feat: historicized membership data model

[fontanierh]

Description

fixes https://github.com/dust-tt/tasks/issues/548

In #4521, we added startAt and endAt on the memberships table. The idea is to stop using the revoked role, and instead have a history of memberships so we can tell who was a member of what workspace at any given time.

Previous PR added the fields, the backfill script, and the BL to automatically fill startAt on membership creation and endAt on membership revoke. But everywhere in the app, we still use the revoked role instead of checking the endDate, and we still update memberships in-place.

This PR changes the memberships business logic to switch to historicized memberships, removing the need for the revoked status. We now have a MembershipResource that follows the resource pattern and centralizes usage of the memberships table (with one exception, the Poké workspace deletion flow).

Risk

Security critical
Quite risky as it touches the memberships.

Deploy Plan

• deploy the code
• run the migration script to clear the revoked status from the DB

[github-actions]

	Warnings
⚠️	Files in **/lib/models/ have been modified and the PR has the migration-ack label. Don't forget to run the migration from the -edge infrastructure.

Generated by 🚫 dangerJS against 7948601

[fontanierh]

I removed the update method from the BaseResource. Ideally, we don't want to have these update methods on resources since it's just exposing the Sequelize API on resources (and we're actively trying to strangle the use of Sequelize API within resources)

[fontanierh]

So in the meantime, the implementation was copypastad onto the resource classes that use it.

[philipperolet]

Ok; so afaiu:

• we always want to update resources;
• long term, the best is to have a clean (non-sequelized based) base method for update;
• in the meantime we basically havwe a pass-through sequelize;

So at some point we'll refactor all the updates. In what way is it cleaner to refactor the copy-pasted version in each resource, vs refactor the base_resource version + change the call sites?

[spolu]

ack

[fontanierh]

So at some point we'll refactor all the updates. In what way is it cleaner to refactor the copy-pasted version in each resource, vs refactor the base_resource version + change the call sites?

I don't think we will. Having a generic "update" is not desirable as it is a departure from the resource pattern. What we want is to have resource-specific methods that may perform updates. For example "revoke()" instead of "update({role: 'revoked'}".

[fontanierh]

Here we may be doing a bit of over-fetching if some members were revoked and re-invited several times. I believe this is fine since:

• the number of over-fetched stuff will be quite low
• it is not on a hot path
• it makes the code / querying a lot simpler

[spolu]

This is a hot path since it's called from getLatestMembershipOfUserInWorkspace which is called from login ?

[spolu]

I think the over-fetch is fine, but noting this is quite hot

[spolu]

Actually you don't get revoked memberships here do you?

[fontanierh]

Yes we do get the revoked memberships, it's this method's purpose vs getActiveMemberships.
The overfetching comes from getting the non-latest memberships, which IMO is fine.

[spolu]

First batch of comments.

Need more time to review. Let's try to have WorkspaceType or LightWorkspaceType in all interfaces of ressources 🙏

Will require minimal additional gymnastic but will set us up for a much better world.

[fontanierh]

@spolu

Need more time to review. Let's try to have WorkspaceType or LightWorkspaceType in all interfaces of ressources 🙏

Will require minimal additional gymnastic but will set us up for a much better world.

This is temporary as we'll have a workspace resource at some point. Once we get there we'll be fine but in the meantime we're going to have to either accept Workspace on just accept to take a ModelId

[spolu]

This is temporary as we'll have a workspace resource at some point. Once we get there we'll be fine but in the meantime we're going to have to either accept Workspace on just accept to take a ModelId

Agreed that we may have a big WorkspaceResource that spans Menbership management. But in the meantime I think it's a low cost change to Accept a LightWorkspaceType which has sId and id in these interface.

We just need to call something like renderLightWorkspaceFromModel(workspace: Workspace) that we can add in types or in lib/api/

[philipperolet]

Hey ! First pass, pushing coms now so you can check them, finishing the reveiw meanwhile

[philipperolet]

Ok; so afaiu:

• we always want to update resources;
• long term, the best is to have a clean (non-sequelized based) base method for update;
• in the meantime we basically havwe a pass-through sequelize;

So at some point we'll refactor all the updates. In what way is it cleaner to refactor the copy-pasted version in each resource, vs refactor the base_resource version + change the call sites?

[philipperolet]

nit: wouldn't that work?

const where: WhereOptions<InferAttributes<MembershipModel>> = {
      role: roles,
      userId: userIds ? { [Op.in]: userIds } : undefined,
      workspaceId: workspace ? workspace.id : undefined,
    };

[philipperolet]

and also a similar version for the function above

[fontanierh]

I believe it might, but I am not convinced that inline ternaries are bringing a lot of extra readability here.

[philipperolet]

Ok I understand;
I advocate for it because it turns 13 lines into 3, and while I agree that ternaries are hard to read in some cases e.g. when nested, flat ternaries are the equivalent of saying "hi" vs "good morning"; legit part of the language (that we commonly use) and we should learn to read them as fluently as as we learned to read the ifs

Clearly a nit, will approve anyway

[fontanierh]

Alright you flipped me :) changing

[philipperolet]

why not check that also on the function above? or globally via the GetMembershipOptions type (don't know if it is actually possible)

[fontanierh]

It's partially done by the type system, but sadly the type cannot easily check that the array is non-empty (unless you force the caller to always cast the array as non-empty for non-literal cases.

