 --- a/lib/actions/team-members-map.ts +++ b/lib/actions/team-members-map.ts @@ -7,9 +7,9 @@ export type MemberView = { id: string; /** User id behind the membership — drives gradient avatar and self-row checks. */ userId: string; - /** Display name from `neon_auth.user.name`. */ + /** Display name from `piyaz_auth.user.name`. */ name: string; - /** Sign-in email from `neon_auth.user.email`. */ + /** Sign-in email from `piyaz_auth.user.email`. */ email: string; /** Raw `member.role` string (e.g. "owner", "admin", "member"). */ role: string; diff --git a/lib/auth.ts b/lib/auth.ts index 1585c969..773b3513 100644 --- a/lib/auth.ts +++ b/lib/auth.ts @@ -39,7 +39,7 @@ if (IS_CLOUDFLARE && !process.env.BETTER_AUTH_URL) { /** * Better Auth server instance with email/password auth and - * organization-based team management. Adapts the `neon_auth` schema via + * organization-based team management. Adapts the `piyaz_auth` schema via * drizzleAdapter. */ export const auth = betterAuth({ diff --git a/lib/auth/org-permissions.ts b/lib/auth/org-permissions.ts index 1e426570..c465e0af 100644 --- a/lib/auth/org-permissions.ts +++ b/lib/auth/org-permissions.ts @@ -6,7 +6,7 @@ import { auth } from "@/lib/auth"; /** * Check whether the caller can administer the named team. Delegates to * Better Auth's `/organization/has-permission` API, which reads the - * caller's role from `neon_auth.member` for the supplied `organizationId` + * caller's role from `piyaz_auth.member` for the supplied `organizationId` * and consults the active access-control policy. Returns `false` (never * throws) so callers can collapse the result into a typed `forbidden` * failure. diff --git a/lib/data/access.ts b/lib/data/access.ts index 619728b3..414b67d9 100644 --- a/lib/data/access.ts +++ b/lib/data/access.ts 
@@ -1,7 +1,7 @@ /** * Membership-gated project + task lookups. * - * RLS scopes every read here. `app_user` has no grants on `neon_auth.*`; + * RLS scopes every read here. `app_user` has no grants on `piyaz_auth.*`; * the org metadata join routes through `public.current_user_orgs()` * (SECURITY DEFINER). `*Tx` variants take a caller-supplied tx so the * access check and the protected work share one `withUserContext` frame. @@ -111,7 +111,7 @@ export async function findProjectAccessTx( } /** - * Membership-gated task lookup. RLS gates membership; no neon_auth JOIN. + * Membership-gated task lookup. RLS gates membership; no piyaz_auth JOIN. * * @param userId - Verified user id. * @param taskId - UUID of the task. diff --git a/lib/data/account.ts b/lib/data/account.ts index 75c51498..64866154 100644 --- a/lib/data/account.ts +++ b/lib/data/account.ts @@ -16,7 +16,7 @@ import { projects, tasks, taskAssignees } from "@/lib/db/schema"; * changed. The row's `updatedAt` bumps on every password write, so it * doubles as "password last changed" for the settings UI. * - * Reads through `authDb` (auth_role): `neon_auth.account` holds password + * Reads through `authDb` (auth_role): `piyaz_auth.account` holds password * hashes, so `docker/grants.sql` deliberately excludes it from * `service_role`'s table grants. Only the auth layer's role may touch it. * @@ -104,7 +104,7 @@ export async function clearOrgMembershipArtifacts( eq(oauthConsent.referenceId, orgId), ), ); - // `task_assignees` FK to `neon_auth.user` only cascades on full user + // `task_assignees` FK to `piyaz_auth.user` only cascades on full user // deletion, not on team-membership removal. A removed member would // otherwise keep appearing in `getTaskFull(...).assignees` for tasks // in the org they left. Scrub their junction rows scoped to tasks diff --git a/lib/data/invitation.ts b/lib/data/invitation.ts index 7835da97..df5ef8f2 100644 --- a/lib/data/invitation.ts +++ b/lib/data/invitation.ts 
@@ -8,7 +8,7 @@ import { withUserContext } from "@/lib/db/rls"; * Boolean predicate: caller is a member of the invitation's org AND * the supplied `expectedOrgId` matches the invitation's own * `organizationId`. Routed through `is_caller_in_invitation_org` so - * `app_user` can resolve `neon_auth.invitation` without disclosing the + * `app_user` can resolve `piyaz_auth.invitation` without disclosing the * invitation→org linkage to non-members. * * @param userId - Authenticated caller's user id (UUID). diff --git a/lib/data/membership.ts b/lib/data/membership.ts index bd96cf11..a229dc31 100644 --- a/lib/data/membership.ts +++ b/lib/data/membership.ts @@ -1,7 +1,7 @@ /** * Membership helpers. * - * `app_user` has no grants on `neon_auth.*`; every read here routes through + * `app_user` has no grants on `piyaz_auth.*`; every read here routes through * the `public.current_user_*` / `public.team_*_visible` SECURITY DEFINER * functions that read `app.user_id` from the GUC `withUserContext` sets. */ diff --git a/lib/data/oauth-session.ts b/lib/data/oauth-session.ts index c1e8cd2d..638ebf64 100644 --- a/lib/data/oauth-session.ts +++ b/lib/data/oauth-session.ts @@ -1,7 +1,7 @@ /** * OAuth session helpers. * - * `app_user` has no grants on `neon_auth.oauth*`; every helper here goes + * `app_user` has no grants on `piyaz_auth.oauth*`; every helper here goes * through `serviceRoleDb` (BYPASSRLS). Callers must pass a `userId` that * `requireSession` verified — the WHERE clause is the effective scope. */ diff --git a/lib/data/task.ts b/lib/data/task.ts index e7c8b92f..9ca0ea75 100644 --- a/lib/data/task.ts +++ b/lib/data/task.ts 
@@ -616,7 +616,7 @@ export async function getTaskFullWithEdges( /** * Fetch the assignee projection (userId + name + email) for a task, * routed through the `task_assignees_visible` SECURITY DEFINER function - * so `app_user` can read `neon_auth.user` under the Option-B lockdown. + * so `app_user` can read `piyaz_auth.user` under the Option-B lockdown. * * UNCHECKED: the SDF itself re-checks caller membership of the task's * org, but the upstream `assertTaskAccess` is still the contract. The diff --git a/lib/data/views.ts b/lib/data/views.ts index 0ce4a2f2..2a7952b4 100644 --- a/lib/data/views.ts +++ b/lib/data/views.ts @@ -11,7 +11,7 @@ import type { /** * Lightweight assignee projection used by surfaces that render * the people assigned to a task. Source: `task_assignees` joined - * to `neon_auth.user`. + * to `piyaz_auth.user`. */ export type AssigneeRef = { userId: string; diff --git a/lib/db/_driver.node.ts b/lib/db/_driver.node.ts index 2427e016..d6811080 100644 --- a/lib/db/_driver.node.ts +++ b/lib/db/_driver.node.ts @@ -51,7 +51,7 @@ export function buildAppPool(): DbBundle { /** * Build the Better-auth Drizzle client backed by postgres-js. * - * @returns Pool + Drizzle instance bound to the neon_auth schema. + * @returns Pool + Drizzle instance bound to the piyaz_auth schema. * @throws Error when `DATABASE_AUTH_URL` is unset. */ export function buildAuthPool(): DbBundle { @@ -59,7 +59,7 @@ export function buildAuthPool(): DbBundle { if (!url) { throw new Error( "DATABASE_AUTH_URL is required — Better Auth must connect via auth_role " + - "(DML on neon_auth.*, no public-schema access).", + "(DML on piyaz_auth.*, no public-schema access).", ); } const pool = postgres(url, POSTGRES_OPTS); diff --git a/lib/db/_driver.workers.ts b/lib/db/_driver.workers.ts index 35772070..50ca86e5 100644 --- a/lib/db/_driver.workers.ts +++ b/lib/db/_driver.workers.ts 
@@ -47,7 +47,7 @@ const DB_URL_REQUIRED = { app: "DATABASE_URL is required for the app runtime connection (app_user role).", auth: "DATABASE_AUTH_URL is required — Better Auth must connect via auth_role " + - "(DML on neon_auth.*, no public-schema access).", + "(DML on piyaz_auth.*, no public-schema access).", service: "DATABASE_SERVICE_ROLE_URL is required for service-role data access", } as const; @@ -132,7 +132,7 @@ export function buildAppPool(url = process.env.DATABASE_URL): DbBundle { * Fresh request-scoped Pool per call; see {@link buildAppPool}. * * @param url - Connection string, defaulting to `DATABASE_AUTH_URL`. - * @returns Pool + Drizzle instance bound to the neon_auth schema. + * @returns Pool + Drizzle instance bound to the piyaz_auth schema. * @throws Error when `DATABASE_AUTH_URL` is unset. */ export function buildAuthPool( diff --git a/lib/db/auth-schema.ts b/lib/db/auth-schema.ts index 176aabf2..56a5b02e 100644 --- a/lib/db/auth-schema.ts +++ b/lib/db/auth-schema.ts 
@@ -9,23 +9,23 @@ import { } from "drizzle-orm/pg-core"; /** - * Drizzle table definitions for the neon_auth schema. - * Uses pgSchema("neon_auth") for fully-qualified table names - * (e.g. "neon_auth"."user") so queries work with connection + * Drizzle table definitions for the piyaz_auth schema. + * Uses pgSchema("piyaz_auth") for fully-qualified table names + * (e.g. "piyaz_auth"."user") so queries work with connection * poolers (PgBouncer) that reset search_path. * - * Matches Neon Auth's actual DB structure exactly: + * Self-managed schema (the project does not use Neon Auth Managed): * - uuid IDs with gen_random_uuid() default * - timestamptz for all date columns * - camelCase column names (PostgreSQL quoted identifiers) * * Used by drizzleAdapter to map Better Auth models to DB tables. * NOT managed by drizzle-kit — auth tables are created by - * Neon Auth (hosted) or docker/init-auth.sql (self-hosted). + * docker/init-auth.sql. */ -const neonAuth = pgSchema("neon_auth"); +const piyazAuth = pgSchema("piyaz_auth"); -export const user = neonAuth.table("user", { +export const user = piyazAuth.table("user", { id: uuid("id").primaryKey().defaultRandom(), name: text("name").notNull(), email: text("email").notNull().unique(), @@ -43,7 +43,7 @@ export const user = neonAuth.table("user", { banExpires: timestamp("banExpires", { withTimezone: true }), }); -export const session = neonAuth.table( +export const session = piyazAuth.table( "session", { id: uuid("id").primaryKey().defaultRandom(), @@ -64,7 +64,7 @@ export const session = neonAuth.table( (table) => [index("session_userId_idx").on(table.userId)], ); -export const account = neonAuth.table( +export const account = piyazAuth.table( "account", { id: uuid("id").primaryKey().defaultRandom(), 
@@ -92,7 +92,7 @@ export const account = neonAuth.table( (table) => [index("account_userId_idx").on(table.userId)], ); -export const verification = neonAuth.table( +export const verification = piyazAuth.table( "verification", { id: uuid("id").primaryKey().defaultRandom(), @@ -109,7 +109,7 @@ export const verification = neonAuth.table( (table) => [index("verification_identifier_idx").on(table.identifier)], ); -export const organization = neonAuth.table( +export const organization = piyazAuth.table( "organization", { id: uuid("id").primaryKey().defaultRandom(), @@ -122,7 +122,7 @@ export const organization = neonAuth.table( (table) => [uniqueIndex("organization_slug_uidx").on(table.slug)], ); -export const member = neonAuth.table( +export const member = piyazAuth.table( "member", { id: uuid("id").primaryKey().defaultRandom(), @@ -141,7 +141,7 @@ export const member = neonAuth.table( ], ); -export const invitation = neonAuth.table( +export const invitation = piyazAuth.table( "invitation", { id: uuid("id").primaryKey().defaultRandom(), @@ -165,7 +165,7 @@ export const invitation = neonAuth.table( ], ); -export const jwks = neonAuth.table("jwks", { +export const jwks = piyazAuth.table("jwks", { id: uuid("id").primaryKey().defaultRandom(), publicKey: text("publicKey").notNull(), privateKey: text("privateKey").notNull(), @@ -179,7 +179,7 @@ export const jwks = neonAuth.table("jwks", { * and user consent records for the MCP auth flow. */ -export const oauthClient = neonAuth.table( +export const oauthClient = piyazAuth.table( "oauthClient", { id: uuid("id").primaryKey().defaultRandom(), @@ -223,7 +223,7 @@ export const oauthClient = neonAuth.table( ], ); -export const oauthAccessToken = neonAuth.table( +export const oauthAccessToken = piyazAuth.table( "oauthAccessToken", { id: uuid("id").primaryKey().defaultRandom(), 
@@ -245,7 +245,7 @@ export const oauthAccessToken = neonAuth.table( ], ); -export const oauthRefreshToken = neonAuth.table( +export const oauthRefreshToken = piyazAuth.table( "oauthRefreshToken", { id: uuid("id").primaryKey().defaultRandom(), @@ -270,7 +270,7 @@ export const oauthRefreshToken = neonAuth.table( ], ); -export const oauthConsent = neonAuth.table( +export const oauthConsent = piyazAuth.table( "oauthConsent", { id: uuid("id").primaryKey().defaultRandom(), diff --git a/lib/db/connection.ts b/lib/db/connection.ts index 3e05cfe4..8635477e 100644 --- a/lib/db/connection.ts +++ b/lib/db/connection.ts @@ -142,7 +142,7 @@ export const appDb = new Proxy({} as AppUserConn, { * Lazily initialized Better-auth Drizzle client. * * Same driver-selection and caching semantics as {@link appDb} but bound - * to the `neon_auth` schema used by `drizzleAdapter` in {@link auth}. + * to the `piyaz_auth` schema used by `drizzleAdapter` in {@link auth}. */ export const authDb = new Proxy({} as AuthDb, { get(_target, prop, receiver) { diff --git a/lib/db/raw/fetch-assignees-by-project.ts b/lib/db/raw/fetch-assignees-by-project.ts index 5fb8696a..7f7c3324 100644 --- a/lib/db/raw/fetch-assignees-by-project.ts +++ b/lib/db/raw/fetch-assignees-by-project.ts @@ -13,7 +13,7 @@ export type AssigneeByProjectRow = { /** * Every visible task assignee in a project, as a lazy batch statement. * Routes through the `task_assignees_for_project_visible` SECURITY DEFINER - * function so `app_user` can read `neon_auth.user` under the Option-B + * function so `app_user` can read `piyaz_auth.user` under the Option-B * lockdown. Normalize the batch result with * `normalizeExecuteResult` and fold with * {@link mapAssigneesByProjectRows}. diff --git a/lib/db/raw/get-project-list-max-updated-at.ts b/lib/db/raw/get-project-list-max-updated-at.ts index fd8c1ac6..547b3220 100644 --- a/lib/db/raw/get-project-list-max-updated-at.ts +++ b/lib/db/raw/get-project-list-max-updated-at.ts 
@@ -13,7 +13,7 @@ import { executeRaw, type Conn } from "@/lib/db/raw"; * membership-derived scope (`docker/rls-policies.sql`). The helper must * therefore run inside `withUserContext` so `app.user_id` is set. * - * Three independent table aggregates — no `neon_auth.member` join + * Three independent table aggregates — no `piyaz_auth.member` join * (app_user has no grant there). Each `MAX(updated_at)` runs over the * RLS-filtered row set, so non-members see zero rows and GREATEST * collapses to epoch-0. diff --git a/lib/db/team-schema.ts b/lib/db/team-schema.ts index 45df2bf1..d650bb54 100644 --- a/lib/db/team-schema.ts +++ b/lib/db/team-schema.ts 
@@ -13,23 +13,23 @@ import { organization, user } from "@/lib/db/auth-schema"; /** * Shareable team invite codes — one row per organization in v1. * - * Lives in `public` (drizzle-managed) and references `neon_auth.organization` - * + `neon_auth.user` via cross-schema FKs. Kept separate from `lib/db/schema.ts` + * Lives in `public` (drizzle-managed) and references `piyaz_auth.organization` + * + `piyaz_auth.user` via cross-schema FKs. Kept separate from `lib/db/schema.ts` * because it's a join concept between the auth and app schemas — same split * we already use for `auth-schema.ts` vs `schema.ts`. * - * Distinct from `neon_auth.invitation`: that table is per-recipient-email and + * Distinct from `piyaz_auth.invitation`: that table is per-recipient-email and * Better Auth's `acceptInvitation` enforces `invitation.email === session.user.email`. * A team-wide code can't ride that flow without forging email, so we use * `auth.api.addMember` against this separate table instead. * * RLS is enabled here via `.enableRLS()`; the policy DDL itself lives in - * `docker/rls-policies.sql` (1-hop membership through `neon_auth.member`, + * `docker/rls-policies.sql` (1-hop membership through `piyaz_auth.member`, * applied after `db:push`). The three join-path helpers in * `lib/data/team-invite-code.ts` (`reserveInviteCodeSlot`, * `releaseInviteCodeSlot`, `diagnoseTeamInviteCode`) call SECURITY DEFINER * SQL functions (see `docker/rls-functions.sql`) because the joining user - * has no `neon_auth.member` row at the moment of lookup — the functions + * has no `piyaz_auth.member` row at the moment of lookup — the functions * run as their owner and have a narrow audited surface. The four admin * helpers (`findTeamInviteCode`, `createTeamInviteCode`, * `rotateTeamInviteCode`, `revokeTeamInviteCode`) run under diff --git a/migrations/001-oauth-tables.sql b/migrations/001-oauth-tables.sql index 4f25ee34..6bb007ae 100644 --- a/migrations/001-oauth-tables.sql 
+++ b/migrations/001-oauth-tables.sql @@ -1,8 +1,8 @@ -- OAuth 2.1 Provider tables for @better-auth/oauth-provider. --- Run once against the neon_auth schema on hosted Neon. +-- Run once against the piyaz_auth schema on hosted Neon. -- Self-hosted path: these tables are in docker/init-auth.sql instead. -SET search_path TO neon_auth; +SET search_path TO piyaz_auth; CREATE TABLE "oauthClient" ( "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(), diff --git a/tests/auth/change-password.test.ts b/tests/auth/change-password.test.ts index e928b142..b4d0cc41 100644 --- a/tests/auth/change-password.test.ts +++ b/tests/auth/change-password.test.ts @@ -221,16 +221,16 @@ test("password change wipes the user's OAuth agent tokens (account.update.after const sql = superuserPool(); const [{ id: userId }] = await sql<{ id: string }[]>` - SELECT id FROM neon_auth."user" WHERE email = ${email} + SELECT id FROM piyaz_auth."user" WHERE email = ${email} `; await sql` - INSERT INTO neon_auth."oauthAccessToken" + INSERT INTO piyaz_auth."oauthAccessToken" ("token", "clientId", "userId", "scopes", "expiresAt") VALUES ('test-access-token', 'test-client', ${userId}::uuid, '{openid}', now() + interval '1 hour') `; await sql` - INSERT INTO neon_auth."oauthRefreshToken" + INSERT INTO piyaz_auth."oauthRefreshToken" ("token", "clientId", "userId", "scopes", "expiresAt") VALUES ('test-refresh-token', 'test-client', ${userId}::uuid, '{openid}', now() + interval '7 days') 
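Review bot: The edited header and `SET search_path TO piyaz_auth;` assume the `piyaz_auth` schema already exists, but a database that ran this migration before the rename still has these tables under `neon_auth`, and no rename step is visible in this part of the diff. If none exists elsewhere in the commit, add a one-time upgrade step such as `ALTER SCHEMA neon_auth RENAME TO piyaz_auth;` and note it in the header, e.g. `-- Existing installs: rename neon_auth to piyaz_auth before deploying code that targets piyaz_auth.` A rename keeps the existing object grants. Creating a fresh `piyaz_auth` beside the old schema would instead leave the old `account`, `jwks` and OAuth token rows in `neon_auth`, which the updated REVOKEs in `docker/grants.sql` and the `piyaz_auth` lockdown tests no longer cover. The `CREATE TABLE` statements continue outside the hunk.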
@@ -249,10 +249,10 @@ test("password change wipes the user's OAuth agent tokens (account.update.after expect(response.status).toBe(200); const accessRows = await sql` - SELECT id FROM neon_auth."oauthAccessToken" WHERE "userId" = ${userId}::uuid + SELECT id FROM piyaz_auth."oauthAccessToken" WHERE "userId" = ${userId}::uuid `; const refreshRows = await sql` - SELECT id FROM neon_auth."oauthRefreshToken" WHERE "userId" = ${userId}::uuid + SELECT id FROM piyaz_auth."oauthRefreshToken" WHERE "userId" = ${userId}::uuid `; expect(accessRows.length).toBe(0); expect(refreshRows.length).toBe(0); diff --git a/tests/data/account.test.ts b/tests/data/account.test.ts index 26818561..94be3f98 100644 --- a/tests/data/account.test.ts +++ b/tests/data/account.test.ts @@ -13,7 +13,7 @@ afterEach(async () => { describe("getPasswordUpdatedAt", () => { // Regression: the helper must read through authDb (auth_role). - // docker/grants.sql deliberately excludes neon_auth.account (password + // docker/grants.sql deliberately excludes piyaz_auth.account (password // hashes) from service_role's grants, so a serviceRoleDb read throws // "permission denied for table account" at runtime. These tests run // against the real role split and fail on any client downgrade. @@ -21,7 +21,7 @@ describe("getPasswordUpdatedAt", () => { const f = await seedUserOrgProject("pw-updated-at"); const sqlc = superuserPool(); await sqlc` - INSERT INTO neon_auth."account" + INSERT INTO piyaz_auth."account" ("accountId", "providerId", "userId", "password", "updatedAt") VALUES (${f.userId}, 'credential', ${f.userId}, 'scrypt-hash-placeholder', '2026-03-01T12:00:00Z') 
@@ -44,41 +44,41 @@ describe("clearOrgMembershipArtifacts", () => { const sqlc = superuserPool(); try { await sqlc` - INSERT INTO neon_auth."session" ("expiresAt", "token", "updatedAt", "userId", "activeOrganizationId") + INSERT INTO piyaz_auth."session" ("expiresAt", "token", "updatedAt", "userId", "activeOrganizationId") VALUES (now() + interval '7 days', 'tok-' || gen_random_uuid()::text, now(), ${f.userId}, ${f.organizationId}::text) `; await sqlc` - INSERT INTO neon_auth."oauthAccessToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") + INSERT INTO piyaz_auth."oauthAccessToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") VALUES ('at-1', 'client-1', ${f.userId}, ${f.organizationId}, '{}', now() + interval '1 hour') `; await sqlc` - INSERT INTO neon_auth."oauthRefreshToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") + INSERT INTO piyaz_auth."oauthRefreshToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") VALUES ('rt-1', 'client-1', ${f.userId}, ${f.organizationId}, '{}', now() + interval '7 days') `; await sqlc` - INSERT INTO neon_auth."oauthConsent" ("clientId", "userId", "referenceId", "scopes") + INSERT INTO piyaz_auth."oauthConsent" ("clientId", "userId", "referenceId", "scopes") VALUES ('client-1', ${f.userId}, ${f.organizationId}, '{}') `; await clearOrgMembershipArtifacts(f.userId, f.organizationId); const [{ activePtr }] = await sqlc<{ activePtr: string | null }[]>` - SELECT "activeOrganizationId" AS "activePtr" FROM neon_auth."session" + SELECT "activeOrganizationId" AS "activePtr" FROM piyaz_auth."session" WHERE "userId" = ${f.userId} LIMIT 1 `; expect(activePtr).toBeNull(); const at = - await sqlc`SELECT id FROM neon_auth."oauthAccessToken" WHERE "userId" = ${f.userId}`; + await sqlc`SELECT id FROM piyaz_auth."oauthAccessToken" WHERE "userId" = ${f.userId}`; expect(at.length).toBe(0); const rt = - await sqlc`SELECT id FROM 
neon_auth."oauthRefreshToken" WHERE "userId" = ${f.userId}`; + await sqlc`SELECT id FROM piyaz_auth."oauthRefreshToken" WHERE "userId" = ${f.userId}`; expect(rt.length).toBe(0); const cs = - await sqlc`SELECT id FROM neon_auth."oauthConsent" WHERE "userId" = ${f.userId}`; + await sqlc`SELECT id FROM piyaz_auth."oauthConsent" WHERE "userId" = ${f.userId}`; expect(cs.length).toBe(0); } finally { await sqlc.end({ timeout: 5 }); @@ -92,7 +92,7 @@ describe("clearOrgMembershipArtifacts", () => { const sqlc = superuserPool(); try { await sqlc` - INSERT INTO neon_auth."oauthAccessToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") + INSERT INTO piyaz_auth."oauthAccessToken" ("token", "clientId", "userId", "referenceId", "scopes", "expiresAt") VALUES ('at-a-a', 'client-1', ${a.userId}, ${a.organizationId}, '{}', now() + interval '1 hour'), ('at-a-b', 'client-1', ${a.userId}, ${b.organizationId}, '{}', now() + interval '1 hour'), @@ -103,7 +103,7 @@ describe("clearOrgMembershipArtifacts", () => { await clearOrgMembershipArtifacts(a.userId, a.organizationId); const remaining = await sqlc<{ token: string }[]>` - SELECT token FROM neon_auth."oauthAccessToken" + SELECT token FROM piyaz_auth."oauthAccessToken" ORDER BY token ASC `; const tokens = remaining.map((r) => r.token); diff --git a/tests/data/membership.test.ts b/tests/data/membership.test.ts index 2802c384..5802318e 100644 --- a/tests/data/membership.test.ts +++ b/tests/data/membership.test.ts 
@@ -19,12 +19,12 @@ test("listMembershipsWithCounts paginates by (createdAt, id) cursor", async () = try { for (let i = 0; i < 5; i++) { const [o] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."organization" ("name", "slug", "createdAt") + INSERT INTO piyaz_auth."organization" ("name", "slug", "createdAt") VALUES (${"Extra " + i}, ${"extra-" + i}, ${new Date(Date.now() + (i + 1) * 1000)}) RETURNING id `; await sqlc` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${o.id}, ${base.userId}, 'owner', now()) `; } @@ -56,12 +56,12 @@ describe("demoteMemberWithGuard", () => { let secondMemberId: string; try { const [u] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt") + INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt") VALUES ('Second', 'second-demote-ok@test.local', true, now()) RETURNING id `; const [m] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${f.organizationId}, ${u.id}, 'admin', now()) RETURNING id `; @@ -117,7 +117,7 @@ describe("demoteMemberWithGuard", () => { let bMemberId: string; try { const [m] = await sqlc<{ id: string }[]>` - SELECT id FROM neon_auth."member" + SELECT id FROM piyaz_auth."member" WHERE "organizationId" = ${b.organizationId} AND "userId" = ${b.userId} LIMIT 1 `; @@ -155,7 +155,7 @@ describe("demoteMemberWithGuard", () => { let memberId: string; try { const [m] = await sqlc<{ id: string }[]>` - SELECT id FROM neon_auth."member" + SELECT id FROM piyaz_auth."member" WHERE "organizationId" = ${f.organizationId} AND "userId" = ${f.userId} LIMIT 1 `; 
@@ -191,19 +191,19 @@ describe("demoteMemberWithGuard", () => { let secondMemberId: string; try { const [m1] = await sqlc<{ id: string }[]>` - SELECT id FROM neon_auth."member" + SELECT id FROM piyaz_auth."member" WHERE "organizationId" = ${f.organizationId} AND "userId" = ${f.userId} LIMIT 1 `; firstMemberId = m1.id; const [u] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt") + INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt") VALUES ('Second Owner', 'second-owner-race@test.local', true, now()) RETURNING id `; const [m2] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${f.organizationId}, ${u.id}, 'owner', now()) RETURNING id `; @@ -216,7 +216,7 @@ describe("demoteMemberWithGuard", () => { const c = superuserPool(); try { await c` - UPDATE neon_auth."member" + UPDATE piyaz_auth."member" SET role = 'member' WHERE id = ${memberId} `; diff --git a/tests/data/project.test.ts b/tests/data/project.test.ts index 02cbc8ff..18b846aa 100644 --- a/tests/data/project.test.ts +++ b/tests/data/project.test.ts @@ -257,7 +257,7 @@ test("getProjectMaxUpdatedAt returns the latest updated_at across project + task test("getProjectListMaxUpdatedAt returns the latest updated_at across the caller's accessible scope", async () => { // RLS scopes the row sets; the helper aggregates MAX(updated_at) with - // no neon_auth join (app_user has no grant there). + // no piyaz_auth join (app_user has no grant there). const f = await seedUserOrgProject("listmax"); const ctx = makeAuthContext(f.userId); 
@@ -530,12 +530,12 @@ test("listProjectsForMcp skips teams with zero projects", async () => { const sqlc = superuserPool(); try { const [emptyOrg] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."organization" ("name", "slug", "createdAt") + INSERT INTO piyaz_auth."organization" ("name", "slug", "createdAt") VALUES ('Empty Team Mcp', 'empty-team-mcp', now()) RETURNING id `; await sqlc` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${emptyOrg.id}, ${f.userId}, 'owner', now()) `; } finally { diff --git a/tests/data/rls-dataring.test.ts b/tests/data/rls-dataring.test.ts index 1c4b7e87..97adea84 100644 --- a/tests/data/rls-dataring.test.ts +++ b/tests/data/rls-dataring.test.ts @@ -72,7 +72,7 @@ describe("RLS data-ring discipline — withUserContext wrappers", () => { } // teamB's admin should NOT see teamA's invite-code row. The policy - // joins through neon_auth.member, which has no (teamA.org, teamB.user) + // joins through piyaz_auth.member, which has no (teamA.org, teamB.user) // pairing, so the USING predicate filters the row out. const leak = await findTeamInviteCode( makeAuthContext(teamB.userId), diff --git a/tests/data/rls-team-invite-code.test.ts b/tests/data/rls-team-invite-code.test.ts index 9c848356..fefa6804 100644 --- a/tests/data/rls-team-invite-code.test.ts +++ b/tests/data/rls-team-invite-code.test.ts @@ -20,7 +20,7 @@ import { * policy so the join flow still works for non-admin members. * * Membership-role changes use the testcontainer superuser (`getConnectionString`) - * because `service_role` only has SELECT/REFERENCES on `neon_auth."member"` + * because `service_role` only has SELECT/REFERENCES on `piyaz_auth."member"` * by design (see `docker/grants.sql`). */ 
@@ -33,7 +33,7 @@ describe("team_invite_code RLS — admin-only writes", () => { const fx = await seedUserOrgProject("ic-member"); const seed = superuserPool(); try { - await seed`UPDATE neon_auth."member" SET "role" = 'member' + await seed`UPDATE piyaz_auth."member" SET "role" = 'member' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); @@ -54,7 +54,7 @@ describe("team_invite_code RLS — admin-only writes", () => { const fx = await seedUserOrgProject("ic-admin"); const seed = superuserPool(); try { - await seed`UPDATE neon_auth."member" SET "role" = 'admin' + await seed`UPDATE piyaz_auth."member" SET "role" = 'admin' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); @@ -193,7 +193,7 @@ describe("team_invite_code RLS — admin-only writes", () => { const fx = await seedUserOrgProject("tc3-member"); const seed = superuserPool(); try { - await seed`UPDATE neon_auth."member" SET "role" = 'member' + await seed`UPDATE piyaz_auth."member" SET "role" = 'member' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; await seed`CREATE POLICY temp_member_can_write ON team_invite_code AS PERMISSIVE FOR INSERT TO app_user WITH CHECK (true)`; @@ -328,7 +328,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h1selmember', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'member' + await seed`UPDATE piyaz_auth."member" SET "role" = 'member' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); 
@@ -353,7 +353,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h1seladmin', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'admin' + await seed`UPDATE piyaz_auth."member" SET "role" = 'admin' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); @@ -379,7 +379,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h7updmember', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'member' + await seed`UPDATE piyaz_auth."member" SET "role" = 'member' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); @@ -415,7 +415,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h7delmember', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'member' + await seed`UPDATE piyaz_auth."member" SET "role" = 'member' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); @@ -450,7 +450,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h7updadmin', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'admin' + await seed`UPDATE piyaz_auth."member" SET "role" = 'admin' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); 
@@ -477,7 +477,7 @@ describe("team_invite_code RLS — admin-only writes", () => { try { await seed`INSERT INTO team_invite_code (organization_id, code, default_role) VALUES (${fx.organizationId}, 'h7deladmin', 'member')`; - await seed`UPDATE neon_auth."member" SET "role" = 'admin' + await seed`UPDATE piyaz_auth."member" SET "role" = 'admin' WHERE "userId" = ${fx.userId} AND "organizationId" = ${fx.organizationId}`; } finally { await seed.end({ timeout: 5 }); diff --git a/tests/data/rls.test.ts b/tests/data/rls.test.ts index cf2b0b25..0be0cb3c 100644 --- a/tests/data/rls.test.ts +++ b/tests/data/rls.test.ts @@ -582,7 +582,7 @@ describe("RLS — defense-in-depth on team isolation", () => { let taskBId: string; try { await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${teamB.organizationId}, ${teamA.userId}, 'member', now()) `; const [a] = await su<{ id: string }[]>` @@ -740,12 +740,12 @@ describe("RLS — defense-in-depth on team isolation", () => { const teamA = await seedUserOrgProject("rls-x-tic-floor-admin"); const su = superuserPool(); const [u] = await su<{ id: string }[]>` - INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt") + INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt") VALUES ('Regular Member', 'regular@test.local', true, now()) RETURNING id `; await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${teamA.organizationId}, ${u.id}, 'member', now()) `; diff --git a/tests/data/task.test.ts b/tests/data/task.test.ts index 591ce083..43b8f9bf 100644 --- a/tests/data/task.test.ts +++ b/tests/data/task.test.ts 
@@ -999,7 +999,7 @@ test("createTask with assigneeIds rejects non-team-member users", async () => { let strangerId: string; try { const [u] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt") + INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt") VALUES ('Stranger', 'stranger@test.local', true, now()) RETURNING id `; @@ -1032,13 +1032,13 @@ test("updateTask appends assigneeIds by default and replaces with overwriteArray let secondId: string; try { const [u] = await sqlc<{ id: string }[]>` - INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt") + INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt") VALUES ('Second', 'second@test.local', true, now()) RETURNING id `; secondId = u.id; await sqlc` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${f.organizationId}, ${secondId}, 'member', now()) `; } finally { diff --git a/tests/db/connection.test.ts b/tests/db/connection.test.ts index 6ebe5ed3..11ce7516 100644 --- a/tests/db/connection.test.ts +++ b/tests/db/connection.test.ts @@ -14,7 +14,7 @@ test("container is reachable and migrations applied", async () => { try { const rows = await sql<{ name: string }[]>` SELECT table_name AS name FROM information_schema.tables - WHERE table_schema IN ('public', 'neon_auth') + WHERE table_schema IN ('public', 'piyaz_auth') ORDER BY table_name `; const names = rows.map((r) => r.name); diff --git a/tests/db/immutability.test.ts b/tests/db/immutability.test.ts index 9e8da1aa..0096e593 100644 --- a/tests/db/immutability.test.ts +++ b/tests/db/immutability.test.ts 
@@ -120,7 +120,7 @@ describe("dual-org member cannot reparent rows under app_user", () => { const su = superuserPool(); try { await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${b.organizationId}::uuid, ${a.userId}::uuid, 'member', now()) `; } finally { @@ -144,7 +144,7 @@ describe("dual-org member cannot reparent rows under app_user", () => { let taskId: string; try { await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${b.organizationId}::uuid, ${a.userId}::uuid, 'member', now()) `; const [t] = await su<{ id: string }[]>` @@ -173,7 +173,7 @@ describe("dual-org member cannot reparent rows under app_user", () => { let codeId: string; try { await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${b.organizationId}::uuid, ${a.userId}::uuid, 'admin', now()) `; const [row] = await su<{ id: string }[]>` diff --git a/tests/db/neon-auth-lockdown.test.ts b/tests/db/piyaz-auth-lockdown.test.ts similarity index 92% rename from tests/db/neon-auth-lockdown.test.ts rename to tests/db/piyaz-auth-lockdown.test.ts index 26fbf6bc..eeb636ce 100644 --- a/tests/db/neon-auth-lockdown.test.ts +++ b/tests/db/piyaz-auth-lockdown.test.ts @@ -9,7 +9,7 @@ afterEach(async () => { await truncateAll(); }); -describe("app_user neon_auth lockdown", () => { +describe("app_user piyaz_auth lockdown", () => { const tables = [ "user", "session", 
@@ -26,10 +26,10 @@ describe("app_user neon_auth lockdown", () => { ]; for (const t of tables) { - test(`app_user cannot SELECT from neon_auth.${t}`, async () => { + test(`app_user cannot SELECT from piyaz_auth.${t}`, async () => { const c = appUserConnect(); await expectQueryRejects( - c.unsafe(`SELECT 1 FROM neon_auth."${t}" LIMIT 1`), + c.unsafe(`SELECT 1 FROM piyaz_auth."${t}" LIMIT 1`), /permission denied/i, ); }); @@ -96,7 +96,7 @@ describe("app_user neon_auth lockdown", () => { } }); - test("app_user has zero rows in information_schema.table_privileges for schema neon_auth", async () => { + test("app_user has zero rows in information_schema.table_privileges for schema piyaz_auth", async () => { // The runtime SELECT-deny probes above prove the surface is // unreachable, but a catalog assertion is the static-shape backup — // a future docker/grants.sql edit that accidentally added a grant @@ -109,12 +109,12 @@ describe("app_user neon_auth lockdown", () => { SELECT grantee, table_name, privilege_type FROM information_schema.table_privileges WHERE grantee = 'app_user' - AND table_schema = 'neon_auth' + AND table_schema = 'piyaz_auth' `; const found = rows.map((r) => `${r.table_name}.${r.privilege_type}`); expect( found, - `app_user must have zero table privileges in neon_auth (found: ${found.join(", ")})`, + `app_user must have zero table privileges in piyaz_auth (found: ${found.join(", ")})`, ).toEqual([]); } finally { await su.end({ timeout: 5 }); @@ -202,7 +202,7 @@ describe("auth_role public.* lockdown", () => { }); }); -describe("service_role neon_auth grants pin the call-site contract", () => { +describe("service_role piyaz_auth grants pin the call-site contract", () => { // The data-layer call sites in lib/data/oauth-session.ts and // lib/data/account.ts rely on a documented, MINIMAL set of grants. If // grants.sql ever loses one of these, the affected UI surface dies 
@@ -232,20 +232,20 @@ describe("service_role neon_auth grants pin the call-site contract", () => { } for (const { table, needs } of requiredGrants) { - test(`service_role has the documented grants on neon_auth.${table}`, async () => { + test(`service_role has the documented grants on piyaz_auth.${table}`, async () => { const c = serviceRolePool(); try { for (const priv of needs) { const [row] = await c>` SELECT has_table_privilege( 'service_role', - ${'neon_auth."' + table + '"'}, + ${'piyaz_auth."' + table + '"'}, ${priv} ) AS has `; expect( row.has, - `service_role must have ${priv} on neon_auth.${table}`, + `service_role must have ${priv} on piyaz_auth.${table}`, ).toBe(true); } } finally { diff --git a/tests/db/rls-functions.test.ts b/tests/db/rls-functions.test.ts index 8af2bd72..da83a41d 100644 --- a/tests/db/rls-functions.test.ts +++ b/tests/db/rls-functions.test.ts @@ -633,12 +633,12 @@ describe("is_caller_in_invitation_org SECURITY DEFINER", () => { ): Promise<{ id: string }> { const su = superuserPool(); const [row] = await su<{ id: string }[]>` - INSERT INTO neon_auth."invitation" + INSERT INTO piyaz_auth."invitation" ("organizationId", "email", "role", "status", "expiresAt", "inviterId") VALUES ( ${orgId}, ${email}, 'member', 'pending', ${new Date(Date.now() + 7 * 86400_000)}, - (SELECT "userId" FROM neon_auth."member" WHERE "organizationId" = ${orgId} LIMIT 1) + (SELECT "userId" FROM piyaz_auth."member" WHERE "organizationId" = ${orgId} LIMIT 1) ) RETURNING id `; @@ -673,7 +673,7 @@ describe("is_caller_in_invitation_org SECURITY DEFINER", () => { const fxB = await seedUserOrgProject("inv-bind-b"); const su = superuserPool(); await su` - INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt") + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${fxB.organizationId}, ${fxA.userId}, 'member', now()) `; const inv = await seedInvitation(fxA.organizationId, "bind@test.local"); 
@@ -773,7 +773,7 @@ describe("SECURITY DEFINER catalog invariants", () => { /** * Every `*_visible` SECURITY DEFINER below carries an inline - * `EXISTS (SELECT 1 FROM neon_auth."member" caller WHERE …)` guard on + * `EXISTS (SELECT 1 FROM piyaz_auth."member" caller WHERE …)` guard on * the caller's GUC-supplied user_id. If a future regression drops that * guard, an app_user session in team B could read team A's data * through the SDF — the brand types and the EXECUTE grant matrix would @@ -872,7 +872,7 @@ describe("SECURITY DEFINER — cross-team caller-membership re-checks", () => { const teamB = await seedUserOrgProject("sdf-cuvm-b"); const su = superuserPool(); const [member] = await su<{ id: string }[]>` - SELECT id FROM neon_auth."member" + SELECT id FROM piyaz_auth."member" WHERE "organizationId" = ${teamA.organizationId} AND "userId" = ${teamA.userId} `; const c = appUserConnect(); diff --git a/tests/realtime/access.test.ts b/tests/realtime/access.test.ts index 23fdf43f..19defeb9 100644 --- a/tests/realtime/access.test.ts +++ b/tests/realtime/access.test.ts @@ -155,7 +155,7 @@ test("revokeOrgAccess enumerates and unregisters subs for every project in the o // RLS predicate. revokeOrgAccess must instead route through an admin path // so the project enumeration still works after membership is gone. const f = await seedUserOrgProject("revoke-rt-no-membership"); - // Use the testcontainer superuser for DELETE on neon_auth.member — neither + // Use the testcontainer superuser for DELETE on piyaz_auth.member — neither // app_user nor service_role have DELETE on that table; only auth_role does // and it has no public-schema access, so the simplest path is the same // superuser the seed helper uses. 
@@ -167,7 +167,7 @@ test("revokeOrgAccess enumerates and unregisters subs for every project in the o VALUES (${f.organizationId}, 'Second project', 'PRJ2') RETURNING id`; project2Id = p2.id; - await su`DELETE FROM neon_auth."member" + await su`DELETE FROM piyaz_auth."member" WHERE "userId" = ${f.userId} AND "organizationId" = ${f.organizationId}`; } finally { diff --git a/tests/security/list-invitations-bypass.test.ts b/tests/security/list-invitations-bypass.test.ts index 63306038..4f8c3abc 100644 --- a/tests/security/list-invitations-bypass.test.ts +++ b/tests/security/list-invitations-bypass.test.ts @@ -101,7 +101,7 @@ afterEach(async () => { * `expiresAt` is +24h from now, well outside any plausible test runtime. * * @param orgId - Organization that owns the invitation. - * @param inviterId - User who issued the invitation (FK into `neon_auth.user`). + * @param inviterId - User who issued the invitation (FK into `piyaz_auth.user`). * @param email - Invitee email. * @returns The inserted row id. */ @@ -113,7 +113,7 @@ async function seedInvitation( const su = superuserPool(); const expiresAt = new Date(Date.now() + 1000 * 60 * 60 * 24); const [row] = await su<{ id: string }[]>` - INSERT INTO neon_auth."invitation" + INSERT INTO piyaz_auth."invitation" ("organizationId", "email", "role", "status", "expiresAt", "inviterId") VALUES (${orgId}, ${email}, 'member', 'pending', ${expiresAt}, ${inviterId}) @@ -207,10 +207,10 @@ describe("catch-all HTTP allowlist (MYMR-155)", () => { }); const su = superuserPool(); const [attacker] = await su<{ id: string }[]>` - SELECT id FROM neon_auth."user" WHERE email = ${attackerEmail} + SELECT id FROM piyaz_auth."user" WHERE email = ${attackerEmail} `; await su` - INSERT INTO neon_auth."member" + INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt") VALUES (${targetOrg.organizationId}, ${attacker.id}, 'member', now()) 
@@ -271,7 +271,7 @@ describe("listPendingInvitationsAction (MYMR-155)", () => {
 const targetOrg = await seedUserOrgProject("mymr155-target-action");
 const su = superuserPool();
 const [member] = await su<{ id: string }[]>`
- INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt")
+ INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt")
 VALUES (
 'MYMR-155 Non-admin Member',
 'mymr155-nonadmin-member-action@test.local',
@@ -281,7 +281,7 @@ describe("listPendingInvitationsAction (MYMR-155)", () => {
 RETURNING id
 `;
 await su`
- INSERT INTO neon_auth."member"
+ INSERT INTO piyaz_auth."member"
 ("organizationId", "userId", "role", "createdAt")
 VALUES
 (${targetOrg.organizationId}, ${member.id}, 'member', now())
diff --git a/tests/setup/migrate.ts b/tests/setup/migrate.ts
index 3a3d06fb..e23f592a 100644
--- a/tests/setup/migrate.ts
+++ b/tests/setup/migrate.ts
@@ -109,7 +109,7 @@ async function applyRlsFunctions(
 }
 
 /**
- * Apply `docker/init-auth.sql` (the neon_auth schema for self-hosted
+ * Apply `docker/init-auth.sql` (the piyaz_auth schema for self-hosted
 * Postgres), provision the RLS role split (`app_user` + `service_role`),
 * run `drizzle-kit push` to create the public schema, then apply
 * `docker/rls-policies.sql` so RLS policies land. Run once per container
@@ -133,10 +133,10 @@ export async function applyMigrations(url: string): Promise {
 "utf8",
 );
 await sql.unsafe(initAuth);
- // `init-auth.sql` calls `SET search_path TO neon_auth` for the duration
+ // `init-auth.sql` calls `SET search_path TO piyaz_auth` for the duration
 // of its CREATE TABLEs. The setting persists on the pooled connection;
 // reset it so subsequent statements land in the `public` schema.
- await sql.unsafe("SET search_path TO public, neon_auth");
+ await sql.unsafe("SET search_path TO public, piyaz_auth");
 await provisionRoles(sql);
 } finally {
 await sql.end({ timeout: 5 });
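Review bot: In the second hunk of tests/setup/migrate.ts, `SET search_path TO public, piyaz_auth` will not fail if the schema name is wrong, because PostgreSQL ignores search_path entries that name a missing schema, so this statement gives no signal that it still matches what `docker/init-auth.sql` creates after the rename. The comment above it also relies on the setting persisting on "the pooled connection"; search_path is per-session, so the reset holds only if the pool hands every later statement the same connection, which is not visible in this hunk. I would state that assumption in the comment, e.g. `// search_path is per-connection: assumes this pool uses a single connection`. applyMigrations begins and ends outside the hunk.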
diff --git a/tests/setup/schema.ts b/tests/setup/schema.ts
index 0b14fa68..6608c1d0 100644
--- a/tests/setup/schema.ts
+++ b/tests/setup/schema.ts
@@ -13,18 +13,18 @@ const TRUNCATE_TABLES = [
 "tasks",
 "team_invite_code",
 "projects",
- '"neon_auth"."oauthAccessToken"',
- '"neon_auth"."oauthRefreshToken"',
- '"neon_auth"."oauthConsent"',
- '"neon_auth"."oauthClient"',
- '"neon_auth"."invitation"',
- '"neon_auth"."member"',
- '"neon_auth"."session"',
- '"neon_auth"."account"',
- '"neon_auth"."organization"',
- '"neon_auth"."user"',
- '"neon_auth"."verification"',
- '"neon_auth"."jwks"',
+ '"piyaz_auth"."oauthAccessToken"',
+ '"piyaz_auth"."oauthRefreshToken"',
+ '"piyaz_auth"."oauthConsent"',
+ '"piyaz_auth"."oauthClient"',
+ '"piyaz_auth"."invitation"',
+ '"piyaz_auth"."member"',
+ '"piyaz_auth"."session"',
+ '"piyaz_auth"."account"',
+ '"piyaz_auth"."organization"',
+ '"piyaz_auth"."user"',
+ '"piyaz_auth"."verification"',
+ '"piyaz_auth"."jwks"',
 ];
 
 /**
diff --git a/tests/setup/seed.ts b/tests/setup/seed.ts
index 78ec5b4d..ff80ca75 100644
--- a/tests/setup/seed.ts
+++ b/tests/setup/seed.ts
@@ -41,17 +41,17 @@ export type Fixture = {
 export async function seedUserOrgProject(suffix = "1"): Promise {
 const sql = superuserPool();
 const [u] = await sql<{ id: string }[]>`
- INSERT INTO neon_auth."user" ("name", "email", "emailVerified", "updatedAt")
+ INSERT INTO piyaz_auth."user" ("name", "email", "emailVerified", "updatedAt")
 VALUES (${"User " + suffix}, ${"user" + suffix + "@test.local"}, true, now())
 RETURNING id
 `;
 const [o] = await sql<{ id: string }[]>`
- INSERT INTO neon_auth."organization" ("name", "slug", "createdAt")
+ INSERT INTO piyaz_auth."organization" ("name", "slug", "createdAt")
 VALUES (${"Team " + suffix}, ${"team-" + suffix}, now())
 RETURNING id
 `;
 await sql`
- INSERT INTO neon_auth."member" ("organizationId", "userId", "role", "createdAt")
+ INSERT INTO piyaz_auth."member" ("organizationId", "userId", "role", "createdAt")
 VALUES (${o.id}, ${u.id}, 'owner', now())
 `;
 const [p] = await sql<{ id: string }[]>`