fix: identify users by GitHub user ID instead of access token (#307)

TooAngel · web-flow · commit 2e2247caabd9 · 2025-11-01T05:56:21.000Z
This prevents creation of duplicate user records when OAuth tokens change during token refresh, scope changes, or multiple logins. Changes: - Add githubUserId field to User model and database schema - Add User.findByGithubUserId() method - Update OAuth callback to fetch GitHub user info - Update existing users' tokens instead of creating duplicates - Create migration script to populate githubUserId for existing users - Add unique index on githubUserId field Benefits: - One user record per GitHub user (no duplicates) - Automatic token updates without losing repository associations - Better security and data integrity - Simplified user management Closes #289
diff --git a/scripts/migrate-user-github-ids.js b/scripts/migrate-user-github-ids.js
@@ -0,0 +1,209 @@
+#!/usr/bin/env node
+
+import {
+  database,
+  client,
+  connectionPromise,
+} from '../src/database/database.js';
+
+/**
+ * Fetch GitHub user info using an access token
+ * @param {string} accessToken
+ * @returns {Promise<{id: number, login: string} | null>}
+ */
+async function fetchGitHubUser(accessToken) {
+  try {
+    const response = await fetch('https://api.github.com/user', {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: 'application/vnd.github.v3+json',
+      },
+    });
+
+    if (!response.ok) {
+      console.error(
+        `Failed to fetch GitHub user: ${response.status} ${response.statusText}`
+      );
+      return null;
+    }
+
+    const user = await response.json();
+    return { id: user.id, login: user.login };
+  } catch (error) {
+    console.error('Error fetching GitHub user:', error);
+    return null;
+  }
+}
+
+async function migrateDatabase() {
+  try {
+    // Wait for database connection to be established
+    await connectionPromise;
+
+    console.log('[MIGRATION] Checking user GitHub ID migration status...');
+
+    // Check if migration is already complete
+    const usersWithoutGithubId = await database.users
+      .find({ githubUserId: { $exists: false } })
+      .toArray();
+
+    if (usersWithoutGithubId.length === 0) {
+      console.log(
+        '[MIGRATION] ✅ Already migrated - all users have githubUserId field'
+      );
+      return { alreadyMigrated: true, usersUpdated: 0 };
+    }
+
+    console.log(
+      `[MIGRATION] Found ${usersWithoutGithubId.length} users without githubUserId to migrate`
+    );
+
+    const usersByGithubId = new Map();
+    const failedUsers = [];
+
+    // Fetch GitHub user IDs for existing users
+    for (const user of usersWithoutGithubId) {
+      console.log(`[MIGRATION] Processing user ${user._id}...`);
+
+      const githubUser = await fetchGitHubUser(user.githubAccessToken);
+
+      if (!githubUser) {
+        console.warn(
+          `[MIGRATION]   ⚠️  Could not fetch GitHub user info for user ${user._id} (token may be expired)`
+        );
+        failedUsers.push(user);
+        continue;
+      }
+
+      console.log(
+        `[MIGRATION]   ✓ Found GitHub user: ${githubUser.login} (ID: ${githubUser.id})`
+      );
+
+      // Track users by GitHub ID to find duplicates
+      if (!usersByGithubId.has(githubUser.id)) {
+        usersByGithubId.set(githubUser.id, []);
+      }
+      usersByGithubId.get(githubUser.id).push({
+        ...user,
+        githubUserId: githubUser.id,
+        githubLogin: githubUser.login,
+      });
+    }
+
+    // Process users: update or merge duplicates
+    let updatedCount = 0;
+    let mergedCount = 0;
+
+    for (const [githubUserId, users] of usersByGithubId.entries()) {
+      if (users.length === 1) {
+        // Single user - just update
+        const user = users[0];
+        await database.users.updateOne(
+          { _id: user._id },
+          {
+            $set: {
+              githubUserId: githubUserId,
+              updatedAt: new Date(),
+            },
+          }
+        );
+        updatedCount++;
+        console.log(
+          `[MIGRATION]   ✓ Updated user ${user._id} with githubUserId ${githubUserId}`
+        );
+      } else {
+        // Multiple users with same GitHub ID - merge them
+        console.log(
+          `[MIGRATION]   ⚠️  Found ${users.length} duplicate users for GitHub ID ${githubUserId}`
+        );
+
+        // Keep the most recently updated user
+        const sortedUsers = users.sort(
+          (a, b) => b.updatedAt.getTime() - a.updatedAt.getTime()
+        );
+        const keepUser = sortedUsers[0];
+        const deleteUsers = sortedUsers.slice(1);
+
+        // Update the keeper with githubUserId
+        await database.users.updateOne(
+          { _id: keepUser._id },
+          {
+            $set: {
+              githubUserId: githubUserId,
+              updatedAt: new Date(),
+            },
+          }
+        );
+
+        // Delete duplicate users
+        for (const user of deleteUsers) {
+          await database.users.deleteOne({ _id: user._id });
+          console.log(`[MIGRATION]     • Deleted duplicate user ${user._id}`);
+        }
+
+        mergedCount += deleteUsers.length;
+        console.log(
+          `[MIGRATION]   ✓ Kept user ${keepUser._id}, deleted ${deleteUsers.length} duplicates`
+        );
+      }
+    }
+
+    console.log('\n[MIGRATION] Migration summary:');
+    console.log(`[MIGRATION]   • Updated: ${updatedCount} users`);
+    console.log(`[MIGRATION]   • Merged: ${mergedCount} duplicate users`);
+    console.log(
+      `[MIGRATION]   • Failed: ${failedUsers.length} users (expired tokens)`
+    );
+
+    if (failedUsers.length > 0) {
+      console.log(
+        '\n[MIGRATION] Users with expired tokens (will be updated on next login):'
+      );
+      for (const user of failedUsers) {
+        console.log(`[MIGRATION]   - ${user._id}`);
+      }
+    }
+
+    // Create unique index on githubUserId
+    console.log('\n[MIGRATION] Creating unique index on githubUserId...');
+    try {
+      await database.users.createIndex(
+        { githubUserId: 1 },
+        { unique: true, sparse: true }
+      );
+      console.log('[MIGRATION]   ✓ Index created successfully');
+    } catch (error) {
+      if (error.code === 85) {
+        console.log('[MIGRATION]   • Index already exists, skipping');
+      } else {
+        throw error;
+      }
+    }
+
+    console.log('\n[MIGRATION] ✓ User GitHub ID migration complete!');
+  } catch (error) {
+    console.error(
+      '[MIGRATION] ❌ User GitHub ID migration failed:',
+      error.message
+    );
+    throw error;
+  }
+}
+
+// Only close client if run directly (not imported)
+if (import.meta.url === `file://${process.argv[1]}`) {
+  migrateDatabase()
+    .then(() => {
+      console.log('[MIGRATION] Migration completed successfully');
+      process.exit(0);
+    })
+    .catch(error => {
+      console.error('[MIGRATION] Unexpected error:', error);
+      process.exit(1);
+    })
+    .finally(() => {
+      client.close();
+    });
+}
+
+export { migrateDatabase };
diff --git a/src/database/database.js b/src/database/database.js
@@ -8,6 +8,7 @@ export const client = new MongoClient(url);
 /**
  * @typedef {object} User
  * @property {import("mongodb").ObjectId} [_id]
+ * @property {number} githubUserId - GitHub user ID (stable identifier)
  * @property {string} githubAccessToken
  * @property {Date} createdAt
  * @property {Date} updatedAt
diff --git a/src/database/models.js b/src/database/models.js
@@ -7,6 +7,7 @@ export const User = {
   /**
    * Create a new user
    * @param {object} userData
+   * @param {number} userData.githubUserId - GitHub user ID (stable identifier)
    * @param {string} userData.githubAccessToken
    * @returns {Promise<import('./database.js').User>}
    */
@@ -39,6 +40,15 @@ export const User = {
     return await database.users.findOne({ githubAccessToken });
   },
 
