
Add SSO/shared identity foundation: code, UUID, and auth_sub fields #76

Closed
Copilot wants to merge 2 commits into main from copilot/add-sso-foundation-fields


Copilot AI commented Mar 14, 2026

Lays the non-breaking groundwork for cross-app shared identity and future SSO integration. All new fields are nullable with no unique constraints — enforcement deferred until after backfill.

Models & Migration (0014_sso_identity_fields)

| Model | Field | Type |
|---|---|---|
| Organization | code | CharField(50) — human-managed short code |
| Organization | org_uuid | UUIDField, db_index |
| Space | code | CharField(50) — human-managed short code |
| Space | space_uuid | UUIDField, db_index |
| User | auth_sub | CharField(255), db_index — stable Auth/SSO subject identifier |

Admin

  • OrganizationAdmin / SpaceAdmin: code added to list_display and search_fields; new SSO / Shared Identity fieldset exposes code and the uuid field for manual management.

Management Commands

export_identity_data — dumps orgs/spaces to JSON or CSV (stdout or file) with legacy_id, code, uuid, name, slug for bootstrapping the Auth service.

python manage.py export_identity_data --format csv --output /tmp/export.csv
python manage.py export_identity_data --model org --format json

backfill_identity_fields — idempotent; generates slug-derived placeholder codes and random UUIDs for rows with blank values.

python manage.py backfill_identity_fields --dry-run        # preview
python manage.py backfill_identity_fields --skip-codes     # UUIDs only
python manage.py backfill_identity_fields --model space    # spaces only
python manage.py backfill_identity_fields --force          # overwrite existing

Original prompt

Implement initial SSO/Shared Space identity groundwork in joisemp/services.

Context:

  • Move towards a shared Auth/SSO system, with canonical space/organisation directory owned by an external Auth service.
  • Organisation and Space should have globally unique, human-managed code fields and canonical UUIDs.
  • Role checks are properties on User (is_central_admin, etc.), derived from user_type.
  • Existing data/relationships must not be broken.

Goal of this PR
Add all non-breaking fields needed for cross-app shared identity and future SSO integration:

  1. Add globally unique, human-managed code fields and canonical UUID fields to Organization and Space.
  2. Add a stable link from users to Auth users (auth_sub).
  3. Provide admin visibility for the new fields.
  4. Provide management command(s) to assist with backfilling codes/uuids and exporting mappings to help bootstrap the Auth service later.

Scope (requirements)
A) Models/Migrations

  • Organisation (Organization) model:
    • Add code (CharField, nullable, globally unique, human-managed)
    • Add org_uuid (UUIDField, nullable, db_index)
  • Space model:
    • Add code (CharField, nullable, globally unique, human-managed)
    • Add space_uuid (UUIDField, nullable, db_index)
  • User model:
    • Add auth_sub (CharField or UUIDField, nullable, db_index)
  • Create safe, backward-compatible migrations for all of the above.
  • In this PR, keep code fields nullable and without unique constraint to avoid accidentally breaking old data; enforce with a followup after backfill.

B) Admin

  • Update admin registrations for Organization and Space to display code and uuid fields for manual management.

C) Management command(s)

  • Add management command(s) (e.g. in src/core/management/commands/) to:
    1. Export current Organizations and Spaces to JSON/CSV: legacy_id, code (if any), uuid (if any), name, slug.
    2. Optionally, generate placeholder codes for blank items (e.g. ORG-) and print for review (no DB write unless --apply)

D) Docs

  • Add short documentation note in README/CONTRIBUTING to explain codes + UUIDs are the new canonical identity, how to manage/fix codes, and that final UUIDs will be backfilled from Auth later when integration is complete.

E) Tests

  • Add/extend basic tests to verify:
    • New fields exist, accept null
    • Export command works, outputs correct headers/fields

Notes:

  • Don't change PKs or existing FKs.
  • Move toward UUIDs for space- and org-identity in a non-destructive, stepwise way.

Codes and UUIDs to be filled according to later Auth-side registry and migration plan.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: 1. both have a unique ids also store space uuid

Assistant: Great — if both already have a stable unique id for Space/Institution, and you want to store space_uuid directly in BusNest (and Services too), here’s the clean, non-breaking plan.


Goal

  • Keep current integer PKs and all existing FK relationships intact
  • Add a canonical UUID for each Space/Institution (same UUID in both apps + in the new Auth service)
  • Store space_uuid in app tables so filtering/permissions can use UUIDs (future-proof)

1) Choose the canonical key and UUID source of truth

Since both have a unique id, use this matching key to unify:

Canonical match key (recommended):

  • org_unique_id + space_unique_id (or institution id)
  • Example: (organisation.slug, space.slug) or (org.code, space.code)

UUID creation strategy (important)

To ensure both apps generate the same UUID without manual mapping:

  • Use UUIDv5 (deterministic) from your canonical key string.

Example namespace approach:

  • Namespace UUID constant: one fixed UUID you hardcode in all projects
  • UUID = uuid5(NAMESPACE, f"{org_uid}:{space_uid}")

This way:

  • existing rows get predictable UUIDs
  • Services and BusNest will always agree
  • Auth can recompute the same UUIDs during import

No existing data breaks because this UUID is an additional column.


2) Changes in Services (Spaces)

Add field

Add to Space model:

  • space_uuid = UUIDField(null=True, unique=True, db_index=True)

Migration steps

  1. Schema migration: add nullable field (safe)
  2. Data migration:
    • for each space row, compute UUIDv5 from its existing unique ids
    • set space_uuid
  3. Alter migration: set null=False (after backfill)

This does not touch the current id PK.


3) Changes in BusNest (Institutions)

Do the same:

  • add space_uuid to Institution model (even if model name remains Institution)

Then you can start using space_uuid for cross-app identity and for Auth-based permissions.


4) Store space_uuid in “downstream” tables (gradually)

You said “also store space uuid” — typically you’ll add it to models that currently FK to Space/Institution, for example:

  • registrations
  • trips
  • routes
  • issues/tasks (in Services)
  • etc.

Non-breaking pattern

For each table ...

This pull request was created from Copilot chat.
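
An added example (not code from this PR or from the joisemp/services repository) of the deterministic UUIDv5 derivation proposed in the chat context, next to a variant that normalises and validates the key parts, plus a duplicate check to run before the deferred unique constraints are enforced. The namespace value, the slug-like character rule, the lower-casing policy and the sample rows are assumptions made for illustration.

```python
import re
import uuid
from collections import defaultdict

# Assumption: constructed namespace for this example. A real deployment fixes
# one namespace UUID and hardcodes the same value in every app.
IDENTITY_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "identity.example.invalid")

# Assumption: key parts are slug-like. Excluding ":" keeps the joined key
# unambiguous, so two different (org, space) pairs cannot share one UUID.
_COMPONENT = re.compile(r"[a-z0-9][a-z0-9_-]*")


def naive_space_uuid(org_uid, space_uid):
    """The formula from the discussion, applied to raw input."""
    return uuid.uuid5(IDENTITY_NAMESPACE, f"{org_uid}:{space_uid}")


def _normalise(part):
    # Strip and lower-case so every app derives the same key from the same row.
    part = part.strip().lower()
    if not _COMPONENT.fullmatch(part):
        raise ValueError(f"unsafe key component: {part!r}")
    return part


def space_uuid(org_uid, space_uid):
    """Same formula, with both parts normalised and validated first."""
    key = f"{_normalise(org_uid)}:{_normalise(space_uid)}"
    return uuid.uuid5(IDENTITY_NAMESPACE, key)


def duplicate_values(rows, field):
    """Map each non-blank value of `field` held by several rows to their ids."""
    seen = defaultdict(list)
    for row in rows:
        value = row.get(field)
        if value not in (None, ""):
            seen[str(value)].append(row["id"])
    return {value: ids for value, ids in seen.items() if len(ids) > 1}


# Constructed sample rows; blank and null codes are skipped by the check.
SPACES = [
    {"id": 1, "code": "SPC-LIB", "org": "acme", "slug": "library"},
    {"id": 2, "code": "SPC-LIB", "org": "acme", "slug": "lab"},
    {"id": 3, "code": None, "org": "acme", "slug": "hall"},
    {"id": 4, "code": "", "org": "Acme ", "slug": "Hall"},
]
```

Any value reported by `duplicate_values` has to be resolved by hand before a unique constraint on that column can be applied.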



… visibility, management commands

Co-authored-by: joisemp <69669027+joisemp@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add initial SSO identity groundwork for shared space" to "Add SSO/shared identity foundation: code, UUID, and auth_sub fields" Mar 14, 2026
Copilot AI requested a review from joisemp March 14, 2026 06:29
@joisemp joisemp closed this Mar 16, 2026
@joisemp joisemp deleted the copilot/add-sso-foundation-fields branch March 16, 2026 05:09