Database Schema

[confused-Techie]

EDIT::
Alright, seems we have reached a decision on the final schema of the database, and any further modifications, will likely need to come during a 2.0 release of the backend, to allow this version to become completed.

Below will be the finalized version of this schema.

names

name	data type	details	content
name	text	Primary key of names	The text name of the package
pointer	uuid	Foriegn key referencing packages	references the package pointer

stars

name	data type	details	content
package	uuid	TDB type of key	references the packages pointer
user	uuid	TDB type of key	references the users UUID

users

name	data type	details	content
uuid	uuid	Primary key	UUID generated for the user, unique among all users
created_at	timestamp	''	Epoch based timestamp of when the account was created
username	text	''	Username of the user, initially could be linked to the user name used to create the account. But later may be modifiable
token	text	''	A hashed version of their OAuth token, to allow comparison later on when verifying user login
avatar	text	''	A URL that links to the avatar, in the future should be modifiable, but for now can link to the users gravatar
data	jsonb	''	Spare object to allow additional storage, that currently may not be in use.

packages

name	data type	details	content
pointer	uuid	primary key	The UUID of the package.
name	text	''	The text of the package name itself.
created	timestamp	''	An epoch timestamp of when the package was created.
updated	timestamp	''	Epoch timestamp of when the package was last updated.
creation_method	text	''	Text based message indicating how the package was created.
downloads	bigint	''	Count of the downloads of the package
stargazers_count	bigint	''	Count of the stars a package has received. Derived from the count from stars and updated when modified.
data	jsonb	''	Rest of the packages data, containing the readme, and any other data that does not fit. Could even be updated, to be the detailed return of a pacakge, when that data is modified, to allow faster return during queries.

versions

name	data type	details	content
id	integer	primary key	Auto-Incrementing integer for each version of each package published.
package_id	uuid	foreign key	UUID refernece to the packages uuid
status	enum	''	Text representation of its status. Could currently use latest, published but really that data will currently be determined by the id of the field, since its auto incrementing nature, allows easy historical sorting. But once beta packages are supported, could indicate this.
semver	varchar(256)	''	Actual semver of the new version.
engine	jsonb	''	The engine object from the package.json
license	varchar(256)	''	The License of the specific package.
meta	jsonb	''	A JSON blob of the full object. Including information that doesn't fit nicely in here, as well as the data here.

Beyond this, some other choices that have been made via or since the creation of this thread.

Authentication

While originally the token was stored in the DB unencrypted, intended to be kept safe by the DB protections, the plan then became to force users to pass PAT tokens during each request, but finally, the best method or at least decided on one now, is to hash these tokens in the DB, and compare the hashed tokens to the ones in the DB when passed them. If it matches we can confirm a login, and then operate with the in memory token to complete any requests needed.

Otherwise feel free to update this with any other needed data that fits this schema. Thanks to everyone that helped to make these choices, and the fantastic PR's that already exist to integrate with them. If those more familiar with SQL want to try and replace all data.js and users.js functions with queries that return the same amount of information I can begin the consumption of them. If how the data will be returned is not obvious, a comment detailing such would be highly appreciated. Otherwise we are close to finishing a beta version 1.0.0, fantastic work to everyone.

---

So our discussion over on #33 has become quite long, and I feel we are reaching a conclusion and wanted an easier format to track the communication. @Digitalone1 @mauricioszabo

Thought that it may be a good idea to layout how the database schema is currently created.

packages

Column Name	Column Data Type	Column Contents
pointer	uuid	A server side generated UUIDv4. That cannot conflict with any others.
data	jsonb	The full collection of all package data stored as JSON.

pointers

Column Name	Column Data Type	Column Contents
name	text	The basic name of the package.
pointer	uuid	The same uuid as shown within packages.

stars

Column Name	Column Data Type	Column Contents
packagepointer	uuid	The UUID referenced from a package.
userid	integer	The ID of the user that stared the package

users

Column Name	Column Data Type	Column Contents
id	bigint	Auto-Incrementing ID of the user.
pulsartoken	character varying (256)	A randomly generated token thats unique to this user.
githubtoken	character varying (256)	The token provided via GitHub OAuth
created_at	bigint	A epoch datetime of when the account was created.
data	jsonb	While NOT currently used for anything intended to hold data we may want to use in the future.
username	character varying (256)	The UserName retrieved from GitHub

Obviously this format caused a lot of concern and sparked a lot of discussion. I kept modifying and recreating as we talked, and kept changing the code. But I have soon realized just how big of an overhaul this type of change will be to the code base, and want to work to definitively decide on the schema before continuing. So that we all are on the same page, and ideally work can be done together to migrate the codebase to the schema we eventually decide on.

