New migration to hash tokens

jlledom · jlledom · commit dfaf55e8fda5 · 2026-03-20T14:56:03.000+01:00
diff --git a/db/migrate/20260310134934_hash_access_token_values.rb b/db/migrate/20260310134934_hash_access_token_values.rb
@@ -0,0 +1,38 @@
+class HashAccessTokenValues < ActiveRecord::Migration[7.1]
+  disable_ddl_transaction! if System::Database.postgres?
+
+  BATCH_SIZE = 1000
+  DIGEST_PREFIX = 'SHA384$'.freeze
+
+  def up
+    say "Hashing legacy access token values..."
+
+    loop do
+      rows_updated = exec_update(batch_update_sql)
+      break if rows_updated == 0
+
+      sleep(0.1)
+    end
+
+    say "Done."
+  end
+
+  private
+
+  def batch_update_sql
+    if System::Database.mysql?
+      "UPDATE access_tokens SET value = CONCAT('#{DIGEST_PREFIX}', SHA2(value, 384)) " \
+        "WHERE value NOT LIKE '#{DIGEST_PREFIX}%' LIMIT #{BATCH_SIZE}"
+    elsif System::Database.postgres?
+      "UPDATE access_tokens SET value = '#{DIGEST_PREFIX}' || encode(sha384(value::bytea), 'hex') " \
+        "WHERE id IN (SELECT id FROM access_tokens WHERE value NOT LIKE '#{DIGEST_PREFIX}%' LIMIT #{BATCH_SIZE})"
+    elsif System::Database.oracle?
+      "UPDATE access_tokens SET value = '#{DIGEST_PREFIX}' || LOWER(STANDARD_HASH(value, 'SHA384')) " \
+        "WHERE ROWID IN (SELECT ROWID FROM access_tokens WHERE value NOT LIKE '#{DIGEST_PREFIX}%' AND ROWNUM <= #{BATCH_SIZE})"
+    end
+  end
+
+  def down
+    raise ActiveRecord::IrreversibleMigration
+  end
+end
diff --git a/db/oracle_schema.rb b/db/oracle_schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2025_05_22_195407) do
+ActiveRecord::Schema[7.1].define(version: 2026_03_10_134934) do
   create_table "access_tokens", force: :cascade do |t|
     t.integer "owner_id", precision: 38, null: false
     t.text "scopes"
diff --git a/db/postgres_schema.rb b/db/postgres_schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2025_05_22_195407) do
+ActiveRecord::Schema[7.1].define(version: 2026_03_10_134934) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
diff --git a/db/schema.rb b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2025_05_22_195407) do
+ActiveRecord::Schema[7.1].define(version: 2026_03_10_134934) do
   create_table "access_tokens", charset: "utf8mb3", collation: "utf8mb3_bin", force: :cascade do |t|
     t.bigint "owner_id", null: false
     t.text "scopes"

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`#`
`11`	`11`	`# It's strongly recommended that you check this file into your version control system.`
`12`	`12`
`13`		`-ActiveRecord::Schema[7.1].define(version: 2025_05_22_195407) do`
	`13`	`+ActiveRecord::Schema[7.1].define(version: 2026_03_10_134934) do`
`14`	`14`	`create_table "access_tokens", force: :cascade do \|t\|`
`15`	`15`	`t.integer "owner_id", precision: 38, null: false`
`16`	`16`	`t.text "scopes"`