[Schema] Session Sharing - Database Schema & Access Control #37

Closed
opened 2026-02-07 22:47:01 +00:00 by chihlasm · 1 comment
chihlasm commented 2026-02-07 22:47:01 +00:00 (Migrated from github.com)

Overview

Implement session share token schema for read-only session sharing with configurable access control (public vs account-only).

Design Document

See: docs/plans/2026-02-07-foundational-schema-design.md (Part 3)

Database Changes

Migration 023: Add Session Sharing

New table: session_shares

  • Token-based share links
  • Visibility control (public/account-only)
  • Optional expiration
  • Soft revocation (is_active)
  • View count tracking (deprecated by session_share_views)

New table: session_share_views

  • Detailed view analytics
  • Track viewer identity (for account-only shares)
  • Track IP, user agent, timestamp

New column on accounts:

  • allow_public_shares (Boolean, default true)

Key Features

  • Token generation: secrets.token_urlsafe(48) with collision retry
  • Access control: Public (no auth) vs Account-only (requires membership)
  • Account policy: Admins can disable public sharing
  • Multiple shares: One session can have many active share links
  • View tracking: Detailed analytics on who accessed shares

Cascade Behaviors

  • Session deleted → shares CASCADE deleted
  • Share deleted → views CASCADE deleted
  • Viewer (User) deleted → viewer_id SET NULL (preserve analytics)

Indexes

session_shares:

  • session_id, share_token (unique), created_by, expires_at, is_active

session_share_views:

  • share_id, viewer_id, viewed_at

Acceptance Criteria

  • Migration 023 created and tested
  • SessionShare model implemented
  • SessionShareView model implemented
  • Token generation with retry logic
  • Access control validation (public vs account)
  • Account policy enforcement
  • View tracking records created correctly
  • Cascade deletes work as designed
  • All indexes created

Part of foundational schema work (Issue #15)

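Added example, not code from PR #39 or the resolutionflow repository: a minimal sketch of the token generation with collision retry and the access decision listed under Key Features. The `Share` dataclass, the `"public"`/`"account"` visibility values, the reason strings, the retry budget of 5 and the choice to enforce `allow_public_shares` at view time are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_TOKEN_ATTEMPTS = 5  # assumed retry budget; the issue gives no number


def new_share_token(existing: set) -> str:
    """secrets.token_urlsafe(48) with collision retry against known tokens."""
    for _ in range(MAX_TOKEN_ATTEMPTS):
        token = secrets.token_urlsafe(48)  # 48 random bytes -> 64 URL-safe chars
        if token not in existing:
            existing.add(token)
            return token
    raise RuntimeError("could not allocate a unique share token")


@dataclass
class Share:  # in-memory stand-in for a session_shares row (assumed shape)
    share_token: str
    account_id: int
    visibility: str                       # "public" or "account" (assumed values)
    is_active: bool = True                # soft revocation flag
    expires_at: Optional[datetime] = None


def check_access(share, presented_token, allow_public_shares,
                 viewer_account_ids=None, now=None):
    """Return (allowed, reason). viewer_account_ids is None for anonymous viewers."""
    now = now or datetime.now(timezone.utc)
    # Constant-time comparison of the presented token with the stored one.
    if share is None or not secrets.compare_digest(
            share.share_token.encode(), presented_token.encode()):
        return False, "not_found"
    if not share.is_active:
        return False, "revoked"
    if share.expires_at is not None and now >= share.expires_at:
        return False, "expired"
    if share.visibility == "public":
        # Assumption: account policy is enforced at view time, not only at creation.
        return (True, "ok") if allow_public_shares else (False, "public_disabled")
    if share.visibility == "account":
        if viewer_account_ids is None:
            return False, "login_required"
        ok = share.account_id in viewer_account_ids
        return (True, "ok") if ok else (False, "not_member")
    return False, "unknown_visibility"  # fail closed on unexpected values
```
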
chihlasm commented 2026-02-08 00:40:52 +00:00 (Migrated from github.com)

Completed in PR #39. Migration 023 adds session_shares and session_share_views tables plus allow_public_shares on accounts. Includes token generation, public/account-scoped visibility, view tracking, expiration support, cascade deletes, and rate limiting on public access. 12 passing tests.

Reference: chihlasm/resolutionflow#37