Remove Cognito auto-refresh and PII from database - TEST#209
Merged
…ors/12h

The auto-refresh-from-Cognito code path attempted to call AdminGetUser on every request for users without email, but AWS credentials were never configured — generating constant cognito_user_info_error noise. Since Dec 2 2025 (c848bf2), email is optional metadata and cognito_user_id is the sole identity key; aggressively chasing email server-side contradicts that design. Email is still opportunistically captured from the JWT when present.

Removed:
- Both auto-refresh blocks in dependencies.py (new-user + existing-user)
- update_user_from_cognito() in crud/user.py (only caller was auto-refresh)
- get_user_info() in cognito_service.py (only caller was the above)
- cognito_service import from dependencies.py

Kept:
- cognito_service.delete_user() (used by account deletion endpoint)
- JWT-based email update (passive, no server-side AWS call)

Made-with: Cursor

… time

- Drop email and name columns from users table (alembic migration)
- GET /me now fetches email live from Cognito via user's access token (same pattern as the frontend's GetUserCommand)
- cognito_service uses ECS task role instead of explicit AWS credentials
- Remove email sync logic from auth pipeline (dependencies.py)
- Remove get_user_by_email, UserCreate, UserUpdate, UserLogin schemas
- Remove AWS_ACCESS_KEY_ID/SECRET/TOKEN from config (task role provides creds)
- Clean up all email/name references in cache, logging, and local testing

Cognito is now the single source of truth for PII. The database only stores cognito_user_id and application-level fields.

Made-with: Cursor

- Changed the method of determining the database host and port by retrieving connection details from a dedicated AWS Secrets Manager secret.
- Updated the DATABASE_URL format to include the port for PostgreSQL connections.
- Improved comments for clarity regarding environment determination and database credential retrieval.

This refactor enhances the maintainability and clarity of the build workflow configuration.

feat: remove PII from database, resolve email from Cognito live
Summary
- email and name columns from the users table — PII now lives exclusively in Cognito
- GET /me fetches email live from Cognito using the caller's own access token (same pattern as the frontend's GetUserCommand) — nothing stored, retrieved at execution
- cognito_service uses ECS task role instead of explicit AWS credentials (which were never set and caused 2500+ UnrecognizedClientException errors per 12h window)
- AdminDeleteUser (production only, per PR Delete Cognito user only in production; skip in dev/test #202)
- get_user_by_email, UserCreate/UserUpdate/UserLogin schemas, AWS_ACCESS_KEY_ID/SECRET/TOKEN config, email sync in auth pipeline

Companion Infra changes (Morpheus-Infra)

- AdminDeleteUser + GetUser on the Cognito user pool (task role)
- AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY/SESSION_TOKEN from ECS task definition secrets

Migration

Alembic migration drop_email_name_2026 drops email and name columns and the ix_users_email_nonunique index. Reversible (downgrade adds columns back as nullable).
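
The live-lookup pattern the summary describes for GET /me, as an added example that is not code from this PR or repository: email is resolved from Cognito GetUser with the caller's own access token and never written to the database. The function names, logger name and the FakeCognito stand-in are hypothetical; only the boto3 `cognito-idp` `get_user(AccessToken=...)` call is the real API.

```python
import logging
from typing import Any, Optional

log = logging.getLogger("me_endpoint")  # hypothetical logger name


def make_cognito_client(region: str) -> Any:
    # No explicit keys: boto3's default credential chain resolves the ECS task role.
    import boto3  # lazy import so the rest of the example runs without boto3
    return boto3.client("cognito-idp", region_name=region)


def email_from_access_token(client: Any, access_token: str) -> Optional[str]:
    """Return the caller's email from Cognito GetUser, or None if unavailable.

    GetUser is authorized by the user's own access token, so a caller can only
    read their own attributes (the token must carry the
    aws.cognito.signin.user.admin scope).
    """
    try:
        resp = client.get_user(AccessToken=access_token)
    except Exception as exc:
        # Email is optional metadata: degrade to None rather than fail the
        # request. Log only the error type, never the token or attributes.
        log.warning("cognito_get_user_failed type=%s", type(exc).__name__)
        return None
    attrs = {a["Name"]: a["Value"] for a in resp.get("UserAttributes", [])}
    return attrs.get("email")


def build_me_response(user_row: dict, client: Any, access_token: str) -> dict:
    """Combine DB fields (no PII) with the email resolved at request time."""
    return {
        "cognito_user_id": user_row["cognito_user_id"],
        "email": email_from_access_token(client, access_token),
    }


class FakeCognito:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, users: dict):
        self.users = users

    def get_user(self, AccessToken: str) -> dict:
        if AccessToken not in self.users:
            raise RuntimeError("NotAuthorizedException (constructed)")
        return {"Username": "constructed", "UserAttributes": self.users[AccessToken]}
```

In a deployed service, `make_cognito_client(region)` replaces `FakeCognito`; the response shape and the None fallback stay the same.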