Listed below are certain considerations and interactions with the Database that have been discussed and are likely the best going forward:

• While the status row of the package_versions table is redundant, I feel it will be important to keep once we decide to support alpha, beta tags of packages, otherwise for the meantime, while these should still be updated, for finding the most recent package, or creating a history of package updates, the AUTO-INCREMENTING ID should be prioritized as the newest version.
• The stargazers_count row of packages will do its best to be accurate, but otherwise is more an estimation of total stars a package has received. When a package is starred, its entry should be added to the stars table, then all items of that table are counted that apply to the specific package, this number then replaces whatever is present in stargazers_count. While this may have some edge cases where its count is slightly off, it doesn't seem of the most important to always have this number be correct.

While I know my decision to use the pointer system may seem foreign, its in a goal to keep true to upstream functionality that I would like to preserve. That will be laid out below as well as some other considerations we should take going forward.

• The package name is permanent. This means that if I create todo-package one day, and the next decide to rename that package to todo-helper anybody that says to install or follows a link to todo-package will be automatically linked to todo-helper. Forever and always, now of course package deletion should free up the namespace, but thats a consideration on how to delete a package fully.
• Currently the username will mirror the one from GitHub. This comes from Atoms strong reliance on GitHub. But I do agree with what has been said that this shouldn't always be the case. That one day it'd be nice to support multiple git providers, and in that means I also agree it would be nice to be more open in general, specifically to changing the username a user has on the Pulsar account. Meaning that the username is non-static, and non-permanent.
• With the amount of work it'll take to rewrite the codebase to support SQL and the different fields already, it seems best that we normalize as much as needed at this time, rather than push the can down the road as they say. So we should normalize whats needed, but not unnecessarily, I would like to prevent unneeded normalization because the results will have to be turned into JSON every time we want to give it to the end user. Which could add cost to the project for no good reason.
• Finally it has been brought up again and again in various chats that we shouldn't touch auth. And originally I didn't see a way around that, since thats not how Atom did it, and we don't want any breaking changes at this time. But a great point was brought out that we don't need breaking changes to change auth, simply we let the user provide their PAT token directly from GitHub. Meaning we just pass along the provided token on any auth based requests. This does mean we will query GitHub more often for local auth against package modification, but the flip side would be the possibility of getting a users account compromised if we make a mistake and hurting trust in Pulsar. So really I hope we don't have to touch authentication with a ten foot poll.

With all of that said, I've looked over previous suggestions, and current implementations and want to purpose a final schema for the database.

The Following tables have been modified since original posting to include new additions & decisions

names

Column Name	Column Data Type	Column Contents
name	text	The standard text of the package this pointer links to
pointer	uuid	A Reference to the packages pointer

stars

Column Name	Column Data Type	Column Contents
package	uuid	Reference to the packages pointer.
user	uuid	Reference to the users UUID

users

Column Name	Column Data Type	Column Contents
uuid	uuid	A UUID Generated for the user, unique among all users and is the primary key.
created_at	timestamp	A epoch based timestamp of when the account was created.
username	text	The Username of the user, initially could be linked to the user name used to create the account, but later should be modifiable
service_id	text	The Unique ID of the user on the service they authenticated with.
avatar	text	A URL that links to the avatar, in the future should be modifiable but for now can link to the users gravatar
auth	text	This would be a predetermined auth string that defines how the user authenticates. Like "github", "gitlab"
data	jsonb	Again a spare object to hold any extra data we deem to be important.

