accounts: move challenges and OTPs from D1 to KV#594
Closed
The existing key store got accidentally nuked. Use a new key store.
Ephemeral data (challenges, email OTPs) now use Cloudflare KV with native TTL instead of D1 tables with manual expiry checks.

- Add src/kv.ts with challenge/OTP functions backed by KV
- Remove challengesTable and emailOtpsTable from drizzle schema
- Remove challenge/OTP methods from repo (D1)
- Update auth and wallet routes to use kv.* functions
- Add KV namespace binding (ACCOUNTS_KV + preview)

Amp-Thread-ID: https://ampcode.com/threads/T-019c5848-6731-70b6-86a9-66699abf0b43
Co-authored-by: Amp <amp@ampcode.com>
- Decode base64url challenge from clientDataJSON back to hex for KV lookup
- Pass original base64url challenge to verifyAssertion for comparison
- Remove legacy email_auth_session cookie cleanup
- Remove __Host-session clearing
- Simplify sessionCookies and clearSessionCookies

Amp-Thread-ID: https://ampcode.com/threads/T-019c58a5-1497-716a-8c73-260f4b29bbb5
Co-authored-by: Amp <amp@ampcode.com>
Summary
Move ephemeral data (challenges, email OTPs) from D1 to Cloudflare KV with native TTL. Fix passkey login challenge encoding mismatch.
Motivation
Challenges and OTPs are short-lived (5 min), keyed by a single value, and don't need relational queries. KV is a better fit — native TTL replaces manual expiry checks, and we eliminate two D1 tables.
Passkey login was always returning "invalid or expired challenge" because the challenge stored in KV was keyed by hex, but the lookup used the base64url-encoded value from clientDataJSON.

Changes
- Add src/kv.ts with challenge and OTP functions backed by KV
- Remove challengesTable and emailOtpsTable from drizzle schema (src/db/schema.ts)
- Remove challenge/OTP methods from src/db/repo.ts
- Update src/routes/auth.ts and src/routes/wallets.ts to use kv.*
- Add KV namespace binding to wrangler.jsonc and env.d.ts
- Remove otp prefix from src/db/ids.ts
- Pass original base64url challenge to verifyAssertion for comparison
- Remove email_auth_session and __Host-session cookie cleanup
- Simplify sessionCookies and clearSessionCookies

Testing

Old D1 tables can be dropped via db:push after deploy.
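The challenge-encoding mismatch described above, as an added example that is not the PR's code: the in-memory KV stand-in (memoryKv), the challenge:&lt;hex&gt; key layout, the stored user id and the storeChallenge/consumeChallenge names are assumptions; the 5-minute TTL is the page's.

```typescript
// Added example, not the PR's code. KvLike/memoryKv are a constructed stand-in for the ACCOUNTS_KV binding.
type KvLike = {
  get(key: string): Promise<string | null>;
  put(key: string, value: string, opts?: { expirationTtl?: number }): Promise<void>;
  delete(key: string): Promise<void>;
};
// In-memory stand-in with KV-style TTL; `now` is injectable so expiry can be tested.
export function memoryKv(now: () => number = Date.now): KvLike {
  const store = new Map<string, { value: string; expiresAt: number }>();
  return {
    async get(key) {
      const e = store.get(key);
      if (e && e.expiresAt > now()) return e.value;
      store.delete(key); // missing or expired: KV returns null either way
      return null;
    },
    async put(key, value, opts) {
      store.set(key, { value, expiresAt: now() + (opts?.expirationTtl ?? 60) * 1000 });
    },
    async delete(key) { store.delete(key); },
  };
}
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
// Decode unpadded base64url (the challenge form inside clientDataJSON) to lowercase hex.
export function base64urlToHex(s: string): string {
  let acc = 0, bits = 0, hex = "";
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; hex += ((acc >> bits) & 0xff).toString(16).padStart(2, "0"); }
    acc &= (1 << bits) - 1; // keep only the unconsumed low bits
  }
  return hex;
}
const CHALLENGE_TTL_SECONDS = 300; // 5 minutes, as in the PR
// Store under the hex form the server generated (hypothetical key layout).
export async function storeChallenge(kv: KvLike, challengeHex: string, userId: string): Promise<void> {
  await kv.put(`challenge:${challengeHex}`, userId, { expirationTtl: CHALLENGE_TTL_SECONDS });
}
// Single-use lookup keyed by the *decoded* challenge. Looking up the raw base64url
// string is the mismatch the PR fixes; the original string is still what verifyAssertion compares.
export async function consumeChallenge(kv: KvLike, clientDataJSON: string): Promise<string | null> {
  const { challenge } = JSON.parse(clientDataJSON) as { challenge: string };
  const key = `challenge:${base64urlToHex(challenge)}`;
  const userId = await kv.get(key);
  if (userId !== null) await kv.delete(key); // consume so a replay within the TTL fails
  return userId;
}
```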