Add AuthDataMigrationJob model and related migration scripts

- Introduced the AuthDataMigrationJob model in the Prisma schema to manage authentication migration jobs.
- Created SQL migration scripts to establish the AuthDataMigrationJob table with necessary constraints and indexes.
- Implemented API routes for creating, listing, retrieving, and retrying auth migration jobs.
- Added utility functions for handling encryption and decryption of migration credentials.
- Developed tests to validate the functionality and constraints of the new migration job model.

Author: mantrakp04

apps/backend/prisma/migrations/20260501000000_auth_data_migration_jobs/migration.sql

@@ -0,0 +1,33 @@
+CREATE TABLE "AuthDataMigrationJob" (
+  "tenancyId" UUID NOT NULL,
+  "id" UUID NOT NULL DEFAULT gen_random_uuid(),
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  "projectId" TEXT NOT NULL,
+  "branchId" TEXT NOT NULL,
+  "provider" TEXT NOT NULL,
+  "status" TEXT NOT NULL DEFAULT 'PENDING',
+  "encryptedCredentials" JSONB NOT NULL,
+  "createdByProjectUserId" UUID,
+  "attemptCount" INTEGER NOT NULL DEFAULT 0,
+  "maxAttempts" INTEGER NOT NULL DEFAULT 5,
+  "nextAttemptAt" TIMESTAMP(3) DEFAULT CURRENT_TIMESTAMP,
+  "startedAt" TIMESTAMP(3),
+  "finishedAt" TIMESTAMP(3),
+  "lastErrorExternalMessage" TEXT,
+  "lastErrorInternalDetails" JSONB,
+  "result" JSONB,
+
+  CONSTRAINT "AuthDataMigrationJob_pkey" PRIMARY KEY ("tenancyId", "id"),
+  CONSTRAINT "AuthDataMigrationJob_tenancyId_fkey" FOREIGN KEY ("tenancyId") REFERENCES "Tenancy"("id") ON DELETE CASCADE ON UPDATE CASCADE,
+  CONSTRAINT "AuthDataMigrationJob_provider_valid" CHECK ("provider" IN ('workos', 'clerk', 'authjs', 'auth0', 'supabase', 'better_auth')),
+  CONSTRAINT "AuthDataMigrationJob_status_valid" CHECK ("status" IN ('PENDING', 'RUNNING', 'WAITING_RETRY', 'SUCCEEDED', 'FAILED')),
+  CONSTRAINT "AuthDataMigrationJob_attempts_valid" CHECK ("attemptCount" >= 0 AND "maxAttempts" > 0),
+  CONSTRAINT "AuthDataMigrationJob_terminal_finished" CHECK (
+    ("status" IN ('SUCCEEDED', 'FAILED') AND "finishedAt" IS NOT NULL)
+    OR ("status" NOT IN ('SUCCEEDED', 'FAILED'))
+  )
+);
+
+CREATE INDEX "AuthDataMigrationJob_queue_idx" ON "AuthDataMigrationJob"("status", "nextAttemptAt", "createdAt");
+CREATE INDEX "AuthDataMigrationJob_tenancy_created_idx" ON "AuthDataMigrationJob"("tenancyId", "createdAt");

apps/backend/prisma/migrations/20260501000000_auth_data_migration_jobs/tests/job-table-constraints.ts

