
feat(db): V012 migration — oauth_tokens.jkt column + oauth_signing_key table

+18
+18
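--- a/crates/relay/src/db/migrations/V012__oauth_token_endpoint.sql
+++ b/crates/relay/src/db/migrations/V012__oauth_token_endpoint.sql
@@ -0,0 +1,18 @@
+-- V012: OAuth token endpoint schema additions
+-- Applied in a single transaction by the migration runner.
+--
+-- Adds DPoP key thumbprint (jkt) to oauth_tokens for DPoP-bound refresh tokens.
+-- Creates oauth_signing_key single-row table for the server's persistent ES256 keypair.
+
+-- DPoP key thumbprint — NULL for tokens issued before V012 or without DPoP binding.
+ALTER TABLE oauth_tokens ADD COLUMN jkt TEXT;
+
+-- Single-row table for the server's persistent ES256 signing keypair.
+-- WITHOUT ROWID: the key is always fetched by its id (primary key lookup).
+CREATE TABLE oauth_signing_key (
+    id TEXT NOT NULL, -- UUID key identifier
+    public_key_jwk TEXT NOT NULL, -- JWK JSON string (EC P-256 public key)
+    private_key_encrypted TEXT NOT NULL, -- base64(nonce(12) || ciphertext(32) || tag(16))
+    created_at TEXT NOT NULL, -- ISO 8601 UTC
+    PRIMARY KEY (id)
+) WITHOUT ROWID;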
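Review bot: The comment on `CREATE TABLE oauth_signing_key` promises a single-row table, but nothing in the DDL enforces it — the primary key is a per-row UUID, so two concurrent first-boot key generations (or a stray re-run of the bootstrap) would leave two signing keys and verification of outstanding tokens would depend on which row a `LIMIT 1` happens to return. If one key is the intended invariant, enforce it in the schema with a fixed-value column, e.g. add `singleton INTEGER NOT NULL DEFAULT 1 CHECK (singleton = 1),` to the column list and `UNIQUE (singleton)` after the primary key; if key rotation is planned instead, the "single-row" wording in both comments should be dropped so the next maintainer does not rely on it. Separately, the `private_key_encrypted` comment documents the AEAD framing (`nonce(12) || ciphertext(32) || tag(16)`) but not the algorithm or where the wrapping key comes from; a comment such as `-- AEAD: <algorithm>; wrapping key loaded from <source>, never stored in this database` (values filled in from the Rust side) would make the trust boundary visible in the one place schema readers look. The `jkt` column comment could also say whether the thumbprint is the RFC 7638 base64url SHA-256 form, since that is what DPoP proof checks compare against.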