Skip to content

Commit 99def10

Browse files
committed
Trim OAuth provider migration comments
1 parent 5810023 commit 99def10

3 files changed

Lines changed: 3 additions & 59 deletions

File tree

src/Migration/Destinations/Appwrite.php

Lines changed: 1 addition & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -3552,21 +3552,13 @@ protected function createAuthMethods(AuthMethods $resource): bool
35523552
return true;
35533553
}
35543554

3555-
/**
3556-
* Read-then-merge a single provider's entries on the project's
3557-
* `oAuthProviders` map, keyed `{providerKey}Appid` / `{providerKey}Secret` /
3558-
* `{providerKey}Enabled`. The handshake secret is never migrated (see
3559-
* OAuth2Provider), so `enabled` is propagated as-is and sign-in will fail
3560-
* until the admin re-enters the secret on the destination.
3561-
*/
35623555
protected function createOAuth2Provider(OAuth2Provider $resource): bool
35633556
{
35643557
$key = $resource->getProviderKey();
35653558
$project = $this->dbForPlatform->getDocument('projects', $this->projectId);
35663559
$oAuthProviders = $project->getAttribute('oAuthProviders', []);
35673560

35683561
if ($key === 'apple') {
3569-
// Apple's app id is the serviceId; keyId/teamId ride in the secret JSON blob.
35703562
$serviceId = (string) $resource->getSetting('serviceId');
35713563
if ($serviceId !== '') {
35723564
$oAuthProviders[$key . 'Appid'] = $serviceId;
@@ -3581,7 +3573,6 @@ protected function createOAuth2Provider(OAuth2Provider $resource): bool
35813573
if ($clientId !== '') {
35823574
$oAuthProviders[$key . 'Appid'] = $clientId;
35833575
}
3584-
// Per-shape extras (endpoint/tenant/prompt) ride inside the JSON secret blob.
35853576
foreach (['endpoint', 'tenant', 'prompt'] as $field) {
35863577
$value = $resource->getSetting($field);
35873578
if ($value !== null && $value !== '' && $value !== []) {
@@ -3607,10 +3598,7 @@ protected function createOAuth2Provider(OAuth2Provider $resource): bool
36073598
}
36083599

36093600
/**
3610-
* Apple stores its credential as a JSON blob of `{keyID, teamID, p8}`.
3611-
* Migration carries keyID/teamID (readable) but not p8 (write-only).
3612-
* Read the destination's existing blob, overlay the migrated fields, keep
3613-
* the destination's `p8` untouched.
3601+
* Preserve Apple's existing p8 secret while updating readable metadata.
36143602
*/
36153603
private function mergeAppleSecret(string $existing, string $keyId, string $teamId): string
36163604
{
@@ -3626,9 +3614,6 @@ private function mergeAppleSecret(string $existing, string $keyId, string $teamI
36263614
}
36273615

36283616
/**
3629-
* Merge a partial fields map into a JSON-encoded secret blob, preserving
3630-
* existing keys on the destination and overriding only the migrated ones.
3631-
*
36323617
* @param array<string, mixed> $fields
36333618
*/
36343619
private function mergeJsonSecret(string $existing, array $fields): string

src/Migration/Resources/Auth/OAuth2/OAuth2Provider.php

Lines changed: 2 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -6,30 +6,12 @@
66
use Utopia\Migration\Transfer;
77