@@ -0,0 +1,51 @@
+import { randomUUID } from "crypto";
+import type { Sql } from "postgres";
+import { expect } from "vitest";
+
+export const preMigration = async (sql: Sql) => {
+  const projectId = `test-${randomUUID()}`;
+  const tenancyId = randomUUID();
+
+  await sql`INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode") VALUES (${projectId}, NOW(), NOW(), 'Auth Migration Test', '', false)`;
+  await sql`INSERT INTO "Tenancy" ("id", "createdAt", "updatedAt", "projectId", "branchId", "hasNoOrganization") VALUES (${tenancyId}::uuid, NOW(), NOW(), ${projectId}, 'main', 'TRUE'::"BooleanTrue")`;
+
+  return { projectId, tenancyId };
+};
+
+export const postMigration = async (sql: Sql, ctx: Awaited<ReturnType<typeof preMigration>>) => {
+  const jobId = randomUUID();
+
+  await sql`
+    INSERT INTO "AuthDataMigrationJob" (
+      "tenancyId", "id", "projectId", "branchId", "provider", "encryptedCredentials"
+    )
+    VALUES (
+      ${ctx.tenancyId}::uuid, ${jobId}::uuid, ${ctx.projectId}, 'main', 'better_auth', '{"ciphertext_base64":"abc"}'::jsonb
+    )
+  `;
+
+  const rows = await sql`
+    SELECT "status", "attemptCount", "maxAttempts"
+    FROM "AuthDataMigrationJob"
+    WHERE "tenancyId" = ${ctx.tenancyId}::uuid AND "id" = ${jobId}::uuid
+  `;
+  expect(rows).toHaveLength(1);
+  expect(rows[0].status).toBe("PENDING");
+  expect(rows[0].attemptCount).toBe(0);
+  expect(rows[0].maxAttempts).toBe(5);
+
+  await expect(sql`
+    INSERT INTO "AuthDataMigrationJob" (
+      "tenancyId", "projectId", "branchId", "provider", "status", "encryptedCredentials"
+    )
+    VALUES (
+      ${ctx.tenancyId}::uuid, ${ctx.projectId}, 'main', 'unknown', 'PENDING', '{"ciphertext_base64":"abc"}'::jsonb
+    )
+  `).rejects.toThrow(/AuthDataMigrationJob_provider_valid/);
+
+  await expect(sql`
+    UPDATE "AuthDataMigrationJob"
+    SET "status" = 'SUCCEEDED', "finishedAt" = NULL
+    WHERE "tenancyId" = ${ctx.tenancyId}::uuid AND "id" = ${jobId}::uuid
+  `).rejects.toThrow(/AuthDataMigrationJob_terminal_finished/);
+};

apps/backend/prisma/schema.prisma

@@ -73,6 +73,7 @@ model Tenancy {
   organizationId      String?              @db.Uuid
   hasNoOrganization   BooleanTrue?
   emailOutboxes       EmailOutbox[]
+  authDataMigrationJobs AuthDataMigrationJob[]
   sessionReplays      SessionReplay[]
   sessionReplayChunks SessionReplayChunk[]
   managedEmailDomains ManagedEmailDomain[]
@@ -1076,6 +1077,39 @@ model EmailOutboxProcessingMetadata {
   lastExecutedAt DateTime?
 }
 
+model AuthDataMigrationJob {
+  tenancyId String @db.Uuid
+  id        String @default(uuid()) @db.Uuid
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  projectId String
+  branchId  String
+  provider  String
+  status    String @default("PENDING")
+
+  encryptedCredentials Json
+  createdByProjectUserId String? @db.Uuid
+
+  attemptCount  Int @default(0)
+  maxAttempts   Int @default(5)
+  nextAttemptAt DateTime? @default(now())
+
+  startedAt  DateTime?
+  finishedAt DateTime?
+
+  lastErrorExternalMessage String?
+  lastErrorInternalDetails Json?
+  result                   Json?
+
+  tenancy Tenancy @relation(fields: [tenancyId], references: [id], onDelete: Cascade)
+
+  @@id([tenancyId, id])
+  @@index([status, nextAttemptAt, createdAt], map: "AuthDataMigrationJob_queue_idx")
+  @@index([tenancyId, createdAt], map: "AuthDataMigrationJob_tenancy_created_idx")
+}
+
 model EmailDraft {
   tenancyId String @db.Uuid
 

apps/backend/scripts/run-cron-jobs.ts

@@ -6,6 +6,7 @@ import { Result } from "@stackframe/stack-shared/dist/utils/results";
 const endpoints = [
   "/api/latest/internal/external-db-sync/sequencer",
   "/api/latest/internal/external-db-sync/poller",
+  "/api/latest/internal/auth-migrations/process",
 ];
 
