From 194d34106e23afdae747784eafe84fd82edd2937 Mon Sep 17 00:00:00 2001 
From: James Elliott Date: Sat, 19 Nov 2022 16:47:09 +1100 Subject: [PATCH] fix(storage): schema inconsistency (#4262) --- cmd/authelia-gen/cmd_docs_cli.go | 26 +- cmd/authelia-scripts/cmd/gen.go | 2 +- .../en/configuration/storage/migrations.md | 1 + .../content/en/configuration/storage/mysql.md | 15 +- .../en/configuration/storage/postgres.md | 13 +- .../guidelines/database-schema.md | 64 ++ docs/content/en/reference/cli/_index.md | 2 +- .../en/reference/cli/authelia-gen/_index.md | 2 +- .../cli/authelia-gen/authelia-gen.md | 2 +- .../cli/authelia-gen/authelia-gen_code.md | 2 +- .../authelia-gen/authelia-gen_code_keys.md | 2 +- .../authelia-gen/authelia-gen_code_scripts.md | 2 +- .../authelia-gen/authelia-gen_code_server.md | 2 +- .../authelia-gen/authelia-gen_commit-lint.md | 2 +- .../cli/authelia-gen/authelia-gen_docs.md | 2 +- .../cli/authelia-gen/authelia-gen_docs_cli.md | 2 +- .../authelia-gen/authelia-gen_docs_data.md | 2 +- .../authelia-gen_docs_data_keys.md | 2 +- .../authelia-gen_docs_data_misc.md | 2 +- .../authelia-gen/authelia-gen_docs_date.md | 2 +- .../cli/authelia-gen/authelia-gen_github.md | 2 +- .../authelia-gen_github_issue-templates.md | 2 +- ...a-gen_github_issue-templates_bug-report.md | 2 +- ..._github_issue-templates_feature-request.md | 2 +- .../cli/authelia-gen/authelia-gen_locales.md | 2 +- .../reference/cli/authelia-scripts/_index.md | 2 +- .../cli/authelia-scripts/authelia-scripts.md | 2 +- .../authelia-scripts_bootstrap.md | 2 +- .../authelia-scripts_build.md | 2 +- .../authelia-scripts/authelia-scripts_ci.md | 2 +- .../authelia-scripts_clean.md | 2 +- .../authelia-scripts_docker.md | 2 +- .../authelia-scripts_docker_build.md | 2 +- .../authelia-scripts_docker_push-manifest.md | 2 +- .../authelia-scripts_serve.md | 2 +- .../authelia-scripts_suites.md | 2 +- .../authelia-scripts_suites_list.md | 2 +- .../authelia-scripts_suites_setup.md | 2 +- .../authelia-scripts_suites_teardown.md | 2 +- .../authelia-scripts_suites_test.md | 2 +- 
.../authelia-scripts_unittest.md | 2 +- .../authelia-scripts_xflags.md | 2 +- .../en/reference/cli/authelia/_index.md | 2 +- .../en/reference/cli/authelia/authelia.md | 2 +- .../cli/authelia/authelia_access-control.md | 2 +- .../authelia_access-control_check-policy.md | 2 +- .../cli/authelia/authelia_build-info.md | 2 +- .../reference/cli/authelia/authelia_crypto.md | 2 +- .../authelia/authelia_crypto_certificate.md | 2 +- .../authelia_crypto_certificate_ecdsa.md | 2 +- ...helia_crypto_certificate_ecdsa_generate.md | 2 +- ...thelia_crypto_certificate_ecdsa_request.md | 2 +- .../authelia_crypto_certificate_ed25519.md | 2 +- ...lia_crypto_certificate_ed25519_generate.md | 2 +- ...elia_crypto_certificate_ed25519_request.md | 2 +- .../authelia_crypto_certificate_rsa.md | 2 +- ...uthelia_crypto_certificate_rsa_generate.md | 2 +- ...authelia_crypto_certificate_rsa_request.md | 2 +- .../cli/authelia/authelia_crypto_hash.md | 2 +- .../authelia/authelia_crypto_hash_generate.md | 2 +- .../authelia_crypto_hash_generate_argon2.md | 2 +- .../authelia_crypto_hash_generate_bcrypt.md | 2 +- .../authelia_crypto_hash_generate_pbkdf2.md | 2 +- .../authelia_crypto_hash_generate_scrypt.md | 2 +- ...authelia_crypto_hash_generate_sha2crypt.md | 2 +- .../authelia/authelia_crypto_hash_validate.md | 2 +- .../cli/authelia/authelia_crypto_pair.md | 2 +- .../authelia/authelia_crypto_pair_ecdsa.md | 2 +- .../authelia_crypto_pair_ecdsa_generate.md | 2 +- .../authelia/authelia_crypto_pair_ed25519.md | 2 +- .../authelia_crypto_pair_ed25519_generate.md | 2 +- .../cli/authelia/authelia_crypto_pair_rsa.md | 2 +- .../authelia_crypto_pair_rsa_generate.md | 2 +- .../cli/authelia/authelia_crypto_rand.md | 2 +- .../cli/authelia/authelia_hash-password.md | 2 +- .../cli/authelia/authelia_storage.md | 2 +- .../authelia/authelia_storage_encryption.md | 2 +- .../authelia_storage_encryption_change-key.md | 2 +- .../authelia_storage_encryption_check.md | 2 +- .../cli/authelia/authelia_storage_migrate.md | 2 +- 
.../authelia/authelia_storage_migrate_down.md | 2 +- .../authelia_storage_migrate_history.md | 2 +- .../authelia_storage_migrate_list-down.md | 2 +- .../authelia_storage_migrate_list-up.md | 2 +- .../authelia/authelia_storage_migrate_up.md | 2 +- .../authelia/authelia_storage_schema-info.md | 2 +- .../cli/authelia/authelia_storage_user.md | 2 +- .../authelia_storage_user_identifiers.md | 2 +- .../authelia_storage_user_identifiers_add.md | 2 +- ...uthelia_storage_user_identifiers_export.md | 2 +- ...helia_storage_user_identifiers_generate.md | 2 +- ...uthelia_storage_user_identifiers_import.md | 2 +- .../authelia/authelia_storage_user_totp.md | 2 +- .../authelia_storage_user_totp_delete.md | 2 +- .../authelia_storage_user_totp_export.md | 2 +- .../authelia_storage_user_totp_generate.md | 2 +- .../authelia_storage_user_webauthn.md | 2 +- .../authelia_storage_user_webauthn_delete.md | 2 +- .../authelia_storage_user_webauthn_list.md | 2 +- .../cli/authelia/authelia_validate-config.md | 2 +- .../en/reference/integrations/_index.md | 9 + .../integrations/database-integrations.md | 94 +++ .../en/reference/integrations/introduction.md | 24 + internal/model/webauthn.go | 31 +- .../V0001.Initial_Schema.all.down.sql | 2 +- .../V0001.Initial_Schema.mysql.up.sql | 50 +- .../V0001.Initial_Schema.postgres.up.sql | 62 +- .../V0001.Initial_Schema.sqlite.up.sql | 36 +- .../migrations/V0002.Webauthn.mysql.down.sql | 22 +- .../migrations/V0002.Webauthn.mysql.up.sql | 17 +- .../V0002.Webauthn.postgres.down.sql | 36 +- .../migrations/V0002.Webauthn.postgres.up.sql | 31 +- .../migrations/V0002.Webauthn.sqlite.down.sql | 18 +- .../migrations/V0002.Webauthn.sqlite.up.sql | 17 +- .../V0003.WebauthnKIDLength.mysql.up.sql | 8 +- .../V0003.WebauthnKIDLength.postgres.up.sql | 20 +- .../V0003.WebauthnKIDLength.sqlite.up.sql | 6 +- .../V0004.OpenIDConnect.all.down.sql | 2 +- .../V0004.OpenIDConnect.mysql.up.sql | 136 ++-- .../V0004.OpenIDConnect.postgres.up.sql | 118 ++-- 
.../V0004.OpenIDConnect.sqlite.up.sql | 72 +- .../V0005.ConsentSubjectNULL.mysql.down.sql | 12 +- .../V0005.ConsentSubjectNULL.mysql.up.sql | 20 +- ...V0005.ConsentSubjectNULL.postgres.down.sql | 10 +- .../V0005.ConsentSubjectNULL.postgres.up.sql | 18 +- .../V0005.ConsentSubjectNULL.sqlite.down.sql | 267 ++++++- .../V0005.ConsentSubjectNULL.sqlite.up.sql | 181 ++--- ...006.ConsentPreConfiguration.mysql.down.sql | 191 ++--- ...V0006.ConsentPreConfiguration.mysql.up.sql | 211 +++--- ....ConsentPreConfiguration.postgres.down.sql | 136 ++-- ...06.ConsentPreConfiguration.postgres.up.sql | 203 +++--- ...06.ConsentPreConfiguration.sqlite.down.sql | 84 +-- ...0006.ConsentPreConfiguration.sqlite.up.sql | 101 ++- .../V0007.ConsistencyFixes.mysql.down.sql | 96 +++ .../V0007.ConsistencyFixes.mysql.up.sql | 213 ++++++ .../V0007.ConsistencyFixes.postgres.down.sql | 111 +++ .../V0007.ConsistencyFixes.postgres.up.sql | 208 ++++++ .../V0007.ConsistencyFixes.sqlite.down.sql | 617 ++++++++++++++++ .../V0007.ConsistencyFixes.sqlite.up.sql | 667 ++++++++++++++++++ internal/storage/migrations_test.go | 2 +- 140 files changed, 3458 insertions(+), 1010 deletions(-) create mode 100644 docs/content/en/contributing/guidelines/database-schema.md create mode 100644 docs/content/en/reference/integrations/_index.md create mode 100644 docs/content/en/reference/integrations/database-integrations.md create mode 100644 docs/content/en/reference/integrations/introduction.md create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.mysql.down.sql create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.mysql.up.sql create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.postgres.down.sql create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.postgres.up.sql create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql create mode 100644 internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql 
diff --git a/cmd/authelia-gen/cmd_docs_cli.go b/cmd/authelia-gen/cmd_docs_cli.go index 178583749..0bade8795 100644 --- a/cmd/authelia-gen/cmd_docs_cli.go +++ b/cmd/authelia-gen/cmd_docs_cli.go @@ -98,11 +98,7 @@ func genCLIDocWriteIndex(path, name string) (err error) { return err } - weight := 900 - - if name == "authelia" { - weight = 320 - } + weight := genCLIDocCmdToWeight(name) _, err = fmt.Fprintf(f, indexDocs, name, now.Format(dateFmtYAML), "cli-"+name, weight) @@ -119,14 +115,28 @@ func prepend(input string) string { args := strings.Join(parts, " ") - weight := 330 - if len(parts) == 1 { - weight = 320 + weight := genCLIDocCmdToWeight(parts[0]) + + if len(parts) != 1 { + weight += 5 } return fmt.Sprintf(prefixDocs, args, fmt.Sprintf("Reference for the %s command.", args), "", now.Format(dateFmtYAML), "cli-"+cmd, weight) } +func genCLIDocCmdToWeight(cmd string) int { + switch cmd { + case "authelia": + return 900 + case "authelia-gen": + return 910 + case "authelia-scripts": + return 920 + default: + return 990 + } +} + func linker(input string) string { return input } diff --git a/cmd/authelia-scripts/cmd/gen.go b/cmd/authelia-scripts/cmd/gen.go index 10f06b412..fb9464135 100644 --- a/cmd/authelia-scripts/cmd/gen.go +++ b/cmd/authelia-scripts/cmd/gen.go @@ -7,5 +7,5 @@ package cmd const ( - versionSwaggerUI = "4.15.2" + versionSwaggerUI = "4.15.5" ) diff --git a/docs/content/en/configuration/storage/migrations.md b/docs/content/en/configuration/storage/migrations.md index fbc84df83..308976472 100644 --- a/docs/content/en/configuration/storage/migrations.md +++ b/docs/content/en/configuration/storage/migrations.md 
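Review bot: In the second hunk, `weight := genCLIDocCmdToWeight(parts[0])` indexes `parts` with no length guard, whereas the removed code only compared `len(parts)` and never indexed it; `parts` is built above the hunk (prepend's start is outside it), so if it can ever be empty this is a new panic rather than a default weight. If that cannot happen a one-line assumption comment would do, otherwise something like `if len(parts) == 0 { return "" }` ahead of the lookup, whichever matches the caller's contract. The new genCLIDocCmdToWeight has no doc comment and its 900/910/920/990 values plus the `weight += 5` offset in prepend are unexplained magic numbers; a comment such as `// genCLIDocCmdToWeight returns the documentation menu weight for a root CLI command name; unknown names fall through to 990.` and a named constant for the subcommand offset (`const genCLIDocSubCmdWeightOffset = 5`) would make the intent clear. The default branch also silently gives any unrecognised command name weight 990, which may be worth logging or asserting in the generator rather than letting a typo sort a new command last.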
@@ -35,3 +35,4 @@ this instance if you wanted to downgrade to pre1 you would need to use an Authel | 4 | 4.35.0 | Added OpenID Connect storage tables and opaque user identifier tables | | 5 | 4.35.1 | Fixed the oauth2_consent_session table to accept NULL subjects for users who are not yet signed in | | 6 | 4.37.0 | Adjusted the OpenID Connect tables to allow pre-configured consent improvements | +| 7 | 4.37.3 | Fixed some schema inconsistencies most notably the MySQL/MariaDB Engine and Collation | diff --git a/docs/content/en/configuration/storage/mysql.md b/docs/content/en/configuration/storage/mysql.md index 15aa648ee..227eff96f 100644 --- a/docs/content/en/configuration/storage/mysql.md +++ b/docs/content/en/configuration/storage/mysql.md @@ -17,19 +17,8 @@ aliases: ## Version support -When using [MySQL] or [MariaDB] we recommend using the latest version that is officially supported by the [MySQL] or -[MariaDB] developers. We also suggest checking out [PostgreSQL](postgres.md) as an alternative. - -The oldest versions that have been tested are [MySQL] 5.7 and [MariaDB] 10.6. - -If using [MySQL] 5.7 or [MariaDB] 10.6 you may be required to adjust the `explicit_defaults_for_timestamp` setting. This -will be evident when the container starts with an error similar to `Error 1067: Invalid default value for 'exp'`. You -can adjust this setting in the mysql.cnf file like so: - -```cnf -[mysqld] -explicit_defaults_for_timestamp = 1 -``` +See the [MySQL Database Integration](../../reference/integrations/database-integrations.md#mysql) reference +guide for supported version information. ## Configuration diff --git a/docs/content/en/configuration/storage/postgres.md b/docs/content/en/configuration/storage/postgres.md index 4c3adbc60..55f4c88e3 100644 --- a/docs/content/en/configuration/storage/postgres.md +++ b/docs/content/en/configuration/storage/postgres.md 
@@ -16,17 +16,8 @@ aliases: ## Version support -See [PostgreSQL support](https://www.postgresql.org/support/versioning/) for the versions supported by [PostgreSQL]. We -recommend the *current minor* version of one of the versions supported by [PostgreSQL]. - -The versions of [PostgreSQL] that should be supported by Authelia are: - -* 14 -* 13 -* 12 -* 11 -* 10 -* 9.6 +See the [PostgreSQL Database Integration](../../reference/integrations/database-integrations.md#postgresql) reference +guide for supported version information. ## Configuration diff --git a/docs/content/en/contributing/guidelines/database-schema.md b/docs/content/en/contributing/guidelines/database-schema.md new file mode 100644 index 000000000..bf8ea664b --- /dev/null +++ b/docs/content/en/contributing/guidelines/database-schema.md 
@@ -0,0 +1,64 @@ +--- +title: "Database Schema" +description: "Authelia Development Database Schema Guidelines" +lead: "This section covers the database schema guidelines we use for development." +date: 2022-11-09T09:20:18+11:00 +draft: false +images: [] +menu: + contributing: + parent: "guidelines" +weight: 320 +toc: true +aliases: [] +--- + +## Table Names + +1. Should match in every database implementation. +2. Should be all lower case. +3. Should use singular form (i.e. not plural). +4. Should use the underscore character (`_`) between words. +5. Should only contain alphanumeric characters and the underscore character (`_`). + 1. The underscore character (`_`): + 1. Should always be used between words. + 2. Should only be used: + 1. Between words. + 2. As a prefix for temporary tables. + 2. Should start and end with only an alphabetic character, excluding specific exceptions mentioned elsewhere with + prefix and suffix terminology. + +## Column Names + +1. Should match in every database implementation. +2. Should be all lower case. +3. Should only contain alphanumeric characters and the underscore character (`_`). + 1. The underscore character (`_`): + 1. Should always be used between words. + 2. Should only be used between words. + 2. Should only start and end with an alphabetic character. + +## Key Names + +### Foreign Keys + +Format: `__fkey` + +Where: + +- The table name is the name of the table the foreign key exists on. +- The column name is the name of the column the foreign key is for. + +### Unique Keys + +Format: `__key` + +Where: + +- The table name is the name of the table the unique key is on. +- The key name is the name to describe this key. This can also be the column name it exists on. + +### Primary Keys + +Most database engines don't allow customizing the primary key names. As such the primary key should not be explicitly +set except to change it back to the default format. 
diff --git a/docs/content/en/reference/cli/_index.md b/docs/content/en/reference/cli/_index.md index c6b867ddb..1fee1ca4f 100644 --- a/docs/content/en/reference/cli/_index.md +++ b/docs/content/en/reference/cli/_index.md @@ -5,6 +5,6 @@ lead: "" date: 2022-06-15T17:51:47+10:00 draft: false images: [] -weight: 300 +weight: 900 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/_index.md b/docs/content/en/reference/cli/authelia-gen/_index.md index 3795ca9f8..ef7cf7b22 100644 --- a/docs/content/en/reference/cli/authelia-gen/_index.md +++ b/docs/content/en/reference/cli/authelia-gen/_index.md @@ -9,6 +9,6 @@ menu: reference: parent: "cli" identifier: "cli-authelia-gen" -weight: 900 +weight: 910 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen.md index 1dc7be5b0..ca2fc3c6f 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 320 +weight: 910 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code.md index 65adbfe01..bf1bd4a0a 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_keys.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_keys.md index 2b0a9ea98..bbd4cd760 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_keys.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_keys.md 
@@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_scripts.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_scripts.md index b482188e3..3ef5a1278 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_scripts.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_scripts.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_server.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_server.md index 75d4b7c7c..bd22ca9e4 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_server.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_code_server.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_commit-lint.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_commit-lint.md index c559fd142..69d40ffdf 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_commit-lint.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_commit-lint.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs.md index 5c28d1603..2b202dde5 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_cli.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_cli.md index 8f4dfa7b6..75818a942 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_cli.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_cli.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data.md index 2ba5ed90a..c2023c97b 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_keys.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_keys.md index 82932eedd..7a843345e 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_keys.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_keys.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_misc.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_misc.md index cdcb1042e..7627d9df6 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_misc.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_data_misc.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_date.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_date.md index 4110ca86c..95192998f 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_date.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_docs_date.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github.md index 432b603e9..a3fa361ed 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates.md index bc855e6f0..24f627249 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_bug-report.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_bug-report.md index 0f6c5be4e..1910e8891 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_bug-report.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_bug-report.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_feature-request.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_feature-request.md index 63ca5cb17..f327f39f2 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_feature-request.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_github_issue-templates_feature-request.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-gen/authelia-gen_locales.md b/docs/content/en/reference/cli/authelia-gen/authelia-gen_locales.md index 69d169ec1..206da13c4 100644 --- a/docs/content/en/reference/cli/authelia-gen/authelia-gen_locales.md +++ b/docs/content/en/reference/cli/authelia-gen/authelia-gen_locales.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-gen" -weight: 330 +weight: 915 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/_index.md b/docs/content/en/reference/cli/authelia-scripts/_index.md index b18caa9b6..71177a26b 100644 --- a/docs/content/en/reference/cli/authelia-scripts/_index.md +++ b/docs/content/en/reference/cli/authelia-scripts/_index.md @@ -9,6 +9,6 @@ menu: reference: parent: "cli" identifier: "cli-authelia-scripts" -weight: 900 +weight: 920 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts.md index 8625d1574..65a5a455c 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 320 +weight: 920 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_bootstrap.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_bootstrap.md index 9b80e6306..b705e4709 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_bootstrap.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_bootstrap.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_build.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_build.md index 61ef1696f..b60afce3e 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_build.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_build.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_ci.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_ci.md index df9bc2d81..5c123a09c 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_ci.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_ci.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_clean.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_clean.md index 5c3bf927f..53cc8748f 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_clean.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_clean.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker.md index 4fc6b42c6..4ad8be55c 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_build.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_build.md index e145f638e..b83e027b4 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_build.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_build.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_push-manifest.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_push-manifest.md index ee6548fde..aa71a5b87 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_push-manifest.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_docker_push-manifest.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_serve.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_serve.md index 11348575b..33106528c 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_serve.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_serve.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites.md index 3954efddd..fe271b917 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_list.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_list.md index e31be2d1e..710ca66b2 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_list.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_list.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_setup.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_setup.md index b4b3be036..b24ef4490 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_setup.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_setup.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_teardown.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_teardown.md index e58fe9693..c73f72d7c 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_teardown.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_teardown.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_test.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_test.md index df61fb72d..e26376975 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_test.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_suites_test.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_unittest.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_unittest.md index 5b4481612..34ca01767 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_unittest.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_unittest.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_xflags.md b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_xflags.md index 78f798537..e7efd8ba8 100644 --- a/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_xflags.md +++ b/docs/content/en/reference/cli/authelia-scripts/authelia-scripts_xflags.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia-scripts" -weight: 330 +weight: 925 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/_index.md b/docs/content/en/reference/cli/authelia/_index.md index aab5ea421..f6bceffab 100644 --- a/docs/content/en/reference/cli/authelia/_index.md +++ b/docs/content/en/reference/cli/authelia/_index.md @@ -9,6 +9,6 @@ menu: reference: parent: "cli" identifier: "cli-authelia" -weight: 320 +weight: 900 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia.md b/docs/content/en/reference/cli/authelia/authelia.md index 40b955dc2..91ddc0bdb 100644 
--- a/docs/content/en/reference/cli/authelia/authelia.md +++ b/docs/content/en/reference/cli/authelia/authelia.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 320 +weight: 900 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_access-control.md b/docs/content/en/reference/cli/authelia/authelia_access-control.md index 7c6e04414..002c0f8bd 100644 --- a/docs/content/en/reference/cli/authelia/authelia_access-control.md +++ b/docs/content/en/reference/cli/authelia/authelia_access-control.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md b/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md index de6f13b37..026b51072 100644 --- a/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md +++ b/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_build-info.md b/docs/content/en/reference/cli/authelia/authelia_build-info.md index 3a541a4d8..dec6af881 100644 --- a/docs/content/en/reference/cli/authelia/authelia_build-info.md +++ b/docs/content/en/reference/cli/authelia/authelia_build-info.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto.md b/docs/content/en/reference/cli/authelia/authelia_crypto.md index f979b583f..2e8e12541 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md index 9d494ac7e..3644a0bb4 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md index 2d4c43e75..611dbba9f 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md index 562ffff84..2e9dd2285 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md index 406cfc999..8b31a4381 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md index 2172bf131..2f7cf88ae 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md index da4812cd5..5c1678778 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md index a9a5cd8f7..36ff997c2 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md index 164e63fe9..588950169 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md index 3c96098e5..58c06b469 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md index eb041be96..0b4ddf684 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md index 7068a1ca9..e4dc2cecb 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md index 9f0ed8d61..29ec3b58c 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md index b4cea0659..23aa9af28 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md index fdf1beb07..72ef32099 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md index 56c977f35..9ece92331 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md index ca078fedf..2be31e151 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md index 6a35cab21..59deb1c2d 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md index 839569b71..f9ef2de0e 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md index 5f06969e5..22f83b87f 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md index cc707f83e..a0250744b 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md index 780e96cee..1cec3fb35 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md index 9f2dbc92a..ef8fc2feb 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md index 416db58d8..734301718 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md index e7e1e3d3c..18eb02a19 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md index 412b8105b..1b0d95ee7 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md b/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md index fdf6d8664..a2881b09b 100644 --- a/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md +++ b/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_hash-password.md b/docs/content/en/reference/cli/authelia/authelia_hash-password.md index 7c7f97048..08e378da8 100644 --- a/docs/content/en/reference/cli/authelia/authelia_hash-password.md +++ b/docs/content/en/reference/cli/authelia/authelia_hash-password.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage.md b/docs/content/en/reference/cli/authelia/authelia_storage.md index 8bb0a21c9..7b29c9551 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md b/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md index fc6681273..8cac96245 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md 
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md index b91e2de16..9f8655112 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md index 7821f5cf5..b15536234 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md index 0d3a85b0b..4e4b9950e 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md index 09b024f88..373e76886 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md 
@@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md index ad5c488f5..c09284f7d 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md index b235e910a..f5ee9adbd 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md index ab6fa538a..4790f146b 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md index a4e8c55f2..0fd7e566f 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md b/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md index bb655ab99..e68f10635 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user.md b/docs/content/en/reference/cli/authelia/authelia_storage_user.md index 90fc3c917..3bd19da5d 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md index 4ecb61538..65723cbd9 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md index 9c2220ced..898eca5c5 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md index 329bcb5b6..033d426a5 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md index 63095adfd..89521e187 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md index 4fc0aaca0..bfe854d89 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md index d61a3e1be..ab2e5fb32 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md index 8a245fa30..dc8d9e90a 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md index 0473db9f1..01aa812fe 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md index e87a2e354..cbbafea4d 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md index 65ee8c777..bde1bb87d 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- 
diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md index cf2545624..1b1605e3a 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md index 185e8af15..af4ee9b68 100644 --- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md +++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/cli/authelia/authelia_validate-config.md b/docs/content/en/reference/cli/authelia/authelia_validate-config.md index d3fda50a6..64a01cb20 100644 --- a/docs/content/en/reference/cli/authelia/authelia_validate-config.md +++ b/docs/content/en/reference/cli/authelia/authelia_validate-config.md @@ -8,7 +8,7 @@ images: [] menu: reference: parent: "cli-authelia" -weight: 330 +weight: 905 toc: true --- diff --git a/docs/content/en/reference/integrations/_index.md b/docs/content/en/reference/integrations/_index.md new file mode 100644 index 000000000..5eef15c9f --- /dev/null +++ b/docs/content/en/reference/integrations/_index.md @@ -0,0 +1,9 @@ +--- +title: "Integrations" +description: "Integrations Reference Prologue" +lead: "" +date: 2022-06-15T17:51:47+10:00 +draft: false +images: [] +weight: 300 +--- 
diff --git a/docs/content/en/reference/integrations/database-integrations.md b/docs/content/en/reference/integrations/database-integrations.md new file mode 100644 index 000000000..67de3b070 --- /dev/null +++ b/docs/content/en/reference/integrations/database-integrations.md 
@@ -0,0 +1,94 @@ +--- +title: "Database Integrations" +description: "A database integration reference guide" +lead: "This section contains a database integration reference guide for Authelia." +date: 2022-11-10T11:03:47+11:00 +draft: false +images: [] +menu: + reference: + parent: "integrations" +weight: 320 +toc: true +--- + +We generally recommend using [PostgreSQL] for a database. If high availability is not a consideration we also support +[SQLite3]. + + +## PostgreSQL + +The only current support criteria for [PostgreSQL] at present is that the version you're using is supported by the +[PostgreSQL] developers. See their [Versioning Policy](https://www.postgresql.org/support/versioning/) for more +information. + +We generally perform integration testing against the latest supported version of [PostgreSQL] and that is generally the +recommended version for new installations. + +## MySQL + +[MySQL] and [MariaDB] are both supported as part of the [MySQL] implementation. This is generally discouraged as +[PostgreSQL] is widely considered as a significantly better database engine. If you choose to go with [MySQL], we +recommend specifically using the [MariaDB] backend. + +[MySQL] comes with some rigid support requirements in addition to the standard requirements for us supporting a third +party. + +1. Must both support the `InnoDB` engine and this engine must be the default engine. +2. Must support the `utf8mb4` charset. +3. Must support the `utf8mb4_unicode_520_ci` collation. +4. Must support maximum index size of no less than 2048 bytes. The default maximum index size for the InnoDB engine is + 3072 bytes on: + 1. [MySQL] [8.0](https://dev.mysql.com/doc/refman/8.0/en/innodb-limits.html) or later. + 2. [MySQL] [5.7](https://dev.mysql.com/doc/refman/5.7/en/innodb-limits.html) provided + [innodb_large_prefix](#innodb-large-prefixes) or later. + 3. [MariaDB] [10.3](https://mariadb.com/kb/en/innodb-system-variables/#innodb_large_prefix) or later. +5. 
Must support ANSI standard time behaviours. See [ANSI standard time behaviours](#ansi-standard-time-behaviours). + +We generally perform integration testing against the latest supported version of [MySQL] and [MariaDB], and the latest +supported version of [MariaDB] is generally the recommended version for new installations. + +### Specific Notes + +#### InnoDB Large Prefixes + +This can be configured in the [MySQL] configuration file by setting the `innodb_large_prefix` value to on. +According to the Oracle documentation this is the default behaviour in +[MySQL] [5.7](https://dev.mysql.com/doc/refman/5.7/en/innodb-parameters.html#sysvar_innodb_large_prefix) and it can't be +turned off in [MySQL] [8.0](https://dev.mysql.com/doc/refman/8.0/en/innodb-limits.html) or in [MariaDB] 10.3 and later. + +```cnf +[mysqld] +innodb_large_prefix = ON +``` + +#### ANSI standard time behaviours + +This can be configured in the [MySQL] configuration file by setting the `explicit_defaults_for_timestamp` value to on. +According to the Oracle documentation this is the default behaviour in +[MySQL] [5.7](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_explicit_defaults_for_timestamp) +and [MySQL] [8.0](https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_explicit_defaults_for_timestamp). +This is however not the default behaviour in +[MariaDB](https://mariadb.com/kb/en/server-system-variables/#explicit_defaults_for_timestamp) before 10.10. + +```cnf +[mysqld] +explicit_defaults_for_timestamp = ON +``` + +### Vendor Supported Versions + +#### MariaDB Vendor Supported Versions + +See the [MariaDB Server Releases](https://mariadb.com/kb/en/mariadb-server-release-dates/) for more information. + +#### MySQL Vendor Supported Versions + +See the [MySQL Supported Platforms](https://www.mysql.com/support/supportedplatforms/database.html) for information on +which versions and platforms they support. 
+ +[PostgreSQL]: https://www.postgresql.org/ +[MySQL]: https://www.mysql.com/ +[MariaDB]: https://mariadb.org/ +[SQLite3]: https://www.sqlite.org/index.html + diff --git a/docs/content/en/reference/integrations/introduction.md b/docs/content/en/reference/integrations/introduction.md new file mode 100644 index 000000000..42f0a7e4c --- /dev/null +++ b/docs/content/en/reference/integrations/introduction.md @@ -0,0 +1,24 @@ +--- +title: "Integrations" +description: "A collection of integration reference guides" +lead: "This section contains integration reference guides for Authelia." +date: 2022-11-10T11:03:47+11:00 +draft: false +images: [] +menu: + reference: + parent: "integrations" +weight: 310 +toc: true +--- + +The integration guides in this section detail specific requirements when integrating Authelia with other products such +as supported versions, configurations, etc. + +## General Rules + +1. If the version or platform of the third party integration or combination thereof is not unsupported by the + developer/vendor/etc of the third party integration we likely will not support it. +2. When we claim to support a product it is expressly the official releases of the product. It does not include + versions that are heavily modified or drop in replacements (such as KeyDB which is a drop in replacement for redis + that IS NOT supported). diff --git a/internal/model/webauthn.go b/internal/model/webauthn.go index bd9400f89..415e50a69 100644 --- a/internal/model/webauthn.go +++ b/internal/model/webauthn.go 
@@ -127,26 +127,29 @@ func NewWebauthnDeviceFromCredential(rpid, username, description string, credent
 Transport: strings.Join(transport, ","),
 }
- device.AAGUID, _ = uuid.Parse(hex.EncodeToString(credential.Authenticator.AAGUID))
+ aaguid, err := uuid.Parse(hex.EncodeToString(credential.Authenticator.AAGUID))
+ if err == nil && aaguid.ID() != 0 {
+ device.AAGUID = uuid.NullUUID{Valid: true, UUID: aaguid}
+ }
 return device
 }
 // WebauthnDevice represents a Webauthn Device in the database storage.
 type WebauthnDevice struct {
- ID int `db:"id"`
- CreatedAt time.Time `db:"created_at"`
- LastUsedAt sql.NullTime `db:"last_used_at"`
- RPID string `db:"rpid"`
- Username string `db:"username"`
- Description string `db:"description"`
- KID Base64 `db:"kid"`
- PublicKey []byte `db:"public_key"`
- AttestationType string `db:"attestation_type"`
- Transport string `db:"transport"`
- AAGUID uuid.UUID `db:"aaguid"`
- SignCount uint32 `db:"sign_count"`
- CloneWarning bool `db:"clone_warning"`
+ ID int `db:"id"`
+ CreatedAt time.Time `db:"created_at"`
+ LastUsedAt sql.NullTime `db:"last_used_at"`
+ RPID string `db:"rpid"`
+ Username string `db:"username"`
+ Description string `db:"description"`
+ KID Base64 `db:"kid"`
+ PublicKey []byte `db:"public_key"`
+ AttestationType string `db:"attestation_type"`
+ Transport string `db:"transport"`
+ AAGUID uuid.NullUUID `db:"aaguid"`
+ SignCount uint32 `db:"sign_count"`
+ CloneWarning bool `db:"clone_warning"`
 }
 // UpdateSignInInfo adjusts the values of the WebauthnDevice after a sign in.
diff --git a/internal/storage/migrations/V0001.Initial_Schema.all.down.sql b/internal/storage/migrations/V0001.Initial_Schema.all.down.sql
index 615ed34c2..27491bf57 100644
--- a/internal/storage/migrations/V0001.Initial_Schema.all.down.sql
+++ b/internal/storage/migrations/V0001.Initial_Schema.all.down.sql
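Review bot: The zero-AAGUID test in the added `if err == nil && aaguid.ID() != 0` inspects only the first four bytes of the UUID — in google/uuid, `UUID.ID()` returns the leading 32-bit `time_low` field — so an AAGUID whose first four bytes happen to be zero but whose remaining bytes are not is silently stored as NULL, dropping the authenticator-model identifier that attestation or device policy may later rely on. Compare the whole value instead: `if err == nil && aaguid != uuid.Nil {`. The parse error is also discarded, so a malformed AAGUID degrades to NULL with no log line; a comment on the block such as `// An unparseable or all-zero AAGUID is persisted as NULL rather than as the nil UUID.` would make that intentional rather than accidental. NewWebauthnDeviceFromCredential's signature and the start of its body lie outside the hunk.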
@@ -5,4 +5,4 @@ DROP TABLE IF EXISTS u2f_devices; DROP TABLE IF EXISTS duo_devices; DROP TABLE IF EXISTS user_preferences; DROP TABLE IF EXISTS migrations; -DROP TABLE IF EXISTS encryption; \ No newline at end of file +DROP TABLE IF EXISTS encryption; diff --git a/internal/storage/migrations/V0001.Initial_Schema.mysql.up.sql b/internal/storage/migrations/V0001.Initial_Schema.mysql.up.sql index 55bde1c51..d678a3307 100644 --- a/internal/storage/migrations/V0001.Initial_Schema.mysql.up.sql +++ b/internal/storage/migrations/V0001.Initial_Schema.mysql.up.sql @@ -1,5 +1,5 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, successful BOOLEAN NOT NULL, banned BOOLEAN NOT NULL DEFAULT FALSE, @@ -7,15 +7,14 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( auth_type VARCHAR(8) NOT NULL DEFAULT '1FA', remote_ip VARCHAR(39) NULL DEFAULT NULL, request_uri TEXT, - request_method VARCHAR(8) NOT NULL DEFAULT '', - PRIMARY KEY (id) -); + request_method VARCHAR(8) NOT NULL DEFAULT '' +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX authentication_logs_username_idx ON authentication_logs (time, username, auth_type); CREATE INDEX authentication_logs_remote_ip_idx ON authentication_logs (time, remote_ip, auth_type); CREATE TABLE IF NOT EXISTS identity_verification ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, jti CHAR(36), iat TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, issued_ip VARCHAR(39) NOT NULL, 
@@ -24,62 +23,55 @@ CREATE TABLE IF NOT EXISTS identity_verification ( action VARCHAR(50) NOT NULL, consumed TIMESTAMP NULL DEFAULT NULL, consumed_ip VARCHAR(39) NULL DEFAULT NULL, - PRIMARY KEY (id), UNIQUE KEY (jti) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS u2f_devices ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BLOB NOT NULL, public_key BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username, description) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS duo_devices ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, device VARCHAR(32) NOT NULL, method VARCHAR(16) NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS user_preferences ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, second_factor_method VARCHAR(11) NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS migrations ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, applied TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, version_before INTEGER NULL DEFAULT NULL, version_after 
INTEGER NOT NULL, - application_version VARCHAR(128) NOT NULL, - PRIMARY KEY (id) -); + application_version VARCHAR(128) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE TABLE IF NOT EXISTS encryption ( - id INTEGER AUTO_INCREMENT, - name VARCHAR(100), - value BLOB NOT NULL, - PRIMARY KEY (id), - UNIQUE KEY (name) -); + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + name VARCHAR(100), + value BLOB NOT NULL, + UNIQUE KEY (name) +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; diff --git a/internal/storage/migrations/V0001.Initial_Schema.postgres.up.sql b/internal/storage/migrations/V0001.Initial_Schema.postgres.up.sql index c56e70421..0e424edd5 100644 --- a/internal/storage/migrations/V0001.Initial_Schema.postgres.up.sql +++ b/internal/storage/migrations/V0001.Initial_Schema.postgres.up.sql @@ -1,5 +1,5 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( - id SERIAL, + id SERIAL CONSTRAINT authentication_logs_pkey PRIMARY KEY, time TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, successful BOOLEAN NOT NULL, banned BOOLEAN NOT NULL DEFAULT FALSE, @@ -7,15 +7,14 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( auth_type VARCHAR(8) NOT NULL DEFAULT '1FA', remote_ip VARCHAR(39) NULL DEFAULT NULL, request_uri TEXT, - request_method VARCHAR(8) NOT NULL DEFAULT '', - PRIMARY KEY (id) + request_method VARCHAR(8) NOT NULL DEFAULT '' ); CREATE INDEX authentication_logs_username_idx ON authentication_logs (time, username, auth_type); CREATE INDEX authentication_logs_remote_ip_idx ON authentication_logs (time, remote_ip, auth_type); CREATE TABLE IF NOT EXISTS identity_verification ( - id SERIAL, + id SERIAL CONSTRAINT identity_verification_pkey PRIMARY KEY, jti CHAR(36), iat TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, issued_ip VARCHAR(39) NOT NULL, 
@@ -23,63 +22,62 @@ CREATE TABLE IF NOT EXISTS identity_verification ( username VARCHAR(100) NOT NULL, action VARCHAR(50) NOT NULL, consumed TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL, - consumed_ip VARCHAR(39) NULL DEFAULT NULL, - PRIMARY KEY (id), - UNIQUE (jti) + consumed_ip VARCHAR(39) NULL DEFAULT NULL ); +CREATE UNIQUE INDEX identity_verification_jti_key ON identity_verification (jti); + CREATE TABLE IF NOT EXISTS totp_configurations ( - id SERIAL, + id SERIAL CONSTRAINT totp_configurations_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, - secret BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (username) + secret BYTEA NOT NULL ); +CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username); + CREATE TABLE IF NOT EXISTS u2f_devices ( - id SERIAL, + id SERIAL CONSTRAINT u2f_devices_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BYTEA NOT NULL, - public_key BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (username, description) + public_key BYTEA NOT NULL ); +CREATE UNIQUE INDEX u2f_devices_lookup_key ON u2f_devices (username, description); + CREATE TABLE IF NOT EXISTS duo_devices ( - id SERIAL, + id SERIAL CONSTRAINT duo_devices_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, device VARCHAR(32) NOT NULL, - method VARCHAR(16) NOT NULL, - PRIMARY KEY (id), - UNIQUE (username) + method VARCHAR(16) NOT NULL ); +CREATE UNIQUE INDEX duo_devices_username_key ON duo_devices (username); + CREATE TABLE IF NOT EXISTS user_preferences ( - id SERIAL, + id SERIAL CONSTRAINT user_preferences_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, - second_factor_method VARCHAR(11) NOT NULL, - PRIMARY KEY (id), - UNIQUE (username) + second_factor_method VARCHAR(11) NOT NULL ); +CREATE UNIQUE INDEX user_preferences_username_key ON user_preferences 
(username); + CREATE TABLE IF NOT EXISTS migrations ( - id SERIAL, + id SERIAL CONSTRAINT migrations_pkey PRIMARY KEY, applied TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, version_before INTEGER NULL DEFAULT NULL, version_after INTEGER NOT NULL, - application_version VARCHAR(128) NOT NULL, - PRIMARY KEY (id) + application_version VARCHAR(128) NOT NULL ); CREATE TABLE IF NOT EXISTS encryption ( - id SERIAL, - name VARCHAR(100), - value BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (name) -); \ No newline at end of file + id SERIAL CONSTRAINT encryption_pkey PRIMARY KEY, + name VARCHAR(100), + value BYTEA NOT NULL +); + +CREATE UNIQUE INDEX encryption_name_key ON encryption (name); diff --git a/internal/storage/migrations/V0001.Initial_Schema.sqlite.up.sql b/internal/storage/migrations/V0001.Initial_Schema.sqlite.up.sql index e4e49e4ba..9852a5076 100644 --- a/internal/storage/migrations/V0001.Initial_Schema.sqlite.up.sql +++ b/internal/storage/migrations/V0001.Initial_Schema.sqlite.up.sql @@ -1,5 +1,5 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, successful BOOLEAN NOT NULL, banned BOOLEAN NOT NULL DEFAULT FALSE, @@ -7,15 +7,14 @@ CREATE TABLE IF NOT EXISTS authentication_logs ( auth_type VARCHAR(8) NOT NULL DEFAULT '1FA', remote_ip VARCHAR(39) NULL DEFAULT NULL, request_uri TEXT, - request_method VARCHAR(8) NOT NULL DEFAULT '', - PRIMARY KEY (id) + request_method VARCHAR(8) NOT NULL DEFAULT '' ); CREATE INDEX authentication_logs_username_idx ON authentication_logs (time, username, auth_type); CREATE INDEX authentication_logs_remote_ip_idx ON authentication_logs (time, remote_ip, auth_type); CREATE TABLE IF NOT EXISTS identity_verification ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, jti VARCHAR(36), iat TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, issued_ip VARCHAR(39) NOT NULL, 
@@ -24,61 +23,54 @@ CREATE TABLE IF NOT EXISTS identity_verification ( action VARCHAR(50) NOT NULL, consumed TIMESTAMP NULL DEFAULT NULL, consumed_ip VARCHAR(39) NULL DEFAULT NULL, - PRIMARY KEY (id), UNIQUE (jti) ); CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE (username) ); CREATE TABLE IF NOT EXISTS u2f_devices ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BLOB NOT NULL, public_key BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE (username, description) ); CREATE TABLE IF NOT EXISTS duo_devices ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) NOT NULL, device VARCHAR(32) NOT NULL, method VARCHAR(16) NOT NULL, - PRIMARY KEY (id), UNIQUE (username) ); CREATE TABLE IF NOT EXISTS user_preferences ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) UNIQUE NOT NULL, - second_factor_method VARCHAR(11) NOT NULL, - PRIMARY KEY (id) + second_factor_method VARCHAR(11) NOT NULL ); CREATE TABLE IF NOT EXISTS migrations ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, applied TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, version_before INTEGER NULL DEFAULT NULL, version_after INTEGER NOT NULL, - application_version VARCHAR(128) NOT NULL, - PRIMARY KEY (id) + application_version VARCHAR(128) NOT NULL ); CREATE TABLE IF NOT EXISTS encryption ( - id INTEGER, - name VARCHAR(100), - value BLOB NOT NULL, - PRIMARY KEY (id), - UNIQUE (name) + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name VARCHAR(100), + value BLOB NOT NULL, + UNIQUE (name) ); 
diff --git a/internal/storage/migrations/V0002.Webauthn.mysql.down.sql b/internal/storage/migrations/V0002.Webauthn.mysql.down.sql index 318ca400d..70fd8aed3 100644 --- a/internal/storage/migrations/V0002.Webauthn.mysql.down.sql +++ b/internal/storage/migrations/V0002.Webauthn.mysql.down.sql @@ -1,31 +1,32 @@ -ALTER TABLE totp_configurations RENAME _bkp_DOWN_V0002_totp_configurations; -ALTER TABLE webauthn_devices RENAME _bkp_DOWN_V0002_webauthn_devices; +ALTER TABLE totp_configurations + RENAME _bkp_DOWN_V0002_totp_configurations; + +ALTER TABLE webauthn_devices + RENAME _bkp_DOWN_V0002_webauthn_devices; CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; INSERT INTO totp_configurations (id, username, issuer, algorithm, digits, period, secret) SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_DOWN_V0002_totp_configurations; CREATE TABLE IF NOT EXISTS u2f_devices ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BLOB NOT NULL, public_key BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username, description) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; INSERT INTO u2f_devices (id, username, description, key_handle, public_key) SELECT id, username, description, FROM_BASE64(kid), public_key 
@@ -35,3 +36,8 @@ WHERE attestation_type = 'fido-u2f'; UPDATE user_preferences SET second_factor_method = 'u2f' WHERE second_factor_method = 'webauthn'; + +DROP TABLE IF EXISTS _bkp_DOWN_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_DOWN_V0002_webauthn_devices; +DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices; diff --git a/internal/storage/migrations/V0002.Webauthn.mysql.up.sql b/internal/storage/migrations/V0002.Webauthn.mysql.up.sql index 9b617e255..9febf8cf3 100644 --- a/internal/storage/migrations/V0002.Webauthn.mysql.up.sql +++ b/internal/storage/migrations/V0002.Webauthn.mysql.up.sql @@ -1,8 +1,11 @@ -ALTER TABLE totp_configurations RENAME _bkp_UP_V0002_totp_configurations; -ALTER TABLE u2f_devices RENAME _bkp_UP_V0002_u2f_devices; +ALTER TABLE totp_configurations + RENAME _bkp_UP_V0002_totp_configurations; + +ALTER TABLE u2f_devices + RENAME _bkp_UP_V0002_u2f_devices; CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, username VARCHAR(100) NOT NULL, @@ -11,16 +14,15 @@ CREATE TABLE IF NOT EXISTS totp_configurations ( digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE KEY (username) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; INSERT INTO totp_configurations (id, username, issuer, algorithm, digits, period, secret) SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_UP_V0002_totp_configurations; CREATE TABLE IF NOT EXISTS webauthn_devices ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, rpid TEXT, 
@@ -33,10 +35,9 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), UNIQUE KEY (username, description), UNIQUE KEY (kid) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; INSERT INTO webauthn_devices (id, rpid, username, description, kid, public_key, attestation_type, aaguid, sign_count) SELECT id, '', username, description, TO_BASE64(key_handle), public_key, 'fido-u2f', '00000000-0000-0000-0000-000000000000', 0 diff --git a/internal/storage/migrations/V0002.Webauthn.postgres.down.sql b/internal/storage/migrations/V0002.Webauthn.postgres.down.sql index 240ca9b31..c965f4768 100644 --- a/internal/storage/migrations/V0002.Webauthn.postgres.down.sql +++ b/internal/storage/migrations/V0002.Webauthn.postgres.down.sql 
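Review bot: `UNIQUE KEY (kid)` now lives on a table whose default collation is `utf8mb4_unicode_520_ci`, and `kid` holds base64 (the INSERT below fills it with `TO_BASE64(key_handle)`); if `kid` is a character column (its definition is outside this hunk) both the unique key and any equality lookup on it compare base64 case-insensitively, which is not how base64 identifiers are meant to compare. Declaring the column with `COLLATE utf8mb4_bin` or as a binary type would make the comparison exact. The same caveat applies to the MySQL V0003 rebuild of this table further down in the patch.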
@@ -1,32 +1,43 @@ -ALTER TABLE totp_configurations RENAME TO _bkp_DOWN_V0002_totp_configurations; -ALTER TABLE webauthn_devices RENAME TO _bkp_DOWN_V0002_webauthn_devices; +ALTER TABLE totp_configurations + DROP CONSTRAINT IF EXISTS totp_configurations_pkey, + DROP CONSTRAINT IF EXISTS totp_configurations_pkey1; + +ALTER TABLE totp_configurations + RENAME TO _bkp_DOWN_V0002_totp_configurations; + +ALTER TABLE webauthn_devices + DROP CONSTRAINT IF EXISTS webauthn_devices_pkey, + DROP CONSTRAINT IF EXISTS webauthn_devices_pkey1; + +ALTER TABLE webauthn_devices + RENAME TO _bkp_DOWN_V0002_webauthn_devices; CREATE TABLE IF NOT EXISTS totp_configurations ( - id SERIAL, + id SERIAL CONSTRAINT totp_configurations_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, - secret BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (username) + secret BYTEA NOT NULL ); +CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username); + INSERT INTO totp_configurations (id, username, issuer, algorithm, digits, period, secret) SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_DOWN_V0002_totp_configurations; CREATE TABLE IF NOT EXISTS u2f_devices ( - id SERIAL, + id SERIAL CONSTRAINT u2f_devices_pkey PRIMARY KEY, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BYTEA NOT NULL, - public_key BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (username, description) + public_key BYTEA NOT NULL ); +CREATE UNIQUE INDEX u2f_devices_lookup_key ON u2f_devices (username, description); + INSERT INTO u2f_devices (id, username, description, key_handle, public_key) SELECT id, username, description, DECODE(kid, 'base64'), public_key FROM _bkp_DOWN_V0002_webauthn_devices 
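Review bot: `CREATE UNIQUE INDEX totp_configurations_username_key` will fail here with a duplicate-relation error, because the table renamed to `_bkp_DOWN_V0002_totp_configurations` on the first lines still owns an index of that name (the up migration in the next file creates it, and `ALTER TABLE ... RENAME` does not rename indexes), so the down mirrors the primary-key handling but not the `DROP INDEX IF EXISTS totp_configurations_username_key;` that the up runs after its renames. The recreated `u2f_devices` has the same exposure for `u2f_devices_pkey` and `u2f_devices_lookup_key` whenever `_bkp_UP_V0002_u2f_devices` is still present, since the up renames `u2f_devices` without dropping its primary key and, as far as the visible hunks show, never drops that backup table. Adding `DROP INDEX IF EXISTS totp_configurations_username_key;` after the renames and `DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices;` before `CREATE TABLE IF NOT EXISTS u2f_devices` would make the down runnable; the tail of the up, outside its hunks, may already cover the second case.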
@@ -35,3 +46,8 @@ WHERE attestation_type = 'fido-u2f'; UPDATE user_preferences SET second_factor_method = 'u2f' WHERE second_factor_method = 'webauthn'; + +DROP TABLE IF EXISTS _bkp_DOWN_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_DOWN_V0002_webauthn_devices; +DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices; diff --git a/internal/storage/migrations/V0002.Webauthn.postgres.up.sql b/internal/storage/migrations/V0002.Webauthn.postgres.up.sql index a02767846..57108fc9a 100644 --- a/internal/storage/migrations/V0002.Webauthn.postgres.up.sql +++ b/internal/storage/migrations/V0002.Webauthn.postgres.up.sql @@ -1,8 +1,17 @@ -ALTER TABLE totp_configurations RENAME TO _bkp_UP_V0002_totp_configurations; -ALTER TABLE u2f_devices RENAME TO _bkp_UP_V0002_u2f_devices; +ALTER TABLE totp_configurations + DROP CONSTRAINT IF EXISTS totp_configurations_pkey, + DROP CONSTRAINT IF EXISTS totp_configurations_pkey1; + +ALTER TABLE totp_configurations + RENAME TO _bkp_UP_V0002_totp_configurations; + +ALTER TABLE u2f_devices + RENAME TO _bkp_UP_V0002_u2f_devices; + +DROP INDEX IF EXISTS totp_configurations_username_key; CREATE TABLE IF NOT EXISTS totp_configurations ( - id SERIAL, + id SERIAL CONSTRAINT totp_configurations_pkey PRIMARY KEY, created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL, username VARCHAR(100) NOT NULL, 
@@ -10,17 +19,17 @@ CREATE TABLE IF NOT EXISTS totp_configurations ( algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, - secret BYTEA NOT NULL, - PRIMARY KEY (id), - UNIQUE (username) + secret BYTEA NOT NULL ); +CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username); + INSERT INTO totp_configurations (id, username, issuer, algorithm, digits, period, secret) SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_UP_V0002_totp_configurations; CREATE TABLE IF NOT EXISTS webauthn_devices ( - id SERIAL, + id SERIAL CONSTRAINT webauthn_devices_pkey PRIMARY KEY, created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL, rpid TEXT, @@ -32,12 +41,12 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( transport VARCHAR(20) DEFAULT '', aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, - clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), - UNIQUE (username, description), - UNIQUE (kid) + clone_warning BOOLEAN NOT NULL DEFAULT FALSE ); +CREATE UNIQUE INDEX webauthn_devices_kid_key ON webauthn_devices (kid); +CREATE UNIQUE INDEX webauthn_devices_lookup_key ON webauthn_devices (username, description); + INSERT INTO webauthn_devices (id, rpid, username, description, kid, public_key, attestation_type, aaguid, sign_count) SELECT id, '', username, description, ENCODE(key_handle::BYTEA, 'base64'), public_key, 'fido-u2f', '00000000-0000-0000-0000-000000000000', 0 FROM _bkp_UP_V0002_u2f_devices; diff --git a/internal/storage/migrations/V0002.Webauthn.sqlite.down.sql b/internal/storage/migrations/V0002.Webauthn.sqlite.down.sql index dd89c26a3..1baf4e5e9 100644 --- a/internal/storage/migrations/V0002.Webauthn.sqlite.down.sql +++ b/internal/storage/migrations/V0002.Webauthn.sqlite.down.sql 
@@ -1,15 +1,17 @@ -ALTER TABLE totp_configurations RENAME TO _bkp_DOWN_V0002_totp_configurations; -ALTER TABLE webauthn_devices RENAME TO _bkp_DOWN_V0002_webauthn_devices; +ALTER TABLE totp_configurations + RENAME TO _bkp_DOWN_V0002_totp_configurations; + +ALTER TABLE webauthn_devices + RENAME TO _bkp_DOWN_V0002_webauthn_devices; CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) NOT NULL, issuer VARCHAR(100), algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1', digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE (username) ); @@ -18,12 +20,11 @@ SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_DOWN_V0002_totp_configurations; CREATE TABLE IF NOT EXISTS u2f_devices ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, username VARCHAR(100) NOT NULL, description VARCHAR(30) NOT NULL DEFAULT 'Primary', key_handle BLOB NOT NULL, public_key BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE (username, description) ); @@ -35,3 +36,8 @@ WHERE attestation_type = 'fido-u2f'; UPDATE user_preferences SET second_factor_method = 'u2f' WHERE second_factor_method = 'webauthn'; + +DROP TABLE IF EXISTS _bkp_DOWN_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_DOWN_V0002_webauthn_devices; +DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices; diff --git a/internal/storage/migrations/V0002.Webauthn.sqlite.up.sql b/internal/storage/migrations/V0002.Webauthn.sqlite.up.sql index d18f6d744..1f7e63169 100644 --- a/internal/storage/migrations/V0002.Webauthn.sqlite.up.sql +++ b/internal/storage/migrations/V0002.Webauthn.sqlite.up.sql 
@@ -1,8 +1,11 @@ -ALTER TABLE totp_configurations RENAME TO _bkp_UP_V0002_totp_configurations; -ALTER TABLE u2f_devices RENAME TO _bkp_UP_V0002_u2f_devices; +ALTER TABLE totp_configurations + RENAME TO _bkp_UP_V0002_totp_configurations; + +ALTER TABLE u2f_devices + RENAME TO _bkp_UP_V0002_u2f_devices; CREATE TABLE IF NOT EXISTS totp_configurations ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, username VARCHAR(100) NOT NULL, @@ -11,7 +14,6 @@ CREATE TABLE IF NOT EXISTS totp_configurations ( digits INTEGER NOT NULL DEFAULT 6, period INTEGER NOT NULL DEFAULT 30, secret BLOB NOT NULL, - PRIMARY KEY (id), UNIQUE (username) ); @@ -19,8 +21,10 @@ INSERT INTO totp_configurations (id, username, issuer, algorithm, digits, period SELECT id, username, issuer, algorithm, digits, period, secret FROM _bkp_UP_V0002_totp_configurations; +DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations; + CREATE TABLE IF NOT EXISTS webauthn_devices ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, rpid TEXT, @@ -33,7 +37,6 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), UNIQUE (username, description), UNIQUE (kid) ); @@ -42,6 +45,8 @@ INSERT INTO webauthn_devices (id, rpid, username, description, kid, public_key, SELECT id, '', username, description, BIN2B64(key_handle), public_key, 'fido-u2f', '00000000-0000-0000-0000-000000000000', 0 FROM _bkp_UP_V0002_u2f_devices; +DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices; + UPDATE user_preferences SET second_factor_method = 'webauthn' WHERE second_factor_method = 'u2f'; 
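Review bot: The SQLite up now drops `_bkp_UP_V0002_totp_configurations` and `_bkp_UP_V0002_u2f_devices` as soon as their rows are copied, while the MySQL and PostgreSQL ups in this patch keep those backups and rely on the down migration's trailing `DROP TABLE IF EXISTS _bkp_UP_V0002_*` statements to remove them; the three dialects should follow one retention policy so an operator knows whether a copy of the pre-Webauthn tables still exists after an upgrade. Dropping immediately also discards the only copy of `key_handle` in its original binary form, which matters if the `BIN2B64` conversion ever has to be redone. If keeping the backups is the intended behaviour for the other dialects, a comment in this file stating why SQLite differs would suffice.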
diff --git a/internal/storage/migrations/V0003.WebauthnKIDLength.mysql.up.sql b/internal/storage/migrations/V0003.WebauthnKIDLength.mysql.up.sql index 79fede7c9..f2caeca95 100644 --- a/internal/storage/migrations/V0003.WebauthnKIDLength.mysql.up.sql +++ b/internal/storage/migrations/V0003.WebauthnKIDLength.mysql.up.sql @@ -1,7 +1,8 @@ -ALTER TABLE webauthn_devices RENAME _bkp_UP_V0003_webauthn_devices; +ALTER TABLE webauthn_devices + RENAME _bkp_UP_V0003_webauthn_devices; CREATE TABLE IF NOT EXISTS webauthn_devices ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, rpid TEXT, @@ -14,10 +15,9 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), UNIQUE KEY (username, description), UNIQUE KEY (kid) -); +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; INSERT INTO webauthn_devices (id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning) SELECT id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning diff --git a/internal/storage/migrations/V0003.WebauthnKIDLength.postgres.up.sql b/internal/storage/migrations/V0003.WebauthnKIDLength.postgres.up.sql index 2aeeb828e..078b51627 100644 --- a/internal/storage/migrations/V0003.WebauthnKIDLength.postgres.up.sql +++ b/internal/storage/migrations/V0003.WebauthnKIDLength.postgres.up.sql 
@@ -1,7 +1,15 @@ -ALTER TABLE webauthn_devices RENAME TO _bkp_UP_V0003_webauthn_devices; +ALTER TABLE webauthn_devices + DROP CONSTRAINT IF EXISTS webauthn_devices_pkey, + DROP CONSTRAINT IF EXISTS webauthn_devices_pkey1; + +ALTER TABLE webauthn_devices + RENAME TO _bkp_UP_V0003_webauthn_devices; + +DROP INDEX IF EXISTS webauthn_devices_kid_key; +DROP INDEX IF EXISTS webauthn_devices_lookup_key; CREATE TABLE IF NOT EXISTS webauthn_devices ( - id SERIAL, + id SERIAL CONSTRAINT webauthn_devices_pkey PRIMARY KEY, created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL, rpid TEXT, @@ -13,12 +21,12 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( transport VARCHAR(20) DEFAULT '', aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, - clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), - UNIQUE (username, description), - UNIQUE (kid) + clone_warning BOOLEAN NOT NULL DEFAULT FALSE ); +CREATE UNIQUE INDEX webauthn_devices_kid_key ON webauthn_devices (kid); +CREATE UNIQUE INDEX webauthn_devices_lookup_key ON webauthn_devices (username, description); + INSERT INTO webauthn_devices (id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning) SELECT id, created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning FROM _bkp_UP_V0003_webauthn_devices; diff --git a/internal/storage/migrations/V0003.WebauthnKIDLength.sqlite.up.sql b/internal/storage/migrations/V0003.WebauthnKIDLength.sqlite.up.sql index 52c34b3d3..d19030808 100644 --- a/internal/storage/migrations/V0003.WebauthnKIDLength.sqlite.up.sql +++ b/internal/storage/migrations/V0003.WebauthnKIDLength.sqlite.up.sql 
@@ -1,7 +1,8 @@ -ALTER TABLE webauthn_devices RENAME TO _bkp_UP_V0003_webauthn_devices; +ALTER TABLE webauthn_devices + RENAME TO _bkp_UP_V0003_webauthn_devices; CREATE TABLE IF NOT EXISTS webauthn_devices ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, last_used_at TIMESTAMP NULL DEFAULT NULL, rpid TEXT, @@ -14,7 +15,6 @@ CREATE TABLE IF NOT EXISTS webauthn_devices ( aaguid CHAR(36) NOT NULL, sign_count INTEGER DEFAULT 0, clone_warning BOOLEAN NOT NULL DEFAULT FALSE, - PRIMARY KEY (id), UNIQUE (username, description), UNIQUE (kid) ); diff --git a/internal/storage/migrations/V0004.OpenIDConnect.all.down.sql b/internal/storage/migrations/V0004.OpenIDConnect.all.down.sql index 481f502fb..257ddcc97 100644 --- a/internal/storage/migrations/V0004.OpenIDConnect.all.down.sql +++ b/internal/storage/migrations/V0004.OpenIDConnect.all.down.sql @@ -5,4 +5,4 @@ DROP TABLE IF EXISTS oauth2_refresh_token_session; DROP TABLE IF EXISTS oauth2_pkce_request_session; DROP TABLE IF EXISTS oauth2_openid_connect_session; DROP TABLE IF EXISTS oauth2_consent_session; -DROP TABLE IF EXISTS user_opaque_identifier; \ No newline at end of file +DROP TABLE IF EXISTS user_opaque_identifier; diff --git a/internal/storage/migrations/V0004.OpenIDConnect.mysql.up.sql b/internal/storage/migrations/V0004.OpenIDConnect.mysql.up.sql index 4fc3adc70..aa415acc1 100644 --- a/internal/storage/migrations/V0004.OpenIDConnect.mysql.up.sql +++ b/internal/storage/migrations/V0004.OpenIDConnect.mysql.up.sql 
@@ -1,26 +1,24 @@ CREATE TABLE IF NOT EXISTS user_opaque_identifier ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, service VARCHAR(20) NOT NULL, sector_id VARCHAR(255) NOT NULL, username VARCHAR(100) NOT NULL, - identifier CHAR(36) NOT NULL, - PRIMARY KEY (id) -); + identifier CHAR(36) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE UNIQUE INDEX user_opaque_identifier_service_sector_id_username_key ON user_opaque_identifier (service, sector_id, username); CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier); CREATE TABLE IF NOT EXISTS oauth2_blacklisted_jti ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, signature VARCHAR(64) NOT NULL, - expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY (id) -); + expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE UNIQUE INDEX oauth2_blacklisted_jti_signature_key ON oauth2_blacklisted_jti (signature); CREATE TABLE IF NOT EXISTS oauth2_consent_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NOT NULL, 
@@ -33,17 +31,18 @@ CREATE TABLE IF NOT EXISTS oauth2_consent_session ( requested_scopes TEXT NOT NULL, granted_scopes TEXT NOT NULL, requested_audience TEXT NULL, - granted_audience TEXT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_subject_fkey - FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + granted_audience TEXT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); +ALTER TABLE oauth2_consent_session + ADD CONSTRAINT oauth2_consent_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
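Review bot: The `subject` foreign key is now added by a separate `ALTER TABLE` after the table and its unique index exist, and the same split is made for the authorization-code and access-token sessions in the next two hunks; because MySQL DDL commits implicitly, a migration that aborts between `CREATE TABLE IF NOT EXISTS` and the `ALTER TABLE` leaves the table permanently without the constraint, and a rerun will not repair it (the CREATE passes silently and the following `CREATE UNIQUE INDEX` fails with a duplicate key name). The `ON DELETE CASCADE` on `challenge_id` is what removes code, access and refresh sessions when a consent row is deleted, so a missing constraint means tokens silently outlive their consent; whether the migration runner detects partial application is outside this diff. A comment above the first `ALTER TABLE` recording why the constraints are deferred (`-- FKs are added after the unique indexes: presumably because the referenced column must be indexed first`) would keep a later refactor from folding them back into the CREATE TABLE.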
@@ -57,22 +56,23 @@ CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY (challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_authorization_code_session_subject_fkey - FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -86,22 +86,23 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); +ALTER TABLE oauth2_access_token_session + ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_access_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -115,22 +116,23 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); +ALTER TABLE oauth2_refresh_token_session + ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -144,22 +146,23 @@ CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); +ALTER TABLE oauth2_pkce_request_session + ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( - id INTEGER AUTO_INCREMENT, + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -173,16 +176,17 @@ CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); -CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); \ No newline at end of file +CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); + +ALTER TABLE oauth2_openid_connect_session + ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; diff --git a/internal/storage/migrations/V0004.OpenIDConnect.postgres.up.sql b/internal/storage/migrations/V0004.OpenIDConnect.postgres.up.sql index c5685dd21..9003da79a 100644 --- a/internal/storage/migrations/V0004.OpenIDConnect.postgres.up.sql +++ b/internal/storage/migrations/V0004.OpenIDConnect.postgres.up.sql 
@@ -1,26 +1,24 @@ CREATE TABLE IF NOT EXISTS user_opaque_identifier ( - id SERIAL, + id SERIAL CONSTRAINT user_opaque_identifier_pkey PRIMARY KEY, service VARCHAR(20) NOT NULL, sector_id VARCHAR(255) NOT NULL, username VARCHAR(100) NOT NULL, - identifier CHAR(36) NOT NULL, - PRIMARY KEY (id) + identifier CHAR(36) NOT NULL ); CREATE UNIQUE INDEX user_opaque_identifier_service_sector_id_username_key ON user_opaque_identifier (service, sector_id, username); CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier); CREATE TABLE IF NOT EXISTS oauth2_blacklisted_jti ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_blacklisted_jti_pkey PRIMARY KEY, signature VARCHAR(64) NOT NULL, - expires_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY (id) + expires_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP ); CREATE UNIQUE INDEX oauth2_blacklisted_jti_signature_key ON oauth2_blacklisted_jti (signature); CREATE TABLE IF NOT EXISTS oauth2_consent_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_consent_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NOT NULL, 
@@ -33,17 +31,18 @@ CREATE TABLE IF NOT EXISTS oauth2_consent_session ( requested_scopes TEXT NOT NULL, granted_scopes TEXT NOT NULL, requested_audience TEXT NULL DEFAULT '', - granted_audience TEXT NULL DEFAULT '', - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + granted_audience TEXT NULL DEFAULT '' ); CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); +ALTER TABLE oauth2_consent_session + ADD CONSTRAINT oauth2_consent_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_authorization_code_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -57,22 +56,23 @@ CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_authorization_code_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_access_token_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -86,22 +86,23 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); +ALTER TABLE oauth2_access_token_session + ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_access_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_refresh_token_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -115,22 +116,23 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); +ALTER TABLE oauth2_refresh_token_session + ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_pkce_request_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -144,22 +146,23 @@ CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); +ALTER TABLE oauth2_pkce_request_session + ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( - id SERIAL, + id SERIAL CONSTRAINT oauth2_openid_connect_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -173,16 +176,17 @@ CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); + +ALTER TABLE oauth2_openid_connect_session + ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; diff --git a/internal/storage/migrations/V0004.OpenIDConnect.sqlite.up.sql b/internal/storage/migrations/V0004.OpenIDConnect.sqlite.up.sql index 372fbeb58..0be3e9a54 100644 --- a/internal/storage/migrations/V0004.OpenIDConnect.sqlite.up.sql +++ b/internal/storage/migrations/V0004.OpenIDConnect.sqlite.up.sql 
@@ -1,26 +1,24 @@ CREATE TABLE IF NOT EXISTS user_opaque_identifier ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, service VARCHAR(20) NOT NULL, sector_id VARCHAR(255) NOT NULL, username VARCHAR(100) NOT NULL, - identifier CHAR(36) NOT NULL, - PRIMARY KEY (id) + identifier CHAR(36) NOT NULL ); CREATE UNIQUE INDEX user_opaque_identifier_service_sector_id_username_key ON user_opaque_identifier (service, sector_id, username); CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier); CREATE TABLE IF NOT EXISTS oauth2_blacklisted_jti ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, signature VARCHAR(64) NOT NULL, - expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - PRIMARY KEY (id) + expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ); CREATE UNIQUE INDEX oauth2_blacklisted_jti_signature_key ON oauth2_blacklisted_jti (signature); CREATE TABLE IF NOT EXISTS oauth2_consent_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NOT NULL, @@ -34,16 +32,15 @@ CREATE TABLE IF NOT EXISTS oauth2_consent_session ( granted_scopes TEXT NOT NULL, requested_audience TEXT NULL DEFAULT '', granted_audience TEXT NULL DEFAULT '', - PRIMARY KEY (id), CONSTRAINT oauth2_consent_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
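Review bot: `id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT` in each `CREATE TABLE` of this hunk (and the later SQLite hunks) only takes effect on databases created after this revision: `CREATE TABLE IF NOT EXISTS` leaves tables created by the original file untouched, and those keep the earlier `id INTEGER, … PRIMARY KEY (id)` form, which in SQLite is already a rowid alias but without the no-reuse guarantee that `AUTOINCREMENT` adds. Nothing visible references `id`, so the practical difference appears limited to id reuse after deletes, but two populations of databases now carry different schemas for the same migration version. If V0004 had already shipped when this revision was made and the difference is accepted, a short header comment would save the next reader from re-deriving it, e.g. `-- Revised after release: databases that already applied this migration keep the original definitions (CREATE TABLE IF NOT EXISTS does not alter them).`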
@@ -58,13 +55,12 @@ CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_authorization_code_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); @@ -72,7 +68,7 @@ CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authoriza CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -87,13 +83,12 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); @@ -101,7 +96,7 @@ CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_se CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -116,13 +111,12 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); @@ -130,7 +124,7 @@ CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_ CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -145,13 +139,12 @@ CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); @@ -159,7 +152,7 @@ CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_se CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -174,13 +167,12 @@ CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.down.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.down.sql index 95aab5ef0..2fe4c9aa7 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.down.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.down.sql @@ -1,3 +1,11 @@ ALTER TABLE oauth2_consent_session -DROP FOREIGN KEY oauth2_consent_session_subject_fkey, - ADD CONSTRAINT oauth2_consent_subject_fkey FOREIGN KEY (subject) REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; \ No newline at end of file + DROP FOREIGN KEY oauth2_consent_session_subject_fkey, + ADD CONSTRAINT oauth2_consent_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +DELETE FROM oauth2_consent_session +WHERE subject IS NULL; + +ALTER TABLE oauth2_consent_session + MODIFY subject CHAR(36) NOT NULL; 
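Review bot: `DELETE FROM oauth2_consent_session WHERE subject IS NULL` in the V0005 MySQL down migration does more than its text suggests: the authorization-code, access-token, refresh-token, PKCE and OIDC session tables reference `oauth2_consent_session (challenge_id)` with `ON DELETE CASCADE` (see the V0004 hunks above), so every token row issued under a subject-less consent is removed with it. The ordering itself is right, since those rows must be gone before `MODIFY subject CHAR(36) NOT NULL` can succeed, but a down migration that silently revokes live tokens should say so, e.g. `-- Rows without a subject cannot satisfy NOT NULL; deleting them cascades to the dependent oauth2_*_session tables.` The Postgres down migration in the next file has the same property and would take the same comment.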
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql index 72399fa12..9fb490909 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.mysql.up.sql @@ -1,7 +1,17 @@ -DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); -DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'); -DELETE FROM user_opaque_identifier WHERE service <> 'openid'; -ALTER TABLE oauth2_consent_session MODIFY subject CHAR(36) NULL DEFAULT NULL; +DELETE FROM oauth2_consent_session + WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); + +DELETE FROM user_opaque_identifier + WHERE username = '' AND service IN('openid', 'openid_connect'); + +DELETE FROM user_opaque_identifier + WHERE service <> 'openid'; + +ALTER TABLE oauth2_consent_session + MODIFY subject CHAR(36) NULL DEFAULT NULL; + ALTER TABLE oauth2_consent_session DROP FOREIGN KEY oauth2_consent_subject_fkey, - ADD CONSTRAINT oauth2_consent_session_subject_fkey FOREIGN KEY (subject) REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + ADD CONSTRAINT oauth2_consent_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.down.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.down.sql index 7fd6d685d..8def062aa 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.down.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.down.sql 
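Review bot: `DELETE FROM user_opaque_identifier WHERE service <> 'openid'` is guarded only by the preceding delete of consent sessions whose subject is a blank-username `openid`/`openid_connect` identifier; any consent or token session row that still references an identifier with another `service` value (or a non-blank username under `openid_connect`) will hit the `ON DELETE RESTRICT` foreign keys and abort the migration partway, and whether the earlier DELETEs are rolled back then depends on how the migrator runs the file. Whether such rows can exist is not visible here; if they cannot, a comment stating the invariant, e.g. `-- Only 'openid' identifiers are ever referenced by session rows; other services are unreferenced leftovers.`, would document why the RESTRICT constraints cannot fire. The Postgres up migration two files below carries the same assumption.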
@@ -1 +1,9 @@ -ALTER TABLE oauth2_consent_session RENAME CONSTRAINT oauth2_consent_session_subject_fkey TO oauth2_consent_subject_fkey; \ No newline at end of file +ALTER TABLE oauth2_consent_session + RENAME CONSTRAINT oauth2_consent_session_subject_fkey TO oauth2_consent_subject_fkey; + +DELETE FROM oauth2_consent_session +WHERE subject IS NULL; + +ALTER TABLE oauth2_consent_session + ALTER COLUMN subject SET NOT NULL, + ALTER COLUMN subject DROP DEFAULT; diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql index b68f381be..0a41727d4 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.postgres.up.sql @@ -1,6 +1,12 @@ -DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); -DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'); -DELETE FROM user_opaque_identifier WHERE service <> 'openid'; -ALTER TABLE oauth2_consent_session ALTER COLUMN subject DROP NOT NULL; -ALTER TABLE oauth2_consent_session ALTER COLUMN subject SET DEFAULT NULL; -ALTER TABLE oauth2_consent_session RENAME CONSTRAINT oauth2_consent_subject_fkey TO oauth2_consent_session_subject_fkey; +DELETE FROM oauth2_consent_session + WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); + +DELETE FROM user_opaque_identifier + WHERE service <> 'openid' OR username = ''; + +ALTER TABLE oauth2_consent_session + ALTER COLUMN subject DROP NOT NULL, + ALTER COLUMN subject SET DEFAULT NULL; + +ALTER TABLE oauth2_consent_session + RENAME CONSTRAINT oauth2_consent_subject_fkey TO oauth2_consent_session_subject_fkey; 
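Review bot: Merging the two cleanups into `DELETE FROM user_opaque_identifier WHERE service <> 'openid' OR username = ''` in the Postgres up migration is equivalent to the pair of statements the MySQL up migration keeps (the `username = '' AND service IN('openid', 'openid_connect')` rows are contained in the merged predicate, and every extra row the merged predicate matches already satisfies `service <> 'openid'`), but the two dialects now express the same step differently in a commit whose purpose is consistency. Either keep the two statements here as well, or apply the merged form to the MySQL file too, so that a reader diffing the dialect files sees only genuine dialect differences.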
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql index e0ac49d1e..c736d6b87 100644 --- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql +++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.down.sql 
@@ -1 +1,266 @@
-SELECT 1;
+PRAGMA foreign_keys=off;
+
+BEGIN TRANSACTION;
+
+DELETE FROM oauth2_consent_session
+ WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'));
+
+DELETE FROM user_opaque_identifier
+ WHERE username = '' AND service IN('openid', 'openid_connect');
+
+DELETE FROM user_opaque_identifier
+ WHERE service <> 'openid';
+
+DROP INDEX IF EXISTS oauth2_consent_session_challenge_id_key;
+
+ALTER TABLE oauth2_consent_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_consent_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ authorized BOOLEAN NOT NULL DEFAULT FALSE,
+ granted BOOLEAN NOT NULL DEFAULT FALSE,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ responded_at TIMESTAMP NULL DEFAULT NULL,
+ expires_at TIMESTAMP NULL DEFAULT NULL,
+ form_data TEXT NOT NULL,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ CONSTRAINT oauth2_consent_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
+
+INSERT INTO oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience
+FROM _bkp_DOWN_V0005_oauth2_consent_session
+WHERE subject IS NOT NULL
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_consent_session;
+
+DROP INDEX IF EXISTS oauth2_authorization_code_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_subject_idx;
+
+ALTER TABLE oauth2_authorization_code_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_authorization_code_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
+
+INSERT INTO oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0005_oauth2_authorization_code_session
+WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_authorization_code_session;
+
+DROP INDEX IF EXISTS oauth2_access_token_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_access_token_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_access_token_session_client_id_subject_idx;
+
+ALTER TABLE oauth2_access_token_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_access_token_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
+CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id);
+CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
+
+INSERT INTO oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0005_oauth2_access_token_session
+WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_access_token_session;
+
+DROP INDEX IF EXISTS oauth2_refresh_token_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_subject_idx;
+
+ALTER TABLE oauth2_refresh_token_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_refresh_token_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
+
+INSERT INTO oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0005_oauth2_refresh_token_session
+WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_refresh_token_session;
+
+DROP INDEX IF EXISTS oauth2_pkce_request_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_subject_idx;
+
+ALTER TABLE oauth2_pkce_request_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_pkce_request_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
+
+INSERT INTO oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0005_oauth2_pkce_request_session
+WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_pkce_request_session;
+
+DROP INDEX IF EXISTS oauth2_openid_connect_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_subject_idx;
+
+ALTER TABLE oauth2_openid_connect_session
+ RENAME TO _bkp_DOWN_V0005_oauth2_openid_connect_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+
+INSERT INTO oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0005_oauth2_openid_connect_session
+WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0005_oauth2_openid_connect_session;
+
+COMMIT;
+
+PRAGMA foreign_keys=on;
diff --git a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
index a40a79c2e..c9347cb4d 100644
--- a/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
+++ b/internal/storage/migrations/V0005.ConsentSubjectNULL.sqlite.up.sql
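Review bot: The whole rebuild runs under `PRAGMA foreign_keys=off` and enforcement is only switched back on after `COMMIT;`, yet nothing verifies that the rows copied into the recreated tables still satisfy their `subject` foreign keys: the five child-table `INSERT ... SELECT`s filter on `challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)` only, while the two `DELETE FROM user_opaque_identifier` statements at the top remove identifiers without removing code/token sessions that reference them. SQLite's documented table-rebuild procedure ends with `PRAGMA foreign_key_check;` for exactly this reason; I would add it immediately before `COMMIT;` and have the migration runner (not visible in this diff) treat any returned row as a failed rollback, rather than re-enabling enforcement over an already-inconsistent database. A comment such as `-- Verify the rebuilt tables before foreign keys are re-enabled.` would explain why the statement is there.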
@@ -2,14 +2,22 @@ PRAGMA foreign_keys=off; BEGIN TRANSACTION; -DELETE FROM oauth2_consent_session WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); -DELETE FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect'); -DELETE FROM user_opaque_identifier WHERE service <> 'openid'; +DELETE FROM oauth2_consent_session + WHERE subject IN(SELECT identifier FROM user_opaque_identifier WHERE username = '' AND service IN('openid', 'openid_connect')); -ALTER TABLE oauth2_consent_session RENAME TO _bkp_UP_V0005_oauth2_consent_session; +DELETE FROM user_opaque_identifier + WHERE username = '' AND service IN('openid', 'openid_connect'); + +DELETE FROM user_opaque_identifier + WHERE service <> 'openid'; + +DROP INDEX IF EXISTS oauth2_consent_session_challenge_id_key; + +ALTER TABLE oauth2_consent_session + RENAME TO _bkp_UP_V0005_oauth2_consent_session; CREATE TABLE IF NOT EXISTS oauth2_consent_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NULL DEFAULT NULL, 
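Review bot: With `PRAGMA foreign_keys=off` in effect (the context line at the top of this hunk), the `DELETE FROM oauth2_consent_session WHERE subject IN(...)` does not fire the `ON DELETE CASCADE` that the code/token session tables declare on `challenge_id`, and the two `DELETE FROM user_opaque_identifier` statements are not stopped by the `RESTRICT` constraints either; unlike the postgres variant of this migration, which would either cascade or abort, this leaves authorization-code, access-token, refresh-token, PKCE and OIDC session rows whose `challenge_id` or `subject` no longer exists. Whether those rows remain usable depends on how they are looked up, which is outside this diff, but a session that outlives the consent it was granted under is not something a migration should create. I would delete them explicitly before the rebuilds begin, e.g. `DELETE FROM oauth2_access_token_session WHERE challenge_id NOT IN (SELECT challenge_id FROM oauth2_consent_session);`, repeated for each of the five session tables.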
@@ -23,27 +31,29 @@ CREATE TABLE IF NOT EXISTS oauth2_consent_session ( granted_scopes TEXT NOT NULL, requested_audience TEXT NULL DEFAULT '', granted_audience TEXT NULL DEFAULT '', - PRIMARY KEY (id), CONSTRAINT oauth2_consent_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); + INSERT INTO oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience) SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, expires_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience FROM _bkp_UP_V0005_oauth2_consent_session ORDER BY id; -DROP INDEX oauth2_consent_session_challenge_id_key; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_consent_session; -CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); +DROP INDEX IF EXISTS oauth2_authorization_code_session_request_id_idx; +DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_idx; +DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_subject_idx; -DROP TABLE _bkp_UP_V0005_oauth2_consent_session; - -ALTER TABLE oauth2_authorization_code_session RENAME TO _bkp_UP_V0005_oauth2_authorization_code_session; +ALTER TABLE oauth2_authorization_code_session + RENAME TO _bkp_UP_V0005_oauth2_authorization_code_session; CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -58,34 +68,34 @@ CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_authorization_code_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); +CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); +CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); + INSERT INTO oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data) SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data FROM _bkp_UP_V0005_oauth2_authorization_code_session ORDER BY id; -DROP INDEX oauth2_authorization_code_session_request_id_idx; -DROP INDEX oauth2_authorization_code_session_client_id_idx; -DROP INDEX oauth2_authorization_code_session_client_id_subject_idx; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_authorization_code_session; -CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); 
-CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); -CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); +DROP INDEX IF EXISTS oauth2_access_token_session_request_id_idx; +DROP INDEX IF EXISTS oauth2_access_token_session_client_id_idx; +DROP INDEX IF EXISTS oauth2_access_token_session_client_id_subject_idx; -DROP TABLE _bkp_UP_V0005_oauth2_authorization_code_session; - -ALTER TABLE oauth2_access_token_session RENAME TO _bkp_UP_V0005_oauth2_access_token_session; +ALTER TABLE oauth2_access_token_session + RENAME TO _bkp_UP_V0005_oauth2_access_token_session; CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
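Review bot: The `INSERT INTO oauth2_authorization_code_session ... SELECT ... FROM _bkp_UP_V0005_oauth2_authorization_code_session ORDER BY id` copies every backed-up row, whereas the sqlite down migration in this same commit guards its equivalent copy with `WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)`; because the consent sessions of anonymous subjects were deleted earlier in this file with foreign keys disabled, the unguarded copy carries their now-orphaned code sessions into the new table. Adding the same `WHERE challenge_id IN (SELECT challenge_id FROM oauth2_consent_session)` line before `ORDER BY id;` here, and in the access-token, refresh-token, PKCE and OIDC rebuilds that follow, makes the up and down directions enforce the same invariant. The enclosing `CREATE TABLE` begins before this hunk.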
@@ -100,34 +110,34 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); +CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); +CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); + INSERT INTO oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data) SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data FROM _bkp_UP_V0005_oauth2_access_token_session ORDER BY id; -DROP INDEX oauth2_access_token_session_request_id_idx; -DROP INDEX oauth2_access_token_session_client_id_idx; -DROP INDEX oauth2_access_token_session_client_id_subject_idx; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_access_token_session; -CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); -CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); 
-CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); +DROP INDEX IF EXISTS oauth2_refresh_token_session_request_id_idx; +DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_idx; +DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_subject_idx; -DROP TABLE _bkp_UP_V0005_oauth2_access_token_session; - -ALTER TABLE oauth2_refresh_token_session RENAME TO _bkp_UP_V0005_oauth2_refresh_token_session; +ALTER TABLE oauth2_refresh_token_session + RENAME TO _bkp_UP_V0005_oauth2_refresh_token_session; CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -142,34 +152,34 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); +CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); +CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); + INSERT INTO oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data) SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data FROM _bkp_UP_V0005_oauth2_refresh_token_session ORDER BY id; -DROP INDEX oauth2_refresh_token_session_request_id_idx; -DROP INDEX oauth2_refresh_token_session_client_id_idx; -DROP INDEX oauth2_refresh_token_session_client_id_subject_idx; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_refresh_token_session; -CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); -CREATE INDEX oauth2_refresh_token_session_client_id_idx ON 
oauth2_refresh_token_session (client_id); -CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); +DROP INDEX IF EXISTS oauth2_pkce_request_session_request_id_idx; +DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_idx; +DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_subject_idx; -DROP TABLE _bkp_UP_V0005_oauth2_refresh_token_session; - -ALTER TABLE oauth2_pkce_request_session RENAME TO _bkp_UP_V0005_oauth2_pkce_request_session; +ALTER TABLE oauth2_pkce_request_session + RENAME TO _bkp_UP_V0005_oauth2_pkce_request_session; CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -184,34 +194,34 @@ CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); +CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); +CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); + INSERT INTO oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data) SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data FROM _bkp_UP_V0005_oauth2_pkce_request_session ORDER BY id; -DROP INDEX oauth2_pkce_request_session_request_id_idx; -DROP INDEX oauth2_pkce_request_session_client_id_idx; -DROP INDEX oauth2_pkce_request_session_client_id_subject_idx; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_pkce_request_session; -CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); -CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); 
-CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); +DROP INDEX IF EXISTS oauth2_openid_connect_session_request_id_idx; +DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_idx; +DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_subject_idx; -DROP TABLE _bkp_UP_V0005_oauth2_pkce_request_session; - -ALTER TABLE oauth2_openid_connect_session RENAME TO _bkp_UP_V0005_oauth2_openid_connect_session; +ALTER TABLE oauth2_openid_connect_session + RENAME TO _bkp_UP_V0005_oauth2_openid_connect_session; CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( - id INTEGER, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -226,29 +236,24 @@ CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, session_data BLOB NOT NULL, - PRIMARY KEY (id), CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT ); +CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); +CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); +CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); + INSERT INTO oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data) SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data FROM _bkp_UP_V0005_oauth2_openid_connect_session ORDER BY id; -DROP INDEX oauth2_openid_connect_session_request_id_idx; -DROP INDEX oauth2_openid_connect_session_client_id_idx; -DROP INDEX oauth2_openid_connect_session_client_id_subject_idx; - -CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); -CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); -CREATE INDEX 
oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); - -DROP TABLE _bkp_UP_V0005_oauth2_openid_connect_session; +DROP TABLE IF EXISTS _bkp_UP_V0005_oauth2_openid_connect_session; COMMIT; diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.down.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.down.sql index e06f19d81..1a25ce77f 100644 --- a/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.down.sql +++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.down.sql @@ -1,13 +1,13 @@ -DROP TABLE oauth2_authorization_code_session; -DROP TABLE oauth2_access_token_session; -DROP TABLE oauth2_refresh_token_session; -DROP TABLE oauth2_pkce_request_session; -DROP TABLE oauth2_openid_connect_session; -DROP TABLE oauth2_consent_session; -DROP TABLE oauth2_consent_preconfiguration; +DROP TABLE IF EXISTS oauth2_authorization_code_session; +DROP TABLE IF EXISTS oauth2_access_token_session; +DROP TABLE IF EXISTS oauth2_refresh_token_session; +DROP TABLE IF EXISTS oauth2_pkce_request_session; +DROP TABLE IF EXISTS oauth2_openid_connect_session; +DROP TABLE IF EXISTS oauth2_consent_session; +DROP TABLE IF EXISTS oauth2_consent_preconfiguration; -CREATE TABLE oauth2_consent_session ( - id INTEGER AUTO_INCREMENT, +CREATE TABLE IF NOT EXISTS oauth2_consent_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NULL DEFAULT NULL, 
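Review bot: Nothing between the last table rebuild and `COMMIT;` checks the constraints that were suspended with `PRAGMA foreign_keys=off` at the top of the file, so the transaction commits even if a copied `subject` or `challenge_id` no longer has a parent row; the `PRAGMA` is presumably re-enabled after the commit, outside this hunk. SQLite's documented rebuild procedure calls for `PRAGMA foreign_key_check;` at this point, so I would insert it before `COMMIT;` and have the migration runner treat any returned row as a failure. The down migration in this commit has the same gap.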
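Review bot: This rollback drops the five session tables and `oauth2_consent_session` outright and recreates them, which invalidates every issued access and refresh token and every recorded consent; that is a defensible choice for a down migration but it is not stated anywhere in the file. I would add a header comment: `-- NOTE: rolling back V0006 discards all OAuth2 consent and token sessions; every issued token becomes invalid.` The change to `DROP TABLE IF EXISTS` also means a partially-applied up migration now rolls back without error, which is worth a word in the same comment.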
@@ -20,46 +20,18 @@ CREATE TABLE oauth2_consent_session ( requested_scopes TEXT NOT NULL, granted_scopes TEXT NOT NULL, requested_audience TEXT NULL, - granted_audience TEXT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_session_subject_fkey - FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + granted_audience TEXT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); -CREATE TABLE oauth2_authorization_code_session ( - id INTEGER AUTO_INCREMENT, - challenge_id CHAR(36) NOT NULL, - request_id VARCHAR(40) NOT NULL, - client_id VARCHAR(255) NOT NULL, - signature VARCHAR(255) NOT NULL, - subject CHAR(36) NOT NULL, - requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - requested_scopes TEXT NOT NULL, - granted_scopes TEXT NOT NULL, - requested_audience TEXT NULL, - granted_audience TEXT NULL, - active BOOLEAN NOT NULL DEFAULT FALSE, - revoked BOOLEAN NOT NULL DEFAULT FALSE, - form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY (challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_authorization_code_session_subject_fkey +ALTER TABLE oauth2_consent_session + ADD CONSTRAINT oauth2_consent_session_subject_fkey FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; -CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); -CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); -CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON 
oauth2_authorization_code_session (client_id, subject); - -CREATE TABLE oauth2_access_token_session ( - id INTEGER AUTO_INCREMENT, +CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, @@ -73,22 +45,23 @@ CREATE TABLE oauth2_access_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); -CREATE TABLE oauth2_refresh_token_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_access_token_session + ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_access_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -102,22 +75,23 @@ CREATE TABLE oauth2_refresh_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; -CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); -CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); -CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); +CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); +CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); +CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); -CREATE TABLE oauth2_pkce_request_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT 
NULL, client_id VARCHAR(255) NOT NULL, 
@@ -131,22 +105,54 @@ CREATE TABLE oauth2_pkce_request_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; + +CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); +CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); +CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); + +ALTER TABLE oauth2_openid_connect_session + ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + challenge_id CHAR(36) NOT NULL, + request_id VARCHAR(40) NOT NULL, + client_id VARCHAR(255) NOT NULL, + signature VARCHAR(255) NOT NULL, + subject CHAR(36) NOT NULL, + requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, + requested_scopes TEXT NOT NULL, + granted_scopes TEXT NOT NULL, + requested_audience TEXT NULL, + granted_audience TEXT NULL, + active BOOLEAN NOT NULL DEFAULT FALSE, + revoked BOOLEAN NOT NULL DEFAULT FALSE, + form_data TEXT NOT NULL, + session_data BLOB NOT NULL 
+ +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); -CREATE TABLE oauth2_openid_connect_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_pkce_request_session + ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
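Review bot: `COLLATE=utf8mb4_unicode_520_ci` is a case- and accent-insensitive collation, so equality lookups and the indexes on `signature VARCHAR(255)`, `challenge_id`, `client_id` and `subject` will treat case variants of a value as the same row; if `signature` carries case-sensitive token material, a lookup by signature matches more than the exact string, which is only safe if the token is still verified cryptographically after the row is fetched. This is presumably chosen to match the project's other tables, and the same clause is used for every table in this file and in V0006.ConsentPreConfiguration.mysql.up.sql, but it is worth confirming that no query relies on a case-sensitive comparison; if one does, give that column an explicit binary collation, e.g. `signature VARCHAR(255) COLLATE utf8mb4_bin NOT NULL,`.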
@@ -160,16 +166,17 @@ CREATE TABLE oauth2_openid_connect_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; -CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); -CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); -CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); +CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); +CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); +CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); + +ALTER TABLE oauth2_refresh_token_session + ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.up.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.up.sql index 2e15cdd7f..374f9f691 100644 --- a/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.up.sql 
+++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.mysql.up.sql @@ -1,17 +1,18 @@ -CREATE TABLE oauth2_consent_preconfiguration ( - id INTEGER AUTO_INCREMENT, +CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NOT NULL, created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, expires_at TIMESTAMP NULL DEFAULT NULL, revoked BOOLEAN NOT NULL DEFAULT FALSE, scopes TEXT NOT NULL, - audience TEXT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_preconfiguration_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + audience TEXT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; + +ALTER TABLE oauth2_consent_preconfiguration + ADD CONSTRAINT oauth2_consent_preconfiguration_subjct_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; INSERT INTO oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, scopes, audience) SELECT client_id, subject, responded_at, expires_at, granted_scopes, granted_audience 
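Review bot: The foreign key added to `oauth2_consent_preconfiguration` is named `oauth2_consent_preconfiguration_subjct_fkey`, while the removed inline constraint was `oauth2_consent_preconfiguration_subject_fkey` and every other constraint in this commit follows the `<table>_<column>_fkey` pattern; anything that later drops, alters or checks the constraint by its expected name (a down migration, a later schema change, a consistency test) would not find it, and once this ships the misspelled name is baked into deployed databases and needs its own migration to rename. The same misspelling appears in V0006.ConsentPreConfiguration.postgres.up.sql. Change the line to `ADD CONSTRAINT oauth2_consent_preconfiguration_subject_fkey` in both files.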
@@ -19,15 +20,15 @@ FROM oauth2_consent_session WHERE expires_at IS NOT NULL AND responded_at IS NOT NULL ORDER BY responded_at; -DROP TABLE oauth2_authorization_code_session; -DROP TABLE oauth2_access_token_session; -DROP TABLE oauth2_refresh_token_session; -DROP TABLE oauth2_pkce_request_session; -DROP TABLE oauth2_openid_connect_session; -DROP TABLE oauth2_consent_session; +DROP TABLE IF EXISTS oauth2_access_token_session; +DROP TABLE IF EXISTS oauth2_authorization_code_session; +DROP TABLE IF EXISTS oauth2_openid_connect_session; +DROP TABLE IF EXISTS oauth2_pkce_request_session; +DROP TABLE IF EXISTS oauth2_refresh_token_session; +DROP TABLE IF EXISTS oauth2_consent_session; -CREATE TABLE oauth2_consent_session ( - id INTEGER AUTO_INCREMENT, +CREATE TABLE IF NOT EXISTS oauth2_consent_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NOT NULL, 
@@ -40,49 +41,21 @@ CREATE TABLE oauth2_consent_session ( granted_scopes TEXT NOT NULL, requested_audience TEXT NULL, granted_audience TEXT NULL, - preconfiguration INTEGER NULL DEFAULT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_session_subject_fkey - FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT, - CONSTRAINT oauth2_consent_session_preconfiguration_fkey - FOREIGN KEY (preconfiguration) - REFERENCES oauth2_consent_preconfiguration(id) ON UPDATE CASCADE ON DELETE CASCADE -); + preconfiguration INTEGER NULL DEFAULT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); -CREATE TABLE oauth2_authorization_code_session ( - id INTEGER AUTO_INCREMENT, - challenge_id CHAR(36) NOT NULL, - request_id VARCHAR(40) NOT NULL, - client_id VARCHAR(255) NOT NULL, - signature VARCHAR(255) NOT NULL, - subject CHAR(36) NOT NULL, - requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, - requested_scopes TEXT NOT NULL, - granted_scopes TEXT NOT NULL, - requested_audience TEXT NULL, - granted_audience TEXT NULL, - active BOOLEAN NOT NULL DEFAULT FALSE, - revoked BOOLEAN NOT NULL DEFAULT FALSE, - form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY (challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_authorization_code_session_subject_fkey +ALTER TABLE oauth2_consent_session + ADD CONSTRAINT oauth2_consent_session_subject_fkey FOREIGN KEY (subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT, + ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey + FOREIGN KEY (preconfiguration) + 
REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE; -CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); -CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); -CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); - -CREATE TABLE oauth2_access_token_session ( - id INTEGER AUTO_INCREMENT, +CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -96,22 +69,23 @@ CREATE TABLE oauth2_access_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); -CREATE TABLE oauth2_refresh_token_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_access_token_session + ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_access_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -125,22 +99,23 @@ CREATE TABLE oauth2_refresh_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; -CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); -CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); -CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); +CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); +CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); +CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); -CREATE TABLE oauth2_pkce_request_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT 
NULL, client_id VARCHAR(255) NOT NULL, 
@@ -154,22 +129,53 @@ CREATE TABLE oauth2_pkce_request_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; + +CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); +CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); +CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); + +ALTER TABLE oauth2_openid_connect_session + ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + challenge_id CHAR(36) NOT NULL, + request_id VARCHAR(40) NOT NULL, + client_id VARCHAR(255) NOT NULL, + signature VARCHAR(255) NOT NULL, + subject CHAR(36) NOT NULL, + requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, + requested_scopes TEXT NOT NULL, + granted_scopes TEXT NOT NULL, + requested_audience TEXT NULL, + granted_audience TEXT NULL, + active BOOLEAN NOT NULL DEFAULT FALSE, + revoked BOOLEAN NOT NULL DEFAULT FALSE, + form_data TEXT NOT NULL, + session_data BLOB NOT NULL 
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); -CREATE TABLE oauth2_openid_connect_session ( - id INTEGER AUTO_INCREMENT, +ALTER TABLE oauth2_pkce_request_session + ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( + id INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -183,16 +189,17 @@ CREATE TABLE oauth2_openid_connect_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BLOB NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_openid_connect_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT -); + session_data BLOB NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci; -CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id); -CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id); -CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject); +CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); +CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); +CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); + +ALTER TABLE oauth2_refresh_token_session + ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.down.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.down.sql index a180af297..8cdcacffa 100644 
--- a/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.down.sql +++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.down.sql @@ -1,13 +1,13 @@ -DROP TABLE oauth2_authorization_code_session; -DROP TABLE oauth2_access_token_session; -DROP TABLE oauth2_refresh_token_session; -DROP TABLE oauth2_pkce_request_session; -DROP TABLE oauth2_openid_connect_session; -DROP TABLE oauth2_consent_session; -DROP TABLE oauth2_consent_preconfiguration; +DROP TABLE IF EXISTS oauth2_authorization_code_session; +DROP TABLE IF EXISTS oauth2_access_token_session; +DROP TABLE IF EXISTS oauth2_refresh_token_session; +DROP TABLE IF EXISTS oauth2_pkce_request_session; +DROP TABLE IF EXISTS oauth2_openid_connect_session; +DROP TABLE IF EXISTS oauth2_consent_session; +DROP TABLE IF EXISTS oauth2_consent_preconfiguration; -CREATE TABLE oauth2_consent_session ( - id SERIAL, +CREATE TABLE IF NOT EXISTS oauth2_consent_session ( + id SERIAL CONSTRAINT oauth2_consent_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, client_id VARCHAR(255) NOT NULL, subject CHAR(36) NULL DEFAULT NULL, 
@@ -20,17 +20,18 @@ CREATE TABLE oauth2_consent_session ( requested_scopes TEXT NOT NULL, granted_scopes TEXT NOT NULL, requested_audience TEXT NULL DEFAULT '', - granted_audience TEXT NULL DEFAULT '', - PRIMARY KEY (id), - CONSTRAINT oauth2_consent_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + granted_audience TEXT NULL DEFAULT '' ); CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id); -CREATE TABLE oauth2_authorization_code_session ( - id SERIAL, +ALTER TABLE oauth2_consent_session + ADD CONSTRAINT oauth2_consent_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session ( + id SERIAL CONSTRAINT oauth2_authorization_code_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -44,22 +45,25 @@ CREATE TABLE oauth2_authorization_code_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_authorization_code_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id); CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id); CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject); -CREATE TABLE oauth2_access_token_session ( - id SERIAL, +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE; + +ALTER TABLE oauth2_authorization_code_session + ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_access_token_session ( + id SERIAL CONSTRAINT oauth2_access_token_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
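Review bot: The constraints on `oauth2_authorization_code_session` are added with two separate `ALTER TABLE oauth2_authorization_code_session` statements, whereas every other table in this file (and the MySQL counterparts) adds both foreign keys in a single `ALTER TABLE` with two comma-separated `ADD CONSTRAINT` clauses; for a commit whose purpose is schema consistency this stands out. Merge the two into one statement, ending the first clause with `REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,` and following it directly with `ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey`, matching the form used for `oauth2_access_token_session` below.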
@@ -73,22 +77,23 @@ CREATE TABLE oauth2_access_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_access_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_access_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id); CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id); CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject); -CREATE TABLE oauth2_refresh_token_session ( - id SERIAL, +ALTER TABLE oauth2_access_token_session + ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_access_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session ( + id SERIAL CONSTRAINT oauth2_refresh_token_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -102,22 +107,23 @@ CREATE TABLE oauth2_refresh_token_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_refresh_token_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id); CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id); CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject); -CREATE TABLE oauth2_pkce_request_session ( - id SERIAL, +ALTER TABLE oauth2_refresh_token_session + ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session ( + id SERIAL CONSTRAINT oauth2_pkce_request_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -131,22 +137,23 @@ CREATE TABLE oauth2_pkce_request_session ( active BOOLEAN NOT NULL DEFAULT FALSE, revoked BOOLEAN NOT NULL DEFAULT FALSE, form_data TEXT NOT NULL, - session_data BYTEA NOT NULL, - PRIMARY KEY (id), - CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey - FOREIGN KEY(challenge_id) - REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, - CONSTRAINT oauth2_pkce_request_session_subject_fkey - FOREIGN KEY(subject) - REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT + session_data BYTEA NOT NULL ); CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id); CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id); CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject); -CREATE TABLE oauth2_openid_connect_session ( - id SERIAL, +ALTER TABLE oauth2_pkce_request_session + ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey + FOREIGN KEY (challenge_id) + REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE, + ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey + FOREIGN KEY (subject) + REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT; + +CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session ( + id SERIAL CONSTRAINT oauth2_openid_connect_session_pkey PRIMARY KEY, challenge_id CHAR(36) NOT NULL, request_id VARCHAR(40) NOT NULL, client_id VARCHAR(255) NOT NULL, 
@@ -160,16 +167,17 @@ CREATE TABLE oauth2_openid_connect_session (
 active BOOLEAN NOT NULL DEFAULT FALSE,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_openid_connect_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ session_data BYTEA NOT NULL
 );
 
 CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
 CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
 CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.up.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.up.sql
index 21f1319d6..0d00375ab 100644
--- a/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.up.sql
+++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.postgres.up.sql
@@ -1,33 +1,34 @@
-CREATE TABLE oauth2_consent_preconfiguration (
- id SERIAL,
+CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration (
+ id SERIAL CONSTRAINT oauth2_consent_preconfiguration_pkey PRIMARY KEY,
 client_id VARCHAR(255) NOT NULL,
 subject CHAR(36) NOT NULL,
 created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
 expires_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 scopes TEXT NOT NULL,
- audience TEXT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_consent_preconfiguration_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ audience TEXT NULL
 );
 
+ALTER TABLE oauth2_consent_preconfiguration
+ ADD CONSTRAINT oauth2_consent_preconfiguration_subjct_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
 INSERT INTO oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, scopes, audience)
 SELECT client_id, subject, responded_at, expires_at, granted_scopes, granted_audience
 FROM oauth2_consent_session
 WHERE expires_at IS NOT NULL AND responded_at IS NOT NULL
 ORDER BY responded_at;
 
-DROP TABLE oauth2_authorization_code_session;
-DROP TABLE oauth2_access_token_session;
-DROP TABLE oauth2_refresh_token_session;
-DROP TABLE oauth2_pkce_request_session;
-DROP TABLE oauth2_openid_connect_session;
-DROP TABLE oauth2_consent_session;
+DROP TABLE IF EXISTS oauth2_access_token_session;
+DROP TABLE IF EXISTS oauth2_authorization_code_session;
+DROP TABLE IF EXISTS oauth2_openid_connect_session;
+DROP TABLE IF EXISTS oauth2_pkce_request_session;
+DROP TABLE IF EXISTS oauth2_refresh_token_session;
+DROP TABLE IF EXISTS oauth2_consent_session;
 
-CREATE TABLE oauth2_consent_session (
- id SERIAL,
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id SERIAL CONSTRAINT oauth2_consent_session_pkey PRIMARY KEY,
 challenge_id CHAR(36) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
 subject CHAR(36) NOT NULL,
@@ -40,20 +41,21 @@ CREATE TABLE oauth2_consent_session (
 granted_scopes TEXT NOT NULL,
 requested_audience TEXT NULL,
 granted_audience TEXT NULL,
- preconfiguration INTEGER NULL DEFAULT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_consent_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
- CONSTRAINT oauth2_consent_session_preconfiguration_fkey
- FOREIGN KEY(preconfiguration)
- REFERENCES oauth2_consent_preconfiguration(id) ON UPDATE CASCADE ON DELETE CASCADE
+ preconfiguration INTEGER NULL DEFAULT NULL
 );
 
 CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
 
-CREATE TABLE oauth2_authorization_code_session (
- id SERIAL,
+ALTER TABLE oauth2_consent_session
+ ADD CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
+ ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
+ id SERIAL CONSTRAINT oauth2_access_token_session_pkey PRIMARY KEY,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
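Review bot: The foreign key on oauth2_consent_preconfiguration is renamed from `oauth2_consent_preconfiguration_subject_fkey` to `oauth2_consent_preconfiguration_subjct_fkey` in the new `ALTER TABLE` of the first hunk, which reads as a typo rather than a consistency fix. If the misspelling is deliberate, presumably to match the name an already-shipped variant of V0006 created so that V0007 can rename it uniformly (the new V0007.ConsistencyFixes.mysql.down.sql restores exactly this spelling), a comment such as `-- name intentionally matches the historically shipped constraint; corrected in V0007` should say so, otherwise the next reader will "fix" it and break the V0007 down migration. The same rename appears in the `@@ -7,10 +7,9 @@` hunk of V0006.ConsentPreConfiguration.sqlite.up.sql. Separately, `CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration` is now followed by an unguarded `INSERT INTO oauth2_consent_preconfiguration ... SELECT ... FROM oauth2_consent_session`, so a re-run against a database where the table already exists would duplicate every preconfiguration row instead of failing early as the old unguarded `CREATE TABLE` did.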
@@ -67,51 +69,23 @@ CREATE TABLE oauth2_authorization_code_session (
 active BOOLEAN NOT NULL DEFAULT FALSE,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_authorization_code_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
-);
-
-CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
-CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
-CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
-
-CREATE TABLE oauth2_access_token_session (
- id SERIAL,
- challenge_id CHAR(36) NOT NULL,
- request_id VARCHAR(40) NOT NULL,
- client_id VARCHAR(255) NOT NULL,
- signature VARCHAR(255) NOT NULL,
- subject CHAR(36) NOT NULL,
- requested_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
- requested_scopes TEXT NOT NULL,
- granted_scopes TEXT NOT NULL,
- requested_audience TEXT NULL DEFAULT '',
- granted_audience TEXT NULL DEFAULT '',
- active BOOLEAN NOT NULL DEFAULT FALSE,
- revoked BOOLEAN NOT NULL DEFAULT FALSE,
- form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_access_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_access_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ session_data BYTEA NOT NULL
 );
 
 CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
 CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id);
 CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
 
-CREATE TABLE oauth2_refresh_token_session (
- id SERIAL,
+ALTER TABLE oauth2_access_token_session
+ ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id SERIAL CONSTRAINT oauth2_authorization_code_session_pkey PRIMARY KEY,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -125,22 +99,23 @@ CREATE TABLE oauth2_refresh_token_session (
 active BOOLEAN NOT NULL DEFAULT FALSE,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_refresh_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ session_data BYTEA NOT NULL
 );
 
-CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
-CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
-CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
+CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
 
-CREATE TABLE oauth2_pkce_request_session (
- id SERIAL,
+ALTER TABLE oauth2_authorization_code_session
+ ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id SERIAL CONSTRAINT oauth2_openid_connect_session_pkey PRIMARY KEY,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -154,22 +129,53 @@ CREATE TABLE oauth2_pkce_request_session (
 active BOOLEAN NOT NULL DEFAULT FALSE,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_pkce_request_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ session_data BYTEA NOT NULL
+);
+
+CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id SERIAL CONSTRAINT oauth2_pkce_request_session_pkey PRIMARY KEY,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BYTEA NOT NULL
 );
 
 CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
 
-CREATE TABLE oauth2_openid_connect_session (
- id SERIAL,
+ALTER TABLE oauth2_pkce_request_session
+ ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
+ id SERIAL CONSTRAINT oauth2_refresh_token_session_pkey PRIMARY KEY,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -183,16 +189,17 @@ CREATE TABLE oauth2_openid_connect_session (
 active BOOLEAN NOT NULL DEFAULT FALSE,
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
- session_data BYTEA NOT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
- CONSTRAINT oauth2_openid_connect_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ session_data BYTEA NOT NULL
 );
 
-CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
-CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
-CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
+
+ALTER TABLE oauth2_refresh_token_session
+ ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.down.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.down.sql
index c98c1f49a..7eed980a6 100644
--- a/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.down.sql
+++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.down.sql
@@ -1,13 +1,13 @@
-DROP TABLE oauth2_authorization_code_session;
-DROP TABLE oauth2_access_token_session;
-DROP TABLE oauth2_refresh_token_session;
-DROP TABLE oauth2_pkce_request_session;
-DROP TABLE oauth2_openid_connect_session;
-DROP TABLE oauth2_consent_session;
-DROP TABLE oauth2_consent_preconfiguration;
+DROP TABLE IF EXISTS oauth2_authorization_code_session;
+DROP TABLE IF EXISTS oauth2_access_token_session;
+DROP TABLE IF EXISTS oauth2_refresh_token_session;
+DROP TABLE IF EXISTS oauth2_pkce_request_session;
+DROP TABLE IF EXISTS oauth2_openid_connect_session;
+DROP TABLE IF EXISTS oauth2_consent_session;
+DROP TABLE IF EXISTS oauth2_consent_preconfiguration;
 
-CREATE TABLE oauth2_consent_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
 subject CHAR(36) NULL DEFAULT NULL,
@@ -21,16 +21,15 @@ CREATE TABLE oauth2_consent_session (
 granted_scopes TEXT NOT NULL,
 requested_audience TEXT NULL DEFAULT '',
 granted_audience TEXT NULL DEFAULT '',
- PRIMARY KEY (id),
 CONSTRAINT oauth2_consent_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
 
-CREATE TABLE oauth2_authorization_code_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
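Review bot: Replacing `id INTEGER` plus a table-level `PRIMARY KEY (id)` with `id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT` in the first hunk of this file is more than a layout change in SQLite: both forms alias the rowid, but `AUTOINCREMENT` switches allocation to the monotonically increasing `sqlite_sequence` counter, so the id of a deleted row is never handed out again (without it SQLite uses max(rowid)+1 and can reuse the id of the most recently deleted row), at a small cost per insert. That is a defensible choice for session and token tables but the commit does not mention it, and the same change is made to every `CREATE TABLE` in this file and in V0006.ConsentPreConfiguration.sqlite.up.sql; a one-line comment on the first table, e.g. `-- AUTOINCREMENT: ids of deleted session rows are never reused`, would record the intent. Since the foreign keys, including the `ON DELETE CASCADE` from oauth2_consent_session to the token tables, stay inline in the SQLite definitions, note that SQLite only enforces them when `PRAGMA foreign_keys = ON` is set on the connection, which is not visible here; presumably the storage provider sets it, otherwise deleting a consent session would leave its token rows behind.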
@@ -45,13 +44,12 @@ CREATE TABLE oauth2_authorization_code_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_authorization_code_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
@@ -59,7 +57,7 @@ CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authoriza
 CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
 
 CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
- id INTEGER,
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -74,13 +72,12 @@ CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_access_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_access_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
@@ -88,7 +85,7 @@ CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_se
 CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
 
 CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
- id INTEGER,
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -103,21 +100,20 @@ CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_refresh_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
 CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
 CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
 
-CREATE TABLE oauth2_pkce_request_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -132,21 +128,20 @@ CREATE TABLE oauth2_pkce_request_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_pkce_request_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
 
-CREATE TABLE oauth2_openid_connect_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -161,13 +156,12 @@ CREATE TABLE oauth2_openid_connect_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_openid_connect_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
diff --git a/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.up.sql b/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.up.sql
index 544574e6d..33fe8aa77 100644
--- a/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.up.sql
+++ b/internal/storage/migrations/V0006.ConsentPreConfiguration.sqlite.up.sql
@@ -1,5 +1,5 @@
-CREATE TABLE oauth2_consent_preconfiguration (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 client_id VARCHAR(255) NOT NULL,
 subject CHAR(36) NOT NULL,
 created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
@@ -7,10 +7,9 @@ CREATE TABLE oauth2_consent_preconfiguration (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 scopes TEXT NOT NULL,
 audience TEXT NULL,
- PRIMARY KEY (id),
- CONSTRAINT oauth2_consent_preconfiguration_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ CONSTRAINT oauth2_consent_preconfiguration_subjct_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 INSERT INTO oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, scopes, audience)
@@ -19,15 +18,15 @@ FROM oauth2_consent_session
 WHERE expires_at IS NOT NULL AND responded_at IS NOT NULL
 ORDER BY responded_at;
 
-DROP TABLE oauth2_authorization_code_session;
-DROP TABLE oauth2_access_token_session;
-DROP TABLE oauth2_refresh_token_session;
-DROP TABLE oauth2_pkce_request_session;
-DROP TABLE oauth2_openid_connect_session;
-DROP TABLE oauth2_consent_session;
+DROP TABLE IF EXISTS oauth2_authorization_code_session;
+DROP TABLE IF EXISTS oauth2_access_token_session;
+DROP TABLE IF EXISTS oauth2_refresh_token_session;
+DROP TABLE IF EXISTS oauth2_pkce_request_session;
+DROP TABLE IF EXISTS oauth2_openid_connect_session;
+DROP TABLE IF EXISTS oauth2_consent_session;
 
-CREATE TABLE oauth2_consent_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
 subject CHAR(36) NOT NULL,
@@ -41,19 +40,18 @@ CREATE TABLE oauth2_consent_session (
 requested_audience TEXT NULL DEFAULT '',
 granted_audience TEXT NULL DEFAULT '',
 preconfiguration INTEGER NULL DEFAULT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_consent_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
 CONSTRAINT oauth2_consent_session_preconfiguration_fkey
- FOREIGN KEY(preconfiguration)
- REFERENCES oauth2_consent_preconfiguration(id) ON UPDATE CASCADE ON DELETE CASCADE
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE
 );
 
 CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
 
-CREATE TABLE oauth2_authorization_code_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -68,21 +66,20 @@ CREATE TABLE oauth2_authorization_code_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_authorization_code_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
 CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
 CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
 
-CREATE TABLE oauth2_access_token_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -97,21 +94,20 @@ CREATE TABLE oauth2_access_token_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_access_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_access_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
 CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id);
 CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
 
-CREATE TABLE oauth2_refresh_token_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -126,21 +122,20 @@ CREATE TABLE oauth2_refresh_token_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_refresh_token_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
 CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
 CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
 
-CREATE TABLE oauth2_pkce_request_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -155,21 +150,20 @@ CREATE TABLE oauth2_pkce_request_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_pkce_request_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
 CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
 
-CREATE TABLE oauth2_openid_connect_session (
- id INTEGER,
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
 challenge_id CHAR(36) NOT NULL,
 request_id VARCHAR(40) NOT NULL,
 client_id VARCHAR(255) NOT NULL,
@@ -184,13 +178,12 @@ CREATE TABLE oauth2_openid_connect_session (
 revoked BOOLEAN NOT NULL DEFAULT FALSE,
 form_data TEXT NOT NULL,
 session_data BLOB NOT NULL,
- PRIMARY KEY (id),
 CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
- FOREIGN KEY(challenge_id)
- REFERENCES oauth2_consent_session(challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
 CONSTRAINT oauth2_openid_connect_session_subject_fkey
- FOREIGN KEY(subject)
- REFERENCES user_opaque_identifier(identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
 );
 
 CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.mysql.down.sql b/internal/storage/migrations/V0007.ConsistencyFixes.mysql.down.sql
new file mode 100644
index 000000000..c82a607ad
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.mysql.down.sql
@@ -0,0 +1,96 @@
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_session', 'oauth2_consent_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_session', 'oauth2_consent_session_preconfiguration_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_preconfiguration', 'oauth2_consent_preconfiguration_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_access_token_session', 'oauth2_access_token_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_access_token_session', 'oauth2_access_token_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_authorization_code_session', 'oauth2_authorization_code_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_authorization_code_session', 'oauth2_authorization_code_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_openid_connect_session', 'oauth2_openid_connect_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_openid_connect_session', 'oauth2_openid_connect_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_pkce_request_session', 'oauth2_pkce_request_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_pkce_request_session', 'oauth2_pkce_request_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_refresh_token_session', 'oauth2_refresh_token_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_refresh_token_session', 'oauth2_refresh_token_session_subject_fkey');
+
+CALL PROC_DROP_INDEX('duo_devices', 'duo_devices_username_key');
+CALL PROC_DROP_INDEX('encryption', 'encryption_name_key');
+CALL PROC_DROP_INDEX('identity_verification', 'identity_verification_jti_key');
+CALL PROC_DROP_INDEX('totp_configurations', 'totp_configurations_username_key');
+CALL PROC_DROP_INDEX('user_opaque_identifier', 'user_opaque_identifier_lookup_key');
+CALL PROC_DROP_INDEX('user_opaque_identifier', 'user_opaque_identifier_identifier_key');
+CALL PROC_DROP_INDEX('user_preferences', 'user_preferences_username_key');
+CALL PROC_DROP_INDEX('webauthn_devices', 'webauthn_devices_kid_key');
+CALL PROC_DROP_INDEX('webauthn_devices', 'webauthn_devices_lookup_key');
+
+CREATE UNIQUE INDEX username ON duo_devices (username);
+CREATE UNIQUE INDEX name ON encryption (name);
+CREATE UNIQUE INDEX jti ON identity_verification (jti);
+CREATE UNIQUE INDEX username ON totp_configurations (username);
+CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier);
+CREATE UNIQUE INDEX user_opaque_identifier_service_sector_id_username_key ON user_opaque_identifier (service, sector_id, username);
+CREATE UNIQUE INDEX username ON user_preferences (username);
+CREATE UNIQUE INDEX kid ON webauthn_devices (kid);
+CREATE UNIQUE INDEX username ON webauthn_devices (username, description);
+
+UPDATE webauthn_devices
+SET aaguid = '00000000-00000000-00000000-00000000'
+WHERE aaguid IS NULL;
+
+ALTER TABLE webauthn_devices
+ MODIFY aaguid CHAR(36) NOT NULL;
+
+ALTER TABLE oauth2_consent_session
+ ADD CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
+ ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ ADD CONSTRAINT oauth2_consent_preconfiguration_subjct_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_access_token_session
+ ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_authorization_code_session
+ ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_pkce_request_session
+ ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_refresh_token_session
+ ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+DROP PROCEDURE IF EXISTS PROC_DROP_FOREIGN_KEY;
+DROP PROCEDURE IF EXISTS PROC_DROP_INDEX;
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.mysql.up.sql b/internal/storage/migrations/V0007.ConsistencyFixes.mysql.up.sql
new file mode 100644
index 000000000..0b0d319f5
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.mysql.up.sql
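Review bot: This rollback calls `PROC_DROP_FOREIGN_KEY` and `PROC_DROP_INDEX` from its first line but never defines them; it relies on the copies the up script leaves behind and only drops them at the end, so it fails with an unknown-procedure error on any database where those helpers were cleaned up after the upgrade. The down script should be self-contained: recreate both procedures at the top (the same `CREATE PROCEDURE` bodies as the up script, each preceded by `DROP PROCEDURE IF EXISTS`) before the first `CALL`, and keep the final drops. The `oauth2_consent_preconfiguration_subjct_fkey` name in the preconfiguration block reads like a typo but appears to deliberately restore the pre-V0007 spelling that the up script drops under both names; a comment such as `-- intentionally restores the misspelled pre-V0007 constraint name` would stop a future cleanup from "fixing" it. Nothing here can bring back the legacy and `_bkp_UP_V0002_*` tables the up script drops, so that part of the upgrade is one-way and worth stating in a header comment.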
@@ -0,0 +1,213 @@
+DROP PROCEDURE IF EXISTS PROC_DROP_FOREIGN_KEY;
+DROP PROCEDURE IF EXISTS PROC_DROP_INDEX;
+
+CREATE PROCEDURE PROC_DROP_FOREIGN_KEY(IN tableName VARCHAR(64), IN constraintName VARCHAR(64))
+BEGIN
+ IF EXISTS(
+ SELECT * FROM information_schema.TABLE_CONSTRAINTS
+ WHERE
+ TABLE_SCHEMA = DATABASE() AND
+ TABLE_NAME = tableName AND
+ CONSTRAINT_NAME = constraintName AND
+ CONSTRAINT_TYPE = 'FOREIGN KEY')
+ THEN
+ SET @query = CONCAT('ALTER TABLE ', tableName, ' DROP FOREIGN KEY ', constraintName, ';');
+ PREPARE stmt FROM @query;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ END IF;
+END;
+
+CREATE PROCEDURE PROC_DROP_INDEX(IN tableName VARCHAR(64), IN indexName VARCHAR(64))
+BEGIN
+ IF EXISTS(
+ SELECT * FROM information_schema.STATISTICS
+ WHERE
+ TABLE_SCHEMA = DATABASE() AND
+ INDEX_SCHEMA = DATABASE() AND
+ TABLE_NAME = tableName AND
+ INDEX_NAME = indexName)
+ THEN
+ SET @query = CONCAT('ALTER TABLE ', tableName, ' DROP INDEX ', indexName, ';');
+ PREPARE stmt FROM @query;
+ EXECUTE stmt;
+ DEALLOCATE PREPARE stmt;
+ END IF;
+END;
+
+DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations;
+DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices;
+DROP TABLE IF EXISTS totp_secrets;
+DROP TABLE IF EXISTS identity_verification_tokens;
+DROP TABLE IF EXISTS u2f_devices;
+DROP TABLE IF EXISTS config;
+DROP TABLE IF EXISTS AuthenticationLogs;
+DROP TABLE IF EXISTS IdentityVerificationTokens;
+DROP TABLE IF EXISTS Preferences;
+DROP TABLE IF EXISTS PreferencesTableName;
+DROP TABLE IF EXISTS SecondFactorPreferences;
+DROP TABLE IF EXISTS TOTPSecrets;
+DROP TABLE IF EXISTS U2FDeviceHandles;
+
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_session', 'oauth2_consent_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_session', 'oauth2_consent_session_preconfiguration_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_preconfiguration', 'oauth2_consent_preconfiguration_subjct_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_consent_preconfiguration', 'oauth2_consent_preconfiguration_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_access_token_session', 'oauth2_access_token_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_access_token_session', 'oauth2_access_token_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_authorization_code_session', 'oauth2_authorization_code_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_authorization_code_session', 'oauth2_authorization_code_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_openid_connect_session', 'oauth2_openid_connect_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_openid_connect_session', 'oauth2_openid_connect_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_pkce_request_session', 'oauth2_pkce_request_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_pkce_request_session', 'oauth2_pkce_request_session_subject_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_refresh_token_session', 'oauth2_refresh_token_session_challenge_id_fkey');
+CALL PROC_DROP_FOREIGN_KEY('oauth2_refresh_token_session', 'oauth2_refresh_token_session_subject_fkey');
+
+CALL PROC_DROP_INDEX('duo_devices', 'username');
+CALL PROC_DROP_INDEX('encryption', 'name');
+CALL PROC_DROP_INDEX('identity_verification', 'jti');
+CALL PROC_DROP_INDEX('totp_configurations', 'username');
+CALL PROC_DROP_INDEX('user_opaque_identifier', 'user_opaque_identifier_identifier_key');
+CALL PROC_DROP_INDEX('user_opaque_identifier', 'user_opaque_identifier_service_sector_id_username_key');
+CALL PROC_DROP_INDEX('user_preferences', 'username');
+CALL PROC_DROP_INDEX('webauthn_devices', 'username');
+CALL PROC_DROP_INDEX('webauthn_devices', 'kid');
+
+CREATE UNIQUE INDEX duo_devices_username_key ON duo_devices (username);
+CREATE UNIQUE INDEX encryption_name_key ON encryption (name);
+CREATE UNIQUE INDEX identity_verification_jti_key ON identity_verification (jti);
+CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username);
+CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier);
+CREATE UNIQUE INDEX user_opaque_identifier_lookup_key ON user_opaque_identifier (service, sector_id, username);
+CREATE UNIQUE INDEX user_preferences_username_key ON user_preferences (username);
+CREATE UNIQUE INDEX webauthn_devices_kid_key ON webauthn_devices (kid);
+CREATE UNIQUE INDEX webauthn_devices_lookup_key ON webauthn_devices (username, description);
+
+ALTER TABLE webauthn_devices
+ MODIFY aaguid CHAR(36) NULL;
+
+UPDATE webauthn_devices
+SET aaguid = NULL
+WHERE aaguid = '' OR aaguid = '00000000-00000000-00000000-00000000';
+
+ALTER TABLE authentication_logs
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE duo_devices
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE encryption
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE identity_verification
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE migrations
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_blacklisted_jti
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_consent_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_access_token_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_authorization_code_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_openid_connect_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_pkce_request_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_refresh_token_session
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE totp_configurations
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE user_opaque_identifier
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE user_preferences
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE webauthn_devices
+ ENGINE=InnoDB,
+ CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_520_ci;
+
+ALTER TABLE oauth2_consent_session
+ ADD CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT,
+ ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ ADD CONSTRAINT oauth2_consent_preconfiguration_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_access_token_session
+ ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_authorization_code_session
+ ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_pkce_request_session
+ ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_refresh_token_session
+ ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.postgres.down.sql b/internal/storage/migrations/V0007.ConsistencyFixes.postgres.down.sql
new file mode 100644
index 000000000..da89cb8c7
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.postgres.down.sql
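Review bot: `PROC_DROP_FOREIGN_KEY` and `PROC_DROP_INDEX` are created at the top of the script but never dropped, so after the migration they remain in the schema as permanent stored procedures that execute dynamically built DDL; MySQL routines default to `SQL SECURITY DEFINER`, so any account later granted EXECUTE on this database can drop arbitrary foreign keys or indexes with the migration user's privileges. Append `DROP PROCEDURE IF EXISTS PROC_DROP_FOREIGN_KEY;` and `DROP PROCEDURE IF EXISTS PROC_DROP_INDEX;` after the last `ALTER TABLE` so the helpers exist only for the duration of the script (the down script would then need to create its own copies rather than rely on these). Inside both procedures the `CONCAT('ALTER TABLE ', tableName, ...)` statement is assembled from unquoted identifiers; every caller here passes a literal, so there is no injection path today, but wrapping `tableName` and the constraint/index name in backticks inside the CONCAT costs nothing and makes the helper safe to reuse. The thirteen `DROP TABLE IF EXISTS` statements for legacy and `_bkp_UP_V0002_*` tables are irreversible and the down script does not recreate them, which the migrations documentation should call out as the point past which a downgrade cannot restore data.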
@@ -0,0 +1,111 @@
+UPDATE webauthn_devices
+SET aaguid = '00000000-00000000-00000000-00000000'
+WHERE aaguid IS NULL;
+
+ALTER TABLE webauthn_devices
+ ALTER COLUMN aaguid SET NOT NULL;
+
+ALTER TABLE totp_configurations
+ DROP CONSTRAINT IF EXISTS totp_configurations_username_key1,
+ DROP CONSTRAINT IF EXISTS totp_configurations_username_key;
+
+ALTER TABLE webauthn_devices
+ DROP CONSTRAINT IF EXISTS webauthn_devices_username_description_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_kid_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_lookup_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_username_description_key,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_kid_key,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_lookup_key;
+
+DROP INDEX IF EXISTS totp_configurations_username_key1;
+DROP INDEX IF EXISTS webauthn_devices_username_description_key1;
+DROP INDEX IF EXISTS webauthn_devices_kid_key1;
+DROP INDEX IF EXISTS webauthn_devices_lookup_key1;
+DROP INDEX IF EXISTS totp_configurations_username_key;
+DROP INDEX IF EXISTS webauthn_devices_username_description_key;
+DROP INDEX IF EXISTS webauthn_devices_kid_key;
+DROP INDEX IF EXISTS webauthn_devices_lookup_key;
+
+CREATE UNIQUE INDEX totp_configurations_username_key1 ON totp_configurations (username);
+CREATE UNIQUE INDEX webauthn_devices_kid_key1 ON webauthn_devices (kid);
+CREATE UNIQUE INDEX webauthn_devices_lookup_key1 ON webauthn_devices (username, description);
+
+ALTER TABLE oauth2_consent_session
+ DROP CONSTRAINT oauth2_consent_session_subject_fkey,
+ DROP CONSTRAINT oauth2_consent_session_preconfiguration_fkey;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ DROP CONSTRAINT oauth2_consent_preconfiguration_subject_fkey;
+
+ALTER TABLE oauth2_access_token_session
+ DROP CONSTRAINT oauth2_access_token_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_access_token_session_subject_fkey;
+
+ALTER TABLE oauth2_authorization_code_session
+ DROP CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_authorization_code_session_subject_fkey;
+
+ALTER TABLE oauth2_openid_connect_session
+ DROP CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_openid_connect_session_subject_fkey;
+
+ALTER TABLE oauth2_pkce_request_session
+ DROP CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_pkce_request_session_subject_fkey;
+
+ALTER TABLE oauth2_refresh_token_session
+ DROP CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_refresh_token_session_subject_fkey;
+
+ALTER TABLE oauth2_consent_session
+ ADD CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
+ ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ ADD CONSTRAINT oauth2_consent_preconfiguration_subjct_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_access_token_session
+ ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_authorization_code_session
+ ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_pkce_request_session
+ ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_refresh_token_session
+ ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT;
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.postgres.up.sql b/internal/storage/migrations/V0007.ConsistencyFixes.postgres.up.sql
new file mode 100644
index 000000000..a0c50cc90
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.postgres.up.sql
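Review bot: The `oauth2_consent_preconfiguration_subjct_fkey` constraint added in the preconfiguration block reads like a typo but appears to deliberately restore the pre-V0007 name, which the up script drops under both the misspelled and the corrected spelling; a comment on that line, `-- intentionally restores the misspelled pre-V0007 constraint name`, would keep a future cleanup from "correcting" it. The rollback recreates the `(username, description)` uniqueness only as `webauthn_devices_lookup_key1` after dropping both the `_username_description_key*` and `_lookup_key*` variants, which is fine if every pre-V0007 database used the `lookup_key1` name but is worth stating in a comment since the two naming families are treated as interchangeable here. The `DROP CONSTRAINT` statements for the oauth2 foreign keys are the only drops in the file without `IF EXISTS`; adding it makes the rollback tolerant of a partially applied upgrade at no cost.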
@@ -0,0 +1,208 @@
+DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations;
+DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices;
+DROP TABLE IF EXISTS totp_secrets;
+DROP TABLE IF EXISTS identity_verification_tokens;
+DROP TABLE IF EXISTS u2f_devices;
+DROP TABLE IF EXISTS config;
+DROP TABLE IF EXISTS AuthenticationLogs;
+DROP TABLE IF EXISTS IdentityVerificationTokens;
+DROP TABLE IF EXISTS Preferences;
+DROP TABLE IF EXISTS PreferencesTableName;
+DROP TABLE IF EXISTS SecondFactorPreferences;
+DROP TABLE IF EXISTS TOTPSecrets;
+DROP TABLE IF EXISTS U2FDeviceHandles;
+
+ALTER TABLE webauthn_devices
+ ALTER COLUMN aaguid DROP NOT NULL;
+
+UPDATE webauthn_devices
+SET aaguid = NULL
+WHERE aaguid = '' OR aaguid = '00000000-00000000-00000000-00000000';
+
+ALTER TABLE duo_devices
+ DROP CONSTRAINT IF EXISTS duo_devices_username_key;
+
+DROP INDEX IF EXISTS duo_devices_username_key;
+
+CREATE UNIQUE INDEX duo_devices_username_key ON duo_devices (username);
+
+ALTER TABLE encryption
+ DROP CONSTRAINT IF EXISTS encryption_name_key;
+
+DROP INDEX IF EXISTS encryption_name_key;
+
+CREATE UNIQUE INDEX encryption_name_key ON encryption (name);
+
+ALTER TABLE identity_verification
+ DROP CONSTRAINT IF EXISTS identity_verification_jti_key;
+
+DROP INDEX IF EXISTS identity_verification_jti_key;
+
+CREATE UNIQUE INDEX identity_verification_jti_key ON identity_verification (jti);
+
+ALTER TABLE user_preferences
+ DROP CONSTRAINT IF EXISTS user_preferences_username_key;
+
+DROP INDEX IF EXISTS user_preferences_username_key;
+
+CREATE UNIQUE INDEX user_preferences_username_key ON user_preferences (username);
+
+ALTER TABLE totp_configurations
+ DROP CONSTRAINT IF EXISTS totp_configurations_username_key1,
+ DROP CONSTRAINT IF EXISTS totp_configurations_username_key,
+ DROP CONSTRAINT IF EXISTS totp_configurations_pkey,
+ DROP CONSTRAINT IF EXISTS totp_configurations_pkey1;
+
+DROP INDEX IF EXISTS totp_configurations_username_key1;
+DROP INDEX IF EXISTS totp_configurations_username_key;
+
+ALTER TABLE totp_configurations
+ RENAME TO _bkp_UP_V0007_totp_configurations;
+
+CREATE TABLE IF NOT EXISTS totp_configurations (
+ id SERIAL CONSTRAINT totp_configurations_pkey PRIMARY KEY,
+ created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL,
+ username VARCHAR(100) NOT NULL,
+ issuer VARCHAR(100),
+ algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1',
+ digits INTEGER NOT NULL DEFAULT 6,
+ period INTEGER NOT NULL DEFAULT 30,
+ secret BYTEA NOT NULL
+);
+
+CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username);
+
+INSERT INTO totp_configurations (created_at, last_used_at, username, issuer, algorithm, digits, period, secret)
+SELECT created_at, last_used_at, username, issuer, algorithm, digits, period, secret
+FROM _bkp_UP_V0007_totp_configurations
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_totp_configurations;
+
+ALTER TABLE webauthn_devices
+ DROP CONSTRAINT IF EXISTS webauthn_devices_username_description_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_kid_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_lookup_key1,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_username_description_key,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_kid_key,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_lookup_key,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_pkey,
+ DROP CONSTRAINT IF EXISTS webauthn_devices_pkey1;
+
+DROP INDEX IF EXISTS webauthn_devices_username_description_key1;
+DROP INDEX IF EXISTS webauthn_devices_kid_key1;
+DROP INDEX IF EXISTS webauthn_devices_lookup_key1;
+DROP INDEX IF EXISTS webauthn_devices_username_description_key;
+DROP INDEX IF EXISTS webauthn_devices_kid_key;
+DROP INDEX IF EXISTS webauthn_devices_lookup_key;
+
+ALTER TABLE webauthn_devices
+ RENAME TO _bkp_UP_V0007_webauthn_devices;
+
+CREATE TABLE IF NOT EXISTS webauthn_devices (
+ id SERIAL CONSTRAINT webauthn_devices_pkey PRIMARY KEY,
+ created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at TIMESTAMP WITH TIME ZONE NULL DEFAULT NULL,
+ rpid TEXT,
+ username VARCHAR(100) NOT NULL,
+ description VARCHAR(30) NOT NULL DEFAULT 'Primary',
+ kid VARCHAR(512) NOT NULL,
+ public_key BYTEA NOT NULL,
+ attestation_type VARCHAR(32),
+ transport VARCHAR(20) DEFAULT '',
+ aaguid CHAR(36) NOT NULL,
+ sign_count INTEGER DEFAULT 0,
+ clone_warning BOOLEAN NOT NULL DEFAULT FALSE
+);
+
+CREATE UNIQUE INDEX webauthn_devices_kid_key ON webauthn_devices (kid);
+CREATE UNIQUE INDEX webauthn_devices_lookup_key ON webauthn_devices (username, description);
+
+INSERT INTO webauthn_devices (created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning)
+SELECT created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning
+FROM _bkp_UP_V0007_webauthn_devices;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_webauthn_devices;
+
+ALTER TABLE oauth2_consent_session
+ DROP CONSTRAINT oauth2_consent_session_subject_fkey,
+ DROP CONSTRAINT oauth2_consent_session_preconfiguration_fkey;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ DROP CONSTRAINT IF EXISTS oauth2_consent_preconfiguration_subjct_fkey,
+ DROP CONSTRAINT IF EXISTS oauth2_consent_preconfiguration_subject_fkey;
+
+ALTER TABLE oauth2_access_token_session
+ DROP CONSTRAINT oauth2_access_token_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_access_token_session_subject_fkey;
+
+ALTER TABLE oauth2_authorization_code_session
+ DROP CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_authorization_code_session_subject_fkey;
+
+ALTER TABLE oauth2_openid_connect_session
+ DROP CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_openid_connect_session_subject_fkey;
+
+ALTER TABLE oauth2_pkce_request_session
+ DROP CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_pkce_request_session_subject_fkey;
+
+ALTER TABLE oauth2_refresh_token_session
+ DROP CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey,
+ DROP CONSTRAINT oauth2_refresh_token_session_subject_fkey;
+
+ALTER TABLE oauth2_consent_session
+ ADD CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT,
+ ADD CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE;
+
+ALTER TABLE oauth2_consent_preconfiguration
+ ADD CONSTRAINT oauth2_consent_preconfiguration_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_access_token_session
+ ADD CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_authorization_code_session
+ ADD CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_openid_connect_session
+ ADD CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_pkce_request_session
+ ADD CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
+ALTER TABLE oauth2_refresh_token_session
+ ADD CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ ADD CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT;
+
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql
new file mode 100644
index 000000000..b5a31858d
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.down.sql
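Review bot: The rebuilt `webauthn_devices` table declares `aaguid CHAR(36) NOT NULL`, yet the top of this script first runs `ALTER COLUMN aaguid DROP NOT NULL` and then sets `aaguid = NULL` for every row whose value was `''` or the all-zero sentinel; the `INSERT INTO webauthn_devices ... SELECT ... FROM _bkp_UP_V0007_webauthn_devices` that follows therefore violates NOT NULL on any such row and aborts the migration, and on databases with no such rows the column silently ends up NOT NULL again, contradicting both the earlier ALTER and the MySQL script's `MODIFY aaguid CHAR(36) NULL`. The column line should read `aaguid CHAR(36) NULL,` so the copy succeeds and the three dialects agree. The webauthn `INSERT ... SELECT` also has no `ORDER BY id` (the totp copy above does), so the new `SERIAL` ids may be assigned in a different order than before; adding `ORDER BY id` keeps the rebuild deterministic. A short comment above the two `RENAME TO _bkp_UP_V0007_*` statements noting that the backup tables exist only within this script and are dropped at its end would help the reader follow the rebuild.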
@@ -0,0 +1,617 @@
+PRAGMA foreign_keys=off;
+
+BEGIN TRANSACTION;
+
+ALTER TABLE webauthn_devices
+ RENAME TO _bkp_DOWN_V0007_webauthn_devices;
+
+CREATE TABLE IF NOT EXISTS webauthn_devices (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at TIMESTAMP NULL DEFAULT NULL,
+ rpid TEXT,
+ username VARCHAR(100) NOT NULL,
+ description VARCHAR(30) NOT NULL DEFAULT 'Primary',
+ kid VARCHAR(512) NOT NULL,
+ public_key BLOB NOT NULL,
+ attestation_type VARCHAR(32),
+ transport VARCHAR(20) DEFAULT '',
+ aaguid CHAR(36) NOT NULL,
+ sign_count INTEGER DEFAULT 0,
+ clone_warning BOOLEAN NOT NULL DEFAULT FALSE,
+ UNIQUE (username, description),
+ UNIQUE (kid)
+);
+
+INSERT INTO webauthn_devices (created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning)
+SELECT created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning
+FROM _bkp_DOWN_V0007_webauthn_devices;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_webauthn_devices;
+
+ALTER TABLE identity_verification
+ RENAME TO _bkp_DOWN_V0007_identity_verification;
+
+CREATE TABLE IF NOT EXISTS identity_verification (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ jti VARCHAR(36),
+ iat TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ issued_ip VARCHAR(39) NOT NULL,
+ exp TIMESTAMP NOT NULL,
+ username VARCHAR(100) NOT NULL,
+ action VARCHAR(50) NOT NULL,
+ consumed TIMESTAMP NULL DEFAULT NULL,
+ consumed_ip VARCHAR(39) NULL DEFAULT NULL,
+ UNIQUE (jti)
+);
+
+INSERT INTO identity_verification (jti, iat, issued_ip, exp, username, action, consumed, consumed_ip)
+SELECT jti, iat, issued_ip, exp, username, action, consumed, consumed_ip
+FROM _bkp_DOWN_V0007_identity_verification
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_identity_verification;
+
+ALTER TABLE totp_configurations
+ RENAME TO
_bkp_DOWN_V0007_totp_configurations;
+
+CREATE TABLE IF NOT EXISTS totp_configurations (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at TIMESTAMP NULL DEFAULT NULL,
+ username VARCHAR(100) NOT NULL,
+ issuer VARCHAR(100),
+ algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1',
+ digits INTEGER NOT NULL DEFAULT 6,
+ period INTEGER NOT NULL DEFAULT 30,
+ secret BLOB NOT NULL,
+ UNIQUE (username)
+);
+
+INSERT INTO totp_configurations (username, issuer, algorithm, digits, period, secret)
+SELECT username, issuer, algorithm, digits, period, secret
+FROM _bkp_DOWN_V0007_totp_configurations
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_totp_configurations;
+
+ALTER TABLE duo_devices
+ RENAME TO _bkp_DOWN_V0007_duo_devices;
+
+CREATE TABLE IF NOT EXISTS duo_devices (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ username VARCHAR(100) NOT NULL,
+ device VARCHAR(32) NOT NULL,
+ method VARCHAR(16) NOT NULL,
+ UNIQUE (username)
+);
+
+INSERT INTO duo_devices (username, device, method)
+SELECT username, device, method
+FROM _bkp_DOWN_V0007_duo_devices
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_duo_devices;
+
+ALTER TABLE user_preferences
+ RENAME TO _bkp_DOWN_V0007_user_preferences;
+
+CREATE TABLE IF NOT EXISTS user_preferences (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ username VARCHAR(100) NOT NULL,
+ second_factor_method VARCHAR(11) NOT NULL,
+ UNIQUE (username)
+);
+
+INSERT INTO user_preferences (username, second_factor_method)
+SELECT username, second_factor_method
+FROM _bkp_DOWN_V0007_user_preferences
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_user_preferences;
+
+ALTER TABLE encryption
+ RENAME TO _bkp_DOWN_V0007_encryption;
+
+CREATE TABLE IF NOT EXISTS encryption (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name VARCHAR(100),
+ value BLOB NOT NULL,
+ UNIQUE (name)
+);
+
+INSERT INTO encryption (name, value)
+SELECT name, value
+FROM
_bkp_DOWN_V0007_encryption
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_encryption;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_consent_preconfiguration (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ expires_at TIMESTAMP NULL DEFAULT NULL,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ scopes TEXT NOT NULL,
+ audience TEXT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, revoked, scopes, audience)
+SELECT client_id, subject, created_at, expires_at, revoked, scopes, audience
+FROM oauth2_consent_preconfiguration
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_consent_preconfiguration;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ authorized BOOLEAN NOT NULL DEFAULT FALSE,
+ granted BOOLEAN NOT NULL DEFAULT FALSE,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ responded_at TIMESTAMP NULL DEFAULT NULL,
+ form_data TEXT NOT NULL,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ preconfiguration INTEGER NULL DEFAULT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration
+FROM oauth2_consent_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_consent_session;
+
+CREATE TABLE IF NOT EXISTS
_bkp_DOWN_V0007_oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_authorization_code_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_authorization_code_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes,
requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_access_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_access_token_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_refresh_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_refresh_token_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+
requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_pkce_request_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_pkce_request_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_DOWN_V0007_oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_DOWN_V0007_oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_openid_connect_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_openid_connect_session;
+
+DROP INDEX IF EXISTS
user_opaque_identifier_identifier_key;
+DROP INDEX IF EXISTS user_opaque_identifier_lookup_key;
+
+ALTER TABLE user_opaque_identifier
+ RENAME TO _bkp_DOWN_V0007_user_opaque_identifier;
+
+CREATE TABLE IF NOT EXISTS user_opaque_identifier (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ service VARCHAR(20) NOT NULL,
+ sector_id VARCHAR(255) NOT NULL,
+ username VARCHAR(100) NOT NULL,
+ identifier CHAR(36) NOT NULL
+);
+
+CREATE UNIQUE INDEX user_opaque_identifier_service_sector_id_username_key ON user_opaque_identifier (service, sector_id, username);
+CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier);
+
+INSERT INTO user_opaque_identifier (service, sector_id, username, identifier)
+SELECT service, sector_id, username, identifier
+FROM _bkp_DOWN_V0007_user_opaque_identifier
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_user_opaque_identifier;
+
+DROP INDEX IF EXISTS authentication_logs_username_idx;
+DROP INDEX IF EXISTS authentication_logs_remote_ip_idx;
+
+ALTER TABLE authentication_logs
+ RENAME TO _bkp_DOWN_V0007_authentication_logs;
+
+CREATE TABLE IF NOT EXISTS authentication_logs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ successful BOOLEAN NOT NULL,
+ banned BOOLEAN NOT NULL DEFAULT FALSE,
+ username VARCHAR(100) NOT NULL,
+ auth_type VARCHAR(8) NOT NULL DEFAULT '1FA',
+ remote_ip VARCHAR(39) NULL DEFAULT NULL,
+ request_uri TEXT,
+ request_method VARCHAR(8) NOT NULL DEFAULT ''
+);
+
+CREATE INDEX authentication_logs_username_idx ON authentication_logs (time, username, auth_type);
+CREATE INDEX authentication_logs_remote_ip_idx ON authentication_logs (time, remote_ip, auth_type);
+
+INSERT INTO authentication_logs (time, successful, banned, username, auth_type, remote_ip, request_uri, request_method)
+SELECT time, successful, banned, username, auth_type, remote_ip, request_uri, request_method
+FROM _bkp_DOWN_V0007_authentication_logs
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_authentication_logs;
+
+ALTER TABLE migrations
+ RENAME TO _bkp_DOWN_V0007_migrations;
+
+CREATE TABLE IF NOT EXISTS migrations (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ applied TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ version_before INTEGER NULL DEFAULT NULL,
+ version_after INTEGER NOT NULL,
+ application_version VARCHAR(128) NOT NULL
+);
+
+INSERT INTO migrations (applied, version_before, version_after, application_version)
+SELECT applied, version_before, version_after, application_version
+FROM _bkp_DOWN_V0007_migrations
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_migrations;
+
+DROP INDEX IF EXISTS oauth2_blacklisted_jti_signature_key;
+
+ALTER TABLE oauth2_blacklisted_jti
+ RENAME TO _bkp_DOWN_V0007_oauth2_blacklisted_jti;
+
+CREATE TABLE IF NOT EXISTS oauth2_blacklisted_jti (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ signature VARCHAR(64) NOT NULL,
+ expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE UNIQUE INDEX oauth2_blacklisted_jti_signature_key ON oauth2_blacklisted_jti (signature);
+
+INSERT INTO oauth2_blacklisted_jti (signature, expires_at)
+SELECT signature, expires_at
+FROM _bkp_DOWN_V0007_oauth2_blacklisted_jti
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_blacklisted_jti;
+
+CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ expires_at TIMESTAMP NULL DEFAULT NULL,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ scopes TEXT NOT NULL,
+ audience TEXT NULL,
+ CONSTRAINT oauth2_consent_preconfiguration_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+INSERT INTO oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, revoked, scopes, audience)
+SELECT client_id, subject, created_at, expires_at, revoked, scopes, audience
+FROM _bkp_DOWN_V0007_oauth2_consent_preconfiguration
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_consent_preconfiguration;
+
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ authorized BOOLEAN NOT NULL DEFAULT FALSE,
+ granted BOOLEAN NOT NULL DEFAULT FALSE,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ responded_at TIMESTAMP NULL DEFAULT NULL,
+ form_data TEXT NOT NULL,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ preconfiguration INTEGER NULL DEFAULT NULL,
+ CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT,
+ CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
+
+INSERT INTO oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration
+FROM _bkp_DOWN_V0007_oauth2_consent_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_consent_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT
NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
+
+INSERT INTO oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0007_oauth2_authorization_code_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_authorization_code_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject
CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
+CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id);
+CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
+
+INSERT INTO oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0007_oauth2_access_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_access_token_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+
requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
+
+INSERT INTO oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0007_oauth2_refresh_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_refresh_token_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN
NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
+
+INSERT INTO oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0007_oauth2_pkce_request_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_pkce_request_session;
+
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+
FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE RESTRICT ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+
+INSERT INTO oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_DOWN_V0007_oauth2_openid_connect_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_DOWN_V0007_oauth2_openid_connect_session;
+
+COMMIT;
+
+PRAGMA foreign_keys=on;
diff --git a/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql
new file mode 100644
index 000000000..80847f593
--- /dev/null
+++ b/internal/storage/migrations/V0007.ConsistencyFixes.sqlite.up.sql
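Review bot: The rebuilt `oauth2_*` tables are repopulated from the `_bkp_DOWN_V0007_*` copies while `PRAGMA foreign_keys=off`, so rows whose `subject` or `challenge_id` no longer resolve to `user_opaque_identifier (identifier)` or `oauth2_consent_session (challenge_id)` are copied unchecked and the recreated `RESTRICT` constraints only start failing on later writes; a `PRAGMA foreign_key_check;` immediately before `COMMIT;` would surface such rows at migration time, provided the migration runner (not part of this diff) treats any returned rows as a failure. Separately, `webauthn_devices` is recreated near the top of this file with `aaguid CHAR(36) NOT NULL` while the up migration that follows relaxes the column to `aaguid CHAR(36) NULL`, so a downgrade will abort (and roll back, since it is inside the transaction) on any device row stored with a NULL aaguid after the upgrade; that limitation should at least be stated in the migration notes. The `webauthn_devices` copy is also the only `INSERT ... SELECT` here without `ORDER BY id`, so the renumbered ids are not guaranteed to follow the original order; `FROM _bkp_DOWN_V0007_webauthn_devices ORDER BY id;` would match every other table, and the same applies to the corresponding copy in the sqlite up migration.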
@@ -0,0 +1,667 @@
+PRAGMA foreign_keys=off;
+
+BEGIN TRANSACTION;
+
+DROP TABLE IF EXISTS _bkp_UP_V0002_totp_configurations;
+DROP TABLE IF EXISTS _bkp_UP_V0002_u2f_devices;
+DROP TABLE IF EXISTS totp_secrets;
+DROP TABLE IF EXISTS identity_verification_tokens;
+DROP TABLE IF EXISTS u2f_devices;
+DROP TABLE IF EXISTS config;
+DROP TABLE IF EXISTS AuthenticationLogs;
+DROP TABLE IF EXISTS IdentityVerificationTokens;
+DROP TABLE IF EXISTS Preferences;
+DROP TABLE IF EXISTS PreferencesTableName;
+DROP TABLE IF EXISTS SecondFactorPreferences;
+DROP TABLE IF EXISTS TOTPSecrets;
+DROP TABLE IF EXISTS U2FDeviceHandles;
+
+DROP INDEX IF EXISTS webauthn_devices_lookup_key;
+DROP INDEX IF EXISTS webauthn_devices_kid_key;
+
+ALTER TABLE webauthn_devices
+ RENAME TO _bkp_UP_V0007_webauthn_devices;
+
+CREATE TABLE IF NOT EXISTS webauthn_devices (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at DATETIME NULL DEFAULT NULL,
+ rpid TEXT,
+ username VARCHAR(100) NOT NULL,
+ description VARCHAR(30) NOT NULL DEFAULT 'Primary',
+ kid VARCHAR(512) NOT NULL,
+ public_key BLOB NOT NULL,
+ attestation_type VARCHAR(32),
+ transport VARCHAR(20) DEFAULT '',
+ aaguid CHAR(36) NULL,
+ sign_count INTEGER DEFAULT 0,
+ clone_warning BOOLEAN NOT NULL DEFAULT FALSE
+);
+
+CREATE UNIQUE INDEX webauthn_devices_lookup_key ON webauthn_devices (username, description);
+CREATE UNIQUE INDEX webauthn_devices_kid_key ON webauthn_devices (kid);
+
+INSERT INTO webauthn_devices (created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning)
+SELECT created_at, last_used_at, rpid, username, description, kid, public_key, attestation_type, transport, aaguid, sign_count, clone_warning
+FROM _bkp_UP_V0007_webauthn_devices;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_webauthn_devices;
+
+DROP INDEX IF EXISTS identity_verification_jti_key;
+
+ALTER TABLE identity_verification
+ RENAME TO _bkp_UP_V0007_identity_verification;
+
+CREATE TABLE IF NOT EXISTS identity_verification (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ jti VARCHAR(36),
+ iat DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ issued_ip VARCHAR(39) NOT NULL,
+ exp DATETIME NOT NULL,
+ username VARCHAR(100) NOT NULL,
+ action VARCHAR(50) NOT NULL,
+ consumed DATETIME NULL DEFAULT NULL,
+ consumed_ip VARCHAR(39) NULL DEFAULT NULL
+);
+
+CREATE UNIQUE INDEX identity_verification_jti_key ON identity_verification (jti);
+
+INSERT INTO identity_verification (jti, iat, issued_ip, exp, username, action, consumed, consumed_ip)
+SELECT jti, iat, issued_ip, exp, username, action, consumed, consumed_ip
+FROM _bkp_UP_V0007_identity_verification
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_identity_verification;
+
+DROP INDEX IF EXISTS totp_configurations_username_key;
+
+ALTER TABLE totp_configurations
+ RENAME TO _bkp_UP_V0007_totp_configurations;
+
+CREATE TABLE IF NOT EXISTS totp_configurations (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ last_used_at DATETIME NULL DEFAULT NULL,
+ username VARCHAR(100) NOT NULL,
+ issuer VARCHAR(100),
+ algorithm VARCHAR(6) NOT NULL DEFAULT 'SHA1',
+ digits INTEGER NOT NULL DEFAULT 6,
+ period INTEGER NOT NULL DEFAULT 30,
+ secret BLOB NOT NULL
+);
+
+CREATE UNIQUE INDEX totp_configurations_username_key ON totp_configurations (username);
+
+INSERT INTO totp_configurations (username, issuer, algorithm, digits, period, secret)
+SELECT username, issuer, algorithm, digits, period, secret
+FROM _bkp_UP_V0007_totp_configurations
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_totp_configurations;
+
+DROP INDEX IF EXISTS duo_devices_username_key;
+
+ALTER TABLE duo_devices
+ RENAME TO _bkp_UP_V0007_duo_devices;
+
+CREATE TABLE IF NOT EXISTS duo_devices (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ username VARCHAR(100) NOT NULL,
+ device VARCHAR(32) NOT NULL,
+ method VARCHAR(16) NOT NULL
+);
+
+CREATE UNIQUE INDEX duo_devices_username_key ON duo_devices (username);
+
+INSERT INTO duo_devices (username, device, method)
+SELECT username, device, method
+FROM _bkp_UP_V0007_duo_devices;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_duo_devices;
+
+ALTER TABLE user_preferences
+ RENAME TO _bkp_UP_V0007_user_preferences;
+
+CREATE TABLE IF NOT EXISTS user_preferences (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ username VARCHAR(100) NOT NULL,
+ second_factor_method VARCHAR(11) NOT NULL
+);
+
+CREATE UNIQUE INDEX user_preferences_username_key ON user_preferences (username);
+
+INSERT INTO user_preferences (username, second_factor_method)
+SELECT username, second_factor_method
+FROM _bkp_UP_V0007_user_preferences
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_user_preferences;
+
+ALTER TABLE encryption
+ RENAME TO _bkp_UP_V0007_encryption;
+
+CREATE TABLE IF NOT EXISTS encryption (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ name VARCHAR(100),
+ value BLOB NOT NULL
+);
+
+CREATE UNIQUE INDEX encryption_name_key ON encryption (name);
+
+INSERT INTO encryption (name, value)
+SELECT name, value
+FROM _bkp_UP_V0007_encryption
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_encryption;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_consent_preconfiguration (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ expires_at DATETIME NULL DEFAULT NULL,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ scopes TEXT NOT NULL,
+ audience TEXT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, revoked, scopes, audience)
+SELECT client_id, subject, created_at, expires_at, revoked, scopes, audience
+FROM oauth2_consent_preconfiguration
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_consent_preconfiguration;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ authorized BOOLEAN NOT NULL DEFAULT FALSE,
+ granted BOOLEAN NOT NULL DEFAULT FALSE,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ responded_at DATETIME NULL DEFAULT NULL,
+ form_data TEXT NOT NULL,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ preconfiguration INTEGER NULL DEFAULT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration
+FROM oauth2_consent_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_consent_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_authorization_code_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_authorization_code_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_access_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_access_token_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_refresh_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_refresh_token_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_pkce_request_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_pkce_request_session;
+
+CREATE TABLE IF NOT EXISTS _bkp_UP_V0007_oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL
+);
+
+INSERT INTO _bkp_UP_V0007_oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM oauth2_openid_connect_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS oauth2_openid_connect_session;
+
+DROP INDEX IF EXISTS user_opaque_identifier_identifier_key;
+DROP INDEX IF EXISTS user_opaque_identifier_service_sector_id_username_key;
+
+ALTER TABLE user_opaque_identifier
+ RENAME TO _bkp_UP_V0007_user_opaque_identifier;
+
+CREATE TABLE IF NOT EXISTS user_opaque_identifier (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ service VARCHAR(20) NOT NULL,
+ sector_id VARCHAR(255) NOT NULL,
+ username VARCHAR(100) NOT NULL,
+ identifier CHAR(36) NOT NULL
+);
+
+CREATE UNIQUE INDEX user_opaque_identifier_lookup_key ON user_opaque_identifier (service, sector_id, username);
+CREATE UNIQUE INDEX user_opaque_identifier_identifier_key ON user_opaque_identifier (identifier);
+
+INSERT INTO user_opaque_identifier (service, sector_id, username, identifier)
+SELECT service, sector_id, username, identifier
+FROM _bkp_UP_V0007_user_opaque_identifier
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_user_opaque_identifier;
+
+DROP INDEX IF EXISTS authentication_logs_username_idx;
+DROP INDEX IF EXISTS authentication_logs_remote_ip_idx;
+
+ALTER TABLE authentication_logs
+ RENAME TO _bkp_UP_V0007_authentication_logs;
+
+CREATE TABLE IF NOT EXISTS authentication_logs (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ time DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ successful BOOLEAN NOT NULL,
+ banned BOOLEAN NOT NULL DEFAULT FALSE,
+ username VARCHAR(100) NOT NULL,
+ auth_type VARCHAR(8) NOT NULL DEFAULT '1FA',
+ remote_ip VARCHAR(39) NULL DEFAULT NULL,
+ request_uri TEXT,
+ request_method VARCHAR(8) NOT NULL DEFAULT ''
+);
+
+CREATE INDEX authentication_logs_username_idx ON authentication_logs (time, username, auth_type);
+CREATE INDEX authentication_logs_remote_ip_idx ON authentication_logs (time, remote_ip, auth_type);
+
+INSERT INTO authentication_logs (time, successful, banned, username, auth_type, remote_ip, request_uri, request_method)
+SELECT time, successful, banned, username, auth_type, remote_ip, request_uri, request_method
+FROM _bkp_UP_V0007_authentication_logs
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_authentication_logs;
+
+ALTER TABLE migrations
+ RENAME TO _bkp_UP_V0007_migrations;
+
+CREATE TABLE IF NOT EXISTS migrations (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ applied DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ version_before INTEGER NULL DEFAULT NULL,
+ version_after INTEGER NOT NULL,
+ application_version VARCHAR(128) NOT NULL
+);
+
+INSERT INTO migrations (applied, version_before, version_after, application_version)
+SELECT applied, version_before, version_after, application_version
+FROM _bkp_UP_V0007_migrations
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_migrations;
+
+DROP INDEX IF EXISTS oauth2_blacklisted_jti_signature_key;
+
+ALTER TABLE oauth2_blacklisted_jti
+ RENAME TO _bkp_UP_V0007_oauth2_blacklisted_jti;
+
+CREATE TABLE IF NOT EXISTS oauth2_blacklisted_jti (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ signature VARCHAR(64) NOT NULL,
+ expires_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE UNIQUE INDEX oauth2_blacklisted_jti_signature_key ON oauth2_blacklisted_jti (signature);
+
+INSERT INTO oauth2_blacklisted_jti (signature, expires_at)
+SELECT signature, expires_at
+FROM _bkp_UP_V0007_oauth2_blacklisted_jti
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_blacklisted_jti;
+
+CREATE TABLE IF NOT EXISTS oauth2_consent_preconfiguration (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ expires_at DATETIME NULL DEFAULT NULL,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ scopes TEXT NOT NULL,
+ audience TEXT NULL,
+ CONSTRAINT "oauth2_consent_preconfiguration_subject_fkey"
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+INSERT INTO oauth2_consent_preconfiguration (client_id, subject, created_at, expires_at, revoked, scopes, audience)
+SELECT client_id, subject, created_at, expires_at, revoked, scopes, audience
+FROM _bkp_UP_V0007_oauth2_consent_preconfiguration
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_consent_preconfiguration;
+
+DROP INDEX IF EXISTS oauth2_consent_session_challenge_id_key;
+
+CREATE TABLE IF NOT EXISTS oauth2_consent_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ authorized BOOLEAN NOT NULL DEFAULT FALSE,
+ granted BOOLEAN NOT NULL DEFAULT FALSE,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ responded_at DATETIME NULL DEFAULT NULL,
+ form_data TEXT NOT NULL,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ preconfiguration INTEGER NULL DEFAULT NULL,
+ CONSTRAINT oauth2_consent_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT oauth2_consent_session_preconfiguration_fkey
+ FOREIGN KEY (preconfiguration)
+ REFERENCES oauth2_consent_preconfiguration (id) ON UPDATE CASCADE ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX oauth2_consent_session_challenge_id_key ON oauth2_consent_session (challenge_id);
+
+INSERT INTO oauth2_consent_session (challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration)
+SELECT challenge_id, client_id, subject, authorized, granted, requested_at, responded_at, form_data, requested_scopes, granted_scopes, requested_audience, granted_audience, preconfiguration
+FROM _bkp_UP_V0007_oauth2_consent_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_consent_session;
+
+DROP INDEX IF EXISTS oauth2_authorization_code_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_authorization_code_session_client_id_subject_idx;
+
+CREATE TABLE IF NOT EXISTS oauth2_authorization_code_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_authorization_code_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_authorization_code_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_authorization_code_session_request_id_idx ON oauth2_authorization_code_session (request_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_idx ON oauth2_authorization_code_session (client_id);
+CREATE INDEX oauth2_authorization_code_session_client_id_subject_idx ON oauth2_authorization_code_session (client_id, subject);
+
+INSERT INTO oauth2_authorization_code_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_UP_V0007_oauth2_authorization_code_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_authorization_code_session;
+
+DROP INDEX IF EXISTS oauth2_access_token_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_access_token_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_access_token_session_client_id_subject_idx;
+
+CREATE TABLE IF NOT EXISTS oauth2_access_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_access_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_access_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_access_token_session_request_id_idx ON oauth2_access_token_session (request_id);
+CREATE INDEX oauth2_access_token_session_client_id_idx ON oauth2_access_token_session (client_id);
+CREATE INDEX oauth2_access_token_session_client_id_subject_idx ON oauth2_access_token_session (client_id, subject);
+
+INSERT INTO oauth2_access_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_UP_V0007_oauth2_access_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_access_token_session;
+
+DROP INDEX IF EXISTS oauth2_refresh_token_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_refresh_token_session_client_id_subject_idx;
+
+CREATE TABLE IF NOT EXISTS oauth2_refresh_token_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_refresh_token_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_refresh_token_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_refresh_token_session_request_id_idx ON oauth2_refresh_token_session (request_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_idx ON oauth2_refresh_token_session (client_id);
+CREATE INDEX oauth2_refresh_token_session_client_id_subject_idx ON oauth2_refresh_token_session (client_id, subject);
+
+INSERT INTO oauth2_refresh_token_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_UP_V0007_oauth2_refresh_token_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_refresh_token_session;
+
+DROP INDEX IF EXISTS oauth2_pkce_request_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_pkce_request_session_client_id_subject_idx;
+
+CREATE TABLE IF NOT EXISTS oauth2_pkce_request_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_pkce_request_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_pkce_request_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_pkce_request_session_request_id_idx ON oauth2_pkce_request_session (request_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_idx ON oauth2_pkce_request_session (client_id);
+CREATE INDEX oauth2_pkce_request_session_client_id_subject_idx ON oauth2_pkce_request_session (client_id, subject);
+
+INSERT INTO oauth2_pkce_request_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_UP_V0007_oauth2_pkce_request_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_pkce_request_session;
+
+DROP INDEX IF EXISTS oauth2_openid_connect_session_request_id_idx;
+DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_idx;
+DROP INDEX IF EXISTS oauth2_openid_connect_session_client_id_subject_idx;
+
+CREATE TABLE IF NOT EXISTS oauth2_openid_connect_session (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ challenge_id CHAR(36) NOT NULL,
+ request_id VARCHAR(40) NOT NULL,
+ client_id VARCHAR(255) NOT NULL,
+ signature VARCHAR(255) NOT NULL,
+ subject CHAR(36) NOT NULL,
+ requested_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ requested_scopes TEXT NOT NULL,
+ granted_scopes TEXT NOT NULL,
+ requested_audience TEXT NULL DEFAULT '',
+ granted_audience TEXT NULL DEFAULT '',
+ active BOOLEAN NOT NULL DEFAULT FALSE,
+ revoked BOOLEAN NOT NULL DEFAULT FALSE,
+ form_data TEXT NOT NULL,
+ session_data BLOB NOT NULL,
+ CONSTRAINT oauth2_openid_connect_session_challenge_id_fkey
+ FOREIGN KEY (challenge_id)
+ REFERENCES oauth2_consent_session (challenge_id) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT oauth2_openid_connect_session_subject_fkey
+ FOREIGN KEY (subject)
+ REFERENCES user_opaque_identifier (identifier) ON UPDATE CASCADE ON DELETE RESTRICT
+);
+
+CREATE INDEX oauth2_openid_connect_session_request_id_idx ON oauth2_openid_connect_session (request_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_idx ON oauth2_openid_connect_session (client_id);
+CREATE INDEX oauth2_openid_connect_session_client_id_subject_idx ON oauth2_openid_connect_session (client_id, subject);
+
+INSERT INTO oauth2_openid_connect_session (challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data)
+SELECT challenge_id, request_id, client_id, signature, subject, requested_at, requested_scopes, granted_scopes, requested_audience, granted_audience, active, revoked, form_data, session_data
+FROM _bkp_UP_V0007_oauth2_openid_connect_session
+ORDER BY id;
+
+DROP TABLE IF EXISTS _bkp_UP_V0007_oauth2_openid_connect_session;
+
+COMMIT;
+
+PRAGMA foreign_keys=on;
diff --git a/internal/storage/migrations_test.go b/internal/storage/migrations_test.go
index f7c9df73e..b60a13628 100644
--- a/internal/storage/migrations_test.go
+++ b/internal/storage/migrations_test.go
@@ -9,7 +9,7 @@ import (
 const (
 // This is the latest schema version for the purpose of tests.
- LatestVersion = 6
+ LatestVersion = 7
 )
 func TestShouldObtainCorrectUpMigrations(t *testing.T) {
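Review bot: The two copies of oauth2_consent_preconfiguration (first into `_bkp_UP_V0007_oauth2_consent_preconfiguration`, then back into the rebuilt table) omit `id` from both the column list and the SELECT, so the AUTOINCREMENT key is renumbered from 1 in old-id order, while `oauth2_consent_session.preconfiguration` is copied verbatim and — with `PRAGMA foreign_keys=off` for the whole transaction — never checked against the new ids; unless the old id sequence is guaranteed gap-free, a consent session ends up pointing at a different subject's or client's pre-configured consent, or at nothing, and the new `oauth2_consent_session_preconfiguration_fkey` only enforces the relation for future writes. Carrying `id` through both statements keeps the references stable, and a `PRAGMA foreign_key_check;` immediately before `COMMIT;` would surface any orphaned `subject`, `challenge_id` or `preconfiguration` values left by the off-switch (whether the Go runner would treat a non-empty result as failure is outside this hunk). Separately, the `totp_configurations` copy selects only `username, issuer, algorithm, digits, period, secret`, so if the pre-V0007 table already carries `created_at`/`last_used_at` (as the `webauthn_devices` copy assumes for its table) those timestamps are silently reset to now/NULL. The `webauthn_devices` and `duo_devices` copies are also the only ones without `ORDER BY id`, so their rows are renumbered in unspecified order, and `user_preferences`/`encryption` are the only rebuilt tables not preceded by a `DROP INDEX IF EXISTS` for the index name they go on to create.
```sql
-- … unchanged: backup table definition …
INSERT INTO _bkp_UP_V0007_oauth2_consent_preconfiguration (id, client_id, subject, created_at, expires_at, revoked, scopes, audience)
SELECT id, client_id, subject, created_at, expires_at, revoked, scopes, audience
FROM oauth2_consent_preconfiguration
ORDER BY id;

-- … unchanged: remaining backups and rebuilds …

INSERT INTO oauth2_consent_preconfiguration (id, client_id, subject, created_at, expires_at, revoked, scopes, audience)
SELECT id, client_id, subject, created_at, expires_at, revoked, scopes, audience
FROM _bkp_UP_V0007_oauth2_consent_preconfiguration
ORDER BY id;

-- … unchanged: session table rebuilds …

PRAGMA foreign_key_check;

COMMIT;
```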