More database fixes.

Author: ThreeHats

go-relay/internal/database/db.go

@@ -779,6 +779,73 @@ func backfillEmailVerified(ctx context.Context, sqlDB *sqlx.DB, dbType string) {
 	_, _ = sqlDB.ExecContext(ctx, fmt.Sprintf(`INSERT INTO %s (name) VALUES ($1)`, smTable), migrationName)
 }
 
+// backfillUserAPIKeyHashes generates a fresh master API key hash for any Users row
+// whose apiKeyHash is NULL. This happens for Sequelize-era accounts where the
+// plaintext apiKey column was dropped before its SHA-256 hash was stored.
+// Without apiKeyHash, WebSocket connection-token validation always fails because
+// the user lookup returns an empty identifier.
+//
+// The generated key is random — the user never knew it and doesn't need to. It
+// exists only so the relay can use apiKeyHash as a stable per-account identifier
+// in ClientManager and Redis. If the user later needs to use their master API key
+// directly, they can regenerate it from the dashboard (which shows it once).
+func backfillUserAPIKeyHashes(ctx context.Context, sqlDB *sqlx.DB, dbType string) {
+	const migrationName = "backfill_user_api_key_hashes_v3_1"
+	smTable := "SchemaMigrations"
+	usersTable := "Users"
+	if dbType != "sqlite" {
+		smTable = `"SchemaMigrations"`
+		usersTable = `"Users"`
+	}
+
+	var count int
+	_ = sqlDB.GetContext(ctx, &count, fmt.Sprintf(`SELECT COUNT(*) FROM %s WHERE name = $1`, smTable), migrationName)
+	if count > 0 {
+		return
+	}
+
+	// Find all users with no apiKeyHash.
+	rows, err := sqlDB.QueryContext(ctx, fmt.Sprintf(`SELECT id FROM %s WHERE "apiKeyHash" IS NULL OR "apiKeyHash" = ''`, usersTable))
+	if err != nil {
+		log.Warn().Err(err).Msg("backfillUserAPIKeyHashes: failed to query users")
+		return
+	}
+	defer rows.Close()
+
+	var ids []int64
+	for rows.Next() {
+		var id int64
+		if err := rows.Scan(&id); err == nil {
+			ids = append(ids, id)
+		}
+	}
+	_ = rows.Close()
+
+	for _, id := range ids {
+		// GenerateAPIKey returns 64 random hex chars (32 bytes via crypto/rand).
+		rawKey, err := model.GenerateAPIKey()
+		if err != nil {
+			log.Warn().Err(err).Int64("userId", id).Msg("backfillUserAPIKeyHashes: failed to generate key")
+			continue
+		}
+		sum := sha256.Sum256([]byte(rawKey))
+		hash := hex.EncodeToString(sum[:])
+		if _, err := sqlDB.ExecContext(ctx,
+			fmt.Sprintf(`UPDATE %s SET "apiKeyHash" = $1, "apiKeyRotationRequired" = TRUE WHERE id = $2`, usersTable),
+			hash, id,
+		); err != nil {
+			log.Warn().Err(err).Int64("userId", id).Msg("backfillUserAPIKeyHashes: failed to update user")
+		} else {
+			log.Info().Int64("userId", id).Msg("backfillUserAPIKeyHashes: generated apiKeyHash for user")
+		}
+	}
+
+	if len(ids) > 0 {
+		log.Info().Int("count", len(ids)).Msg("backfillUserAPIKeyHashes: populated missing apiKeyHash values")
+	}
+	_, _ = sqlDB.ExecContext(ctx, fmt.Sprintf(`INSERT INTO %s (name) VALUES ($1)`, smTable), migrationName)
+}
+
 // addWorldIdUniqueConstraint is the v3.0 migration that:
 //  1. Deletes all KnownClients rows with NULL worldId (unknown-world orphans from v2.x)
 //  2. Creates a UNIQUE index on (userId, worldId) so each world can only have one row per user
@@ -1143,6 +1210,7 @@ func (db *DB) migratePostgres(ctx context.Context) error {
 		`ALTER TABLE "ConnectionTokens" ADD COLUMN IF NOT EXISTS "remoteRequestsPerHour" INTEGER DEFAULT 0`,
 		`ALTER TABLE "ConnectionTokens" ADD COLUMN IF NOT EXISTS source VARCHAR(20) DEFAULT 'dashboard'`,
 		`ALTER TABLE "ConnectionTokens" ADD COLUMN IF NOT EXISTS "clientId" VARCHAR(255) DEFAULT ''`,
+		`ALTER TABLE "ConnectionTokens" ADD COLUMN IF NOT EXISTS "lastUsedAt" TIMESTAMPTZ`,
 		// Pairing code can be bound to an existing clientId for "add browser" flows
 		`ALTER TABLE "PairingCodes" ADD COLUMN IF NOT EXISTS "clientId" VARCHAR(255)`,
 		`ALTER TABLE "PairingCodes" ADD COLUMN IF NOT EXISTS "allowedTargetClients" TEXT DEFAULT ''`,
@@ -1413,6 +1481,10 @@ func (db *DB) migratePostgres(ctx context.Context) error {
 	// since email verification was introduced after these accounts were created.
 	backfillEmailVerified(ctx, db.sqlDB, "postgres")
 
