
remove static auth because signin/up doesn't support custom login

Tienson Qin 2 週間 前
コミット
7a915a31b1

+ 4 - 15
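--- a/deps/db-sync/README.md
+++ b/deps/db-sync/README.md
@@ -43,16 +43,10 @@ npm run build:node-adapter
 Run the adapter with Cognito auth:
 
 ```bash
-./start.sh
-```
-
-Run the adapter with a static token (local dev):
-
-```bash
-export DB_SYNC_AUTH_DRIVER=static
-export DB_SYNC_AUTH_TOKEN=dev-token
-export DB_SYNC_STATIC_USER_ID=user-1
-export DB_SYNC_PORT=8787
+DB_SYNC_PORT=8787 \
+COGNITO_ISSUER=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM \
+COGNITO_CLIENT_ID=1qi1uijg8b6ra70nejvbptis0q \
+COGNITO_JWKS_URL=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM/.well-known/jwks.json \
 node worker/dist/node-adapter.js
 ```
 
@@ -74,11 +68,6 @@ npm run test:node-adapter
 | DB_SYNC_DATA_DIR | Data directory for sqlite + assets |
 | DB_SYNC_STORAGE_DRIVER | Storage backend selection (sqlite) |
 | DB_SYNC_ASSETS_DRIVER | Assets backend selection (filesystem) |
-| DB_SYNC_AUTH_DRIVER | Auth driver (cognito, static, none) |
-| DB_SYNC_AUTH_TOKEN | Static token for local dev |
-| DB_SYNC_STATIC_USER_ID | Static user id for local dev |
-| DB_SYNC_STATIC_EMAIL | Static user email for local dev |
-| DB_SYNC_STATIC_USERNAME | Static username for local dev |
 | SENTRY_DSN | Sentry DSN |
 | SENTRY_RELEASE | Release identifier for Sentry events and sourcemaps |
 | SENTRY_ENVIRONMENT | Sentry environment name (prod, staging, etc.) |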

+ 3 - 3
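--- a/deps/db-sync/package.json
+++ b/deps/db-sync/package.json
@@ -19,9 +19,9 @@
   "dependencies": {
     "@sentry/cloudflare": "^10.38.0",
     "@sentry/node": "^10.38.0",
-    "better-sqlite3": "^11.10.0",
-    "ws": "^8.18.3",
-    "shadow-cljs": "^3.3.4"
+    "better-sqlite3": "^12.6.2",
+    "shadow-cljs": "^3.3.4",
+    "ws": "^8.18.3"
   },
   "devDependencies": {
     "@sentry/cli": "^3.1.0"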

+ 8 - 13
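--- a/deps/db-sync/src/logseq/db_sync/node/config.cljs
+++ b/deps/db-sync/src/logseq/db_sync/node/config.cljs
@@ -16,34 +16,29 @@
      :data-dir (or (env-value env "DB_SYNC_DATA_DIR") "data/db-sync")
      :storage-driver (or (env-value env "DB_SYNC_STORAGE_DRIVER") "sqlite")
      :assets-driver (or (env-value env "DB_SYNC_ASSETS_DRIVER") "filesystem")
-     :auth-driver (or (env-value env "DB_SYNC_AUTH_DRIVER") "cognito")
-     :auth-token (env-value env "DB_SYNC_AUTH_TOKEN")
-     :static-user-id (env-value env "DB_SYNC_STATIC_USER_ID")
-     :static-email (env-value env "DB_SYNC_STATIC_EMAIL")
-     :static-username (env-value env "DB_SYNC_STATIC_USERNAME")
      :log-level (or (env-value env "DB_SYNC_LOG_LEVEL") "info")
      :cognito-issuer (env-value env "COGNITO_ISSUER")
      :cognito-client-id (env-value env "COGNITO_CLIENT_ID")
      :cognito-jwks-url (env-value env "COGNITO_JWKS_URL")}))
 
+(def ^:private allowed-config-keys
+  [:port :base-url :data-dir :storage-driver :assets-driver :log-level
+   :cognito-issuer :cognito-client-id :cognito-jwks-url])
+
 (defn normalize-config [overrides]
   (let [defaults {:port 8080
                   :data-dir "data/db-sync"
                   :storage-driver "sqlite"
                   :assets-driver "filesystem"
-                  :auth-driver "cognito"
                   :log-level "info"}
         merged (merge defaults (config-from-env) overrides)
-        auth-driver (string/lower-case (:auth-driver merged))
         storage-driver (string/lower-case (:storage-driver merged))
         assets-driver (string/lower-case (:assets-driver merged))]
-    (when-not (#{"cognito" "static" "none"} auth-driver)
-      (throw (js/Error. (str "unsupported auth driver: " auth-driver))))
     (when-not (#{"sqlite"} storage-driver)
       (throw (js/Error. (str "unsupported storage driver: " storage-driver))))
     (when-not (#{"filesystem"} assets-driver)
       (throw (js/Error. (str "unsupported assets driver: " assets-driver))))
-    (assoc merged
-           :auth-driver auth-driver
-           :storage-driver storage-driver
-           :assets-driver assets-driver)))
+    (-> merged
+        (select-keys allowed-config-keys)
+        (assoc :storage-driver storage-driver
+               :assets-driver assets-driver))))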
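Review bot: `normalize-config` still validates only `storage-driver` and `assets-driver`; with the `auth-driver` switch removed Cognito is the only authentication path, yet nothing here checks that `:cognito-issuer`, `:cognito-client-id` and `:cognito-jwks-url` are set, and `config-from-env` yields nil for any that are missing. What `authorization/verify-jwt` does with a nil issuer or JWKS URL is not visible in this diff, so I would fail at startup rather than find out per request: `(doseq [k [:cognito-issuer :cognito-client-id :cognito-jwks-url]] (when (string/blank? (get merged k)) (throw (js/Error. (str "missing required config: " (name k))))))`. The config tests that call `normalize-config` with only `:port` would then need to pass these three values as overrides.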

+ 0 - 5
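--- a/deps/db-sync/src/logseq/db_sync/node/graph.cljs
+++ b/deps/db-sync/src/logseq/db_sync/node/graph.cljs
@@ -11,11 +11,6 @@
   (doto (js-obj)
     (aset "DB" index-db)
     (aset "LOGSEQ_SYNC_ASSETS" assets-bucket)
-    (aset "DB_SYNC_AUTH_DRIVER" (:auth-driver cfg))
-    (aset "DB_SYNC_AUTH_TOKEN" (:auth-token cfg))
-    (aset "DB_SYNC_STATIC_USER_ID" (:static-user-id cfg))
-    (aset "DB_SYNC_STATIC_EMAIL" (:static-email cfg))
-    (aset "DB_SYNC_STATIC_USERNAME" (:static-username cfg))
     (aset "COGNITO_ISSUER" (:cognito-issuer cfg))
     (aset "COGNITO_CLIENT_ID" (:cognito-client-id cfg))
     (aset "COGNITO_JWKS_URL" (:cognito-jwks-url cfg))))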

+ 0 - 5
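--- a/deps/db-sync/src/logseq/db_sync/node/server.cljs
+++ b/deps/db-sync/src/logseq/db_sync/node/server.cljs
@@ -24,11 +24,6 @@
   (doto (js-obj)
     (aset "DB" index-db)
     (aset "LOGSEQ_SYNC_ASSETS" assets-bucket)
-    (aset "DB_SYNC_AUTH_DRIVER" (:auth-driver cfg))
-    (aset "DB_SYNC_AUTH_TOKEN" (:auth-token cfg))
-    (aset "DB_SYNC_STATIC_USER_ID" (:static-user-id cfg))
-    (aset "DB_SYNC_STATIC_EMAIL" (:static-email cfg))
-    (aset "DB_SYNC_STATIC_USERNAME" (:static-username cfg))
     (aset "COGNITO_ISSUER" (:cognito-issuer cfg))
     (aset "COGNITO_CLIENT_ID" (:cognito-client-id cfg))
     (aset "COGNITO_JWKS_URL" (:cognito-jwks-url cfg))))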

+ 11 - 39
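--- a/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
+++ b/deps/db-sync/src/logseq/db_sync/worker/auth.cljs
@@ -42,26 +42,6 @@
       (let [url (js/URL. (.-url request))]
         (.get (.-searchParams url) "token"))))
 
-(defn- static-claims [env token]
-  (let [expected (aget env "DB_SYNC_AUTH_TOKEN")
-        user-id (or (aget env "DB_SYNC_STATIC_USER_ID") "user")
-        email (aget env "DB_SYNC_STATIC_EMAIL")
-        username (aget env "DB_SYNC_STATIC_USERNAME")]
-    (when (and (string? expected) (string? token) (= expected token))
-      (let [claims #js {"sub" user-id}]
-        (when (string? email) (aset claims "email" email))
-        (when (string? username) (aset claims "username" username))
-        claims))))
-
-(defn- none-claims [env]
-  (let [user-id (or (aget env "DB_SYNC_STATIC_USER_ID") "user")
-        email (aget env "DB_SYNC_STATIC_EMAIL")
-        username (aget env "DB_SYNC_STATIC_USERNAME")
-        claims #js {"sub" user-id}]
-    (when (string? email) (aset claims "email" email))
-    (when (string? username) (aset claims "username" username))
-    claims))
-
 (defn- decode-jwt-part [part]
   (let [pad (if (pos? (mod (count part) 4))
               (apply str (repeat (- 4 (mod (count part) 4)) "="))
@@ -82,22 +62,14 @@
       nil)))
 
 (defn auth-claims [request env]
-  (let [token (token-from-request request)
-        driver (some-> (aget env "DB_SYNC_AUTH_DRIVER") string/lower-case)]
-    (case driver
-      "static"
-      (js/Promise.resolve (static-claims env token))
-
-      "none"
-      (js/Promise.resolve (none-claims env))
-
-      (if (string? token)
-        (if-let [claims (cached-claims token)]
-          (js/Promise.resolve claims)
-          (-> (authorization/verify-jwt token env)
-              (.then (fn [claims]
-                       (when claims
-                         (cache-claims! token claims))
-                       claims))
-              (.catch (fn [_] nil))))
-        (js/Promise.resolve nil)))))
+  (let [token (token-from-request request)]
+    (if (string? token)
+      (if-let [claims (cached-claims token)]
+        (js/Promise.resolve claims)
+        (-> (authorization/verify-jwt token env)
+            (.then (fn [claims]
+                     (when claims
+                       (cache-claims! token claims))
+                     claims))
+            (.catch (fn [_] nil))))
+      (js/Promise.resolve nil))))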
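Review bot: In `auth-claims`, `(.catch (fn [_] nil))` turns every `verify-jwt` rejection into nil claims, so now that JWT verification is the only path, a JWKS fetch failure or a wrong `COGNITO_ISSUER` is indistinguishable from a bad token and leaves nothing to investigate when authentication starts failing. I would record the error message (never the token itself) before returning nil, e.g. `(.catch (fn [e] (js/console.warn "jwt verification failed:" (.-message e)) nil))`. Separately, `cached-claims` and `cache-claims!` are defined outside these hunks, so it is not visible whether a cache hit honours the token's `exp`; if it does not, a cached token keeps working past expiry, and that deserves either a check or a comment at the `if-let`.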

+ 11 - 5
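--- a/deps/db-sync/start.sh
+++ b/deps/db-sync/start.sh
@@ -1,11 +1,17 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-export COGNITO_JWKS_URL="https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dtagLnju8/.well-known/jwks.json"
-export COGNITO_ISSUER="https://cognito-idp.us-east-1.amazonaws.com/us-east-1_dtagLnju8"
-export COGNITO_CLIENT_ID="69cs1lgme7p8kbgld8n5kseii6"
+: "${DB_SYNC_PORT:=8787}"
 
-# Optional: choose a fixed port
-export DB_SYNC_PORT=8787
+# Defaults match the local `yarn watch` app auth config.
+# Override these env vars for production pool values if needed.
+: "${COGNITO_ISSUER:=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM}"
+: "${COGNITO_CLIENT_ID:=1qi1uijg8b6ra70nejvbptis0q}"
+: "${COGNITO_JWKS_URL:=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM/.well-known/jwks.json}"
+
+export DB_SYNC_PORT
+export COGNITO_ISSUER
+export COGNITO_CLIENT_ID
+export COGNITO_JWKS_URL
 
 node worker/dist/node-adapter.js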
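Review bot: The `:=` defaults make the script start against the local-development Cognito pool whenever the variables are unset, so a production host that loses part of its environment would quietly trust tokens issued by that pool instead of refusing to start. The comment asks operators to override the values, but nothing enforces it; I would require them with `: "${COGNITO_ISSUER:?COGNITO_ISSUER must be set}"` (and the same for `COGNITO_CLIENT_ID`), or keep the defaults behind an explicit local-only opt-in. Issuer and JWKS URL are also defaulted independently, so overriding only one leaves a mismatched pair; deriving the second from the first avoids that: `: "${COGNITO_JWKS_URL:=${COGNITO_ISSUER}/.well-known/jwks.json}"`.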

+ 70 - 73
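--- a/deps/db-sync/test/logseq/db_sync/node_adapter_test.cljs
+++ b/deps/db-sync/test/logseq/db_sync/node_adapter_test.cljs
@@ -26,82 +26,79 @@
   (let [suffix (str (random-uuid))
         dir (str "tmp/db-sync-node-test/" suffix)]
     (node-server/start! {:port 0
-                         :auth-driver "static"
-                         :auth-token test-token
-                         :static-user-id "user-1"
                          :data-dir dir})))
 ;; FIXME: Tests are disabled until they stop hanging
 #_(deftest node-adapter-http-roundtrip-test
-  (async done
-         (p/let [{:keys [base-url stop!]} (start-test-server)
-                 health-resp (js/fetch (str base-url "/health"))
-                 health-body (parse-json health-resp)]
-           (testing "health"
-             (is (.-ok health-resp))
-             (is (= true (aget health-body "ok"))))
+    (async done
+           (p/let [{:keys [base-url stop!]} (start-test-server)
+                   health-resp (js/fetch (str base-url "/health"))
+                   health-body (parse-json health-resp)]
+             (testing "health"
+               (is (.-ok health-resp))
+               (is (= true (aget health-body "ok"))))
            ;; FIXME: Test hangs here due to an exception
-           (p/let [create-resp (post-json (str base-url "/graphs") {:graph-name "Test Graph"})
-                   create-body (parse-json create-resp)
-                   graph-id (aget create-body "graph-id")
-                   access-resp (get-json (str base-url "/graphs/" graph-id "/access"))
-                   access-body (parse-json access-resp)
-                   sync-health (get-json (str base-url "/sync/" graph-id "/health"))
-                   sync-health-body (parse-json sync-health)]
-             (testing "graph access"
-               (is (.-ok create-resp))
-               (is (string? graph-id))
-               (is (.-ok access-resp))
-               (is (= true (aget access-body "ok"))))
-             (testing "sync health"
-               (is (.-ok sync-health))
-               (is (= true (aget sync-health-body "ok"))))
-             (p/let [tx-data [{:block/uuid (random-uuid)
-                               :block/content "hello"}]
-                     txs (protocol/tx->transit tx-data)
-                     tx-resp (post-json (str base-url "/sync/" graph-id "/tx/batch")
-                                        {:t-before 0
-                                         :txs txs})
-                     tx-body (parse-json tx-resp)
-                     pull-resp (get-json (str base-url "/sync/" graph-id "/pull?since=0"))
-                     pull-body (parse-json pull-resp)]
-               (testing "tx batch"
-                 (is (.-ok tx-resp))
-                 (is (= "tx/batch/ok" (aget tx-body "type"))))
-               (testing "pull"
-                 (is (.-ok pull-resp))
-                 (is (= "pull/ok" (aget pull-body "type")))
-                 (is (pos? (count (aget pull-body "txs")))))
-               (p/then (stop!) (fn [] (done))))))))
+             (p/let [create-resp (post-json (str base-url "/graphs") {:graph-name "Test Graph"})
+                     create-body (parse-json create-resp)
+                     graph-id (aget create-body "graph-id")
+                     access-resp (get-json (str base-url "/graphs/" graph-id "/access"))
+                     access-body (parse-json access-resp)
+                     sync-health (get-json (str base-url "/sync/" graph-id "/health"))
+                     sync-health-body (parse-json sync-health)]
+               (testing "graph access"
+                 (is (.-ok create-resp))
+                 (is (string? graph-id))
+                 (is (.-ok access-resp))
+                 (is (= true (aget access-body "ok"))))
+               (testing "sync health"
+                 (is (.-ok sync-health))
+                 (is (= true (aget sync-health-body "ok"))))
+               (p/let [tx-data [{:block/uuid (random-uuid)
+                                 :block/content "hello"}]
+                       txs (protocol/tx->transit tx-data)
+                       tx-resp (post-json (str base-url "/sync/" graph-id "/tx/batch")
+                                          {:t-before 0
+                                           :txs txs})
+                       tx-body (parse-json tx-resp)
+                       pull-resp (get-json (str base-url "/sync/" graph-id "/pull?since=0"))
+                       pull-body (parse-json pull-resp)]
+                 (testing "tx batch"
+                   (is (.-ok tx-resp))
+                   (is (= "tx/batch/ok" (aget tx-body "type"))))
+                 (testing "pull"
+                   (is (.-ok pull-resp))
+                   (is (= "pull/ok" (aget pull-body "type")))
+                   (is (pos? (count (aget pull-body "txs")))))
+                 (p/then (stop!) (fn [] (done))))))))
 
 #_(deftest node-adapter-websocket-test
-  (async done
-         (p/let [{:keys [base-url stop!]} (start-test-server)
-                 create-resp (post-json (str base-url "/graphs") {:graph-name "WS Graph"})
-                 create-body (parse-json create-resp)
-                 graph-id (aget create-body "graph-id")]
-           (testing "websocket hello and changed"
-             (let [ws-url (str (string/replace base-url "http" "ws") "/sync/" graph-id)
-                   ws-module (js/require "ws")
-                   WebSocket (or (.-WebSocket ws-module) ws-module)
-                   client (new WebSocket ws-url #js {:headers (auth-headers)})
-                   messages (atom [])
-                   push-message (fn [data]
-                                  (let [text (if (string? data) data (.toString data))]
-                                    (swap! messages conj (js/JSON.parse text))))]
-               (.on client "message" push-message)
-               (.on client "open"
-                    (fn []
-                      (.send client (protocol/encode-message {:type "hello" :client "test"}))))
-               (p/let [_ (p/delay 50)
-                       tx-data [{:block/uuid (random-uuid)
-                                 :block/content "ws"}]
-                       txs (protocol/tx->transit tx-data)
-                       _ (post-json (str base-url "/sync/" graph-id "/tx/batch")
-                                    {:t-before 0
-                                     :txs txs})
-                       _ (p/delay 100)]
-                 (let [types (set (map #(aget % "type") @messages))]
-                   (is (contains? types "hello"))
-                   (is (contains? types "changed")))
-                 (.close client)
-                 (p/then (stop!) (fn [] (done)))))))))
+    (async done
+           (p/let [{:keys [base-url stop!]} (start-test-server)
+                   create-resp (post-json (str base-url "/graphs") {:graph-name "WS Graph"})
+                   create-body (parse-json create-resp)
+                   graph-id (aget create-body "graph-id")]
+             (testing "websocket hello and changed"
+               (let [ws-url (str (string/replace base-url "http" "ws") "/sync/" graph-id)
+                     ws-module (js/require "ws")
+                     WebSocket (or (.-WebSocket ws-module) ws-module)
+                     client (new WebSocket ws-url #js {:headers (auth-headers)})
+                     messages (atom [])
+                     push-message (fn [data]
+                                    (let [text (if (string? data) data (.toString data))]
+                                      (swap! messages conj (js/JSON.parse text))))]
+                 (.on client "message" push-message)
+                 (.on client "open"
+                      (fn []
+                        (.send client (protocol/encode-message {:type "hello" :client "test"}))))
+                 (p/let [_ (p/delay 50)
+                         tx-data [{:block/uuid (random-uuid)
+                                   :block/content "ws"}]
+                         txs (protocol/tx->transit tx-data)
+                         _ (post-json (str base-url "/sync/" graph-id "/tx/batch")
+                                      {:t-before 0
+                                       :txs txs})
+                         _ (p/delay 100)]
+                   (let [types (set (map #(aget % "type") @messages))]
+                     (is (contains? types "hello"))
+                     (is (contains? types "changed")))
+                   (.close client)
+                   (p/then (stop!) (fn [] (done)))))))))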
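Review bot: The server started at the top of this hunk no longer receives any auth configuration, but the disabled tests still send `(auth-headers)`, which, judging from the removed `:auth-token test-token` line, carries a fixed string rather than a Cognito JWT. Once these tests are re-enabled they would fail authentication before reaching the sync routes unless `authorization/verify-jwt` is stubbed. I would record that next to the existing FIXME, e.g. `;; NOTE: static auth was removed; stub authorization/verify-jwt before re-enabling`, and drop `test-token` if nothing else uses it. The enclosing function begins above the hunk, so its name (presumably `start-test-server`) is inferred from the call sites.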

+ 7 - 6
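--- a/deps/db-sync/test/logseq/db_sync/node_config_test.cljs
+++ b/deps/db-sync/test/logseq/db_sync/node_config_test.cljs
@@ -8,12 +8,13 @@
     false
     (catch :default _ true)))
 
-(deftest normalize-config-auth-driver-test
-  (testing "static auth driver accepted"
-    (let [cfg (config/normalize-config {:auth-driver "static" :auth-token "x"})]
-      (is (= "static" (:auth-driver cfg)))))
-  (testing "unsupported auth driver throws"
-    (is (throws? #(config/normalize-config {:auth-driver "nope"})))))
+(deftest normalize-config-drops-unknown-keys-test
+  (let [cfg (config/normalize-config {:port 7777
+                                      :unknown-key "value"
+                                      :legacy-auth-key "value"})]
+    (is (= 7777 (:port cfg)))
+    (is (nil? (:unknown-key cfg)))
+    (is (nil? (:legacy-auth-key cfg)))))
 
 (deftest normalize-config-storage-driver-test
   (testing "sqlite storage driver accepted"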

+ 1 - 0
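--- a/deps/db-sync/test/logseq/db_sync/test_runner.cljs
+++ b/deps/db-sync/test/logseq/db_sync/test_runner.cljs
@@ -3,6 +3,7 @@
             [logseq.db-sync.node-adapter-test]
             [logseq.db-sync.node-config-test]
             [logseq.db-sync.platform-test]
+            [logseq.db-sync.worker-auth-test]
             [logseq.db-sync.worker-handler-assets-test]
             [logseq.db-sync.worker-handler-sync-test]
             [logseq.db-sync.worker-handler-ws-test]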

+ 29 - 0
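--- a/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
+++ b/deps/db-sync/test/logseq/db_sync/worker_auth_test.cljs
@@ -0,0 +1,29 @@
+(ns logseq.db-sync.worker-auth-test
+  (:require [cljs.test :refer [async deftest is]]
+            [logseq.common.authorization :as authorization]
+            [logseq.db-sync.worker.auth :as auth]
+            [promesa.core :as p]))
+
+(deftest auth-claims-uses-jwt-verification-test
+  (async done
+         (let [request (js/Request. "http://localhost/graphs"
+                                    #js {:headers #js {"authorization" "Bearer dev-token"}})]
+           (-> (p/with-redefs [authorization/verify-jwt
+                               (fn [token _env]
+                                 (js/Promise.resolve #js {"sub" (str "jwt:" token)}))]
+                 (p/let [claims (auth/auth-claims request #js {})]
+                   (is (= "jwt:dev-token" (aget claims "sub")))))
+               (p/then (fn [] (done)))
+               (p/catch (fn [error]
+                          (is false (str error))
+                          (done)))))))
+
+(deftest auth-claims-without-token-returns-nil-test
+  (async done
+         (let [request (js/Request. "http://localhost/graphs")]
+           (-> (p/let [claims (auth/auth-claims request #js {})]
+                 (is (nil? claims)))
+               (p/then (fn [] (done)))
+               (p/catch (fn [error]
+                          (is false (str error))
+                          (done)))))))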
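Review bot: Neither test pins the case that matters most after this commit, namely that a token `verify-jwt` rejects produces nil claims; only the accepting stub and the no-token request are covered. I would add a third `deftest` that redefines `authorization/verify-jwt` to `(fn [_ _] (js/Promise.reject (js/Error. "bad token")))`, sends a bearer token, and asserts `(is (nil? claims))`. The first test also goes through `cache-claims!`, so `"dev-token"` probably stays in the worker's claims cache for later tests in the same run (the cache lives outside this file, so that is an inference); the new test should use a token string of its own so a cache hit cannot mask the rejection.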

+ 7 - 7
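--- a/deps/db-sync/yarn.lock
+++ b/deps/db-sync/yarn.lock
@@ -500,10 +500,10 @@ base64-js@^1.3.1:
   resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.5.1.tgz#1b1b440160a5bf7ad40b650f095963481903930a"
   integrity sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==
 
-better-sqlite3@^11.10.0:
-  version "11.10.0"
-  resolved "https://registry.yarnpkg.com/better-sqlite3/-/better-sqlite3-11.10.0.tgz#2b1b14c5acd75a43fd84d12cc291ea98cef57d98"
-  integrity sha512-EwhOpyXiOEL/lKzHz9AW1msWFNzGc/z+LzeB3/jnFJpxu+th2yqvzsSWas1v9jgs9+xiXJcD5A8CJxAG2TaghQ==
+better-sqlite3@^12.6.2:
+  version "12.6.2"
+  resolved "https://registry.yarnpkg.com/better-sqlite3/-/better-sqlite3-12.6.2.tgz#770649f28a62e543a360f3dfa1afe4cc944b1937"
+  integrity sha512-8VYKM3MjCa9WcaSAI3hzwhmyHVlH8tiGFwf0RlTsZPWJ1I5MkzjiudCo4KC4DxOaL/53A5B1sI/IbldNFDbsKA==
   dependencies:
     bindings "^1.5.0"
     prebuild-install "^7.1.1"
@@ -826,9 +826,9 @@ safe-buffer@^5.0.1, safe-buffer@~5.2.0:
   integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==
 
 semver@^7.3.5:
-  version "7.7.3"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.3.tgz#4b5f4143d007633a8dc671cd0a6ef9147b8bb946"
-  integrity sha512-SdsKMrI9TdgjdweUSR9MweHA4EJ8YxHn8DFaDisvhVlUOe4BF1tLD7GAj0lIqWVl+dPb/rExr0Btby5loQm20Q==
+  version "7.7.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.7.4.tgz#28464e36060e991fa7a11d0279d2d3f3b57a7e8a"
+  integrity sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==
 
 [email protected]:
   version "1.3.4"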

+ 3 - 1
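--- a/docs/agent-guide/001-db-sync-nodejs-adapter.md
+++ b/docs/agent-guide/001-db-sync-nodejs-adapter.md
@@ -65,9 +65,11 @@ Use the following environment variables for the Node adapter configuration.
 | DB_SYNC_PORT | HTTP server port | 8080 |
 | DB_SYNC_BASE_URL | External base URL for asset links | https://sync.example.com |
 | DB_SYNC_STORAGE_DRIVER | Storage backend selection | sqlite | 
-| DB_SYNC_AUTH_DRIVER | Auth backend selection | bearer | 
 | DB_SYNC_ASSETS_DRIVER | Asset storage backend selection | filesystem |
 | DB_SYNC_LOG_LEVEL | Log verbosity | info |
+| COGNITO_ISSUER | Cognito issuer URL | https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM |
+| COGNITO_CLIENT_ID | Cognito app client id | 1qi1uijg8b6ra70nejvbptis0q |
+| COGNITO_JWKS_URL | Cognito JWKS URL | https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM/.well-known/jwks.json |
 
 ## Verification
 Run the server-side test suite.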

+ 14 - 5
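--- a/docs/develop-logseq.md
+++ b/docs/develop-logseq.md
@@ -130,13 +130,22 @@ Build and run the Node.js adapter for self-hosted DB sync.
 ```bash
 cd deps/db-sync
 yarn install
-DB_SYNC_AUTH_DRIVER=static DB_SYNC_AUTH_TOKEN=dev-token DB_SYNC_PORT=8080 yarn build:node-adapter
-DB_SYNC_AUTH_DRIVER=static DB_SYNC_AUTH_TOKEN=dev-token DB_SYNC_PORT=8080 yarn start:node-adapter
+DB_SYNC_PORT=8787 \
+COGNITO_ISSUER=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM \
+COGNITO_CLIENT_ID=1qi1uijg8b6ra70nejvbptis0q \
+COGNITO_JWKS_URL=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM/.well-known/jwks.json \
+yarn build:node-adapter
+
+DB_SYNC_PORT=8787 \
+COGNITO_ISSUER=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM \
+COGNITO_CLIENT_ID=1qi1uijg8b6ra70nejvbptis0q \
+COGNITO_JWKS_URL=https://cognito-idp.us-east-2.amazonaws.com/us-east-2_kAqZcxIeM/.well-known/jwks.json \
+yarn start:node-adapter
 ```
 
 Optional environment variables:
 - DB_SYNC_DATA_DIR (defaults to data/db-sync)
-- DB_SYNC_STATIC_USER_ID (defaults to user)
-- DB_SYNC_STATIC_EMAIL
-- DB_SYNC_STATIC_USERNAME
 
+Notes:
+- The Cognito values above match `ENABLE_DB_SYNC_LOCAL=true yarn watch` default auth config.
+- For production builds, use the production Cognito pool values from `src/main/frontend/config.cljs`.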