feat(schemas): init app_secrets table

.scripts/compare-database.js

@@ -42,14 +42,14 @@ const queryDatabaseManifest = async (database) => {
   `);
 
   const { rows: constraints } = await pool.query(/* sql */`
-    select conrelid::regclass AS table, con.*, pg_get_constraintdef(con.oid)
+    select conrelid::regclass as r_table, con.*, pg_get_constraintdef(con.oid) as def
     from pg_catalog.pg_constraint con
     inner join pg_catalog.pg_class rel
     on rel.oid = con.conrelid
     inner join pg_catalog.pg_namespace nsp
     on nsp.oid = connamespace
     where nsp.nspname = 'public'
-    order by conname asc;
+    order by conname asc, def asc;
   `);
 
   const { rows: indexes } = await pool.query(/* sql */`

packages/schemas/alterations/next-1721483240-multiple-app-secrets.ts

@@ -0,0 +1,77 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      -- Remove existing constraint
+      alter table organization_application_relations drop constraint application_type;
+
+      -- Drop the function
+      drop function check_application_type;
+
+      -- Create a new function that accepts a variadic array of application types
+      create function check_application_type(
+        application_id varchar(21),
+        variadic target_type application_type[]
+      ) returns boolean as
+      $$ begin
+        return (select type from applications where id = application_id) = any(target_type);
+      end; $$ language plpgsql set search_path = public;
+
+      -- Add back the constraint
+      alter table organization_application_relations
+        add constraint application_type
+        check (check_application_type(application_id, 'MachineToMachine'));
+
+      -- Create the new table
+      create table application_secrets (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** The name of the secret. Should be unique within the application. */
+        name varchar(256) not null,
+        value varchar(64) not null,
+        expires_at timestamptz,
+        created_at timestamptz not null default now(),
+        primary key (tenant_id, application_id, name),
+        constraint application_type
+          check (check_application_type(application_id, 'MachineToMachine', 'Traditional', 'Protected'))
+      );
+    `);
+    await applyTableRls(pool, 'application_secrets');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'application_secrets');
+    await pool.query(sql`
+      -- Remove the table
+      drop table application_secrets;
+
+      -- Remove the constraint
+      alter table organization_application_relations drop constraint application_type;
+
+      -- Drop the function
+      drop function check_application_type;
+
+      -- Restore the original function
+      create function check_application_type(
+        application_id varchar(21),
+        target_type application_type
+      ) returns boolean as
+      $$ begin
+        return (select type from applications where id = application_id) = target_type;
+      end; $$ language plpgsql set search_path = public;
+
+      -- Add back the constraint
+      alter table organization_application_relations
+        add constraint application_type
+        check (check_application_type(application_id, 'MachineToMachine'));
+    `);
+  },
+};
+
+export default alteration;

packages/schemas/src/consts/system.ts

@@ -9,3 +9,6 @@
  * If we use `/default`, the URL will look ugly; thus we keep the old fashion `/console`.
  */
 export const ossConsolePath = '/console';
+
+/** The prefix for keys and values that need to be explicitly marked as internal. */
+export const internalPrefix = '#internal:';

packages/schemas/tables/application_secrets.sql

@@ -0,0 +1,17 @@
+/* init_order = 2 */
+
+/** Application secrets for the `client_credentials` grant type and other confidential client use cases. Note that these secrets replace the `secret` column in the `applications` table, while the `secret` column is still used for the internal validation as `oidc-provider` does not support multiple secrets per client. */
+create table application_secrets (
+  tenant_id varchar(21) not null
+    references tenants (id) on update cascade on delete cascade,
+  application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** The name of the secret. Should be unique within the application. */
+  name varchar(256) not null,
+  value varchar(64) not null,
+  created_at timestamptz not null default now(),
+  expires_at timestamptz,
+  primary key (tenant_id, application_id, name),
+  constraint application_type
+    check (check_application_type(application_id, 'MachineToMachine', 'Traditional', 'Protected'))
+);

packages/schemas/tables/applications.sql

@@ -34,7 +34,10 @@ create unique index applications__protected_app_metadata_custom_domain
     (protected_app_metadata->'customDomains'->0->>'domain')
   );
 
-create function check_application_type(application_id varchar(21), target_type application_type) returns boolean as
+create function check_application_type(
+  application_id varchar(21),
+  variadic target_type application_type[]
+) returns boolean as
 $$ begin
-  return (select type from applications where id = application_id) = target_type;
+  return (select type from applications where id = application_id) = any(target_type);
 end; $$ language plpgsql set search_path = public;