
Commit 12d42bb

committed
feat: add OAuth2 provider for M2M client credentials auth
Enable machine-to-machine authentication via OAuth 2.1 client_credentials grant. Adds OAuth2 provider plugin to Better Auth with token issuance and introspection endpoints for service-to-service communication. - OAuth2 schema tables (oauth_client, oauth_access_token, etc.) - Drizzle migrations for OAuth and cancelled subscription status - Seed script for provisioning M2M OAuth clients - better-auth-oauth dependency
1 parent 1333272 commit 12d42bb

11 files changed

Lines changed: 13961 additions & 18 deletions

bun.lock

Lines changed: 53 additions & 13 deletions
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
ALTER TYPE "public"."status" ADD VALUE 'cancelled';
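Review bot: `ALTER TYPE ... ADD VALUE` is transaction-sensitive in PostgreSQL — the new label cannot be referenced in the same transaction that adds it, and before PostgreSQL 12 the statement cannot run inside a transaction block at all — so if the migration runner wraps each file in a transaction this must stay a one-statement migration with no follow-up writes of `'cancelled'`. A comment recording that constraint, e.g. `-- keep as a standalone migration: a new enum value is not usable in the transaction that adds it`, would stop a later maintainer from folding it into the 0034 file. The file header for this section is missing from the rendered page, so the migration file name cannot be confirmed here.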

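--- a/drizzle/0034_robust_tinkerer.sql
+++ b/drizzle/0034_robust_tinkerer.sql
@@ -0,0 +1,90 @@
+CREATE TABLE "jwks" (
+"id" uuid PRIMARY KEY DEFAULT pg_catalog.gen_random_uuid() NOT NULL,
+"public_key" text NOT NULL,
+"private_key" text NOT NULL,
+"created_at" timestamp NOT NULL,
+"expires_at" timestamp
+);
+--> statement-breakpoint
+CREATE TABLE "oauth_access_token" (
+"id" uuid PRIMARY KEY DEFAULT pg_catalog.gen_random_uuid() NOT NULL,
+"token" text,
+"client_id" text NOT NULL,
+"session_id" uuid,
+"user_id" uuid,
+"reference_id" text,
+"refresh_id" uuid,
+"expires_at" timestamp,
+"created_at" timestamp,
+"scopes" text[] NOT NULL,
+CONSTRAINT "oauth_access_token_token_unique" UNIQUE("token")
+);
+--> statement-breakpoint
+CREATE TABLE "oauth_client" (
+"id" uuid PRIMARY KEY DEFAULT pg_catalog.gen_random_uuid() NOT NULL,
+"client_id" text NOT NULL,
+"client_secret" text,
+"disabled" boolean DEFAULT false,
+"skip_consent" boolean,
+"enable_end_session" boolean,
+"subject_type" text,
+"scopes" text[],
+"user_id" uuid,
+"created_at" timestamp,
+"updated_at" timestamp,
+"name" text,
+"uri" text,
+"icon" text,
+"contacts" text[],
+"tos" text,
+"policy" text,
+"software_id" text,
+"software_version" text,
+"software_statement" text,
+"redirect_uris" text[] NOT NULL,
+"post_logout_redirect_uris" text[],
+"token_endpoint_auth_method" text,
+"grant_types" text[],
+"response_types" text[],
+"public" boolean,
+"type" text,
+"require_pkce" boolean,
+"reference_id" text,
+"metadata" jsonb,
+CONSTRAINT "oauth_client_client_id_unique" UNIQUE("client_id")
+);
+--> statement-breakpoint
+CREATE TABLE "oauth_consent" (
+"id" uuid PRIMARY KEY DEFAULT pg_catalog.gen_random_uuid() NOT NULL,
+"client_id" text NOT NULL,
+"user_id" uuid,
+"reference_id" text,
+"scopes" text[] NOT NULL,
+"created_at" timestamp,
+"updated_at" timestamp
+);
+--> statement-breakpoint
+CREATE TABLE "oauth_refresh_token" (
+"id" uuid PRIMARY KEY DEFAULT pg_catalog.gen_random_uuid() NOT NULL,
+"token" text NOT NULL,
+"client_id" text NOT NULL,
+"session_id" uuid,
+"user_id" uuid NOT NULL,
+"reference_id" text,
+"expires_at" timestamp,
+"created_at" timestamp,
+"revoked" timestamp,
+"auth_time" timestamp,
+"scopes" text[] NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "oauth_access_token" ADD CONSTRAINT "oauth_access_token_client_id_oauth_client_client_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."oauth_client"("client_id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_access_token" ADD CONSTRAINT "oauth_access_token_session_id_session_id_fk" FOREIGN KEY ("session_id") REFERENCES "public"."session"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_access_token" ADD CONSTRAINT "oauth_access_token_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_access_token" ADD CONSTRAINT "oauth_access_token_refresh_id_oauth_refresh_token_id_fk" FOREIGN KEY ("refresh_id") REFERENCES "public"."oauth_refresh_token"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_client" ADD CONSTRAINT "oauth_client_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_consent" ADD CONSTRAINT "oauth_consent_client_id_oauth_client_client_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."oauth_client"("client_id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_consent" ADD CONSTRAINT "oauth_consent_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_refresh_token" ADD CONSTRAINT "oauth_refresh_token_client_id_oauth_client_client_id_fk" FOREIGN KEY ("client_id") REFERENCES "public"."oauth_client"("client_id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_refresh_token" ADD CONSTRAINT "oauth_refresh_token_session_id_session_id_fk" FOREIGN KEY ("session_id") REFERENCES "public"."session"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauth_refresh_token" ADD CONSTRAINT "oauth_refresh_token_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;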
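Review bot: `oauth_refresh_token.token` (file line 69) is `NOT NULL` but, unlike `oauth_access_token.token` (file line 20), carries no UNIQUE constraint, so duplicate refresh-token values are not rejected at the schema level and lookups by token value have no supporting index; add `CONSTRAINT "oauth_refresh_token_token_unique" UNIQUE("token")` to that table definition. Every `expires_at` column in these tables is nullable and typed `timestamp` without time zone, so a row with a NULL expiry is an indefinitely valid credential unless the plugin refuses it, and a server timezone change shifts every stored expiry — `timestamptz` and `NOT NULL` on at least `oauth_access_token.expires_at` and `oauth_refresh_token.expires_at` would pin both (only worth doing if the existing `session`/`user` tables can follow the same convention). `jwks.private_key` and `oauth_client.client_secret` are plain `text` columns; whether the application layer encrypts the signing key and hashes the client secret before insert is not visible in this migration and should be confirmed, since either stored in the clear makes a database read equivalent to a credential compromise. The `ON DELETE cascade` from `oauth_client.user_id` to `user` (file line 85) also means deleting the owning user silently removes an M2M client and, via the `client_id` cascades, every token issued to it — acceptable if intended, but worth a one-line comment on the constraint.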
