mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-04-08 03:00:28 -04:00
a8259ca935
### Changes 🏗️ Adds `autogpt_platform/analytics/` — 14 SQL view definitions that expose production data safely through a locked-down `analytics` schema. **Security model:** - Views use `security_invoker = false` (PostgreSQL 15+), so they execute as their owner (`postgres`), not the caller - `analytics_readonly` role only has access to `analytics.*` — cannot touch `platform` or `auth` tables directly **Files:** - `backend/generate_views.py` — does everything; auto-reads credentials from `backend/.env` - `analytics/queries/*.sql` — 14 documented view definitions (auth, user activity, executions, onboarding funnel, cohort retention) --- ### Running locally (dev) ```bash cd autogpt_platform/backend # First time only — creates analytics schema, role, grants poetry run analytics-setup # Create / refresh views (auto-reads backend/.env) poetry run analytics-views ``` ### Running in production (Supabase) ```bash cd autogpt_platform/backend # Step 1 — first time only (run in Supabase SQL Editor as postgres superuser) poetry run analytics-setup --dry-run # Paste the output into Supabase SQL Editor and run # Step 2 — apply views (use direct connection host, not pooler) poetry run analytics-views --db-url "postgresql://postgres:PASSWORD@db.<ref>.supabase.co:5432/postgres" # Step 3 — set password for analytics_readonly so external tools can connect # Run in Supabase SQL Editor: # ALTER ROLE analytics_readonly WITH PASSWORD 'your-password'; ``` --- ### Checklist 📋 #### For code changes: - [x] I have clearly listed my changes in the PR description - [x] I have made a test plan - [x] I have tested my changes according to the test plan: - [x] Setup + views applied cleanly on local Postgres 15 - [x] `analytics_readonly` can `SELECT` from all 14 `analytics.*` views - [x] `analytics_readonly` gets `permission denied` on `platform.*` and `auth.*` directly --------- Co-authored-by: Otto (AGPT) <otto@agpt.co>
41 lines
1.5 KiB
SQL
41 lines
1.5 KiB
SQL
-- =============================================================
|
|
-- View: analytics.auth_activities
|
|
-- Looker source alias: ds49 | Charts: 1
|
|
-- =============================================================
|
|
-- DESCRIPTION
|
|
-- Tracks authentication events (login, logout, SSO, password
|
|
-- reset, etc.) from Supabase's internal audit log.
|
|
-- Useful for monitoring sign-in patterns and detecting anomalies.
|
|
--
|
|
-- SOURCE TABLES
|
|
-- auth.audit_log_entries — Supabase internal auth event log
|
|
--
|
|
-- OUTPUT COLUMNS
|
|
-- created_at TIMESTAMPTZ When the auth event occurred
|
|
-- actor_id TEXT User ID who triggered the event
|
|
-- actor_via_sso TEXT Whether the action was via SSO ('true'/'false')
|
|
-- action TEXT Event type (e.g. 'login', 'logout', 'token_refreshed')
|
|
--
|
|
-- WINDOW
|
|
-- Rolling 90 days from current date
|
|
--
|
|
-- EXAMPLE QUERIES
|
|
-- -- Daily login counts
|
|
-- SELECT DATE_TRUNC('day', created_at) AS day, COUNT(*) AS logins
|
|
-- FROM analytics.auth_activities
|
|
-- WHERE action = 'login'
|
|
-- GROUP BY 1 ORDER BY 1;
|
|
--
|
|
-- -- SSO vs password login breakdown
|
|
-- SELECT actor_via_sso, COUNT(*) FROM analytics.auth_activities
|
|
-- WHERE action = 'login' GROUP BY 1;
|
|
-- =============================================================
|
|
|
|
SELECT
|
|
created_at,
|
|
payload->>'actor_id' AS actor_id,
|
|
payload->>'actor_via_sso' AS actor_via_sso,
|
|
payload->>'action' AS action
|
|
FROM auth.audit_log_entries
|
|
WHERE created_at >= NOW() - INTERVAL '90 days'
|