Fix ephemeral webauthn_id for existing users #125
…n_id` column Replaces invoke of `active_record:migration` with a migration template that includes the `webauthn_id` column and backfill for existing records.
…re_create` Now that we are backfilling the `webauthn_id` for existing users, we can switch the `after_initialize` for a `before_create`.
Should we have the generated migration on the internal app?
We don't have the migrations in our internal app 😕
| # WARNING: The code below backfills webauthn_id for all existing records | ||
| # one row at a time. For larger tables, consider removing it and running | ||
| # the backfill separately (e.g., in a background job or maintenance task). | ||
| # | ||
| # Worth noting: PostgreSQL and MySQL support single-query backfills: | ||
| # | ||
| # PostgreSQL: | ||
| # UPDATE <%= user_table_name %> SET webauthn_id = encode(gen_random_bytes(64), 'base64') WHERE webauthn_id IS NULL | ||
| # | ||
| # MySQL: | ||
| # UPDATE <%= user_table_name %> SET webauthn_id = TO_BASE64(RANDOM_BYTES(64)) WHERE webauthn_id IS NULL | ||
| # |
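Review bot: The PostgreSQL and MySQL one-liners in this comment block would store a `webauthn_id` containing an embedded newline. 64 random bytes encode to 88 base64 characters, and both `encode(..., 'base64')` and `TO_BASE64()` break their output after 76 characters. Suggest stripping the line break inside the query (wrapping the expression in the database's `replace` function) or generating fewer bytes so the encoded value stays under 76 characters. It is also worth adding to the comment that `gen_random_bytes` is provided by the `pgcrypto` extension, so the PostgreSQL variant fails on databases where it is not enabled, and that the resulting values should use the same encoding as the ones the model callback generates for new records.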
@RenzoMinelli I'm hesitant over mentioning in the code the option of setting the default in the database – as the value that we are trying to set is not static, I think it will trigger a full rewrite of the database which would lock the table on most database engines 😕
Yeah, looking into this, it would be basically the same as what's presented here: it needs to update each row individually. Okay, sounds good.
Having considered some options, we decided to add some sort of “placeholder” data migration to let users know that they should do that and perhaps find their own way of solving it. We know this solution is not ideal, but we think it’s the best we can do at least for now – feedback and alternative solutions are more than welcome 🙂 A couple of the solutions considered:
Fixes #120.
Details:
- `webauthn_id` in the `resource` table that backfills `webauthn_id` for existing records.
- `webauthn_id` generation from `after_initialize` to `before_validation`, so it only runs once at record validation time. That way, when updating an existing user that doesn't have a `webauthn_id`, the callback will set it.