 async function main() {

apps/backend/src/app/api/latest/internal/auth-migrations/[id]/retry/route.tsx

@@ -0,0 +1,49 @@
+import { retryAuthMigrationJob } from "@/lib/auth-migrations/jobs";
+import { authMigrationProviders } from "@/lib/auth-migrations/types";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { adaptSchema, adminAuthTypeSchema, yupMixed, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+
+const jobResponseSchema = yupObject({
+  id: yupString().uuid().defined(),
+  provider: yupString().oneOf(authMigrationProviders).defined(),
+  status: yupString().oneOf(["PENDING", "RUNNING", "WAITING_RETRY", "SUCCEEDED", "FAILED"]).defined(),
+  attempt_count: yupNumber().integer().defined(),
+  max_attempts: yupNumber().integer().defined(),
+  next_attempt_at_millis: yupNumber().nullable().defined(),
+  started_at_millis: yupNumber().nullable().defined(),
+  finished_at_millis: yupNumber().nullable().defined(),
+  last_error_external_message: yupString().nullable().defined(),
+  result: yupMixed().nullable(),
+  created_at_millis: yupNumber().defined(),
+  updated_at_millis: yupNumber().defined(),
+}).defined();
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "Retry auth migration job",
+    description: "Moves a failed or waiting provider migration job back to the pending queue.",
+    tags: ["Migrations"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: adminAuthTypeSchema.defined(),
+      tenancy: adaptSchema.defined(),
+    }).defined(),
+    params: yupObject({
+      id: yupString().uuid().defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: jobResponseSchema,
+  }),
+  handler: async ({ auth, params }) => {
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: await retryAuthMigrationJob(auth.tenancy.id, params.id),
+    };
+  },
+});

apps/backend/src/app/api/latest/internal/auth-migrations/[id]/route.tsx

@@ -0,0 +1,49 @@
+import { getAuthMigrationJob } from "@/lib/auth-migrations/jobs";
+import { authMigrationProviders } from "@/lib/auth-migrations/types";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { adaptSchema, adminAuthTypeSchema, yupMixed, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+
+const jobResponseSchema = yupObject({
+  id: yupString().uuid().defined(),
+  provider: yupString().oneOf(authMigrationProviders).defined(),
+  status: yupString().oneOf(["PENDING", "RUNNING", "WAITING_RETRY", "SUCCEEDED", "FAILED"]).defined(),
+  attempt_count: yupNumber().integer().defined(),
+  max_attempts: yupNumber().integer().defined(),
+  next_attempt_at_millis: yupNumber().nullable().defined(),
+  started_at_millis: yupNumber().nullable().defined(),
+  finished_at_millis: yupNumber().nullable().defined(),
+  last_error_external_message: yupString().nullable().defined(),
+  result: yupMixed().nullable(),
+  created_at_millis: yupNumber().defined(),
+  updated_at_millis: yupNumber().defined(),
+}).defined();
+
+export const GET = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "Get auth migration job",
+    description: "Gets a provider migration job for the current project branch.",
+    tags: ["Migrations"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: adminAuthTypeSchema.defined(),
+      tenancy: adaptSchema.defined(),
+    }).defined(),
+    params: yupObject({
+      id: yupString().uuid().defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: jobResponseSchema,
+  }),
+  handler: async ({ auth, params }) => {
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: await getAuthMigrationJob(auth.tenancy.id, params.id),
+    };
+  },
+});

