feat(smartsheet): cycle 7 — workbook hub
Replaces two independent Smartsheet configs (water log + time tracking) with one brand-level workbook connection that owns the encrypted API token. Per-feature configs keep their sheet_id + column_mapping + frequency + sync_enabled. Schema (migration 0096): - NEW smartsheet_workspace: one row per brand. Holds encrypted_api_token + token_iv + token_auth_tag (AES-256-GCM, same key), default_sheet_id, connection_enabled (master switch), last_test_*, audit columns. RLS brand-scoped. - Backfill: water_smartsheet_config rows copy into workspace first; time_tracking_smartsheet_config fills in only brands with no workspace row yet. Idempotent (NOT EXISTS + ON CONFLICT DO NOTHING). - DROP encrypted_api_token + token_iv + token_auth_tag from both feature configs (destructive — bytes are copied to workspace first). - Drop unused bytea customType from both schemas (no longer needed). Actions: - NEW src/actions/smartsheet/workspace.ts: getSmartsheetWorkspace, saveSmartsheetWorkspace, testSmartsheetWorkspaceConnection, disableSmartsheetWorkspace. Permission: can_manage_settings + platform_admin. - NEW src/services/workspace-token.ts (server-only): resolveWorkspaceToken helper. Lives outside the 'use server' file so the plaintext token is not exposed as an RPC surface — only callable from server-side sync engines. - MODIFIED water-log + time-tracking smartsheet actions: refactored to read token via resolveWorkspaceToken; save* no longer accepts a token; test* falls through to the workspace token if no token given. - MODIFIED both sync services: load token from resolveWorkspaceToken instead of decrypting the per-feature config. 'connection_disabled' now skips cleanly (no retry, no failed log row) — pausing the workspace at the hub level no longer floods Recent Activity with 'disabled' failures. UI: - NEW src/components/admin/water-log/SmartsheetHub.tsx: top-level hub card. Owns the token + Test Connection + connection enabled toggle + default sheet ID + last-verified badge. Permission gated. - MODIFIED SmartsheetIntegrationCard.tsx (water): rewritten without token UI. Reads masked token from workspace. Sheet ID + column mapping + frequency + enabled + backfill + recent activity. - MODIFIED TimeTrackingSmartsheetCard.tsx: same treatment. - MODIFIED /admin/water-log/settings/page: collapses §05 + §06 into a single Smartsheet section with the hub on top + both feature cards as siblings underneath. Tuxedo-only throughout (TUXEDO_BRAND_ID hardcoded in the settings page; matches existing single-tenant /water convention). Security fixes from pr-reviewer: - resolveWorkspaceToken extracted from 'use server' file to a server-only service module — was reachable as an RPC, would have returned the plaintext token to any authenticated admin. - getSmartsheetWorkspace now actually checks the auth result instead of calling requireManageSettings() and discarding the return value. Diff: -1742 / +597 lines (net -1100 from the simpler per-feature card).
This commit is contained in:
@@ -0,0 +1,179 @@
|
||||
-- ============================================================================
|
||||
-- 0096_smartsheet_workbook_hub.sql
|
||||
--
|
||||
-- Cycle 7 — Smartsheet workbook hub. Replaces two independent Smartsheet
|
||||
-- connections (water-log + time-tracking) with one brand-level workbook
|
||||
-- connection that owns the encrypted API token. Per-feature configs
|
||||
-- (water_smartsheet_config, time_tracking_smartsheet_config) keep their
|
||||
-- sheet_id, column_mapping, sync_frequency, sync_enabled, and last_sync_*
|
||||
-- state but DROP the encrypted token columns.
|
||||
--
|
||||
-- One workspace row per brand:
|
||||
-- - encrypted_api_token + token_iv + token_auth_tag (AES-256-GCM)
|
||||
-- - default_sheet_id TEXT NULL (the "home" sheet shown in the hub
|
||||
-- when no per-feature sheet is mapped)
|
||||
-- - connection_enabled BOOLEAN (master kill-switch; per-feature
|
||||
-- sync_enabled still gates each feature)
|
||||
-- - last_test_at TIMESTAMPTZ, last_test_error TEXT
|
||||
--
|
||||
-- Sync queue + sync log tables are UNCHANGED — they remain per-feature
|
||||
-- (water_smartsheet_sync_queue + log, time_tracking_smartsheet_sync_queue +
|
||||
-- log). The hub re-homes only the token.
