feat: add regenerated_at timestamp to PAT (#1542)

AmanGIT07 · web-flow · commit fd77b87a4aed · 2026-04-15T15:20:26.000+05:30
diff --git a/Makefile b/Makefile
@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "c3eb9d66b9f6dd04f7d87a7829565be4772f9c47"
+PROTON_COMMIT := "3959f2283a9335b800a60eb6fd1cf498c2e2e8aa"
 
 admin-app:
 	@echo " > generating admin build"
diff --git a/core/aggregates/orgpats/service.go b/core/aggregates/orgpats/service.go
@@ -39,14 +39,15 @@ type CreatedBy struct {
 }
 
 type AggregatedPAT struct {
-	ID         string
-	Title      string
-	CreatedBy  CreatedBy
-	Scopes     []patmodels.PATScope
-	CreatedAt  time.Time
-	ExpiresAt  time.Time
-	LastUsedAt *time.Time
-	UserID     string
+	ID            string
+	Title         string
+	CreatedBy     CreatedBy
+	Scopes        []patmodels.PATScope
+	CreatedAt     time.Time
+	ExpiresAt     time.Time
+	LastUsedAt    *time.Time
+	RegeneratedAt *time.Time
+	UserID        string
 }
 
 // PATSearchFields is used for RQL validation — flat struct with rql tags.
@@ -58,6 +59,7 @@ type PATSearchFields struct {
 	CreatedAt      time.Time  `rql:"name=created_at,type=datetime"`
 	ExpiresAt      time.Time  `rql:"name=expires_at,type=datetime"`
 	LastUsedAt     *time.Time `rql:"name=last_used_at,type=datetime"`
+	RegeneratedAt  *time.Time `rql:"name=regenerated_at,type=datetime"`
 }
 
 type OrganizationPATs struct {
diff --git a/core/userpat/models/pat.go b/core/userpat/models/pat.go
@@ -15,17 +15,18 @@ type PATScope struct {
 }
 
 type PAT struct {
-	ID         string `rql:"name=id,type=string"`
-	UserID     string `rql:"name=user_id,type=string"`
-	OrgID      string `rql:"name=org_id,type=string"`
-	Title      string `rql:"name=title,type=string"`
-	SecretHash string `json:"-"`
-	Metadata   metadata.Metadata
-	Scopes     []PATScope
-	LastUsedAt *time.Time `rql:"name=last_used_at,type=datetime"` // last_used_at can be null
-	ExpiresAt  time.Time  `rql:"name=expires_at,type=datetime"`
-	CreatedAt  time.Time  `rql:"name=created_at,type=datetime"`
-	UpdatedAt  time.Time  `rql:"name=updated_at,type=datetime"`
+	ID            string `rql:"name=id,type=string"`
+	UserID        string `rql:"name=user_id,type=string"`
+	OrgID         string `rql:"name=org_id,type=string"`
+	Title         string `rql:"name=title,type=string"`
+	SecretHash    string `json:"-"`
+	Metadata      metadata.Metadata
+	Scopes        []PATScope
+	LastUsedAt    *time.Time `rql:"name=last_used_at,type=datetime"`   // last_used_at can be null
+	RegeneratedAt *time.Time `rql:"name=regenerated_at,type=datetime"` // regenerated_at can be null
+	ExpiresAt     time.Time  `rql:"name=expires_at,type=datetime"`
+	CreatedAt     time.Time  `rql:"name=created_at,type=datetime"`
+	UpdatedAt     time.Time  `rql:"name=updated_at,type=datetime"`
 }
 
 type PATList struct {
diff --git a/core/userpat/service.go b/core/userpat/service.go
@@ -203,7 +203,7 @@ func (s *Service) Regenerate(ctx context.Context, userID, id string, newExpiresA
 		return patmodels.PAT{}, "", fmt.Errorf("enriching PAT scope: %w", err)
 	}
 
-	if err := s.createAuditRecord(ctx, pkgAuditRecord.PATRegeneratedEvent, regenerated, time.Now().UTC(), map[string]any{
+	if err := s.createAuditRecord(ctx, pkgAuditRecord.PATRegeneratedEvent, regenerated, *regenerated.RegeneratedAt, map[string]any{
 		"expires_at":     regenerated.ExpiresAt,
 		"old_expires_at": oldExpiresAt,
 	}); err != nil {
diff --git a/core/userpat/service_test.go b/core/userpat/service_test.go
@@ -2253,14 +2253,16 @@ func TestService_Regenerate(t *testing.T) {
 		UpdatedAt: time.Now(),
 	}
 
