feat(migrate-tool): add track migration tool #14392
A small Vite + React SPA backed by Vercel functions + Supabase that lets an artist request migration of tracks from an old Audius account they've lost access to onto a new account they control. Every migration sits in a pending queue until an Audius team member approves it via an admin route gated by a bearer token — the README spells out that identity verification of the requester has to happen out-of-band. The frontend uses the SDK's PKCE OAuth flow with apiKey only; on approval the backend re-uploads each track via createSdkWithServices using the dev app's API key + bearer token, acting on behalf of the new owner. Designed for migrate.audius.co.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Audio source resolution now walks a prioritized candidate list per track (raw orig_file_cid → CID mirror → gated download URL → transcoded mp3 stream), trying each until one fetch succeeds. Original masters now flow through for every indexed track that still has its bytes on the network, not just the ones the artist toggled downloadable. The stream fallback guarantees every approved request migrates at least the lossy mp3 so a single pruned original never aborts the run. Preview UI relabeled to "mp3 only" for the rare tracks where no original is on file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Replace the static ADMIN_BEARER_TOKEN unlock in the admin UI with Google
sign-in restricted to @audius.co / @audius.org accounts, mirroring the
notifications-dashboard auth pattern.
- api/_lib/auth.ts: add isAudiusEmail, jose-signed session JWT helpers,
httpOnly session cookie, and upgrade requireAdmin to accept a valid
staff session cookie OR the existing ADMIN_BEARER_TOKEN (now an optional
escape hatch for programmatic access).
- api/auth/{index,session,logout}.ts: verify Google ID token via
google-auth-library, enforce the Audius-domain check, mint/clear session.
- admin endpoints (requests/approve/reject) now await requireAdmin.
- Admin.tsx: Google sign-in + session restore + sign out; admin calls use
the session cookie (credentials: 'include') instead of a bearer header.
- config/vite-env: VITE_GOOGLE_CLIENT_ID. Document GOOGLE_CLIENT_ID and
AUTH_SESSION_SECRET in .env.example and README.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
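
The domain restriction and the session-or-bearer check this commit describes, sketched as an added example (not the PR's `api/_lib/auth.ts`). `isStaffEmail`, `tokensMatch` and `checkAdmin` are hypothetical names, the `email_verified` requirement is an assumption, and the session email is assumed to come from a signed cookie that was already verified.

```typescript
// Added example: hypothetical helpers, not the PR's api/_lib/auth.ts.
import { createHash, timingSafeEqual } from 'node:crypto'

const STAFF_DOMAINS = ['audius.co', 'audius.org']

// Claims of an ID token whose signature, issuer and audience were already verified.
type GoogleClaims = { email?: string; email_verified?: boolean }

// True only when the verified email's domain is exactly a staff domain.
// An endsWith('audius.co') test would also accept 'x@notaudius.co'.
function isStaffEmail(claims: GoogleClaims): boolean {
  if (claims.email_verified !== true || typeof claims.email !== 'string') return false
  const email = claims.email.trim().toLowerCase()
  const at = email.lastIndexOf('@')
  // Reject empty local parts and anything with more than one '@'.
  if (at <= 0 || email.indexOf('@') !== at) return false
  return STAFF_DOMAINS.includes(email.slice(at + 1))
}

// Hash both sides to equal length, then compare in constant time.
function tokensMatch(presented: string, expected: string): boolean {
  const a = createHash('sha256').update(presented).digest()
  const b = createHash('sha256').update(expected).digest()
  return timingSafeEqual(a, b)
}

// sessionEmail: email from a verified session cookie (assumption).
type AdminRequest = { sessionEmail?: string; authorization?: string }

// Staff session first; the bearer escape hatch only when a token is configured.
function checkAdmin(req: AdminRequest, adminToken?: string): 'session' | 'bearer' | null {
  if (req.sessionEmail && isStaffEmail({ email: req.sessionEmail, email_verified: true })) {
    return 'session'
  }
  const auth = req.authorization ?? ''
  const presented = auth.startsWith('Bearer ') ? auth.slice(7) : ''
  // An unset or empty ADMIN_BEARER_TOKEN must disable this path, not match "Bearer ".
  if (presented && adminToken && tokensMatch(presented, adminToken)) return 'bearer'
  return null
}
```
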
…isting migrate-tool used ^0.23.0 while distro/embed pin 0.17.0, which npm hoists to the root. The injected `vite-plugin-node-polyfills/shims/process` import then resolved against the shadowing 0.17.0 (which only exports `./shims/banner`), breaking `vite build` in the monorepo. Aligning migrate-tool to 0.17.0 dedupes to the single hoisted copy so plugin code and resolved package match.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ead of bearer token (#14496)

## Summary

Follow-up to #14392. Switches the migrate-tool's server-side SDK initialization from a bearer token to `apiKey` + `apiSecret` (Basic auth), which is cleaner for app-level server-side operations.

The SDK's EntityManager relay call in `manageEntity` accepts either `Authorization: Bearer <bearerToken>` or `Basic base64(apiKey:apiSecret)`. Using `apiKey`+`apiSecret` lets the developer app authenticate and sign its own requests server-side without an OAuth-derived bearer token.

## Changes

- `api/_lib/audius.ts` — `getServerSDK()` now reads `AUDIUS_API_SECRET` and passes `apiSecret` to `createSdkWithServices` instead of `bearerToken`. Updated error message and doc comment.
- `.env.example` — `AUDIUS_BEARER_TOKEN` → `AUDIUS_API_SECRET`.
- `README.md` — env var documentation updated to reference the API Secret.

The unrelated `ADMIN_BEARER_TOKEN` escape hatch for admin endpoints is untouched.

## Verification

- `tsc -b` passes.
- `vite build` passes (polyfill issue resolved by the vite-plugin-node-polyfills 0.17.0 pin from #14392).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
A small Vite + React SPA + Vercel-functions tool that helps artists move tracks from an old Audius account they've lost access to onto a new account they control. Intended to live at migrate.audius.co.
- `apiKey` only). User signs in with new account, enters old handle, previews the tracks, submits.
- `migration_requests` table, exposes admin endpoints gated by `ADMIN_BEARER_TOKEN`.
- `apiKey` + `bearerToken` via `createSdkWithServices`) fetches each old track's audio + artwork and re-uploads it as the new owner using the OAuth grant. Per-track results are written back to the DB.

Approval flow
The README is explicit that identity verification of the requester happens out-of-band (support ticket, Discord DM, etc.). The admin step in this tool is just a gate so nothing executes automatically; the team is responsible for confirming ownership before they click "Approve & execute."
Known limitations (documented in the README)
- `maxDuration: 300` set in vercel.json. For artists with many tracks this should be moved to a queue/cron worker.

Verification
- `npx tsc -b` passes for the SPA and the API functions (no type errors).
- `vite build` was not verified locally — there's a pre-existing `vite-plugin-node-polyfills` resolver issue in this worktree's install that also breaks `packages/web/examples/upload`, so it isn't specific to this change. A fresh install on Vercel should build cleanly.

Test plan
- `VITE_AUDIUS_API_KEY`, `AUDIUS_API_KEY`, `AUDIUS_BEARER_TOKEN`, `ADMIN_BEARER_TOKEN`, `SUPABASE_URL`, `SUPABASE_SERVICE_ROLE_KEY`.
- `npm run dev` + sign in with a test account, enter another artist's handle, preview shows tracks.
- `status = 'pending'`.
- `/admin`, unlock with `ADMIN_BEARER_TOKEN`, click Reject — confirm status flips to `rejected`.

🤖 Generated with Claude Code