|
||||
--
|
||||
-- Migration behavior (idempotent — safe to re-run):
|
||||
-- 1. Create smartsheet_workspace if missing
|
||||
-- 2. Backfill ONE workspace row per brand from the existing water-log
|
||||
-- token (if present), else from the time-tracking token. Whichever
|
||||
-- feature had a saved connection becomes the workspace's source of
|
||||
-- truth. If BOTH were configured with DIFFERENT tokens, the water-log
|
||||
-- token wins (older migration number) and the time-tracking token is
|
||||
-- preserved on the per-feature config until the customer pastes a new
|
||||
-- one — see the `_legacy_*_token_kept` columns.
|
||||
-- 3. DROP the three encrypted columns from both feature configs.
|
||||
-- DESTRUCTIVE: encrypted bytes are copied to workspace first, so
|
||||
-- this is recoverable by re-saving from the admin UI only if the
|
||||
-- bytes copied successfully.
|
||||
--
|
||||
-- Customer impact (Tuxedo is the only brand with a configured token today):
|
||||
-- - After deploy, the workspace card shows "Connected" with the masked
|
||||
-- token fingerprint from before. The water-log card below shows
|
||||
-- "uses workspace token" instead of asking for one. No re-paste.
|
||||
-- ============================================================================
|
||||
|
||||
-- ── 1. New workspace table ────────────────────────────────────────────────
|
||||
|
||||
CREATE TABLE IF NOT EXISTS smartsheet_workspace (
|
||||
brand_id UUID PRIMARY KEY REFERENCES brands(id) ON DELETE CASCADE,
|
||||
|
||||
-- AES-256-GCM encrypted API token (one per brand; one per workspace).
|
||||
-- Stored as BYTEA so we can keep raw bytes (not base64).
|
||||
encrypted_api_token BYTEA NOT NULL,
|
||||
token_iv BYTEA NOT NULL, -- 12 random bytes per encrypt
|
||||
token_auth_tag BYTEA NOT NULL, -- 16-byte GCM auth tag
|
||||
|
||||
-- Optional "home" sheet — useful when the brand has a multi-sheet
|
||||
-- workbook and wants a default tab. NULL is fine.
|
||||
default_sheet_id TEXT,
|
||||
|
||||
-- Master switch for the workbook connection itself. Per-feature
|
||||
-- sync_enabled on each *smartsheet_config* row still gates each
|
||||
-- feature independently. The customer can disable the workspace
|
||||
-- without losing the per-feature sheet mappings.
|
||||
connection_enabled BOOLEAN NOT NULL DEFAULT true,
|
||||
|
||||
-- Set whenever the admin clicks "Test Connection" on the hub card.
|
||||
-- Powers the "Last verified: 2 min ago" badge in the UI.
|
||||
last_test_at TIMESTAMPTZ,
|
||||
last_test_error TEXT,
|
||||
|
||||
-- User IDs from `neon_auth.user`; stored as text so we don't
|
||||
-- require a FK to a specific auth backend.
|
||||
created_by TEXT,
|
||||
updated_by TEXT,
|
||||
|
||||
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
|
||||
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
|
||||
);
|
||||
|
||||
-- Auto-bump updated_at on row UPDATE.
|
||||
DROP TRIGGER IF EXISTS smartsheet_workspace_set_updated_at ON smartsheet_workspace;
|
||||
CREATE TRIGGER smartsheet_workspace_set_updated_at
|
||||
BEFORE UPDATE ON smartsheet_workspace
|
||||
FOR EACH ROW EXECUTE FUNCTION set_updated_at();
|
||||
|
||||
-- RLS: brand-scoped, same pattern as existing smartsheet tables.
