()
| 92 | } |
| 93 | |
| 94 | export async function runBackfill(): Promise<void> { |
| 95 | const dryRun = process.argv.includes('--dry-run') |
| 96 | |
| 97 | const connectionString = process.env.POSTGRES_URL ?? process.env.DATABASE_URL |
| 98 | if (!connectionString) { |
| 99 | console.error('Missing POSTGRES_URL or DATABASE_URL environment variable') |
| 100 | process.exit(1) |
| 101 | } |
| 102 | |
| 103 | const apiEncryptionKey = process.env.API_ENCRYPTION_KEY ?? null |
| 104 | if (!apiEncryptionKey) { |
| 105 | console.warn( |
| 106 | 'API_ENCRYPTION_KEY is not set. Rows whose stored key is encrypted will fail to decrypt. ' + |
| 107 | 'Only rows whose stored key is already plain text will be backfilled in this run.' |
| 108 | ) |
| 109 | } else if (apiEncryptionKey.length !== 64) { |
| 110 | console.error('API_ENCRYPTION_KEY must be a 64-character hex string (32 bytes)') |
| 111 | process.exit(1) |
| 112 | } |
| 113 | |
| 114 | assertCryptoRoundTrip(apiEncryptionKey) |
| 115 | |
| 116 | const postgresClient = postgres(connectionString, { |
| 117 | prepare: false, |
| 118 | idle_timeout: 20, |
| 119 | connect_timeout: 30, |
| 120 | max: 5, |
| 121 | onnotice: () => {}, |
| 122 | }) |
| 123 | const db = drizzle(postgresClient) |
| 124 | |
| 125 | const stats: BackfillStats = { |
| 126 | scanned: 0, |
| 127 | updated: 0, |
| 128 | skippedEncryptedNoKey: 0, |
| 129 | failed: 0, |
| 130 | } |
| 131 | |
| 132 | try { |
| 133 | const [{ count: pendingBefore }] = await db |
| 134 | .select({ count: sql<number>`count(*)::int` }) |
| 135 | .from(apiKey) |
| 136 | .where(isNull(apiKey.keyHash)) |
| 137 | |
| 138 | console.log( |
| 139 | `Backfill starting — ${pendingBefore} row(s) with NULL key_hash${dryRun ? ' [DRY RUN]' : ''}` |
| 140 | ) |
| 141 | |
| 142 | for (;;) { |
| 143 | const rows = await db |
| 144 | .select({ id: apiKey.id, key: apiKey.key }) |
| 145 | .from(apiKey) |
| 146 | .where(isNull(apiKey.keyHash)) |
| 147 | .limit(BATCH_SIZE) |
| 148 | |
| 149 | if (rows.length === 0) break |
| 150 | |
| 151 | await Promise.all( |
no test coverage detected