//! Migration for OAuth2/OIDC identity tables
//!
//! This migration adds tables for:
//! - oauth2_identity: Links an OAuth2/OIDC provider identity, keyed by (issuer, subject), to a local Kellnr user
//! - oauth2_state: Temporary per-login storage for the CSRF `state`, PKCE verifier and OIDC nonce during the authorization flow
use sea_orm_migration::prelude::*;
use crate::iden::{OAuth2IdentityIden, OAuth2StateIden, UserIden};
/// Schema migration that introduces the OAuth2/OIDC identity tables.
///
/// The name the migrator records for this migration is supplied by
/// `DeriveMigrationName`; the struct itself carries no state.
#[derive(DeriveMigrationName)]
pub struct Migration;
#[async_trait::async_trait]
impl MigrationTrait for Migration {
    /// Creates `oauth2_identity` (plus its two indexes) and `oauth2_state`.
    ///
    /// Every statement is `IF NOT EXISTS`, so re-running against a partially
    /// applied schema skips the parts already present. Statements are issued
    /// in dependency order: the identity table first, then its indexes, then
    /// the standalone state table.
    ///
    /// # Errors
    /// Returns the first `DbErr` raised by the schema manager; statements
    /// after the failing one are not attempted.
    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
        manager.create_table(oauth2_identity_table()).await?;
        manager
            .create_index(oauth2_identity_provider_subject_index())
            .await?;
        manager.create_index(oauth2_identity_user_fk_index()).await?;
        manager.create_table(oauth2_state_table()).await?;
        Ok(())
    }

    /// Reverts `up` by dropping `oauth2_state` and then `oauth2_identity`.
    ///
    /// Dropping a table also drops the indexes and the foreign key created
    /// on it, so nothing else needs to be undone explicitly.
    ///
    /// # Errors
    /// Returns the first `DbErr` raised while dropping a table.
    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
        // Reverse creation order.
        let drops = [
            Table::drop().table(OAuth2StateIden::Table).to_owned(),
            Table::drop().table(OAuth2IdentityIden::Table).to_owned(),
        ];
        for stmt in drops {
            manager.drop_table(stmt).await?;
        }
        Ok(())
    }
}

/// Builds the `oauth2_identity` table: one row per provider identity that is
/// linked to a local user (`user_fk`).
///
/// `email` is nullable and is not part of any index; it is informational only
/// and must not be used to look up or link identities — the identity key is
/// the `(provider_issuer, subject)` pair enforced by
/// [`oauth2_identity_provider_subject_index`].
fn oauth2_identity_table() -> TableCreateStatement {
    let mut id = ColumnDef::new(OAuth2IdentityIden::Id);
    id.big_integer().not_null().auto_increment().primary_key();

    let mut user_fk = ColumnDef::new(OAuth2IdentityIden::UserFk);
    user_fk.big_integer().not_null();

    let mut provider_issuer = ColumnDef::new(OAuth2IdentityIden::ProviderIssuer);
    provider_issuer.text().not_null();

    let mut subject = ColumnDef::new(OAuth2IdentityIden::Subject);
    subject.text().not_null();

    let mut email = ColumnDef::new(OAuth2IdentityIden::Email);
    email.text();

    // Stored as text; the row writer decides the timestamp format.
    let mut created = ColumnDef::new(OAuth2IdentityIden::Created);
    created.text().not_null();

    // Deleting a local user cascades to every provider identity linked to it,
    // so a removed account cannot be re-entered through a stale link row.
    let mut user_fk_constraint = ForeignKey::create();
    user_fk_constraint
        .name("oauth2_identity_user_fk")
        .from(OAuth2IdentityIden::Table, OAuth2IdentityIden::UserFk)
        .to(UserIden::Table, UserIden::Id)
        .on_update(ForeignKeyAction::NoAction)
        .on_delete(ForeignKeyAction::Cascade);

    Table::create()
        .table(OAuth2IdentityIden::Table)
        .if_not_exists()
        .col(&mut id)
        .col(&mut user_fk)
        .col(&mut provider_issuer)
        .col(&mut subject)
        .col(&mut email)
        .col(&mut created)
        .foreign_key(&mut user_fk_constraint)
        .to_owned()
}

/// Unique index on `(provider_issuer, subject)`.
///
/// The provider's `sub` claim is only unique within its issuer, so the pair
/// is the identity key; the uniqueness constraint guarantees a given provider
/// identity can be bound to at most one local user.
fn oauth2_identity_provider_subject_index() -> IndexCreateStatement {
    Index::create()
        .if_not_exists()
        .name("idx_oauth2_identity_provider_subject")
        .table(OAuth2IdentityIden::Table)
        .col(OAuth2IdentityIden::ProviderIssuer)
        .col(OAuth2IdentityIden::Subject)
        .unique()
        .to_owned()
}

/// Non-unique index on `user_fk` for "identities of this user" lookups and
/// for the cascading delete on the foreign key.
fn oauth2_identity_user_fk_index() -> IndexCreateStatement {
    Index::create()
        .if_not_exists()
        .name("idx_oauth2_identity_user_fk")
        .table(OAuth2IdentityIden::Table)
        .col(OAuth2IdentityIden::UserFk)
        .to_owned()
}

/// Builds the `oauth2_state` table: one row per in-flight authorization
/// attempt, holding the CSRF `state`, the PKCE verifier and the OIDC nonce.
///
/// `state` is unique, so a callback can be matched to exactly one attempt.
/// `pkce_verifier` and `nonce` are secrets for as long as the row exists;
/// there is no expiry column, only `created` as text.
/// NOTE(review): the handler is not visible here — confirm that rows are
/// deleted once consumed and that `created` is written in a sortable
/// (e.g. ISO 8601 UTC) format so stale rows can be swept.
fn oauth2_state_table() -> TableCreateStatement {
    let mut id = ColumnDef::new(OAuth2StateIden::Id);
    id.big_integer().not_null().auto_increment().primary_key();

    let mut state = ColumnDef::new(OAuth2StateIden::State);
    state.text().not_null().unique_key();

    let mut pkce_verifier = ColumnDef::new(OAuth2StateIden::PkceVerifier);
    pkce_verifier.text().not_null();

    let mut nonce = ColumnDef::new(OAuth2StateIden::Nonce);
    nonce.text().not_null();

    let mut created = ColumnDef::new(OAuth2StateIden::Created);
    created.text().not_null();

    Table::create()
        .table(OAuth2StateIden::Table)
        .if_not_exists()
        .col(&mut id)
        .col(&mut state)
        .col(&mut pkce_verifier)
        .col(&mut nonce)
        .col(&mut created)
        .to_owned()
}