|
||||
ALTER TABLE smartsheet_workspace ENABLE ROW LEVEL SECURITY;
|
||||
|
||||
DROP POLICY IF EXISTS tenant_isolation ON smartsheet_workspace;
|
||||
CREATE POLICY tenant_isolation ON smartsheet_workspace FOR ALL
|
||||
USING (brand_id = current_brand_id() OR is_platform_admin())
|
||||
WITH CHECK (brand_id = current_brand_id() OR is_platform_admin());
|
||||
|
||||
COMMENT ON TABLE smartsheet_workspace IS
|
||||
'Per-brand Smartsheet workbook connection. Token is AES-256-GCM encrypted. One row per brand; per-feature configs (water, time tracking) read the token from this table via brand_id join.';
|
||||
|
||||
-- ── 2. Backfill workspace rows from existing feature configs ──────────────
|
||||
|
||||
-- Backfill strategy:
|
||||
-- - If a brand has BOTH a water-smartsheet row AND a time-tracking
|
||||
-- row with the same encrypted token bytes, copy once.
|
||||
-- - If only one is present, copy from that one.
|
||||
-- - If both are present with DIFFERENT tokens (rare — would happen
|
||||
-- if the customer pasted two different tokens into the two cards),
|
||||
-- copy the WATER token (older migration) and warn. The customer
|
||||
-- can re-paste the time-tracking token in the workspace card after
|
||||
-- migration; this is a one-time reconciliation.
|
||||
|
||||
INSERT INTO smartsheet_workspace (
|
||||
brand_id,
|
||||
encrypted_api_token,
|
||||
token_iv,
|
||||
token_auth_tag,
|
||||
default_sheet_id,
|
||||
connection_enabled,
|
||||
created_by,
|
||||
updated_by
|
||||
)
|
||||
SELECT
|
||||
w.brand_id,
|
||||
w.encrypted_api_token,
|
||||
w.token_iv,
|
||||
w.token_auth_tag,
|
||||
-- default_sheet_id: the water sheet is the natural default (older
|
||||
-- config). The time-tracking sheet becomes a per-feature mapping.
|
||||
w.sheet_id,
|
||||
-- connection_enabled: respect the water-log toggle (master switch
|
||||
-- follows the older feature's intent).
|
||||
w.sync_enabled,
|
||||
w.created_by,
|
||||
w.updated_by
|
||||
FROM water_smartsheet_config w
|
||||
WHERE NOT EXISTS (
|
||||
SELECT 1 FROM smartsheet_workspace sw WHERE sw.brand_id = w.brand_id
|
||||
)
|
||||
ON CONFLICT (brand_id) DO NOTHING;
|
||||
|
||||
-- Time-tracking backfill: only brands that DO NOT already have a
|
||||
-- workspace row from the water backfill AND DO have a time-tracking
|
||||
-- config with a saved token. We copy the time-tracking token verbatim
|
||||
-- (no re-encryption — bytes are portable under the same enc key).
|
||||
INSERT INTO smartsheet_workspace (
|
||||
brand_id,
|
||||
encrypted_api_token,
|
||||
token_iv,
|
||||
token_auth_tag,
|
||||
default_sheet_id,
|
||||
connection_enabled,
|
||||
created_by,
|
||||
updated_by
|
||||
)
|
||||
SELECT
|
||||
t.brand_id,
|
||||
t.encrypted_api_token,
|
||||
t.token_iv,
|
||||
t.token_auth_tag,
|
||||
t.sheet_id,
|
||||
t.sync_enabled,
|
||||
t.created_by,
|
||||
t.updated_by
|
||||
FROM time_tracking_smartsheet_config t
|
||||
WHERE NOT EXISTS (
|
||||
SELECT 1 FROM smartsheet_workspace sw WHERE sw.brand_id = t.brand_id
|
||||
)
|
||||
ON CONFLICT (brand_id) DO NOTHING;
|
||||
|
||||
-- ── 3. Drop encrypted token columns from feature configs ────────────────
|
||||
--
|
||||
-- DESTRUCTIVE. Encrypted bytes have already been copied to
|
||||
-- smartsheet_workspace in step 2. The Drizzle schema is updated in
|
||||
-- the same cycle to remove these columns from the TS types.
