@mdroidian
Contributor

@mdroidian mdroidian commented Jun 9, 2025

To be used for GitHub Apps initially.

node -e "if (process.env.HOME !== '/vercel') { require('child_process').execSync('supabase start && supabase migrations up && (supabase gen types typescript --local --schema public > types.gen.ts)', { stdio: 'inherit' }) }"


Summary by CodeRabbit

  • New Features

    • Introduced a new "access-token" table to the database, enabling storage and management of access tokens with associated codes, states, and timestamps.
  • Bug Fixes

    • Not applicable.
  • Documentation

    • Not applicable.
  • Chores

    • Updated database configuration and type definitions to reflect the new "access-token" table.

@vercel

vercel bot commented Jun 9, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
discourse-graph ✅ Ready (Inspect) Visit Preview 💬 Add feedback Jun 10, 2025 8:22pm

@coderabbitai
Contributor

coderabbitai bot commented Jun 9, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Walkthrough

A new database table named "access-token" has been introduced, along with its schema, migration script, and TypeScript type definitions. Configuration files were updated to include the new schema. The table features several columns, indexes, a check constraint, and grants specific privileges to certain roles.

Changes

File(s) | Change Summary
packages/database/supabase/schemas/access_token.sql, packages/database/supabase/migrations/...sql | Added creation of "access-token" table with columns, indexes, and constraints.
packages/database/supabase/config.toml | Appended access_token.sql to the schema paths for migrations.
packages/database/types.gen.ts | Added TypeScript type definitions for the new "access-token" table in the Database["public"]["Tables"] type.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Database

    Client->>Database: Insert new access-token (with code/state)
    Database-->>Client: Insert success/failure (check constraint enforced)

    Client->>Database: Query access-token by code/state/access-token
    Database-->>Client: Return matching access-token rows

    Client->>Database: Update access-token fields
    Database-->>Client: Update success/failure

    Client->>Database: Delete access-token
    Database-->>Client: Delete success/failure

@mdroidian mdroidian requested review from maparent and removed request for maparent June 9, 2025 05:22
@mdroidian
Contributor Author

@CodeRabbit full review

@coderabbitai
Contributor

coderabbitai bot commented Jun 9, 2025

✅ Actions performed

Full review triggered.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
packages/database/types.gen.ts (1)

12-35: Consider reviewing naming conventions for database identifiers.

The TypeScript types are correctly structured and consistent with the database schema. However, consider these naming convention improvements:

  1. Table name "access-token" uses hyphens, which is less common than underscores in database naming
  2. Column name "access-token" matches the table name, which could cause confusion

Consider renaming to improve clarity:

-      "access-token": {
+      "access_token": {
         Row: {
-          "access-token": string
+          token: string
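Review bot: The rename on these lines is made in packages/database/types.gen.ts, which the PR description shows is written by `supabase gen types typescript --local --schema public > types.gen.ts`, so a hand edit here is lost on the next run. Apply the table and column rename in schemas/access_token.sql and the migration, then regenerate the types so the three files stay in agreement.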
packages/database/supabase/schemas/access_token.sql (1)

12-15: Optimize indexing strategy for nullable columns.

Creating indexes on nullable columns (code, state) may have limited effectiveness depending on data distribution. Consider:

  1. Partial indexes for better performance:
-create index access_token_code_idx on "access-token" (code);
-create index access_token_state_idx on "access-token" (state);
+create index access_token_code_idx on "access-token" (code) where code is not null;
+create index access_token_state_idx on "access-token" (state) where state is not null;
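Review bot: The two `+` lines redefine access_token_code_idx and access_token_state_idx in the schema file only, while the walkthrough lists the same indexes in the migration, so the migration needs the matching `where ... is not null` predicates or the two definitions drift apart. Before adopting partial indexes, also confirm that the lookups filter with an equality on code or state, since the planner uses a partial index only when the query's condition implies the index predicate.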
  2. Consider composite indexes if you frequently query by combinations of these fields.
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 901e473 and a8d9848.

📒 Files selected for processing (4)
  • packages/database/supabase/config.toml (1 hunks)
  • packages/database/supabase/migrations/20250609051037_create_access_table.sql (1 hunks)
  • packages/database/supabase/schemas/access_token.sql (1 hunks)
  • packages/database/types.gen.ts (1 hunks)
🔇 Additional comments (2)
packages/database/supabase/config.toml (1)

62-62: LGTM! Schema path correctly added.

The new access_token.sql schema file is properly integrated into the migration configuration following the existing pattern.

packages/database/supabase/migrations/20250609051037_create_access_table.sql (1)

22-24: Good practice: Proper constraint validation pattern.

The migration correctly uses the two-step constraint creation pattern (add as not valid, then validate), which is a PostgreSQL best practice for large tables as it avoids blocking writes during validation.

@maparent
Collaborator

maparent commented Jun 9, 2025

Ok, a few questions: Are access tokens unique for spaces? In which case should the Id not be the foreign key to the state instead of an independent identity?
If they are indeed not unique, would they have an owner? (reference to PlatformAccount)
And would they still not reference a space in any case?
Either way the space should be indexed, as it is the most likely point of access.
What is the semantic of code and state? Should those two have an index? (I.e. are they likely to be the identifiers in a query, vs a filter? There is a performance cost to unused indices.)
I think I need to understand more about the intent of the table.
On another note: Right now I have a SpaceAccess table, which has an "editor" boolean. I'm thinking we'll need three states: Reader, Editor, Admin. The latter would gate access to the token table.
I have another thought: Should we instead have a "SpaceAdminSecrets" table with a json or columns? Is there any chance we'll go beyond tokens someday? I'm thinking of state-specific access token for LLM providers, in particular. (which is open-ended, and why I'm leaning on json, but not strongly.)

@maparent
Collaborator

maparent commented Jun 9, 2025

Another issue, on me: I'm maintaining the linkml/svg with tooling that I did not include in the build, because I did not want to impose it to everyone to install. As long as I was mostly manipulating the tables, not an issue. Do you have an opinion on whether I should include it or keep maintaining it in the background?

@mdroidian
Contributor Author

> I think I need to understand more about the intent of the table.

For this use case it is authorizing a GitHub App to act on users' behalf to sync a Discourse Node to a GitHub Issue.
Flow:

  • user clicks "Install App", generate state, get popup
  • user installs app on repo
  • popup window redirects to our callback page with code
  • callback page uses code to get accessToken
  • on success
    • save to db
    • post accessToken back to browser, store in app
    • when app is used instead of browser, we cannot post back, so client periodically calls table for state

> Ok, a few questions: Are access tokens unique for spaces?

Not necessarily, they could possibly have a PlatformAccount in the future. Other uses for this table might be tied to spaces. In either case, we'll address that if/when it shows up.

> What is the semantic of code and state? Should those two have an index?

Both will be used to query the table and return accessToken.

> On another note: Right now I have a SpaceAccess table, which has an "editor" boolean. I'm thinking we'll need three states: Reader, Editor, Admin. The latter would gate access to the token table.

I don't see the need currently.

> I have another thought: Should we instead have a "SpaceAdminSecrets" table with a json or columns?

I don't think so.

> Is there any chance we'll go beyond tokens someday? I'm thinking of state-specific access token for LLM providers, in particular.

Maybe. We'll cross that bridge when we come to it.

@mdroidian
Contributor Author

> Another issue, on me: I'm maintaining the linkml/svg

Any feature in the repo should not be dependent on a single dev. If we keep it, instructions need to be included. Ideally this would be automated by an npm package and not require additional local tooling.

@mdroidian mdroidian force-pushed the eng-430-add-access-token-table branch from fbd47d8 to f5e2dd3 Compare June 10, 2025 03:52
…r consistency. Update permissions and indexes in SQL migration files.
@mdroidian
Contributor Author

@maparent added platform_account_id, awaiting review.

@maparent
Collaborator

Still trying to understand some of the details of part of the flow:

  • > user clicks "Install App", generate state, get popup
    Click presumably in frontend, is popup also under control of frontend?
  • > user installs app on repo
    That's on GitHub, right?
  • > popup window redirects to our callback page with code
    Who generates code? GitHub or popup?
  • > callback page uses code to get accessToken
    assuming that's a vercel function calling GitHub... but through a browser page. accessToken from GitHub
  • > on success
    • > save to db
      still Vercel function
    • > post accessToken back to browser, store in app
      inter-page channel?
    • > when app is used instead of browser, we cannot post back, so client periodically calls table for state
      I think you mean using state as a key.?

Anyhow the reason I'm asking for details, besides clarity, is I'm trying to see if there's a primary key in there besides the numeric identity. I suspect state is the primary key, and what is used to make queries, or is it code? Would it make sense to use state directly as a primary key and not use a numeric identity at all?

@maparent
Collaborator

> > Another issue, on me: I'm maintaining the linkml/svg
>
> Any feature in the repo should not be dependent on a single dev. If we keep it, instructions need to be included. Ideally this would be automated by an npm package and not require additional local tooling.

That's why I have not done it yet, LinkML is a python package, no NPM version. I could probably make it run using minimal tooling installs, but I want an ok for installing non-npm tools. Same with plantuml, there's an npm version but it's quite outdated. Npm is a bottleneck.

@maparent
Collaborator

Other than the primary key issue, the rest looks good.

@mdroidian
Contributor Author

Reviewed live by @maparent

@mdroidian mdroidian merged commit 7255081 into main Jun 10, 2025
3 checks passed
@mdroidian mdroidian deleted the eng-430-add-access-token-table branch June 10, 2025 20:25
@github-project-automation github-project-automation bot moved this to Done in General Jun 10, 2025
maparent added a commit that referenced this pull request Jun 19, 2025
There were a few discrepancies between schemas and migrations introduced in #215 and #196. 
This ensures that the `supabase db diff` confirms equivalence.