fix: add migration 018 for OAuth user_id columns

Root cause: createOAuthTables (which contained migrateOAuthUserColumns)
was only called inside migration 012's guard. Migration 012 already ran
on production, so the user_id column additions never executed. Now:
- New migration 018_oauth_user_id_columns runs ALTER TABLE on existing
  oauth_codes, oauth_tokens, oauth_pending_requests tables
- ReflectOAuthProvider constructor calls ensureOAuthUserColumns on every
  startup as a safety net
- Diagnostic /health endpoint reports column existence and DB state

Made-with: Cursor

Author: van-reflect

src/index.ts

@@ -437,7 +437,7 @@ if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(ciTrashMigration
 }
 
 // Migration: create OAuth tables for MCP native connector
-import { createOAuthTables } from "./oauth-store.js";
+import { createOAuthTables, ensureOAuthUserColumns } from "./oauth-store.js";
 const oauthMigrationName = "012_oauth_tables";
 if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(oauthMigrationName)) {
   createOAuthTables(db);
@@ -550,6 +550,16 @@ if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(phantomReadsMigr
   );
 }
 
+const oauthUserIdMigration = "018_oauth_user_id_columns";
+if (!db.prepare(`SELECT 1 FROM _migrations WHERE name = ?`).get(oauthUserIdMigration)) {
+  ensureOAuthUserColumns(db);
+  db.prepare(`INSERT INTO _migrations (name, applied_at) VALUES (?, ?)`).run(
+    oauthUserIdMigration,
+    new Date().toISOString(),
+  );
+  console.log("[migration] Added user_id columns to OAuth tables and created agent_keys");
+}
+
 const ownerEmail = optionalEnv("RM_OWNER_EMAIL", "").toLowerCase();
 
 let userId: string;

src/mcp-server.ts

@@ -16,7 +16,7 @@ import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
 import { z } from "zod";
 import { jwtVerify } from "jose";
 import type Database from "better-sqlite3";
-import { ReflectOAuthProvider, resolveAgentKeyUser } from "./oauth-store.js";
+import { ReflectOAuthProvider, resolveAgentKeyUser, hasUserIdColumns } from "./oauth-store.js";
 import { authenticateApiKey } from "./api-key-service.js";
 import { findOrCreateUserByEmail } from "./user-service.js";
 import {
@@ -561,15 +561,39 @@ export function startMcpServer(config: McpServerConfig, port: number): void {
 
   app.get("/health", (_req, res) => {
     const secretLen = dashboardJwtSecret?.length ?? 0;
+    const svcKeyLen = dashboardServiceKey?.length ?? 0;
+
+    let dbDiag: Record<string, unknown> = {};
+    try {
+      const pendingCount = (db.prepare(`SELECT COUNT(*) as c FROM oauth_pending_requests`).get() as { c: number }).c;
+      const clientCount = (db.prepare(`SELECT COUNT(*) as c FROM oauth_clients`).get() as { c: number }).c;
+      const tokenCount = (db.prepare(`SELECT COUNT(*) as c FROM oauth_tokens`).get() as { c: number }).c;
+      const codesCols = (db.prepare(`PRAGMA table_info(oauth_codes)`).all() as { name: string }[]).map(c => c.name);
+      const tokensCols = (db.prepare(`PRAGMA table_info(oauth_tokens)`).all() as { name: string }[]).map(c => c.name);
+      const pendingCols = (db.prepare(`PRAGMA table_info(oauth_pending_requests)`).all() as { name: string }[]).map(c => c.name);
+      dbDiag = {
+        pending_requests: pendingCount,
+        clients: clientCount,
+        tokens: tokenCount,
+        codes_has_user_id: codesCols.includes("user_id"),
+        tokens_has_user_id: tokensCols.includes("user_id"),
+        pending_has_user_id: pendingCols.includes("user_id"),
+      };
+    } catch (err) {
+      dbDiag = { error: (err as Error).message };
+    }
+
     res.json({
       service: "reflect-memory-mcp",
       status: "ok",
       oauth: {
         jwt_secret_configured: secretLen > 0,
-        jwt_secret_length: secretLen,
+        service_key_configured: svcKeyLen > 0,
+        has_user_id_cols: hasUserIdColumns(),
         dashboard_url: dashboardUrl || "(not set)",
         public_url: publicUrl || "(not set)",
       },
+      db: dbDiag,
       sessions: Object.keys(transports).length,
     });
   });