Indeed I should add it in the other method 🙏

[philipperolet]

oh ok. But if we accept userIds = [] with a workspace (and return [] in that case), why not accept it without a workspace and return [] too, and then remove the line above?

[fontanierh]

Workspace is either null or non-null, so it's easy to force it via type system

[spolu]

I thiink we want to have a getUserActiveMembership function to use in places of:

• getLatestMembershipOfUserInWorkspace (maybe except the membership update endpoint but TBD)
• getActiveMemberships with [userId] as argument

This will simplify many code places by removing the [0] derefs of getActiveMemberships and more importantly all the places where we check the endDate existence and logic (error prone yet security critical) outside of the Resource.

[spolu]

The type system does not catch that given RequireAtLeastOne ?

[fontanierh]

Cannot check for array emptiness

[fontanierh]

(at least not without making it quite painful on the caller side with a bunch of manual casts)

[spolu]

Should we prioritize end = null first and startAt second?

[fontanierh]

Technically equivalent, since you cannot create a new membership if there is already an overlapping one. If you have an active membership (i.e non-ended), it is necessarily the one with the greatest startAt, so it simplifies the code to only check for startAt.

[spolu]

This is a hot path since it's called from getLatestMembershipOfUserInWorkspace which is called from login ?

[spolu]

Actually you don't get revoked memberships here do you?

[spolu]

ack

[spolu]

I would be in favour of having a getActiveMenbership function to avoid the [0] deref. We'll likely need it in other places.

[fontanierh]

done

[spolu]

Wouldn't it be easier to have a getActiveUserMenbership function that returns a membership only if it has an active one for the workspace. Will abstract the error prone endAt checks inside the Resource?

[fontanierh]

as per IRL, we need it to put users in the right flow. Refactored with isRevoked()

[spolu]

Could also use getActiveUserMenbership kinda weird you use both getActiveMemberships and getLatestMembershipOfUserInWorkspace in this file?

[fontanierh]

Each case is different. Here we get all active memberships of a user (across all workspaces).

[spolu]

Other than the comments above generally LGTM.
Please requalify the Risk section of the pull request as: "Security critical"

Will make another review once finalised given the security criticality

[philipperolet]

Another little batch (would say 2/3)

[philipperolet]

Took me a while to gather what the code did. here we could

return memberships
   .reduce( (arr, v) => if !(arr.find( (a) => a.userId === v.userId && a.workpaceId === a.memberId)) arr.push(v) )
   .map( (resource) => new MembershipResource(MembershipModel, resource.get())

leveraging the fact that membership is already ordered
this would remove the need for orderedResourcesFromModels and for an intermediary map; wdyt?

[fontanierh]

Your version is less performant with O(n^2) complexity and IMHO less readable

[philipperolet]

On the perf side, I thought o(n^2) would not be a problem here, might have been a bit fast in that assesment I reckon 👍

On the readability, I'm genuinely surprised, this can make up for a good 80/20 debate :) 🍺

I get that you don't like "reduce", but to the point of creating a custom 6-line function, then 11 lines to turn an array into a map, that you will then turn back into an array?

16 lines (omitting the map line that is common to both solutions), whereas a 1-line reduce that directly says "add to the array if it isn't already there"

Obv will not block approval for this of course, but glad to discuss that on friday 👍

[philipperolet]

Here we may be doing a bit of over-fetching if some members were revoked and re-invited several times. I believe this is fine since:

the number of over-fetched stuff will be quite low
it is not on a hot path
it makes the code / querying a lot simpler

Re this comment above => is this still not on a hot path here? (or expected to be quick anyways)
just checking

[fontanierh]

might be a hot path after all with userIds.length === 1 . However the over fetching would be ridiculously small in such cases, and non-existent most of the time.

[philipperolet]

so not possible to update the endDate of a membership. Good for me since we probably don't have "future" endDates in code yet, so out of the PR scope (mentioning to confirm it's intentional)

[fontanierh]

No currently indeed, but would be relatively straight forward to add support for. Wanted to avoid introducing such capability without a clear need for it.

[philipperolet]

nit: basically toJSON = the business defined json, and toListJSON = the JSON with all the raw db fields?

=> would go with toRawJSON instead of toListJSON

[fontanierh]

toJson = SomethingType
toListJson = LightSomethingType

[fontanierh]

I'm going to remove them actually they don't make a ton of sense for this resource since we never really serialize it.

[philipperolet]

oooh so wasn't it toLightJSON? and not toListJSON ?
but yeah if we don't use it removing is best

[fontanierh]

cargo culted from other resources, but I agree toLightJson wouldn't be bad

[philipperolet]

Done, this was a large one, thanks 🙏 Mostly good for me, cf a few coms split on 3 reviews
We'll be better with that, worth it.

[philipperolet]

nit: remove 1 workspace

[fontanierh]

cleaned up

[philipperolet]

why do we delete find / add-user? is it sideways from the PR?

[fontanierh]

Kind of sideways yes. Some of the commands required refactoring for the new setup, and since all of these are dead code I figured I might just delete them so the total net diff is a little bit less green :)

[spolu]

LGTM

[spolu]

From the queries we use, shouldn't this be ["endAt", "startAt"] instead?

[fontanierh]

You are right (although in practice it's almost the same).
Will do in separate PR since this one has no migration (just moved this mode)