apps/backend/src/app/api/latest/internal/auth-migrations/process/route.tsx

@@ -0,0 +1,48 @@
+import { runAuthMigrationQueueStep } from "@/lib/auth-migrations/jobs";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
+import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+
+export const dynamic = "force-dynamic";
+export const fetchCache = "force-no-store";
+
+export const GET = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "Process auth migration queue step",
+    description: "Internal endpoint invoked by cron to advance auth provider migration jobs.",
+    tags: ["Migrations"],
+  },
+  request: yupObject({
+    auth: yupObject({}).nullable().optional(),
+    method: yupString().oneOf(["GET"]).defined(),
+    headers: yupObject({
+      "authorization": yupTuple([yupString()]).defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({
+      claimed: yupNumber().integer().defined(),
+      reset_stuck: yupNumber().integer().defined(),
+    }).defined(),
+  }),
+  handler: async ({ headers }) => {
+    const authHeader = headers.authorization[0];
+    if (authHeader !== `Bearer ${getEnvVariable('CRON_SECRET')}`) {
+      throw new StatusError(401, "Unauthorized");
+    }
+
+    const result = await runAuthMigrationQueueStep();
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {
+        claimed: result.claimed,
+        reset_stuck: result.resetStuck,
+      },
+    };
+  },
+});

apps/backend/src/app/api/latest/internal/auth-migrations/route.tsx

@@ -0,0 +1,101 @@
+import { createAuthMigrationJob, listAuthMigrationJobs } from "@/lib/auth-migrations/jobs";
+import { validateAuthMigrationCredentials } from "@/lib/auth-migrations/providers";
+import { authMigrationProviders, type AuthMigrationCredentials } from "@/lib/auth-migrations/types";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { adaptSchema, adminAuthTypeSchema, yupArray, yupMixed, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+
+const jobResponseSchema = yupObject({
+  id: yupString().uuid().defined(),
+  provider: yupString().oneOf(authMigrationProviders).defined(),
+  status: yupString().oneOf(["PENDING", "RUNNING", "WAITING_RETRY", "SUCCEEDED", "FAILED"]).defined(),
+  attempt_count: yupNumber().integer().defined(),
+  max_attempts: yupNumber().integer().defined(),
+  next_attempt_at_millis: yupNumber().nullable().defined(),
+  started_at_millis: yupNumber().nullable().defined(),
+  finished_at_millis: yupNumber().nullable().defined(),
+  last_error_external_message: yupString().nullable().defined(),
+  result: yupMixed().nullable(),
+  created_at_millis: yupNumber().defined(),
+  updated_at_millis: yupNumber().defined(),
+}).defined();
+
+function assertCredentialsObject(credentials: unknown): AuthMigrationCredentials {
+  if (typeof credentials !== "object" || credentials === null || Array.isArray(credentials)) {
+    throw new StatusError(400, "credentials must be an object.");
+  }
+  return credentials as AuthMigrationCredentials;
+}
+
+export const GET = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "List auth migration jobs",
+    description: "Lists provider migration jobs for the current project branch.",
+    tags: ["Migrations"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: adminAuthTypeSchema.defined(),
+      tenancy: adaptSchema.defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({
+      items: yupArray(jobResponseSchema).defined(),
+    }).defined(),
+  }),
+  handler: async ({ auth }) => {
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {
+        items: await listAuthMigrationJobs(auth.tenancy.id),
+      },
+    };
+  },
+});
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    hidden: true,
+    summary: "Create auth migration job",
+    description: "Creates a queued auth provider migration job for the current project branch.",
+    tags: ["Migrations"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: adminAuthTypeSchema.defined(),
+      tenancy: adaptSchema.defined(),
+      user: adaptSchema.optional(),
+    }).defined(),
+    body: yupObject({
+      provider: yupString().oneOf(authMigrationProviders).defined(),
+      credentials: yupMixed<AuthMigrationCredentials>().defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: jobResponseSchema,
+  }),
+  handler: async ({ auth, body }) => {
+    const credentials = assertCredentialsObject(body.credentials);
+    validateAuthMigrationCredentials(body.provider, credentials);
+    const job = await createAuthMigrationJob({
+      tenancyId: auth.tenancy.id,
+      projectId: auth.tenancy.project.id,
+      branchId: auth.tenancy.branchId,
+      provider: body.provider,
+      credentials,
+      createdByProjectUserId: auth.user?.id ?? null,
+    });
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: job,
+    };
+  },
+});