88
/**
9-
* OAuth2 provider migration resource — one class for every provider. The
10-
* provider key and that provider's readable (non-secret) field names come from
11-
* the {@see OAuth2Provider::PROVIDERS} map, not from per-provider subclasses.
12-
*
13-
* Only non-secret fields are migrated: the handshake secret (clientSecret, or
14-
* Apple's p8File) is write-only on the source, so it is not carried across — the
15-
* destination admin must re-enter it post-migration, after which sign-in works.
16-
*
17-
* All providers share Resource::TYPE_OAUTH2_PROVIDER; the destination dispatches
18-
* per provider on the provider key, not on the concrete type.
9+
* OAuth2 provider secrets are write-only and are not migrated.
1910
*/
2011
final class OAuth2Provider extends Resource
2112
{
2213
/**
23-
* provider key => the readable, non-secret field names migrated for it.
24-
*
25-
* This list doubles as the secret allow-list: only these keys are copied off
26-
* the (heterogeneous) `listOAuth2Providers` payload, so a secret field the
27-
* server may add upstream later is never carried across by accident.
28-
*
29-
* Destination field routing (see Destinations\Appwrite::createOAuth2Provider):
30-
* - `clientId` / `serviceId` (Apple) -> `{key}Appid`
31-
* - `endpoint` / `tenant` / `prompt` -> merged into the `{key}Secret` JSON blob
32-
* - `keyId` / `teamId` (Apple) -> merged into the Apple secret JSON blob
14+
* Allow-list of readable provider fields that are safe to migrate.
3315
*
3416
* @var array<string, array<string>>
3517
*/
@@ -78,9 +60,6 @@ final class OAuth2Provider extends Resource
7860
'zoom' => ['clientId'],
7961
];
8062

81-
/**
82-
* @param array<string, mixed> $settings Non-secret fields, keyed per PROVIDERS[$providerKey].
83-
*/
8463
public function __construct(
8564
string $id,
8665
protected readonly string $providerKey,
@@ -105,11 +84,6 @@ public function getGroup(): string
10584
}
10685

10786
/**
108-
* Build a provider from a single `listOAuth2Providers` entry, copying only
109-
* the non-secret fields declared for `$providerKey`. Returns null for a key
110-
* this lib has no mapping for yet (e.g. a provider added upstream after this
111-
* release), so callers can report it rather than mis-migrate it.
112-
*
11387
* @param array<string, mixed> $array
11488
*/
11589
public static function fromArray(string $providerKey, array $array): ?self
@@ -174,11 +148,6 @@ public function getSetting(string $field): mixed
174148
return $this->settings[$field] ?? null;
175149
}
176150

177-
/**
178-
* Whether the project actually configured this provider — `listOAuth2Providers`
179-
* returns every supported provider, but only configured ones are migrated. The
180-
* app id is `serviceId` for Apple and `clientId` for everyone else.
181-
*/
182151
public function isConfigured(): bool
183152
{
184153
return $this->enabled

src/Migration/Sources/Appwrite.php

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -393,7 +393,6 @@ private function reportAuth(array $resources, array &$report, array $resourceIds
393393
$report[Resource::TYPE_AUTH_METHODS] = 1;
394394
}
395395

396-
// Count only configured providers, matching exportOAuth2Providers().
397396
if (\in_array(Resource::TYPE_OAUTH2_PROVIDER, $resources)) {
398397
$count = 0;
399398
foreach ($this->project->listOAuth2Providers()->providers ?? [] as $provider) {
@@ -755,12 +754,6 @@ private function exportAuthMethods(): void
755754
$this->callback([$authMethods]);
756755
}
757756

758-
/**
759-
* Route each entry of the heterogeneous `listOAuth2Providers` response
760-
* through OAuth2Provider, which extracts that provider's readable fields by
761-
* key (see OAuth2Provider::PROVIDERS). Secrets come back blanked and are not
762-
* migrated.
763-
*/
764757
private function exportOAuth2Providers(): void
765758
{
766759
$response = $this->project->listOAuth2Providers();
@@ -777,8 +770,6 @@ private function exportOAuth2Providers(): void
777770
$resource = OAuth2Provider::fromArray($key, $payload);
778771

779772
if ($resource === null) {
780-
// Provider with no field mapping yet (added upstream after this
781-
// release): report it as non-fatal rather than dropping it silently.
782773
$this->addError(new Exception(
783774
Resource::TYPE_OAUTH2_PROVIDER,
784775
Transfer::GROUP_AUTH,
@@ -788,7 +779,6 @@ private function exportOAuth2Providers(): void
788779
continue;
789780
}
790781

791-
// The server lists every provider; carry over only configured ones.
792782
if (!$resource->isConfigured()) {
793783
continue;
794784
}

0 commit comments

Comments
 (0)