feat: secu migrate to user uuid

2025-08-21 13:54:13 +02:00
parent ef16c73625
commit 578f0858e8
12 changed files with 532 additions and 70 deletions
--- a/scripts/init.sql
+++ b/scripts/init.sql
@@ -1,3 +1,6 @@
+-- Enable UUID extension for secure user identification
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
 -- Create enum for skill levels
 CREATE TYPE skill_level_enum AS ENUM ('never', 'not-autonomous', 'autonomous', 'expert');

@@ -38,15 +41,19 @@ CREATE TABLE skill_links (
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );

-- Users table
+-- Users table with UUID primary key for security
+-- UUIDs prevent user enumeration attacks (vs sequential IDs 1,2,3...)
 CREATE TABLE users (
-    id SERIAL PRIMARY KEY,
+    id SERIAL, -- Legacy ID kept for backward compatibility during migration
+    uuid_id UUID DEFAULT uuid_generate_v4() NOT NULL,
    first_name VARCHAR(100) NOT NULL,
    last_name VARCHAR(100) NOT NULL,
    team_id VARCHAR(50) REFERENCES teams(id),
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(first_name, last_name, team_id)
+    PRIMARY KEY (uuid_id),
+    UNIQUE(first_name, last_name, team_id),
+    UNIQUE(uuid_id)
 );

 -- ========================================
@@ -56,10 +63,11 @@ CREATE TABLE users (
 -- User evaluations - metadata about user's evaluation session
 CREATE TABLE user_evaluations (
    id SERIAL PRIMARY KEY,
-    user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+    user_id INTEGER, -- Legacy column kept for backward compatibility
+    user_uuid UUID REFERENCES users(uuid_id) ON DELETE CASCADE,
    last_updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(user_id)
+    UNIQUE(user_uuid)
 );

 -- Skill evaluations - direct relationship between user and skill
@@ -93,7 +101,9 @@ CREATE INDEX idx_skills_category_id ON skills(category_id);
 CREATE INDEX idx_skill_links_skill_id ON skill_links(skill_id);
 CREATE INDEX idx_users_team_id ON users(team_id);
 CREATE INDEX idx_users_unique_person ON users(first_name, last_name, team_id);
-CREATE INDEX idx_user_evaluations_user_id ON user_evaluations(user_id);
+CREATE INDEX idx_users_uuid_id ON users(uuid_id); -- Index on UUID for performance
+CREATE INDEX idx_user_evaluations_user_uuid ON user_evaluations(user_uuid);
+CREATE INDEX idx_user_evaluations_user_id ON user_evaluations(user_id); -- Legacy index
 CREATE INDEX idx_skill_evaluations_user_evaluation_id ON skill_evaluations(user_evaluation_id);
 CREATE INDEX idx_skill_evaluations_skill_id ON skill_evaluations(skill_id);
 CREATE INDEX idx_skill_evaluations_is_selected ON skill_evaluations(is_selected);
@@ -138,7 +148,7 @@ SELECT
    se.updated_at
 FROM users u
 JOIN teams t ON u.team_id = t.id
-JOIN user_evaluations ue ON u.id = ue.user_id
+JOIN user_evaluations ue ON u.uuid_id = ue.user_uuid
 JOIN skill_evaluations se ON ue.id = se.user_evaluation_id
 JOIN skills s ON se.skill_id = s.id
 JOIN skill_categories sc ON s.category_id = sc.id;