+	// v3.1: generate apiKeyHash for Sequelize-era accounts that had their
+	// plaintext apiKey column dropped before the hash was computed.
+	backfillUserAPIKeyHashes(ctx, db.sqlDB, "postgres")
+
 	return nil
 }
 

go-relay/internal/handler/connection_tokens.go

@@ -404,7 +404,7 @@ func RegisterConnectionTokenRoutes(r chi.Router, db *database.DB, cfg *config.Co
 			"relayUrl": relayURL,
 		})
 
-		log.Info().Int64("userId", pairingCode.UserID).Str("clientId", clientID).Str("worldId", body.WorldID).Msg("Pairing completed")
+		log.Info().Int64("userId", pairingCode.UserID).Str("clientId", clientID).Str("worldId", body.WorldID).Int64("tokenId", connToken.ID).Str("tokenHashPrefix", tokenHash[:8]+"…").Msg("Pairing completed")
 	})
 
 	// GET /auth/remote-request-logs — View cross-world audit log (authenticated, master key only)

go-relay/internal/model/known_client.go

@@ -226,7 +226,7 @@ func (s *SQLKnownClientStore) Upsert(ctx context.Context, client *KnownClient) e
 	return s.DB.QueryRowContext(ctx, query,
 		client.UserID, client.ClientID, client.WorldID, client.WorldTitle,
 		client.SystemID, client.SystemTitle, client.SystemVersion,
-		client.FoundryVersion, client.CustomName, client.IsOnline,
+		client.FoundryVersion, client.CustomName, bool(client.IsOnline),
 		now, now,
 	).Scan(&client.ID)
 }
@@ -321,13 +321,9 @@ func (s *SQLKnownClientStore) SetCredentialID(ctx context.Context, id int64, cre
 
 func (s *SQLKnownClientStore) SetAutoStartOnRemoteRequest(ctx context.Context, id int64, enabled bool) error {
 	now := NewSQLiteTime(time.Now())
-	val := 0
-	if enabled {
-		val = 1
-	}
 	query := fmt.Sprintf(`UPDATE %s SET %s = $1, %s = $2 WHERE id = $3`,
 		s.tableName(), s.col("auto_start_on_remote_request"), s.col("updated_at"))
-	_, err := s.DB.ExecContext(ctx, query, val, now, id)
+	_, err := s.DB.ExecContext(ctx, query, enabled, now, id)
 	return err
 }
 

go-relay/internal/model/remote_request_log.go

@@ -70,7 +70,7 @@ func (s *SQLRemoteRequestLogStore) Create(ctx context.Context, l *RemoteRequestL
 		query += " RETURNING id"
 		return s.DB.QueryRowContext(ctx, query,
 			l.UserID, l.SourceClientID, l.SourceTokenID, l.TargetClientID,
-			l.Action, l.Success, l.ErrorMessage, l.SourceIP, now,
+			l.Action, bool(l.Success), l.ErrorMessage, l.SourceIP, now,
 		).Scan(&l.ID)
 	}
 

go-relay/internal/server/server.go

@@ -729,7 +729,7 @@ func (s *Server) setupRouter() *chi.Mux {
 		ValidateConnectionToken:  service.MakeWSValidateConnectionToken(s.db),
 		ValidateHeadless: func(clientID, token string) (bool, error) {
 			if s.Headless == nil {
-				return false, nil
+				return true, nil
 			}
 			return s.Headless.ValidateHeadlessSession(clientID, token)
 		},

go-relay/internal/service/api_key_validation.go

@@ -108,7 +108,12 @@ func MakeWSValidateConnectionToken(db *database.DB) func(token string) (string,
 
 		ctx := context.Background()
 		ct, err := db.ConnectionTokenStore().FindByTokenHash(ctx, tokenHash)
-		if err != nil || ct == nil {
+		if err != nil {
+			log.Warn().Err(err).Str("hash", tokenHash[:8]+"…").Msg("Connection token lookup DB error")
+			return "", "", "", 0, fmt.Errorf("invalid connection token")
+		}
+		if ct == nil {
+			log.Warn().Str("hash", tokenHash[:8]+"…").Msg("Connection token not found in DB")
 			return "", "", "", 0, fmt.Errorf("invalid connection token")
 		}