packages

Column Name	Column Data Type	Column Contents
pointer	uuid	The UUID for the package
name	text	The text of the package itself.
created	timestamp	An epoch timestamp of when the package was created.
updated	timestamp	An epoch timestamp of when the package was last updated.
creation_method	text	A Text based message indicated how the package was created.
downloads	bigint	A count of the downloads of a package
stargazers_count	bigint	A count of the stars a package has received.
data	jsonb	The rest of the packages data, containing all versions and the readme.

versions

Column Name	Column Data Type	Column Contents
id	integer	An Auto-Incrementing integer to serve as the primary key of each version published.
package_id	uuid	The UUID reference to the packages uuid. Serving as the foreign key.
status	text	The text representation of its status. Ex. latest, published, removed. Or for future use beta, dev
semver	varchar (256)	The actual semver of the new version.
engine	jsonb	The engine object from the package.json.
license	varchar (256)	The License of the specific package.
meta	jsonb	A JSON blob of the full object. Including information that doesn't fit nicely in here, as well as the data here.

Why:

To outline why I feel this would be the best schema going forward is a few points.

• Allows the package name to change while still always pointing to the original package.
• Allows the auth to be handed off to GitHub or whoever. When the user needs to authenticate, We can pass the PAT token asking for the identify of the user, when the identify is found, we check our database for that users service_id if found we ensure that their auth method aligns with the service we have checked. Now this may need to be reworked once we support other methods, like providing a username as well, but this would work for just GitHub for now. And would allow us to never store any auth information for the user, while still having unique user accounts.
• This also allows as much normalization of the packages as possible while still keeping minimal creating the JSON data on the fly.

Considerations:

The biggest consideration is about Auth. If we never store any auth info, how do we create user accounts?

Well we could still setup OAuth on the website and collect our information during that time, but that still would require the user to pass their PAT token during subsequent requests. And negates the functionality of revoking access via OAuth. Plus it makes staying logged in or logging in again on the browser a pain. Since we can't store the logged in state, unless we have potentially problematic session storage specifying a user id, that could be maliciously used in the future.

Then we may need the user to sign up via OAuth, and immediately provide a PAT token, which we could implement as part of the sign up flow, which may not be to bad, and could really be explained as more of a feature, specifying that it is needed because we don't want to leak any sensitive credentials, and then we just store the PAT token in the local session storage.

Lastly I know it was mentioned to normalize the package versions, and while there is a single endpoint on the backend that does sort through these, I feel it may not be worth it to normalize this field for the single endpoint (that I never saw used in the actual APM code) while having to then recreate the JSON data with it for EVERY endpoint. It seems it'd be more cost effective to parse through it the single time its needed, and otherwise just be able to return it as JSON data the rest of the time.

Common Scenarios

Now I know there are some questions about common flows and how they are handled, and while they may have been answered previously thought it'd be good to summarize some info I've put out previously here.

Create a Package:

When a user attempts to create a package, first we verify the auth. The same way as mentioned about, using the provided PAT token to check the user identity, once the unique ID is found on the service, thats checked against all unique ID's in our db, and if the service used matches then we have our user. From there we take the owner/repo provided in the query parameter and check it against GitHub, using GitHub's API's we check if they have write permissions to the repo. If they do, we can generate the UUID, and take whatever the packages name is from the package.json within the repo, and assign that as a new item onto the pointers table. Then the data would be uploaded the packages table normalized.

Change a Package Name:

Really when changing a name, other than everything else described above, like authentication methodology, then we just add another row to the pointers database, with the same UUID since that hasn't changed and the new package. Meaning that querying for either package name will resolve to the same UUID, and thus same package.

Please feel free to delve further into any aspect of this, But I am hoping to get the schema finalized for the short term before beginning the modification of the codebase to support it. Thanks for any and all assistance, previous and continuing

[confused-Techie]

Seems talking in the Discord server theres reason to add back the package version table. @Digitalone1 has previously created a layout that I will link to here.

versions

Column Name	Column Data Type	Column Contents
id	integer	An Auto-Incrementing integer to serve as the primary key of each version published.
package_id	uuid	The UUID reference to the packages uuid. Serving as a foreign key.
semver	varchar (256)	The actual semver of the new version.
engine	jsonb	Unsure, but seems that this would be the engines object. Originally with just the atom declaration, but could contain the Pulsar version
license	varchar (256)	The License of the package

One concern I have here, is this was brought up recently as a way to quickly find the newest version, but without a SemVer parser this will still be difficult and I find this the same complexity as extracting that from the JSON with the current setup. But still this can be added if maybe we want to add another column to help determine that.

