Improve OpenID login flow security

2026-03-13 05:49:16 +01:00 · 2023-12-06 13:34:56 -10:00 · 2023-12-06 13:34:56 -10:00 · 22ebf72b6b
commit 22ebf72b6b
parent d47a11cfc2
5 changed files with 77 additions and 28 deletions
--- a/prisma/migrations/20231206231959_add_issuer_and_client_to_flows/migration.sql
+++ b/prisma/migrations/20231206231959_add_issuer_and_client_to_flows/migration.sql
@ -0,0 +1,12 @@
+/*
+  Warnings:
+
+  - Added the required column `issuerId` to the `OpenIdLoginFlow` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- AlterTable
+ALTER TABLE "OpenIdLoginFlow" ADD COLUMN     "applicationId" UUID,
+ADD COLUMN     "issuerId" TEXT NOT NULL;
+
+-- AddForeignKey
+ALTER TABLE "OpenIdLoginFlow" ADD CONSTRAINT "OpenIdLoginFlow_applicationId_fkey" FOREIGN KEY ("applicationId") REFERENCES "Application"("id") ON DELETE CASCADE ON UPDATE CASCADE;
--- a/prisma/migrations/20231206232131_make_client_id_unique/migration.sql
+++ b/prisma/migrations/20231206232131_make_client_id_unique/migration.sql
@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[client_id]` on the table `Application` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- CreateIndex
+CREATE UNIQUE INDEX "Application_client_id_key" ON "Application"("client_id");
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@ -10,16 +10,17 @@ datasource db {
 }

 model Application {
-  id            String   @id @default(dbgenerated("uuid_generate_v7()")) @db.Uuid
-  name          String
-  website       String?
-  vapid_key     String?
-  client_id     String
-  secret        String
-  scopes        String
-  redirect_uris String
-  statuses      Status[] // One to many relation with Status
-  tokens        Token[] // One to many relation with Token
+  id               String            @id @default(dbgenerated("uuid_generate_v7()")) @db.Uuid
+  name             String
+  website          String?
+  vapid_key        String?
+  client_id        String            @unique
+  secret           String
+  scopes           String
+  redirect_uris    String
+  statuses         Status[] // One to many relation with Status
+  tokens           Token[] // One to many relation with Token
+  openIdLoginFlows OpenIdLoginFlow[]
 }

 model Emoji {
@ -140,8 +141,11 @@ model Token {
 }

 model OpenIdLoginFlow {
-  id           String @id @default(dbgenerated("uuid_generate_v7()")) @db.Uuid
-  codeVerifier String
+  id            String       @id @default(dbgenerated("uuid_generate_v7()")) @db.Uuid
+  codeVerifier  String
+  issuerId      String
+  application   Application? @relation(fields: [applicationId], references: [id], onDelete: Cascade)
+  applicationId String?      @db.Uuid
 }

 model Attachment {