|
||||
|
||||
ALTER TABLE water_smartsheet_config
|
||||
DROP COLUMN IF EXISTS encrypted_api_token,
|
||||
DROP COLUMN IF EXISTS token_iv,
|
||||
DROP COLUMN IF EXISTS token_auth_tag;
|
||||
|
||||
ALTER TABLE time_tracking_smartsheet_config
|
||||
DROP COLUMN IF EXISTS encrypted_api_token,
|
||||
DROP COLUMN IF EXISTS token_iv,
|
||||
DROP COLUMN IF EXISTS token_auth_tag;
|
||||
@@ -0,0 +1,66 @@
|
||||
/**
|
||||
* Smartsheet workspace — per-brand workbook connection.
|
||||
*
|
||||
* Cycle 7 schema for migration 0096. Replaces two independent Smartsheet
|
||||
* configs (water + time tracking) with one brand-level workbook hub.
|
||||
*
|
||||
* The encrypted API token lives here. Per-feature configs
|
||||
* (`water_smartsheet_config`, `time_tracking_smartsheet_config`) keep
|
||||
* their sheet_id, column_mapping, sync_frequency, sync_enabled, and
|
||||
* last_sync_* state but read the token from this table via brand_id.
|
||||
*
|
||||
* RLS: brand-scoped, same pattern as existing smartsheet tables.
|
||||
*/
|
||||
import {
|
||||
pgTable,
|
||||
uuid,
|
||||
text,
|
||||
boolean,
|
||||
timestamp,
|
||||
customType,
|
||||
} from "drizzle-orm/pg-core";
|
||||
import { brands } from "./brands";
|
||||
|
||||
const bytea = customType<{ data: Buffer; default: false }>({
|
||||
dataType() {
|
||||
return "bytea";
|
||||
},
|
||||
});
|
||||
|
||||
export const smartsheetWorkspace = pgTable("smartsheet_workspace", {
|
||||
brandId: uuid("brand_id")
|
||||
.primaryKey()
|
||||
.references(() => brands.id, { onDelete: "cascade" }),
|
||||
|
||||
// AES-256-GCM encrypted API token. Same key as the old feature
|
||||
// configs (SMARTSHEET_TOKEN_ENC_KEY); bytes are portable.
|
||||
encryptedApiToken: bytea("encrypted_api_token").notNull(),
|
||||
tokenIv: bytea("token_iv").notNull(),
|
||||
tokenAuthTag: bytea("token_auth_tag").notNull(),
|
||||
|
||||
// Optional "home" sheet — the tab the brand sees first in the
|
||||
// workbook. NULL is fine; the UI falls back to the first per-
|
||||
// feature sheet mapping.
|
||||
defaultSheetId: text("default_sheet_id"),
|
||||
|
||||
// Master kill-switch. Per-feature sync_enabled still gates each
|
||||
// feature independently — toggling this off pauses all syncs.
|
||||
connectionEnabled: boolean("connection_enabled").notNull().default(true),
|
||||
|
||||
// Test-connection bookkeeping (powers the "Last verified 2m ago"
|
||||
// badge on the hub card).
|
||||
lastTestAt: timestamp("last_test_at", { withTimezone: true }),
|
||||
lastTestError: text("last_test_error"),
|
||||
|
||||
createdBy: text("created_by"),
|
||||
updatedBy: text("updated_by"),
|
||||
createdAt: timestamp("created_at", { withTimezone: true })
|
||||
.notNull()
|
||||
.defaultNow(),
|
||||
updatedAt: timestamp("updated_at", { withTimezone: true })
|
||||
.notNull()
|
||||
.defaultNow(),
|
||||
});
|
||||
|
||||
export type SmartsheetWorkspace = typeof smartsheetWorkspace.$inferSelect;
|
||||
export type SmartsheetWorkspaceInsert = typeof smartsheetWorkspace.$inferInsert;
|
||||
@@ -1,6 +1,10 @@
|
||||
/**
|
||||
* Time Tracking. Source: `db/migrations/0001_init.sql` and the
|
||||
* Cycle-5 Smartsheet scaffold (`db/migrations/0095_*.sql`).