src/oauth-store.ts

@@ -24,8 +24,6 @@ import type {
 let _hasUserIdCols = false;
 
 export function createOAuthTables(db: Database.Database): void {
-  // Create core tables WITHOUT user_id so CREATE TABLE IF NOT EXISTS is a clean
-  // no-op on databases that already have these tables from before the migration.
   db.exec(`
     CREATE TABLE IF NOT EXISTS oauth_clients (
       client_id           TEXT NOT NULL PRIMARY KEY,
@@ -74,8 +72,27 @@ export function createOAuthTables(db: Database.Database): void {
       created_at    TEXT NOT NULL
     ) STRICT;
   `);
+}
+
+/**
+ * Add user_id columns to OAuth tables and create agent_keys table.
+ * Safe to call multiple times -- each operation is idempotent.
+ * Called from migration 018 in index.ts AND from ReflectOAuthProvider constructor.
+ */
+export function ensureOAuthUserColumns(db: Database.Database): void {
+  const tables = ["oauth_codes", "oauth_tokens", "oauth_pending_requests"];
+  for (const table of tables) {
+    try {
+      const cols = db.prepare(`PRAGMA table_info(${table})`).all() as { name: string }[];
+      if (!cols.some((c) => c.name === "user_id")) {
+        db.exec(`ALTER TABLE ${table} ADD COLUMN user_id TEXT`);
+        console.log(`[oauth] Added user_id column to ${table}`);
+      }
+    } catch (err) {
+      console.error(`[oauth] Failed to add user_id to ${table}: ${(err as Error).message}`);
+    }
+  }
 
-  // agent_keys table -- separate exec so failures don't block core tables
   try {
     db.exec(`
       CREATE TABLE IF NOT EXISTS agent_keys (
@@ -93,35 +110,14 @@ export function createOAuthTables(db: Database.Database): void {
     console.warn(`[oauth] agent_keys table setup: ${(err as Error).message}`);
   }
 
-  // Migrate user_id columns onto existing tables (each in its own try/catch)
-  _hasUserIdCols = migrateOAuthUserColumns(db);
-}
-
-function migrateOAuthUserColumns(db: Database.Database): boolean {
-  const tables = ["oauth_codes", "oauth_tokens", "oauth_pending_requests"];
-  let allOk = true;
-  for (const table of tables) {
-    try {
-      const cols = db.prepare(`PRAGMA table_info(${table})`).all() as { name: string }[];
-      if (!cols.some((c) => c.name === "user_id")) {
-        db.exec(`ALTER TABLE ${table} ADD COLUMN user_id TEXT`);
-        console.log(`[oauth] Added user_id column to ${table}`);
-      }
-    } catch (err) {
-      console.error(`[oauth] Failed to add user_id to ${table}: ${(err as Error).message}`);
-      allOk = false;
-    }
-  }
-  // Final check: verify the columns actually exist
+  // Set the flag based on actual column existence
   try {
     const cols = db.prepare(`PRAGMA table_info(oauth_codes)`).all() as { name: string }[];
-    const hasIt = cols.some((c) => c.name === "user_id");
-    if (!hasIt) {
-      console.error(`[oauth] CRITICAL: user_id column still missing from oauth_codes after migration`);
-      allOk = false;
-    }
-  } catch { allOk = false; }
-  return allOk;
+    _hasUserIdCols = cols.some((c) => c.name === "user_id");
+  } catch {
+    _hasUserIdCols = false;
+  }
+  console.log(`[oauth] user_id columns available: ${_hasUserIdCols}`);
 }
 
 export function hasUserIdColumns(): boolean {
@@ -286,6 +282,8 @@ export class ReflectOAuthProvider implements OAuthServerProvider {
     this._clientsStore = new SqliteClientsStore(config.db);
     this.issuerUrl = config.issuerUrl;
     this.dashboardUrl = config.dashboardUrl || "https://reflectmemory.com";
+    // Ensure user_id columns exist every time the provider starts
+    ensureOAuthUserColumns(config.db);
   }
 
   get clientsStore(): OAuthRegisteredClientsStore {