Merge branch 'dev' into dashboard/changelog

Author: madster456

.github/workflows/docker-server-build-run.yaml

@@ -22,6 +22,13 @@ jobs:
           docker run -d --name db -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=password -e POSTGRES_DB=stackframe -p 8128:5432 postgres:latest
           sleep 5
           docker logs db
+      
+      - name: Setup clickhouse
+        run: |
+          docker run -d --name clickhouse -e CLICKHOUSE_DB=analytics -e CLICKHOUSE_USER=stackframe -e CLICKHOUSE_PASSWORD=password -e CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT=1 -p 8133:8123 clickhouse/clickhouse-server:25.10
+          sleep 5
+          docker logs clickhouse
+
 
       - name: Build Docker image
         run: docker build -f docker/server/Dockerfile -t server .

.github/workflows/swift-sdk-publish.yaml

@@ -0,0 +1,100 @@
+name: Publish Swift SDK to prerelease repo
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'sdks/implementations/swift/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false  # Don't cancel publishing in progress
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout source repo
+        uses: actions/checkout@v4
+        with:
+          path: source
+
+      - name: Read version from package.json
+        id: version
+        run: |
+          VERSION=$(jq -r '.version' source/sdks/implementations/swift/package.json)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Swift SDK version: $VERSION"
+
+      - name: Check if tag already exists in target repo
+        id: check-tag
+        run: |
+          TAG="v${{ steps.version.outputs.version }}"
+          echo "Checking if tag $TAG exists in stack-auth/swift-sdk-prerelease..."
+          
+          # Use the GitHub API to check if the tag exists
+          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+            -H "Authorization: Bearer ${{ secrets.SWIFT_SDK_PUBLISH_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/stack-auth/swift-sdk-prerelease/git/refs/tags/$TAG")
+          
+          if [ "$HTTP_STATUS" = "200" ]; then
+            echo "Tag $TAG already exists, skipping publish"
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "Tag $TAG does not exist, will publish"
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Clone target repo
+        if: steps.check-tag.outputs.exists == 'false'
+        run: |
+          git clone https://x-access-token:${{ secrets.SWIFT_SDK_PUBLISH_TOKEN }}@github.com/stack-auth/swift-sdk-prerelease.git target
+
+      - name: Copy Swift SDK to target repo
+        if: steps.check-tag.outputs.exists == 'false'
+        run: |
+          # Remove all files except .git from target
+          cd target
+          find . -maxdepth 1 -not -name '.git' -not -name '.' -exec rm -rf {} +
+          cd ..
+          
+          # Copy everything from Swift SDK
+          cp -r source/sdks/implementations/swift/* target/
+          cp source/sdks/implementations/swift/.gitignore target/ 2>/dev/null || true
+          
+          # Remove package.json (it's only for turborepo integration, not part of the Swift package)
+          rm -f target/package.json
+
+      - name: Commit and push to target repo
+        if: steps.check-tag.outputs.exists == 'false'
+        run: |
+          cd target
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          
+          git add -A
+          
+          # Check if there are changes to commit
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "Release v${{ steps.version.outputs.version }}"
+          fi
+          
+          # Create and push tag
+          TAG="v${{ steps.version.outputs.version }}"
+          git tag "$TAG"
+          git push origin main --tags
+          
+          echo "Successfully published Swift SDK v${{ steps.version.outputs.version }}"
+
+      - name: Summary
+        run: |
+          if [ "${{ steps.check-tag.outputs.exists }}" = "true" ]; then
+            echo "::notice::Skipped publishing - tag v${{ steps.version.outputs.version }} already exists"
+          else
+            echo "::notice::Published Swift SDK v${{ steps.version.outputs.version }} to stack-auth/swift-sdk-prerelease"
+          fi

apps/backend/.env

@@ -81,6 +81,13 @@ STACK_QSTASH_TOKEN=
 STACK_QSTASH_CURRENT_SIGNING_KEY=
 STACK_QSTASH_NEXT_SIGNING_KEY=
 
+# Clickhouse
+STACK_CLICKHOUSE_URL=# URL of the Clickhouse instance
+STACK_CLICKHOUSE_ADMIN_USER=# username of the admin account
+STACK_CLICKHOUSE_ADMIN_PASSWORD=# password of the admin account
+STACK_CLICKHOUSE_EXTERNAL_PASSWORD=# a randomly generated secure string. The user account will be created automatically
+
+
 # Misc
 STACK_ACCESS_TOKEN_EXPIRATION_TIME=# enter the expiration time for the access token here. Optional, don't specify it for default value
 STACK_SETUP_ADMIN_GITHUB_ID=# enter the account ID of the admin user here, and after running the seed script they will be able to access the internal project in the Stack dashboard. Optional, don't specify it for default value

