- Notifications
You must be signed in to change notification settings - Fork947
refactor: replace OAuth2 callback_url with RFC 6749 compliant redirect_uris#18810
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:thomask33/07-07-feat_standardize_oauth2_endpoints_and_add_token_revocation
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Changes fromall commits
File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Uh oh!
There was an error while loading.Please reload this page.
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Uh oh!
There was an error while loading.Please reload this page.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -5336,7 +5336,33 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() { | ||
| }) | ||
| })) | ||
| s.Run("InsertOAuth2ProviderApp", s.Subtest(func(db database.Store, check *expects) { | ||
| check.Args(database.InsertOAuth2ProviderAppParams{ | ||
| ID: uuid.New(), | ||
| Name: fmt.Sprintf("test-app-%d", time.Now().UnixNano()), | ||
| CreatedAt: dbtestutil.NowInDefaultTimezone(), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Nit: easier to see what's important if the zero values are omitted. | ||
| UpdatedAt: dbtestutil.NowInDefaultTimezone(), | ||
| Icon: "", | ||
| RedirectUris: []string{"http://localhost"}, | ||
| ClientType: sql.NullString{String: "confidential", Valid: true}, | ||
| DynamicallyRegistered: sql.NullBool{Bool: false, Valid: true}, | ||
| ClientIDIssuedAt: sql.NullTime{}, | ||
| ClientSecretExpiresAt: sql.NullTime{}, | ||
| GrantTypes: []string{"authorization_code", "refresh_token"}, | ||
| ResponseTypes: []string{"code"}, | ||
| TokenEndpointAuthMethod: sql.NullString{String: "client_secret_basic", Valid: true}, | ||
| Scope: sql.NullString{}, | ||
| Contacts: []string{}, | ||
| ClientUri: sql.NullString{}, | ||
| LogoUri: sql.NullString{}, | ||
| TosUri: sql.NullString{}, | ||
| PolicyUri: sql.NullString{}, | ||
| JwksUri: sql.NullString{}, | ||
| Jwks: pqtype.NullRawMessage{}, | ||
| SoftwareID: sql.NullString{}, | ||
| SoftwareVersion: sql.NullString{}, | ||
| RegistrationAccessToken: sql.NullString{}, | ||
| RegistrationClientUri: sql.NullString{}, | ||
| }).Asserts(rbac.ResourceOauth2App, policy.ActionCreate) | ||
| })) | ||
| s.Run("UpdateOAuth2ProviderAppByID", s.Subtest(func(db database.Store, check *expects) { | ||
| dbtestutil.DisableForeignKeysAndTriggers(s.T(), db) | ||
| @@ -5347,7 +5373,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() { | ||
| ID: app.ID, | ||
| Name: app.Name, | ||
| Icon: app.Icon, | ||
| RedirectUris: app.RedirectUris, | ||
| ClientType: app.ClientType, | ||
| DynamicallyRegistered: app.DynamicallyRegistered, | ||
| @@ -5389,7 +5414,6 @@ func (s *MethodTestSuite) TestOAuth2ProviderApps() { | ||
| ID: app.ID, | ||
| Name: app.Name, | ||
| Icon: app.Icon, | ||
| RedirectUris: app.RedirectUris, | ||
| ClientType: app.ClientType, | ||
| ClientSecretExpiresAt: app.ClientSecretExpiresAt, | ||
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Uh oh!
There was an error while loading.Please reload this page.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| -- Reverse migration: restore callback_url column from redirect_uris | ||
| -- Add back the callback_url column | ||
| ALTER TABLE oauth2_provider_apps | ||
| ADD COLUMN callback_url text; | ||
| -- Populate callback_url from the first redirect_uri | ||
| UPDATE oauth2_provider_apps | ||
| SET callback_url = redirect_uris[1] | ||
| WHERE redirect_uris IS NOT NULL AND array_length(redirect_uris, 1) > 0; | ||
| -- Remove NOT NULL and CHECK constraints from redirect_uris (restore original state) | ||
| ALTER TABLE oauth2_provider_apps | ||
| DROP CONSTRAINT IF EXISTS oauth2_provider_apps_redirect_uris_nonempty; | ||
| ALTER TABLE oauth2_provider_apps | ||
| ALTER COLUMN redirect_uris DROP NOT NULL; | ||
| COMMENT ON COLUMN oauth2_provider_apps.callback_url IS 'Legacy callback URL field (replaced by redirect_uris array)'; |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| -- Migrate from callback_url to redirect_uris as source of truth for OAuth2 apps | ||
| -- RFC 6749 compliance: use array of redirect URIs instead of single callback URL | ||
| -- Populate redirect_uris from callback_url where redirect_uris is empty or NULL. | ||
| -- NULLIF is used to treat empty strings in callback_url as NULL. | ||
| -- If callback_url is NULL or empty, this will result in redirect_uris | ||
| -- being an array with a single NULL element. This is preferable to an empty | ||
| -- array as it will pass a CHECK for array length > 0, enforcing that all | ||
| -- apps have at least one URI entry, even if it's null. | ||
Comment on lines +7 to +9 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Can't we make the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. I think I'm doing that in the client_credentials PR up in the stack, but I would need to double-check. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. I'm sorry. I just reread the comment. I'd rather not introduce a possible null here and perform a clean migration from callback_url to redirect_uris, then make sure that all of them get carried over. The constraint for | ||
| UPDATE oauth2_provider_apps | ||
| SET redirect_uris = ARRAY[NULLIF(callback_url, '')] | ||
| WHERE (redirect_uris IS NULL OR cardinality(redirect_uris) = 0); | ||
| -- Add NOT NULL constraint to redirect_uris | ||
| ALTER TABLE oauth2_provider_apps | ||
| ALTER COLUMN redirect_uris SET NOT NULL; | ||
| -- Add CHECK constraint to ensure redirect_uris is not empty. | ||
| -- This prevents empty arrays, which could have been created by the old logic, | ||
| -- and ensures data integrity going forward. | ||
| ALTER TABLE oauth2_provider_apps | ||
| ADD CONSTRAINT redirect_uris_not_empty CHECK (cardinality(redirect_uris) > 0); | ||
| -- Drop the callback_url column entirely | ||
| ALTER TABLE oauth2_provider_apps | ||
| DROP COLUMN callback_url; | ||
| COMMENT ON COLUMN oauth2_provider_apps.redirect_uris IS 'RFC 6749 compliant list of valid redirect URIs for the application'; | ||
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.