[mauricioszabo]

The problem with not adding a status is how to query for keywords, tags, etc.

As a real example, I keep a package that added support for a language called Plank. In some future version I removed that, to re-add later. How do I query the "latest version of all packages" that add that version? A query ordering by DESC will return way too many redundant info, honestly, and may return the same package over and over until we get to a second option

I also don't agree with two booleans. It doesn't make too much sense for me things like published=false AND deleted=true for example.

Finally, WDYT about changing id to UUID? Self-incrementing ids sometime expose information about the backend that we may not want to share...

[Digitalone1]

As a real example, I keep a package that added support for a language called Plank. In some future version I removed that, to re-add later. How do I query the "latest version of all packages" that add that version? A query ordering by DESC will return way too many redundant info, honestly, and may return the same package over and over until we get to a second option

Include in the WHERE clause the condition that contains Plank language. How do you search for it? The query above does not return the package, but the version, and only the first result (LIMIT 1).

I also don't agree with two booleans. It doesn't make too much sense for me things like published=false AND deleted=true for example.

No problem. Do you prefer to remove the record completely if the version is deleted?

Finally, WDYT about changing id to UUID? Self-incrementing ids sometime expose information about the backend that we may not want to share...

How do you expose it? Just do not select it in the query.

Another way could be adding a timestamp released_at for the versions. The timestamps can be ordered and the latest one can be picked as the most recent version. The problem is how do we set it for already existing versions? Do we have the release date somehow?

[mauricioszabo]

Include in the WHERE clause the condition that contains Plank

No, I mean, search ALL packages where the latest version include Plank.

[confused-Techie]

@Digitalone1 for the existing versions there was no way I was aware of to collect the publishing times, and it has been set as the time they were migrated originally. So the versions would all have the same (ish) timestamp. As for putting a time stamp on each version that would be an interesting way to no longer have to track updated_at on the package table, since we could then find the highest incremented row of its version, and use that.

@mauricioszabo as for exposing information on the backend, ideally this ID would never be returned to the actual user, as its value would be pruned before resolving the query. But it is a consideration if that step is forgotten. But really if our source is open source, couldn't anyone technically then interpret the information of the backend? But if you are meaning other data of the literal structure of the backend possibly being at risk to exposure, we could change it.

Personally I think there can be some value in having the status message, and as for deletion, I wonder if theres some way we could flag a row for deletion after a certain amount of time automatically? Setting it for deletion in an hour, to allow a user to essential undo it, or more realistically if some process around it fails. For example delete a package, and we first have to delete all versions, if the package deletion fails for whatever it could be nice to then restore the versions. But that was my line of thinking when working with large JSON files, and may not be applicable within a sql environment

[confused-Techie]

Speaking of redundancy. The stargazers_count is also redundant since we can just take the stars count with a query already reported here.

SELECT COUNT(stars.user) AS stargazers_count,
FROM stars,
WHERE stars.package = '{$id}'
GROUP BY stars.package

Anyway, since this query may be heavy on the database, reporting the count inside the row could be helpful to get it faster, but we should remember that the stargazers_count should be updated every time

• the user adds/removes a vote on the package
• the package and/or one of its versions are updated.

Not just incrementing or decrementing the count, but recounting with the query above. Anyway this is likely error prone because we could forget it somewhere in the code and it's easy falling in a state where the column does not reflect the correct count did with the query.

I think that the best way forward here is keeping the stored count, for accessing quickly and not using to many server resources. But still recalculating each time the stars table is modified. And realistically if this count is only off by one or two, due to it being missed somewhere or just because of an error I don't think that'll effect anything to much.