apps/backend/.env.development

@@ -75,3 +75,9 @@ STACK_QSTASH_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}25
 STACK_QSTASH_TOKEN=eyJVc2VySUQiOiJkZWZhdWx0VXNlciIsIlBhc3N3b3JkIjoiZGVmYXVsdFBhc3N3b3JkIn0=
 STACK_QSTASH_CURRENT_SIGNING_KEY=sig_7kYjw48mhY7kAjqNGcy6cr29RJ6r
 STACK_QSTASH_NEXT_SIGNING_KEY=sig_5ZB6DVzB1wjE8S6rZ7eenA8Pdnhs
+
+# Clickhouse
+STACK_CLICKHOUSE_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}36
+STACK_CLICKHOUSE_ADMIN_USER=stackframe
+STACK_CLICKHOUSE_ADMIN_PASSWORD=PASSWORD-PLACEHOLDER--9gKyMxJeMx
+STACK_CLICKHOUSE_EXTERNAL_PASSWORD=PASSWORD-PLACEHOLDER--EZeHscBMzE

apps/backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-backend",
-  "version": "2.8.60",
+  "version": "2.8.62",
   "repository": "https://github.com/stack-auth/stack-auth",
   "private": true,
   "type": "module",
@@ -25,6 +25,7 @@
     "codegen": "pnpm run with-env pnpm run generate-migration-imports && pnpm run with-env bash -c 'if [ \"$STACK_ACCELERATE_ENABLED\" = \"true\" ]; then pnpm run prisma generate --no-engine; else pnpm run codegen-prisma; fi' && pnpm run codegen-docs && pnpm run codegen-route-info",
     "codegen:watch": "concurrently -n \"prisma,docs,route-info,migration-imports\" -k \"pnpm run codegen-prisma:watch\" \"pnpm run codegen-docs:watch\" \"pnpm run codegen-route-info:watch\" \"pnpm run generate-migration-imports:watch\"",
     "psql-inner": "psql $(echo $STACK_DATABASE_CONNECTION_STRING | sed 's/\\?.*$//')",
+    "clickhouse": "pnpm run with-env clickhouse-client --host localhost --port ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}37 --user stackframe --password PASSWORD-PLACEHOLDER--9gKyMxJeMx",
     "psql": "pnpm run with-env:dev pnpm run psql-inner",
     "prisma-studio": "pnpm run with-env:dev prisma studio --port ${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}06 --browser none",
     "prisma:dev": "pnpm run with-env:dev prisma",
@@ -41,7 +42,7 @@
     "codegen-docs:watch": "pnpm run with-env tsx watch --exclude '**/node_modules/**' --clear-screen=false scripts/generate-openapi-fumadocs.ts",
     "generate-keys": "pnpm run with-env tsx scripts/generate-keys.ts",
     "db-seed-script": "pnpm run db:seed",
-    "verify-data-integrity": "pnpm run with-env:dev tsx scripts/verify-data-integrity.ts",
+    "verify-data-integrity": "pnpm run with-env:dev tsx scripts/verify-data-integrity/index.ts",
     "run-email-queue": "pnpm run with-env:dev tsx scripts/run-email-queue.ts"
   },
   "prisma": {
@@ -50,6 +51,7 @@
   "dependencies": {
     "@ai-sdk/openai": "^1.3.23",
     "@aws-sdk/client-s3": "^3.855.0",
+    "@clickhouse/client": "^1.14.0",
     "@node-oauth/oauth2-server": "^5.1.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.53.0",
@@ -86,7 +88,7 @@
     "freestyle-sandboxes": "^0.1.6",
     "jose": "^6.1.3",
     "json-diff": "^1.0.6",
-    "next": "16.1.1",
+    "next": "16.1.5",
     "nodemailer": "^6.9.10",
     "oidc-provider": "^8.5.1",
     "openid-client": "5.6.4",

apps/backend/prisma/migrations/20260201240000_event_created_at_index/migration.sql

