♻️ Refactor and Upgrade Users Repository including users_secrets split (#8124)

Author: pcrespov

packages/notifications-library/tests/with_db/conftest.py

@@ -16,11 +16,14 @@
 from models_library.users import UserID
 from notifications_library._templates import get_default_named_templates
 from pydantic import validate_call
+from pytest_simcore.helpers.postgres_tools import insert_and_get_row_lifespan
+from pytest_simcore.helpers.postgres_users import (
+    insert_and_get_user_and_secrets_lifespan,
+)
 from simcore_postgres_database.models.jinja2_templates import jinja2_templates
 from simcore_postgres_database.models.payments_transactions import payments_transactions
 from simcore_postgres_database.models.products import products
 from simcore_postgres_database.models.products_to_templates import products_to_templates
-from simcore_postgres_database.models.users import users
 from sqlalchemy.engine.row import Row
 from sqlalchemy.ext.asyncio.engine import AsyncEngine
 
@@ -50,16 +53,11 @@ async def user(
     and injects a user in db
     """
     assert user_id == user["id"]
-    pk_args = users.c.id, user["id"]
-
-    # NOTE: creation of primary group and setting `groupid`` is automatically triggered after creation of user by postgres
-    async with sqlalchemy_async_engine.begin() as conn:
-        row: Row = await _insert_and_get_row(conn, users, user, *pk_args)
-
-    yield row._asdict()
-
-    async with sqlalchemy_async_engine.begin() as conn:
-        await _delete_row(conn, users, *pk_args)
+    async with insert_and_get_user_and_secrets_lifespan(  # pylint:disable=contextmanager-generator-missing-cleanup
+        sqlalchemy_async_engine,
+        **user,
+    ) as row:
+        yield row
 
 
 @pytest.fixture
@@ -82,15 +80,14 @@ async def product(
     # NOTE: osparc product is already in db. This is another product
     assert product["name"] != "osparc"
 
-    pk_args = products.c.name, product["name"]
-
-    async with sqlalchemy_async_engine.begin() as conn:
-        row: Row = await _insert_and_get_row(conn, products, product, *pk_args)
-
-    yield row._asdict()
-
-    async with sqlalchemy_async_engine.begin() as conn:
-        await _delete_row(conn, products, *pk_args)
+    async with insert_and_get_row_lifespan(  # pylint:disable=contextmanager-generator-missing-cleanup
+        sqlalchemy_async_engine,
+        table=products,
+        values=product,
+        pk_col=products.c.name,
+        pk_value=product["name"],
+    ) as row:
+        yield row
 
 
 @pytest.fixture

packages/postgres-database/src/simcore_postgres_database/migration/versions/5679165336c8_new_users_secrets.py

@@ -0,0 +1,77 @@
+"""new users secrets
+
+Revision ID: 5679165336c8
+Revises: 61b98a60e934
+Create Date: 2025-07-17 17:07:20.200038+00:00
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "5679165336c8"
+down_revision = "61b98a60e934"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "users_secrets",
+        sa.Column("user_id", sa.BigInteger(), nullable=False),
+        sa.Column("password_hash", sa.String(), nullable=False),
+        sa.Column(
+            "modified",
+            sa.DateTime(timezone=True),
+            server_default=sa.text("now()"),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            name="fk_users_secrets_user_id_users",
+            onupdate="CASCADE",
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("user_id", name="users_secrets_pkey"),
+    )
+
+    # Copy password data from users table to users_secrets table
+    op.execute(
+        sa.DDL(
+            """
+        INSERT INTO users_secrets (user_id, password_hash, modified)
+        SELECT id, password_hash, created_at
+        FROM users
+        WHERE password_hash IS NOT NULL
+    """
+        )
+    )
+
+    op.drop_column("users", "password_hash")
+
+
+def downgrade():
+    # Add column as nullable first
+    op.add_column(
+        "users",
+        sa.Column("password_hash", sa.VARCHAR(), autoincrement=False, nullable=True),
+    )
+
+    # Copy password data back from users_secrets table to users table
+    op.execute(
+        sa.DDL(
+            """
+        UPDATE users
+        SET password_hash = us.password_hash
+        FROM users_secrets us
+        WHERE users.id = us.user_id
+    """
+        )
+    )
+
+    # Now make the column NOT NULL
+    op.alter_column("users", "password_hash", nullable=False)
+
+    op.drop_table("users_secrets")

packages/postgres-database/src/simcore_postgres_database/models/_common.py

@@ -16,24 +16,28 @@ class RefActions:
     NO_ACTION: Final[str] = "NO ACTION"
 
 
-def column_created_datetime(*, timezone: bool = True) -> sa.Column:
+def column_created_datetime(
+    *, timezone: bool = True, doc="Timestamp auto-generated upon creation"
+) -> sa.Column:
     return sa.Column(
         "created",
         sa.DateTime(timezone=timezone),
         nullable=False,
         server_default=sa.sql.func.now(),
-        doc="Timestamp auto-generated upon creation",
+        doc=doc,
     )
 
 
-def column_modified_datetime(*, timezone: bool = True) -> sa.Column:
+def column_modified_datetime(
+    *, timezone: bool = True, doc="Timestamp with last row update"
+) -> sa.Column:
     return sa.Column(
         "modified",
         sa.DateTime(timezone=timezone),
         nullable=False,
         server_default=sa.sql.func.now(),
         onupdate=sa.sql.func.now(),
-        doc="Timestamp with last row update",
+        doc=doc,
     )
 
 

packages/postgres-database/src/simcore_postgres_database/models/users.py

@@ -67,15 +67,6 @@
         "NOTE: new policy (NK) is that the same phone can be reused therefore it does not has to be unique",
     ),
     #
-    # User Secrets  ------------------
-    #
-    sa.Column(
-        "password_hash",
-        sa.String(),
-        nullable=False,
-        doc="Hashed password",
-    ),
-    #
     # User Account ------------------
     #
     sa.Column(

packages/postgres-database/src/simcore_postgres_database/models/users_secrets.py

@@ -0,0 +1,34 @@
+import sqlalchemy as sa
+
+from ._common import RefActions, column_modified_datetime
+from .base import metadata
+
+__all__: tuple[str, ...] = ("users_secrets",)
+
+users_secrets = sa.Table(
+    "users_secrets",
+    metadata,
+    #
+    # User Secrets  ------------------
+    #
+    sa.Column(
+        "user_id",
+        sa.BigInteger(),
+        sa.ForeignKey(
+            "users.id",
+            name="fk_users_secrets_user_id_users",
+            onupdate=RefActions.CASCADE,
+            ondelete=RefActions.CASCADE,
+        ),
+        nullable=False,
+    ),
+    sa.Column(
+        "password_hash",
+        sa.String(),
+        nullable=False,
+        doc="Hashed password",
+    ),
+    column_modified_datetime(timezone=True, doc="Last password modification timestamp"),
+    # ---------------------------
+    sa.PrimaryKeyConstraint("user_id", name="users_secrets_pkey"),
+)