Update user in tables to use hashed password (#1667)

Fixes OPS-3123.

Author: MarceloRGonc

compose.yaml

@@ -2,7 +2,7 @@ name: openopsdev
 services:
   tables:
     container_name: tables
-    image: public.ecr.aws/openops/openops-tables:0.2.10
+    image: public.ecr.aws/openops/openops-tables:0.2.12
     environment:
       BASEROW_PUBLIC_URL: ${OPS_OPENOPS_TABLES_PUBLIC_URL}
       BASEROW_PRIVATE_URL: http://localhost:3001

deploy/docker-compose/docker-compose.yml

@@ -21,7 +21,7 @@ services:
     environment:
       OPS_COMPONENT: app
       OPS_VERSION: ${OPS_VERSION:-latest}
-      OPS_OPENOPS_TABLES_VERSION: 0.2.10
+      OPS_OPENOPS_TABLES_VERSION: 0.2.12
       OPS_ANALYTICS_VERSION: 0.14.1
     depends_on:
       openops-tables:
@@ -47,7 +47,7 @@ services:
       - ${HOST_AZURE_CONFIG_DIR:-openops_azure_cli_data}:/tmp/azure
       - ${HOST_CLOUDSDK_CONFIG:-openops_gcloud_cli_data}:/tmp/gcloud
   openops-tables:
-    image: public.ecr.aws/openops/openops-tables:0.2.10
+    image: public.ecr.aws/openops/openops-tables:0.2.12
     restart: unless-stopped
     environment:
       BASEROW_PUBLIC_URL: ${OPS_OPENOPS_TABLES_PUBLIC_URL}

deploy/helm/openops/values.yaml

@@ -90,7 +90,7 @@ engine:
 tables:
   name: openops-tables
   image: openops-tables
-  tag: "0.2.10"
+  tag: "0.2.12"
   replicas: 1
   env:
     BASEROW_PUBLIC_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_PUBLIC_URL }}"

packages/server/api/src/app/authentication/basic/authentication-service.ts

@@ -38,7 +38,7 @@ export const authenticationService = {
 
     const { refresh_token } = await authenticateUserInOpenOpsTables(
       request.email,
-      request.password,
+      user.password,
     );
 
     return this.authResponse(user, refresh_token);

packages/server/api/src/app/authentication/new-user/create-user.ts

@@ -122,7 +122,7 @@ export async function createUser(
     const tablesRefreshToken = await createTablesUser(
       name,
       params.email,
-      params.password,
+      user.password,
     );
 
     return {

packages/server/api/src/app/database/migrations/1763755045436-MigrateTablesUserPassword.ts

@@ -0,0 +1,41 @@
+import {
+  authenticateUserInOpenOpsTables,
+  resetUserPassword,
+} from '@openops/common';
+import { AppSystemProp, system } from '@openops/server-shared';
+import { MigrationInterface, QueryRunner } from 'typeorm';
+
+export class MigrateTablesUserPassword1763755045436
+  implements MigrationInterface
+{
+  name = 'MigrateTablesUserPassword1763755045436';
+
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    const users = await queryRunner.query(
+      'SELECT "email", "password" FROM "user"',
+    );
+
+    if (users.length === 0) {
+      return;
+    }
+
+    const adminEmail = system.getOrThrow(AppSystemProp.OPENOPS_ADMIN_EMAIL);
+    const password = system.getOrThrow(AppSystemProp.OPENOPS_ADMIN_PASSWORD);
+    const { token } = await authenticateUserInOpenOpsTables(
+      adminEmail,
+      password,
+    );
+
+    for (const record of users) {
+      if (record.email === adminEmail) {
+        continue;
+      }
+
+      await resetUserPassword(record.email, record.password, token);
+    }
+  }
+
+  public async down(_: QueryRunner): Promise<void> {
+    throw new Error('Rollback not implemented');
+  }
+}

