cleanup: drop retired login and auth schema residue #308

New issue

Closed

opened 2026-05-11 19:19:07 +00:00 by barrettruth · 0 comments

barrettruth commented 2026-05-11 19:19:07 +00:00

Owner

Copy link

Parent: #305

Problem

The app login flow is gone, but the active schema and setup scripts still imply password/TOTP/WebAuthn/recovery/session infrastructure. scripts/setup.sh still asks for a password even though the seed path no longer needs app-login credentials.

Current residue

• users.passwordHash, totpSecret, and totpEnabled
• webauthn_credentials
• recovery_codes
• sessions
• accounts if it is only a leftover login/OAuth table rather than the Google sync provider model
• password prompts in setup/seed scripts
• tests that only prove removed login behavior is hidden

Solution

Collapse auth to the current single-owner/API-key contract:

• keep only the fields needed for owner identity, API key, and provider sync ownership
• remove password/TOTP/WebAuthn/recovery/session schema and tests that no longer correspond to a live feature
• make setup bootstrap the owner/API key without asking for dead credentials
• keep Google provider OAuth separate from app authentication

Acceptance criteria

• Setup no longer asks for an unused password.
• Active schema no longer exports retired login tables/columns.
• Auth/core tests describe the single-owner API-key behavior, not removed login flows.
• Google provider OAuth issues (#290, #123, #291) still have a clear token-storage path.

Parent: #305 ## Problem The app login flow is gone, but the active schema and setup scripts still imply password/TOTP/WebAuthn/recovery/session infrastructure. `scripts/setup.sh` still asks for a password even though the seed path no longer needs app-login credentials. ## Current residue - `users.passwordHash`, `totpSecret`, and `totpEnabled` - `webauthn_credentials` - `recovery_codes` - `sessions` - `accounts` if it is only a leftover login/OAuth table rather than the Google sync provider model - password prompts in setup/seed scripts - tests that only prove removed login behavior is hidden ## Solution Collapse auth to the current single-owner/API-key contract: - keep only the fields needed for owner identity, API key, and provider sync ownership - remove password/TOTP/WebAuthn/recovery/session schema and tests that no longer correspond to a live feature - make setup bootstrap the owner/API key without asking for dead credentials - keep Google provider OAuth separate from app authentication ## Acceptance criteria - Setup no longer asks for an unused password. - Active schema no longer exports retired login tables/columns. - Auth/core tests describe the single-owner API-key behavior, not removed login flows. - Google provider OAuth issues (#290, #123, #291) still have a clear token-storage path.

barrettruth added this to the v0.1.0 milestone 2026-05-11 19:19:07 +00:00

barrettruth added the

track:core

type:cleanup

labels 2026-05-11 19:19:07 +00:00

barrettruth referenced this issue 2026-05-11 19:20:49 +00:00

tracker: blank-start cleanup and foundation migration #305

barrettruth referenced this issue from a pull request that will close it, 2026-05-11 20:22:10 +00:00

cleanup: drop retired auth schema #351

barrettruth closed this issue 2026-05-11 20:29:58 +00:00

barrettruth referenced this issue from a commit 2026-05-11 20:29:59 +00:00

cleanup: drop retired auth schema (#351)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

feat/software-sync

ship/delta-codex-skill

fix/cli-filter-args

fix-calendar-g-leader-shortcuts

harden-keyboard-capture

fix-queue-gc-hard-refresh

fix/task-panel-scroll-restoration

fix/calendar-quick-add-preview-stability

fix/467-local-first-shortcuts

docs/nixos-self-hosting-first-pass

calendar-elapsed-events

calendar-active-day-blue

calendar-outline-no-fill

calendar-neutral-day-state

fix-calendar-drag-visual-position

issue-364-task-api-route-adapters

issue-362-manpage-drift

issue-315-geocoding-config

release/cli-0.0.5

release/cli-0.0.4

fix/task-panel-save-atomicity

settings-modal

feat/add-task-external-links

feat/reminder-transport-settings

feat/reminder-foundation

build/oidc-release-pipeline

fix/settings-cleanup

fix/remove-oauth-config-ui

cli-v0.0.6

cli-v0.0.5

cli-v0.0.4

nightly-20260426

cli-v0.0.2

Labels

Clear labels   

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

status:blocked

Blocked on a decision, credential, or external dependency

  

track:api

API layer track

  

track:auto

Automation track

  

track:core

Core engine track

  

track:deploy

Deployment track

  

track:infra

Infrastructure track

  

track:ui

Web UI track

  

type:cleanup

Small cleanup, polish, or consolidation work

  

type:docs

Documentation and operator guidance

  

type:epic

Umbrella issue that coordinates related work

  

type:release

Release, packaging, and versioning work

  

type:research

Decision or investigation work before implementation

  

wontfix

This will not be worked on

No labels

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

status:blocked

track:api

track:auto

track:core

track:deploy

track:infra

track:ui

type:cleanup

type:docs

type:epic

type:release

type:research

wontfix

Milestone

Clear milestone

No items

No milestone

v0.1.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

barrettruth/delta#308

No description provided.