@@ -0,0 +1,11 @@
+-- SPLIT_STATEMENT_SENTINEL
+-- SINGLE_STATEMENT_SENTINEL
+-- RUN_OUTSIDE_TRANSACTION_SENTINEL
+-- Add index on createdAt for efficient range queries (used by ClickHouse migration and similar count queries).
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_event_created_at ON "Event" ("createdAt");
+
+-- SPLIT_STATEMENT_SENTINEL
+-- SINGLE_STATEMENT_SENTINEL
+-- RUN_OUTSIDE_TRANSACTION_SENTINEL
+-- Add composite index (createdAt, id) for cursor-based pagination queries.
+CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_event_created_at_id ON "Event" ("createdAt", "id");

apps/backend/prisma/schema.prisma

@@ -659,6 +659,8 @@ model Event {
   // =============================== END END USER PROPERTIES ===============================
 
   @@index([data(ops: JsonbPathOps)], type: Gin)
+  @@index([createdAt])
+  @@index([createdAt, id])
 }
 
 // An IP address that was seen in an event. Use the location fields instead of refetching the location from the ip, as the real-world geoip data may have changed since the event was logged.

apps/backend/scripts/clickhouse-migrations.ts

@@ -0,0 +1,61 @@
+import { getClickhouseAdminClient } from "@/lib/clickhouse";
+import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
+
+export async function runClickhouseMigrations() {
+  console.log("[Clickhouse] Running Clickhouse migrations...");
+  const client = getClickhouseAdminClient();
+  const clickhouseExternalPassword = getEnvVariable("STACK_CLICKHOUSE_EXTERNAL_PASSWORD");
+  await client.exec({
+    query: "CREATE USER IF NOT EXISTS limited_user IDENTIFIED WITH sha256_password BY {clickhouseExternalPassword:String}",
+    query_params: { clickhouseExternalPassword },
+  });
+  // todo: create migration files
+  await client.exec({ query: EXTERNAL_ANALYTICS_DB_SQL });
+  await client.exec({ query: EVENTS_TABLE_BASE_SQL });
+  await client.exec({ query: EVENTS_VIEW_SQL });
+  const queries = [
+    "REVOKE ALL PRIVILEGES ON *.* FROM limited_user;",
+    "REVOKE ALL FROM limited_user;",
+    "GRANT SELECT ON default.events TO limited_user;",
+  ];
+  await client.exec({
+    query: "CREATE ROW POLICY IF NOT EXISTS events_project_isolation ON default.events FOR SELECT USING project_id = getSetting('SQL_project_id') AND branch_id = getSetting('SQL_branch_id') TO limited_user",
+  });
+  for (const query of queries) {
+    await client.exec({ query });
+  }
+  console.log("[Clickhouse] Clickhouse migrations complete");
+  await client.close();
+}
+
+const EVENTS_TABLE_BASE_SQL = `
+CREATE TABLE IF NOT EXISTS analytics_internal.events (
+    event_type       LowCardinality(String),
+    event_at         DateTime64(3, 'UTC'),
+    data             JSON,
+    project_id       String,
+    branch_id        String,
+    user_id          String,
+    team_id          String,
+    refresh_token_id String,
+    is_anonymous     Boolean,
+    session_id       String,
+    ip_address       String,
+    created_at DateTime64(3, 'UTC') DEFAULT now64(3)
+)
+ENGINE MergeTree
+PARTITION BY toYYYYMM(event_at)
+ORDER BY (project_id, branch_id, event_at);
+`;
+
+const EVENTS_VIEW_SQL = `
+CREATE OR REPLACE VIEW default.events 
+SQL SECURITY DEFINER
+AS
+SELECT *
+FROM analytics_internal.events;
+`;
+
+const EXTERNAL_ANALYTICS_DB_SQL = `
+CREATE DATABASE IF NOT EXISTS analytics_internal;
+`;

apps/backend/scripts/db-migrations.ts

@@ -2,18 +2,25 @@ import { applyMigrations } from "@/auto-migrations";
 import { MIGRATION_FILES_DIR, getMigrationFiles } from "@/auto-migrations/utils";
 import { Prisma } from "@/generated/prisma/client";
 import { globalPrismaClient, globalPrismaSchema, sqlQuoteIdent } from "@/prisma-client";
-import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
 import { spawnSync } from "child_process";
 import fs from "fs";
 import path from "path";
 import * as readline from "readline";
 import { seed } from "../prisma/seed";
+import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
+import { runClickhouseMigrations } from "./clickhouse-migrations";
+import { getClickhouseAdminClient } from "@/lib/clickhouse";
+
+const getClickhouseClient = () => getClickhouseAdminClient();
 
