satellite/satellitedb/dbx: document oauth tables

Change-Id: Ide327699f4b7b35f46c9356d558221ece5bd77a9
2023-02-23 17:40:44 +02:00 · 2023-02-23 17:40:44 +02:00 · f13d0f7df0
commit f13d0f7df0
parent 76d7bc6d18
1 changed files with 70 additions and 45 deletions
--- a/satellite/satellitedb/dbx/oauth.dbx
+++ b/satellite/satellitedb/dbx/oauth.dbx
@ -1,15 +1,21 @@
 // oauth_client stores information about known clients developed against stroj.
 model oauth_client (
-    key id
+	key id

-    index ( fields user_id )
+	index ( fields user_id )

-    field id                blob
-    field encrypted_secret  blob ( updatable ) // encrypted
-    field redirect_url      text ( updatable )
-    field user_id           blob
-    field app_name          text ( updatable )
-    field app_logo_url      text ( updatable )
+	// id is a unique identifier for the client.
+	field id                blob
+	// encrypted_secret is a token that the client uses to authenticate.
+	field encrypted_secret  blob ( updatable )
+	// redirect_url is the uri where the user should be redirected after authentication.
+	field redirect_url      text ( updatable )
+	// user_id is a UUID which refers to user.id.
+	field user_id           blob
+	// app_name is text that should be displayed as the application requesting authentication.
+	field app_name          text ( updatable )
+	// app_logo_url is icon that should be shown for the application.
+	field app_logo_url      text ( updatable )
 )

 create oauth_client (
@ -17,40 +23,52 @@ create oauth_client (
 )

 read one (
-    select oauth_client
-    where oauth_client.id = ?
+	select oauth_client
+	where oauth_client.id = ?
 )

 update oauth_client (
-    where oauth_client.id = ?
-    noreturn
+	where oauth_client.id = ?
+	noreturn
 )

 delete oauth_client (
-    where oauth_client.id = ?
+	where oauth_client.id = ?
 )

 // oauth_code are single use tokens that are handed off to the third party applications.
 // they're exchanged for an access_token (and maybe a refresh_token).
 // they can only be claimed once.
 model oauth_code (
-    key code
+	key code

-    index ( fields user_id )
-    index ( fields client_id )
+	index ( fields user_id )
+	index ( fields client_id )

-    field client_id     blob
-    field user_id       blob
-    field scope         text
-    field redirect_url  text
+	// client_id is the oauth_client.id that requested this user.
+	field client_id     blob
+	// user_id is the user.id that tries to use this token.
+	field user_id       blob
+	// scope is Access Token Scope which specifies what the user is allowed to access.
+	field scope         text
+	// redirect_url is the location that user should be redirected to.
+	field redirect_url  text

-    field challenge         text
-    field challenge_method  text
+	// challenge is used for PKCE authorization flow. It is created from code verifier that the
+	// client uses to verify the response.
+	field challenge         text
+	// challenge_method is used for PKCE authorization flow.
+	// It is the method that was used to generate the challenge.
+	field challenge_method  text

-    field code              text
-    field created_at        timestamp
-    field expires_at        timestamp
-    field claimed_at        timestamp ( nullable, updatable )
+	// code contains the authorization code which the client will later exchange for an access token.
+	field code              text
+	// created_at specifies when the code was created.
+	field created_at        timestamp
+	// expires_at specifies when the code is invalid.
+	field expires_at        timestamp
+	// claimed_at specifies the time when the code was used.
+	field claimed_at        timestamp ( nullable, updatable )
 )

 create oauth_code (
@ -58,32 +76,39 @@ create oauth_code (
 )

 read one (
-    select oauth_code
-    where oauth_code.code = ?
-    where oauth_code.claimed_at = null
+	select oauth_code
+	where oauth_code.code = ?
+	where oauth_code.claimed_at = null
 )

 update oauth_code (
-    where oauth_code.code       = ?
-    where oauth_code.claimed_at = null
-    noreturn
+	where oauth_code.code       = ?
+	where oauth_code.claimed_at = null
+	noreturn
 )

 // oauth_token can be an access or refresh token
 model oauth_token (
-    key token
+	key token

-    index ( fields user_id )
-    index ( fields client_id )
+	index ( fields user_id )
+	index ( fields client_id )

-    field client_id     blob
-    field user_id       blob
-    field scope         text
+	// client_id is the oauth_client.id that requested this user.
+	field client_id     blob
+	// user_id is the user.id that tries to use this token.
+	field user_id       blob
+	// scope is Access Token Scope which specifies what the user is allowed to access.
+	field scope         text

-    field kind          int     // access or refresh
-    field token         blob    // encrypted macaroon
-    field created_at    timestamp
-    field expires_at    timestamp ( updatable )
+	// kind specifies the purpose of the token. It refers to oidc.OAuthTokenKind. unknown=0, access=1, refresh=2, rest=3.
+	field kind          int
+	// token is the access which is implemented as an encrypted macaroon.
+	field token         blob
+	// created_at is when the token was created.
+	field created_at    timestamp
+	// expires_at says when the token becomes invalid.
+	field expires_at    timestamp ( updatable )
 )

 create oauth_token (
@ -91,9 +116,9 @@ create oauth_token (
 )

 read one (
-    select oauth_token
-    where oauth_token.kind = ?
-    where oauth_token.token = ?
+	select oauth_token
+	where oauth_token.kind = ?
+	where oauth_token.token = ?
 )

 update oauth_token (