+	regenTime := time.Now()
 	regeneratedPAT := models.PAT{
-		ID:        "pat-1",
-		UserID:    "user-1",
-		OrgID:     "org-1",
-		Title:     "my-token",
-		ExpiresAt: futureExpiry,
-		CreatedAt: activePAT.CreatedAt,
-		UpdatedAt: time.Now(),
+		ID:            "pat-1",
+		UserID:        "user-1",
+		OrgID:         "org-1",
+		Title:         "my-token",
+		ExpiresAt:     futureExpiry,
+		RegeneratedAt: &regenTime,
+		CreatedAt:     activePAT.CreatedAt,
+		UpdatedAt:     time.Now(),
 	}
 
 	tests := []struct {
diff --git a/internal/api/v1beta1connect/organization_pats.go b/internal/api/v1beta1connect/organization_pats.go
@@ -81,6 +81,9 @@ func transformAggregatedPATToPB(pat svc.AggregatedPAT) *frontierv1beta1.SearchOr
 	if pat.LastUsedAt != nil {
 		pbPAT.LastUsedAt = timestamppb.New(*pat.LastUsedAt)
 	}
+	if pat.RegeneratedAt != nil {
+		pbPAT.RegeneratedAt = timestamppb.New(*pat.RegeneratedAt)
+	}
 	return pbPAT
 }
 
diff --git a/internal/api/v1beta1connect/user_pat.go b/internal/api/v1beta1connect/user_pat.go
@@ -304,6 +304,9 @@ func transformPATToPB(pat models.PAT, patValue string) *frontierv1beta1.PAT {
 	if pat.LastUsedAt != nil {
 		pbPAT.LastUsedAt = timestamppb.New(*pat.LastUsedAt)
 	}
+	if pat.RegeneratedAt != nil {
+		pbPAT.RegeneratedAt = timestamppb.New(*pat.RegeneratedAt)
+	}
 	if pat.Metadata != nil {
 		metaPB, err := pat.Metadata.ToStructPB()
 		if err == nil {
diff --git a/internal/store/postgres/migrations/20260415100000_user_pats_regenerated_at.down.sql b/internal/store/postgres/migrations/20260415100000_user_pats_regenerated_at.down.sql
@@ -0,0 +1 @@
+ALTER TABLE user_pats DROP COLUMN IF EXISTS regenerated_at;
diff --git a/internal/store/postgres/migrations/20260415100000_user_pats_regenerated_at.up.sql b/internal/store/postgres/migrations/20260415100000_user_pats_regenerated_at.up.sql
@@ -0,0 +1 @@
+ALTER TABLE user_pats ADD COLUMN regenerated_at TIMESTAMPTZ;
diff --git a/internal/store/postgres/org_pats_repository.go b/internal/store/postgres/org_pats_repository.go
@@ -36,6 +36,7 @@ var orgPATFilterFields = map[string]string{
 	"created_at":       "p.created_at",
 	"expires_at":       "p.expires_at",
 	"last_used_at":     "p.last_used_at",
+	"regenerated_at":   "p.regenerated_at",
 }
 
 // orgPATSearchColumns are searched with ILIKE when RQL search is used.
@@ -54,6 +55,7 @@ var orgPATSortFields = map[string]string{
 	"created_at":       "p.created_at",
 	"expires_at":       "p.expires_at",
 	"last_used_at":     "p.last_used_at",
+	"regenerated_at":   "p.regenerated_at",
 }
 