packages/server/api/src/app/database/postgres-connection.ts

@@ -38,6 +38,7 @@ import { MigrateAiConfigToAppConnection1759242268873 } from './migrations/175924
 import { AddTestRunActionLimitsToFlowVersion1760429290001 } from './migrations/1760429290001-AddTestRunActionLimitsToFlowVersion';
 import { MoveTablesWorkspaceIdFromOrganizationToProject1760500000000 } from './migrations/1760500000000-MoveTablesWorkspaceIdFromOrganizationToProject';
 import { AddTablesDatabaseTokenToProject1763394159990 } from './migrations/1763394159990-AddTablesTokenToProject';
+import { MigrateTablesUserPassword1763755045436 } from './migrations/1763755045436-MigrateTablesUserPassword';
 
 const getSslConfig = (): boolean | TlsOptions => {
   const useSsl = system.get(AppSystemProp.POSTGRES_USE_SSL);
@@ -84,6 +85,7 @@ const getMigrations = (): (new () => MigrationInterface)[] => {
     AddTestRunActionLimitsToFlowVersion1760429290001,
     MoveTablesWorkspaceIdFromOrganizationToProject1760500000000,
     AddTablesDatabaseTokenToProject1763394159990,
+    MigrateTablesUserPassword1763755045436,
   ];
 };
 

packages/server/api/src/app/database/seeds/seed-admin.ts

@@ -1,3 +1,7 @@
+import {
+  authenticateUserInOpenOpsTables,
+  resetUserPassword,
+} from '@openops/common';
 import { AppSystemProp, logger, system } from '@openops/server-shared';
 import { OrganizationRole, Provider, User } from '@openops/shared';
 import { authenticationService } from '../../authentication/basic/authentication-service';
@@ -53,6 +57,7 @@ async function ensureUserExists(
       `Admin user already exists [${email}], updating their password`,
       email,
     );
+
     await upsertAdminPassword(user, password);
     return user;
   }
@@ -73,7 +78,11 @@ async function ensureUserExists(
     email,
   );
 
-  return createAdminUser(email, password);
+  user = await createAdminUser(email, password);
+  const { token } = await authenticateUserInOpenOpsTables(email, password);
+  await resetUserPassword(email, user.password, token);
+
+  return user;
 }
 
 async function ensureOpenOpsTablesWorkspaceAndDatabaseExist(): Promise<{
@@ -160,7 +169,14 @@ async function upsertAdminPassword(
 ): Promise<void> {
   const email = user.email;
   logger.info(`Updating password for admin [${email}]`, email);
-  await userService.updatePassword({ id: user.id, newPassword });
+
+  const updatedUser = await userService.updatePassword({
+    id: user.id,
+    newPassword,
+  });
+
+  const { token } = await authenticateUserInOpenOpsTables(email, newPassword);
+  await resetUserPassword(email, updatedUser.password, token);
 }
 
 async function upsertAdminEmail(user: User, email: string): Promise<void> {

packages/server/api/src/app/openops-tables/auth-admin-tables.ts

@@ -1,6 +1,7 @@
 import { authenticateUserInOpenOpsTables } from '@openops/common';
 import { AppSystemProp, cacheWrapper, system } from '@openops/server-shared';
 import { IAxiosRetryConfig } from 'axios-retry';
+import { userService } from '../user/user-service';
 
 export type AuthTokens = {
   token: string;
@@ -22,11 +23,11 @@ export async function authenticateAdminUserInOpenOpsTables(
 
   if (!tokens) {
     const email = system.getOrThrow(AppSystemProp.OPENOPS_ADMIN_EMAIL);
-    const password = system.getOrThrow(AppSystemProp.OPENOPS_ADMIN_PASSWORD);
+    const user = await userService.getUserByEmailOrFail({ email });
 
     tokens = await authenticateUserInOpenOpsTables(
       email,
-      password,
+      user.password,
       axiosRetryConfig,
     );
     await cacheWrapper.setSerializedObject(

packages/server/api/src/app/openops-tables/index.ts

@@ -1,5 +1,4 @@
 import { addUserToWorkspace } from './add-user-workspace';
-import { authenticateAdminUserInOpenOpsTables } from './auth-admin-tables';
 import { createDatabase } from './create-database';
 import { createDatabaseToken } from './create-database-token';
 import { createMcpEndpoint } from './create-mcp-endpoint';
@@ -29,5 +28,4 @@ export const openopsTables = {
   getMcpEndpointList,
   createMcpEndpoint,
   getWorkspaceByName,
-  authenticateAdminUserInOpenOpsTables,
 };