feat: enhance database schema and authentication flow with foreign key constraints and session management improvements

Author: JasonKrik

services/backend/DB.md

@@ -162,6 +162,8 @@ Tables defined by plugins are automatically created when the plugin is loaded an
 - Include proper foreign key constraints for relational data
 - Add explicit types for all columns
 - Always use migrations for schema changes in development and production
+- **Important**: When adding foreign key relationships, update the dialect-specific schema files (e.g., `src/db/schema.sqlite.ts`) rather than the central `schema.ts` file, as Drizzle Kit uses these files for migration generation
+- Never manually create migration files - always use `npm run db:generate` to ensure proper migration structure
 
 ## Inspecting the Database
 

services/backend/SECURITY.md

@@ -21,19 +21,36 @@ This approach ensures that even if the database were compromised, recovering the
 
 ## Session Management
 
-User sessions are managed using `lucia-auth`.
+User sessions are managed using `lucia-auth` v3.
 
-- Session identifiers are cryptographically random and stored in secure, HTTP-only cookies to prevent XSS attacks from accessing them.
-- Sessions have defined expiration times (both active and idle timeouts) to limit the window of opportunity for session hijacking.
+- Session identifiers are cryptographically random (40 characters) generated using Lucia's `generateId()` function and stored in secure, HTTP-only cookies to prevent XSS attacks from accessing them.
+- Sessions have defined expiration times (30 days from creation) to limit the window of opportunity for session hijacking.
+- Session data is stored in the `authSession` table with proper foreign key constraints to the `authUser` table.
+- Session cookies are configured with appropriate security attributes:
+  - `httpOnly`: true (prevents JavaScript access)
+  - `secure`: true in production (HTTPS only)
+  - `sameSite`: 'lax' (CSRF protection)
 
 ## Data Validation
 
 All incoming data from clients (e.g., API request bodies, URL parameters) is rigorously validated using `zod` schemas on the server-side before being processed. This helps prevent common vulnerabilities such as injection attacks and unexpected data handling errors.
 
+- Registration endpoint validates: username, email, password, first_name, last_name
+- Email addresses are normalized to lowercase before storage
+- Duplicate username and email checks are performed before user creation
+- All database operations use parameterized queries via Drizzle ORM to prevent SQL injection
+
 ## Dependencies
 
 We strive to keep our dependencies up-to-date and regularly review them for known vulnerabilities. Automated tools may be used to scan for vulnerabilities in our dependency tree.
 
+### Key Security Dependencies:
+- `@node-rs/argon2`: Password hashing
+- `lucia`: Session management
+- `drizzle-orm`: Database ORM with parameterized queries
+- `zod`: Input validation and sanitization
+- `@fastify/cookie`: Secure cookie handling
+
 ## Infrastructure Security
 
 [Placeholder: Add details about infrastructure security, e.g., network configuration, firewalls, access controls, HTTPS enforcement, etc., as applicable to your deployment environment.]

services/backend/drizzle/migrations_sqlite/0002_overconfident_ozymandias.sql

@@ -0,0 +1,36 @@
+PRAGMA foreign_keys=OFF;--> statement-breakpoint
+CREATE TABLE `__new_users` (
+	`id` text PRIMARY KEY NOT NULL,
+	`email` text NOT NULL,
+	`name` text,
+	`created_at` integer NOT NULL,
+	`updated_at` integer NOT NULL
+);
+--> statement-breakpoint
+INSERT INTO `__new_users`("id", "email", "name", "created_at", "updated_at") SELECT "id", "email", "name", "created_at", "updated_at" FROM `users`;--> statement-breakpoint
+DROP TABLE `users`;--> statement-breakpoint
+ALTER TABLE `__new_users` RENAME TO `users`;--> statement-breakpoint
+PRAGMA foreign_keys=ON;--> statement-breakpoint
+CREATE UNIQUE INDEX `users_email_unique` ON `users` (`email`);--> statement-breakpoint
+CREATE TABLE `__new_authKey` (
+	`id` text PRIMARY KEY NOT NULL,
+	`user_id` text NOT NULL,
+	`primary_key` text NOT NULL,
+	`hashed_password` text,
+	`expires` integer,
+	FOREIGN KEY (`user_id`) REFERENCES `authUser`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+INSERT INTO `__new_authKey`("id", "user_id", "primary_key", "hashed_password", "expires") SELECT "id", "user_id", "primary_key", "hashed_password", "expires" FROM `authKey`;--> statement-breakpoint
+DROP TABLE `authKey`;--> statement-breakpoint
+ALTER TABLE `__new_authKey` RENAME TO `authKey`;--> statement-breakpoint
+CREATE TABLE `__new_authSession` (
+	`id` text PRIMARY KEY NOT NULL,
+	`user_id` text NOT NULL,
+	`expires_at` integer NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `authUser`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+INSERT INTO `__new_authSession`("id", "user_id", "expires_at") SELECT "id", "user_id", "expires_at" FROM `authSession`;--> statement-breakpoint
+DROP TABLE `authSession`;--> statement-breakpoint
+ALTER TABLE `__new_authSession` RENAME TO `authSession`;

services/backend/drizzle/migrations_sqlite/meta/0002_snapshot.json

@@ -0,0 +1,263 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "299fd8bd-0b6d-4a21-8570-067f6a9c2579",
+  "prevId": "d6eedd77-5a05-4196-80bd-d81e8a42b7f1",
+  "tables": {
+    "authKey": {
+      "name": "authKey",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "primary_key": {
+          "name": "primary_key",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "hashed_password": {
+          "name": "hashed_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expires": {
+          "name": "expires",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "authKey_user_id_authUser_id_fk": {
+          "name": "authKey_user_id_authUser_id_fk",
+          "tableFrom": "authKey",
+          "tableTo": "authUser",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "authSession": {
+      "name": "authSession",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "authSession_user_id_authUser_id_fk": {
+          "name": "authSession_user_id_authUser_id_fk",
+          "tableFrom": "authSession",
+          "tableTo": "authUser",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "authUser": {
+      "name": "authUser",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "username": {
+          "name": "username",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "auth_type": {
+          "name": "auth_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "first_name": {
+          "name": "first_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_name": {
+          "name": "last_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "github_id": {
+          "name": "github_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "hashed_password": {
+          "name": "hashed_password",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "authUser_username_unique": {
+          "name": "authUser_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        },
+        "authUser_email_unique": {
+          "name": "authUser_email_unique",
+          "columns": [
+            "email"
+          ],
+          "isUnique": true
+        },
+        "authUser_github_id_unique": {
+          "name": "authUser_github_id_unique",
+          "columns": [
+            "github_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "text",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email": {
+          "name": "email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "users_email_unique": {
+          "name": "users_email_unique",
+          "columns": [
+            "email"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}

services/backend/drizzle/migrations_sqlite/meta/_journal.json

@@ -15,6 +15,13 @@
       "when": 1748554510411,
       "tag": "0001_workable_tiger_shark",
       "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1748609862894,
+      "tag": "0002_overconfident_ozymandias",
+      "breakpoints": true
     }
   ]
 }

services/backend/src/db/index.ts

@@ -65,7 +65,7 @@ function generateSchema(dialect: 'sqlite' | 'postgres'): AnySchema {
       let builderType: 'text' | 'integer' | 'timestamp' = 'text';
 
       // Special handling for specific columns
-      if (columnName === 'id') {
+      if (columnName === 'id' || columnName === 'user_id') {
         builderType = 'text'; // All IDs are text (Lucia uses string IDs)
       } else if (columnName === 'expires_at') {
         builderType = 'integer'; // Lucia uses number for expires_at