 // OrgPATRow is the flat SQL result row from the joined query.
@@ -67,6 +69,7 @@ type OrgPATRow struct {
 	CreatedAt      time.Time  `db:"pat_created_at"`
 	ExpiresAt      time.Time  `db:"pat_expires_at"`
 	LastUsedAt     *time.Time `db:"pat_last_used_at"`
+	RegeneratedAt  *time.Time `db:"pat_regenerated_at"`
 	RoleID         *string    `db:"role_id"`
 	ResourceType   *string    `db:"resource_type"`
 	ResourceID     *string    `db:"resource_id"`
@@ -177,7 +180,7 @@ func (r OrgPATsRepository) buildDataQuery(orgID string, rqlQuery *rql.Query) (st
 	paginatedInner := inner.
 		Select(
 			goqu.I("p.id"), goqu.I("p.title"), goqu.I("p.user_id"),
-			goqu.I("p.created_at"), goqu.I("p.expires_at"), goqu.I("p.last_used_at"),
+			goqu.I("p.created_at"), goqu.I("p.expires_at"), goqu.I("p.last_used_at"), goqu.I("p.regenerated_at"),
 		).
 		Offset(uint(rqlQuery.Offset)).
 		Limit(uint(rqlQuery.Limit))
@@ -192,6 +195,7 @@ func (r OrgPATsRepository) buildDataQuery(orgID string, rqlQuery *rql.Query) (st
 			goqu.I("p.created_at").As("pat_created_at"),
 			goqu.I("p.expires_at").As("pat_expires_at"),
 			goqu.I("p.last_used_at").As("pat_last_used_at"),
+			goqu.I("p.regenerated_at").As("pat_regenerated_at"),
 			goqu.I("pol.role_id"),
 			goqu.I("pol.resource_type"),
 			goqu.I("pol.resource_id"),
@@ -207,13 +211,18 @@ func (r OrgPATsRepository) buildDataQuery(orgID string, rqlQuery *rql.Query) (st
 				goqu.I("pol.principal_id").Eq(goqu.I("p.id")),
 				goqu.I("pol.principal_type").Eq(schema.PATPrincipal),
 			),
-		).
-		Order(
-			goqu.I("p.created_at").Desc(),
-			goqu.I("p.id").Asc(),
-			goqu.I("pol.role_id").Asc(),
 		)
 
+	// Apply the same sort to the outer query to preserve the user's requested order.
+	// The inner query sort controls pagination (which rows), the outer sort controls
+	// final row order after the policy LEFT JOIN expands rows.
+	outer, err = r.addSort(outer, rqlQuery.Sort)
+	if err != nil {
+		return "", nil, err
+	}
+	// Add deterministic tiebreakers
+	outer = outer.OrderAppend(goqu.I("p.id").Asc(), goqu.I("pol.role_id").Asc())
+
 	return outer.ToSQL()
 }
 
@@ -297,10 +306,11 @@ func (r OrgPATsRepository) groupRows(rows []OrgPATRow) []svc.AggregatedPAT {
 					Title: row.CreatedByTitle,
 					Email: row.CreatedByEmail,
 				},
-				CreatedAt:  row.CreatedAt,
-				ExpiresAt:  row.ExpiresAt,
-				LastUsedAt: row.LastUsedAt,
-				UserID:     row.CreatedByID,
+				CreatedAt:     row.CreatedAt,
+				ExpiresAt:     row.ExpiresAt,
+				LastUsedAt:    row.LastUsedAt,
+				RegeneratedAt: row.RegeneratedAt,
+				UserID:        row.CreatedByID,
 			}
 			patMap[row.PATID] = pat
 			patOrder = append(patOrder, row.PATID)
diff --git a/internal/store/postgres/userpat.go b/internal/store/postgres/userpat.go
@@ -8,17 +8,18 @@ import (
 )
 
 type UserPAT struct {
-	ID         string     `db:"id" goqu:"skipinsert"`
-	UserID     string     `db:"user_id"`
-	OrgID      string     `db:"org_id"`
-	Title      string     `db:"title"`
-	SecretHash string     `db:"secret_hash"`
-	Metadata   []byte     `db:"metadata"`
-	LastUsedAt *time.Time `db:"last_used_at"`
-	ExpiresAt  time.Time  `db:"expires_at"`
-	CreatedAt  time.Time  `db:"created_at"`
-	UpdatedAt  time.Time  `db:"updated_at"`
-	DeletedAt  *time.Time `db:"deleted_at"`
+	ID            string     `db:"id" goqu:"skipinsert"`
+	UserID        string     `db:"user_id"`
+	OrgID         string     `db:"org_id"`
+	Title         string     `db:"title"`
+	SecretHash    string     `db:"secret_hash"`
+	Metadata      []byte     `db:"metadata"`
+	LastUsedAt    *time.Time `db:"last_used_at"`
+	RegeneratedAt *time.Time `db:"regenerated_at"`
+	ExpiresAt     time.Time  `db:"expires_at"`
+	CreatedAt     time.Time  `db:"created_at"`
+	UpdatedAt     time.Time  `db:"updated_at"`
+	DeletedAt     *time.Time `db:"deleted_at"`
 }
 