 const dropSchema = async () => {
   await globalPrismaClient.$executeRaw(Prisma.sql`DROP SCHEMA ${sqlQuoteIdent(globalPrismaSchema)} CASCADE`);
   await globalPrismaClient.$executeRaw(Prisma.sql`CREATE SCHEMA ${sqlQuoteIdent(globalPrismaSchema)}`);
   await globalPrismaClient.$executeRaw(Prisma.sql`GRANT ALL ON SCHEMA ${sqlQuoteIdent(globalPrismaSchema)} TO postgres`);
   await globalPrismaClient.$executeRaw(Prisma.sql`GRANT ALL ON SCHEMA ${sqlQuoteIdent(globalPrismaSchema)} TO public`);
+  const clickhouseClient = getClickhouseClient();
+  await clickhouseClient.command({ query: "DROP DATABASE IF EXISTS analytics_internal" });
+  await clickhouseClient.command({ query: "CREATE DATABASE IF NOT EXISTS analytics_internal" });
 };
 
 
@@ -163,6 +170,8 @@ const migrate = async (selectedMigrationFiles?: { migrationName: string, sql: st
 
   console.log('='.repeat(60) + '\n');
 
+  await runClickhouseMigrations();
+
   return result;
 };
 

apps/backend/scripts/verify-data-integrity/api.ts

@@ -0,0 +1,92 @@
+import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import { deepPlainEquals, filterUndefined } from "@stackframe/stack-shared/dist/utils/objects";
+import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
+
+export type EndpointOutput = {
+  status: number,
+  responseJson: any,
+};
+
+export type OutputData = Record<string, EndpointOutput[]>;
+
+export type ExpectStatusCode = <T = any>(
+  expectedStatusCode: number,
+  endpoint: string,
+  request: RequestInit,
+) => Promise<T>;
+
+export function createApiHelpers(options: {
+  currentOutputData: OutputData,
+  targetOutputData?: OutputData,
+}) {
+  const { currentOutputData, targetOutputData } = options;
+
+  function appendOutputData(endpoint: string, output: EndpointOutput) {
+    if (!(endpoint in currentOutputData)) {
+      currentOutputData[endpoint] = [];
+    }
+    const newLength = currentOutputData[endpoint].push(output);
+    if (targetOutputData) {
+      if (!(endpoint in targetOutputData)) {
+        throw new StackAssertionError(deindent`
+          Output data mismatch for endpoint ${endpoint}:
+            Expected ${endpoint} to be in targetOutputData, but it is not.
+        `, { endpoint });
+      }
+      if (targetOutputData[endpoint].length < newLength) {
+        throw new StackAssertionError(deindent`
+          Output data mismatch for endpoint ${endpoint}:
+            Expected ${targetOutputData[endpoint].length} outputs but got at least ${newLength}.
+        `, { endpoint });
+      }
+      if (!(deepPlainEquals(targetOutputData[endpoint][newLength - 1], output))) {
+        throw new StackAssertionError(deindent`
+          Output data mismatch for endpoint ${endpoint}:
+            Expected output[${JSON.stringify(endpoint)}][${newLength - 1}] to be:
+              ${JSON.stringify(targetOutputData[endpoint][newLength - 1], null, 2)}
+            but got:
+              ${JSON.stringify(output, null, 2)}.
+        `, { endpoint });
+      }
+    }
+  }
+
+  const expectStatusCode: ExpectStatusCode = async (expectedStatusCode, endpoint, request) => {
+    const apiUrl = new URL(getEnvVariable("NEXT_PUBLIC_STACK_API_URL"));
+    const response = await fetch(new URL(endpoint, apiUrl), {
+      ...request,
+      headers: {
+        "x-stack-disable-artificial-development-delay": "yes",
+        "x-stack-development-disable-extended-logging": "yes",
+        ...filterUndefined(request.headers ?? {}),
+      },
+    });
+
+    const responseText = await response.text();
+
+    if (response.status !== expectedStatusCode) {
+      throw new StackAssertionError(deindent`
+        Expected status code ${expectedStatusCode} but got ${response.status} for ${endpoint}:
+
+            ${responseText}
+      `, { request, response });
+    }
+
+    const responseJson = JSON.parse(responseText);
+    const currentOutput: EndpointOutput = {
+      status: response.status,
+      responseJson,
+    };
+
+    appendOutputData(endpoint, currentOutput);
+
+    return responseJson;
+  };
+
+  return {
+    appendOutputData,
+    expectStatusCode,
+  };
+}
+