- PKCE (S256) in OAuth flow: code_verifier in oauth_states, code_challenge in auth URL
- CryptoService: AES-256-GCM encryption for OAuth provider tokens at rest
- OAuth redirect URL validated against OAUTH_ALLOWED_REDIRECT_DOMAINS
- CHAT_JWT_SECRET must differ from JWT_SECRET in production
- Migration script: cmd/tools/encrypt_oauth_tokens for existing tokens
- Fixes: VEZA-SEC-003, VEZA-SEC-004, VEZA-SEC-009, VEZA-SEC-010
18 lines
736 B
SQL
-- 936_oauth_states_pkce.sql
-- OAuth states table with PKCE code_verifier support (v0.902 Sentinel)
CREATE TABLE IF NOT EXISTS public.oauth_states (
id BIGSERIAL PRIMARY KEY,
state_token VARCHAR(255) NOT NULL UNIQUE,
provider VARCHAR(50) NOT NULL,
redirect_url TEXT,
code_verifier VARCHAR(255),
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_oauth_states_state_token ON public.oauth_states(state_token);
CREATE INDEX IF NOT EXISTS idx_oauth_states_expires_at ON public.oauth_states(expires_at);
-- If table already exists (without code_verifier), add the column
ALTER TABLE public.oauth_states ADD COLUMN IF NOT EXISTS code_verifier VARCHAR(255);
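Review bot: `code_verifier` is nullable and unconstrained in both the CREATE TABLE column and the ALTER TABLE backfill, so a state row written without a verifier (a PKCE downgrade, or a code path that forgot to set it) passes the schema and the exchange step is the only place that can catch it; the schema should at least pin the RFC 7636 length with `code_verifier VARCHAR(255) CHECK (code_verifier IS NULL OR char_length(code_verifier) BETWEEN 43 AND 128),` and the ALTER path needs a matching named `ADD CONSTRAINT`, guarded for idempotence since Postgres has no `ADD CONSTRAINT IF NOT EXISTS`, while the callback handler must treat NULL as a hard failure rather than skipping the check. The verifier is also stored in clear, unlike the provider tokens this commit encrypts; that is defensible because it is only useful until the code exchange, but only if rows are deleted on first use and purged past `expires_at` (the `idx_oauth_states_expires_at` index suggests a sweeper exists, which cannot be confirmed from this file), so a header comment stating `-- code_verifier is a short-lived secret: row must be consumed once and purged after expires_at` would document the assumption the security of the column rests on. Minor: `created_at` should be `NOT NULL` alongside its `DEFAULT NOW()`.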