 func (t UserPAT) transform() (models.PAT, error) {
@@ -29,15 +30,16 @@ func (t UserPAT) transform() (models.PAT, error) {
 		}
 	}
 	return models.PAT{
-		ID:         t.ID,
-		UserID:     t.UserID,
-		OrgID:      t.OrgID,
-		Title:      t.Title,
-		SecretHash: t.SecretHash,
-		Metadata:   unmarshalledMetadata,
-		LastUsedAt: t.LastUsedAt,
-		ExpiresAt:  t.ExpiresAt,
-		CreatedAt:  t.CreatedAt,
-		UpdatedAt:  t.UpdatedAt,
+		ID:            t.ID,
+		UserID:        t.UserID,
+		OrgID:         t.OrgID,
+		Title:         t.Title,
+		SecretHash:    t.SecretHash,
+		Metadata:      unmarshalledMetadata,
+		LastUsedAt:    t.LastUsedAt,
+		RegeneratedAt: t.RegeneratedAt,
+		ExpiresAt:     t.ExpiresAt,
+		CreatedAt:     t.CreatedAt,
+		UpdatedAt:     t.UpdatedAt,
 	}, nil
 }
diff --git a/internal/store/postgres/userpat_repository.go b/internal/store/postgres/userpat_repository.go
@@ -20,7 +20,7 @@ import (
 )
 
 var (
-	patRQLFilterSupportedColumns = []string{"id", "title", "expires_at", "created_at"}
+	patRQLFilterSupportedColumns = []string{"id", "title", "expires_at", "created_at", "regenerated_at"}
 	patRQLSearchSupportedColumns = []string{"id", "title"}
 )
 
@@ -334,8 +334,9 @@ func (r UserPATRepository) Update(ctx context.Context, pat models.PAT) (models.P
 func (r UserPATRepository) Regenerate(ctx context.Context, id, secretHash string, expiresAt time.Time) (models.PAT, error) {
 	query, params, err := dialect.Update(TABLE_USER_PATS).
 		Set(goqu.Record{
-			"secret_hash": secretHash,
-			"expires_at":  expiresAt,
+			"secret_hash":    secretHash,
+			"expires_at":     expiresAt,
+			"regenerated_at": time.Now().UTC(),
 		}).
 		Where(
 			goqu.Ex{"id": id},
diff --git a/proto/v1beta1/admin.pb.go b/proto/v1beta1/admin.pb.go
diff --git a/proto/v1beta1/models.pb.go b/proto/v1beta1/models.pb.go

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ func (s *Service) Regenerate(ctx context.Context, userID, id string, newExpiresA`
`203`	`203`	`return patmodels.PAT{}, "", fmt.Errorf("enriching PAT scope: %w", err)`
`204`	`204`	`}`
`205`	`205`
`206`		`- if err := s.createAuditRecord(ctx, pkgAuditRecord.PATRegeneratedEvent, regenerated, time.Now().UTC(), map[string]any{`
	`206`	`+ if err := s.createAuditRecord(ctx, pkgAuditRecord.PATRegeneratedEvent, regenerated, *regenerated.RegeneratedAt, map[string]any{`
`207`	`207`	`"expires_at": regenerated.ExpiresAt,`
`208`	`208`	`"old_expires_at": oldExpiresAt,`
`209`	`209`	`}); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,9 @@ func transformAggregatedPATToPB(pat svc.AggregatedPAT) *frontierv1beta1.SearchOr`
`81`	`81`	`if pat.LastUsedAt != nil {`
`82`	`82`	`pbPAT.LastUsedAt = timestamppb.New(*pat.LastUsedAt)`
`83`	`83`	`}`
	`84`	`+ if pat.RegeneratedAt != nil {`
	`85`	`+ pbPAT.RegeneratedAt = timestamppb.New(*pat.RegeneratedAt)`
	`86`	`+ }`
`84`	`87`	`return pbPAT`
`85`	`88`	`}`
`86`	`89`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE user_pats DROP COLUMN IF EXISTS regenerated_at;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE user_pats ADD COLUMN regenerated_at TIMESTAMPTZ;`