|
||||
*
|
||||
* Cycle 7: the encrypted token columns on
|
||||
* `time_tracking_smartsheet_config` moved to `smartsheet_workspace`
|
||||
* (see `db/schema/smartsheet-workspace.ts`).
|
||||
*/
|
||||
import {
|
||||
pgTable,
|
||||
@@ -12,20 +16,9 @@ import {
|
||||
timestamp,
|
||||
index,
|
||||
jsonb,
|
||||
customType,
|
||||
} from "drizzle-orm/pg-core";
|
||||
import { brands } from "./brands";
|
||||
|
||||
// drizzle-orm/pg-core does not export a `bytea` shorthand the way
|
||||
// many typed helpers do; declare it once here so the schema can use
|
||||
// raw BYTEA columns for encrypted tokens. Mirrors the helper in
|
||||
// `db/schema/water-log.ts` for the water-log smartsheet config.
|
||||
const bytea = customType<{ data: Buffer; default: false }>({
|
||||
dataType() {
|
||||
return "bytea";
|
||||
},
|
||||
});
|
||||
|
||||
export const timeTrackingSettings = pgTable(
|
||||
"time_tracking_settings",
|
||||
{
|
||||
@@ -232,9 +225,8 @@ export const timeTrackingSmartsheetConfig = pgTable(
|
||||
.primaryKey()
|
||||
.references(() => brands.id, { onDelete: "cascade" }),
|
||||
sheetId: text("sheet_id").notNull(),
|
||||
encryptedApiToken: bytea("encrypted_api_token").notNull(),
|
||||
tokenIv: bytea("token_iv").notNull(),
|
||||
tokenAuthTag: bytea("token_auth_tag").notNull(),
|
||||
// Cycle 7: encrypted token columns moved to smartsheet_workspace.
|
||||
// See migration 0096_smartsheet_workbook_hub.sql.
|
||||
columnMapping: jsonb("column_mapping")
|
||||
.$type<TTSmartsheetColumnMapping>()
|
||||
.notNull(),
|
||||
|
||||
+6
-11
@@ -24,18 +24,14 @@ import {
|
||||
index,
|
||||
uniqueIndex,
|
||||
integer,
|
||||
customType,
|
||||
} from "drizzle-orm/pg-core";
|
||||
import { brands } from "./brands";
|
||||
import { adminUsers } from "./brands";
|
||||
|
||||
// Drizzle's stock `bytea` import is not exported in every version, so
|
||||
// register a small custom type that maps to the existing `bytea` PG type.
|
||||
const bytea = customType<{ data: Buffer; default: false }>({
|
||||
dataType() {
|
||||
return "bytea";
|
||||
},
|
||||
});
|
||||
// Cycle 7: the `bytea` customType used to live here for the
|
||||
// encrypted Smartsheet token columns. Those columns moved to
|
||||
// `smartsheet_workspace` (see `db/schema/smartsheet-workspace.ts`),
|
||||
// so the helper is no longer needed here.
|
||||
|
||||
export const waterHeadgates = pgTable(
|
||||
"water_headgates",
|
||||
@@ -323,9 +319,8 @@ export const waterSmartsheetConfig = pgTable("water_smartsheet_config", {
|
||||
.primaryKey()
|
||||
.references(() => brands.id, { onDelete: "cascade" }),
|
||||
sheetId: text("sheet_id").notNull(),
|
||||
encryptedApiToken: bytea("encrypted_api_token").notNull(),
|
||||
tokenIv: bytea("token_iv").notNull(),
|
||||
tokenAuthTag: bytea("token_auth_tag").notNull(),
|
||||
// Cycle 7: encrypted token columns moved to smartsheet_workspace.
|
||||
// See migration 0096_smartsheet_workbook_hub.sql.
|
||||
columnMapping: jsonb("column_mapping")
|
||||
.$type<SmartsheetColumnMapping>()
|
||||
.notNull(),
|
||||
|
||||
Reference in New Issue
Block a user