arazzo: 1.0.1
info:
  title: PropelAuth Migrate User With Password
  summary: Import a user from an external auth system, resolve their ID, then attach a legacy password hash.
  description: >-
    A migration flow for moving users off a legacy authentication provider. The
    workflow imports the user from the external source, looks the migrated user
    up by email to resolve the new PropelAuth user ID, and then attaches the
    legacy hashed password to that user so they can sign in with their existing
    credentials. Each step inlines its request, including the Backend
    Integration API key as a bearer token.
  version: 1.0.0
sourceDescriptions:
  - name: userApi
    url: ../openapi/propelauth-user-api-openapi.yml
    type: openapi
workflows:
  - workflowId: migrate-user-with-password
    summary: Migrate a user from an external source, then attach their legacy password hash.
    description: >-
      Imports a user from an external auth provider, resolves the new user ID
      by email, and migrates the legacy hashed password onto that user.
    inputs:
      type: object
      required:
        - backendApiKey
        - email
        - passwordHash
        - passwordHashType
      properties:
        backendApiKey:
          type: string
          description: PropelAuth Backend Integration API key presented as a bearer token.
        email:
          type: string
          description: Email address of the user being migrated.
        passwordHash:
          type: string
          description: The legacy hashed password to attach to the migrated user.
        passwordHashType:
          type: string
          description: The hashing algorithm of the legacy password (e.g. bcrypt, argon2).
    steps:
      - stepId: migrateUser
        description: Import the user from the external authentication source.
        operationId: migrateUser
        parameters:
          - name: Authorization
            in: header
            # Expressions embedded in a string value are wrapped in {} braces.
            value: "Bearer {$inputs.backendApiKey}"
        requestBody:
          contentType: application/json
          payload:
            email: $inputs.email
            email_confirmed: true
            enabled: true
        successCriteria:
          - condition: $statusCode == 200
      - stepId: resolveUser
        description: Resolve the migrated user's PropelAuth ID by email.
        operationId: fetchUserByEmail
        parameters:
          - name: Authorization
            in: header
            value: "Bearer {$inputs.backendApiKey}"
          - name: email
            in: query
            value: $inputs.email
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
      - stepId: migratePassword
        description: Attach the legacy hashed password to the migrated user.
        operationId: migrateUserPassword
        parameters:
          - name: Authorization
            in: header
            value: "Bearer {$inputs.backendApiKey}"
        requestBody:
          contentType: application/json
          payload:
            user_id: $steps.resolveUser.outputs.userId
            password_hash: $inputs.passwordHash
            password_hash_type: $inputs.passwordHashType
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          migratedStatus: $statusCode
    outputs:
      userId: $steps.resolveUser.outputs.userId