senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/veza-backend-api/migrations/936_oauth_states_pkce.sql

19 lines
736 B
MySQL
Raw Normal View History

release(v0.902): Sentinel - PKCE OAuth, token encryption, redirect validation, CHAT_JWT_SECRET - PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL - CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest - OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS - CHAT_JWT_SECRET must differ from JWT_SECRET in production - Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens - Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
2026-02-26 18:49:15 +00:00
-- 936_oauth_states_pkce.sql
-- OAuth states table with PKCE code_verifier support (v0.902 Sentinel)
CREATE TABLE IF NOT EXISTS public.oauth_states (
id BIGSERIAL PRIMARY KEY,
state_token VARCHAR(255) NOT NULL UNIQUE,
provider VARCHAR(50) NOT NULL,
redirect_url TEXT,
code_verifier VARCHAR(255),
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_oauth_states_state_token ON public.oauth_states(state_token);
CREATE INDEX IF NOT EXISTS idx_oauth_states_expires_at ON public.oauth_states(expires_at);
-- If table already exists (without code_verifier), add the column
ALTER TABLE public.oauth_states ADD COLUMN IF NOT EXISTS code_verifier VARCHAR(255);
Reference in a new issue Copy permalink