-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathschema.sql
More file actions
109 lines (100 loc) · 3.6 KB
/
Copy pathschema.sql
File metadata and controls
109 lines (100 loc) · 3.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
-- Users table
CREATE TABLE IF NOT EXISTS users (
id TEXT PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
email TEXT NOT NULL UNIQUE,
hashed_password TEXT NOT NULL,
display_name TEXT,
avatar_url TEXT,
created_at INTEGER NOT NULL,
updated_at INTEGER NOT NULL
);
-- Sessions table
CREATE TABLE IF NOT EXISTS sessions (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
expires_at INTEGER NOT NULL,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
-- OAuth accounts table (for future OAuth integration)
CREATE TABLE IF NOT EXISTS oauth_accounts (
provider TEXT NOT NULL,
provider_user_id TEXT NOT NULL,
user_id TEXT NOT NULL,
created_at INTEGER NOT NULL,
PRIMARY KEY (provider, provider_user_id),
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
-- Applications table (for SSO clients)
CREATE TABLE IF NOT EXISTS applications (
id TEXT PRIMARY KEY,
name TEXT NOT NULL,
client_id TEXT NOT NULL UNIQUE,
client_secret TEXT NOT NULL,
redirect_uris TEXT NOT NULL,
created_at INTEGER NOT NULL
);
-- Authorization codes table
CREATE TABLE IF NOT EXISTS auth_codes (
code TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
client_id TEXT NOT NULL,
redirect_uri TEXT NOT NULL,
expires_at INTEGER NOT NULL,
created_at INTEGER NOT NULL,
code_challenge TEXT,
code_challenge_method TEXT DEFAULT 'S256',
state TEXT,
scope TEXT DEFAULT 'profile',
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
-- OAuth access tokens table (short-lived, 1 hour)
CREATE TABLE IF NOT EXISTS access_tokens (
token TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
client_id TEXT NOT NULL,
scope TEXT NOT NULL DEFAULT 'profile',
expires_at INTEGER NOT NULL,
created_at INTEGER NOT NULL,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
FOREIGN KEY (client_id) REFERENCES applications(client_id) ON DELETE CASCADE
);
-- OAuth refresh tokens table (long-lived, 30 days)
CREATE TABLE IF NOT EXISTS refresh_tokens (
token TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
client_id TEXT NOT NULL,
scope TEXT NOT NULL DEFAULT 'profile',
expires_at INTEGER NOT NULL,
created_at INTEGER NOT NULL,
last_used_at INTEGER,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE,
FOREIGN KEY (client_id) REFERENCES applications(client_id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_oauth_accounts_user_id ON oauth_accounts(user_id);
CREATE INDEX IF NOT EXISTS idx_auth_codes_user_id ON auth_codes(user_id);
CREATE INDEX IF NOT EXISTS idx_access_tokens_user_id ON access_tokens(user_id);
CREATE INDEX IF NOT EXISTS idx_access_tokens_expires_at ON access_tokens(expires_at);
CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user_id ON refresh_tokens(user_id);
CREATE INDEX IF NOT EXISTS idx_refresh_tokens_expires_at ON refresh_tokens(expires_at);
-- Signing keys for OIDC ID tokens
-- Used to sign and verify ID tokens (JWT)
CREATE TABLE IF NOT EXISTS signing_keys (
kid TEXT PRIMARY KEY,
public_key_jwk TEXT NOT NULL,
private_key_jwk TEXT NOT NULL, -- Encrypted with AES-256-GCM
algorithm TEXT NOT NULL,
created_at INTEGER NOT NULL,
expires_at INTEGER NOT NULL,
revoked_at INTEGER,
status TEXT NOT NULL DEFAULT 'active'
);
-- OIDC authentication data
-- Stores nonce and auth_time for OIDC flows
CREATE TABLE IF NOT EXISTS oidc_auth_data (
code TEXT PRIMARY KEY,
nonce TEXT,
auth_time INTEGER NOT NULL,
FOREIGN KEY (code) REFERENCES auth_codes(code) ON DELETE CASCADE
);