[Digitalone1]

@mauricioszabo Not easy. I'd say something like this. How would you do it?

SELECT packages.name
FROM packages, package_versions
WHERE packages.pointer = package_versions.package_id AND
  package_versions.engine ->> 'keywords' ILIKE '%plank%' AND
  package_versions.id IN (
    SELECT MAX(package_versions.id)
    FROM package_versions
    GROUP BY package_versions.package_id
  )

[mauricioszabo]

The current API don't allow us to republish the same version twice, and I agree with that - it can be a security issue - having two different people with the same version of a package installed, but with different code...

[Digitalone1]

Okay, so flagging it as removed is enough. The funny thing is, when you do that, you still have to do something like the query I reported to reflag the previous version as latest.

[Digitalone1]

Anyway, I'm thinking about it and it feels weird having tags and keywords on versions. Is it really useful? If it's doable, it's much more straightforward having them on the package itself.

You have plank in the latest version? Add the tag on the package. You removed it in the newer release? Remove the tag from the package.

Is there a use case for having tags and keywords for all versions?

[mauricioszabo]

Yes, some specific version may support, other will not. That's how the data we extracted from the current Atom's API is structured too.

I fact, data that's inside the package itself is almost useless, because everything else is inside the version :(

[confused-Techie]

I still think the package can be helpful, but mostly for the data an end user actual looks at. Like the package.json meta JSONB, and the readme. As for actual DB queries yeah not super useful anymore. But maybe thats ok?

[Digitalone1]

Is the names table really necessary? We already have packages with names and pointers.

[confused-Techie]

The names table is what actually takes advantage of the pointers themselves.

I know we have touched on it a few times, but I'll copy/paste some previous messages I sent Mauricio on the topic that tries to clear up the purpose of the pointers.

---

Basically lets say I make a package called todo-package and publish it to pulsar, anyone can access and install it via atom.io/api/packages/todo-package. But lets say later I decide to rename it to todo-helper now the link would be atom.io/api/packages/todo-helper but Atom would also still resolve atom.io/api/packages/todo-package to the same renamed package. The old name always redirects to the same updated package. To try and accomplish this, the basic way would be on each package have a names: [] field that stores every single name a package has ever had. But then when a user types in atom.io/api/packages/todo-package I would have to loop through every package, then through every value in the names array to find what they mean. And this seems slow, and unnecessary
So instead I thought we could use the pointer table, just a name linking to the UUID of a package. So that when I first create a package the table gets { name: "todo-package", uuid: "1234" } then when a user types in atom.io/api/packages/todo-package I can just check the DB for the matching name, and respond with the package that has the UUID. Now if I change my package name again, without removing anything from the pointer table we add { name: "todo-helper", uuid: "1234" }
This now means that if I type atom.io/api/packages/todo-package OR atom.io/api/packages/todo-helper I can ask the DB simply what UUID is in the same column as this name, and every time I will get the uuid 1234 back. So that a package can change names as many times and always still give me the same package, even if the name I starred, or saved as a link somwhere is outdated. Or say I installed todo-package as an end user then I later ask, give me the newest update of todo-package the API will respond with the proper newest update, even if the name changed.

---

So I think we need to still keep it so that a package that has changed names will still point to the same pointer, if we get rid of it, we would have to add all the names as an array to the package, which would make finding the package later on a pain, taking more time than needed.

[Digitalone1]

Oh, I forget about this, you mentioned it in another topic.

This is used to pick packages by name, but to work as intended the name field must be the primary key of names table. And uuid set as foreign key referencing packages.

[confused-Techie]

Ah great point, I'll update that above, thanks for pointing it out.

[confused-Techie]

So I've gone ahead and updated this document to touch on some conversations that have been had here, if theres no other major points of contention we can begin looking at the create scripts, appreciating any feedback on this.

Thanks!

[Digitalone1]

It's better to make the status field an enum.

Which tables do you have to create yet? I can try to provide SQL script.

[confused-Techie]

With the new formats, all tables will need to be created, and we do need SQL scripts for all of them, then I'll need to write the migration scripts for the package data.