+  /**
+   * Find user by GitHub user ID
+   * @param {number} githubUserId
+   * @returns {Promise<import('./database.js').User|null>}
+   */
+  async findByGithubUserId(githubUserId) {
+    return await database.users.findOne({ githubUserId });
+  },
+
   /**
    * Find all users
    * @returns {Promise<import('./database.js').User[]>}
diff --git a/src/index.js b/src/index.js
@@ -28,6 +28,7 @@ import {
 } from './helpers/installationHandler.js';
 import { removePatAuthentication } from '../scripts/remove-pat-auth.js';
 import { removeConfiguredField } from '../scripts/remove-configured-field.js';
+import { migrateDatabase as migrateUserGithubIds } from '../scripts/migrate-user-github-ids.js';
 
 const mongoSessionStore = MongoStore.create({
   clientPromise: client.connect(),
@@ -59,6 +60,16 @@ async function startServer() {
     // Continue anyway - migration failure shouldn't prevent app startup
   }
 
+  try {
+    await migrateUserGithubIds();
+  } catch (error) {
+    console.error(
+      '[STARTUP] Failed to run user GitHub ID migration:',
+      error.message
+    );
+    // Continue anyway - migration failure shouldn't prevent app startup
+  }
+
   const app = express();
 
   // Setup Vite middleware for development
@@ -161,9 +172,40 @@ async function startServer() {
         return res.redirect('/');
       }
 
-      let user = await User.findByGithubToken(data.access_token);
-      if (!user) {
+      // Fetch GitHub user info to get the user ID
+      const githubUserResponse = await fetch('https://api.github.com/user', {
+        headers: {
+          Authorization: `Bearer ${data.access_token}`,
+          Accept: 'application/vnd.github.v3+json',
+        },
+      });
+
+      if (!githubUserResponse.ok) {
+        console.error(
+          'Failed to fetch GitHub user info:',
+          githubUserResponse.status,
+          githubUserResponse.statusText
+        );
+        return res.redirect('/');
+      }
+
+      const githubUser = await githubUserResponse.json();
+      if (!githubUser.id) {
+        console.error('GitHub user response missing ID');
+        return res.redirect('/');
+      }
+
+      // Find user by GitHub user ID
+      let user = await User.findByGithubUserId(githubUser.id);
+      if (user) {
+        // Update existing user's access token
+        user = await User.update(user._id, {
+          githubAccessToken: data.access_token,
+        });
+      } else {
+        // Create new user with GitHub user ID and access token
         user = await User.create({
+          githubUserId: githubUser.id,
           githubAccessToken: data.access_token,
         });
       }
