forked from cardosofelipe/fast-next-template
46 lines
1.5 KiB
Python
46 lines
1.5 KiB
Python
"""OAuth state model for CSRF protection during OAuth flows."""
|
|
|
|
from sqlalchemy import Column, DateTime, String
|
|
from sqlalchemy.dialects.postgresql import UUID
|
|
|
|
from .base import Base, TimestampMixin, UUIDMixin
|
|
|
|
|
|
class OAuthState(Base, UUIDMixin, TimestampMixin):
|
|
"""
|
|
Temporary storage for OAuth state parameters.
|
|
|
|
Prevents CSRF attacks during OAuth flows by storing a random state
|
|
value that must match on callback. Also stores PKCE code_verifier
|
|
for the Authorization Code flow with PKCE.
|
|
|
|
These records are short-lived (10 minutes by default) and should
|
|
be deleted after use or expiration.
|
|
"""
|
|
|
|
__tablename__ = "oauth_states"
|
|
|
|
# Random state parameter (CSRF protection)
|
|
state = Column(String(255), unique=True, nullable=False, index=True)
|
|
|
|
# PKCE code_verifier (used to generate code_challenge)
|
|
code_verifier = Column(String(128), nullable=True)
|
|
|
|
# OIDC nonce for ID token replay protection
|
|
nonce = Column(String(255), nullable=True)
|
|
|
|
# OAuth provider (google, github, etc.)
|
|
provider = Column(String(50), nullable=False)
|
|
|
|
# Original redirect URI (for callback validation)
|
|
redirect_uri = Column(String(500), nullable=True)
|
|
|
|
# User ID if this is an account linking flow (user is already logged in)
|
|
user_id = Column(UUID(as_uuid=True), nullable=True)
|
|
|
|
# Expiration time
|
|
expires_at = Column(DateTime(timezone=True), nullable=False)
|
|
|
|
def __repr__(self):
|
|
return f"<OAuthState {self.state[:8]}... ({self.provider})>"
|