[Digitalone1]

I made some draft scripts in the relative issue about create table clause. I can refactor them. Do you ensure all the data in the first post is correct and definitive? So I can follow those directives.

About migration scripts. How is the original data? Array of package_object_full?

[confused-Techie]

@Digitalone1 while those scripts may be helpful, we may want to take a look at refactoring them. As for migration, it'll be reading from the file system the saved package_object_full, but I do already have that somewhat created.

As for the finality of the data, I think I'll make one last update, and ping you here when I do, of the updated structure, just to make sure theres no confusion, especially because this discussion lists both of them.

[confused-Techie]

@Digitalone1 the finalized schema has been updated, if you'd like the create scripts can be a new PR, or can be added as new threads to the discussion here.

[confused-Techie]

@Digitalone1 considering the pros and cons of storing OAuth Token data in our database, I do believe the advantages of speed, or keeping everything self contained may be worth it for some extra effort on our part to keep it safe.

Since you are more familiar with SQL queries, I wanted to ask if using native Decryption and Encryption on the tokens would be a good idea at all,
here is a quick example I found on StackOverflow and obviously would need to be reworked for our implementation. Keeping in mind we would usually be querying for data via the decrypted token value.

Create Example Table:

CREATE TABLE public.test_crypto
(
  id bigint NOT NULL DEFAULT nextval('test_crypto_id_seq'::regclass),
  plain_text text COLLATE pg_catalog."default",
  crypted_text text COLLATE pg_catalog."default",
  CONSTRAINT test_crypto_pkey PRIMARY KEY (id)
)
WITH (
  OIDS = FALSE 
)
TABLESPACE pg_default;

Then encrypting data like so: (This example also stores the decrypted data, which we would have to not do)

insert into public.test_crypt (plain_text, crypted_text)
values ('plaintext', encrypt('plaintext', 'salty', 'aes'))

Then to decrypt data:

select id, plain_text,
convert_from(decrypt(cryted_text::bytea, 'salty', 'aes'), 'SQL_ASCII')
from test_crypto

Or if there is a better method to keep tokens at rest encrypted it may be best to do that. Since the decrypted token is only needed when querying GitHub. Really if there is a sufficiently advanced one way hash or something like that, we can store the data hashed, and just compare a new hash against the newly provided token passed by the user, then query for the hashed token in the database, if it matches then the backend API server holds onto the token for the lifetime of the call.

[confused-Techie]

We may even want to go ahead and use something like crypto-js to do one way hashing then keep it in memory

[Digitalone1]

It's doable, but since we have to handle tokens, maybe it's better to use functions related to hashing passwords. The module you linked seems more general purpose even if it can be used for our scope.

I do not work with passwords, but on PHP it's recommended to use password_hash or crypt, and verification is made with password_verify (I read this).

In JS similar functions are crypto.scrypt and crypto.verify or node.bcrypt.js module.

[confused-Techie]

Yeah we can lock down the best module to use for this in time, but as long as it seems doable I think this will be the best way to do so

[idleberg]

Are there any plans (in a future release?) to support namespaces in the fashion of npm (@owner/package) of VSCode (owner.package)? It has often been talked about and, personally, I think this feature is long overdue.

of course package deletion should free up the namespace

If a package get deleted, then I think it's a terrible idea from a security perspective to make it available for someone else. This must never happen!

[confused-Techie]

It wasn't something we had originally suggested, but if thats a feature the community wants, I don't see why we wouldn't be able to add it in. This of course would come with a 2.0 release, as any changes that stray from the original spec are designated as.

But I can go ahead and add it to the project board

As for your comments on the package deletion freeing the namespace, I can see what you mean on the security concern, as someone could take that namespace and use it for their own advantage. While personally I would dislike having all the names taken up by packages, causing them to have to be longer and longer, since that behavior is similar to how user names function maybe its not the biggest deal, and we could implement that functionality, to not delete the name within names table.

[idleberg]

Using namespaces kind of softens the problem of "taken" package names. Of course, that won't stop people from using better-something or something-2 as package names. I agree, that these shouldn't be considered before 2.0, but I'd even go as far and think about making them mandatory.